20 Tips to Secure a WordPress Website - WordPress Hardening

The web design project is over, so that’s the end. That’s the attitude most small to medium business owners have towards their websites. Blame it on a lack of knowledge, a lack of understanding, an “it wouldn’t happen to me” attitude or whatever, but website security is the last thing on their minds until things go horribly wrong and their website ends up in the wrong hands.

Here is a list of different techniques compiled by our team of WordPress developers that can be used to harden WordPress websites.

To start with here are some facts for you,

So how can you secure (harden) your WordPress Installation?

WordPress Security

Change your Admin Page URL

Every WordPress installation comes with a standard link to access the admin panel, i.e. www.yourwebsite.com/wp-admin. Any hacker can easily reach this page and then needs only the username (in most cases an easy guess: admin) and the password (the only hard bit left, unless you chose a simple password!). To change the admin panel URL you can download a WordPress plugin that does the job cleanly. Some of the options are,

Use a Security Question on the Administrator Panel

This adds another layer of security to your WordPress installation. A question can be added to your WordPress administrator login by simply installing the following plugin,

Do not use Admin as the Administrator Panel Username

When you create a new user from the WordPress admin panel, use a username other than admin. This is very simple and can be done from the WordPress admin panel (refer to the screenshots below).

Note: an existing username cannot be edited; however, you can create a new administrator and then delete the old user.

Use an Email as a Login

This is another way to protect your WordPress admin panel from being hacked. By default WordPress asks for a username, but you can use an email address instead. This gives a little more security, as login names are easier to guess than email addresses.

Here is a neat plugin to achieve this,

Limit Login Attempts to secure against Brute Force Attacks

Another easy fix that can be achieved with a plugin to further secure your WordPress installation. It is very important to limit the number of login attempts in order to protect your website against brute force attacks. Apart from gaining access to a website, such attacks can bring websites down through excessive use of server resources (DDoS attacks). Unfortunately there are no built-in features within WordPress to stop such attacks. However, you can use one of the following plugins to limit the number of login attempts a single user (IP address) can make,
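If you would rather see what a login limiter does than install one blind, here is a minimal must-use plugin written for this article as an added example; it is not code from any of the plugins referred to above. It counts failed logins per client IP in a WordPress transient and refuses authentication once a threshold is crossed. The threshold, window length and the lal_ prefix are assumptions chosen for the example, and it trusts only REMOTE_ADDR, because forwarded-for headers can be forged unless a proxy you control rewrites them.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example, not from the page's plugins)
 * Save as wp-content/mu-plugins/login-attempt-limiter.php.
 * Assumes a single web server or a shared object cache, since transients
 * are the storage used for the per-IP counter.
 */

// Hypothetical policy values for this example: 5 failures per 15 minutes.
const LAL_MAX_ATTEMPTS   = 5;
const LAL_WINDOW_SECONDS = 900;

// Socket address only: X-Forwarded-For is attacker-controlled unless a
// trusted reverse proxy overwrites it before PHP sees it.
function lal_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lal_transient_key( $ip ) {
    return 'lal_fail_' . md5( $ip );
}

function lal_is_locked_out( $attempts ) {
    return (int) $attempts >= LAL_MAX_ATTEMPTS;
}

// Every failed login (wrong user or wrong password) bumps the counter and
// restarts the window. WordPress also fires this for the lockout error
// below, so probing during a lockout keeps extending it.
function lal_record_failure( $username ) {
    $key      = lal_transient_key( lal_client_ip() );
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, LAL_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'lal_record_failure' );

// Priority 100 runs after WordPress's own username/password and spam-check
// handlers (20 and 99), so this filter has the final say even when the
// guessed password was correct.
function lal_block_locked_out( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user;
    }
    $attempts = get_transient( lal_transient_key( lal_client_ip() ) );
    if ( lal_is_locked_out( $attempts ) ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'lal_block_locked_out', 100, 3 );

// A successful login clears the counter for that client.
function lal_clear_on_success( $user_login, $user ) {
    delete_transient( lal_transient_key( lal_client_ip() ) );
}
add_action( 'wp_login', 'lal_clear_on_success', 10, 2 );
```

Two caveats worth knowing before relying on something like this: the counter keys on IP, so a single attacker rotating through many addresses is only slowed down, and a whole office behind one NAT address shares one counter, which is the trade-off the plugins above make as well.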

Use Strong Login Credentials across the setup

Weak passwords are a BIG no! Make sure you have strong passwords that contain a combination of letters, numbers and symbols. Also keep the passwords for your hosting account and your WordPress administration panel completely different. There are plenty of online tools that can generate strong passwords. Here are some of them,

Human Verification for protection against DDoS Attacks

A Distributed Denial of Service attack (DDoS attack) is designed to take down a website by sending excessive traffic to it from multiple IP addresses. This leads to the server resources being over-utilised, ultimately bringing down the website. So what can you do to protect your WordPress installation against DDoS attacks? Since such attacks are generated from multiple compromised machines and internet connections, you need to verify that the incoming traffic is human rather than bots. This can be achieved by integrating reCAPTCHA on your website forms. Here is a plugin for WordPress that lets you easily integrate reCAPTCHA.

Update Plugins Regularly

One of the easiest things you can do to tighten the security of your WordPress website. Head to the Plugins page in your WordPress admin panel and hit the update required tab. You will be shown a list of plugins that need to be updated, and you can do the rest with a simple click of a button. Updating certain plugins might break your website, especially if you are dealing with a highly customised environment. It is best to leave the job to a WordPress expert if you don’t have advanced knowledge of your WordPress setup.

Update your Theme Regularly

As we mentioned above, 29% of security attacks took place through vulnerabilities in the WordPress theme. It is therefore very important to update your theme regularly. The easiest way is to sign up for notifications from the theme publisher, so any information about theme updates lands right in your inbox! Some websites run on highly customised themes, and updating the theme might cause issues, so it is best to leave this job to a qualified WordPress developer. However, if you have advanced knowledge of the subject and feel comfortable performing the task, then please go ahead.

Update WordPress Core Software Regularly

A message will generally appear on your WordPress admin dashboard if there are any updates available for the core software. You can either update the core software manually or set the system to update automatically each time an update becomes available. Here is a guide to updating WordPress.

Use a 2-factor Authentication for the WordPress Admin Panel

Google has introduced a new security mechanism that provides an extra layer of security for your WordPress admin panel (on top of the username and password). This typically involves receiving a unique code via SMS, voice call or an app, which must be entered each time you want to log into your WordPress admin panel. Here are two plugins you can use to add this extra layer of security to your WordPress setup,

Protect wp-login.php File

Since most bot-driven attacks (brute force and DDoS) hit the WordPress login page, it is a good idea to restrict access to these files (wp-admin and wp-login) with password protection. This can be done either from cPanel using the Directory Privacy / Password Protect Directories feature or manually using an .htpasswd file. Both methods work quite well, but the manual method needs a little more advanced knowledge. Here is a handy little guide on how you can achieve this.

Use an SFTP Connection rather than an FTP Connection to Connect to the Server

WordPress recommends that connections to the server be made over SFTP. This essentially means that the communication between the two machines, including your login credentials and the files you upload, travels over an encrypted channel rather than in plain text.

Limit Access to the wp-admin using IP Address

This is yet another technique to limit access to the WordPress admin panel. You can restrict which IP addresses can reach the WordPress admin panel through the .htaccess file located in your wp-admin folder. For instructions on how to achieve this, please check out this tutorial. The only downside to this technique is that you will need to update the IP addresses in the .htaccess file each time you want to access the admin panel from a new location. But better safe than sorry!

Change the WordPress Database Prefix

WordPress uses a database to store a website’s content and settings. The default table prefix for any WordPress installation is wp_. Because every table starts with wp_, attackers can guess your table names, which makes the website more susceptible to hacking attacks. Changing the table prefix to something other than wp_ is a bit like adding password protection to your database. Any random string of characters will do the trick! Here is a step-by-step guide on how to achieve this, either at the time of installation or on an existing website.

Create Blocklists

According to WordPress, most brute force attacks originate from countries such as Russia, Kazakhstan and Ukraine. To protect your website you can choose to block IP addresses originating from these countries. This can be done either manually using shell scripting (advanced programming knowledge required) or simply by using a security plugin for WordPress. Here are two plugins that can help you achieve the task,

Disable File Editing

WordPress recommends disabling file editing from the admin dashboard, so that a hijacked administrator session cannot write PHP to your theme or plugin files through the browser. This can be achieved by editing the wp-config.php file.
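The two wp-config.php changes discussed above (the table prefix and file editing), shown as an added example excerpt rather than anything copied from the page's guides. The prefix value is a constructed placeholder; pick your own. Note that on an existing site, changing $table_prefix on its own breaks the installation: the existing tables, and the prefixed option and usermeta keys such as wp_user_roles and wp_capabilities, must be renamed to match, which is what the step-by-step guide above covers.

```php
<?php
// wp-config.php excerpt (added example). Only the lines relevant to the two
// tips are shown; the database credentials and salts stay as WordPress wrote them.

// BEFORE (weak): the default prefix that every scripted attack assumes.
// $table_prefix = 'wp_';

// AFTER: a prefix chosen at install time. Letters, digits and underscores
// only; the value below is a constructed placeholder, use your own.
$table_prefix = 'k7q2x_';

// Remove the Appearance > Theme File Editor and Plugins > Plugin File Editor
// screens. Compromised admin credentials can then no longer be turned into
// arbitrary PHP on disk via the dashboard; changes must go over SFTP instead.
define( 'DISALLOW_FILE_EDIT', true );

// Optional, and stricter than the tip above: also block installing and
// updating plugins, themes and core from the dashboard, including the
// automatic background updater. Only enable this if you deploy updates some
// other way (for example WP-CLI), otherwise you lose the update tips earlier
// in this article.
// define( 'DISALLOW_FILE_MODS', true );
```

A quick way to confirm the first setting took effect is to log in as an administrator and check that the Theme File Editor and Plugin File Editor entries have disappeared from the menus.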

Disable XML-RPC Function

This is a very powerful feature that was originally designed as an intranet notification system. Other uses include remote posting from mobile devices and content delivery. However, this feature also allows hackers to carry out amplified DDoS attacks (via pingbacks) and brute force attacks. It is therefore best to turn the feature off completely. You can either do this manually or through a plugin,
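The manual route, as a small must-use plugin written for this article (an added example, not one of the plugins the page refers to). It closes the two XML-RPC abuses the paragraph names: login attempts through xmlrpc.php, including the system.multicall trick of bundling many guesses into one request, and pingback reflection. The dxr_ function names are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 * Save as wp-content/mu-plugins/disable-xmlrpc.php.
 */

// Every XML-RPC method that needs credentials (posting, system.multicall
// login guessing, etc.) is refused before the password is even checked.
add_filter( 'xmlrpc_enabled', '__return_false' );

// pingback.ping does not require a login, so the filter above leaves it
// reachable. Remove the pingback methods so xmlrpc.php cannot be made to
// fire requests at a third-party site on an attacker's behalf.
function dxr_remove_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'dxr_remove_pingback_methods' );

// Stop advertising the endpoint: WordPress adds an X-Pingback header to
// every front-end response by default.
function dxr_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'dxr_remove_pingback_header' );
```

Because these filters run inside PHP, each abusive request still costs the server a WordPress bootstrap; if load rather than credentials is the worry, denying access to xmlrpc.php in the web server configuration is the stronger option. Check first that nothing you rely on (the mobile app, Jetpack, remote publishing tools) still needs the endpoint.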

Take Backups Regularly

We can’t emphasise the importance of backups enough. There have been many cases where our clients’ websites have been hacked and backups have been the saving grace! Plenty of web hosting plans include automatic daily backups, or they can be purchased as a separate service. There are also plenty of WordPress plugins that can back up your website or blog, some of which are as follows,

Use a Comprehensive Security Plugin

There are some really good security plugins available for WordPress that provide a range of security features, including login security, security scans, traffic blocking and firewall setup. Only the basic security features are available in the free versions of these plugins, but you can always upgrade to use the entire set of features. Here are some plugins that we have used in the past on our WordPress installations,

Whitehorsepoint is a digital agency based in Sydney with a team of expert WordPress Developers. We specialise in custom development using open source PHP based platforms such as WordPress, Joomla, & Magento.