WordPress is very safe if you take the right security measures. Taking the right security measures is not common practice, unfortunately. Research by Sucuri shows that 25% of the WordPress hacks in Q1 2016 were caused by leaks in three specific plugins. Updating these plugins would have prevented the hacks in probably all cases.
In this WordPress Security Guide we will list 25 security measures to minimalise your risk at being hacked.
General Best Pratices
- Use a strong password
Trying to ‘brute force’ passwords is one of the most common ways to gain access to a website. Make sure your password is long and random. It is best to use a different password for all services that you are using. A password manager like 1Password or Keepass can help you keep track of all passwords. They can also help you change your passwords once every while.
- Use a least privileged system for permissions
Do not give all your users ‘administrator’ rights but only give them a role that has the minimal permissions to make sure they can do their daily work.
- Keep your own computer safe and clean
If someone manages to install a keylogger on your computer, your passwords could be compromised. Make sure to keep your operating system up-to-date, run antivirus software and a firewall.
- Register your website at Google Search Console
By registering your website at Google Search Console you will get notified by Google if they find something suspicious. They will also notify you when your site is blacklisted. After removing the malware, you can request a re-evaluation in order to be removed from the blacklist.
WordPress Core Security
- Always run the latest version of WordPress core
It is very rare, but sometimes security issues are found in WordPress itself. Make sure you always run the latest minor releases from WordPress core. Enable auto-updates in your wp-config.php or toggle auto-updates in the Savvii control panel.
- Disable trackbacks and pingbacks
Trackbacks and pingbacks are notifications from other sites saying they are linking to your site. This method is often used for spam purposes. Log in to your wp-admin and navigate to Settings > Discussion and disable ‘
- Disable XML-RPC
XML-RPC is needed for software clients like the WordPress smartphone apps. If you don’t specifically use XML-RPC it is better to disable this feature. It is a clear attack vector because one XML-RPC request can contain several login attempts. Perfect for brute forcing passwords.
To disable XML-RPC, you can add the following lines to your .htaccess file when running on Apache:
Deny from all
It is also possible to ask your webhost to disable XML-RPC for you.
- Turn off user registration
A lot of bots create WordPress users for spamming purposes. If you site does not require the registration functionality for visitors it is best to turn it off. Navigate to ‘Settings > General’ and disable the ‘Anyone can register’ option.
- Disable file editing
When someone has unauthorized access to your wp-admin, they can wreak havoc by using the built-in file editor of WordPress. Disable this feature by adding the following line to your wp-config.php
- Don’t use the username ‘admin’
In a brute force attack, the attacker has to guess both the username and password correctly. Since ‘admin’ is the default username in WordPress this username will be at the top of any attackers’ list, effectively making it much faster to guess the combination correctly. Create a new ‘administrator role’ user with a unique username for yourself and delete the ‘admin user’.
Securing WordPress Plugins and Themes
- Make sure you run the latest version of your theme and plugins
Vulnerabilities in plugins and themes account for 50% of all infected WordPress sites. A lot of these vulnerabilities are responsibly disclosed to the authors. That gives them the time to release a patch without the general public knowing how to exploit the vulnerability. Sooner or later it will be public knowledge how to take advantage of a (patched) vulnerability. So make sure you always run the latest versions of both plugins and themes.
- Consider a security plugin
Security plugins have pros and cons. We at Savvii think that a lot of things most security plugins do, for example blacklisting IP addresses that make too many login attempts, are better taken care of on a higher level. That is both safer and faster for your website. But every webhost takes different security measures, this makes the added value of a security plugin different from host to host.
We suggest to compare the security features of your webhost with the features of the most well-known security plugins and decide for yourself if they are worth it.
- Delete inactive plugins and themes
Both active and inactive plugins and themes can be exploited. Therefore, it is a best practice to always remove things from your website you are not actively using.
- Only use reliable plugins and themes
This is easier said than done. If you prefer free plugins and themes, please stick to the wordpress.org repository. Software in the wordpress.org repo is screened by a theme of developers. This not a guarantee that there are no vulnerabilities but it is certainly much better than no screening at all. Read reviews, check how often the software is updated and check the quality of customer support.
Stay away from premium themes and plugins that are nulled or otherwise made available for free. These are guaranteed to contain some form of malware.
- Be carefull of themes with bundled plugins
As stated before: updating plugins and themes is absolutely essential. This updating can get tricky or even impossible when a them has bundled a plugin. In some cases you have to rely on the theme author to get the bundled plugin updated to the latest version. There are several cases where some theme authors failed to provide these updates (for example with the famous Revolution Slider hack) and thousands of WordPress sites got infected.
- Do not modify plugins and themes
It seems obvious, but do not modify the code of plugins and themes of other authors. If you do this it is not possible to update the particular theme or plugin without breaking your own functionality or styling.
Luckily for us, WordPress has the Child Theme option for themes. This makes it possible for you to change the design of your website without compromising update functionality.
- Use two-factor authentication for WordPress
To login you normally need a username and password. Both are things you ‘know’. In two-factor authentication another thing is added to verify the identity of the user. That could be something only that user should possess (like his/her smartphone, or a ubikey) or a physical feature (like a fingerprint or iris). Combining two factors makes it much harder to gain unauthorized acces to your website.
A well known two-factor authentication plugin for WordPress is clef.
Hosting & Server
- Check your PHP version
Vulnerabilities can even be found in PHP itself. That makes it important that your webhost is running a version that is still supported with security patches. You can find the support status for the various php versions on php.net. You can ask your webhost about the PHP version in use. An additional advantage of running the latest version (PHP 7, june 2016) is that this one is much faster.
- Block PHP code execution in /wp-content/uploads
A lot of backdoors (scripts who are specifically made to provide access to attackers) end up in the /wp-content/uploads/ folder. If you block PHP code execution in this (and deeper) folder and in the /wp-includes folder as well, you prevent backdoor scripts from being executed in these folders. A good Managed WordPress Hoster will do this automatically for you. If your website runs on Apache, please place a .htaccess file in these folders with the following lines:
Deny from all
- Check your backups
If your site ever gets hacked or something happens to your server it is very important to have a good backup. Verify that a backup is created at least once a day and that these backups are stored offsite (on another server in another datacenter). You should at least have backups of the last 7 days, or better yet, 14 days. At Savvii we create daily offsite backups with a retention of 14 days.
- Check your malware scanning & removal options
A good webhost will run daily malware scans for your websites. Most of them will warn you if they have found suspicious files or behaviour (at least we do). If you are not that into development it could be nice if your webhost could also cleanup the malware and give you pointers on how to prevent reinfection. Removing all malware, making sure you follow up the points on this list and changing all your passwords will almost always prevent a new infection. Many ManagedWordPress Hosters, including Savvii, offer malware cleanup services.
- Restrict access to wp-config.php
Your database credentials are stored in the wp-config.php file. It is very important to keep those save by restricting access to your wp-config.php. You can do this by adding the following lines to your .htaccess file (if you are using apache):
Deny from all
Good webhosts do this by default.
- Restrict access to /wp-admin and wp-login.php
In addition to a good password you could restrict access to your /wp-admin and wp-login.php. Best way to achieve this, is by adding your own IP adress(es) to a whitelist in the firewall rules (and thus putting all other IP’s on a blacklist). Please send your webhost the IP’s you want to whitelist and ask for assistance.
- Use encryption for your website and FTP connection
Unencrypted communication between your website and your users and between you and your FTP server can be intercepted and read by attackers. By encrypting this communication, it can still be intercepted, but the content is not readable anymore for the attacker.
You can start using encryption for your website by ordering and installing an SSL certificate. To change your FTP connection to a sFTP connection you have to contact your webhost.
- Regularly check your error logs
A badly configured website is more prone to being hacked. Regularly check your error logs. If you find an error, fix it as soon as possible. At Savvii you can find the error log from within the Savvii plugin or you can download them through sFTP.
It is quite a list, but it is not very hard to stick to the advice mentioned above. You can greatly reduce the risk of a hack by following up on our point but it is never possible to be 100% secure. If you don’t have the knowledge to carry out our advice, please contact a reputable WordPress development agency and use a Managed WordPress Host like Savvii.
If you like to print this whitepaper, please download our pdf version.