How to Secure Your WordPress Site (25 Hardening Tips)

If you're looking for a top-tier, all-in-one content management system to power your website, look no further than WordPress.

WordPress is an excellent, secure platform out of the box, but there's plenty more you can (and should!) do to keep your site safe from malicious intent. Many of these security enhancements are easy to implement and can be done manually in mere minutes. Others simply require installing a specific plugin.

In this article, I'll guide you through 20 different strategies for upping the defenses of your WordPress fortress. But first, let's go a little deeper into why website security should matter to you.

Why WordPress Security Is So Important

Choosing WordPress as your platform is a great way to start if you're trying to build a site. It's not only a versatile, powerful platform for building websites; it's also remarkably secure as is.

But of course, no platform can be 100% secure, and there are many reasons to be concerned about the security of your WordPress site:

  • Popularity – WordPress powers a huge share of all the websites on the internet, making it a prime target for cybercriminals. Its widespread use makes it an attractive platform for exploiting vulnerabilities and gaining unauthorized access to websites.
  • Vulnerabilities – Like any software, WordPress is not immune to vulnerabilities. Hackers continually search for flaws in WordPress themes, plugins, and core software. Exploiting them can lead to unauthorized access, data breaches, defacement, or even complete control of a website.
  • Data breaches – WordPress websites often store sensitive user information, like email addresses, passwords, and personal data. A security breach can expose this confidential data, leading to identity theft, financial loss, and even legal consequences (yikes!).
  • SEO impact – A compromised WordPress site can be used for malicious activities, like hosting malware, redirecting visitors to harmful websites, or sending spam emails. Search engines may flag and penalize such websites, leading to a big drop in rankings and organic traffic, even after you regain control of your site.
  • Reputation and trust – If a WordPress website is compromised and used for malicious purposes, it can severely damage the site owner's reputation and erode user trust. Consider an e-commerce store, for instance. If the store can't commit to keeping shoppers' personal data safe, people simply won't shop there (and who can blame them?).
  • Downtime and financial loss – A hacked site can experience prolonged downtime while the website owner works to resolve the security breach. In turn, downtime can lead to lost business, decreased revenue, and extra expenses for recovery and restoration.

Given these risks, investing in WordPress security measures is crucial to protect your website and its users' data. Ideally, you should put just as much time and effort into security as you spent designing your site in the first place (if not more). Fortunately for you, dear reader, there are a number of easy, quick ways to improve your site's security, as well as some more complex techniques you may want to employ, and below, we're covering all of them.

Top WordPress Security Vulnerabilities

As the saying goes, know thy enemy. Before we dive into our security tips, let's learn more about the security vulnerabilities you need to protect your WordPress site from.

  • Outdated software, themes, and plugins – Using outdated versions of WordPress, themes, or plugins can leave your site vulnerable to known security flaws.
  • Weak usernames and passwords – Weak login credentials make it easier for hackers to access your site. Avoid common usernames like "admin" and choose strong, unique passwords that include a mix of letters, numbers, and symbols.
  • Brute force attacks – Brute force attacks involve repeated attempts to guess your login credentials. You can prevent them by limiting login attempts and using two-factor authentication (more on that later in this article).
  • Cross-site scripting (XSS) – XSS vulnerabilities occur when malicious scripts are injected into web pages, potentially compromising users' browsers or session data. Many security plugins have features to prevent XSS.
  • Malware infections – Malware can be injected into your site through vulnerabilities, infected themes or plugins, or compromised files. To avoid malware, don't install plugins without checking their reputation first. Regular malware scanning can also catch infections before they have the chance to wreak havoc on your site.
  • Backdoors – A backdoor is a hidden entry point into a website that allows unauthorized access even after security measures are in place. Backdoors can be created by malicious actors or accidentally introduced through compromised themes, plugins, or weak security practices. Once a backdoor is established, it can grant an attacker unauthorized access; the attacker can then manipulate the site, steal data, or perform other malicious activities without the website owner's knowledge.

Implementing security plugins and other best practices can protect your site from these vulnerabilities. So without further ado, let's get to what you're here for: actionable WordPress security tips and how to put them into practice.

20 WordPress Security Tips

Hopefully, I've convinced you of the importance of maintaining a secure WordPress website. If not, I'm going to have to re-enroll in Persuasive Writing 101. Please don't make me do that.

Throughout the rest of this article, I'll introduce 20 strategies (along with some of the best WordPress security plugins) for making your site safer from some of the most common and dangerous security vulnerabilities. You don't have to implement every tip on this list (although you certainly can!), but the more steps you take to secure your site, the lower your chances of encountering a disaster down the road.

1. Use A Quality Host

You can think of your web host as your website's street address on the Internet; it's the place where your site "lives." And just as a good school district matters to your kid's future (so they say; I turned out fine), the quality of your website's home base counts in many big ways.

A solid hosting provider can affect how well your site performs, how reliable it is, how large it can grow, and even how it ranks in search engines. The best hosts offer a range of useful features, excellent support, and a service tailored to your chosen platform.

As you've probably already guessed, your web host can also have a big impact on your site's security. There are several security advantages to choosing one of the best hosting companies.

How Web Hosting Can Improve WordPress Security:

  • A quality host will continually update its service, software, and tools to respond to the latest threats and eliminate potential security breaches.
  • Web hosts often offer various targeted security measures, such as SSL/TLS certificates and DDoS protection. You should also get access to a Web Application Firewall (WAF), which will help monitor and block serious threats to your site.
  • Your web host will probably provide a way to back up your site (in some cases, even carrying out real-time backups for you), so if you're hacked, you can easily revert to a stable, previous version.
  • If your host offers reliable, 24/7 support, you'll always have someone to help you out if you do run into a security-related issue.

This list should give you a good starting point to work from when looking for a host for your new site. You'll want to find one that provides all the features and functionality you'll need, plus has a reputation for reliability and excellent performance.

DreamPress is a managed WordPress hosting service that's fast, reliable, scalable, and, of course, secure. DreamPress includes a pre-installed SSL/TLS certificate and provides a dedicated WAF designed with rules built to protect WordPress sites and block hacking attempts. With your hosting plan, you'll also get automated backups, 24/7 support from WordPress experts, and Jetpack Premium (a plugin that can add many additional security measures to your site) at no additional cost.

With DreamPress, you'll be able to rest easy knowing that your site is protected. Our hosting service even takes care of many of the other security-enhancing steps on this list, although we still encourage you to read on to learn what extra measures you can take to protect your site.

2. Register Your Domain Privately

To register a domain, you're asked to provide your name, address, and phone number. This information is used to track ownership of domains and can be found online with a quick search of the WHOIS directory.

While keeping track of this information is important to the health of the internet, it's reasonable not to want your personal information online. That's where Private Registration enters the story. When you register a domain with DreamHost (or another secure hosting platform, I suppose), you have the option to substitute your personal information with the relevant data from the hosting platform, so looking up your domain on WHOIS shows DreamHost's address and contact information instead of yours. You can even enable this security feature after your domain has already been registered!

3. Change Your Admin Username

When you first create your website, all shiny and new, you're given a User Profile. At any time, you can go back and change your Nickname or fill in your Full Name, but changing your username is a different story: you'll have to create an entirely new user and grant that account the administrator role. The downside? You'll need to use a different email address than the one used by your current account.

You can then change your username by creating a new user, giving it the administrator role, attributing all of your content to it, and deleting your original account. Once your old username has been deleted, you can change the email address of your new account if you wish.

4. Enable A Web Application Firewall

You're probably familiar with the concept of a firewall, a program that helps block all kinds of unwanted attacks on your site. Most likely, you have some kind of firewall on your computer. A Web Application Firewall (WAF) is simply a firewall designed specifically for websites. It can protect servers, specific websites, or entire groups of sites.

A WAF on your WordPress site will act as a barrier between your website and the rest of the web. A firewall monitors incoming activity, detects attacks, malware, and other unwanted events, and blocks anything it considers a risk from reaching your web server. #winning

You have many options for adding a WAF to your site (WordFence is a popular choice). But if you've opted for our DreamPress package, you can relax; you won't need an additional firewall. DreamPress includes a built-in WAF that will monitor your site for threats and block malicious users and programs from gaining access. No action required on your part.

DreamHost also offers DreamShield, our in-house malware scanning service. When you enable DreamShield on your hosting account, we'll scan your site weekly for malicious code. If we find anything suspicious, you'll be notified immediately via email.

5. Implement Two-Factor Authentication

Two-factor authentication (which also goes by two-step authentication and a range of other, similar names) refers to a two-step process you'll need to follow when logging into your site. This takes a little more time and effort but goes a long way toward keeping hackers out.

Two-factor authentication involves using a smartphone or other device to verify your login. First, you'll visit your WordPress site and enter your username and password as usual. A unique code will then be sent to your mobile device, which you must provide to finish logging in. This lets you prove your identity by showing you have access to something only you possess, such as a particular phone or tablet.

As with many WordPress features, two-factor authentication is easy to add with a dedicated plugin. The Two Factor Authentication plugin is a solid choice: it's created by reliable developers, compatible with Google Authenticator, and will let you add two-factor functionality to your site with no fuss.

Another option is the Two-Factor plugin, which was built mainly by core WordPress developers and is well-known for its reliability. As with any plugin in this category, it comes with a bit of a learning curve, but it will get the job done and is extremely secure. If you're willing to spend a little money, you can also look at Jetpack's Clef-like premium solution.

Whatever route you choose, make sure to plan ahead with your team, because you'll need to collect phone numbers and other information for all user accounts. With that, your login page is now secured and ready to go.

6. Be Mindful When Adding New Plugins And Themes

One of the best things about WordPress is the ready availability of plugins and themes for almost any need. With these handy tools, you can make your site look good and add nearly any feature or functionality you can think of.

Not all plugins and themes are created equally, though.

Developers who aren't careful or don't have the right level of experience can create plugins that are unreliable or insecure, or just downright sucky. They may use poor coding practices that leave holes hackers can easily exploit, or unknowingly interfere with crucial functionality.

This means you must be very careful about the themes and plugins you add to your site. Each one should be vetted to make sure it's a solid option that won't hurt your site or cause problems. Here's how to choose quality tools:

  • Read reviews – Check user ratings and reviews to learn whether others have had a good experience with the plugin or theme.
  • Developer support – Look at how recently the plugin or theme has been updated. If it's been longer than six months, chances are it isn't as secure as it could be.
  • Easy does it – Install new plugins and themes one at a time, so if anything goes wrong, you'll know what the cause was. Also, remember to back up your site before adding anything to it.
  • Vetted sources – Get your plugins and themes from trustworthy sources, such as the WordPress.org Theme and Plugin Directories, ThemeForest and CodeCanyon, and reliable developer websites.

7. Regularly Update WordPress

Keeping WordPress up to date is one of the most important things you can do to secure your site. Smaller patches and security updates will be applied automatically, but you may need to approve major updates yourself (don't worry, that's very easy to do). This probably goes without saying, but DreamHost handles these updates for you, so you don't have to worry.

But your work isn't done just because WordPress is up to date.

You'll also need to regularly update your plugins, themes, and other WordPress installations to make sure they work well together and are secured against the latest threats. Fortunately, this is also pretty easy: simply go to your WordPress dashboard, look for the red notifications telling you there are themes or plugins with available updates, and click "Update Now" next to each one.

You can also update your plugins in a batch by selecting all of them and then hitting the update button, either here or in the WordPress panel.

8. Configure File Permissions

Let’s talk technical for a minute.

A lot of the information, data, and content on your WordPress site is stored in a series of folders and files on its back end. These are organized into a hierarchical structure, and each one is given a permissions level. The permissions on a WordPress file or folder determine who can view and edit it. They can be set to allow access to anyone, only you, or almost anything in between.

File permissions are represented by a three-digit number in WordPress, and each digit has a meaning. The first digit stands for an individual user (the site's owner), the second digit for the group (for instance, members of your site), and the third for everyone in the world. The number itself means that the user, group, or world:

  • 0: Has no access to the file.
  • 1: Can only execute the file.
  • 2: Can edit the file.
  • 3: Can edit and execute the file.
  • 4: Can read the file.
  • 5: Can read and execute the file.
  • 6: Can read and edit the file.
  • 7: Can read, edit, and execute the file.

So, for instance, if a file is given a permissions level of 640, it means the first user can read and edit the file, the group can read the file but not edit it, and the rest of the world cannot access it at all. It's important to make sure that everyone only has the level of access to your site's files and folders that you want them to have.

WordPress recommends setting folders to a permissions level of 755 and files to 644. You're pretty safe sticking to these guidelines, although you can set up any combination you'd like. Just remember that it's best not to give anyone more access than they absolutely need, especially to core files.

You should also consider that your ideal permissions settings will depend somewhat on your hosting service, so you may want to find out what your host recommends.

Note: Be very careful when making changes to your permissions levels; choosing the wrong values (like the dreaded 777) could make your site inaccessible.
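The permission digits described above, worked through as an added example (not code from the original article): a small PHP script, assumed to be run from the command line as the user that owns the site files, that decodes a mode such as 640 the way the digit table does and walks a WordPress install reporting any folder or file that grants more than the recommended 755/644. The function names are my own.

```php
<?php
// Hypothetical audit script (added example, not part of the article). Usage:
//   php wp-perm-audit.php /path/to/wordpress
// Decodes three-digit modes the way the article's digit table does and reports every
// entry in a WordPress tree that is looser than the recommended 755 / 644.

/** Decode one octal digit (0-7) into the read / edit / execute meaning from the table. */
function describe_digit(int $digit): string
{
    $parts = [];
    if ($digit & 4) { $parts[] = 'read'; }
    if ($digit & 2) { $parts[] = 'edit'; }
    if ($digit & 1) { $parts[] = 'execute'; }
    return $parts ? implode(' and ', $parts) : 'no access';
}

/** Explain a mode string such as "640" as owner / group / world. */
function describe_mode(string $mode): string
{
    // Accept "640" or "0640"; only the last three digits are owner, group and world.
    [$owner, $group, $world] = array_map('intval', str_split(substr($mode, -3)));
    return sprintf('owner: %s; group: %s; world: %s',
        describe_digit($owner), describe_digit($group), describe_digit($world));
}

/**
 * Walk a WordPress install and return every entry whose mode grants MORE than
 * WordPress recommends (755 for folders, 644 for files). Stricter modes pass,
 * because the advice is "never more access than absolutely needed".
 */
function audit_permissions(string $root): array
{
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $path => $info) {
        $perms = fileperms($path);
        if ($perms === false) { continue; }          // unreadable entry; skip it
        $mode     = $perms & 0777;
        $expected = $info->isDir() ? 0755 : 0644;
        $extra    = $mode & ~$expected;              // bits beyond the recommendation
        if ($extra === 0) { continue; }
        $findings[] = [
            'path'           => $path,
            'mode'           => sprintf('%03o', $mode),
            'expected'       => sprintf('%03o', $expected),
            'world_writable' => ($mode & 0002) !== 0, // the "dreaded 777" family
            'meaning'        => describe_mode(sprintf('%03o', $mode)),
        ];
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    echo describe_mode('640'), PHP_EOL;   // owner: read and edit; group: read; world: no access
    foreach (audit_permissions($argv[1]) as $f) {
        printf("%s %s (recommended %s)%s: %s\n", $f['mode'], $f['path'], $f['expected'],
            $f['world_writable'] ? ' WORLD-WRITABLE' : '', $f['meaning']);
    }
}
```

A clean 755/644 install prints only the worked 640 line; anything it lists is a candidate to tighten, after checking what your host expects.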

And while we're on this subject, it's important to note that WordPress comes with a built-in code editor that allows users to edit theme and plugin files right from the Admin Area. That's handy when you need it, but a big security risk if your site falls into the wrong hands. That's why you should disable file editing with a plugin like Sucuri.

9. Keep WordPress Users To A Minimum

If you're running your WordPress site solo, you don't need to worry about this step. Just don't give anyone else an account on your site, and you'll be the only one who can make changes.

However, there are many reasons to add another user account to your site: You may want to let other authors contribute content, or you might need people to help edit content and manage your site. You may even have a whole team of users who regularly access your WordPress site and make their own changes.

This can be useful (and even necessary). However, it's also a potential security risk.

The more people you let into your site, the higher the chance that someone will make a mistake, cause problems, or just be a putz. That's why you should keep your site's user count as low as possible without hampering its ability to grow. In particular, try to limit the number of administrators and other user roles with high privileges.

Here are a few other best practices:

  • Limit each user to only the permissions necessary for them to do their job.
  • Encourage users to use strong passwords.
  • Try to stick with one administrator and a small group of editors.
  • Remove users who have left the site or no longer need access.
  • Regularly log out idle users (the Inactive Logout plugin is great for this!).
  • Consider installing a plugin like Members, which provides a user interface for WordPress's role and capabilities system.

10. Limit Login Attempts

Everyone forgets their password sometimes. But good news! By default, WordPress allows an unlimited number of guesses.

But is that really good news? Brute force attacks, where a hacker tries any number of passwords, are one of the most common ways hackers gain access to private accounts. With no limit on login attempts, a hacker or bot could try every password in the book with no consequences.

First, check your Web Application Firewall (WAF) to limit the number of login attempts a user can make. If your firewall is already set up, a limit will already be in place, but you can also use a separate plugin for that! Both Login Lockdown and Cerber Limit Login Attempts record the IP address and timestamp of each failed login attempt, let you limit the number of failed attempts allowed in a certain span of time, and lock out IP addresses that exceed the limit. Both plugins are free, but Login Lockdown is simpler and more beginner-friendly. If you require a more robust system, Cerber Limit Login Attempts is the way to go, allowing not only IP whitelisting/blacklisting, but also notifying admins if a certain number of lockouts is reached.
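As an added example (not the article's code, and not the code of Login Lockdown or Cerber), here is the mechanism those plugins implement, written as a WordPress must-use plugin: it stores a timestamp per failed attempt for each IP address, locks the address out once the failures inside the window reach the limit, and refuses logins from a locked address even when the password is right. The llx_ names, the thresholds and the file location are my own choices.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 * Description: Added example, not the article's code and not Login Lockdown or Cerber.
 *              Save as wp-content/mu-plugins/login-limit.php. Records failed logins per
 *              IP address and locks the address out once the limit is exceeded.
 */

define('LLX_MAX_FAILURES', 5);                   // failures allowed inside the window
define('LLX_WINDOW', 15 * MINUTE_IN_SECONDS);    // sliding window for counting failures
define('LLX_LOCKOUT', 30 * MINUTE_IN_SECONDS);   // how long a locked-out address waits

/** Client address. Only REMOTE_ADDR is used: X-Forwarded-For is client-controlled unless your host or WAF rewrites it. */
function llx_client_ip(): string
{
    return (string) ($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
}

/** Transient name for one address; hashed because transient names have a length limit. */
function llx_key(string $kind, string $ip): string
{
    return 'llx_' . $kind . '_' . md5($ip);
}

function llx_is_locked(string $ip): bool
{
    return get_transient(llx_key('lock', $ip)) !== false;
}

/** Store one timestamp per failure (as the plugins in the article do) and lock out on overflow. Returns the current count. */
function llx_record_failure(string $ip, int $now): int
{
    if (llx_is_locked($ip)) {
        return LLX_MAX_FAILURES;                  // already locked; nothing more to count
    }
    $key    = llx_key('fail', $ip);
    $stamps = get_transient($key);
    $stamps = is_array($stamps) ? $stamps : [];
    // Keep only the failures that fall inside the window, then add this one.
    $stamps   = array_values(array_filter($stamps, fn ($t) => (int) $t > $now - LLX_WINDOW));
    $stamps[] = $now;
    if (count($stamps) >= LLX_MAX_FAILURES) {
        set_transient(llx_key('lock', $ip), $now, LLX_LOCKOUT);
        delete_transient($key);
        error_log(sprintf('llx: locked out %s after %d failed logins', $ip, count($stamps)));
    } else {
        set_transient($key, $stamps, LLX_WINDOW);
    }
    return count($stamps);
}

// wp_authenticate() fires this for every failed login except empty username/password.
add_action('wp_login_failed', function ($username, $error = null) {
    llx_record_failure(llx_client_ip(), time());
}, 10, 2);

// Priority 40 runs after WordPress's own password check (20) and cookie check (30), so a
// locked-out address is refused even when the credentials it sends are correct.
add_filter('authenticate', function ($user, $username, $password) {
    if ((string) $username !== '' && llx_is_locked(llx_client_ip())) {
        return new WP_Error(
            'llx_locked_out',
            __('Too many failed login attempts from your address. Please try again later.')
        );
    }
    return $user;
}, 40, 3);

// A successful login clears the failure counter for the address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(llx_key('fail', llx_client_ip()));
}, 10, 2);
```

Transients live in the database (or the object cache, if one is configured), so the counters survive across PHP processes; a WAF in front of the site still limits attempts earlier and cheaper, which is why the article says to check it first.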

11. Track Your Admin Area Activity

If you have multiple users, keeping tabs on what they're all doing on the site is a good idea. Tracking activity in your WordPress admin area will help you spot when other users are doing things they shouldn't, and can help you spot when unauthorized users have gained access.

But you also need a tool to help you see who's behind different site activities, like when someone makes an unauthorized change or a suspicious new install. For that, you need another plugin. Simple History lives up to its name by creating a streamlined, easy-to-understand log of changes and events on your site.

For more comprehensive tracking features, check out WP Security Audit Log, which tracks nearly everything that happens on your site and offers premium add-ons.

12. Password Protect Your Login Page

The login page is the most likely way for hackers to access your website, so protecting it is a great way to protect the rest of your site. This can be a bit technical, but it's still worth learning. Use this tutorial to learn how to create an htaccess file and add a password prompt to your login page. A login for your login; what will they think of next?

And if you're hosting content that not everyone needs to see, you can password protect other parts of your site. For blog posts and other pages, you can add password protection by going into the Pages >> All Posts option. Click "Edit," and you'll see the option to change the visibility to "Password Protected". Just publish, and badabing-badaboom, that page is locked up tight!

13. Hide Your Login Page

Adding password protection to your login page is great, but even better is if hackers can't even find it. Changing your wp-admin and wp-login pages is easy and helps deter hackers, who can easily find your login page if you leave the default settings in place.

There are several plugins that can redirect the default login page to another page of your choosing. Many plugins offer this as part of a larger package (for instance, Defender also includes a malware scanner and firewall). But if you're looking for something simple, try WPS Hide Login, which just hides your login. Just don't forget to bookmark your new login page so you can find it.

14. Update PHP

Just like America runs on Dunkin' (don't quote us on that), WordPress runs on PHP. Updating WordPress isn't enough to keep your site safe and secure; you need to make sure you're using the latest version of PHP, too.

Normally, each PHP version is supported for at least two years after its release date, meaning vulnerabilities are addressed by the engineers who designed the code. When the code goes outdated (or reaches its EOL or "end of life"), it's time to upgrade, or you risk being exposed to security concerns, performance slowdowns, and bugs galore.

To see which version of PHP you're currently running, log in to your WordPress site and select Tools >> Site Health. Navigate to Info and then Server, and view your current PHP version.

15. Secure Your WordPress Database

Leaving anything on the default settings is a boon for hackers, and by default, WordPress uses wp_ as the prefix for all of your related tables. Good news! If you're using the One-Click Installer, you already have a prefix of random letters and numbers. As long as it ends with an underscore, the system is happy. Better news! Even if your WordPress is already installed, it may be eligible for the One-Click Installer as long as the site is fully hosted and meets a few other guidelines.

Just note that breaking something can be as easy as a missing underscore. Luckily, there is a default version of the wp-config.php file available at WordPress Core, so you can quickly and easily rebuild, whether you tried to change the database prefix manually or with a service like phpMyAdmin.

16. Add Security Questions

Security questions are often overlooked, but they give extra oomph to your security. Depending on the plugin you choose, you'll either select from existing security questions or create your own.

17. Hide Your WordPress Version

Security through obscurity: if they can't find it, they can't hack it!

Hide which version of WordPress you're using (or hide that you're using WordPress altogether) by altering the header code. If that sounds too technical, use a plugin like WPCode. Just make sure to change the code and not just edit the display information in your theme settings; otherwise those code snippets will simply come back with the next theme update.

18. Prevent Hotlinking

Hotlinking is the act of stealing bandwidth by using files hosted on one site and linking to them from another. For instance, let's say someone draws a pretty clever comic, and another website wants to feature it without permission. They could hotlink the comic instead of hosting it on their own servers, costing the original website more bandwidth, and therefore more money.

To prevent hotlinking, you can choose to reject certain domains, allow only certain domains, or remove the ability to hotlink altogether, all by making a few changes to your htaccess file. You can even include a snippet in your .htaccess file that routes all hotlinking attempts to a page or image of your choice, perhaps one that says, "Stop hotlinking, freeloader!"

19. DDoS Protection (Disable XML RPC)

A Distributed Denial of Service attack (or DDoS) is when a hacker uses multiple systems to send an enormous volume of data and overwhelm their target. This can slow down and crash the target; imagine an enormous traffic jam on your website where no legitimate traffic can get in.

We all know that patience is hard to come by online, with the average user waiting only 3 seconds for a page to load before clicking away, so the sooner you can identify and resolve an attack on your website, the better.

While stopping a DDoS attack may seem daunting, one of the first steps you can take is to remove or disable any old or unused plugins. Plugins are incredibly handy, but along with extra functionality, they also have access to your website that can be exploited. For once, downloading more plugins is not the answer!

XML-RPC allows WordPress access through the app on your mobile device. If you don't use your smartphone to make changes to your WordPress website, you likely don't need this feature enabled. Turning it off involves adding a quick snippet of code to your htaccess file, and you'll be all the safer for it.
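Three of the "change the code" tips above (disable the file editor from tip 8, hide the WordPress version from tip 17, and turn off XML-RPC from tip 19) done from PHP rather than a plugin or .htaccess, as an added example that is not the article's code: a must-use plugin file whose hx_ function name and location are my own choices. It goes a step beyond the text by also stripping the version from feed and asset URLs and removing the unauthenticated pingback methods, which the xmlrpc_enabled filter alone does not touch.

```php
<?php
/**
 * Plugin Name: Example Hardening Snippets
 * Description: Added example (not the article's code). Save as wp-content/mu-plugins/hardening.php.
 *              Covers tip 8 (disable the file editor), tip 17 (hide the WordPress version)
 *              and tip 19 (disable XML-RPC) from the article.
 */

// Tip 8: disable the theme/plugin editor in the Admin Area. WordPress documents this
// constant for wp-config.php; an mu-plugin loads before the admin menus are built, so it works here too.
if (! defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// Tip 17: the version leaks in three places, not only the <meta name="generator"> tag.
remove_action('wp_head', 'wp_generator');               // <meta name="generator" content="WordPress x.y">
add_filter('the_generator', '__return_empty_string');  // <generator> element in RSS/Atom feeds

/** Strip "?ver=<WordPress version>" from enqueued script and style URLs; plugin version strings are left alone. */
function hx_strip_core_version($src)
{
    global $wp_version;
    if (! is_string($src)) { return $src; }
    $query = parse_url($src, PHP_URL_QUERY);
    if ($query === null || $query === false) { return $src; }
    parse_str($query, $args);
    if (($args['ver'] ?? null) !== $wp_version) { return $src; }
    return remove_query_arg('ver', $src);
}
add_filter('script_loader_src', 'hx_strip_core_version');
add_filter('style_loader_src', 'hx_strip_core_version');

// Tip 19: XML-RPC. The xmlrpc_enabled filter only refuses the *authenticated* methods;
// the pingback methods need no login and are the ones abused for DDoS, so remove them too.
// Blocking xmlrpc.php at the web server (the .htaccess route the article mentions) is
// stronger still, because the request then never reaches PHP.
add_filter('xmlrpc_enabled', '__return_false');
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});
// Stop advertising the endpoint in the X-Pingback response header.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
```

After deploying, confirm the result from the outside: the page source should carry no generator tag, asset URLs no core ver= string, and a POST to xmlrpc.php for pingback.ping should get a "method not found" fault.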

20. Malware Scanning

Malware (short for malicious software) hides in what appear to be safe applications so that the user doesn't know their computer or website has been infected.

Malware scanning is an important defense that works by using anti-malware software to identify and isolate suspicious files until you decide whether they need to be removed. If a threat is detected, a good malware scanner will delete any trace of it from your computer ASAP. Luckily, several firewall plugins come with malware scanning built in, so make sure to check your security plugins to see what they offer.

If you have DreamHost as your hosting platform, you can activate DreamShield to handle weekly malware scanning for you.

WordPress Security: Locking It Up

If your website is hacked, you'll spend hours (maybe even days) trying to repair the damage. You may permanently lose data or see your personal information compromised, or worse: your clients' data.

That's why you have to put enough time and energy into making sure your site is secure. Otherwise, you simply risk losing valuable business and precious time.

These WordPress security tips should help. Some are simple tweaks, while others affect your entire site. But if you're looking for one impactful change you can make today to keep your site secure, make sure it runs on a secured WordPress host.

DreamPress hosting (with free WordPress migration) is specifically designed for the WordPress environment. Plus, if you ever do encounter a security issue, we've got you covered with automatic daily backups, a weekly malware scan, and our support team of WordPress experts! Ready to protect your site from threats and vulnerabilities? Learn more about DreamPress hosting today.