How to secure your WordPress Site from Hackers


WordPress is one of the most widely used website platforms. It works as a CMS (Content Management System) for a conventional site, as a blog, or, with the right plugins, as an e-commerce store. Every day a large number of websites are blacklisted for hosting malware or phishing pages (the figures quoted at the time were roughly 20,000 for malware and 50,000 for phishing), and WordPress sites, being so common, are a favourite target. This article collects WordPress security best practices, gathered from research and from talking to WordPress experts, to make your site considerably harder to compromise.


We start with basic security steps, move on to advanced measures, then cover PHP hardening, and finish with how to keep the site healthy and how to recover if it is hacked. Anyone running a WordPress site should look at how to secure it with the plugins, settings and tweaks described below.

Basic WordPress Security Tips

1. Disable Registering option for the anonymous users

Go to Settings -> General and uncheck the “Membership – anyone can register” checkbox. While you are there, make sure “New User Default Role” is set to Subscriber, so that any account that does get created has no publishing or administrative rights.

2. Remove Old Themes and Plugins of WordPress

Plugins and themes that have not been updated for a year or two are a liability: they are unlikely to receive fixes for vulnerabilities found in them, and old, unpatched plugins and themes are among the most common ways WordPress sites get hacked. An inactive plugin or theme is still a set of PHP files the web server can execute, so deactivating it is not enough. If you find a plugin or theme that has not been updated in a year or more, look for a maintained alternative and delete the old one from the server.

3. Change default Username


This is one of the most effective basic measures. In the early days almost every site had admin as its administrator username, so attackers only had to guess the password. Change it either by creating a new administrator account and demoting the old one, or directly in the database via phpMyAdmin in cPanel.

Creating a new account is the easier route: log in to the WordPress Dashboard, hover over Users in the left panel, click Add New, fill in the details, set the role to Administrator and store the username and password somewhere safe. Pick a username that is not also shown as the author name on your posts (set a different display name), because author archives and feeds reveal the login name of anyone who has published. Log out, log in with the new account, go to Users > All Users, change the old admin account to the Subscriber role (or delete it, reassigning its posts to the new account) and set its password to something random.

4. Useless files can help Hackers to hack your WordPress

Some files that ship with WordPress tell an attacker exactly which version you run, and therefore which known vulnerabilities to try. readme.html and license.txt in the root directory are the usual culprits; delete them or block them in the web server configuration (each core update puts them back, so blocking is the more durable fix). Do not delete wp-admin/install.php or wp-admin/upgrade.php: install.php refuses to run on a site that is already installed, and upgrade.php is what WordPress uses to update the database after a core update, so removing it breaks future updates.

5. Limit Login Attempts

Another important factor is limiting login attempts. By default WordPress allows unlimited tries, which is what makes brute-force attacks practical. Limit it to a small number such as 3 failed attempts per IP address before a temporary lockout; this stops most automated password guessing against your login page. Popular choices are the Wordfence Security plugin, which protects the login page and adds several other measures, or the lighter Login Lockdown plugin if all you want is the lockout. Keep in mind that lockouts are per IP address and attackers rotate addresses, so this complements strong passwords and two-factor authentication rather than replacing them.

Have you heard of locking the lock itself? The login page grants access to almost everything you can edit on the site, so it is worth putting a second lock in front of it: a server-side password (HTTP authentication configured in the web server) on wp-login.php. Every request to the login page then has to carry the extra password before WordPress even runs. This defeats automated credential guessing and makes each bogus request very cheap for the server to reject, which helps against the flood of login requests that accompanies a brute-force campaign; it does not, on its own, stop a volumetric DDoS attack.

You can also restrict the login page to your own IP addresses and block everyone else in the .htaccess file. Add the following at the end of the .htaccess file in the WordPress root (the ^ and $ anchors and the escaped dots matter, otherwise 1.2.3.4 would also match 11.2.3.45):

<IfModule mod_rewrite.c>
RewriteEngine on
# Match the login page, and the admin area except admin-ajax.php (themes and
# plugins call admin-ajax.php from the public site, so it must stay reachable).
RewriteCond %{REQUEST_URI} wp-login\.php [OR]
RewriteCond %{REQUEST_URI} /wp-admin(?!/admin-ajax\.php)
# Allow only these addresses: dots escaped, pattern anchored at both ends.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.11$
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.12$
RewriteRule ^ - [F,L]
</IfModule>
Replace 203.0.113.10, .11 and .12 with your own addresses; add or remove RewriteCond lines for more or fewer IPs. Two caveats: if your connection has a dynamic IP you will lock yourself out when it changes, and if the site sits behind a CDN or reverse proxy, REMOTE_ADDR is the proxy's address rather than the visitor's, so the rule will either block everyone or no one.
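As an added example (not code from the original article, nor from the Wordfence or Login Lockdown plugins it mentions), here is the mechanism such a plugin implements, as a minimal must-use plugin: three failed logins from one address within fifteen minutes lock that address out, even for the correct password. The file path wp-content/mu-plugins/login-lockout.php, the limit of 3 and the 15-minute window are assumptions taken from the text; real plugins add an allowlist and a log of lockouts.

```php
<?php
/**
 * Plugin Name: Login lockout (added example)
 * Save as wp-content/mu-plugins/login-lockout.php. Must-use plugins load
 * automatically and cannot be switched off from the dashboard.
 */

function login_lockout_key(): string
{
    // REMOTE_ADDR is the TCP peer. Behind a CDN or reverse proxy it is the
    // proxy's address; there you must read the proxy's trusted client-IP header
    // instead, or one locked address will lock out every visitor.
    return 'login_lockout_' . md5($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
}

function login_lockout_failures(): int
{
    return (int) get_transient(login_lockout_key());
}

// Count each failed attempt. The transient expires after the window, which both
// resets the counter and ends the lockout; a further attempt while locked
// restarts the clock, because WordPress fires wp_login_failed for it too.
add_action('wp_login_failed', function () {
    set_transient(login_lockout_key(), login_lockout_failures() + 1, 15 * MINUTE_IN_SECONDS);
});

// Refuse authentication from a locked address. Priority 30 runs after the
// username/password check WordPress hooks at priority 20, so a correct password
// sent during a lockout is rejected as well instead of confirming the guess.
add_filter('authenticate', function ($user, $username, $password) {
    if (login_lockout_failures() >= 3) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts from your address. Try again in 15 minutes.'
        );
    }
    return $user;
}, 30, 3);
```

Transients live in the options table (or the object cache if one is configured), so the counter is shared by every PHP worker on the host. The same counter could be keyed by username instead of address to protect a specific account from a distributed guess, at the cost of letting an attacker lock a user out on purpose.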

6. Never use Easily guessable password


Passwords like 987654321, 123456789, qwerty or password are in every attacker's list of the few hundred most common passwords and fall in the first seconds of a brute-force attack. Use a long random password, for example 22 characters mixing upper case, lower case, digits and symbols such as j$N%FZctgaTF6Ljg2krWYd, generated and stored by a password manager so you never have to remember it.

7. Username or email address as the login name

Usernames are easy to guess, email addresses less so. Bear in mind, though, that WordPress has accepted the account's email address as well as the username on the login form since version 4.5, so an attacker who knows your email address already has a valid login name either way; and a username that is itself an email address will be exposed wherever usernames leak (author archives, the REST API). The practical rule is to treat the username as public, make it something that is not displayed on the site, and put the real strength into the password and two-factor authentication.

8. Using Two Factor Authentication for Login


The single most effective addition is two-factor authentication: even an attacker who has the correct username and password cannot log in without the second factor, a one-time code generated by an app on your phone (or sent to it). Wordfence Security includes two-factor authentication, so if you already use it for the login protection above you can enable it there; dedicated two-factor plugins exist as well.

9. Make Your WordPress https compatible


On a plain HTTP site the username, password and session cookie travel across the network in cleartext, and anyone on the same network (a café Wi-Fi, a compromised router) can capture them and walk straight into your dashboard. HTTPS encrypts the connection so that credentials and cookies cannot be read in transit. Get a certificate from your host (many offer free ones), then use the Really Simple SSL plugin to switch the site and all its internal links to HTTPS. Once it is installed and configured, check for mixed-content problems (resources still loaded over http://) with the WhyNoPadlock website, and force HTTPS on the login and admin pages so that no stray http:// link can downgrade them.

10. Rename your login URL

Avoid leaving the login page at its default location: wp-login.php and wp-admin appended to the site's URL. Every bot on the internet knows these paths and hammers them with lists of common usernames and passwords (admin / p@ssword and the like). Moving the login URL does not stop a determined attacker, who can still find it, but it removes your site from the mass scans and cuts the brute-force noise in your logs considerably.

The iThemes Security plugin can change the login URL for you. Remember that xmlrpc.php is a second login path that still accepts a username and password, so disable it too (see the Advanced section) or the rename buys you little.

Advanced WordPress Security Measures

1. Hide the WordPress version

Millions of sites run WordPress, and exposing the exact version you run lets an attacker search for sites on a version with a known vulnerability and single yours out.

Add the following to your theme's functions.php to remove the generator meta tag from the page header and the feeds. The version also leaks through the ?ver= query string on core scripts and stylesheets and through readme.html, so deal with those too; and a snippet in functions.php disappears when you switch themes, so a must-use plugin is the better home for it.

function remove_version() {
    return '';
}
add_filter('the_generator', 'remove_version');

2. Disable showing the unnecessary details after failed logins

By default WordPress tells a failing login why it failed: an unknown username gets a different message from a wrong password, which lets an attacker confirm which usernames exist before starting to guess passwords. Replace both messages with one generic one.

Open your theme's functions.php file and add the following:

function wrong_login() {
    return 'Wrong username or password.';
}
add_filter('login_errors', 'wrong_login');

3. Disable Directory Indexing and Browsing

Directory browsing lets a visitor list the contents of any folder that has no index file, which makes it trivial to find backup copies, uploaded documents, theme files and the occasional database dump. To turn it off, open the File Manager and edit the .htaccess file in the root of your WordPress installation (it is a hidden file; enable “show hidden files” in the File Manager settings if you do not see it) and add the line below at the end of the file. If your host runs nginx rather than Apache, .htaccess is ignored and directory listing is controlled by the autoindex directive in the server configuration instead.

Options -Indexes

4. Disable the file editor in WordPress

When you think about protecting a WordPress site from malware, ask what the attacker actually does. A common route is to log in with stolen or guessed administrator credentials and use the built-in theme and plugin editor to write PHP into your site's files, turning the dashboard into a web shell. Disabling the file editor closes that door.

Even if an attacker gets into your dashboard, they can no longer edit files from it. Put the line below in wp-config.php, above the line that loads wp-settings.php. This is a WordPress constant, not a theme function; defining it in a theme's functions.php would stop working the moment the theme is switched. Note that an administrator can still upload a plugin zip containing PHP; a second constant, DISALLOW_FILE_MODS, blocks uploads and dashboard updates as well, at the cost of having to update from the command line or a deployment pipeline.

define('DISALLOW_FILE_EDIT', true);

Rotate the WordPress security keys and salts at least once a year

Go to the root folder of your WordPress installation, open wp-config.php, and find the block of lines that starts like this (a fresh install ships with placeholder values, which must be replaced):

define('AUTH_KEY',         'put your unique phrase here');


Now open https://api.wordpress.org/secret-key/1.1/salt/, copy the block of eight define() lines it generates and paste it over the existing keys in wp-config.php. The keys are used to sign login cookies, so changing them invalidates every existing session and logs all users out; that is also why you should rotate them immediately after any suspected compromise, not only on a schedule.

5. wp-config.php file permission should be set to 0400 or 0440

The whole site depends on this one file: it holds the database credentials and the security keys, so it must not be readable by visitors or by other users on the server. Change its permissions as shown later in this article (section 8) to 0400, then check that the site still loads. Whether 0400 works depends on who PHP runs as: if PHP runs as the file's owner (common on cPanel hosts using PHP-FPM or suPHP), 0400 is fine; if the web server runs as a different account that shares the file's group, it needs group read, so use 0440. If the site breaks at 0440 too, the PHP user is neither the owner nor in the group, and the fix is to correct the ownership, not to open the file up to everyone.

6. Wp-config.php file should be moved to a non-accessible directory

The gravity of this file is that anyone who can read it can take over the site, so it is worth moving it out of the directory the web server serves. WordPress automatically looks for wp-config.php one directory above its own installation directory, so no code change is needed. This only helps if the parent directory is itself outside the web root: in the second example below, /home/www/ must not be the document root of another site, or the file is just as exposed as before. For example:

If the original location was:

/home/www/wp-config.php

move the file to:

/home/wp-config.php

Or for instance from

/home/www/my-blog/wp-config.php

to:

/home/www/wp-config.php

7. Disable Any Debug mode to make your WP site Secure

Debug output can reveal file paths, SQL queries and plugin internals to anyone who triggers an error. Open wp-config.php and make sure none of the debug constants are enabled on a production site. The one that matters most is WP_DEBUG; SCRIPT_DEBUG only switches the admin to unminified scripts, but it should be off too. If you find a line such as:

define('SCRIPT_DEBUG', true);

delete it or replace it with:

define('SCRIPT_DEBUG', false);

8. Check Folder and File Permissions of Your WordPress

The Folder of Your WordPress should have 0755 as the best permission for folders or directory and for files it should be 0644. If you find any directory with the permission as 0777 then change them to 0755.


How to change folder or file permissions in cPanel?

In the cPanel File Manager, the permissions of each entry are shown as a number such as 0755; click it to open the permission dialog and change the directory's permissions. The same works for files. On a server with shell access, find and chmod do the same job for the whole tree at once.

Why change file or folder permissions, and how does it secure my WordPress?

Each permission bit grants read, write or execute access to the owner, the group or everyone else. A directory at 0777 or a file at 0666 is writable by every account on the server, so on shared hosting a compromise of any other site on the same machine (or a bug in any process running there) can be used to plant PHP files in yours. 0755 for directories and 0644 for files let the web server read and serve your content while only the owner can change it.

Permissions therefore limit who can modify your site to the accounts that genuinely need to, which is what least privilege means on the filesystem.
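As an added example that is not from the article, the following PHP script walks a WordPress tree and reports anything world-writable, plus a wp-config.php that other users can read; with --fix it also repairs the modes to the 0755/0644 (and 0440 for wp-config.php) values discussed above. It assumes it is run from the command line as the owner of the files; the paths in the usage comment are placeholders.

```php
<?php
// audit-perms.php (added example): report, and optionally fix, WordPress file modes.
// Usage: php audit-perms.php /var/www/html         (report only)
//        php audit-perms.php /var/www/html --fix   (also chmod to 755/644, wp-config.php to 440)

function audit_permissions(string $root, bool $fix = false): array
{
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $path => $info) {
        $mode  = fileperms($path) & 0777;
        $isDir = $info->isDir();
        $want  = $isDir ? 0755 : 0644;
        // World-writable: any account on the box can plant or alter PHP here.
        $bad = ($mode & 0002) !== 0;
        if (!$isDir && $info->getFilename() === 'wp-config.php') {
            $want = 0440;                          // owner and group (the PHP user) read only
            $bad  = $bad || ($mode & 0004) !== 0;  // other-readable leaks the DB credentials
        }
        if (!$bad) {
            continue;
        }
        $findings[] = sprintf('%s %04o (want %04o)', $path, $mode, $want);
        if ($fix) {
            chmod($path, $want);
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $root = rtrim($argv[1], '/');
    $fix  = in_array('--fix', $argv, true);
    foreach (audit_permissions($root, $fix) as $line) {
        echo $line, PHP_EOL;
    }
    echo 'Done.', PHP_EOL;
}
```

If uploads stop working after --fix, the PHP process is not running as the files' owner; the correct repair is to fix the ownership (chown) of wp-content/uploads, not to put 0777 back. The script deliberately reports only world-writable entries rather than every deviation from 0755/0644, because some hosts legitimately use group-writable modes with a setgid group.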

Change WordPress Database Prefix

If you know a little about databases you will have noticed that WordPress prefixes all its tables with wp_ by default. Automated SQL-injection attacks against vulnerable plugins are written with those default table names hard-coded (wp_users, wp_options), so a different prefix makes such canned attacks fail; it does not stop an attacker who can run arbitrary queries from simply listing the tables. Changing the prefix touches every table plus several option and user-meta keys, so have someone who knows what they are doing handle it and take a backup first, because a mistake can take the site down. The WP-DBManager plugin can change the prefix for you.

WordPress core already ships with a number of protections; the measures above close the gaps that the default setup leaves open.

9. The TimThumb script makes your WordPress vulnerable

TimThumb is an image-resizing script that many older themes and plugins bundled. Old versions of it fetched and cached remote files and were widely exploited to upload PHP to the server, giving attackers a foothold in the site. Remove or disable any theme or plugin that still ships timthumb.php; for thumbnails use WordPress's own image sizes with plugins such as WP Smush or Regenerate Thumbnails instead.

10. Disable EditURI link for your WordPress

Disabling the EditURI (RSD) link and XML-RPC makes WordPress harder to attack, but the Jetpack plugin relies on XML-RPC to connect to WordPress.com, so if you use Jetpack skip the XML-RPC part below and keep only the RSD link removal.

Open your theme’s functions.php file and add the following line:

remove_action('wp_head', 'rsd_link');

To switch off the authenticated XML-RPC methods, put the following line in wp-config.php immediately below the require_once(ABSPATH . 'wp-settings.php'); line (it must come after that line, because the hook functions do not exist before it; a must-use plugin is a cleaner home for it). Note that this filter only disables methods that need a login; the unauthenticated pingback.ping method still answers, which is why the web-server rule below is also needed:

add_filter('xmlrpc_enabled', '__return_false');

Also add this to .htaccess to refuse requests to xmlrpc.php at the web server, which stops the pingback-based reflected DDoS abuse and the brute-force attempts that use system.multicall to test many passwords in one request:

<Files xmlrpc.php>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
  </IfModule>
</Files>

11. Grant the MySQL user only the privileges it needs

If an attacker obtains wp-config.php, they get the MySQL username and password and can do anything that account is allowed to do, so give the account only the privileges WordPress needs day to day. Routine operation needs SELECT, INSERT, UPDATE and DELETE. Core updates also need ALTER, and installing a plugin that keeps its own tables (many do) needs CREATE, and DROP when it is uninstalled. A practical compromise is to grant the minimal set and add CREATE, ALTER and DROP temporarily while you update or install plugins; at the very least the account must not have privileges on other databases, the FILE privilege, or GRANT OPTION. MySQL account privileges can be adjusted from the MySQL Databases page in cPanel.

12. Hide Author Usernames

A site's author URLs (and the ?author=N redirect) reveal each author's login name, which leaves an attacker only the password to guess. To hide them, redirect author archives to the home page by adding the following to your current theme's functions.php. The REST API (/wp-json/wp/v2/users) lists users too, so restrict that as well if anonymous visitors do not need it.

// Priority 1 runs before redirect_canonical (priority 10), so ?author=N is sent
// home before WordPress can redirect it to /author/<username>/ and leak the name.
add_action('template_redirect', 'bwp_template_redirect', 1);
function bwp_template_redirect()
{
    if (is_author()) {
        wp_redirect(home_url());
        exit;
    }
}
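The functions.php snippets in Advanced sections 1, 2, 10 and 12 all share the same weakness: they vanish when the theme is switched. As an added example that is not code from the article, the following must-use plugin collects them in one place and fills the gaps noted above (the ?ver= version leak, the unauthenticated pingback.ping and system.multicall methods, the X-Pingback header, and the REST users route). The file path wp-content/mu-plugins/harden.php is an assumption, as is the exact REST route key, which matches the WordPress versions current at the time of writing.

```php
<?php
/**
 * Plugin Name: Site hardening (added example)
 *
 * Save as wp-content/mu-plugins/harden.php. A must-use plugin loads before the
 * theme, cannot be switched off from the dashboard and survives a theme change,
 * none of which is true of snippets in functions.php.
 */

// Advanced 1: hide the WordPress version. The generator tag covers the HTML
// head and feeds; the ?ver= query string on core scripts and styles leaks it
// too, so strip that when it equals the core version (plugins use their own).
add_filter('the_generator', '__return_empty_string');
function harden_strip_core_version(string $src): string
{
    if (strpos($src, 'ver=' . get_bloginfo('version')) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'harden_strip_core_version');
add_filter('script_loader_src', 'harden_strip_core_version');

// Advanced 2: one message for every failure on wp-login.php. The defaults say
// whether the username exists, which is all an attacker needs to enumerate
// accounts before guessing passwords.
add_filter('login_errors', function ($message) {
    return 'Wrong username or password.';
});

// Advanced 10: XML-RPC. xmlrpc_enabled only switches off methods that need a
// login; pingback.ping (reflected DDoS) and system.multicall (many password
// guesses in one request) must be removed explicitly. Skip this block if you
// use Jetpack, which talks to the site over XML-RPC.
add_filter('xmlrpc_enabled', '__return_false');
add_filter('xmlrpc_methods', function (array $methods) {
    unset($methods['pingback.ping'], $methods['system.multicall']);
    return $methods;
});
remove_action('wp_head', 'rsd_link');            // the EditURI link
add_filter('wp_headers', function (array $headers) {
    unset($headers['X-Pingback']);                // stop advertising xmlrpc.php
    return $headers;
});

// Advanced 12: author archives and the REST users route both reveal login
// names. Priority 1 runs before redirect_canonical (priority 10), so ?author=N
// is sent home before WordPress can redirect it to /author/<username>/.
add_action('template_redirect', function () {
    if (is_author()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 1);
add_filter('rest_endpoints', function (array $endpoints) {
    if (!is_user_logged_in()) {   // the block editor needs this route for logged-in users
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});
```

After installing it, confirm each measure from the outside: the page source should contain no generator tag or core ?ver= string, a failed login should always show the same message, a POST to xmlrpc.php with a pingback.ping call should be refused, and /?author=1 and /wp-json/wp/v2/users should no longer reveal any username.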

Secure your WordPress PHP Files


WordPress is PHP, so the PHP configuration matters as much as the WordPress one. This part covers the PHP settings that commonly expose or weaken a WordPress site.

1. Avoid PHP versions older than 5.6

PHP versions stop receiving security fixes a few years after release, and an unpatched interpreter undermines everything else on this list. At the time of writing PHP 7.1 was the current release; ask your host for at least PHP 7.0, which nearly all plugins support, and in any case never run anything older than 5.6. PHP 7 is also considerably faster than 5.6.

2. PHP Expose should be turned Off

expose_php adds an X-Powered-By header announcing your exact PHP version to every visitor. If you can edit php.ini (on shared hosting this may be a php.ini or .user.ini file in your site's root directory, or a setting in the control panel), find

expose_php = on

and change it to:

expose_php = off

3. Disable Safe Mode in your PHP configuration

safe_mode was removed in PHP 5.4, so on any PHP version you should be running the directive no longer exists, and a line setting it only produces a warning. If you still find it in php.ini, delete the line rather than editing it, and upgrade PHP as described above. On the obsolete versions where it did exist, you would find

safe_mode = on

and change it to:

safe_mode = off

4. Disable PHP Error Reporting

PHP error messages include the full filesystem path of the script that failed, which tells an attacker exactly where your files live, and often the query or plugin involved as well. Error reporting is useful while developing, but on a live site it must never reach the browser. Edit wp-config.php and add:

error_reporting(0);
@ini_set('display_errors', 0);

Be aware that WordPress resets the error_reporting level when it boots, so the first line is largely cosmetic; the display_errors setting is the one that actually keeps messages off the page. Keep logging errors to a file outside the web root instead of discarding them entirely, so you can still diagnose problems.
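Several of the measures above (Advanced 4, the security keys, Advanced 7, Basic 9 and the error-reporting setting just discussed) are wp-config.php constants, and the article shows them one at a time. As an added example that is not from the article, here they are together as the block to paste above the "That's all, stop editing!" comment in wp-config.php. The log path is an assumption and must be adjusted to a directory outside the web root that the PHP user can write to; the key values shown are the placeholders a fresh install ships with and must be replaced with the output of the salt generator.

```php
// wp-config.php hardening excerpt (added example). Paste ABOVE the line that
// loads wp-settings.php, because WordPress reads these constants while booting.

// Advanced 4: remove the theme/plugin file editor from the dashboard, so a
// stolen admin session cannot be turned into a PHP shell. DISALLOW_FILE_MODS
// also blocks plugin/theme uploads and dashboard updates; enable it only if you
// update from the command line or a deployment pipeline.
define('DISALLOW_FILE_EDIT', true);
// define('DISALLOW_FILE_MODS', true);

// Basic 9: always use HTTPS for wp-login.php and wp-admin, even when a link
// points at http://, so credentials and the admin cookie never travel in clear.
define('FORCE_SSL_ADMIN', true);

// Advanced 7 and PHP 4: keep error output off the page. WordPress overwrites
// error_reporting() while booting, so display_errors is the setting that
// actually matters; WP_DEBUG_DISPLAY only applies while WP_DEBUG is on.
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
define('SCRIPT_DEBUG', false);
@ini_set('display_errors', '0');
// Log instead of discarding. The path is an assumption: it must be outside the
// web root and writable by the PHP process user. Hosts that lock php.ini may
// ignore ini_set(); use the host's own error-log setting in that case.
@ini_set('log_errors', '1');
@ini_set('error_log', '/var/log/wordpress/php-errors.log');

// Suggestion 4 below: let WordPress install all core updates by itself
// (minor releases are the default; true includes major releases).
define('WP_AUTO_UPDATE_CORE', true);

// Security keys and salts: replace every value with the output of
// https://api.wordpress.org/secret-key/1.1/salt/ . The placeholders below are
// what a fresh install ships with; leaving them makes cookies forgeable.
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
```

After saving, load the site and the login page once to make sure nothing broke, then deliberately request a page that does not exist on a plugin (for example a missing file under wp-content) and confirm the response contains no PHP warning or path.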

Suggestions for keeping your WP site secure

WordPress is a great CMS, also for e-commerce, and millions of companies and bloggers build their sites on it. As the user base grows, so does the attention it gets from attackers, who keep probing for new weaknesses. The steps above close the common holes and make a compromise much less likely, but no checklist makes a site permanently safe. Cleaning up after a hack is expensive, so here are a few habits that keep you out of that situation.

1. Keep regular backups of your WordPress files and database, stored somewhere other than the web server, so that you can restore a clean copy if the site is hacked. Backups also make moving to another host quick. Nobody can guarantee security for the long term: the threats change daily and attackers keep learning.

2. Never install “free” copies of premium (paid) plugins or themes. Such nulled copies very often come with a backdoor built in.

3. Before installing a plugin or theme obtained from anywhere other than the official WordPress.org directory, scan the archive on the VirusTotal website; it will catch known malware, though not a custom backdoor.

4. Always update WordPress core, plugins and themes promptly; most successful attacks exploit vulnerabilities for which a fix has already been released.

5. Sometimes the weak point is not WordPress but your own computer: malware on it can steal your saved FTP and WordPress passwords. Keep your computer patched, run a reputable antivirus and a firewall, and prefer SFTP over plain FTP, which sends your password in cleartext.
