How To Secure WordPress Site

Andrei Iordache

WordPress Developer

WordPress Security Checklist

Introduction

Basic WordPress Security Tips:

Below are some of the most effective yet simple-to-implement WordPress security tips. Apply them and your WordPress website will be considerably more secure.

  • Change your admin username
  • Strong WordPress Password
  • Update WordPress Site
  • Best Security WordPress Plugins
  • WordPress SSL Certificate
  • WordPress File Permissions
  • Cloud Managed WordPress Hosting

Advanced WordPress Security Tips:

These are advanced WordPress security tips, so if you are not 100% sure what you are doing, have someone else implement them. Pay close attention, because a mistake here can take the whole site down. For example, a single wrong letter or symbol in the wp-config.php file will put your WordPress website offline immediately.

  • Server Level Layer of authentication
  • WordPress Restrict WP-Config.PHP
  • WordPress Login Hints
  • Change WordPress Admin URL

Note: No system is 100% secure! The measures listed here are the minimum needed to harden an installation from scratch and protect it against the most common attacks from script kiddies. Bots are the most common enemy of a WordPress installation: they act more or less at random, fully automated, exploiting known vulnerabilities. A human sitting in front of a keyboard deciding "yes, I want to hack XY's website now" is much rarer but much harder to stop. Let's be clear: if someone wants in and has the means, the chances are they will find a point of attack and an entry despite all of these measures.

Even if this is a bit discouraging at the start of the article: it is best to have your WordPress website secured by a professional. Only someone experienced in the field knows where to look and what has to be done so that a website is secured as far as possible. In the following article I try to keep the steps comprehensible even for non-professionals, but if you are at all unsure, ask someone who knows how to do it.

Why WordPress security measures?

Wordfence, the maker of one of the most popular WordPress security plugins, reports in recent statistics that its network alone sees about 3 million attacks on WP websites every hour, which is roughly 72 million per day. The real number is certainly much higher, since A) not every website uses Wordfence and B) many websites are not monitored at all. The sheer volume shows that the overwhelming majority of attacks are automated. Those are the ones that must be blocked.


WordPress's overwhelming popularity makes it a target for hackers. In particular, it sees constant attacks from botnets (networks of computers infected with malicious software) trying to gain entry to sites by brute force.

Most of these attacks use the simplest method possible: trying username and password combinations until one works. The method relies on user error, since many WordPress users are unaware that keeping the site secure is their responsibility.

When that's the case, the botnets can try to log in countless times, because nothing stops them: no rate limiting, no lockout, no second factor.

Why is WordPress being targeted by hackers?

Since December 2020, WordPress has been the single most used platform for building websites across the whole web. Hand-coded sites (plain HTML and the like, built without any Content Management System) held that title since the web was born; since December 2020 it belongs to WordPress.

Users who aren't proactive about protecting their site, or who don't update old plugins and WordPress versions, can unknowingly expose major vulnerabilities, and a hacked WordPress site then gives attackers a foothold. Here are some of the best WordPress security tips to help you defend your site against the most common attacks (brute force, login attacks and many more).




Is WordPress Website Secure?

Yes and no. Anything can be hacked, and WordPress is no exception. But if you follow the advice below, your WordPress site will be far better protected.

Generally speaking, WordPress core is one of the better-maintained pieces of web software. It suffers from security issues every now and then, and these are usually patched quickly thanks to the active developer community; in practice the bigger risk is outdated plugins and themes and weak credentials. Most security issues can be avoided by hardening the WordPress setup.

This guide follows the approach of better security practices that you can apply to safeguard your setup from common threats. You'll learn common fixes that help your WordPress setup, and which files have to be modified to harden it.

Never take WordPress security issues lightly!

Even a minor plugin or theme change can introduce a security flaw in WordPress. Remember: as software evolves, so do its flaws. The best thing you can do is take precautions and avoid the common situations from which security problems arise on a WordPress site.


Basic WordPress security tips for a more secure WordPress install:


ATTENTION! BEFORE CHANGING ANYTHING, MAKE A BACKUP COPY OF YOUR WORDPRESS SITE!

1. Change The WordPress Admin Username

Do not use admin (or anything equally obvious) as the username for your site. It is the username these attacks try first. Other usernames to avoid are administrator, manager, root, support, test, and user. The WordPress login is the first "door" attackers try to break. Be smart. Bear in mind, though, that WordPress reveals usernames through author archives (/?author=1) and the REST API users endpoint, so a renamed admin account is still discoverable; treat the rename as one layer, not as a replacement for a strong password and rate limiting.

To change a username in WordPress:

  • Login with your administrator account and add a new user, with administrator privileges. Make sure your display name is different than your username.
  • Once done, logout and login as your new user. Delete your old administrator account.
  • You’ll be asked about what should be done with posts owned by this user, choose ‘attribute all posts to’ and select your new username.

2. Strong WordPress Password: BE CREATIVE!

By creating a WordPress password that contains numbers, symbols, lower- and uppercase letters and plenty of characters, you make it a lot harder for those nasty bots to guess it. Here's a list of passwords you should definitely avoid:

Worst WordPress Passwords of 2020 – You must avoid each of them:
  • 123456
  • 123456789
  • picture1
  • password
  • 12345678
  • 111111
  • 123123
  • 12345

…and so on. You got the idea: Choose your p4S$W0rDs with creativity!

I would also suggest staying away from passwords like ‘WordPress’ and ‘admin’ – you get the idea.

Strong password = safer website.

How do I enforce strong passwords in WordPress?

There are services that generate long, random passwords (even cPanel provides one). You can also use a password manager like LastPass to store your passwords and fill them in automatically. Aim for at least 16 random characters; a long random string beats any clever letter substitution.

Best WordPress Password Managers:

Don't store passwords in plain text or Word files. Don't store them in FTP programs. Don't store them in any program that other users on the machine can access.


3. Update Your WordPress Site!


WordPress is updated regularly, and each update fixes problems. Security issues that come to light are addressed, and by not updating you leave known vulnerabilities open. It's important to keep the WordPress core up to date, and even more so plugins and themes, which is where most exploited vulnerabilities live.

Since this is the case, it's also a good idea to remove all plugins that aren't used on the site. Always back up the site before making any change (installing new plugins, tweaking the theme, updating plugins or the theme, etc.).


4. Best WordPress Security Plugins

Do You Need WordPress Security Plugin?

A good WordPress security plugin is far more convenient and a real time-saver for a non-technical person. But if you have enough spare time and want to secure your site without a security plugin, follow the tips in the Advanced section of this article.

Free or Premium WordPress Security Plugin?

It is not easy to select the type of the plugin suitable for your setup. Some of the premium plugins are suitable if your WordPress data is critical for your business. If you run a hobby blog or non-commercial blog, you don’t have to invest into a premium plugin. Keep in mind, the more important data that is being handled by WordPress, the harder your security setup should be.

How many WordPress security plugins should I use?

Short answer: as few as possible. Avoid unnecessary plugins and don't forget to delete the inactive ones; an inactive plugin's files are still on disk and still reachable over HTTP.

I have listed plenty of plugins for you to choose from. You don't have to install all of them. If you want to speed up your site, you don't install 3 cache plugins, 5 image optimizers and 500 CDN plugins (you get the idea); you use one plugin that covers several features (image optimization, caching, script optimization). The same goes for security: install one good plugin and that's it. There is no logic in running 3 plugins for the same goal at the same time. Do note that some hosts do not allow certain WordPress plugins.

Which is the best security plugin for WordPress?

To choose the best security plugin for your WordPress site, use the following checklist:

  • The number of active installations and downloads. Prefer the more widely installed plugin.
  • How many open issues are reported on the plugin's official page on WordPress.org, and how quickly they get answered.
  • The plugin author's activity in the support forum. Searching Reddit for the author is another good check.
  • How often the plugin is updated and whether it is tested with the current WordPress version.
  • Don't rely on the star rating alone.
  • Whether the plugin prefixes (namespaces) its functions, options and tables so it cannot collide with other plugins.
  • Whether it uses the WordPress Settings API for its option screens.
  • The hooks, filters and actions it registers.
  • Whether it properly sanitizes input and uses prepared statements for its MySQL queries.
  • Whether it protects its forms and AJAX actions with nonces and capability checks instead of trusting browser cookies alone.
  • If more than one plugin does the same task, choose the one with the higher install count and better reviews.
  • The reputation of the plugin author in the WordPress community.

These are the criteria to look at when selecting a security plugin from the WordPress.org repository. If you choose the premium version of a plugin, search online for reviews first, and test-drive the free plugin or trial service before you buy.

a. Best WordPress Security Plugins in 2021 – The Ones I Have Personally Used

Below are the best WordPress security plugins in 2021 (and beyond). Installing one of the essentials from this list goes a long way toward keeping your WordPress setup safe. These are plugins I have personally used on many WordPress sites.

Sucuri

Sucuri is one of the most popular WordPress security plugins in 2021. It has a free and a premium version. Sucuri also provides security improvement suggestions and tweaks to keep your website safe. Sucuri Security offers the following features: auditing, malware scanning and security hardening.

Wordfence

Wordfence is a very straightforward and easy to use plugin. It acts as a firewall and anti-virus, as well as suggests how to improve your site’s security. Make sure to check out the ‘Live Traffic’ section, you can see all the failed login attempts to your site, it’s surprising.

iThemes Security (formerly Better WordPress Security)

iThemes Security gives you a more detailed review of what you can do to protect your site, with more fine-grained security options. Be careful when activating settings that could conflict with other themes or plugins; these are highlighted in blue in System Status.

b. Other WordPress Security plugins:

All In One WP Security & Firewall

This plugin helps you run some basic security checks on your WordPress setup and apply a few fixes from its options page. Install it, run the scan and fix the issues it flags; once the basic fixes are done you can uninstall it again.

Shield Security

Its WordPress firewall blocks SQL injection attempts, brute force attacks and spambot registrations. It also notifies you by email when a live attack is happening on your site; if you don't want the emails, you can disable them. A handy feature lets you block IP addresses that repeatedly attack your setup, blacklist specific addresses for good, and whitelist the addresses you trust.

Block Bad Queries

The Block Bad Queries plugin inspects the request URI of every request that reaches WordPress and filters out some of the most common attack patterns. It checks for excessively long request strings (more than 255 characters) and for the presence of "eval(" or "base64" in the request URI. Block Bad Queries does a completely different job from WordPress Firewall 2, so it makes sense to run both together.

Website File Changes Monitor

It keeps track of every change in the WordPress installation, logging changes to the files in the WordPress directories and notifying you when they occur. If an attacker gets access to your themes and plugins and writes to any file, you get a notification of the change. That is handy for knowing which file to roll back to its previous state from a backup; for the rollback itself you need a separate backup plugin or regular manual backups.

Limit Login Attempts Reloaded

Install the plugin and set the number of allowed attempts on its options page. You can also set how many minutes the login page stays locked. It keeps a log of the attempts and of the number of times the lockout was triggered.

AntiVirus

The AntiVirus plugin scans your WordPress files for malware. It detects every change in a file and reports it in the dashboard. It does raise false positives now and then, flagging changes to require_once, include and other updated snippets that are genuine but reported as malicious. If a theme uses eval, base64_decode or shell_exec, it will be flagged in the report; you can then replace such themes with ones whose code is cleaner.

BCRYPT

Install the 'bcrypt' passwords plugin (GitHub page). It replaces WordPress's default MD5-based portable password hashing with bcrypt, a deliberately slow hash, which makes the password hashes in your SQL database far more expensive to crack if the database is ever dumped. (Passwords are hashed, not encrypted: a hash cannot be reversed, only guessed, and bcrypt makes each guess slow.)

Fail2Ban

Use fail2ban along with WP Fail2ban Redux. This will catch would-be hackers scanning your website for vulnerabilities and ban them early.
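What fail2ban and Limit Login Attempts do, reduced to its core, is count failed logins per source address in the web server's log. The following shell function is an added example (not part of the original article and not fail2ban's or any plugin's code): it reads an Apache/Nginx combined-format access log and lists the IPs that have POSTed to wp-login.php or xmlrpc.php at least a threshold number of times. The log lines are constructed for the demonstration; the threshold and the assumption that a 200 response to POST /wp-login.php means a failed attempt (WordPress answers a successful login with a 302 redirect) are mine.

```shell
#!/bin/sh
# failed_wp_logins LOGFILE THRESHOLD
#
# Counts, per client IP, the POST requests to wp-login.php and xmlrpc.php
# that were answered with HTTP 200 in a combined-format access log, and
# prints "IP COUNT" for every IP at or above THRESHOLD, busiest first.
#
# Why status 200: on a failed login WordPress re-renders the form (200);
# on success it redirects to the dashboard (302). xmlrpc.php always
# answers 200, so for it the count is simply "POSTs to xmlrpc.php",
# which is what system.multicall password-guessing looks like.
#
# Field layout of a combined-format line (split on whitespace by awk):
#   $1 client IP   $6 "METHOD   $7 path   $8 protocol"   $9 status
failed_wp_logins() {
    awk -v thr="$2" '
        $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ && $9 == "200" {
            n[$1]++
        }
        END {
            for (ip in n)
                if (n[ip] >= thr)
                    printf "%s %d\n", ip, n[ip]
        }
    ' "$1" | sort -k2,2nr -k1,1
}

# Example: failed_wp_logins /var/log/apache2/access.log 20
```

Feed the output to your firewall (an ipset consumed by iptables, or a deny list in the host control panel), or compare it with what your fail2ban jail has actually banned to confirm the jail is firing. If the site sits behind a proxy or CDN, $1 is the proxy's address and you have to log the X-Forwarded-For header and count on that field instead.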

WP-Bruiser

WP-Bruiser is mostly used as a no-captcha method to block spam bots in your comment, contact, registration and login forms, but it also includes some useful brute-force protections, and a feature that notifies you anytime an administrator logs in. These features are available for free. This is a great light-weight option.

 

c. WordPress Database Backup Plugins:

You can save yourself a lot of headaches recovering a site if you take regular backups. Some plugins can be scheduled to back up the site automatically whenever you post, or at set times during the week. When it comes to WordPress backups there are plenty of solutions. Here we discuss three methods: plugins, hosted backup services and manual backups.

WordPress backup plugins – These back up your posts, comments, settings and files and store them wherever you wish. Some offer to email the backup to you or upload it to remote storage such as Amazon S3, Dropbox or another backup service.

Manual backup – Here you make the backup yourself and keep it safe. Store the backed-up data somewhere other than the hosting server: a backup that sits next to the site dies with it.

Hosted backup service – These integrate with the WordPress setup and take regular snapshots of it. They are basically plugins connected to the vendor's backup server. In this article I cover the first two methods.

Most free plugins that upload to Dropbox or send the data via email are well liked in the WordPress community. If your WordPress data is critical, subscribing to a service like VaultPress or Codevault is the better option. You can also use premium plugins such as BackupBuddy or Backupify.

The more important your data, the more reason to move your backups to a hosted solution.

Here are some of the backup plugins that can solve your backup and monitoring requirements:

WP-DB Manager

This free plugin is very handy for optimizing your database. It can also email the backup to the admin or a specific user. It is not the easiest plugin for a newcomer, since there is no obvious starting point to learn from, but if you are comfortable with WordPress and its plugin configuration it is not hard to use.

BackWPup

A free plugin that is very handy for uploading your database backup to external services like Dropbox, Amazon S3, Google Drive and a few other backup services. A restore option for a fresh install is included. Support in the forums is not very active, but for a free plugin it gets the job done and has no critical bugs.

WP-DB-Backup

Very popular for backing up the database and very simple to use. It does only one thing: back up the core database. You don't get to choose the backup location, and it does not back up uploads or other files. There isn't much support for it. But considering the ease of use and the quick database backup, this plugin is a good fit for newcomers who can't use the more advanced plugins.

Manual Backup

If you can't afford any other backup method, you can back up your WordPress site manually to Google Drive, Dropbox or your local computer. You can use any of the database backup plugins to download the archive the plugin generates, and copy the /wp-content/uploads folder to back up images and other media files. Posts and comments along with core settings can be exported by following these instructions.

Click on Tools, then go to the Export page. Select all posts and pages and click the export button. You get a WXR file (WordPress eXtended RSS) that contains the data from the WordPress core: an XML file with structured data you can use to restore your posts. Note that the export contains content only; uploads, themes, plugins and wp-config.php are not in it, so an export alone is not a full backup. If you can't afford premium plugins or a paid service, free plugins that store the backup on Dropbox or Google Drive will do; both host your backups for free, and if by some remote chance your backup exceeds their free quota you can buy a yearly storage subscription.

I should mention that I am a fan of manual WordPress backups and don't recommend involving any plugin in the backup/restore process. If you want to learn how to manually back up your WordPress site, take a look here: How To Backup Your Site From cPanel
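A manual backup that does not depend on any plugin can be scripted in a few lines. The script below is an added example, not code from the article or from cPanel: it reads the database credentials out of wp-config.php, dumps the database with mysqldump (passing the password through a temporary defaults file rather than on the command line, where other users of a shared server could read it from the process list) and archives the whole installation. The WordPress root, the destination directory and the use of gzip are assumptions; mysqldump and tar must be installed on the host.

```shell
#!/bin/sh
# wp_config_get WP_CONFIG KEY
# Prints the value of  define('KEY', 'value');  from a wp-config.php.
# Handles single or double quotes and arbitrary whitespace; values that
# themselves contain a quote character are not supported (assumption).
wp_config_get() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# backup_wp WPROOT DEST_DIR
# Writes db-<stamp>.sql.gz and files-<stamp>.tar.gz into DEST_DIR and
# prints the timestamp used. DEST_DIR should NOT be under WPROOT (or the
# tarball would swallow earlier backups and the web server could serve it).
backup_wp() {
    wproot=$1; dest=$2
    cfg="$wproot/wp-config.php"
    [ -f "$cfg" ] || { echo "no wp-config.php in $wproot" >&2; return 1; }

    db=$(wp_config_get "$cfg" DB_NAME)
    user=$(wp_config_get "$cfg" DB_USER)
    pass=$(wp_config_get "$cfg" DB_PASSWORD)
    host=$(wp_config_get "$cfg" DB_HOST)
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$dest"

    # Credentials go through a 0600 defaults file, never the command line.
    # DB_HOST may carry a port or socket ("localhost:3306"); keep the host part.
    creds=$(mktemp)
    chmod 600 "$creds"
    printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' "$user" "$pass" "${host%%:*}" > "$creds"
    mysqldump --defaults-extra-file="$creds" --single-transaction --quick "$db" \
        | gzip > "$dest/db-$stamp.sql.gz"
    rm -f "$creds"

    # Everything under the WordPress root: core, wp-content, wp-config.php.
    tar -czf "$dest/files-$stamp.tar.gz" -C "$wproot" .
    chmod 600 "$dest"/*"$stamp"*
    echo "$stamp"
}

# Example: backup_wp /var/www/html /var/backups/wordpress
```

Run it from cron and copy the two archives off the server (rsync, rclone to Dropbox or Google Drive, an S3 bucket) so the backup outlives the host. The archives contain your database credentials and password hashes, which is why they are created 0600; treat them as secrets wherever you store them.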


5. Install a SSL certificate (Secure Sockets Layer):


Nowadays you have two options: a free certificate or a paid one.

One of the best providers of free certificates is Let's Encrypt; any hosting provider worth using in 2021 offers it to its clients at no cost.

For paid certificates you have many options. A paid certificate does not encrypt "better" than a free one: the TLS connection is the same. What you pay for is the validation the certificate authority performs (organisation or extended validation, which puts your company name in the certificate), a warranty and support. For a basic WordPress site a free domain-validated certificate is perfectly fine; for a shop, or any site where people enter personal or credit card data, organisation validation is worth considering for the trust signal it gives visitors.

A paid certificate starts from about $5/year and goes up to $1,999/year for a DigiCert (formerly VeriSign) certificate.

Why use an SSL certificate?

Serving your site over HTTPS in 2021 is a must. Without it, login credentials, session cookies and any personal data your visitors submit travel in clear text and can be read or altered by anyone on the path, from a public Wi-Fi hotspot to a compromised router. HTTPS also gives you the browser padlock and a ranking edge with search engines. Be clear about its limits, though: a certificate protects the connection, not the site. It does nothing against phishing pages that impersonate you, against vulnerable plugins or against weak passwords. Once the certificate is installed, redirect all HTTP traffic to HTTPS and set FORCE_SSL_ADMIN to true in wp-config.php so the dashboard and login are never served over plain HTTP.


6. File Permissions

Each file on a Linux or Unix web server has read, write and execute permissions, set separately for three classes of users: the owner (user), the group, and everyone else (the world). You make your site harder to tamper with by setting permissions that stop the group and the world from modifying files. The web server sets some default permission levels for you. These are the common values you will find on a web server:

755 – The owner can read, write and execute; group and world can read and execute.
644 – The owner can read and write; group and world can only read.
777 – Owner, group and world can all read, write and execute.
400 – Owner read-only; group and world have no permissions.
444 – Everybody can read; nobody can write.
600 – The owner can read and write; group and world have no permissions.

Given this range, stick to 644 for files and 755 for directories when you change permission levels. That is what WordPress recommends by default, with the exception of wp-config.php, which should be tighter (see the advanced tips).

Never set any file or folder to 777: it lets every process on the server, including other customers' scripts on shared hosting, write to it. Some cache plugins require the cache folder to be 755 if your web server has overridden it to 644. Permission settings vary from one host to another and depend on the operating system of the hosting account; on a Windows server permissions work completely differently.

When you upload files to the web server via FTP or a web-based uploader, check the permissions afterwards: some clients apply their own defaults.
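The permission reset described above, as an added example script (not from the article): it applies 755 to directories, 644 to files and 600 to wp-config.php under a given WordPress root, and a second function counts what is still world-writable so you can verify the result. It assumes PHP runs as the file owner, which is the case on cPanel/suPHP hosts and per-user PHP-FPM pools; where the web server runs as a separate user you would use 640 and the web server's group for wp-config.php instead.

```shell
#!/bin/sh
# harden_wp_perms WPROOT
# Directories 755, files 644, wp-config.php 600 (owner only).
# Assumption: PHP executes as the owner of these files, so the web server
# needs no group permission on wp-config.php. On a setup where PHP runs
# as a different user (e.g. www-data), use 640 plus chgrp www-data instead.
harden_wp_perms() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }

    # "{} +" batches many paths per chmod call; far faster than "\;" on a
    # large wp-content/uploads tree.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +

    # The database credentials live here; nobody but the owner needs it.
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# count_world_writable DIR
# Prints how many entries under DIR are still writable by "others"
# (mode bit 002). Zero is the goal; anything else is a 777/666 left behind.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Example:
#   harden_wp_perms /var/www/html
#   count_world_writable /var/www/html   # expect 0
```

Run the count before and after; a non-zero result after the reset means something is re-creating world-writable files (a plugin writing its cache with 0777, or an FTP client with a bad umask), and that is the thing to fix rather than re-running the chmod.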


7. Think about Cloud Managed WordPress Hosting Services

Hosting your WordPress site on cheap shared servers puts it at more risk: you have no control over what the other customers on the same server do, and a compromised neighbour can end up compromising your site.

In addition, performance degrades over time as the provider packs more customers onto the server and you all fight for the same resources.

Why avoid cheap shared WordPress hosting and choose a more expensive one?

A good managed WordPress host helps keep your site fast and secure by:
  • Keeping the servers constantly updated with current security patches
  • Providing a firewall (software or hardware), also kept up to date
  • Monitoring the systems for unusual activity (database requests, login attempts, etc.)
  • Having technicians who understand the situation and provide immediate help
  • Backing up the site and restoring it in the event of a compromise

Advanced WordPress Security Tips – Secure WordPress Site


ATTENTION! BACKUP YOUR WEBSITE BEFORE DOING ANY OF THE FOLLOWING CHANGES. ALSO, DO A BACKUP AFTER EVERY CHANGE YOU MAKE, IN ORDER TO SAVE IMPORTANT TIME!

 

1. Add a server-level layer of authentication

Letting anybody reach your /wp-admin login screen makes it easier for hackers and bots to do damage.

Adding a second layer at the server level means the web server decides who can even reach /wp-admin before WordPress and its PHP code are involved at all. To secure your WordPress site this way, there are a few options:

a. IP-restrict /wp-admin

Allow-list only your IP (and those you trust) in an .htaccess file placed inside the wp-admin directory, not in the site root, or you will lock out every visitor. Find your IP address at http://www.whatismyip.com/ and add these lines to wp-admin/.htaccess:

# ALLOW USER BY IP (Apache 2.2 syntax)
order deny,allow
deny from all
allow from YOUR.IP.GOES.HERE

On Apache 2.4 the order/deny/allow directives are deprecated; the equivalent is a single line:

Require ip YOUR.IP.GOES.HERE

Two caveats. wp-login.php lives in the site root, not inside wp-admin, so apply the same rule to it from the root .htaccess (in a Files section for wp-login.php), otherwise the login form stays open. And wp-admin/admin-ajax.php is called by the public front end (themes, contact forms, some caching plugins), so exempt that one file or logged-out visitors will see broken features. If your ISP gives you a dynamic IP address this method is impractical; use HTTP authentication instead.

b. Add HTTP authentication to /wp-admin

Add a second username/password credential via an .htpasswd file in front of /wp-admin. Nobody can even view the WP login page until they supply the right username and password at the .htpasswd level, and because that password never reaches WordPress, a vulnerable plugin cannot leak it. Keep the .htpasswd file outside the web root.
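Both methods combined, as an added example (not the author's configuration): a shell script that writes a wp-admin/.htaccess in Apache 2.4 syntax requiring a valid .htpasswd user AND a source IP from an allow-list, keeps admin-ajax.php reachable for the public front end, plus a helper that adds or replaces a user in the .htpasswd file using openssl (so it works on hosts without the htpasswd tool). The file locations, the user name and the IP ranges are assumptions.

```shell
#!/bin/sh
# write_admin_htaccess WPROOT HTPASSWD_PATH IP_OR_CIDR [IP_OR_CIDR ...]
# Writes WPROOT/wp-admin/.htaccess (Apache 2.4, mod_authz_core syntax).
# Access is granted only when BOTH conditions hold: a valid basic-auth user
# and a client address from the allow-list. HTPASSWD_PATH should be outside
# the web root (e.g. /etc/apache2/wp-admin.htpasswd).
write_admin_htaccess() {
    wproot=$1; htpasswd=$2; shift 2
    out="$wproot/wp-admin/.htaccess"
    mkdir -p "$wproot/wp-admin"
    {
        echo '# Server-level gate for /wp-admin: basic auth AND IP allow-list'
        echo 'AuthType Basic'
        echo 'AuthName "Restricted admin area"'
        echo "AuthUserFile \"$htpasswd\""
        echo '<RequireAll>'
        echo '    Require valid-user'
        echo '    <RequireAny>'
        for ip in "$@"; do
            echo "        Require ip $ip"
        done
        echo '    </RequireAny>'
        echo '</RequireAll>'
        echo ''
        echo '# admin-ajax.php is used by the public front end (themes, forms,'
        echo '# AJAX); leave it open or logged-out visitors get broken features.'
        echo '<Files admin-ajax.php>'
        echo '    Require all granted'
        echo '</Files>'
    } > "$out"
    chmod 644 "$out"
}

# add_htpasswd_user HTPASSWD_PATH USER PASSWORD
# Adds USER or replaces its existing line. The hash is Apache's MD5-crypt
# ($apr1$), produced by openssl so apache2-utils is not required; the
# password is fed on stdin, not as an argument visible in `ps`.
add_htpasswd_user() {
    file=$1; user=$2; pass=$3
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin) || return 1
    if [ -f "$file" ]; then
        grep -v "^$user:" "$file" > "$file.tmp" || true
        mv "$file.tmp" "$file"
    fi
    printf '%s:%s\n' "$user" "$hash" >> "$file"
    chmod 640 "$file"
}

# Example:
#   add_htpasswd_user /etc/apache2/wp-admin.htpasswd editor 'long random passphrase'
#   write_admin_htaccess /var/www/html /etc/apache2/wp-admin.htpasswd 203.0.113.10 198.51.100.0/24
```

Put the same AuthType/Require block inside a Files section for wp-login.php in the root .htaccess, since that file sits outside wp-admin. If bcrypt is available on the host (htpasswd -B, Apache 2.4.4+), prefer it over apr1; apr1 is the portable fallback. After any change, request /wp-admin/ from an address outside the list and confirm you get a 401 or 403 before you walk away.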

2. Restrict WP-CONFIG.PHP access

If you can access the file, restrict its permissions: 0600 if PHP runs as the file owner (the usual case on cPanel and PHP-FPM hosts), or 0640 with the web server's group otherwise; 0644 (world-readable) is the most you should ever allow, and on shared hosting it means every other customer's scripts can read your database password. Also block direct HTTP requests to wp-config.php from .htaccess, so that a misconfiguration that stops PHP from executing does not serve your credentials as plain text. If you don't have access, ask your hosting provider to do this.

3. Stop the Login Hints:

By default, WordPress tells whoever is trying to log in whether the username exists ("Unknown username" versus "The password you entered for the username X is incorrect"), which lets a bot confirm valid accounts before it starts guessing passwords. I don't know why WordPress keeps this behaviour, but you should get rid of it ASAP. To disable the login hints, add the following code to the functions.php of your (child) theme:

// Replace every login error message with one generic text, so the form
// no longer reveals which usernames exist.
function no_wordpress_errors() {
    return 'What the heck are you doing?! Back off!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );

4. Change WordPress Admin URL

To change the WordPress Admin URL, follow these steps:

1. Add these constants to wp-config.php

define( 'WP_ADMIN_DIR', 'secret-folder' );
define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . WP_ADMIN_DIR );

2. Insert the filter below into the functions.php of your (child) theme

// Rewrite every URL WordPress generates so that "wp-admin" becomes the
// directory named in WP_ADMIN_DIR. Only the first occurrence is replaced.
add_filter( 'site_url', 'wpadmin_filter', 10, 3 );
function wpadmin_filter( $url, $path, $orig_scheme ) {
    $old       = array( '/(wp-admin)/' );
    $admin_dir = WP_ADMIN_DIR;
    $new       = array( $admin_dir );
    return preg_replace( $old, $new, $url, 1 );
}

3. Add this rule to the .htaccess file in the site root, above the block WordPress itself generates (RewriteEngine On is already present on any site with pretty permalinks)

RewriteRule ^secret-folder/(.*) wp-admin/$1?%{QUERY_STRING} [L]

After these steps your WordPress admin URL will look like: http://www.yoursite.com/secret-folder/

Be clear about what this buys you. The rewrite only changes the links WordPress prints; the real /wp-admin/ and /wp-login.php still answer requests, so a bot that simply requests them is not stopped. Treat this as obscurity on top of the server-level restriction from tip 1 and a strong password, not as a replacement for them.

5. Prevent bad code injection – Block Bad Queries

With the following mini plugin you can protect WordPress from malicious URL requests. Put the snippet in a PHP file under wp-content/plugins and activate the plugin in the backend. The original snippet used a bare strpos() check, which silently misses a match at position 0 (strpos returns 0, which PHP treats as false); the version below compares strictly against false and matches case-insensitively.

<?php
/*
Plugin Name: Block Bad Queries
Plugin URI: http://perishablepress.com/
Description: Protect WordPress Against Malicious URL Requests
Author URI: http://perishablepress.com/
Author: Perishable Press
Version: 1.0
*/

// Reject any request whose URI carries the classic injection markers.
// Note: the URI is inspected as received, so URL-encoded variants
// (e.g. UNION%20SELECT) are not caught; a real WAF decodes first.
$bbq_uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
if ( stripos( $bbq_uri, 'eval(' ) !== false ||
     stripos( $bbq_uri, 'CONCAT' ) !== false ||
     stripos( $bbq_uri, 'UNION+SELECT' ) !== false ||
     stripos( $bbq_uri, 'base64' ) !== false ) {
    @header( 'HTTP/1.1 400 Bad Request' );
    @header( 'Status: 400 Bad Request' );
    @header( 'Connection: Close' );
    @exit;
}

Secure WordPress Site: Conclusion

Although WordPress has seen a huge increase in attacks, with a few adjustments and some awareness you can keep your site safe. Matt Mullenweg, the founding developer of WordPress, notes in his blog that if you change your admin username, ensure you have a strong password and keep your site up to date, "you'll be ahead of 99% of the sites out there and probably never have a problem."
