Basic Steps To Secure Your WordPress Website

WordPress is a very popular CMS and now powers around 30% of all websites on the internet. It is relatively easy to use, which has obviously helped it gain such popularity. Given its ubiquity, keeping your website secure is of utmost importance.

The reason for this is that WordPress is open source and its code is available online, so anybody who is smart enough to find a loophole can attack a website. Unfortunately attackers have a slight upper hand here for this reason. Of course the positive side is that you can also view the code, so it is possible to verify it is not adding additional ‘features’ you don’t require, and white-hat researchers can report any vulnerabilities they find.

Here we outline some basic steps to help minimise the risk of malware or of being hacked – there is no silver bullet, but taking a few precautionary steps will significantly reduce your risk.


Use Strong Passwords

One commonly used attack technique is to try different passwords for your WordPress hosting account or WP admin login until one works. This trial-and-error method is often referred to as brute force, and there are various tools available to automate it. Using a strong password offers real protection here, because the attacker has to try vastly more combinations.

Advanced Tip:

It is also worth changing the default administration login page from /wp-admin to a different URL, which stops the automated scripts that only know the default path before they start.

Steps:

  • Add a constant to wp-config.php

// Name of the new admin directory; change 'adminLoginUrl' to the path you want
define( 'WP_ADMIN_DIR', 'adminLoginUrl' );
// Cookie path for the admin area. SITECOOKIEPATH is not defined yet when wp-config.php runs,
// so the site path is given literally here ('/' assumes WordPress is installed at the web root)
define( 'ADMIN_COOKIE_PATH', '/' . WP_ADMIN_DIR );


  • Add the below filter to functions.php

// Rewrite the first occurrence of "wp-admin" in every URL WordPress generates so links point at the new directory
add_filter( 'site_url', 'wpadmin_filter', 10, 3 );
function wpadmin_filter( $url, $path, $orig_scheme ) {
    $old       = array( '/(wp-admin)/' );
    $admin_dir = WP_ADMIN_DIR;
    $new       = array( $admin_dir );
    return preg_replace( $old, $new, $url, 1 );
}

  • Add the below line to your .htaccess file, inside the <IfModule mod_rewrite.c> block

RewriteRule ^adminLoginUrl/(.*) wp-admin/$1?%{QUERY_STRING} [L]

  • Restrict the /wp-admin URL:

The above code lets you log in to the admin area from the new URL at /adminLoginUrl/, but so far the /wp-admin URL is neither blocked nor disabled. To do this, add the code below to restrict /wp-admin.

add_action( 'login_form', 'redirect_wp_admin' );
function redirect_wp_admin() {
    // Only act when the login form was reached with a redirect_to parameter pointing at wp-admin
    if ( isset( $_REQUEST['redirect_to'] ) && stristr( $_REQUEST['redirect_to'], 'wp-admin' ) ) {
        wp_safe_redirect( '404.php' );
        exit; // stop here so the login form is never rendered after the redirect header is sent
    }
}
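Renaming the login URL only hides it; the brute-force attempts described above can also be slowed down directly. The following must-use plugin is an added example, not code from the original post: it counts failed logins per client address with WordPress transients and refuses authentication after a limit is reached. The limit of 5 attempts in 15 minutes and the use of REMOTE_ADDR are assumptions (behind a proxy or CDN, use the forwarded-address header your host documents).

```php
<?php
/*
Plugin Name: Login Lockout (added example)
Description: Locks a client address out after repeated failed logins. Drop into wp-content/mu-plugins/.
*/

define( 'LL_MAX_ATTEMPTS', 5 );                 // assumed limit: failed logins allowed per window
define( 'LL_WINDOW', 15 * MINUTE_IN_SECONDS );  // assumed window: 15 minutes

// One transient key per client address. REMOTE_ADDR is assumed to be the real client address;
// behind a proxy or CDN, use the forwarded-address header your host documents instead.
function ll_key() {
    return 'll_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Count every failed login; the counter expires LL_WINDOW seconds after the most recent failure.
add_action( 'wp_login_failed', function ( $username ) {
    $count = (int) get_transient( ll_key() ) + 1;
    set_transient( ll_key(), $count, LL_WINDOW );
    // A line in the PHP error log per failure gives you something to alert on
    error_log( sprintf( 'login failed for "%s" from %s (%d in window)',
        $username, $_SERVER['REMOTE_ADDR'] ?? 'unknown', $count ) );
} );

// Refuse the login while the address is over the limit. Priority 30 runs after WordPress's own
// username/password check (priority 20), so even a correct password is rejected during the lockout.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( ll_key() ) >= LL_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( ll_key() );
} );
```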

Change the username for login

It is always recommended to use a different username for the WP admin login. Most WP users keep the default username admin, and attackers are very much aware of this, so by keeping the default username you are handing attackers half of the credentials they need. Make sure to delete the default admin user once you have created a new administrator account.

Update WordPress and its themes and plugins on a regular basis

Using an outdated version of WordPress, or of its themes or plugins, constitutes a serious security threat. Attackers regularly find new vulnerabilities, and this is all the easier because most of the code is open source, allowing them to look for and test new methods to gain access.

To prevent this from happening you need to update the WordPress application, its themes and its plugins to the latest stable version.

This can be done automatically, and we outline below how to do this. However, precaution must be taken, as unattended updates could potentially break your website. We would recommend checking frequently and updating manually, ensuring you have taken a backup first.

Advanced Tip: Enable WordPress auto updates

Add the following code in the wp-config.php file present in the WP installation directory.

define( 'AUTOMATIC_UPDATER_DISABLED', false );
define( 'WP_AUTO_UPDATE_CORE', true );

To auto-update WP Plugins

Add the following line to your theme's functions.php or to a small plugin. It cannot go in wp-config.php, because add_filter() is not yet available when that file runs.

add_filter( 'auto_update_plugin', '__return_true' );

To auto-update WP Themes

Add the following line to functions.php or a plugin in the same way.

add_filter( 'auto_update_theme', '__return_true' );
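The caveat above, that unattended updates can break a site, can be met with an allow-list rather than the all-or-nothing filter. The following is an added example (not the page's own code) for functions.php or a small plugin: it auto-updates only named plugins and logs the outcome of every automatic update so you can review it. The plugin slugs in the list are assumed placeholders.

```php
<?php
// Added example: auto-update only an allow-list of plugins, and log what the updater did.
// Goes in functions.php or a plugin (add_filter() is not available in wp-config.php).

// Slugs of plugins you are happy to update unattended (assumed placeholders; use your own).
const WPS_AUTO_UPDATE_PLUGINS = array( 'akismet', 'example-plugin' );

// WordPress passes the update decision so far and the item being considered; $item->slug is the plugin slug.
function wps_selective_plugin_auto_update( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, WPS_AUTO_UPDATE_PLUGINS, true ) ) {
        return true;     // always auto-update the allow-listed plugins
    }
    return $update;      // leave everything else to WordPress's default (normally manual)
}
add_filter( 'auto_update_plugin', 'wps_selective_plugin_auto_update', 10, 2 );

// Themes change the site's appearance; keep them manual so a visual break is caught by a person.
add_filter( 'auto_update_theme', '__return_false' );

// After an automatic update run, write one line per item to the PHP error log.
// $update_results is keyed by type ('core', 'plugin', 'theme', ...); each entry has ->name and ->result.
add_action( 'automatic_updates_complete', function ( $update_results ) {
    foreach ( $update_results as $type => $results ) {
        foreach ( $results as $r ) {
            $status = is_wp_error( $r->result ) ? 'FAILED: ' . $r->result->get_error_message() : 'ok';
            error_log( sprintf( 'auto-update %s "%s": %s', $type, $r->name, $status ) );
        }
    }
} );
```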


Use SSL / HTTPS

Most hosting services provide the option to add SSL, which encrypts the traffic between your site and the visitor's browser. These days it is not necessary to pay for a certificate; many sites now use Let's Encrypt, which provides free certificates.

An added bonus is that this opens the door to using HTTP/2:

HTTP/2 Push is a feature of the HTTP/2 protocol. With HTTP/2 Push in place, files and resources required to render the webpage are automatically sent to the visitor before they even request them.

This optimization is a key component of getting that instant, snappy load feeling for people visiting your website.

Your web server needs to support HTTP/2 in order for this feature to be available. If you are using WordPress, there are several plugins that will add this functionality to your site.

See the WPSupportly PageSpeed optimization service for more details on how we can help to dramatically increase your WordPress performance.


Hide WordPress Version

The WP version number that WordPress prints in your pages tells an attacker exactly which known vulnerabilities to try. If you are running an older version of WP and everyone can see it, you become a target.

Most theme designers these days remove it for you, but just to make sure, go to your functions.php and add this line (the file is already PHP, so no extra <?php tags are needed):

remove_action( 'wp_head', 'wp_generator' );

Check WordPress Folders File Permissions

Go to the File Manager provided by your hosting company and check the attributes of your WordPress folder.

It is good if it is 744 (read-only for everyone except the owner). If you find it to be 777, change it immediately, as a world-writable folder is an easy way in for attackers.

When website owners change hosting, they often don't realise that their file permissions also get changed. Make sure you verify all file permissions after migrating your hosting.
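A scripted version of the check above, as an added example that is not part of the original post: it walks a WordPress install and reports every file or directory writable by "other", which is what 777 or 666 means. The install path given on the command line is an assumption.

```php
<?php
// Added example: report world-writable files and directories under a WordPress install.
// Run from the shell after a migration, e.g.  php audit-perms.php /var/www/html  (path is an assumption).

function find_world_writable( string $root ): array {
    $hits = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $iter as $path => $info ) {
        $mode = $info->getPerms() & 0777;      // keep the permission bits only
        if ( $mode & 0002 ) {                   // "other" write bit set: 777, 666, 757 ...
            $hits[] = sprintf( '%04o %s', $mode, $path );
        }
    }
    return $hits;
}

if ( PHP_SAPI === 'cli' ) {
    $root = $argv[1] ?? getcwd();
    $hits = find_world_writable( $root );
    echo $hits ? implode( PHP_EOL, $hits ) . PHP_EOL : "No world-writable entries under $root" . PHP_EOL;
    exit( $hits ? 1 : 0 );   // non-zero exit lets a cron job or deployment step flag the problem
}
```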


Hide The Plugins Folder

The plugins folder /wp-content/plugins/ should not show the list of folders and files inside it, because that tells a visitor exactly which plugins (and therefore which known plugin vulnerabilities) to look for.

Try visiting your plugins folder: yourdomain.com/wp-content/plugins/

If you see a list of folders and files, you need to hide them. To do this, add the IndexIgnore line below to your .htaccess file on the server. The rewrite rules are the standard WordPress block and are probably there already; keep the IndexIgnore line outside that block, because WordPress rewrites everything between the BEGIN and END markers whenever permalinks are saved.

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

# Prevents directory listing (outside the WordPress block so it survives permalink changes)
IndexIgnore *

Add a Security plugin

There are a number of reputable plugins that regularly scan your site for vulnerabilities, such as Wordfence and Sucuri. It is well worth installing one of these for an added layer of protection.

Web Server Vulnerabilities

The web server running WordPress, and the software on it, can have vulnerabilities. Therefore, make sure you are running secure, stable versions of your web server and the software on it.

This means checking you are running one of the latest versions of PHP, from 7.xx upwards. This also has the advantage of boosting your website's page load times.

WPScanly.com provides a free web page speed test and WordPress vulnerability scan all in one, allowing you to quickly see any potential issues on your website.