HugeServer Knowledgebase

10 ways to harden and secure WordPress

Introduction

Website security has always been a big concern for WordPress site owners: around 28% of all websites on the internet run on this CMS, and that popularity makes WordPress a favorite target for attackers. That does not mean your website has to fall to them.
No system is 100 percent hack-proof, but you can take measures that close off the most common attack paths. To reduce your chance of becoming a victim, follow this tutorial to improve your WordPress website's resistance against the most common attacks: brute-force logins, core, plugin and theme vulnerabilities, file inclusion exploits, SQL injection, cross-site scripting (XSS), and so on.
We are going to show you some easy and effective tips, step by step, to reach a decent level of security.

WordPress Security

Requirements

This tutorial does not cover installing and deploying a WordPress website, so we assume that you already have one up and running.

1. WordPress Password

Some people use an easy-to-remember password, often built from personal information such as a date of birth. That is a mistake: it may seem hard for another person to guess, but for an automated brute-force script that works through common patterns and leaked password lists it is a piece of cake.
So pick your passwords wisely, make them long and unique, and use a different password for each part of your setup: the WordPress admin account, the database user in wp-config.php, and the server (SSH/FTP) account. Consider using the built-in WordPress password generator; it is there for your own security. Note that the database password is stored in plain text in wp-config.php, which is one reason the later sections restrict access to that file.

2. Consider using Two-Factor Authentication

Two-Factor Authentication adds an extra layer of security to your login: besides the password, logging in requires a second factor that only you hold, such as a one-time code generated on your phone. There are many plugins that add two-factor authentication; we recommend the "Google Authenticator" plugin, which is easy to use and works with the Google Authenticator mobile app (available for both Android and iOS) or any other app that implements the TOTP standard. Plan for losing the phone before you enable it: keep the secret or another way to recover admin access somewhere safe, or you will lock yourself out.

After you have successfully installed the mobile app, go ahead and install the WordPress plugin.

Google Authenticator Plugin

After the installation is finished you can enable and manage it for each user separately from that user's profile page. Make sure it is enabled for every account with administrator rights, not only your own.

3. Change your Login URL

Renaming your login page from the default wp-login.php to a random name like "dolphins-can-fly.php" makes your site a much less attractive target for the automated brute-force scripts that blindly hit wp-login.php and /wp-admin/ on every WordPress site they find, and it keeps that noise out of your logs. Be clear about what it does and does not do: it is obscurity, not authentication. The login page is not the only place that accepts credentials (xmlrpc.php does too, see the XML-RPC section below), a determined attacker can still discover the new name, and anyone who has your password still gets in. Treat it as a complement to strong passwords, two-factor authentication and login rate limiting, not as a replacement for them.
You can rename your login page with a plugin from the WordPress plugin directory such as "Move Login" or the "Hide Backend" feature of "iThemes Security"; it is not a built-in WordPress feature.

4. Restrict Access to wp-config.php

Your "wp-config.php" file contains your website's base configuration, including the database name, user and password in plain text, and the authentication salts. WordPress only needs to include it from PHP; it should never be served to a browser, not even if a misconfiguration one day makes the server hand out PHP files as text. On Apache you can block HTTP access to it by adding the following lines to the ".htaccess" file in your WordPress root (the Order/Deny form below is the Apache 2.2 syntax, which Apache 2.4 still honours only when mod_access_compat is loaded; Nginx ignores .htaccess entirely, so there the equivalent deny rule belongs in the server configuration):

<files wp-config.php>
order allow,deny
deny from all
</files>

5. Set correct file and directory Permissions

Your web server, or the PHP-FPM process behind it, only needs to read the WordPress files and to write to the places WordPress writes to, mainly wp-content/uploads and, during dashboard updates, the plugin and theme directories. On many hosts the web server user (www-data, apache or nginx, depending on the distribution) owns all of the files; that is convenient, but it means any PHP code running on the site can rewrite any file, so a separate deployment user as owner with the web server user in the file group is the stricter arrangement. Either way, nothing should be world-writable: all files should have permission "644" and directories "755", and wp-config.php deserves 640 or 600 (the WordPress hardening guide even suggests 440 or 400) because it holds your database password. If you have SSH access to your server you can set the permissions with the following commands; otherwise use your control panel or FTP client.

find /path/to/your/wordpress/ -type d -exec chmod 755 {} \;
find /path/to/your/wordpress/ -type f -exec chmod 644 {} \;
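A way to check the permissions described above rather than only set them, as an added shell example that is not part of the original tutorial or of WordPress itself: wp_perm_audit lists every path that deviates from the 755/644 scheme (wp-config.php may be 640, 600, 440 or 400) and prints how many it found, wp_perm_fix applies the scheme, and the demo at the bottom runs both over a constructed temporary tree containing the usual mistakes. The /path/to/wordpress path in the comments and the demo tree are assumptions, not a real site.

```sh
#!/bin/sh
# Audit WordPress file permissions and tighten them.
# Added example, not from the tutorial: usage is
#   wp_perm_audit /path/to/wordpress   (path is a placeholder)
#   wp_perm_fix   /path/to/wordpress

# List every directory that is not 755 and every file that is not 644
# (wp-config.php may be 640, 600, 440 or 400) on stderr; print the count.
wp_perm_audit() {
    root="$1"
    offenders=$(
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -name wp-config.php ! -perm 644
        find "$root" -type f -name wp-config.php \
            ! -perm 640 ! -perm 600 ! -perm 440 ! -perm 400
    )
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders" >&2            # show what is wrong
        printf '%s\n' "$offenders" | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Apply the 755/644 scheme and drop world-read on wp-config.php.
wp_perm_fix() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    # wp-config.php holds the database password: 640 keeps it readable by
    # the web server only if the file's group is the server's user.
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
}

# Constructed demo tree with the mistakes FTP clients and a careless
# "chmod -R 777" leave behind; prints "<offenders before> <offenders after>".
wp_perm_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    printf '<?php\n' > "$d/index.php"
    printf '<?php\n' > "$d/wp-config.php"
    chmod 755 "$d" "$d/wp-content"
    chmod 777 "$d/wp-content/uploads"   # world-writable upload directory
    chmod 666 "$d/index.php"            # world-writable PHP file
    chmod 644 "$d/wp-config.php"        # world-readable credentials
    before=$(wp_perm_audit "$d" 2>/dev/null)
    wp_perm_fix "$d"
    after=$(wp_perm_audit "$d" 2>/dev/null)
    rm -rf "$d"
    echo "$before $after"
}

wp_perm_demo   # prints: 3 0
```

Run the audit before and after any bulk chmod and after every restore from backup; a non-zero count right after a deploy usually means the upload or sync tool applied its own defaults.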

6. Disable XML-RPC

XML-RPC is an API (Application Programming Interface) that lets mobile apps, desktop clients and services such as Jetpack talk to your WordPress site. It lets such applications do many of the things you can do when logged into the web interface: publish, edit and delete posts, and so on. Attackers use the same endpoint, xmlrpc.php, in two well-known ways: for brute-forcing credentials (the system.multicall method lets them try hundreds of username/password pairs in a single HTTP request, which sidesteps per-request login limits) and for pingback abuse, where your site is tricked into sending requests at a third party. So if you are not using an app or service that needs it, you should disable it.
There are several ways to disable XML-RPC. Most security plugins, including iThemes Security and Sucuri, can turn it off; note that the WordPress xmlrpc_enabled filter they commonly rely on only disables the methods that require authentication, so blocking the file is the more complete option. On Apache you can block HTTP access to it by adding the following lines to your ".htaccess" file (the Order/Deny form is the Apache 2.2 syntax; Nginx ignores .htaccess):

<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>
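The same access rules in a form that survives the Apache 2.2 to 2.4 change, as an added shell example that is not from the original tutorial: Apache 2.4 replaced Order/Allow/Deny with "Require all denied", and the old directives only keep working if mod_access_compat is loaded, so the function below writes a <Files> block that picks the right syntax with <IfModule> and refuses to add a second block for a name that already has one, which makes it safe to call from a deploy script every time. It covers both the wp-config.php rule from section 4 and the xmlrpc.php rule above. The demo works on a constructed temporary file; the .htaccess path is an assumption. On Nginx .htaccess is ignored entirely, so there the equivalent deny rule belongs in the server block.

```sh
#!/bin/sh
# Block direct HTTP requests to sensitive WordPress files via .htaccess.
# Added example, not from the tutorial; usage (path is a placeholder):
#   wp_htaccess_deny /path/to/wordpress/.htaccess xmlrpc.php

# Append a <Files> block for $2 to the .htaccess at $1, once.
wp_htaccess_deny() {
    htaccess="$1"   # path to the site's .htaccess
    name="$2"       # file to block, e.g. wp-config.php or xmlrpc.php
    if [ -f "$htaccess" ] && grep -q "<Files $name>" "$htaccess"; then
        return 0    # rule already present, stay idempotent
    fi
    cat >> "$htaccess" <<EOF
<Files $name>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</Files>
EOF
}

# Number of <Files> blocks guarding $2 in $1 (0 if none or no file).
wp_htaccess_count() {
    grep -c "<Files $2>" "$1" 2>/dev/null || true
}

# Demo against a constructed temporary .htaccess; the repeated xmlrpc.php
# call shows that re-running does not duplicate the rule.
wp_htaccess_demo() {
    h=$(mktemp)
    for f in wp-config.php xmlrpc.php xmlrpc.php; do
        wp_htaccess_deny "$h" "$f"
    done
    cat "$h"
    echo "xmlrpc.php blocks: $(wp_htaccess_count "$h" xmlrpc.php)"   # 1
    rm -f "$h"
}

wp_htaccess_demo
```

After changing .htaccess, confirm the block works from outside: a request for /xmlrpc.php or /wp-config.php must return a 403, and if it does not, AllowOverride for the site is probably off and the same <Files> block has to go into the virtual host instead.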

7. Disable file editing

Assume that your WordPress admin password has somehow been compromised. The attacker can log into your dashboard and, through the built-in plugin and theme editor, write arbitrary PHP into your plugin and theme files, which turns an admin login into code execution on the server (a web shell, a backdoor, a defacement). You can be one step ahead by disabling the editor: a stolen admin session then lets the attacker edit posts and settings, which is bad but far less catastrophic than editing your whole website's files.

You can disable the editor by adding the following line to your "wp-config.php" file, above the "That's all, stop editing!" comment (that is, before wp-settings.php is included). If you also want to block plugin and theme installation and updates from the dashboard, the DISALLOW_FILE_MODS constant does that in addition, at the cost of applying updates yourself over SSH or by file upload:

define('DISALLOW_FILE_EDIT', true);
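An added shell example, not part of the original tutorial, that puts the define in the right place: the "stop editing" marker exists so that custom constants land before wp-settings.php is included, and a define placed after that include is only set once bootstrapping has finished, so plugins that read it while loading will miss it. wp_config_define inserts a constant above the marker, skips it if it is already defined, and falls back to appending when the marker is missing; wp_config_defined counts how many definitions of a constant the file holds so the result can be checked. The sample wp-config.php in the demo is constructed and shortened; a real one has many more settings.

```sh
#!/bin/sh
# Add a define() to wp-config.php above the "stop editing" marker.
# Added example, not from the tutorial; usage (path is a placeholder):
#   wp_config_define /path/to/wordpress/wp-config.php DISALLOW_FILE_EDIT true

wp_config_define() {
    config="$1"   # path to wp-config.php
    name="$2"     # constant name, e.g. DISALLOW_FILE_EDIT
    value="$3"    # PHP literal, e.g. true
    if grep -q "define( *'$name'" "$config"; then
        return 0  # already defined: do not add a second, conflicting define
    fi
    tmp="$config.tmp.$$"
    awk -v line="define( '$name', $value );" '
        # emit the define just before the marker, once
        /That.s all, stop editing/ && !done { print line; done = 1 }
        { print }
        END { if (!done) print line }   # no marker found: append instead
    ' "$config" > "$tmp" || { rm -f "$tmp"; return 1; }
    # copy back instead of mv so owner and mode (e.g. 640) are preserved
    cat "$tmp" > "$config" && rm -f "$tmp"
}

# Number of define() lines for constant $2 in $1; anything but 1 is wrong.
wp_config_defined() {
    grep -c "define( *'$2'" "$1" 2>/dev/null || true
}

# Demo on a constructed, shortened wp-config.php.
wp_config_demo() {
    c=$(mktemp)
    cat > "$c" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
    wp_config_define "$c" DISALLOW_FILE_EDIT true
    wp_config_define "$c" DISALLOW_FILE_EDIT true   # second call is a no-op
    cat "$c"
    rm -f "$c"
}

wp_config_demo
```

If you later decide to set DISALLOW_FILE_MODS as well, call the same function with that name; it will be placed above the marker too, and a count of 1 from wp_config_defined for each constant confirms nothing was duplicated.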

8. Set up regular Backups

We highly recommend setting up regular backups so that if your website gets compromised you can roll back right away and keep it live. A few points make the difference between a backup and a false sense of security: back up both the files and the database, store copies off the server (a backup that only lives in the web root is lost, or encrypted, together with the site), keep several generations so you can go back to a point before the compromise, and test a restore now and then. There are many plugins to back up your WordPress site; below are some of the popular ones:

  • BackupBuddy
  • UpdraftPlus
  • BackWPUp
  • Duplicator

9. Install a Security Plugin

One of the most useful steps in this tutorial is installing a security plugin, which makes it easy to audit and monitor what happens on your website. These plugins typically offer file integrity monitoring (comparing core files against the official checksums), a log of failed login attempts with automatic lockouts, malware scanning, and request filtering that blocks common attack patterns such as SQL injection and XSS payloads. Keep in mind that a plugin-level firewall runs inside PHP after the request has already reached WordPress; it is a useful filter, not a substitute for the fixes in the sections above or for a patched server.

There are many free security plugins out there and they overlap heavily in features, so pick one and configure it properly rather than stacking several; the following are some of the most popular and most installed security plugins for WordPress:

  • Sucuri Security
  • iThemes Security
  • WordFence

10. Keep everything up to date

Here is the most clichéd yet most important advice: keep the WordPress core, themes and plugins up to date. Outdated components are the most common cause of a hacked WordPress site. Once a vulnerability in a plugin or theme is public, scanners fingerprint the vulnerable version across the web within days, so a site that stays on that version is a target regardless of how little traffic it gets. Remove plugins and themes you do not use instead of leaving them installed and inactive: inactive code is still on disk, and some flaws are reachable by requesting a plugin file directly, without the plugin being active.

WordPress is updated regularly, and these updates include both bug and security fixes. Point releases (e.g., 4.7.1) are mostly maintenance and security releases and should be applied as soon as they come out; WordPress installs them automatically unless you have disabled automatic updates. Major releases (e.g., 4.7) should also be applied as soon as possible, but follow a proper upgrade process (take a backup first, and try the upgrade on a staging copy if you have one) to avoid conflicts with plugins and themes. If you manage the server over SSH, WP-CLI lets you apply core, plugin and theme updates non-interactively and verify the core files against the official checksums, which also catches files that have been tampered with.

Conclusion

At last, the answer to the question "Is WordPress secure?": it depends. WordPress itself is reasonably secure as long as security best practices are followed. If an attacker finds a way into one of the many millions of WordPress websites, they can scan for other sites running the same insecure configuration or the same vulnerable plugin. WordPress is open source and has a team specifically working on finding and fixing security flaws in the core code. As vulnerabilities are revealed, fixes are pushed out promptly to patch them. That is why keeping WordPress updated to the latest version is so important to the overall security of your website. Hardening WordPress with practices like the ones in this tutorial will strongly reduce your chance of becoming a victim, but keep in mind that you can always do more.
