The Ultimate WordPress Security Guide
7-layers of Security for Your WordPress Site
Your website needs the most comprehensive security to protect it from the constant attacks it faces every day.
There is a good reason to be worried about your website’s security. Reports tell us that over 90,000 hack attempts are made on WordPress websites every minute of the day.
Many website owners may think their website is too small to draw a hacker’s attention. The truth is, because small websites take security leniently, hackers find it all the easier to hack them.
Big or small – every WordPress website needs to take security measures.
Luckily, there are numerous things you can do to protect your website from hackers and bots. In this article, we’ll show exactly what steps you need to take to ensure that your website is secure.
Importance of Website Security
WordPress is the world’s most popular website building platform. Right now there are 75 million WordPress websites on the internet, and hundreds of new ones are being created each day. This kind of popularity comes with a price.
The more people use it, the more attractive it is as a target for hackers. Windows is a bigger target than Apple’s operating system. Chrome is a bigger target for exploits than Firefox. Popularity draws more attention, both good and bad.
We mentioned earlier how small website owners consider their websites immune and don’t take the necessary precautions, which makes them an ideal target.
When your website is hacked, the hackers use it to run malicious activities. They could be launching bigger attacks on other sites, sending spam emails, storing pirated software, injecting spam links, selling illegal products, or creating affiliate links with Japanese SEO spam, among other things.
And that’s not the end of the problem. Things can snowball quickly: search engines will show deceptive site warnings to users and can blacklist your site. Reports tell us that Google blacklists 50,000 websites for phishing activities and around 20,000 websites for containing malware every week!
Apart from that, hosting providers can also suspend your account. This means your website will be down for days, which will have an impact on your revenue. If you wait too long to fix your site, it’ll do irreparable damage to your business.
We can all agree that taking security precautions is much better than fixing a hacked WordPress website.
We’ll show you how you can secure your site, but before that we want to address a question that many of our readers are thinking about.
But Isn’t WordPress Secure?
The WordPress core is secure. WordPress has an army of the best developers working tirelessly to keep the WordPress core safe. They are consistently improving technology and releasing patches and updates to fix any glitch or error.
There hasn’t been any major vulnerability in the WordPress core for a long time.
Despite this, there are over 90,000 hack attempts made on WordPress websites every minute of the day. And there are two main reasons behind that.
First off, WordPress is an extremely popular platform. Some 75 million websites on the internet are built on WordPress which attracts the attention of hacking groups from around the world.
Another reason is the presence of vulnerable and outdated themes and plugins. In fact, reports suggest that outdated themes and plugins are a leading cause of WordPress compromises.
(Psst — you can read more about this on our WordPress security updates article.)
So although WordPress itself is a safe platform, there are other factors that can lead to a compromised website. Hence, taking the following security measures can go a long way in keeping your WordPress websites safe.
How to Secure a WordPress Website?
There are 15 different security measures that you can take to protect your WordPress website. Those are:
- Install a WordPress Security Plugin
- Take Regular Backups
- Use a Good Hosting Company
- Keep WordPress Up-to-Date
- Use an SSL Certificate
- Protect Your WordPress Login Page
- Set Up a Firewall
- Harden Your Website
- Employ the Principle of Least Privilege
- Block Suspicious IP Addresses
- Implement Country Blocking
- Hide WordPress Version
- Check Activity Log
- Use Only Email Address to Login
- Use HTTP Authentication
Let’s take a deeper look at these measures.
1. Install a WordPress Security Plugin
The primary functions of a security plugin or service are to scan, clean, and protect. While there are many WordPress security plugins to choose from, not all of them are effective. Some may offer many features, but that just creates a lot of noise. A seasoned hacker can bypass such security plugins to hack your website.
MalCare is one of the best WordPress security scan plugins out there. Here’s why –
i. MalCare’s Malware Scanner
A WordPress malware scanner requires resources to run a scan. Many scanners rely on your web server’s resources but this can slow down the speed of your website.
To overcome this challenge, MalCare uses its own server resources to run a scan of your website. It transfers your website’s files to its own server and then runs the scan there. This method ensures that your site remains unaffected during the scanning process.
Many scanners look for only existing malware which means that they miss new types of malware. MalCare is designed to identify all types of malware including new ones.
ii. MalCare’s Malware Removal
MalCare offers the fastest malware removal service. Most WordPress security services offer ticket-based cleaning. In this model, if your website is hacked, you’d need to raise a ticket, pay the malware removal fee and then wait for security personnel to clean your site and get back to you. This process is time-consuming and involves giving a third party access to your site.
MalCare’s Cleaner works differently. Following a hack, time is of the essence: the longer the cleanup takes, the greater the chance of Google blacklisting your website or your web host suspending your site. That’s why MalCare offers instant WordPress malware removal to clean a hacked website. All you need to do is click a button, sit back and let the plugin clean your site within minutes.
iii. MalCare’s WordPress Protection Measures
All the measures that we mentioned so far – from using a firewall to country blocking to hardening your website – are protective measures that MalCare enables you to take with just the click of a button.
How to Use MalCare?
- To use MalCare, you need to first download and install the plugin on your website.
- Then add your site to the MalCare dashboard. The plugin will begin scanning your website immediately. If it finds any malicious files on your website, it’ll notify you.
- You can clean your site immediately using MalCare’s Auto-Clean button.
2. Take Regular Backups
Backups are your safety net. If something goes wrong with your website, you can restore it back to normal if you have a copy of your website.
There are many backup plugins out there. With the overwhelming number of choices available, it can be really easy to end up with a service that is not up to the mark. To select the right backup service, you’ll need to know how to choose a backup plugin.
Moreover, reviewing backup plugins will be a time-consuming and expensive affair. Luckily, we did a comparison between the major WordPress backup plugins in the market. Take a look at the best WordPress backup plugins.
3. Use a Good Hosting Company
The two most popular types of hosting are shared hosting and managed hosting.
Shared hosting is popular because it’s less expensive. It has enabled millions of people across the globe to start their own website without a big investment. But in shared hosting, you are sharing a server with other unknown websites. And often when one website is compromised, other websites on the same server are affected. Hence, although popular, shared hosting providers are ill-equipped to handle threatening situations.
If you can afford a dedicated server, always choose that. It does a better job of keeping a WordPress website secure. You can check how web hosting affects website security.
Since there are many hosting providers to choose from, we made a comparison of the top WordPress hosting providers. Hopefully, it’ll help you decide which web host to opt for.
4. Keep WordPress Website Up-to-Date
Like any other software, plugins, themes, and even the WordPress core develop vulnerabilities over time.
When developers learn about the vulnerabilities, they release a patch in the form of an update. When website owners don’t update their site, the vulnerabilities remain.
After releasing a patch, developers announce the reasons for the update which means the vulnerability is publicly announced. Hackers are now aware of the security flaw and in which version it exists. They are aware that not every website owner is going to update their site immediately, so they start looking for websites that are running on the vulnerable version. This time gap gives them a good chance of successfully hacking a large number of sites.
Case in point, statistics show that over 80% of the websites were hacked because they were not being updated!
You must update your WordPress site regularly. Learn how to update your WordPress website safely.
You may notice that there are plugins and themes that have not been updated by their developers for a long time. In most cases, the software has been abandoned by its developers. It’s best to remove the plugin or theme from your website and install an alternative.
5. Use an SSL Certificate
Quickly take a look at the URL of this website.
Notice the lock? This lock means the site is using an SSL certificate. SSL (Secure Sockets Layer) encrypts the data while it’s being transferred between the browser and the website.
Why? Because data (like credit card details) travelling from a visitor’s browser to your website can be intercepted and stolen. If it’s encrypted, then even if the data is intercepted, hackers cannot use it.
Here’s a guide that’ll help you install an SSL certificate on your website and Move WordPress Site From HTTP to HTTPS.
6. Protect Your WordPress Login Page
The login page is one of the most commonly attacked parts of a WordPress site. Hackers try to guess the login credentials and access the WordPress admin area, which would give them complete control over the website. Hence, it’s important to implement the right protection on your WordPress login page. Let’s look at the different techniques that’ll enable you to protect your login page and increase WordPress login security.
i. Use Unique Username
If your username is easy to guess, then the hacker only needs to figure out the password. With one less thing to worry about, it makes the job of a hacker a lot easier.
One of the most common WordPress usernames is “admin”. Up until a few years ago, WordPress encouraged people to use “admin” as a username. Although WordPress no longer auto-suggests “admin”, it is still widely used. Hence, you must take measures to make sure that your admins avoid using “admin” as the username, along with these commonly used usernames.
Consulting this list every time a new user account is created could go a long way in keeping your WordPress site safe. Moreover, if any of your existing users are using common usernames, then tell them to change them. Here’s a guide that they’ll find helpful: How to Change WordPress Username?
ii. Change Your Display Name
To infiltrate your site, hackers skim through your website and pick up the display names. They use different combinations of those names to try to log in. Hackers know it’s not uncommon to have the same username and display name. For example, if Sophia Lawrence is a display name, they might try to log in using sophialawrence or sophia.lawrence or sophia as the username.
So, to safeguard your site from this, you can change your display name.
Go to “Edit My Profile” and change your “Nickname”. Save the update. Now, select “Display Name Publicly As”. A drop-down menu appears in which you’ll see the new display name. Select it and save the setting.
Hackers will inevitably fail if they try to use the display name.
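As an added example (not code from the article or from MalCare), the two checks in sections i and ii can be enforced automatically instead of by consulting a list by hand: a blocklist of common usernames applied whenever an account is created, and a profile-save check that rejects a display name an attacker could turn back into the login name. It assumes it is dropped into a must-use plugin or the active theme's functions.php; the mc_example_ function names and the word list are constructed for this example.

```php
<?php
// Constructed list; extend it with names seen in your own failed-login log.
function mc_example_common_usernames() {
    return array( 'admin', 'administrator', 'root', 'test', 'user',
                  'wordpress', 'support', 'webmaster' );
}
// Core consults this list in validate_username() and wp_insert_user(),
// so it covers the Add New User screen, self-registration and WP-CLI alike.
add_filter( 'illegal_user_logins', 'mc_example_common_usernames' );

// Login names an attacker would derive from a public display name, as in the
// "Sophia Lawrence" -> sophialawrence / sophia.lawrence / sophia example.
function mc_example_login_variants( $display_name ) {
    $name = strtolower( trim( (string) $display_name ) );
    if ( '' === $name ) {
        return array();
    }
    $parts = preg_split( '/\s+/', $name );
    return array_unique( array(
        $name,
        implode( '', $parts ),
        implode( '.', $parts ),
        implode( '_', $parts ),
        $parts[0],
    ) );
}

// Runs when a profile is created or saved in wp-admin (edit_user()).
// $user carries the submitted fields; $errors is the WP_Error shown to the user.
function mc_example_check_display_name( $errors, $update, $user ) {
    if ( empty( $user->user_login ) ) {
        return;
    }
    $login        = strtolower( $user->user_login );
    $public_names = array();
    foreach ( array( 'display_name', 'nickname' ) as $field ) {
        if ( ! empty( $user->$field ) ) {
            $public_names[] = $user->$field;
        }
    }
    foreach ( $public_names as $public_name ) {
        if ( in_array( $login, mc_example_login_variants( $public_name ), true ) ) {
            $errors->add(
                'display_name_reveals_login',
                'Your public display name must not reveal your username; pick a different nickname.'
            );
            return;
        }
    }
}
add_action( 'user_profile_update_errors', 'mc_example_check_display_name', 10, 3 );
```

The variant list is a heuristic for the patterns the section describes; a display name unrelated to the login name still passes, which is the outcome the section recommends.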
iii. Prevent Discovery of Username
Apart from the display name, another method that can be employed to discover usernames on your website is the WordPress REST API. This is a serious WordPress security issue. Introduced in 2016, this core WordPress feature allows anyone to discover users’ information on your site. All they need to do is open a simple URL: example.com/wp-json/wp/v2/users
To prevent this from happening, add the following code snippet to the functions.php file. It’ll hide the user list and give you a 500 error if you try to open the URL again.
[php]
add_filter( 'rest_endpoints', function( $endpoints ) {
    // Remove the user collection route (/wp/v2/users).
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    // Remove the single-user route (/wp/v2/users/<id>) as well.
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );
[/php]
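The snippet above removes the users routes for everyone, which also breaks features that legitimately need them, such as the block editor's author selector for logged-in editors. This added example (not the article's code; the function name is hypothetical) narrows the same rest_endpoints filter so the routes disappear only for requests that carry no logged-in user.

```php
<?php
// Hide the users routes from unauthenticated REST requests only.
function mc_example_hide_user_routes( $endpoints ) {
    // REST authentication (cookie + nonce, or an application password) has
    // already run by the time rest_endpoints fires, so this check is reliable.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        // Covers /wp/v2/users, /wp/v2/users/(?P<id>[\d]+) and /wp/v2/users/me,
        // whatever the exact route pattern of the installed WordPress version.
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'mc_example_hide_user_routes' );
```

After deploying it, the check to run is a logged-out request to example.com/wp-json/wp/v2/users, which should answer with a rest_no_route error, while the same request from a logged-in session still lists users.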
The username is one of the two components of a login credential. Let’s look at the second component – the password – and try to figure out how to secure it from hackers.
iv. Enforce Strong Passwords
Any password will protect my website, isn’t that enough? The answer is no because hackers are constantly trying to guess passwords of WordPress sites in order to break in.
They use a technique called brute force attacks in which they program bots to make millions of login attempts trying to guess your credentials in under a few minutes.
If you use an easy password like Passw0rd123$, the bot will crack it in a few guesses. This is why it’s important to have a unique and complex password.
WordPress encourages users to auto-generate strong passwords, but you can still create an account using a weak password. Therefore, the onus of using strong passwords falls on your shoulders.
You can educate your WordPress admins to use strong passwords. The guidelines for setting a strong password are as follows:
– Create Long Passwords
In general, passwords that exceed 8-10 characters are considered strong and typically difficult to crack. Every character you add to your password makes it stronger. However, over the past few years, password cracking technology has advanced significantly. Hence, many WordPress security personnel recommend using passphrases that are 15 characters in length.
- Long password: pd&&)xG56ZhLNrjl4jjNJ4#h (hard to remember)
- Long passphrase: Its wolf was white as you know nothing John Snow (easy to remember)
– Use a Combination of Uppercase, Lowercase, & Special Characters
In brute force attacks, bots are programmed to carry out password cracking procedures. They follow certain instructions, for instance, they’ll try to guess the right password by coming up with a combination of different lowercase letters (‘a’, ‘b’, ‘c’, etc.). Using an easy password like ‘testpass’ means they can crack the password after making only a few attempts.
Hence if you use a combination of both lowercase and uppercase characters, it’ll take them a long time to figure out the password. However, a really well-programmed bot can try a few million passwords every second. So mixing special characters, numbers, lower and uppercase letters should ideally make the password unpredictable and hard to crack.
- Add caps – TestPass
- Add numeral and symbol – TestPass123$
– Avoid Using Common Words and Publicly Known Details
Words like ‘test’, ‘admin’ and ‘login’ are common words that WordPress users tend to use as passwords. These are some of the passwords that bots try out first, so avoid using them. According to an infographic by Splashdata, the top 25 most commonly used passwords include:
- Common sports and interests like ‘baseball’, ‘football’, ‘Star Wars’, ‘Princess’, ‘Solo’, etc.
- Numbers in Order like ‘87654321’, ‘0123456’, etc.
- Letters in Order like ‘abc123’, etc.
Hackers targeting your website may pick up details from your site and try them out. For instance, if you have a website built around your favorite TV show Game of Thrones, bots will try various combinations of the phrase to break into your site, such as “GoThrones123” or “gameofthrones123”. To prevent this from happening, design a password that has no mention of anything related to the website.
Securing passwords minimizes the chances of a security breach. But strong passwords are hard to remember unless you have a few tricks up your sleeve.
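As an added example (not from the article), this enforces the rules of section iv in code wherever WordPress accepts a new password: at least 15 characters, either mixed character classes or a multi-word passphrase, and no common words, no username, and no terms taken from the site's own title or host name. It assumes a must-use plugin; the mc_example_ names and the short blocklist are constructed for this example.

```php
<?php
// Returns the reasons a password is weak; an empty array means it passes.
function mc_example_password_problems( $password, $context_terms = array() ) {
    $problems = array();
    $compact  = strtolower( preg_replace( '/\s+/', '', $password ) );

    if ( strlen( $password ) < 15 ) {
        $problems[] = 'it is shorter than 15 characters';
    }
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $class ) {
        $classes += preg_match( $class, $password );
    }
    $words = count( preg_split( '/\s+/', trim( $password ), -1, PREG_SPLIT_NO_EMPTY ) );
    // A mixed-class password and a passphrase of several words both pass this rule.
    if ( $classes < 3 && $words < 4 ) {
        $problems[] = 'it neither mixes character classes nor is a multi-word passphrase';
    }
    // Constructed blocklist: dictionary words, sequences and the article's examples.
    $blocklist = array( 'password', 'passw0rd', 'admin', 'test', 'login', 'qwerty',
                        'letmein', 'baseball', 'football', 'starwars', 'princess',
                        'abc123', '123456', '654321', '0123456' );
    foreach ( array_merge( $blocklist, $context_terms ) as $term ) {
        $term = strtolower( preg_replace( '/\s+/', '', (string) $term ) );
        if ( strlen( $term ) >= 4 && false !== strpos( $compact, $term ) ) {
            $problems[] = 'it contains the predictable term "' . $term . '"';
            break;
        }
    }
    return $problems;
}

// Site-specific terms a targeted attacker would guess first: the username,
// the site title and its individual words, and the labels of the host name.
function mc_example_context_terms( $login ) {
    $title = get_bloginfo( 'name' );
    $terms = array_merge( array( $login, $title ),
                          preg_split( '/\s+/', $title, -1, PREG_SPLIT_NO_EMPTY ) );
    $host  = wp_parse_url( home_url(), PHP_URL_HOST );
    if ( $host ) {
        $terms = array_merge( $terms, explode( '.', $host ) );
    }
    return $terms;
}

function mc_example_add_password_errors( $errors, $login ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no new password submitted with this form
    }
    $password = wp_unslash( $_POST['pass1'] );
    foreach ( mc_example_password_problems( $password, mc_example_context_terms( $login ) ) as $problem ) {
        $errors->add( 'weak_password', 'Please choose a different password: ' . $problem . '.' );
    }
}

// Profile creation and edits in wp-admin: $user holds the submitted fields.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    mc_example_add_password_errors( $errors, isset( $user->user_login ) ? $user->user_login : '' );
}, 10, 3 );

// Password reset form (wp-login.php?action=rp): $user is a WP_User on success.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    $login = ( $user instanceof WP_User ) ? $user->user_login : '';
    mc_example_add_password_errors( $errors, $login );
}, 10, 2 );
```

With these rules the article's Passw0rd123$ fails on length and on the term passw0rd, while the long wolf passphrase passes, which matches the section's recommendation.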
v. CAPTCHA-based Protection
Besides using unique usernames and strong passwords, using CAPTCHAs is another perfect way to prevent brute force attacks on your WordPress website.
Following a certain number of failed login attempts, a CAPTCHA is generated to determine whether the user is a human or a bot. CAPTCHAs are designed to be unreadable by bots. Hence, they thwart brute force attacks because bots can’t access the login page until they solve the CAPTCHA.
WordPress security plugins like MalCare generate image-based CAPTCHA that is only solvable by a real, human user.
Designed to prevent hacker bots from cracking your credentials, CAPTCHAs are great.
vi. Implement Two-Factor Authentication
Have you noticed how popular services like Facebook and Gmail authenticate users when they try to log in? A code is sent to the smartphone associated with your account which helps validate the user. This is known as two-factor authentication.
WordPress does not offer two-factor authentication. Hence, to implement this on your WordPress site, you can follow this guide on How to Add WordPress Two-Factor Authentication.
7. Set Up a Firewall
Of the hundreds of visits that you receive on your website, some are malicious. Such visitors come to your site with the intention of finding vulnerabilities that they can exploit to gain control of your site.
A WordPress firewall checks every visitor request made to your website. No matter what device the visitor is using – desktop, smartphone, tablet, laptop – every device is associated with an IP address. If the request comes from a suspicious IP, the visitor is blocked; otherwise, it’ll be allowed to access the site. A good firewall is your first line of defense against malicious traffic.
A WordPress firewall plugin like the one MalCare offers comes with an advanced firewall that offers better security. It does not just check traffic requests made on your site, it also records bad traffic. Meaning when it comes across a new bad IP, it keeps a record of it. If the bad IP tries to access your website again, it’s promptly blocked.
8. Harden Your Website
We identified some common areas of a WordPress website that hackers take advantage of. For instance, they could be using your security keys to gain access to your website or installing malicious plugins or themes on it. To protect your website from hackers, you need to take steps to fortify it.
We have a guide that’ll help you take WordPress hardening measures.
9. Employ the Principle of Least Privilege
WordPress offers 6 default user roles: Administrator, Editor, Author, Contributor, Subscriber, and Super Admin. These roles must be allotted carefully. Each role comes with its own set of powers and responsibilities. Let’s take a look at them:
The Administrator is at the top of the hierarchy. An administrator has full control over the website and can perform the following functions:
- Create, edit and delete content
- Edit plugins and themes code
- Manage all plugins and themes
- Create, modify and delete user accounts
The rights decrease as you go down the hierarchy. The Editor cannot make major changes, but can manage categories and links, moderate comments, and create, edit, and delete posts and pages. The Author, Contributor, and Subscriber have fewer permissions.
The highest responsibility is that of an Administrator, the rights to which should be given to the people you are confident won’t abuse power.
If the wrong sort of people gain admin access, they could take advantage of the role. They can install rogue plugins and themes, steal your data and sell it, and store illegal files and folders, among other things.
10. Block Suspicious IP Addresses
If you have a WordPress security plugin like MalCare installed on your website, go through the log of IP addresses that have been trying to log in unsuccessfully.
Notice how some of them could be using common usernames (we spoke of this in the “Use Unique Username” section) like “adm2016”. The picture below is a record of failed login attempts made on one of our websites.
To block these malicious IP addresses, place the following lines in your .htaccess file:
[php]
order allow,deny
deny from 61.134.52.164
allow from all
[/php]
Replace “61.134.52.164” with the IP address you want to ban and save the file.
11. Implement Country Blocking
The world wide web gives hackers access to websites all across the globe. They could be located in Russia targeting a website from New York.
Statistics show that the top five countries where hack attempts originate include China, United States, Turkey, Brazil, and Russia.
If you have MalCare installed, it is easy to check users who are trying to log into your website. You can see their country of origin.
If you have users located only in the US, then login attempts made from other countries are most likely malicious.
In the above image, we can see that login attempts have been made from four different countries – the United States, United Kingdom, Russia, and China.
Now, if you are targeting only specific countries like the US, you don’t need traffic from other countries hence you can block the United Kingdom, Russia, and China.
To learn how to implement country blocking, take the help of this guide on How To Block a Country In WordPress?
12. Hide WordPress Version
Another way a hacker can find out whether your site has known WordPress vulnerabilities is by looking up the WordPress version you are using. Sometimes website owners miss new WordPress updates, which leaves their site vulnerable.
Hackers can exploit any vulnerability that existed in the previous version of the core WordPress installation. Hence, hiding the WordPress version you are using might be useful.
To do this, you need to place some code in the functions.php file.
Step 1: Login to your host account. Access cPanel > File Manager > public_html.
Step 2: In the public_html folder, access wp-content and select the folder of your active theme.
For example, if you’re using the default WordPress theme Twenty Nineteen, select the folder named “twentynineteen”.
Note that “personalblogily” is the theme we are currently using on our websites; you could be using a different theme.
Step 3: Right-click on the functions.php file and select Edit. Here, place the following code.
[php]
// Return an empty string in place of the "WordPress x.y.z" generator tag.
function wpbeginner_remove_version() {
    return '';
}
add_filter( 'the_generator', 'wpbeginner_remove_version' );
[/php]
Save the file, and this will remove the WordPress version number from being displayed anywhere on your site.
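The filter above removes the meta generator tag (and the version in feeds), but core also appends its version as a ?ver= query string to every stock script and stylesheet it loads, and readme.html in the web root states it too. This added example (not the article's code; the function names are hypothetical) keeps the generator filter and additionally strips the core version from those asset URLs while leaving plugin and theme version strings intact for cache busting.

```php
<?php
// Empty generator string: nothing to print in <head> or in feeds.
function mc_example_remove_generator() {
    return '';
}
add_filter( 'the_generator', 'mc_example_remove_generator' );

// Drop ?ver=<core version> from a script or style URL. Assets that carry their
// own version (plugins, themes, bundled libraries) are left alone so browser
// caching keeps working for them.
function mc_example_strip_core_version( $src ) {
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && get_bloginfo( 'version' ) === $args['ver'] ) {
        return remove_query_arg( 'ver', $src );
    }
    return $src;
}
// Late priority so this runs after other plugins have added their own ver= values.
add_filter( 'style_loader_src', 'mc_example_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'mc_example_strip_core_version', 9999 );
```

Verify it by viewing the page source: there should be no meta generator line and no ?ver= matching the core version on /wp-includes/ assets; readme.html is a separate leak and is best deleted or blocked at the web server.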
13. Check Activity Log
Keeping a vigilant eye on everything that is happening on your WordPress website allows you to identify suspicious behavior at an early stage. This will help you thwart any possible malicious hack attacks before they actually happen and damage your WordPress website.
You can do this by installing a plugin to keep a record of everything that happens on your WordPress website in a WordPress activity log. There are several different plugins you can choose from. WP Security Audit Log is one such plugin.
14. Use Only Email Address to Login
On the WordPress login page, you can use either your username or your email ID to log in. Hence, disabling the use of usernames could discourage hackers from performing brute force attacks on your website.
There are plugins like No Login by Email Address that allow you to prevent the use of usernames to log into your website.
15. Use HTTP Authentication
HTTP authentication offers a layer of protection over the WordPress login page and is an important step towards WordPress security. To access the page, the user needs to enter the HTTP credentials. Without this, they will not be allowed to access the login page of your site.
Plugins such as HTTP Auth help set up this protective layer over your login page. Remember to share the HTTP authentication credentials with your users. Otherwise, they will find themselves locked out and unable to login to your site.
With that, we’ve come to the end of the advanced security measures for WordPress websites.
Common But Obsolete WordPress Security Measures
In the world of WordPress security, there is a lot of advice that site owners tend to get. But some of this advice is not very effective. We are going to list some of the common security advice that comes with major drawbacks. These measures don’t really secure your website, as hackers have found ways to work around them.
1. Hide WordPress Login Page
Hackers rarely target single websites. They program automated bots to launch attacks on WordPress login pages. Anyone who has used WordPress long enough knows that WordPress websites come with a default login page URL that looks like this: “example.com/wp-admin”.
This makes the job of the automated bots much easier. Hence, changing your website’s login page to something like “example.com/wrongpage” could deflect an oncoming attack.
There are several plugins such as WPS Hide Login, Hide WP-Admin, etc. that can help you hide your WordPress login page.
Drawback: Although this can easily prevent automated hack attempts, it does not guarantee that your website will be safe. This is mainly because tools like WPS Hide Login offer a default login URL. So, hundreds of thousands of websites using the tool are using the same URL for their login page. Hackers can easily find out the URL format and launch attacks.
Moreover, hiding the login page without properly informing all users can prove to be very inconvenient. It can even cost you a day’s work.
2. Set Passwords to Expire
You must have noticed in e-banking services they ask you to change passwords after a specific time period has lapsed. This is a safety measure that ensures that if your account is hacked, the hacker gets only a limited window to exploit your account. Applying the same measure on your WordPress websites reduces the damage.
Using the Expire Passwords plugin, you can set user passwords to expire after a specific number of days. All users are forced to update their passwords.
Drawback: This measure does provide some level of security, but hackers find ways around it. For example, when they hack your site, they create new user accounts or install hidden backdoors. So even though you change your password regularly, they’ve already created other points of access.
3. Auto-Logout When There’s No Activity
For websites with multiple users, the chances of abuse of user rights are high. It’s even higher for users who work remotely. A user may have to leave their desk to tend to urgent business and forget to log out.
What if someone abuses the website during this time? To reduce the risk of such abuse, you can set up your WordPress website to log out users automatically if they are inactive for a long period.
The Inactive Logout plugin offers an Idle Session Logout feature. This allows you to set a period of inactivity that’s acceptable, such as 10 or 20 minutes, after which the user is logged out automatically.
Drawback: Chances are that if someone wants to snoop around in your site, they’ll do so immediately after the user leaves. In cases like these, logging out idle users can’t prevent abuse of user rights.
Final Thoughts
We know that was a really long read and a bit overwhelming too. But before you head off to take a nap, here’s what we suggest you do –
- Bookmark this article.
- Share it with friends and neighbors – anyone who you think would benefit from following our guide.
- Check out more guides like Secure Your WordPress Site With wp-config.php from our WordPress blog.
We sincerely hope that you found this article helpful. We want to leave you with one final thought – taking all these security measures can be very overwhelming, so we suggest running regular WordPress security audits and opting for a premium WordPress security plugin like MalCare that will handle security for you.
With MalCare, you’ll have access to nifty security features like the firewall, regular malware scans, WordPress hardening, and so much more. You can rest easy knowing your site’s security is taken care of.