How to Secure Your WordPress Site: The Complete Guide
WordPress is an open source content management system and it is built around neat and secure software, sometimes breaches of security will happen and it is not all up to WordPress itself.
You could be damaging your own site by following bad practices, like still running on an old WordPress software, install unsecured plugins and choose nulled themes for which we are going to talk later on this article, and lack of basic knowledge about security and best techniques to implement among newbies in the web world, and due to this reason it makes those sites vulnerable to cyber-crime activity.
WordPress account for 36.3% of the web, this popularity comes with a price, being enticed to multiple threats and vulnerabilities from hackers, and with most WordPress users having little to no knowledge in coding, because we all know the simplicity and smoothness of WordPress, this makes them an easy victim.
But don’t let that be the case because these next steps we are going to show you are not going to require that much coding skills, there are simple steps like strengthening your password and username to secure your website. The very first step would be raising awareness for this important process before it happens to you, because once you’ve been burned you will most likely be more cautious.
On the other hand, the huge ecosystem of themes and plugins have to be taken into account as well, with each one having the potential to open up additional vulnerabilities.
But to counterweight the statistics, WordPress security team is made of approximately 50 (up from 25 in 2017) experts including lead developers and security researchers — about half are employees of Automattic and a number work in the web security field.
Each security report is acknowledged upon receipt, and the team works to verify the vulnerability and determine its severity. And a huge community of developers, enthusiasts that are willing to help and advise each other. As long as you keep an interchangeable pace of security approaches, you will be on the safe side.
Without further ado let’s see what are some of the best practices to keeping your WordPress website secure.
Chose a solid hosting service
If we are going to talk about how to keep your website secure, you must know that WordPress alone doesn’t take part in the setup, the configuration of the operating system and the underlying web server hosting the software is of the same importance. Unfortunately, sometimes that’s where issues begin.
Hosting is an important key to keeping a secure environment. In order for a hosting service to keep a safe infrastructure that is adequate to protect your website from high-end cyber threats, it needs to have multiple layers of security measurements of hardware and software levels.
Be picky about your hosting provider and do thorough research on its security capabilities. Do they give security a top priority? Do they rely on the latest technology of operating systems and (security) software as well as are they thoroughly tested and scanned for vulnerabilities and malware?
These are all rightful questions you should be asking before deciding with which hosting provider you are going. Don’t make the mistake of taking security for granted over saving a few bucks. It will cost you much more in the future.
Things to look out on hosting provider include:
- Server-level firewalls and systems that detect intrusion that keeps the WordPress installation safeguarded
- The server should be configured to use secure networking and file transfer encryption protocols (such as SFTP instead of FTP) to hide away sensitive content from malicious intruders.
- Your server should be running on the latest PHP version, any server that is running on a PHP 7.1 or any version below, they have long lost the support and thus it will be exposed to security breaches. If you want to know what PHP you are running you can check it using Pingdom, a free tool that will give you valuable insights about your website. You can view your PHP version under File request > then click on the domain which will open a window containing information about our site and under x-powered-by you can see the PHP version running on your hosting server.
From HTTP to HTTPS: Install an SSL Certificate
In 2016 Google announced that all websites that required delicate information such as credit card number will have a red label next to the HTTP as not secure.
The transition from HTTP (HyperText Transfer Protocol) to HTTPS (HyperText Transfer Protocol Secure) is made possible by installing an SSL (Secure Sockets Layer) certificate whose primary usage is to keep sensitive information travel across the Internet encrypted and secure, that way it will be accessible only by the intended recipient.
When you use an SSL certificate the information being provided will be encoded and unreadable for anyone except the server a user is sending information and you as a recipient, this way HTTPS will protect all the data and information being exchanged between a browser and a server, so it is vital to keep those secure.
On the contrary, if you are not using a secure HTTPS all the sensitive data that is supposed to be encrypted will be delivered in plain text, meaning there is a huge possibility that data is going to be intercepted and maliciously used by anyone looking to invade the privacy and it presents an easily accessible loophole for hackers.
SSL certificates are now mandatory for all sites since 2018, not only for those sites who require sensitive information such as credit card details or passwords, and in the end that’s what makes all the difference between a secure and a not secure site.
Set directory permissions carefully
This is an advanced task to secure your website that requires some pretty hard knowledge of code, so if you are exactly a tech-savvy person I would recommend not to mess with it.
When using a shared web hosting, you will add files and directories to your web hosting space, and to each of them, you are going to have permissions assigned to them, in that way the server will know who can access them and keep them secure.
For clarification file permissions to determine who can access and what functions can they apply will be categorized with a set of rules like below:
First, you have to define who has permissions over the files and directories and it is divided into three groups
User – Which is the administrator of your website, this is your cPanel username
Group – Here are collected all the other users in your website, that can be editors, contributors or any other user you set in this category
World/Other – everyone else in the world/ in the internet
Next, you have three different actions the users above can take upon these files and directories
Read – this allows content on the website to only be viewed or read
Write – This category allows for to alter files and directories
Execute – File’s contents such as a program, or script can be run,
And lastly, each number corresponds to a level of permission or a combination of permissions. All you need to remember is
Read – 4
Write – 2
Execute – 1
No access – 0
In that case, when you say that a directory should be chmod 755 it means that
- User has permissions to Read (4) and Write (2) and Execute the directory (1) so 4+2+1 gives 7.
- Group has permissions to Read (4) and Execute the directory (1) so 4+1 gives 5
- Others have permissions to Read (4) and Execute the directory (1) so 4+1 gives 5
In a nutshell, it means that you as a user can view the files and directories, can write and alter the files and directories and execute them as well, but the other two categories like other users and the rest on the internet can only view and execute the files and directories.
You want to be careful when setting permission properly on your WordPress website, because you could easily give more access than you should to people that are not supposed to have access in the first place, leaving the territory open for malicious events.
Note that none of your WordPress file permissions should be set to 777 or “-rwxrwxrwx” if you are using FTP or SSH, because you will be granting full access to everyone.
But also another thing you should not do is set the permissions to 444 or “-r–r–r–“ in FTP or SSH, because that way everyone will only be able to view the files, and sometimes WordPress would need to need permission to safely modify, or execute certain files.
WordPress Theme and Plugins Security
As you may know WordPress uses themes and plugins as extensions to both render content visibility and add functionality to a website, and in its repository WordPress counts a number of approximately 50,000+ plugins and 5,000+ themes listed, that is a vast number and even larger is the number of themes and plugins that are build on insecure codes and are prone to malfunctions due to their poor construction, thus compromising a secure website.
These can pose serious problems and security issues. We will show you what it takes for you to be on the safe side and secure your website.
Perform regular updates for your WordPress, themes and plugins
Part of the job for the team of security of WordPress aside from protecting it from threats and perilous events, they also provide updates and maintain its core software structure.
These updates are vital for keeping your site safe because they are meant to fix bugs and at times they provide crucial security enhancements and patches. Starting from the version 3.7, WordPress offers automated updates for minor updates, for major updates you will have to perform it manually.
Same goes for themes and plugins, any outdated WordPress product will pose serious threats and leave an open road to vulnerabilities that are left from outdated plugins and themes.
Avoid using/installing Nulled Themes
Before I get started on why you shouldn’t use nulled themes, I feel like I have to explain its context first. Nulled Themes are hacked or pirated copies of an original premium theme sold illegally on the internet for a lower price than the original or sometimes for free.
They are scams and those who provide those kinds of themes hack the code of premium themes leaving nasty traces and backdoors which will provide them easy access to your site and perform all kinds of mischievous steps that infect your site.
What are some threats that these types of thee expose? Those backdoors that are left open in nulled themes are often deliberate, and the reasoning behind this is to use your site for backlinks so they gain point to their sites, and you won’t even know it.
That is why it is important to check for broken links and malicious links to your site since they can ruin your reputation and negatively affect your SEO. They can also redirect your site to spam links, or hack your site for various reasons, even for ransom. You won’t believe what people are capable of.
You might think that installing an SSL certificate to our site will keep it secure and not affected by such themes, but that is not the case. The malicious code they leave behind can invade your customers/users’ sensitive information and they are left unprotected and hackers can easily steal valuable information. Be careful when choosing a theme or plugin.
Hide the latest version tag
It is easy to find the latest version of WordPress you are running, it is located in the site’s source view for everyone to see it. It is set by default from WordPress. And you might be thinking what this little detail has to do with keeping my website secure from threats. Well, let me tell you a lot.
The catch is this: When hackers are able to find out your latest version of WordPress it will be easy for them to create a tailored attack for your site and be very effective actually. To prevent them from doing this you can try and hide this numbered tag.
There are two approaches, one being the manual way. Note that: You should not perform this task yourself if you don’t have the knowledge required to do it, because you can mess up your site and it will be hard to take it back on track. You can hide the tag by adding the following function to your functions.php file:
function neuron_remove_version() return ''; } add_filter('the_generator', 'neuron_remove_version');
By adding this code you will hide the version number from both, your head file and RSS feed. But for those with limited coding skills you can always turn to a plugin to do that for you as simple as switching on a button.
Backup your WordPress website
We need to stress how important it is to backup your WordPress website, it is a vital process to keep your site healthy and if it were to happen any misfortunate, you would have all your files saved and stored and secure, worst-case scenario: you won’t have to do it all over again from the ground up.
This is like saving all our valuable assets before your house burns down from the fire. Make it a habit to perform backups on your WordPress website as often as you can. You can do regular backups daily, weekly, monthly, as many times as you find the time.
Although it is not recommended to delay backups for more than 6 months.
Knowing the crucial components of backing up your site, you should already be conscious and responsible to keep your data saved and easily retrieved. The process of backing up a website can be done manually, which can be time-consuming, especially for those whose running a website isn’t their primary goal.
It is true that your hosting provider might perform backup plans for your site, but I wouldn’t rely only on that, it is never bad to be a bit more careful.
You can always turn to plugins to make it easier for you. You can use the guidance on how to backup and restore your site with UpDraftPlus for more insights and steps to complete this important task.
Plugins to Backup your website
Protect your WordPress website via admin Dashboard
The WordPress core system is inherently secure, but sometimes the smallest details will matter. Imagine setting up all these walls to secure your site for it only to get hacked because you choose a weak username and password. Yes, using your username as wp-admin is common knowledge, even for hackers… especially for hackers. It’s like locking your house but leaving the keys in the door.
Before I did research on his article I always thought cyber hacks are done by a hacker somewhere in a dark room, using sophisticated technology, encrypting files and codes of long complex text. Let me tell you I was disappointed to find out that right after plugin vulnerabilities, brute force attacks account for 16.1 % of all WordPress sites.
Access control is much more important than most give credit for and brute forces are password attacks, by guessing the combination of your username and password of your WordPress admin adrea.
You can be the next victim of
- Brute force attacks, which are repeated entry tries to your long in page until the right combination if found
- Stealing login credentials via other methods
The exploitation of access control often comes in the form of a brute force attack, in which the attacker attempts to guess the possible username and password combinations in an effort to log in as the user.
Strengthen your username and password
Now that we know what our threats are we can move on and take precautions to make sure our website is tightly secured. This next step might seem simple but it is really effective.
Choose a wise and bizarre username that only you know and an air-tight password, you can combine capital letters, letters, numbers and symbols. Never use a common password, many people make this mistake by choosing their passwords like 123456. That could go for a phone lock password, but to rely your entire website on that password is irresponsible.
If you don’t know how to create a strong unbreakable password, you can use this free tool to generate complex passwords: Strong Password Generator. You could also use an encrypted database to store and secure your passwords on your computer.
Tools like 1Password and Remebear. You can systemize and save your passwords, all in one please. And remember it is always good to create unique passwords for different pages. This way you will have created a layered protection for your website.
Let’s talk about usernames. Most of the people don’t bother changing the wp_admin username for their log in and that is like honey on a pot for hackers. Be creative, think of something unique to you and generate it. Also you don’t have to remember all the details, just keep a copy on your pc and organize various combinations so they are always easy to reach.
Secure your wp-admin directory
The wp-admin directory is the centerpiece of your entire website. Having a breach in this section is like the caste being conquered from the inside. Tremendous consequences. That is why you are going to have to work a little harder to keep it secure and one way of doing so is layering it with another password protection for this directory.
This method is quite effective because it restricts breaches that have already passed through round 1: the login process and they will be presented with another requirement of credentials.
You can do this directly from the cPanel, first, log in with your credentials, then > Go to the Files section and click on the Directory Privacy icon.
And from there you will have to select the directory you want to password protect and then you will see the Set permissions for “/home/exampl3/directory/”screen appears.
From that window, you will have to switch on the checkbox labeled Password to protect this directory.
Next, you would want to Type a name for the folder you are trying to protect in the designated field Enter a name for the protected directory.
Click Save to save the names you created the directory and option to password protect the directory.
And lastly would be to Create a user to grant access to the protected directory by typing the credentials into the Username, New Password and Confirm Password fields
Create a Two- Factor Authentication to your WordPress login
Layer over layer over layer, it might be exhausting, but hey, it is a dangerous world out there and you need to protect yourself from pretentious people looking to harm you or your business.
We give you the Two-Factor Authentication method that adds another secure sheet to your login verification.
We can assume that, if someone has set their mind to break into your site they won’t stop until they achieve it, and by using programs to run an automated process that tries several random password combinations per second, they have the confirmation they need to enter your WordPress Dashboard.
But at the faint of their heart, you can add another verification factor that will require you to write a token or a code usually sent to you by text message, email, or even an app.
Better safe than sorry. It will be nearly impossible to get the required confirmation until they have physical access to your devices.
All this can be easily done with the help of a plugin.
Google Authenticator – Two Factor Authentication by miniOrange, is a plugin designed to help you set up Two-Factor Authentication and simplify the process of doing so. All you need to do is install it in your WordPress Dashboard just like any other plugin.
Register for an account and start twerking around to set up the verification. With the free version of this plugin, you can set other methods of authentication.
- SMS authentication (you get 10 free SMS messages, but after that, you’ll need to pay)
- Google Authenticator app
- Scan QR code with miniOrange Authenticator app (similar to the now-defunct Clef method)
- Authy 2-Factor Authentication app
Take full advantage of this method as it will provide you with excellent security for your site, unlike another method.
Limit the number of login attempts
In order to protect your website from brute attacks, the best practice would be to set a login attempt limit. When hackers have gone above the limit during a specific time, you will be alerted and will be able to react on time. It would be foolish to leave the login attempts unlimited, it’s a golden ticket way out into your website, because after many attempts, they are most likely to succeed, and that would be fatal for you and your website/business.
Best thing to do in this case is to reach out with the help of a plugin, some of the best being Login LockDown or Limit Login Attempts Reloaded. Both of the plugins will be a great security addition to your site, but if you are looking for a free version, Cerber Limit Login Attempts plugin is a great way to easily setup lockout durations, login attempts, and IP whitelists and blacklists.
One final tip: It would be a good habit to change your password often, so that you create a chain of diversity like every 6 months or so.
Change your WordPress login route
Another very simple, yet very effective way of securing your website would be to change your WordPress login URL, by default the URL you use to login to your WordPress Dashboard is wp-login.php or wp-admin and if I know that, it means that all hackers know that.
It provides the easiest way of entering your WordPress login account for those who want to gain access to your database. A simple trick like changing that URL will lose track of your navigational route to your site and protect it from brute force attacks.
Disable file editing in your WordPress Dashboard
One other problem we must talk about is who to give administrative credits to. You should limit user access to your site to only those who in any sort are contributing to as authors or editors.
If you are running on a multi user website, set those permissions straight and neve give administrator access to anyone unless they need it to continue to add functionality to your website.
Let’s say that the hackers have brought down every protective wall you have put against it, or sometimes people don’t put these security walls and make it easy peasy for people with bad intentions to have access to your files and database.
A smart move to make would be to disable file editing in your WordPress Dashboard, so that even if a hacker has made it all the way to your files, they would want to mess with the code and place malicious activity around it in the Appearance Editor.
In order to limit their activity you can place the following code in your wp-config.php file to remove the ‘edit_themes’, ‘edit_plugins’ and ‘edit_files’ capabilities of all users.
As you can see, there are plenty of ways how you can keep your WordPress website secure, keep an eye for some of the best practices that work for you and never take security for granted. It should be the number one priority for maintaining a clean and healthy website.
Don’t let those hackers get away with it and be sure to make their job as hard as you can. First and foremost always check up for updates, never, ever use outdated plugins or themes, choose a reliable and secure hosting provider and perform backups regularly.
Get ahead and use other techniques we mentioned in the article below like choosing a hard complex password, a clever username, set login attempts or secure your website. Establish all those obstacles one by one to make sure your WordPress website will be running safely and without any errors.
If some of the steps shown here are a bit more complicated and require custom work directly to the code, it would be best to get some professional rather than attempting to do it yourself and end up making more damage than any hacker could do. Keep yourself, your website and your business secure.
We would love to hear from you what are some of the best practices you recommend for keeping a secure website. Leave your comments below and help out others looking to learn from other’s experiences.