WordPress Security Guide – Step by Step (2020)
No matter how hard I try, I still can’t erase the painful and embarrassing memory of my first WordPress site.
I designed it, built it, wrote content for it, and…it got hacked! Within two days of its inception!
I tried to log in, but instead of the friendly WordPress dashboard, a black screen and a scary message welcomed me. My very own site had been taken captive by some bad, ugly guys.
Yikes, I hate hackers!
For me, it was a lesson learned the hard way: the security of your WordPress site is paramount.
One mistake and you’re doomed!
This WordPress security guide will help you bullet-proof your site with simple and easy steps so that you don’t have to face the same tragedy I did, years ago.
Why Do WordPress Sites Get Hacked?
Why do we keep hearing about vulnerabilities in WordPress? Is there anything wrong with it? Is WordPress insecure?
The straightforward answer is no. The core of WordPress is quite secure and safe. A dedicated team of developers is always testing for vulnerabilities in WordPress, and they keep updating the software to close any security holes.
But the problem is that you'll also be running other software alongside the WordPress core, namely plugins and themes. Third-party developers write these plugins and themes, and you can't be sure those developers followed best practices. If there is any vulnerability in their code, it can be used to hack your website.
Why Is Security A Major Concern For WordPress Users?
WordPress is open-source. This means that while the developers are always laboring on the code to keep it secure, the moment you download it from their website, the responsibility of keeping your site secure comes down to you.
It's just like owning a piece of land and building your own house on it. When buying the land, you make sure you're given all the basic amenities like an electricity connection, gas pipes, a water connection, etc., but the responsibility of building the house on it and keeping your building secure rests on your shoulders.
WordPress Security Strategies to Bullet-Proof Your Site
Choose a Good Hosting Provider
Choosing a hosting provider is one of the first steps to take when creating a WordPress site. When looking for a hosting provider, don’t look for the cheapest package. Rather, look for a hosting provider that takes all the security measures to protect their servers against hackers.
If you’re not sure about what security measures your host is taking, it’s better to just ask them before buying a plan.
Another thing to consider is the type of hosting plan you buy. Shared hosting is cheaper, but it makes your site vulnerable to cross-site contamination: if another site on the same server is compromised, the attacker may be able to reach yours.
Managed WordPress Hosting providers like Pantheon and WPEngine, on the contrary, take away half the trouble of keeping your WordPress site secure. They offer a disaster recovery program, regular backups, automatic updates, and secure infrastructure. Apart from that, they let you deploy sites on staging and test environments, which makes it easy to apply updates without worrying about breaking anything.
Use SFTP Encryption When Connecting To Your Server
When buying a hosting plan, ask your web host if they provide an SFTP connection. SFTP encrypts the data exchanged between your computer and the server, which prevents hackers from intercepting your passwords and other login credentials.
Use SSL to Add an Extra Layer of Protection
Installing an SSL certificate encrypts the data exchanged between the website and its users and protects your site from man-in-the-middle attacks.
Most web hosts offer free SSL certificates these days, but if yours doesn’t, you can buy one from Domain.com.
Buy Themes and Plugins from Trusted Sources
Themes and plugins are the most common culprits in hacking attacks. The first and most important preventive step is to make sure you don't buy themes and plugins from untrusted sources.
Check the developer's background before buying a plugin or theme. It's also a good idea to restrict yourself to the WordPress.org repository.
Clean Up Your Computer From Viruses
All your efforts and security measures will go in vain if there is a keylogger sitting on your computer. Use anti-virus software to keep your computer clean, and keep all software, including your web browser, updated to avoid vulnerabilities.
Make Sure Your Network is Secure
Both the server-side and client-side network should be secure and trusted. While your hosting provider should ensure the security of their network, you need to make sure the network you are working from is safe too. Update firewall rules and avoid using public networks at all costs.
Keep WordPress Core Software Updated
Now, this may be a simple, 1-click thing to do, but in reality, it’s the most critical thing when it comes to the security of your site.
As mentioned above, WordPress developers are always striving to discover and patch up security vulnerabilities, and so, they release new versions and updates that fix those holes.
Using the old version after an update has been released puts your site at great risk: once a vulnerability is patched, the fix publicly reveals the hole in the old version, and hackers can use it to attack any site that hasn't updated.
If you don’t have automatic updates enabled, it’s a good idea to enable it, so you don’t have to worry about updating it manually.
Update Plugins and Themes
The same goes for plugins and themes. The rule of thumb is to buy plugins and themes from trusted sources. But after that, keep them updated. Old versions of plugins and themes may have openly exposed vulnerabilities that hackers can use to launch an attack.
Though it’s a simple thing to do, a lot of people delay it because of the fear of breaking something on their site. Using a managed hosting provider like Pantheon makes it easier and more convenient to update everything on your site. You can use a staging environment to update your site and fix anything that breaks before you make it live.
Use Strong Passwords
A brute force attack is one of the most common ways your WordPress site can get hacked. It is simply an attempt to guess your password by trying many combinations until one works.
Using a strong password is the simplest thing you can do to avoid this attack and to make sure attackers don’t get access to your site.
One reason people use weak passwords is that they find it difficult to remember and manage so many different passwords. Using a password manager like 1Password or LastPass to generate unique and secure passwords is highly recommended in this case. These tools not only help you generate unique and strong passwords, but they also store all your passwords in their vault, so you only have to remember one master password. They even fill in login forms for you!
Limit Login Attempts
Another way to secure your site against brute force attacks is to limit login attempts. This way, if a hacker tries to log in using different combinations of passwords, they will be blocked after the limit is reached. The Login Lockdown plugin can be used to limit login attempts.
Likewise, two-factor authentication will also help in preventing brute force attacks. Check out this plugin that can enable you to do this.
Use Firewall Plugin
Another smart strategy to block hackers from even trying to crack your password is to use a firewall plugin. A DNS-level firewall filters out bad traffic before it reaches your server. This way, hackers can't reach your server and overload it with password attempts.
Disable File Editing
The WordPress dashboard includes a built-in file editor from which you can edit your theme and plugin files. However, this poses a great risk if a hacker manages to get into your account: the editor is the first thing they will use to plant malicious code in your files.
It’s best to disable file editing from the WordPress dashboard. Placing the following line of code in your wp-config.php file will disable file editing.
Disable Directory Browsing
By default, your WordPress directories are indexed and can be browsed easily by anyone. Hackers can browse your files to see if there are any vulnerabilities.
To disable directory indexing and browsing, go to your cPanel dashboard and use the file manager to locate your .htaccess file in your WordPress root directory.
Add the following line at the end of the .htaccess file, then save and upload it again:
Options -Indexes
Password Protect WP-Admin Directory
The wp-admin directory is like the main gate of your building. Anyone can walk towards your gate and try to break in. To harden your security, you can lock down that gate so that hackers can’t access it and try their hacking tricks to get through.
You can password protect your wp-admin directory to do that. It’s very simple to do that using cPanel. Go to your cPanel dashboard and scroll down to security. Click on Password Protect Directories. Find the folder you want to protect and add login credentials.
Change File Permissions
One of WordPress's features is that the web server can write to files. This is what allows users to upload content like pictures and videos, change themes, and so on.
However, not all WordPress files need to be editable. And if your files get into the wrong hands, then you know how bad it can be.
To avoid this, set the right file permissions instead of giving all permissions for all files. For example, wp-admin, wp-includes, and wp-content/plugins should only be writable by your user account.
The iThemes Security plugin can be used to check your file permissions and see whether any file or folder needs to be hardened.
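As an added example (not code from the original post), here is a small Python audit-and-fix script for the baseline the text describes, assuming the common WordPress hardening values of 755 for directories, 644 for files and 600 for wp-config.php; it builds a constructed throw-away tree to run against.

```python
import os
import stat
import tempfile

# Baseline from WordPress hardening guidance: directories 755, files 644, and
# wp-config.php (it holds the database password) readable by the owner only.
DIR_MODE, FILE_MODE, CONFIG_MODE = 0o755, 0o644, 0o600

def expected_mode(path, is_dir):
    if is_dir:
        return DIR_MODE
    return CONFIG_MODE if os.path.basename(path) == "wp-config.php" else FILE_MODE

def walk(root):
    """Yield (path, is_dir) for everything below root, skipping symlinks."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                yield path, name in dirnames

def audit_permissions(root):
    """Return paths carrying permission bits beyond the baseline (e.g. world-writable)."""
    findings = [path for path, is_dir in walk(root)
                if stat.S_IMODE(os.stat(path).st_mode) & ~expected_mode(path, is_dir)]
    return sorted(findings)

def harden_permissions(root):
    """Apply the baseline to every path under root; return how many were changed."""
    changed = 0
    for path, is_dir in walk(root):
        want = expected_mode(path, is_dir)
        if stat.S_IMODE(os.stat(path).st_mode) != want:
            os.chmod(path, want)
            changed += 1
    return changed

def demo():
    """Build a constructed WordPress tree with sloppy permissions, audit it, fix it."""
    root = tempfile.mkdtemp(prefix="wp-")
    plugins = os.path.join(root, "wp-content", "plugins")
    os.makedirs(plugins)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(plugins, 0o777)                      # world-writable: anyone can drop a plugin
    for name, mode in (("wp-config.php", 0o644), ("index.php", 0o644)):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(os.path.join(root, name), mode)  # wp-config.php is world-readable here
    before = len(audit_permissions(root))
    changed = harden_permissions(root)
    return before, changed, len(audit_permissions(root))
```

Run audit_permissions() on its own first; it only reports and changes nothing.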
Rename The Default Username
WordPress has become smarter now and lets you choose a unique username when installing the software. But many 1-click installers still use the good old ‘admin’ username.
If your site has the ‘admin’ username, it’s best practice to rename it and use something unique instead. With a unique username, hackers will have to first guess the username and then the password. Most hacking attempts are conducted through bots and so, changing the default username and using a strong password along with the other measures will protect your site.
Unfortunately, WordPress doesn’t have an option that allows you to change the username. The easiest method is to create a new administrator account and delete the old one.
You can also use phpMyAdmin to directly change the database and rename your username.
To do that, go to your cPanel dashboard and click on phpMyAdmin. Select the database your blog is hosted in.
Look for the wp_users table among your database tables. Change the user_login value from 'admin' to whatever you like.
Rename WP Prefix
Your WordPress database is like the brain of your website: it stores all your information. This makes the database a favourite target for hackers who use automated scripts for SQL injection.
To harden the security of your database, you can change the default wp_ table prefix. The best and easiest way is to set a different prefix when installing WordPress.
If you forgot to do it at the time of installation, you can still change the wp_ prefix by editing the wp-config.php file.
In the wp-config.php file, find the line that contains $table_prefix and change the prefix to something like wp_4321_.
This is what the line will look like after you edit it:
$table_prefix = 'wp_4321_';
After editing wp-config.php, you'll need to rename the tables in phpMyAdmin to match. You can run an SQL query to rename each table:
RENAME TABLE `wp_comments` TO `wp_4321_comments`;
You'll have to run this query for every table in the database.
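Carrying the prefix change through every table by hand is error-prone, so here is an added Python example (not code from the original post) that generates the MySQL statements from a list of table names; the table list is assumed to come from SHOW TABLES. It also rewrites the option and user-meta rows whose keys embed the prefix (wp_user_roles, wp_capabilities, wp_user_level and the user-settings keys), which a plain table rename leaves behind and which would lock every administrator out of the renamed site.

```python
import re

# WordPress only accepts letters, digits and underscores in $table_prefix.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")

# Keys that WordPress stores as '<prefix>' + name. Only these are rewritten:
# other core options such as wp_page_for_privacy_policy also start with
# "wp_" but are NOT prefix-based, so a blanket LIKE 'wp_%' rewrite would
# corrupt them.
PREFIXED_KEYS = {
    "options": ("user_roles",),
    "usermeta": ("capabilities", "user_level", "user-settings", "user-settings-time"),
}

def prefix_change_statements(tables, old="wp_", new="wp_4321_"):
    """Return the MySQL statements that move a site from prefix `old` to `new`.

    `tables` is the list of existing table names (e.g. from SHOW TABLES).
    Run the statements in order: the UPDATEs address the renamed tables.
    """
    if not (PREFIX_RE.match(old) and PREFIX_RE.match(new)):
        raise ValueError("prefix may only contain letters, digits and underscores")
    stmts = [f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;"
             for t in sorted(tables) if t.startswith(old)]
    for table, column in (("options", "option_name"), ("usermeta", "meta_key")):
        for key in PREFIXED_KEYS[table]:
            stmts.append(f"UPDATE `{new}{table}` SET `{column}` = '{new}{key}' "
                         f"WHERE `{column}` = '{old}{key}';")
    return stmts

# Constructed example: a few core table names, not read from a real database.
CORE_TABLES = ["wp_comments", "wp_options", "wp_posts", "wp_usermeta", "wp_users"]

if __name__ == "__main__":
    print("\n".join(prefix_change_statements(CORE_TABLES)))
```

Take a database backup before running the output, and run it in one transaction or maintenance window so the site is never half-renamed.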
Back up Your Data Regularly
Making regular backups of your WordPress files and database is the best recovery strategy: it lets you restore your site and limits the damage if something goes wrong.
Most managed WordPress hosting providers offer daily backups of WordPress files and the database, which is really convenient. Apart from backing up your site, it's important to protect the integrity of the backups themselves by encrypting the backup files or storing them on read-only media.
Monitor Your Logs
Monitoring your logs helps you keep an eye on what is going on, what changes were made, and who made them. This lets you detect suspicious activity early and act before it turns into a breach.
Your logs will also help you figure out what went wrong in case of a compromise. They'll help you clean up the mess left by the hackers and fix the vulnerability that led to the issue.
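Here is an added Python example (not code from the original post) of the kind of check you can run over your web server access log: it counts failed POSTs to wp-login.php and xmlrpc.php per client address in a sliding window and flags the brute force pattern described earlier in this guide. The sample log lines, the threshold and the window size are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access-log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec
def is_failed_login(rec):
    # Heuristic: a POST to wp-login.php answered with 200 re-rendered the form (bad
    # credentials), while a successful login redirects with 302. xmlrpc.php POSTs
    # count too, because bots use that endpoint to bypass the login form.
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path in LOGIN_PATHS and rec["status"] == 200

def find_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: peak failed logins inside any `window`} for IPs reaching `threshold`."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample lines (documentation-range IPs, not a real server's log).
SAMPLE = ['203.0.113.5 - - [10/Oct/2020:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "bot"' % s
          for s in range(0, 60, 5)] + [
    '198.51.100.7 - - [10/Oct/2020:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2020:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2020:13:57:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4500 "-" "Mozilla/5.0"',
]
```

Feed it the real access log with `find_bruteforce(open("/path/to/access.log"))` and forward the flagged addresses to your firewall or login-limiting plugin.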
We Have Reached The End…
Even after all these security measures, you still can’t guarantee complete security.
Dark things happen in the cyber world, and nothing is 100% secure.
But with the right tools and enough knowledge, we can stay prepared and improve our defense against hackers.