A Complete Step-by-Step Guide to Securing Your WordPress Website.
In this post I am going to show you how to secure your WordPress website. This is a lengthy post and you should set aside at least 30 minutes to go through it. Implementing the techniques might take some more time, but it will be worth it, I promise.
So let's get started with securing your WordPress website!
WordPress is the most popular blogging and CMS platform in the world, which makes it a favorite target for hackers. Unless you take the necessary steps to secure your WordPress sites against these real threats, you risk losing your data, your clients' data and even your whole business.
I wrote this post to help the owners and users of the most popular blogging and CMS platform in the world secure their websites from hackers. I also have a great passion for information security and do a lot of reading on computer security.
When you are done reading this post, I guarantee that you will be well equipped with the knowledge needed to keep your WordPress site relatively safe. What I can't guarantee is 100% security for your WP sites, because there is no such thing as 100% security, especially when it comes to online systems.
In this post I have explained in detail the most common free techniques used to greatly decrease the chances of your sites being hacked. All the techniques explained in this post can be used to secure your WordPress website. Keep in mind that your website does not have to be popular to attract hackers. Most attacks are automated by scripts which crawl the web looking for weak points that can be broken into. So even if your website is one day old, I suggest you take this seriously and protect yourself from any eventualities.
Introduction To WordPress Security
What is Security?
Fundamentally, security is not about perfectly secure systems. Such a thing might be impractical or impossible to achieve. What security is, though, is risk reduction, not risk elimination.
The WordPress team takes security very seriously. But as with any other system, there are potential security issues that may arise if some basic security precautions are not taken. WordPress by itself has very few security vulnerabilities, and those are patched promptly with an update.
Your WordPress website is more likely to be compromised because of your own negligence or that of other people, including but not limited to:
- A simple username and password.
- Your web host security practices.
- Third-party software like themes and plugins which run on WP sites.
- Failure to update your WP core, themes and plugins.
- Not using any antivirus and anti-malware software on your computer system.
WordPress Security vulnerabilities
We are going to discuss some of the common WP security vulnerabilities and how we can take precautions against them. Some of these vulnerabilities might sound simple, but they can do a lot of damage if not taken seriously.
Your Computer Vulnerabilities
The first place to start is to ensure that all your computer systems are free of viruses, spyware and malware. Otherwise you will be fighting an unknown ghost. If, for example, there is a keylogger installed on your computer stealing all your strong passwords in plain text, then it does not matter what else you do to protect your WP sites; it will be a total waste of your time and resources.
To ensure your computer systems are secure, always update your operating system and all other software, especially your anti-virus software and your web browsers, to protect yourself from viruses and software vulnerabilities. For those of you using the Windows operating system, Microsoft works very hard to release security patches to seal security holes. So make sure to turn on Automatic Updates and make sure that your firewall is always on.
WP by itself is quite secure and has few security vulnerabilities, and those are patched promptly with updates once discovered. Most vulnerabilities are introduced by other factors, including your web host and the other software that runs on WordPress, such as themes and plugins. According to statistics, in 2012 alone more than 117,000 WP installations were hacked. The simple trick here is to always update your WP core, themes and plugins, which we will look at in more detail in the next chapters.
Choosing which networks to trust and which not to trust is another good way to protect yourself. Both ends of the connection need to be trusted: the WP server side and the client network side. Avoid using cyber cafe or free hotspot internet connections to log in to your WP sites, since that sends your credentials over unsecured connections. You never know who is connected to the same network and sniffing packets in order to get your login credentials.
Web server vulnerabilities
You might have taken all the necessary steps to protect your WP sites, but if your web server has been compromised, that is an easy way for you to be hacked. Make sure your site is hosted on a secure server by choosing the right host. Make sure your host is running secure, stable versions of the web server and the other software on it.
Essential steps to secure your WordPress Website
WordPress is a secure platform and the developers work tirelessly round the clock to seal any security vulnerabilities discovered in WordPress. So just by updating your WP sites you will be sealing a lot of security holes that would otherwise expose you to unnecessary attacks.
Types of WordPress updates
To get the most out of WP updates, we first need to understand the types of updates that WP releases.
WordPress has two kinds of updates:
- Major updates
- Minor updates
Major WordPress releases are easy to identify, as the version number is normally incremented by 0.1, whereas a minor WP release increments the version number by 0.01. Major WP updates mostly introduce new features to the WP platform, while minor WP updates are mostly released to fix bugs and security vulnerabilities.
So how do you go about updating your WP sites? Don't worry, because this is the easiest thing anyone can do, and I am going to show you the different ways you can do it.
Updating your WordPress core
Before you get started updating your WordPress sites, you need to understand a few things.
- There are two ways of updating your WordPress: automatic or manual.
- Make sure to back up your WordPress sites before you do any update. In case something goes wrong, you can always restore your WordPress sites.
Every WP version release addresses security vulnerabilities discovered in the previous WP version. Therefore not updating your WP core files makes you more susceptible to attacks. To stay secure, it is essential to always update your WP to the latest stable release.
Enabling WordPress automatic updates
It is possible to automate your WP updates so that you do not delay any of them. The WP automatic update feature was first released in WordPress 3.7. This feature updates WP in the background without user intervention.
Contrary to what many users believe, by default this feature will only automatically apply minor updates to your WP site.
To enable automatic updates for both major and minor releases, add or edit your wp-config.php file to include the line of code below:
define( 'WP_AUTO_UPDATE_CORE', true );
You will need to log in to your cPanel, scroll down to Files and open File Manager.
Depending on where you installed your WP, locate wp-config.php and click Code Edit to open it, as shown below.
A sample from my blog is shown below. Make sure to save your changes.
Updating your WordPress themes and plugins
Security vulnerabilities in themes and plugins account for more than half of all successful WP hacks. Therefore you need to limit your use of plugins to those that are really necessary. Below are some guidelines for choosing which plugins to install.
- Do not install plugins which have not been updated for more than 2 years; they might have security holes that have not been fixed.
- Avoid downloading premium themes and plugins from untrusted sources such as torrent sites. Hackers might have inserted malicious code which could easily expose you to attacks.
- If you can survive without the functionality of a plugin, deactivate and remove it.
- Keep in mind that the more plugins you install, the easier it is for a hacker to gain access to your website through plugin vulnerabilities.
- Regular updates of themes and plugins are the easiest way to protect your WP sites.
Depending on which theme you are using for your WP site, you will need to update your theme when theme updates are available. Keep in mind that if you made changes to the parent theme directly, your changes will be overwritten when you update the theme. That is why it is very important to use a child theme to customize your main theme, instead of making those changes directly in the parent theme.
With that being said, if you want to automate the process of updating your themes and plugins, insert the following piece of code into your wp-config.php file. See above for how to access your wp-config.php file.
// add_filter() only exists once wp-settings.php has been loaded, so in wp-config.php
// these two lines must come after the require_once of wp-settings.php at the end of
// the file (a must-use plugin or your child theme's functions.php also works).
add_filter( 'auto_update_plugin', '__return_true' ); // Auto update your plugins
add_filter( 'auto_update_theme', '__return_true' );  // Auto update your themes
Note that some themes do not support automatic theme updates.
Be warned that automatic updates of plugins may cause errors on your WP sites. I therefore recommend updating your plugins manually, so that if there are any errors, you can deactivate the plugin and find ways to fix them.
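A middle ground between "update everything automatically" and "update everything by hand" is to let WordPress auto-update only the plugins and themes you trust. The must-use plugin below is an added example written for this post, not code from WordPress or from any plugin mentioned here; save it as wp-content/mu-plugins/selective-auto-updates.php. It uses the same auto_update_plugin and auto_update_theme filters as the two lines above, but with the second argument WordPress passes (the item being updated) so the decision is made per plugin. The slugs in the allowlists are placeholders, not recommendations, and the error_log() line assumes you have PHP error logging enabled on your host.

```php
<?php
/**
 * Plugin Name: Selective automatic updates (added example)
 *
 * Added example for this post, not code from WordPress or from any plugin.
 * Lets WordPress update only an allowlist of plugins and themes unattended,
 * so one broken update on a less trusted plugin cannot take the site down.
 * File location assumed: wp-content/mu-plugins/selective-auto-updates.php
 */

// Plugins (directory names under wp-content/plugins) trusted to update
// unattended. Placeholder slugs: replace them with your own list.
function example_auto_update_plugin_allowlist() {
    return array( 'example-plugin-one', 'example-plugin-two' );
}

// Themes (directory names under wp-content/themes) trusted to update
// unattended. Your customisations live in a child theme, which WordPress
// does not update, so only parent themes belong here. Placeholder value.
function example_auto_update_theme_allowlist() {
    return array( 'example-parent-theme' );
}

// WordPress passes the current decision ($update) and an $item object
// describing the available update; $item->slug is the plugin's directory
// name. Returning true enables the automatic update for that one item only.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, example_auto_update_plugin_allowlist(), true ) ) {
        return true;
    }
    return $update; // everything else keeps the default (manual) behaviour
}, 10, 2 );

// Same idea for themes; here the directory name is in $item->theme.
add_filter( 'auto_update_theme', function ( $update, $item ) {
    if ( isset( $item->theme ) && in_array( $item->theme, example_auto_update_theme_allowlist(), true ) ) {
        return true;
    }
    return $update;
}, 10, 2 );

// Write one line per automatic update to the PHP error log, so a failed or
// site-breaking update is noticed the same day rather than weeks later.
// $update_results is keyed by type ('core', 'plugin', 'theme').
add_action( 'automatic_updates_complete', function ( $update_results ) {
    foreach ( $update_results as $type => $updates ) {
        foreach ( $updates as $update ) {
            $ok = ! is_wp_error( $update->result ) && $update->result;
            error_log( sprintf( 'auto-update %s "%s": %s', $type, $update->name, $ok ? 'ok' : 'FAILED' ) );
        }
    }
} );
```

Because this is a must-use plugin it cannot be deactivated from the admin screen, which is exactly what you want for a security control; remove the file over FTP or File Manager if you ever need to turn it off. The WP_AUTO_UPDATE_CORE line still belongs in wp-config.php as described above.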
Delete unused themes and plugins
There is no need to keep themes and plugins that you do not use; they may introduce security vulnerabilities which can be easily avoided by deleting the files completely.
Manually updating WordPress core, themes and plugins
Another way of updating your WP sites is to do it manually. Most webmasters prefer this method since it gives them more control over the whole process.
To be able to do this, you need to log in to your WP site as an administrator.
Once you are logged in to your WP site, click on Updates on the left side. If there are any updates, you will be able to choose what you want to update from the form that appears.
Secure your WordPress Login Page
This is the most important chapter; it will help you secure your WP sites from the many forms of attack which target this part of your WP site.
The login page is the main entry point to any system and hence needs to be well secured. There are many things, from simple to advanced, that you can do to secure your login page. Below is a list of things you can do to secure your WP login page.
Using a unique username and a strong password
Please, please and please DO NOT use “admin” as your username. If you have already installed WP and your username is still ‘admin’, you need to leave everything else that you are doing now and follow these steps to change your username.
Using the WP admin area to change your username
The process of changing your admin name is simple, but you need to be careful so that you don't lose any of your valuable content. Changing or deleting your default admin username helps increase the security of your WP site.
Follow the below steps carefully to achieve this.
- Log in to your WP site using your default admin username. On the side bar, go to Users and click on Add New.
- Enter all the required details.
- Please note you cannot use the same email address for two user accounts. However, you can always change this later on.
- Make sure to give your new username the Administrator role; this is the only way you can have full access to your site.
- Click on the Add New User button to complete the process.
- Log out and log back in with the new username that you created.
- Go to Users and click on All Users. Hover your cursor over the admin username and click on the Delete button. The next step is the most critical.
- Before deleting the old admin username, you need to transfer all your content to the new username. On the form below, choose the option ‘Attribute all content to’, pick your new username, and then click on the Confirm Deletion button.
- The last step is to make sure that you do not display your username publicly when you post an article. To change this, go to Users – All Users, edit your user and make sure ‘Display name publicly as’ is not the same as your login username.
For someone to access your WP site, they need both your username and your password. Having a unique username and a strong password is a good way to protect yourself from hacks.
What is CAPTCHA?
CAPTCHA is an online test designed so that humans, but not computers, are able to pass it. CAPTCHA is used as a security measure and usually involves a visual-perception task. Using CAPTCHA is a great way to protect your login page from automated bots which crawl the web trying to brute-force their way into WP sites.
HOW TO ENABLE CAPTCHA ON YOUR WP LOGIN FORM
There are several options for activating CAPTCHA on your login form, but my favorite way is to use the SI Captcha plugin, which is absolutely free!
Follow the below steps carefully to achieve this.
- Log in to your WP site – go to Plugins and choose Add New.
- In the search box type ‘SI Captcha’, hit Enter on your keyboard to search and click on Install Now. Activate the plugin.
- Hover over Plugins on your side bar. Click on SI CAPTCHA Options.
- Then choose to enable CAPTCHA on the login form. Don't forget to click Update Options.
As you can see from the SI Captcha options, you can do a lot more with the SI Captcha plugin. Enable the other options which are appropriate for your WP site.
Prevent WordPress Brute Force by Limiting the Number of Failed Login Attempts
By default, WP allows users to enter passwords as many times as they want. This can be exploited by hackers who use scripts that keep trying passwords until they gain access to your website. To limit the number of attempts, we can use a plugin such as Login LockDown.
- Log in to WP as an administrator.
- Go to Plugins – Add New.
- On the plugin search box, type Login LockDown and hit enter on your keyboard.
- Install and activate the plugin.
- After installing the plugin, go to Settings – Login LockDown to configure it.
Blocking Login Attempts That Use Non-Existent Usernames
You can also block attempts by hackers to log in using non-existent usernames.
Using the Login LockDown Plugin
- Log in to WP as an administrator.
- Go to Settings – Login LockDown.
- Scroll down to the bottom of the configuration page.
- Choose ‘Yes’ under ‘Lockout Invalid Usernames?’.
Now anyone trying to log in with a non-existent username will be immediately locked out.
Please note that Login LockDown has not been updated for quite some time and might itself pose a security risk. The same protection can be achieved with a better plugin called Wordfence, as discussed below.
Using the Wordfence Plugin
The Wordfence security plugin provides free enterprise-class WordPress security, protecting your website from hacks and malware.
Follow the steps below to install and set up the Wordfence security plugin in WP.
- Log in to WP as an administrator.
- Click on Plugins – Add New.
- Search for Wordfence, then install and activate the plugin.
Wordfence can do a lot more in terms of securing your WP sites. In this part I am going to show you how to prevent brute-force attacks and how to block any attempt to log in with a non-existent username.
Follow these steps to set up the Wordfence login security options.
- Log in to WP as an administrator.
- On the side bar click on Wordfence and choose Options, as shown below.
- On the options page, scroll down to Login Security Options. Here you can see all the options available to you.
- Prevent brute-force attacks by setting ‘Lock out after how many login failures’. The other options are self-explanatory and you can change them according to your needs.
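To make clear what the "lock out after N failures" and "lockout invalid usernames" options in Login LockDown and Wordfence actually do, here is a small must-use plugin that implements both with WordPress's own hooks. It is an added example written for this post, not code from either plugin; put it in wp-content/mu-plugins/ to try it. The thresholds are assumptions to tune for your site, it keys lockouts on REMOTE_ADDR (which a client cannot forge, unlike X-Forwarded-For), and it stores counters in WordPress transients so nothing else needs to be installed.

```php
<?php
/**
 * Plugin Name: Minimal login lockout (added example)
 *
 * Added example for this post, not code from Login LockDown or Wordfence.
 * Locks a client address out after too many failed logins, and immediately
 * on an attempt with a username that does not exist.
 * File location assumed: wp-content/mu-plugins/login-lockout.php
 */

const EXAMPLE_LOCKOUT_MAX_FAILURES = 5;    // failures allowed inside the window (assumed value)
const EXAMPLE_LOCKOUT_WINDOW       = 900;  // seconds failures are counted, 15 minutes (assumed)
const EXAMPLE_LOCKOUT_DURATION     = 3600; // seconds a locked-out address must wait (assumed)

// REMOTE_ADDR is filled in by the web server from the TCP connection, so the
// client cannot spoof it. Only trust proxy headers if you run the proxy.
function example_lockout_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names have a length limit, so hash the address (IPv6 is long).
function example_lockout_key( $ip ) {
    return 'example_lockout_' . md5( $ip );
}

function example_lockout_is_locked( $ip ) {
    return (bool) get_transient( example_lockout_key( $ip ) . '_locked' );
}

function example_lockout_lock( $ip ) {
    set_transient( example_lockout_key( $ip ) . '_locked', 1, EXAMPLE_LOCKOUT_DURATION );
    delete_transient( example_lockout_key( $ip ) );
    // One log line per lockout gives you something to grep for and alert on.
    error_log( sprintf( 'login lockout: %s locked for %d seconds', $ip, EXAMPLE_LOCKOUT_DURATION ) );
}

// Increment the failure counter for this address; the counter expires on its
// own after the window, which is what makes it a sliding window.
function example_lockout_record_failure( $ip ) {
    $key   = example_lockout_key( $ip );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EXAMPLE_LOCKOUT_WINDOW );
    if ( $count >= EXAMPLE_LOCKOUT_MAX_FAILURES ) {
        example_lockout_lock( $ip );
    }
}

// 1. WordPress fires wp_login_failed for every rejected login (wrong password
//    or unknown user), passing the username that was tried.
add_action( 'wp_login_failed', function ( $username ) {
    example_lockout_record_failure( example_lockout_client_ip() );
} );

// 2. The authenticate filter decides the outcome of a login. Priority 30 runs
//    after WordPress's own username/password and email/password checks at 20,
//    so a locked-out address is refused even when the password is correct,
//    and an unknown username locks the address out at once.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $ip      = example_lockout_client_ip();
    $refused = new WP_Error( 'example_locked_out', 'Too many failed login attempts. Please try again later.' );

    if ( example_lockout_is_locked( $ip ) ) {
        return $refused;
    }
    // Unknown username: lock immediately, and keep the message generic so the
    // response does not reveal which part of the credentials was wrong.
    if ( '' !== $username && ! username_exists( $username ) && ! email_exists( $username ) ) {
        example_lockout_lock( $ip );
        return $refused;
    }
    return $user;
}, 30, 3 );
```

The same filter protects XML-RPC logins, because they go through wp_authenticate() too. A real plugin would also exempt your own address, e-mail you on lockout and offer an unlock button; this version is deliberately just the mechanism, so you can read the plugins' settings pages with an understanding of what they control.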
Consider using Two Factor Login Authentication
If you want to add an extra layer of security to your login page, you can go with two-factor authentication.
There are several free and paid options for this. I personally recommend the paid version of the Wordfence plugin, which has the Cellphone Sign-in option. Unfortunately you need the paid version to be able to use this feature.
However, there are some other free options available, like the Google Authenticator plugin; the only problem with this plugin is that it has not been updated for more than two years and may no longer be supported and maintained.
There are some other plugins which you can take a look at such as:
- Duo Two-Factor Authentication
- Authy Two Factor Authentication
- Rublon Account Security: Two-Factor Auth
- Clef Two-Factor Authentication.
Change your Login Page URL
Changing your login page URL can prevent a lot of attack attempts, since hackers and automated spam bots will have no idea how to reach your login page.
To do this, you can use a plugin called WPS Hide Login.
Follow these steps to change your login URL.
- Log in to WP as an administrator.
- Click on Plugins – Add New.
- Search for, install and activate the “WPS Hide Login” plugin.
- Go to Settings – General. Scroll down to the bottom.
- Under WPS Hide Login you will see Login URL; set it to a unique URL and save your changes.
Make sure you remember the URL; it is better to note it down.
Securing your WP core files
To add an additional layer of security, you can password protect any directory, including those holding WP core files.
Password Protect your wp-admin
Protect your WordPress Admin Area by password protecting your wp-admin directory.
Follow the steps below to achieve this.
- Log in to your cPanel.
- Scroll down till you see the Security tab and click on the “Password Protect Directories” icon.
- Locate your wp-admin folder. A screen like the one below will show up. Click on the wp-admin folder.
- Enter a name for the protected directory, tick “Password protect this directory” and save. Then create a username and a password for the directory.
- Now when you try to access the wp-admin folder via your WP login URL, an authentication box will appear asking you for the username and password.
Doing this will force a hacker or bot to attack this second layer of protection instead of your actual admin area.
However, securing the wp-admin directory might break some WP functionality, especially the AJAX handler at wp-admin/admin-ajax.php.
To solve this, do the following:
- Log in to your cPanel.
- Go to your WP installation folder and open the .htaccess file located in your /wp-admin/ folder (this is NOT the main .htaccess).
- Add the following lines to the wp-admin .htaccess file and save. They exempt admin-ajax.php from the password prompt while leaving the rest of wp-admin protected.
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
Using .htaccess to protect your wp-config.php File
You can use the .htaccess file to significantly strengthen the security of your WP sites.
Please note that the code should be placed outside the # BEGIN WordPress and # END WordPress tags; if placed between those tags, it can be overwritten by WP during updates.
The wp-config.php is an important file as it contains your database connection settings, table prefix, security keys, and other sensitive information.
Follow the steps below to achieve this.
- Log in to your cPanel.
- Go to the Files tab and click on the File Manager icon.
- Tick “show hidden files”, otherwise you will not be able to see the .htaccess file.
- Locate your .htaccess file, right click it and choose Edit.
- Add the following code snippet to your .htaccess file and save.
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
Using Correct File Permissions and Securing Your Database
Directories and File Permissions
Configuring correct file permissions is extremely important in ensuring the security of your WP sites. Most of the time people do not give proper attention to this, so I would kindly ask you to log in to your cPanel right now and confirm the file permissions of your directories.
Directories set with permission 777 could allow a hacker to upload a file or modify an existing one, which could compromise your WP.
WordPress has standard directory permissions that you should use on a WP site:
- All directories should be 755 or 750 (I was having an issue using 750, so I personally recommend 755).
- All files should be 644 or 640.
- wp-config.php should be 600.
Follow the steps below to configure correct permissions for your WP directories.
- Log in to your cPanel.
- Scroll down to the Files tab.
- Click on File Manager.
- Locate the directory whose permissions you want to change. Right click and choose Change Permissions.
- Set the correct permissions for each directory as recommended above.
- Repeat the same for all the directories until you are done.
- Make sure your wp-config.php file permission is set to 600.
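Checking every folder by hand in File Manager is tedious and easy to get wrong, so here is a read-only audit script that walks a WordPress install and lists everything looser than the permissions recommended above (directories 755, files 644, wp-config.php 600; the stricter 750/640 also pass). It is an added example written for this post, not a WordPress tool; the file name and the command line are assumptions, and it needs shell or cron access to PHP on the host (php audit-perms.php /home/you/public_html). It changes nothing, so you can run it first and then fix only what it reports.

```php
<?php
/**
 * audit-perms.php (added example, not part of WordPress)
 *
 * Walks a WordPress install and reports files and directories whose
 * permission bits are looser than the post's recommendation.
 * Usage (assumed): php audit-perms.php /path/to/wordpress
 * Exit status 1 when problems were found, so it can run from cron.
 */

// Describe the problem with one path, or return null when it is fine.
// Anything more restrictive than the expected mode also passes.
function example_perm_problem( $path, $mode ) {
    if ( is_dir( $path ) ) {
        $expected = 0755;
    } elseif ( 'wp-config.php' === basename( $path ) ) {
        $expected = 0600;
    } else {
        $expected = 0644;
    }
    // Bits set on the entry that the expected mode does not allow, e.g.
    // 002 (world-writable) or 040 (group-readable wp-config.php).
    $extra = $mode & ~$expected & 0777;
    if ( 0 === $extra ) {
        return null;
    }
    return sprintf( '%s is %04o, expected %04o (extra bits %04o)', $path, $mode & 0777, $expected, $extra );
}

// Collect problems for $root and everything below it. Symbolic links are
// reported by their own mode but not followed, so a link pointing outside
// the web root cannot drag the audit (or an attacker's file) in.
function example_audit_permissions( $root ) {
    $problems = array();
    $p = example_perm_problem( $root, fileperms( $root ) );
    if ( null !== $p ) {
        $problems[] = $p;
    }
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $iter as $path => $info ) {
        if ( $info->isLink() ) {
            continue;
        }
        $p = example_perm_problem( $path, $info->getPerms() );
        if ( null !== $p ) {
            $problems[] = $p;
        }
    }
    return $problems;
}

if ( 'cli' === PHP_SAPI ) {
    $root     = isset( $argv[1] ) ? rtrim( $argv[1], '/' ) : getcwd();
    $problems = example_audit_permissions( $root );
    if ( empty( $problems ) ) {
        echo "No permission problems found under $root\n";
        exit( 0 );
    }
    echo implode( "\n", $problems ), "\n";
    exit( 1 );
}
```

Run it once after fixing permissions in cPanel to confirm nothing was missed, and again after any plugin or theme install, since installers sometimes create world-writable upload or cache directories.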
Using WP Security Plugins
There are some awesome security plugins which you can use to protect your WP sites. When these plugins are used properly, you might not need to do anything else, because they come as a complete package.
My favorite plugin, which I personally use for all my WP sites and those of my clients, is Wordfence, which has over 1 million active installs! Even the free version of this plugin can do a lot more than you can imagine. If I were to show you how to use it, I would need to write another post. See the picture below for what Wordfence has to offer.
Some other options for WP security are:
- iThemes Security with over 700K active installs
- All In One WP Security & Firewall
I am not going to go into more detail in this post on how to use the security plugins; I suggest you check them out and see how they can help you secure your website.
Monitoring Your WordPress
There are many ways of monitoring your WP sites, including looking at and analyzing your log files. To do this, you will need to log in to your cPanel and take a look at your log files. Your web server keeps different kinds of logs to help you monitor your website.
Follow these steps to access your log files.
- Log in to cPanel.
- Scroll down to the Logs tab.
- You can see the different options available in the screenshot above.
- Try clicking on Latest Visitors to see the IP addresses of those who visited your website.
- Click on the View button to see the list of IPs which have accessed your website.
Another easy option for anyone would be to use a plugin like Wordfence. With Wordfence, you can see exactly what people are trying to do and get immediate notifications through email alerts. For example, if someone is trying to brute-force your username and password, Wordfence will block their IP (according to your settings) and send you a notification. You can also see live traffic to your WP sites and get a nice weekly summary report of such activities.
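The Latest Visitors page is fine for a quick look, but a password-guessing run is easiest to spot by counting POST requests to wp-login.php per client address in the raw access log. The script below does exactly that over an Apache-style access log; it is an added example written for this post, not a cPanel or Wordfence feature. The log lines built into it are constructed samples (one normal visitor and one address hammering the login form), and the file name and the 10-request threshold are assumptions; point it at the access log you download from cPanel's Raw Access tool to run it on real traffic.

```php
<?php
/**
 * login-attempts.php (added example, not part of WordPress or cPanel)
 *
 * Counts POST requests to wp-login.php per client IP in an Apache
 * "combined" format access log and prints the addresses at or above a
 * threshold, busiest first.
 * Usage (assumed): php login-attempts.php /path/to/access_log [threshold]
 * Without a file argument it runs on the constructed sample lines below.
 */

// Parse one combined-format line into ip/time/method/path/status, or
// return null for lines that do not match (continuation lines, garbage).
function example_parse_access_line( $line ) {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5] );
}

// Count wp-login.php POSTs per IP and keep only IPs at or above $threshold.
// Note for reading the numbers: a successful login answers with a 302
// redirect, while a failed one re-renders the form with status 200, so a
// long run of 200s from one address is a guessing attack, not a forgetful user.
function example_login_post_counts( $lines, $threshold = 10 ) {
    $counts = array();
    foreach ( $lines as $line ) {
        $r = example_parse_access_line( $line );
        if ( null === $r || 'POST' !== $r['method'] ) {
            continue;
        }
        // strtok() drops any ?query string before the path is compared.
        if ( 'wp-login.php' !== basename( strtok( $r['path'], '?' ) ) ) {
            continue;
        }
        $counts[ $r['ip'] ] = isset( $counts[ $r['ip'] ] ) ? $counts[ $r['ip'] ] + 1 : 1;
    }
    arsort( $counts );
    return array_filter( $counts, function ( $n ) use ( $threshold ) {
        return $n >= $threshold;
    } );
}

// Constructed sample log (not real traffic): one ordinary visitor who logs
// in once, and one address sending a dozen login POSTs in a few seconds.
function example_sample_log() {
    $lines = array(
        '203.0.113.5 - - [10/Oct/2016:13:55:36 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [10/Oct/2016:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    );
    for ( $i = 0; $i < 12; $i++ ) {
        $lines[] = sprintf(
            '198.51.100.7 - - [10/Oct/2016:14:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.9"',
            $i
        );
    }
    return $lines;
}

if ( 'cli' === PHP_SAPI ) {
    $threshold = isset( $argv[2] ) ? (int) $argv[2] : 10;
    $lines     = isset( $argv[1] ) ? file( $argv[1], FILE_IGNORE_NEW_LINES ) : example_sample_log();
    foreach ( example_login_post_counts( $lines, $threshold ) as $ip => $n ) {
        printf( "%-40s %d login POSTs\n", $ip, $n );
    }
}
```

On the sample data only the second address is reported. The same counting idea is what the plugins above do in real time; running it over yesterday's log is a cheap way to check whether your lockout settings are actually catching anything.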
Regular Backup of your WordPress Site
As they say, you should always have a backup plan! To stay safe, make sure you back up your WordPress files plus your MySQL database and place them in a secure location. In case your website gets hacked, you still have all your data and can easily get back to work.
My favorite way to back up is to automate the whole process. By automating the backup process, I do not need to remember to back up. I use a plugin called UpdraftPlus – Backup/Restore. With the free version of this plugin you can schedule backups of both your files and database, back up your data to Dropbox, Google Drive or an FTP server, and also get reports for every successful backup, so that you can be sure the scheduled backup worked.
Follow these steps to set up a daily backup for your WP websites.
- Log in to your WP site as an administrator.
- Go to Plugins and click Add New
- Search for ‘UpdraftPlus – Backup/Restore’ and install the plugin.
- Once you have installed and activated the plugin, go to Settings and choose Updraft Backups.
As I have already mentioned, there is no such thing as 100% security. Security starts with you. You need to take precautions and all the necessary steps to secure your website; otherwise you run a high risk of being hacked.
Ensure that your WP core files, themes and plugins are up to date and your login page is protected, use unique usernames and strong passwords, and make sure a daily backup has been scheduled. Your website does not need to be popular to become a target for hackers; some attacks are automated robots that attack any website in their way. At the end of the day, the goals are simple: safety and security.
If one day your website is compromised, stay calm. First make sure to change your passwords, then scan your website with Wordfence or another security plugin for malicious content. If you need the help of your host, be sure to contact them.
I would like to personally thank you for reading this post and I hope it has added value. Your honest feedback would be greatly appreciated.
So which methods are you using to secure your WordPress website? Leave your comments below.