or How to resolve common WordPress Security issues
There may be a lot of content management systems around, but none of them can hold a candle to WordPress. Hey, 16.2 million sites as of November 5, 2015 should give you an idea just how vastly superior and beloved this system is. WordPress security and actionable tips to prevent WordPress hacking though - still has a way to go. However, we want to help you secure your WordPress website from the get go - preventention is better than cure, so make sure you action these tips to prevent WordPress hacking.
Hackers. It’s not uncommon to wake up one morning to find your beautifully assembled website waxing poetic about herbal enlargement pills or some cause in middle-east. Empathy is short lived when it’s your personal space they’re defacing with stupid quotes. Screaming incoherently is the first course of action you will take when your site is hosting full-page ads and redirects to shadier aspects of ‘pharma’ companies.
If you’re terrified, you’re justified. Everybody wants to prevent WordPress hacking. Recovering can take some intense time and effort. So harden your WordPress with these WordPress security best practices, lest that horrible fate befalls you. And yes, it’ll take some time and continuous effort to avoid WordPress hacking.
Don't like to get your hands dirty with code? Try iThemes security and let it do the dirty work.
If you don't want to go through a lot of messing of files, enabling of different plugins, and lots of other things you don't really go - we also have the easy way out for you. iThemes Security is the best WordPress security plugin to secure and protect your WordPress site.
Not interested in WP plugins just yet? Read on!
We’ll work up to some code work, but first, let’s take care of the basics of WordPress security issues. Starting with:
1. Preventing WordPress hacking starts with your workstation
This is the first and most easily overlooked: your computer. You should always keep your system free of malware and viruses, especially if you’re accessing the internet with it (which you are, of course). Workstation security is even more essential when you are conducting transactions and have a website, because all it takes is a keylogger to knock out the most hardened of WordPress websites. A keylogger will read all your usernames and passwords and send them to hackers - which of course is going to create a whole host of issues and problems for your website.
Stay safe and regularly update your OS, software, and browsers on your computer. Use a good anti-virus service. Keep your eyes peeled for any vulnerability on your system and remove it before it becomes a massive pain.
2. Stay protected from the latest security threats with WordPress Updates
Every time a software package gets updated, it does so in the midst of a wave of excitement. You are excited because, hey, new features! Hackers are excited because Security and Maintenance Release notes. This is because, unfortunately, each WordPress update brings along with it a number of WordPress security vulnerabilities.
WordPress is no different. With every new update we get additional features and upgrades, along with a page listing the security flaws in the previous version and their fixes. That page is practically a cheat-sheet for hackers everywhere. Should you fail to update in time, those security flaws will be the bane of your existence. And if your site gets hacked, it will be no-one’s fault but your own.
So don’t give lazier hackers a chance to wriggle in. Install the latest version of WordPress as soon as it’s released. If you’re afraid it will mess up your carefully crafted website (it’s been known to happen), create a backup before you update. This will resolve any WordPress security issues which existed in the previous version - and goes a very very long way to prevent WordPress hacks.
Want your WordPress to get updated automatically? Check out InMotion for your hosting - they have excellent WordPress specific features so you can update WordPress automatically as soon as they are out. We're on InMotion, and we love it!
3. Prevent WordPress hacking: Make sure that your Hosting Server is secure
This rather alarming fact is true because a majority of WordPress sites/blogs are hosted on shared servers. Basically, if one site on a shared server gets infected, every other site is at risk, regardless of how secure the site/blog is otherwise. You’ll get hacked through no fault of your own.
Thought exercise: Have you ever been inside a soup kitchen? Can you picture one and imagine what happens in there? If you’re one of those lucky enough to have escaped that travesty, I’ll give you a taster (pun intended). Think of everything that has ever happened since the kitchen came into existence, spills and breaks, leaks and splashes. In a soup kitchen server, those things are never gone. They become a part of the kitchen.
Now imagine the same happening to your site. A server which scoffs at maintenance has devolved into a soup kitchen already. Unused files, data, sites, and more pile up until they become a security threat to current sites.
So choose a reliable and secure host. VPS and managed hosting minimizes chances of breaches and are excellent for e-commerce sites. If shared hosting is enough for you, check out their security before subscribing for space on them. Make sure to check their maintenance schedule. This is another step which should be on your priority list if you want to prevent WordPress hacking.
4. Use Network Security to prevent password and data interception
Over an unsecured connection, data can be intercepted and you can be hacked before being able to say “unencrypted”.
This is why you should focus on secure network connections and encryptions: server side, client side, and all the sides. Find a host that allows SFTP/SSH encryption to protect your data and information from malicious intercepts.
5. Prevent WordPress hacking through complex passwords
Essential WordPress security tip: create a secure password and don't reuse passwords
A startling number of people think long, complicated passwords are overrated and will prefer something shorter and easier to remember; a fact hackers know and take advantage of.
There is no other way to put this: a good strong password comprised of letters, numbers, and any other valid characters will actually go a long way to protect your WordPress blog. Brute force algorithm works endlessly, yes. But the more characters there are in your password, the longer it takes to crack it. And I mean exponentially longer.
Recommended Reading: 10 WordPress security tips for your website
Any personal details, or a password based on them, will be easy to crack. Don’t use single words (regardless of length), letters-only, or numbers-only passwords either. What you’re trying to do is break the known patterns to make hacking difficult, if not impossible.
Create a password which is easy to remember but hard to guess to prevent WordPress hacking - if your blog is about WordPress security, make it something like pressmyWORDSand5ecurit!$
6. WordPress Security through isolation: Keep your WordPress Databases Secure and isolated
Your database knows everything that has ever happened on your site. It’s a veritable well of information and that makes it damn near irresistible to hackers.
Automated codes for SQL injections can be run to hack into WordPress databases with relative ease. If you are running multiple sites/blogs from a single server (and database), all your sites are at risk.
As the code resource puts it, it’s best to use individual databases for each blog/site and give them to be managed by separate users. You can also revoke all database privileges except data read and data write from users who will only work with posting/ uploading data and installing plugins. It is not recommended, though, due to schema change privileges required in major updates.
You should also rename your database (by changing its prefix) to misdirect the hackers aiming their attacks on it. Although this does not prevent WordPress hacking per se, it makes sure that if any databases are compromised, the hackers can't hope to the next WordPress installation.
7. Hide WordPress login and admin name
Next on how to secure WordPress from hackers concerns the WP Administration.
Leaving WordPress defaults untouched is practically asking for trouble.
It is laughably simple to find your site’s admin name if you don’t actively hide it. All a hacker needs, is to add ?author=1 after your URL and the person/member who shows up is most likely the admin. Imagine how easy it would be for the hackers to use brute force once they find the admin’s username. How can you prevent WordPress hacking if you are leaving so much information available, make exploitation easier?
Solution to prevent WordPress hacking: Hide all usernames with this code in functions.php file:
Your WordPress login page is also easy to access, and not just for you. I can simply add wp-admin or wp-login.php after your homepage URL, fill the username I learned from ?author=1 and sip mint juleps while the algorithm cracks your password.
Use the age old technique of ‘smoke-and-mirrors’ and change your login page URL to make the hackers’ job that much difficult. WordPress security plugins like Stealth Login will even do it for you - and once again, doing this simple step will go a very long way in preventing WordPress hacking.
Not sure whether you can deal with all this?
Need some help? Have a look at iThemes Security Pro - one plugin and your WordPress is safe. Guaranteed.
8. Prevent WordPress hacking through security plugins and tricks to protect wp-admin
A strong password, a different administrator account (with a username that’s anything but ‘admin’), and using Stealth Login plugin to rename your WordPress login links will make definitely help to prevent hacking.
You can also strengthen the guard around admin with WordPress security plugins like:
With a bit of code coupled with unlimited login attempts, any hacker will eventually break in. You can restrict the amount of liberty anyone is allowed to take with admin login page using Limit Login Attempts. It will limit the number of login attempts for each IP address, including your own (with auth cookies).
- SSL - this encrypts your communications
Use the power of Private SSL to secure admin login, area, posts, and more. This enables encryption on your login sessions, meaning the password is difficult to intercept. You'll need to get an SSL Certificate and get it installed on your hosting server. InMotion offer SSL certificates for free on their hosting plans - so if you still haven't maybe it's time to switch to InMotion to get your SSL too.
Once you have confirmed with your hosting provider that you have Shared SSL and then paste this code in wp-config.php:
This plugin is a superb security solution in general, but some key features make it even better. First of all, it runs a WordPress security scan. It also pays close attention to preventive measures so you actually stop WordPress hacking from happening in the first place. To protect admin area, it will remove error information from the login page.
That may not sound like much, but the error message actually helps hackers find out if they had gotten anything right. Removing the message (hint) takes away that advantage. If you want to avoid WordPress hacking, get at least some of these plugins set up.
Top Tip: Advanced WordPress Security
The rest of the tips requiring tinkering with your WordPress installations, which brings along some risk. If you'd rather not tinker around with your installation, you might want to hire a WordPress developer to help you out.
9. Prevent WordPress hacking through wp-includes security
Let’s get this straight: wp-includes is the core. It should be left alone, even by you. And by no means should it be left accessible to potential hackers.
So prevent any malicious persons/ bots from sending unwanted scripts straight to the heart of your WordPress to prevent hacking attacks. Add this before #BEGIN WordPress in your .htaccess file:
Note that you’ll have to omit the third RewriteRule if you want the code to work on Multisite.
10. Protect your wp-config for improved WordPress security
This is one of the WordPress security issues that is a bit controversial. Not everybody agrees with doing this.
Whether or not you actually move wp-config.php outside the root folder, there’s no denying that a bit of tweaking the code in this file can help harden security and prevent WordPress hacking.
Not sure whether you can handle all of this security stuff? There's one WordPress security plugin to rule them all.
- Start with disabling editing PHP files from dashboard, which is where the attacker will concentrate after hacking through an access point. Add this to wp-config.php
- $table_prefix is placed before all your database tables. You can prevent SQL injection based attacks by changing its value from the default wp_.
- Move wp-content directory from its default position with this
Now if you’re not a developer, you don’t have much use of error logs. You can keep them from being accessible with this:
You can find more details on configuring error logging (and how to hide logs from public), but you don’t really need to delve that deep.
11. Backup your WordPress site (just in case)
This is the safety net. A backup is one of the first things you’ll need to restore your site if you do get hacked.
Backup your site at least as frequently as you run maintenance or update it. There’s no excuse to be lax in this department, not when there are some quite thorough services and plugins that will run automated backups for you. There is VaultPress, UpdraftPlus, WP-DB-Backup, BackupBuddy, etc.
Recommended Reading: Native vs plugin - WordPress backup using different methods
Create a schedule and let the plugin do the rest. Some of these plugins come with easy restore options. Check to ensure that the plugin is backing up the entire site, including all databases and directories. All though this does not prevent WordPress hacking, it gives you peace of mind of restoring your site if the unthinkable happens.
12. Use trusted sources only for downloads
You can't prevent WordPress hacking if you are downloading premium stuff from ill-reputed or unauthorized sources - they will come back to punch you in the heart. They are ill-reputed because they will fill those legit ‘premium’ plugins/themes with malware and let the stupid folks do the rest. A hidden backdoor will be all they need to convert your brand’s online appearance into a giant poster for enlargement pills - or even worse, malware. Your site will quickly get blacklisted, even from search engines and browsers if it contains malware. You'll need much more than WordPress security to fix these problems.
This is a known and very popular tactic of hackers. Pirated themes and plugins are riddled with backdoors and malware. This is one of the easiest WordPress security issues to resolve really away from.
Remember: Pirated stuff? Don’t bother.
13. Secure your WordPress by looking like a Pro
A rookie is easier to hack. At least, that’s what most hackers think (not incorrectly). Even the Bible says: Abstain from all appearances of being an amateur; even, and especially if you are one.
Change all defaults: posts, comments, usernames, directory names, etc. It’s easier when you’re setting up. If you already have WordPress up and running, go to Settings > Miscellaneous (in your Admin controls) to change directory names. This will be another step in your drive to prevent WordPress hacking and make hacking your site much more difficult.
To hide which version of WordPress you’re on, remember to delete /wp-admin/install.php and wp-admin/upgrade.php. Take it a step further and remove meta generator tag (“”) from wp-content/your_theme_name/header.php. You should also remove version detail from RSS feed.
To do this, open wp-includes/general-template.php. Around line 1860 you’ll find this:
Add a hash before ‘echo’ command and you’re golden.
14. Strong WordPress Security requires correct File permissions
The rule of thumb is 755 for directories and 644 for files. Although, this varies depending upon server and the type of file in question - in most cases, you should work very well with these permissions. It would be best to ask your host to check, or if you've got direct access, you can do this yourself.
15. WordPress Security sins: Never ever set file permissions to 777 (not even temporarily)
If you are serious about wanting to prevent WordPress hacking - NEVER set file/directory permission to 777 unless you want to give complete control over it to everyone, including hackers. There is a very dangerous tendency amongst beginners to set file permissions to 777, "because it's easy", or "because we'll fix it later", or "because I'll change it later". This is extremely dangerous - 777 means anybody who wants can change the contents of that file. With those permissions set, your website is an open house. Once they have access to one file, rest assured it is very easy to jump to other files or install backdoors and other nasty stuff to your site.
WordPress codex gives you a complete guide to file permissions: how to change them and the recommended permissions for some files. You need to balance security with functionality, so start low and gradually increase permissions till you get it right. The right file permissions will surely help avoid WordPress hacking. Again, this is one of easier WordPress security issues to prevent, you just need to be aware of it.
16. Allow access to WP admin and login to your IP only through IP filtering
A very simple, elegant way to restrict access to the login page and admin area is through IP filtering. All you need to do is add this code to .htaccess. This suggestion comes with thanks to Sucuri, who provide an excellent WordPress security service
Now that works only for static IPs, but you can do the same for dynamic IPs with this:
To restrict access to wp-admin directory, add this to .htaccess:
By domain name:
17. WordPress Security Plugins to Prevent WordPress hacking
Although we don't tend to advocate the use of many plugins, when it comes to WordPress security plugins, there are some which you really might want to install to increase the security of your site.
- iThemes Security Pro - Listen, many of the above actions are a bit technical no doubt about that. We get that. If you are not technically inclined, we have the solution for you. iThemes Security is the best WordPress security plugin to secure and protect your WordPress site.
Google Authenticator and Duo Two-Factor Authentication are great choices for adding an extra layer of protection on your login page. An authorization code will be sent to your email/ mobile, without which the user/hacker will not be able to log in.
Is there anything better than a nice BBQ? This plugin will block URI strings containing eval( base 64 and other suspiciously long request strings.
Check your theme for malware and hidden backdoors with this plugin before someone exploits those weaknesses in an otherwise secure site/blog.
- Antivirus Plugins
This one is a no-brainer. Conduct frequent site scans and eradicate them before they take hold. Plugins/ services like Sucuri, Wordfence, etc. Previously mentioned Acunetix Secure WordPress is another good one. Exploit Scanner will check your site inside out for malicious code too.
The Essential Checklist to full WordPress Security - YouTube version
Thanks to Webucator, a provider of WordPress training, we've got this checklist created as a video.
If you’re confused, just go for a managed hosting solution and let someone else handle it for you.
This is just the beginning. As WordPress continues to evolve, so will the hackers and their attempts to infiltrate your site and chuck you out. Stay one step ahead by learning more about your friendly CMS and keeping up with updates and your stay on top of WordPress security - this will for sure ensure you prevent WordPress hacking.
Author Bio: Tracey Jones is a renowned front end WordPress developer with hobbies of innovative and technical writing. Presently, she is working for HireWPGeeks Ltd., one of the top most custom WordPress development company across the globe, where you can hire WordPress developers in order to customize your WordPress site at a very reasonable price.