If you’re a WordPress site owner, you’re a prime target for hackers.
That’s not just my opinion. There are more than a few statistics that make that clear. The popular WP security plugin, Wordfence, reports an incredible 90,000 attacks on WordPress websites every single minute. Another security platform, Sucuri, produced a report in 2018 based on an analysis of more than 18,000 hacked sites that revealed 90% of these sites were running on WordPress. And last year, close to a million WP sites were attacked in a single month by the same malicious actor.
You get the picture. Hackers have gotten a taste for going after WP sites, believing them to be easy prey. But the truth is, in a lot of cases, site owners make them an easy target. There is A LOT you can do to beef up your site security to prevent your site from being just another number added to the stats above. And in this article, we’re going to help set you on the right path.
We spoke to a whole bunch of WordPress experts and asked them the million-dollar question: How do you secure a WordPress website? Each provided one piece of advice and we ended up with a checklist of sorts to help make your site a tightly-run ship.
So dig out a notebook, grab a coffee and let’s get started.
How to Secure Your WordPress Website Quickly
As part of our research when putting together this article we also conducted a couple of polls asking 50 WordPress pros two questions. The first of these was “Name your 3 favorite quick-wins that bolster WordPress security with relatively little effort?”
We wanted to provide you with an understanding of the steps that are easy to implement, but that have a big impact on strengthening your site security. So if you’re pushed for time, these are the things that are going to give you the most protection for time invested.
In the chart below, you can see which items were mentioned most frequently.
As you can see, the top three suggestions are all very straightforward and don’t take any special preparation or skills to implement. These are:
- Keep everything updated (this includes the WP Core, your templates and plugins). You also want to keep an eye on the PHP version your site is running on and keep that up to date too.
- Install a security plugin. There are several good ones to choose from, many of which have a free version that gives you a good amount of protection without spending a dime. And even the premium versions are often very affordable.
- Use secure passwords. This isn’t rocket-science. The weaker your password, the easier it is for a hacker to gain access to your site. So do yourself a favor and make their job as hard as you possibly can by using complex, secure passwords.
So if you only have very little time to try and figure this WordPress security thing out, make these three things your top priorities. If you have a bit more time, look into the other steps outlined on the chart. This will go a long way to helping make your site more secure.
The Biggest Security Mistakes WordPress Site Owners Make
The second poll was simple. We wanted to know which WordPress security errors the pros see WP site owners making most frequently. Because if you can avoid these, it’ll go a long way to ensuring your site is not as vulnerable to attempted attacks.
And wouldn’t you know it. There are lots of similarities between the two charts. Not keeping software updated to the latest versions and using weak passwords were by far the most popular answers in this poll. And both of these mistakes are so, so easy to remedy.
If your site did fall victim to an attack, it’s extremely likely that one of these bad practices on the chart above would be to blame. Use this as a checklist of the absolute fundamentals that you need to have in place to prevent your site’s defences from being breached.
How Else Can I Secure a WordPress Site You Ask? Here’s Our Complete List of Ideas
You’re now hopefully aware of the main bases that you need to have covered. But as we mentioned earlier, there really are lots of things you can do to improve WordPress site security if you wish to. Below you’ll find an overview of all of the WordPress security tips shared in this article.
Read them, study them and implement them. Don’t become another victim of cybercrime!
- Install iThemes Security and Run the Default Security Set Up
- Update Update Update!
- Use Two-Factor Authentication
- Use a WordPress Specific Hosting Company that Handles Security for You
- Make Sure Your Organization Has Password Policies + Your Team is Trained on Digital Security
- Periodically Delete Old Users/Admins
- Rename the WordPress Login URL
- Disable Plugin and Theme File Editing in WordPress
- Never Rely on Any One Layer of Security
- Limit Login Attempts
- Select Trusted Themes and Plugins
- Install Malcare by BlogVault
- Give Users the Most Appropriate User Role
- Limit User Options Using the WP.Config File
- Hide Your WordPress Version
- Backup Your Website Regularly
- Change the Default “admin” Username
- Disable XML-RPC
- Keep Your Plugin List Lean and Light – Less is more!
- Rotate SALT Keys
- Update your website to use HTTPS
- Use SFTP Not FTP When Transferring Files to Server
- Match the Level of Security Efforts to the Profile of a Site
- Use File Change Monitoring and Keep an Audit Trail
- Use a Captcha Service on All Forms
- Upgrade PHP to the Latest Version
- Always Force Strong Passwords for All Users
- Change WordPress Database Prefix
- Install Wordfence
- Monitor Your User Activity Logs
- Secure .HTACCESS Configurations
- Check Content for Strange Links
- Ensure You are Producing Secure Code
What the Experts Said: WP Security Tips Explained
There’s no better way to learn than by listening to folks that have been there and done it. This is why our experts are always the stars of our articles and we publish exactly what they had to say about the topic.
So prepare to learn a thing or two about how to secure your WordPress website. You can read the advice that each of them had to share and start to put together an action plan for your own site.
Keryn van der Dijken
Update your website to use HTTPS
– “So, you’ve noticed Chrome has marked your site as ‘Not secure’ or Firefox isn’t giving you the ‘locked’ padlock. This means it’s time to upgrade your site from using HTTP to HTTPS.
In short, you’ll need to do the following to accomplish this task:
- Install an SSL on your server
- Update your website links to reflect the http:// to https:// change
- Fix any mixed content issues on your web pages
- Inform Google of the changes
Setting Up the SSL
With so many hosting companies and server setups out there, it would be impossible for me to write detailed instructions for all of them here.
If you are at all familiar with your hosting company’s backend, login and search for an “SSL” setting. Some companies offer a one-click SSL setup, and others with a cPanel environment offer something called “Let’s Encrypt”. This is a free SSL you can activate on your server and what I use for my clients that don’t have the aforementioned one-click setup with their host. You’ll want to set it up to secure both the www and non-www for your chosen domain.
If you are not familiar with your hosting company’s backend, the best thing to do is pop on a chat with their customer service team, and ask them to help you set this up (if they don’t offer to do it for you). Remember to always ask if they have a “Let’s Encrypt” option, otherwise they will try to sell you their paid SSL option. Do this as a last resort if they don’t offer a free one.
Updating Your Website to Use the New Protocol
Once the SSL is installed it won’t change your website to https by itself. You’ll need to manually update the links yourself. Here are some common steps to accomplish this:
1. Backup your website!
You’ll be messing with the database so you’ll want to make sure you have a backup in case anything goes wrong.
2. Deactivate any caching plugins you may have on the website
3. Go to Settings » General and update your WordPress and site URL address fields.
This may temporarily kick you out of the backend of your site. Don’t worry, just refresh the page and log in to WordPress again.
4. Install the plugin “Better Search Replace” and go to Tools » Better Search Replace. Use the following settings:
5. Once completed, you should be able to tell by a refresh of the page if the site is showing a green padlock or not. You can also use this website to help troubleshoot: https://www.whynopadlock.com/index.html
6. The search and replace plugin will get most items, but some things fall through the cracks so you should also check all pages manually. Both for the padlock and for any change in functionality. Depending on your theme, you may need to alter theme files if some URLs have been hard-coded. Using your browser’s inspection tool should help you locate where these mixed content errors are coming from:
Bonus Steps that May Solve Some Issues
Sometimes I find a site needs a couple of extra steps depending on its server setup. These aren’t common but things I’ve had to do in the past.
1. Update Permalink Settings
Navigate to Settings » Permalink and hit the save changes button to update the permalink structure code in the .htaccess file.
2. Set Up Permanent 301 Redirects
If you’re adding SSL to your existing site, then you need to set up a WordPress SSL redirect from HTTP to HTTPS. A 301 permanent redirect passes all link juice and SEO value from the old domain to the new one, thus preserving your site’s search engine ranking.
You can do this by adding the following code in your .htaccess file:
```apache
RewriteEngine On
# Only rewrite plain-HTTP requests (port 80); behind a proxy or load balancer use "RewriteCond %{HTTPS} off" instead
RewriteCond %{SERVER_PORT} 80
# R=301 makes the redirect permanent, as described above ([R] alone sends a temporary 302)
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
```
If you have any 301 redirects set up previously, you must change the URLs to HTTPS.
3. Force SSL and HTTPS
You may want to force SSL and HTTPS on your WordPress admin or login pages. In this case, you need to configure SSL in the wp-config.php file. Add this code above the “That’s all, stop editing!” line in the wp-config.php file:
```php
// Force wp-admin and wp-login.php to be served over HTTPS only
define('FORCE_SSL_ADMIN', true);
```
If you are still able to reach the HTTP pages, install a plugin called “WP Force SSL”
Inform Google of changes
To inform Google about the change in the URL, add your new HTTPS WordPress site to Google Search Console (but this time with the https://). Don’t delete the old one.
Once you’ve added the above property, submit your new domain sitemap by going to Sitemaps » Add a new Sitemap.
Then, login to Google Analytics and change the site from http:// to https:// in the settings.
Admin » Property Settings » Default URL
Google will now start to index your new HTTPS pages. If you’d like to speed up the process you can go back to GSC and type in the URL in the top bar, and then click on “Request Indexing”. This will send the request to Google right away vs. waiting for them to crawl your site and update the changes.”
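Step 6 above leaves you hunting mixed-content references by hand in the browser inspector. The following added script (not part of Keryn's advice or of any WordPress tool) scans a saved HTML page for sub-resources still loaded over plain http://, separating active from passive mixed content the way browsers do; the sample page and its www.example.com URLs are constructed for the demo.

```python
"""Find mixed-content sub-resources in an HTML page that is served over HTTPS."""
from html.parser import HTMLParser
from typing import Dict, List

# Browsers block "active" mixed content (it can run code or restyle the page) and
# merely warn about "passive" mixed content (it loads, but the padlock is lost).
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
PASSIVE_TAGS = {"img", "video", "audio", "source"}


def _is_plain_http(url: str) -> bool:
    return url.strip().lower().startswith("http://")


def _srcset_urls(value: str) -> List[str]:
    # srcset is "url [descriptor], url [descriptor], ..."; keep only the URL part
    return [c.strip().split()[0] for c in value.split(",") if c.strip()]


class MixedContentParser(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict[str, object]] = []

    def _record(self, tag: str, attr: str, url: str, kind: str) -> None:
        line, _col = self.getpos()
        self.findings.append({"line": line, "tag": tag, "attr": attr, "url": url, "kind": kind})

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "link":
            # Only stylesheet / icon links fetch a sub-resource; rel=canonical etc. do not
            rel = a.get("rel", "").lower().split()
            if ("stylesheet" in rel or "icon" in rel) and _is_plain_http(a.get("href", "")):
                self._record(tag, "href", a["href"], "active")
            return
        if tag == "form":
            # Not mixed content in the strict sense, but a plain-HTTP action sends form data in the clear
            if _is_plain_http(a.get("action", "")):
                self._record(tag, "action", a["action"], "insecure-form")
            return
        kind = "active" if tag in ACTIVE_TAGS else "passive" if tag in PASSIVE_TAGS else None
        if kind is None:
            return  # <a href="http://..."> is navigation, not a sub-resource, so it is ignored
        for attr in ("src", "poster", "data"):
            if _is_plain_http(a.get(attr, "")):
                self._record(tag, attr, a[attr], kind)
        for url in _srcset_urls(a.get("srcset", "")):
            if _is_plain_http(url):
                self._record(tag, "srcset", url, kind)


def find_mixed_content(html: str) -> List[Dict[str, object]]:
    """Return one finding per http:// sub-resource, in document order."""
    parser = MixedContentParser()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page (not from any real site) mixing good and bad references.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://www.example.com/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://www.example.com/">
<script src="https://www.example.com/wp-includes/js/jquery.js"></script>
</head><body>
<img src="http://www.example.com/wp-content/uploads/logo.png"
     srcset="http://www.example.com/logo@2x.png 2x, https://www.example.com/logo@3x.png 3x">
<a href="http://www.example.com/about/">About</a>
<iframe src="//www.example.com/embed"></iframe>
<form action="http://www.example.com/wp-comments-post.php"><input name="comment"></form>
</body></html>"""

if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE_HTML):
        print(f"line {f['line']:>3}  {f['kind']:<13} <{f['tag']} {f['attr']}> {f['url']}")
```

Run it against the HTML you save from the browser (or from curl) for each template of the site; hard-coded http:// URLs it reports inside theme markup are the ones the search-and-replace plugin cannot reach.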
Clark Alford
Change the Default “admin” Username
– “When WordPress began, the first username created was by default set as “admin”. When version 3.0 came out WordPress allowed the ability to set the administrator role to a username other than “admin”. However, by default “admin” was still the suggested username which many users continued to use.
If you use the default “admin” username then you are making it easier for a brute-force login attack, since now the hacker will only have to guess the password and not the username. Also, as a security precaution against brute force attacks I recommend long passwords; preferably 16 digits minimum. Old habits die hard, so if you find yourself using a WordPress install with an “admin” username you need to change it right away.
For Those That are More Tech-Savvy
Changing the “admin” username directly in the WordPress database is the simplest way to make the change. However, it is the method that may cause the most damage. Only make direct changes to your WordPress database if you feel comfortable doing so! I recommend using HeidiSQL. It is a free and open source database administration tool for MySQL and MariaDB. I recommend using HeidiSQL over the popular phpMyAdmin due to security concerns. phpMyAdmin is a public-facing web application and is only accessible using a web browser. Many developers, myself included, view it as an unnecessary potential security vulnerability. HeidiSQL on the other hand connects to MySQL or MariaDB databases via SSH tunnel; so all communications back and forth are encrypted.
Once you log in to your server via HeidiSQL, click on the name of the WordPress database you wish to open. Next, scroll down until you get to the table wp_users and click on it. Then click on the Data tab. Find the username “admin” and click on it. A text editor will open; then proceed to change your username (preferably 16 digits minimum). Click on the green arrow to save your changes. Voilà! That’s it. You’re done; all finished. Log out, then log back in using your new username. FYI, users on a Mac OS may wish to try Sequel Pro which, like HeidiSQL, is also free and open source.
The Easier Way
If you don’t feel comfortable using the database to change your username, you can still make the necessary changes using the WordPress Backend. First log in to WordPress as an administrator. Go to Users then click “Add New”. Make your new username at least 16 digits minimum. If you have trouble coming up with a long username or password, try using an online Secure Password Generator. Next enter a different email address and password, make sure Role is Administrator, then click “Add New User”. Now log out, then log back in with the new username and password that you just made.
Now that you are logged back in, go to Users find the “admin” username and click to delete that user. You will see another screen asking if you want to attribute content owned by “admin” to the new username you just made. Make sure you do this and Confirm Deletion. That’s it. You’re done. If you want you can change the email address of your new username back to your old email address from your “admin” username.
P.S.
To change a username in WordPress it should be simple and expedient. However, this is not the case as WordPress will not allow this by default. If you are not a ‘do it yourself’ type of person there are a few WordPress plugins that may assist you in changing your username. Easy Username Updater by Yogesh C. Pant and Username Changer by Widgit Team are two such excellent plugins that will allow you to change your WordPress username to something more secure.”
Jim Callender
Use SFTP Not FTP When Transferring Files to Server
– “When connecting to your server you should use SFTP encryption if your web host provides it. If you are unsure if your web host provides SFTP or not, just ask them.
Using SFTP is the same as FTP, except your password and other data is encrypted as it is transmitted between your computer and your website. This means your password is never sent in the clear and cannot be intercepted by an attacker.”
Ian Pegg
Upgrade PHP to the Latest Version
– “Since version 5.2 of WordPress was released, attentive site owners will have spotted a new tool was added to their website dashboard. Site Health Status (under ‘Tools’ –> ‘Site Health’) does what it says on the tin: it runs a suite of tests to establish a baseline for your website health. One of the tests this script performs is to check which version of PHP your site is currently running on.
Personally, I’m not a betting man. But if I were, I’d bet you a shiny English pound that if you run the Site Health test on your website right now it will have something to say about your active version of PHP.
According to WordPress’ official stats, 35% of all WordPress installs are still using an outdated version of PHP. Since that implies that the majority of WP sites are using a supported version, you might not think it’s such a big deal. But, when you consider that WP now powers 38% of the entire world wide web, and that there are now more than 1.8bn websites in the world today it becomes clear that those 35% still represent a huge number of vulnerable websites!
In addition to this, don’t forget that PHP 7.2 will officially reach end of life at the end of November 2020! This will add another 22.6% of WordPress installs to the number of sites running on unsupported versions, bringing us back up to almost 60% again!
In fact, unless you are currently running your site on PHP 7.4, Site Health will complain to some extent. Pro tip: if it doesn’t complain this means that you are, at the date of publication, running 7.4 – congratulations, you’re ahead of the game! If you want to check to be sure, you can click on the ‘Passed Tests’ button to uncover all tests that were run and then search for “Your site is running the current version of PHP”.
But why should I upgrade to the latest version of PHP?
After all, WordPress still officially (but somewhat quietly) supports PHP 5.6. Additionally, any decent host (and you must choose a decent host if you care about your website security) will offer patched versions of all the major PHP releases via HardenedPHP. This means these hosts can safely offer versions of PHP dating all the way back to version 5.2 or beyond. What a time to be alive!
So why bother? After all, even if you are running cPanel on your server you do still need a degree of technical ability and some brass to switch PHP versions. Things can and do go wrong.
Presumably, security is your main concern since you’re reading this article. Personally, I prefer not to rely upon third parties to continue to patch the security of 14-year-old software running on my publicly accessible server. Instead, I sleep easy at night knowing that I’m running officially supported software on all my sites.
But if security is not enough to convince you – here’s an additional bonus: performance!
Over recent years, website speed has come to be accepted as an important part of the user experience, as well as an increasingly larger part of the search engine optimisation puzzle. With Google recently announcing that Web Core Vitals are set to be rolled into their algorithm next year, you’d better believe that getting on top of your website performance is more important now than ever before! There are other good reasons too, but if I haven’t convinced you already, then you are one stubborn ox!
So, if you’re not running an officially supported version of PHP you have to upgrade. The only question is how?
First, you need to make sure all of your plugins and your theme supports the latest version of PHP. On occasion, I’ve had issues with the White Screen of Death making an unwelcome appearance after making a test switch to 7.4. This was likely caused by a plugin that was yet to be fully tested with the latest PHP release.
This post by Speckyboy runs you through the process of preparing your site for a PHP upgrade and then going ahead and executing on your plan. It does make reference to using the PHP Compatibility Checker plugin which is now, ironically enough, out of date! I’ve yet to find a suitable alternative plugin so your best bet is to test in a staging or development environment as Speckyboy recommends.
Alternatively, the easiest way is to hire a developer to make the switch for you. Or, you could turn on the charm and raise a tech support ticket with your hosting company and see if they will do it. The only likely caveat is that if they encounter a problem they almost certainly aren’t going to be re-coding your site to fix it for you! In this case, you will need a developer to help you.
Whichever approach you use, make sure you enable the required extensions before you make the switch. Each version of PHP that’s installed on your server can have its own extension settings. So, when switching to a new version you will need to check to make sure you are loading everything WP needs in order to run. Provided your site is still working after you switch versions, you should run Site Health again as it will tell you if it detects any missing PHP extensions.”
Jay Buys
Make Sure Your Organization Has Password Policies + Your Team is Trained on Digital Security
– “Website attacks generally come in two flavors; indirect and direct. You can think of indirect attacks as a robber walking down the street and trying every front door until they find one left unlocked. They’re not trying to hurt you specifically. They’re just looking for easy targets. Most of these attacks are easily mitigated by security plugins, firewalls, and some customizations that others have covered in this article.
I’d like to talk about direct attacks; the people that, for whatever reason, are out to get your organization directly, and an overlooked way that they do it, called social engineering. Here’s what it looks like in a large organization.
A hacker goes onto your website and finds your IT Director (let’s call her Sarah) and a junior staff member on your marketing team (let’s call him Joe). The hacker then calls your office and asks to speak with Joe.
Hacker: Hey, Joe. My name is Jay. I’m a consultant working on Sarah’s team to conduct a security audit. You can never be too safe these days, ya know? We’re having an issue with some of the website passwords. Could you verify your password for me so I can check it with our security database?
Joe: Umm… sure, yeah. It’s IHeartKittens2020
Hacker: Got it. Okay, yep, that matches up. Phew, thanks so much for helping us. We really do appreciate it.
Joe: No problem. Happy to help!
It’s often just that simple. Don’t believe me? Watch this clip of people just giving out their passwords on camera. So let’s talk about what to do about it.
Make sure your organization has security policies in place and that your team knows what they are. Here are a few good ones to start. (Note: these will help protect your website, but it will also train your team on how to protect their bank accounts, social media, etc.)
– Never give your password out. To anyone. Ever – If IT really needs to get into your account, they can reset your password. Your password is yours alone.
– Don’t re-use passwords – If your fantasy football account gets hacked and you use that same info for your WordPress login (or your bank), you’re in trouble. You can use the GhostProject tool to search your email address and see if any of your passwords have been compromised.
– Change your passwords on a schedule – The longer you have the same password, the less secure it is. Have a policy to change these on a regular basis.
– Use strong passwords – If your password is “password” (currently the 4th most popular password in use), you’re going to get hacked.
– But not too strong – Isn’t “fajf235!^FA3912##@%Nvmw;498x” a better password than “password”? On the one hand, absolutely. On the other hand, you’ve just guaranteed that Joe in Marketing will write it on a Post-it note and stick it to his monitor. Consider passphrases (i.e., “My favorite thing to eat is giant burritos”), which are long and unique while still easy to remember. You can also consider a password manager like LastPass or Dashlane, which can help manage complex passwords and add extra protection through two-factor authentication and/or fingerprint scans.
These are just a few suggestions. The key takeaway here is to make sure that you have security policies like this in place within your organization and that, more importantly, everyone knows what they are and follows them.”
Tom Greenwood
“There is no single magic bullet for great security on the web, and it needs a holistic approach, so I think that every tip suggested here is going to be a good one.
My specific tip is therefore complementary to other tips, and I am certainly not suggesting that it is the only thing that will help WordPress security. So what is it?”
Install Malcare by BlogVault
– “Malcare is a product from the creators of the excellent WordPress backup plugin, BlogVault.
As security plugins go, it is second to none. Here is why it is so great:
1. Reliability
There are lots of systems that claim to do security scanning of WordPress sites, from stand-alone solutions such as Sucuri to the scanning provided by web hosts. I have been surprised how these systems can miss things. We have had several occasions when people approached us to help fix an old website that they suspected had been breached, or during our own checks before taking on someone’s site, and the web hosts and Sucuri could not detect the malicious code (or at least not all of it). We found that Malcare could reliably detect malicious code that other services could not. For me, trust is the single most important factor in a security system, and Malcare is the only system that I really trust.
2. Performance
Some security plugins can slow websites down and cause performance issues while running security checks. Malcare does everything off-site so that it doesn’t put extra load on your web server and doesn’t slow down your website.
3. Solutions
Finding issues is one thing. Fixing them is another. In addition to reliably finding malicious code, Malcare can actually remove it without damaging WordPress files, so that it doesn’t break your website.
4. Extra features
In addition to the above features, it also contains an excellent Firewall feature, and features to help harden your WordPress installation.
I would always suggest approaching good security from the beginning of a web project and not as an afterthought, but no matter how good your approach to WordPress security, Malcare is a great addition to the mix.”
Kate Gilbert
Keep Your Plugin List Lean and Light – Less is more!
– “Pop quiz: How many WordPress plugins do you have on your WordPress website? Go look.
Got more than 4 plugins? More than 10? Did you know that hackers love plugins, and that the nature of the open source community means that there are hundreds of poorly managed plugins out there that could literally invite hackers to your doorstep?
According to Google’s Safe Browsing tool, phishing is on the up-trend, taking an unprecedented spike when the world shut down for the COVID pandemic in March 2020.
Google, in the data analysis, blames WordPress, citing stats that point a very clear finger at out-of-date and infected WP plugins:
“75% of [infected websites] were on the WordPress platform and over 50% of those websites were out of date. Many infected websites are attacked through old security vulnerabilities in just three WordPress plugins that have not been updated.”
By keeping your plugin list lean and light, and using only the most impactful and secure plugins to enhance your site, you can stay safe from hacks that will inject unwelcome content onto your site – or worse, crash it altogether.
So go review your plugin list again, and delete or uninstall any that you’re not actively using right now.
And if you have any of these known insecure plugins, delete those too, as they’ve recently been identified as unsafe for site security: Duplicator – WordPress Migration Plugin, Profile Builder Plugin by Cosmoslabs, Flexible Checkout Fields For WooCommerce, Async JavaScript, Modern Events Calendar Lite, and any plugin flagged as not tested with your version of WordPress.”
Antti Koskenrouta
Give Users the Most Appropriate User Role
– “If your WordPress website has multiple users, it is good practice to look at each user and give them the most appropriate user role. In other words, don’t make all users administrators by default.
The principle of least privilege suggests that you should give a user the minimum amount of power or, in WordPress world, the least number of capabilities to perform a task.
This approach increases security on two levels; Firstly, when a user doesn’t have certain powers, they cannot inadvertently cause big problems. Deactivating plugins or themes come to mind as the most critical ones. Because “With great power comes great responsibility” only works if the person understands the potential ramifications of their actions. Secondly, should a user account be breached, the malicious actor can do the least amount of damage.
Default WordPress user roles are a good starting point for setting levels of access for your users. If you need more control or granularity over your users’ capabilities, consider writing custom code or using a user roles plugin to adjust individual users or roles’ capabilities.
Sometimes when a person leaves the organization, you might want to keep their user account to accurately attribute a blog post, for example. In that case, make sure the account is no longer tied to an email address they have access to and then bump their account to a subscriber or a custom role with even fewer capabilities. This way you can retain the account for post ownership and historical purposes while minimizing the security risk. Lastly, change their password – and remember to use a complex one!”
Mike Sayenko
Rename the WordPress Login URL
– “Moving your WP login page to a unique URL helps fight hackers and brute force attacks. Unfortunately, this does happen often with the popularity of WordPress and this is a great easy step to making your site more secure.
How to Achieve This:
- Login to your WordPress site > Go to Plugins › Add New.
- Search for WPS Hide Login.
- Download and activate it.
- The page will redirect you to the settings. Change your login URL there.
- You can change this option any time you want, just go back to Settings › WPS Hide Login.”
Andrew Briggs
Disable XML-RPC
– “Most WordPress website owners will have never heard of XML-RPC and most web developers have never used it.
Without going into all the unnecessary technical detail, XML-RPC is a packaged solution in WordPress to allow remote updates to your website by software other than through your normal logged-in WordPress dashboard.
XML-RPC makes it possible for remote Web Applications and Mobile Apps to connect to your website and perform updates without you being directly logged in. The software does need to authenticate through XML-RPC, but without any login limits imposed on XML-RPC your website can be susceptible to brute force attacks where hackers just keep trying until they get in.
Remote access to update your website can be very useful, but for the vast majority of websites this type of update access is just not necessary.
So, if you have the need to run software or apps to update your website remotely, by all means go ahead and use XML-RPC. That’s what it’s there for.
For everyone else and his dog – Shut it down!
Disabling XML-RPC is fairly easy and there are a few ways to do it:
1. Install a plugin.
Simply install one of the many plugins found in the WordPress plugin repository:
https://wordpress.org/plugins/search/disable+xmlrpc/
2. Update .htaccess file.
For those comfortable with updating the .htaccess file and do not want yet another plugin on your website. Simply add the following code to your .htaccess file found in the root directory of your website (after you have taken a backup copy):
```apache
# BEGIN Disable XMLRPC.PHP (the <Files> wrapper limits the block to xmlrpc.php; without it "Deny from all" would block the whole site)
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
# END Disable XMLRPC.PHP
```
It is possible to deny all access and also add an IP address where access is allowed but let’s not complicate things. Just disable it! Google is your friend if you really want to dive into the technical nitty-gritty.
3. Delete xmlrpc.php
Okay, so I don’t really recommend deleting core files from your WordPress installation, but you have to agree it’s an effective solution. You can’t run software if the files are not there!
Once you’ve implemented your preferred method of disabling XML-RPC just visit the following URL:
https://YOURWEBSITE.COM/xmlrpc.php
If you have successfully disabled XML-RPC you will get some access error such as:
“403 Forbidden”
If XML-RPC is still accessible you will get the message:
“XML-RPC server accepts POST requests only.” and you will need to try disabling it again.”
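A fourth way to reach the same result, as an added example that is not from the article: a must-use plugin that refuses XML-RPC at the PHP level, for hosts where .htaccess is not honoured (nginx) or where you would rather not delete core files. The file name and the log line are my choices.

```php
<?php
/**
 * Plugin Name: Block XML-RPC (added example; not from the original article)
 *
 * Save as wp-content/mu-plugins/block-xmlrpc.php (create the directory if
 * needed). Must-use plugins load on every request and cannot be switched off
 * from the dashboard. Unlike the .htaccess method it also works on nginx,
 * and unlike deleting xmlrpc.php it survives core updates, which restore
 * that file.
 */

// Log blocked attempts so the scan volume is visible in the PHP error log.
// Priority 5 so this runs before the 403 handler below; remove it if the
// log gets noisy on a heavily scanned site.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        error_log( 'Blocked XML-RPC request from ' . ( $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
    }
}, 5 );

// Answer every XML-RPC request with 403 before the XML body is parsed.
// XMLRPC_REQUEST is defined at the top of xmlrpc.php, before WordPress loads,
// so it is already set when 'init' fires. This is stricter than the
// 'xmlrpc_enabled' filter, which only turns off methods that need a login
// and leaves pingback.ping and system.multicall reachable.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        nocache_headers();
        exit( '403 Forbidden: XML-RPC is disabled on this site.' );
    }
} );

// Stop advertising the endpoint. WordPress sends an X-Pingback header on
// singular pages and an RSD <link> in <head>, both pointing at /xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

The check described above applies unchanged: a GET to /xmlrpc.php now returns 403 Forbidden. Note that the .htaccess snippet uses Apache 2.2 access syntax; on Apache 2.4 the equivalent inside the same `<Files xmlrpc.php>` block is `Require all denied`.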
Rich Mehta
Install iThemes Security and Run the Default Security Set Up
– “There’s so much I could write about securing WordPress. By default, the platform’s come a long way but when you add in Themes and plugins to the mix from various sources, how secure your WordPress website is becomes a little more suspect. Add to that the possibility of your server not quite being airtight, and there’s the potential of a security issue down the road.
We’ve found you can adequately secure most WordPress websites with some of the well-known tools on the market against most attacks. Our choice (and one we license for free for all our WordPress support service clients) is iTheme’s Security. Just installing it and running the Security Check is great, but it’s well worth the yearly license to get further coverage.”
Michelle Phillips
Rotate SALT Keys
– “One of the easiest ways for hackers to access a website is through brute force attacks if the user has set up a weak password.
WordPress keeps your login data in cookies so that you can remain logged into your site as long as you want.
But these cookies can be compromised if a hacker gets hold of them. This is where SALT keys can help with your WordPress security.
SALT keys protect your WordPress login against unauthorized access attempts by “hashing” or encrypting these credentials so a hacker can’t easily read your password in plain text.
Where are SALT Keys Stored?
The SALT keys are stored in the WordPress configuration file, wp-config.php.
They look something like this:
If your site is very old, you may have a less secure version of the SALT keys. Or perhaps you have no SALT keys at all. Both of these situations make your site more vulnerable to hacking attempts.
If you DO have SALT keys, they should be rotated on a regular basis. Doing so will force all logged in users out of the site and require them to log back in.
This means that if someone has unauthorized access to your site, they will be locked out when the SALT keys are rotated.
If you DON’T have SALT keys, then it’s time to generate them and add them to wp-config.php.
How to Rotate SALT Keys
1. Log out of your site
2. Log in to your server root directory via FTP or cPanel
3. Locate wp-config.php in the root folder of your website:
4. Make a backup of the wp-config.php file:
- Click once on wp-config.php
- From the File Manager click “COPY”
- Enter the file path for the copied file.
- Click the Copy File(s) button.
5. Next generate a new set of SALT keys using the latest version of the SALT key generator:
https://api.wordpress.org/secret-key/1.1/salt/
Go directly to that link instead of clicking on the generator link in your wp-config.php to ensure you are using the most up-to-date secure version of SALT keys.
6. Once you click on that link, copy the entire contents ~ that is, all 8 keys. The generated values will be unique to you and look something like this:
7. Edit the wp-config.php file and locate the existing SALT keys. They will have a comment at the beginning that says “* Authentication Unique Keys and Salts.”
8. The existing keys will be below this comment. Highlight the existing keys and paste the new set of keys to replace them.
9. Click SAVE CHANGES and close the file.
That’s it! At this point, any logged in user will be logged out and forced to log back in.
Next, log into your WordPress site. If you didn’t have any syntax errors in wp-config.php, you’ll be able to log in.
If you can’t log into your site or experience the “white screen of death,” simply access your website via FTP or cPanel and replace the wp-config.php file with your backup.
Then go through the process again making sure you follow the above steps exactly.
NOTE: Please do NOT copy text from a Word document into a PHP file. You will likely create an error that will make your site inaccessible. Remember to just copy the keys from the SALT key generator link and paste over your existing keys.
What if Your Site has No SALT Keys?
If your site has no salt keys, you can still use the SALT key generator link at: https://api.wordpress.org/secret-key/1.1/salt/
But you’ll need to be careful to copy the keys into the correct area of your wp-config.php file.
- Log into the root directory of your website via FTP or cPanel
- Make a copy of your wp-config.php file as shown above
- Open wp-config.php
- Look for *WordPress Database Table Prefix. Copy and paste the keys just above it.
That’s it! Now log into your WordPress site to make sure everything works properly. If you cannot access your site, you have an error in your wp-config.php file. Restore the original file and attempt these instructions again.”
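The manual rotation above (and the "no SALT keys" case) done as a command-line script, as an added example that is not the article's or WordPress's own tool. The file name rotate-salts.php, the function names and the choice to generate the keys locally with PHP's CSPRNG instead of copying them from api.wordpress.org are my assumptions; WordPress only needs each value to be a long random string, so the two are equivalent.

```php
<?php
/**
 * rotate-salts.php: regenerate the eight keys and salts in wp-config.php.
 * Added example, not from the original article.
 *
 * Usage: php rotate-salts.php /path/to/wp-config.php
 * A backup copy is written first, matching the article's backup step.
 */

const WP_SALT_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

/**
 * 64 random printable characters. Single quote and backslash are excluded
 * so the value is always safe inside a single-quoted PHP string literal.
 */
function generate_salt( int $length = 64 ): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!@#$%^&*()-_=+[]{};:,.<>?~|';
    $max  = strlen( $alphabet ) - 1;
    $salt = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $salt .= $alphabet[ random_int( 0, $max ) ];
    }
    return $salt;
}

/**
 * Return the config source with every salt define replaced by a fresh one.
 * Defines that are missing (the "no SALT keys at all" case) are inserted
 * just above the $table_prefix line, where the article puts them.
 */
function rotate_salts_in_config( string $config ): string {
    $missing = [];
    foreach ( WP_SALT_NAMES as $name ) {
        $pattern = '/define\s*\(\s*[\'"]' . $name . '[\'"]\s*,\s*[\'"][^\'"]*[\'"]\s*\)\s*;/';
        $line    = "define( '{$name}', '" . generate_salt() . "' );";
        $count   = 0;
        // Callback form: a salt may contain '$', which plain preg_replace
        // would try to read as a backreference in the replacement string.
        $config = preg_replace_callback(
            $pattern, function () use ( $line ) { return $line; }, $config, 1, $count
        );
        if ( $count === 0 ) {
            $missing[] = $line;
        }
    }
    if ( $missing ) {
        $block  = implode( "\n", $missing ) . "\n";
        $count  = 0;
        $config = preg_replace_callback(
            '/^[ \t]*\$table_prefix\s*=/m',
            function ( array $m ) use ( $block ) { return $block . $m[0]; },
            $config, 1, $count
        );
        if ( $count === 0 ) {
            throw new RuntimeException( 'No $table_prefix line found; cannot place the missing keys.' );
        }
    }
    return $config;
}

$path = $argv[1] ?? 'wp-config.php';
$orig = file_get_contents( $path );
if ( $orig === false ) {
    fwrite( STDERR, "Cannot read {$path}\n" );
    exit( 1 );
}

// Backup first. It holds your database credentials, so delete it once the
// site is confirmed working: a stray .bak in the webroot may be served as text.
$backup = $path . '.bak-' . date( 'YmdHis' );
if ( ! copy( $path, $backup ) ) {
    fwrite( STDERR, "Cannot write backup {$backup}\n" );
    exit( 1 );
}

if ( file_put_contents( $path, rotate_salts_in_config( $orig ), LOCK_EX ) === false ) {
    fwrite( STDERR, "Cannot write {$path}; restore from {$backup}\n" );
    exit( 1 );
}

// The "white screen of death" the article warns about is a syntax error in
// wp-config.php, so lint the result and roll back automatically if it fails.
exec( escapeshellarg( PHP_BINARY ) . ' -l ' . escapeshellarg( $path ), $out, $rc );
if ( $rc !== 0 ) {
    copy( $backup, $path );
    fwrite( STDERR, "Syntax check failed; original wp-config.php restored.\n" );
    exit( 1 );
}
echo "Rotated 8 keys; every logged-in session is now invalid. Backup: {$backup}\n";
```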
Rob Marlbrough
Never Rely on Any One Layer of Security
– “My tip, among the many great answers about having backups and HTTPS, is to never rely on any one layer of security, always use multiple layers! One firewall or that one plugin is not enough to fight all the ways automated bots can drill into your site.
Security at each layer is vital, because each layer has its own types of attacks, such as: Network > Server > Application > Attack-specific Blocking > Strong Passwords > 2FA
This may overlap many of the other tips, but here’s more detail on each layer and how you can secure each of them:
Network Layer:
Cloudflare or another Web Application Firewall is a great network security layer, blocking all the bot attacks right up front. Cloudflare has a nice Bot attack setting, and it’s free. It’s also a caching CDN, with optional Full HTML caching that can speed up your site quite a bit, even if you’re on a slow shared host, as it doesn’t even hit the web host server for read-only requests.
Server Layer:
Server firewalls and Fail2Ban are great server layer security, responding to attacks that have made it through the network layer. If you use a trusted web host they probably have this covered. Or you could try spinning up your own Plesk-based Virtual Private Server (VPS) on Vultr.com, they give you Plesk free for 30 days to try out, and free forever for up to 3 domains. Plesk is a great self-hosted control panel with Fail2Ban and integrated firewall, handles all your server updates, and comes with the superb WordPress toolkit for managing all your sites, built in partnership with Automattic.
Application Layer Security and Blocking Specific Attacks:
WordFence is a great application firewall, and blocks a ton of WordPress-specific attacks via its custom attack signatures… so it’s not just a scanning tool, but it’s also the best scanning tool I’ve found, and it’s free. Oh and keep all your plugins updated, it’s the #1 way a site will get hacked.
Strong Passwords:
All administrators (ideally all users) should use random and minimum 25 character passwords, no exception. How do you remember and type them? You don’t. You should use a password manager like LastPass.com or other favorite. They securely store, auto-fill, and generate super-strong passwords.
2FA:
Two-factor Authentication (2FA) means that even if someone somehow gets your password, they would still need a time-based code from your 2FA app, email, or Text/SMS to access things. It’s worth it to be bulletproof on the Internet. Just do it.
BONUS: IP-Based Access
Lock down your login areas to be accessible only from certain IPs. Sure IPs can change, and you need to keep them updated over time, but it might be worth the trouble for your site.
Assuming you have a good host that helps on the network and server layers, and perhaps you add Cloudflare as well, then activate Wordfence and configure it properly, and use strong passwords – I think your site will be just fine, and you can sleep peacefully at night, laughing as the bots drill away.”
Rob Dobson
Use a Captcha Service on All Forms
– “There are lots of important security recommendations here already. One more step I’d recommend is using a good captcha service on all website forms. There’s a number of reasons why this is a good idea and they are generally to do with spam or fake users abusing your site. A good captcha service can stop brute force attacks on login forms, and protect you against fake registrations. On comment forms they can stop you having to manage a daily influx of spam comments.
For an ecommerce site they are an added layer of security that can stop you getting fake orders that while obvious can certainly waste your time. And while the risk of a hack from a form is limited, abuse of forms can be equally annoying, overwhelming your inbox and bringing some irate messages from your hosting provider. All in all, they can save you a lot of hassles if implemented early.
One of the simplest captchas is Google’s reCaptcha service. You can find it here –
https://www.google.com/recaptcha/admin/create
The reason I like this one is that as well as the standard “I’m not a robot” option, version 3 is invisible and based on a scoring system, so it doesn’t affect conversions.
So get checking those website forms! And get a captcha service on each of them as soon as possible.”
Derek Rippe
Update Update Update!
– “Arguably the single most important thing you can do for keeping your website secure is to keep the WordPress core, your theme and plugins up-to-date. Check for and perform those updates at least once a week, and enable auto-updates to whatever capacity you can. The WordPress core can automatically update itself for minor version releases, and some plugins (like Jetpack) can automatically update your plugins for you.
Also, make sure you’re running regular backups so that, in the off chance something goes awry because of an update, you can quickly and easily roll your site back to a pre-update version.”
David Lockie
Ensure You are Producing Secure Code
– “When you’re building a WordPress site, the last thing on your mind might be that you’d be partially responsible for a massive breach of highly embarrassing and controversial data but that’s exactly what’s at stake as illustrated by the Panama Papers.
Whilst the other experts in this post have talked a lot about the importance of maintenance, secure hosting and the like, all of which are critical, I’d like to make a more opinionated statement – that you need to be very confident that you (or your team) are producing secure code.
This means following WordPress coding standards, using peer code review, going through thorough testing processes, investing in training around cybersecurity and considering data risks and mitigations as part of every project.
If you or your team are not doing these things yourselves, you might consider relying on trustworthy 3rd party developers in the form of off-the-shelf themes and plugins and then hosting them securely and keeping them up to date. Remember that every line of code you write is also technical debt and a potential security vulnerability.
In these days of rampant cyber-criminality and ever tighter legislation around the protection of personal data, our clients rely on us understanding and taking seriously all our responsibilities as WordPress experts. Infosec is an important one.”
Richard Carter
Disable Plugin and Theme File Editing in WordPress
– “The administration panel gives you the ability to edit your plugins and theme files directly – this can be a handy feature, but it also poses a WordPress security risk if hackers gain entry to your website via a user account. So – this feature is best disabled, and it’s really easy to do that!
You can disable file editing in WordPress via the wp-config.php file:
Simply add the following line to your file (or replace the value if it already exists).
define( 'DISALLOW_FILE_EDIT', true );
Alternatively, you can add a plugin to do this for you, but this is overkill for a simple file edit!”
Kody Thompson
Always Force Strong Passwords for All Users
– “You can use all the security tools you want to keep your WordPress website safe, but if you don’t force your users to use strong passwords, you’ll still be an easy target for hackers because of three simple reasons:
Reason #1: People Love Simple Passwords
For most people, the convenience of using a password like “password1234” far outweighs the fear of getting hacked. After all, who has the time (and patience) to remember a password like “HNdi*&[email protected]/”, right?
So, unless you force them to create a strong password, there’s a big chance they’ll go with something easy to remember — which is probably the same one they use for all their other accounts.
And this brings us to reason number 2…
Reason #2: Hackers Love Simple Passwords Too
Of course, the simpler the password, the easier it is for hackers to crack. They don’t even have to do it manually. They can just use a bot to do it for them, cracking thousands of accounts in one go.
Just imagine how bad you would look if a large percentage of your users get hacked one day. No one would want to do business with you again.
It wouldn’t even matter if it was because your users had weak passwords. Everyone would immediately pin the blame on you because people expect you to keep your users’ data safe as the owner of the site.
Reason #3: People Don’t Know What Strong Passwords Look Like
As a general rule, a strong password…
- Has no sequential characters or numbers
- Is at least eight characters long (the longer the better)
- Is a mix of uppercase and lowercase letters
- Has numbers and special characters
- Is not an actual word”
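The rules in that list turned into a check WordPress runs wherever a user chooses a password, as an added example that is not code from the article. The ssw_ function names and the tiny word denylist are my assumptions; the hook names and the pass1 field are WordPress's own.

```php
<?php
/**
 * Enforce the strong-password rules listed above for every WordPress user.
 * Added example, not from the original article. Save it in
 * wp-content/mu-plugins/ or append it to a child theme's functions.php.
 */

/**
 * Return the rules $password breaks; an empty array means it passes.
 * Kept free of WordPress calls so it can be unit-tested on its own.
 */
function ssw_password_problems( string $password ): array {
    $problems = [];
    if ( strlen( $password ) < 8 ) {
        $problems[] = 'must be at least eight characters long';
    }
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
        $problems[] = 'must mix uppercase and lowercase letters';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $problems[] = 'must contain a number';
    }
    if ( ! preg_match( '/[^a-zA-Z0-9]/', $password ) ) {
        $problems[] = 'must contain a special character';
    }
    if ( ssw_has_sequential_run( $password ) ) {
        $problems[] = 'must not contain sequences such as "abc" or "123"';
    }
    // "Is not an actual word": a tiny constructed denylist stands in for a
    // real dictionary here; swap in a proper wordlist for production use.
    $common = [ 'password', 'password1234', 'qwerty', 'letmein', 'welcome' ];
    if ( in_array( strtolower( $password ), $common, true ) ) {
        $problems[] = 'must not be a dictionary word';
    }
    return $problems;
}

/** True if $run or more adjacent characters step by exactly +1 or -1 (abc, 321, ABC). */
function ssw_has_sequential_run( string $s, int $run = 3 ): bool {
    $len = strlen( $s );
    for ( $i = 0; $i + $run <= $len; $i++ ) {
        $up = $down = true;
        for ( $j = 1; $j < $run; $j++ ) {
            $step = ord( $s[ $i + $j ] ) - ord( $s[ $i + $j - 1 ] );
            if ( $step !== 1 )  { $up = false; }
            if ( $step !== -1 ) { $down = false; }
        }
        if ( $up || $down ) {
            return true;
        }
    }
    return false;
}

/**
 * Hook the check into every screen where a password is chosen. All three
 * forms post the new password as 'pass1'; an empty value means the user
 * saved their profile without changing it, which is allowed.
 */
function ssw_validate_password( WP_Error $errors ): void {
    $password = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    if ( $password === '' ) {
        return;
    }
    foreach ( ssw_password_problems( $password ) as $problem ) {
        $errors->add( 'weak_password', sprintf( '<strong>Error:</strong> The password %s.', esc_html( $problem ) ) );
    }
}
add_action( 'user_profile_update_errors', 'ssw_validate_password' ); // profile and "Add New User"
add_action( 'validate_password_reset', 'ssw_validate_password' );    // password reset screen
add_filter( 'registration_errors', function ( WP_Error $errors ) {   // registration forms that post a password
    ssw_validate_password( $errors );
    return $errors;
} );
```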
Michiel Tramper
Match the Level of Security Efforts to the Profile of a Site
– “Security is a vast topic about which you could write tons of tips, even whole books (and books are written about it). It ranges from network and server security to writing safe PHP and JavaScript code (which are, as you may know, the languages WordPress is built with).
It’s good to be aware of the various kinds of attacks, which require different strategies to mitigate them. The three most common attacks are:
- Injection, where an attacker tries to alter or modify the records of a database. This attack is often executed by using insecure forms or modifying requests.
- Authentication attacks, where passwords are brute-forced or compromised.
- The exposure of sensitive data. For example, the WordPress REST API used to expose user names, which is useful information for an attacker.
And this is just a selection of the vast array of attacks a hacker can choose from.
Therefore, it’s good to take a step back first and think about the possible ramifications of a hack for all the sites you are managing. Some sites may be high-profile. Consequences would be disastrous in the event of a security breach. Other sites are less prone to attacks and a security breach would have little impact.
The majority of security attacks can be averted with not too much effort, using the tips from the experts in this article.
So, for sites that need a reasonable security level, opt for these quick wins:
- Install a security plugin
- Enforce strong passwords and 2FA
- Choose a secure host that supports backups
- Only use trusted plugins and themes (and update them!)
For high-profile sites, consider a security audit from a (WordPress) security expert. Usually, you want to at least consider the following things in such an audit:
- The security at hosting-level. (For example, is software patched, what server and application-level firewalls are there, how are accounts isolated, etc, etc).
- The security at application-level. (For example, are inputs and requests properly sanitized and escaped, what data is exposed, who has access and at what level, etc, etc).
- The security policies in place (what is the security at the human or behavioural level, an important and often forgotten topic).
So, go for the quick security wins in general, and give dedicated attention to sensitive, high-profile sites.
And as a bonus tip to round off my contribution…If you’re managing multiple WordPress websites, WordFence Central is a great tool to ensure security policies and settings are up to date and consistent for each site.”
Joe Stone
Limit Login Attempts
– “A simple but very effective way to improve security on your WordPress website is to limit login attempts. Brute force attacks (using bots) on WordPress websites happen all the time, so not limiting the number of attempts a user can make to guess their credentials opens the door for this type of attack.
There are different solutions to adding this functionality on your website; by using a plugin or using custom code in your functions.php file. A popular plugin to achieve this is called Limit Login Attempts Reloaded. The setup is simple and it even allows you to configure how strict you would like the rules to be for allowed attempts. It can also notify you when users have been locked out and for how long.
You can also limit login attempts relatively simply by adding some PHP code to the theme functions.php file. You can do this by making use of the built in “check_attempted_login” and “login_failed” functions. Here’s the snippet you would need to add:
function check_attempted_login( $user, $username, $password ) {
    if ( get_transient( 'attempted_login' ) ) {
        $datas = get_transient( 'attempted_login' );
        if ( $datas['tried'] >= 3 ) {
            $until = get_option( '_transient_timeout_' . 'attempted_login' );
            $time  = time_to_go( $until );
            return new WP_Error( 'too_many_tried', sprintf( __( 'ERROR: You have reached authentication limit, you will be able to try again in %1$s.' ), $time ) );
        }
    }
    return $user;
}
add_filter( 'authenticate', 'check_attempted_login', 30, 3 );

function login_failed( $username ) {
    if ( get_transient( 'attempted_login' ) ) {
        $datas = get_transient( 'attempted_login' );
        $datas['tried']++;
        if ( $datas['tried'] <= 3 ) {
            set_transient( 'attempted_login', $datas, 300 );
        }
    } else {
        $datas = array( 'tried' => 1 );
        set_transient( 'attempted_login', $datas, 300 );
    }
}
add_action( 'wp_login_failed', 'login_failed', 10, 1 );

function time_to_go( $timestamp ) {
    // converting the mysql timestamp to php time
    $periods = array( "second", "minute", "hour", "day", "week", "month", "year" );
    $lengths = array( "60", "60", "24", "7", "4.35", "12" );
    $current_timestamp = time();
    $difference = abs( $current_timestamp - $timestamp );
    for ( $i = 0; $difference >= $lengths[ $i ] && $i < count( $lengths ) - 1; $i++ ) {
        $difference /= $lengths[ $i ];
    }
    $difference = round( $difference );
    if ( isset( $difference ) ) {
        if ( $difference != 1 ) {
            $periods[ $i ] .= "s";
        }
        $output = "$difference $periods[$i]";
        return $output;
    }
}
Both options will be a big step forward to get your WordPress website fully secure.”
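A per-client variant of the functions.php approach described above, as an added example that is not the article's snippet: it uses the same 'authenticate' and 'wp_login_failed' hooks, but keys the counter by client address so one client's failures cannot lock every user out, and clears it on a successful login. The ssw_ names and the limits are my choices; behind a proxy or CDN, REMOTE_ADDR is the proxy's address, so the key would need the forwarded-client header your host sets (not assumed here).

```php
<?php
/**
 * Per-client login throttle. Added example, not the article's snippet.
 * Same hooks ('authenticate' and 'wp_login_failed'), but the counter is
 * keyed by client address, so one client's failures cannot lock every
 * user out, and it is cleared on a successful login.
 */

const SSW_MAX_ATTEMPTS    = 5;   // failures allowed inside one window
const SSW_LOCKOUT_SECONDS = 900; // window length and lockout duration

/**
 * Transient name for the calling client. REMOTE_ADDR is the address PHP
 * sees; behind a proxy or CDN that is the proxy, so you would read the
 * forwarded-client header your host sets instead (none assumed here).
 */
function ssw_login_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'ssw_login_' . md5( $ip );
}

/** Refuse the attempt outright once the client has hit the limit. */
function ssw_check_attempted_login( $user, $username, $password ) {
    $data = get_transient( ssw_login_key() );
    if ( is_array( $data ) && $data['tried'] >= SSW_MAX_ATTEMPTS && $data['until'] > time() ) {
        return new WP_Error(
            'too_many_tried',
            sprintf( 'ERROR: Too many failed logins. Try again in %s.',
                     human_time_diff( time(), $data['until'] ) )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'ssw_check_attempted_login', 30, 3 );

/** Count a failure; the window starts at the client's first failure. */
function ssw_login_failed( $username ) {
    $key  = ssw_login_key();
    $data = get_transient( $key );
    if ( ! is_array( $data ) || $data['until'] <= time() ) {
        $data = [ 'tried' => 0, 'until' => time() + SSW_LOCKOUT_SECONDS ];
    }
    $data['tried']++;
    // Expiry of 0 would mean "never expire", so keep it at least one second.
    set_transient( $key, $data, max( 1, $data['until'] - time() ) );
}
add_action( 'wp_login_failed', 'ssw_login_failed' );

// A successful login clears the client's counter.
add_action( 'wp_login', function () {
    delete_transient( ssw_login_key() );
} );
```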
Micah Wood
Select Trusted Themes and Plugins
– “One of the easiest ways to avoid security issues on your site is to only use trusted themes and plugins. WordPress itself is very secure and any issues that may arise are handled very quickly by the WordPress security team. However, the themes and plugins that we use on our sites may not be as secure and the developers may not be as responsive to security issues.
If you have an existing site, just making sure that WordPress, themes, and plugins are up-to-date will go a long way. Not updating means that you may be missing out on important security updates. Even so, it is possible that you are still running software that isn’t secure.
How to Check for Security Vulnerabilities
The first thing you want to do when considering a theme or plugin is to check and see if there is any record of unresolved security issues. The easiest way to do this is using the WPScan website.
Simply type in the name of the plugin or theme you want to check and it will show you a list of any known vulnerabilities. Many popular plugins have had vulnerabilities in the past, so don’t let that worry you. What you want to see is that the vulnerability has been addressed and that the latest version of the plugin is safe.
Using a plugin like WordFence will also automatically alert you to any vulnerabilities in plugin or theme versions that you have installed on your site.
How to Use Quality Indicators
If you aren’t a programmer, how can you know if a plugin or theme is good, secure, and worth using? The best approach is to look at some key indicators of quality. For example, many of the themes out there are released and never or rarely updated. If a developer isn’t actively maintaining the software, how often do you think they are looking at potential security issues? Probably not at all.
Some of the key indicators you should be checking are:
– Is the software updated regularly? If the software has been updated in the last 90 days or when the last major WordPress update occurred, you are probably safe.
– How popular is the software? Generally, you should avoid anything that has only a handful of users, downloads, or active installs. The more popular, the safer the bet that you are looking at something of quality.
– How positive are the reviews? If you look at the reviews or the support forums and see a lot of comments like “Doesn’t work”, “Terrible support”, or “Broke my site”, then you should definitely avoid it.
– How supportive are the developers? It should be clear how you would get support for a plugin or theme. You should also see quality interactions in any public support forum. Paid plugins typically provide better support since that is part of what you pay for. Free plugins may or may not have a responsive developer.
– How focused is the software? Focused plugins and themes are often higher quality. It is better to pick a plugin that does the one thing you need rather than one that tries to do everything under the sun. While some plugins and themes are larger and more complex than others, a lack of focus is a bad sign. For example, if your theme not only handles the look and feel of your site, but also tries to incorporate a page builder, 150 shortcodes, adds custom post types, and has a bunch of settings pages then you’re better off finding another theme and selecting a few different plugins to get the same functionality.
– How reputable is the source? If you ask around and nobody has ever heard of the company, developer, or website you will be obtaining the software from, then you may want to do more research or simply move on. If free plugins aren’t on the official WordPress.org plugin directory, then you should be extremely careful. Premium plugins and themes should be obtained from a reputable company or well-known developer in the WordPress community.
– How compatible is the software? Once you decide to try out a theme or plugin, if things start behaving oddly or another plugin starts acting up, it is usually related to the most recent thing you installed or changed. Tools like Plugin Detective will help you determine the culprit and follow up with the developer if necessary. Trying out a free plugin is easy, but doing this with a paid plugin requires spending money. If the company offers a money back guarantee, this is another big plus.
Keep in mind that one indicator shouldn’t necessarily be a deal killer. Watch for patterns that consistently point to a lack of quality.
How to Perform Quality Checks
There are some great tools out there that can help non-technical people vet themes and plugins.
Theme Checks
The Theme Check plugin is a tool that is used by the WordPress theme review team and performs a number of quality checks automatically. Simply running this on your desired theme can give you a better idea of how well it meets standards.
Plugin Checks
The WP Hive website performs a number of checks on plugins in the WordPress plugin directory to help you determine if there are any issues. Without ever installing the plugin, you can see if the plugin throws any errors, doesn’t work with the latest version of WordPress or PHP, how it impacts memory and site performance, etc.
Another similar tool is the PluginTests website, which is targeted toward more technical users.”
Matthew Upton
Use a WordPress Specific Hosting Company that Handles Security for You
– “Picking the right hosting company should be your first step in providing proper security for your website(s). There are many hosting companies out there who host WordPress websites, but do they have your best interests in mind, and do they provide any hardware or software security solutions to help keep your website safe? Do they really know what they are doing when it comes to WordPress, or is it just another product they sell, usually at a cheap price, just to gain more customers? And should something terrible happen to your site (like it getting hacked), what then? Will they help, or will they point the finger at you – both in blame, and to figure out how to recover?
I can answer those questions from experience, as I have been hosting websites for my clients for 25+ years, and WordPress sites for about 10 years. When I first started hosting WordPress websites, I was using HostGator. I also worked with clients who were hosting their own sites at other various hosting companies, such as GoDaddy, BlueHost, and even (gasp!) Network Solutions. While I was fortunate to never have a site hacked that I was responsible for, I helped many clients recover their site (and a few that couldn’t – we had to start over with a new site).
In each instance, the hosting company provided no help. None of them provided any security tools for any WordPress hosted sites. Furthermore, none of them provided any guidance on ways or techniques for their clients to improve security themselves.
I found myself thinking, what if there existed a hosting company that only hosts WordPress websites. No email, no domains, no DNS – nothing but WordPress sites. What if that company was truly passionate about WordPress hosting and everyone that worked there shared the same vision – to make their WordPress hosting product the safest and fastest available? What if they provided all of the security at an infrastructure level, and didn’t leave their clients to fend for themselves?
So I started researching and what I found was just that company – WP Engine. I’ve been with them for about 6-7 years now. During that time, I’ve been responsible for at least 500 websites. Not once have I had a website go down from a lack of security. Furthermore, I use no extra security plugins on any of the sites. I am 100% confident that what WP Engine provides for security is all I need to keep all my clients’ (and my own) sites safe!
There are other WordPress only hosting companies out there now, but I’ll stick with WP Engine. On top of the security and speed they provide, their customer service is the best! So remember, who you pick as your WordPress hosting company should be the first step in your security journey!”
Travis Buck
Backup Your Website Regularly
– “What do you think of when WordPress security comes up? Many new website owners set up a security plugin and leave it at that. But, did you know there are more steps you can take to secure your WordPress website and make it hacker-proof?
The keys to website security are knowledge and preparation. First, you have to know the basics of hacking. The most common way a hacker will try to breach your site is by inserting code into your website’s database, which is often extremely difficult to find.
In the event that this happens, you will want to be prepared and have a full backup solution in place. I recommend a service like BlogVault. It’s the most reliable backup and restore tool I’ve used. It offers automatic daily website backups, fast recovery, free encrypted offsite storage, and 24/7 customer support. Even better, they don’t store a version of your site on their servers, which keeps your data and sensitive information safe.
Having this backup plan in place will give you that extra piece of security—and extra peace of mind. With it, you could restore your website to a pre-hacked state anytime you need to. This allows you to look for exploits, outdated plugins, weak passwords, etc. and it also saves you a lot of time. Rather than spending days cleaning a hack, a backup plan like this could restore your website in a matter of hours. It’s essential to keeping your website safe and hacker-proof. Having a good backup plan in place is an integral part of your overall website security solution.”
Stephen Starr
Install Wordfence
– “Wordfence is a firewall and malware scanner plugin you can install in your WordPress site that can provide a great deal of protection from external sources that may be attempting to breach your files. There is a free version and a paid version. It detects malware when you initiate a site scan and in many cases, eliminates it with an on-the-spot repair. The plugin scans all site files and provides feedback on any harmful files. The scan dashboard looks like this:
Wordfence works by comparing your core files, themes and plugins with what is in the WordPress.org repository, checking their integrity and reporting any changes to you.
Another great feature of Wordfence is it catalogs all live traffic. When there is an unauthorized bot attempting access to your site, you can block attackers by IP or build advanced rules based on IP Range, Hostname, User Agent and Referrer as shown here:
It will alert you by email to suspicious activity on your site and the plugin authors send a regular email to alert you when there has been a known breach to anything that might create a vulnerability for WordPress installs in general.
Thankfully, I have only had one site hacked in my career to date, but when I cleaned it up, I installed Wordfence and it has kept that site clean ever since.”
Carlos Longarela
Limit User Options Using the WP.Config File
– “This configuration in our WordPress website is handled with database options and some configuration in the wp-config.php file in our webroot installation.
The first step that we can take is to move that file one level up. If our installation config file is located in /hosting/folder/our-awesome-website/public/wp-config.php we can move the file to /hosting/folder/our-awesome-website/wp-config.php, and the file will be inaccessible from the public website, and WordPress will read it anyway.
In our config file we can define the website url so that users can’t change it from the admin panel. We do this by adding these two lines to our wp-config.php file:
define( 'WP_SITEURL', 'https://our-awesome-web.site' );
define( 'WP_HOME', 'https://our-awesome-web.site' );
Then limit the cookie domain with the following code:
define( 'COOKIE_DOMAIN', 'our-awesome-web.site' );
Another good option is to deny file editing in WordPress, as that can be a big problem if someone is granted admin permissions to your website, allowing them to edit theme and plugin files. We can disable it with this code:
define( 'DISALLOW_FILE_EDIT', true );
We could also force https for user authentication and force https to enter the admin panel with these two lines:
define( 'FORCE_SSL_LOGIN', true );
define( 'FORCE_SSL_ADMIN', true );
There are a lot of options that can be configured in the wp-config.php file, and you can view the options with the parameters specific to your website with the browser extension “Best WordPress Tools” (available for Chrome: https://chrome.google.com/webstore/detail/best-wordpress-tools/miepkfdpkfdnfefoobohbfdenldodpfi and Firefox: https://addons.mozilla.org/es/firefox/addon/best-wordpress-tools/).”
Stacy Castleton
Hide Your WordPress Version
– “With new exploits becoming available for WordPress every day, one of the most important things is to make it more difficult for bad actors to easily identify your version of WordPress – especially if you don’t have automatic updates enabled for WordPress core and don’t regularly install updates in a timely manner.
Sites running legacy versions of WordPress are attractive targets because exploits of any vulnerabilities are readily available to potential (even incredibly novice) attackers. By default, the WordPress version number appears in a few known places, such as in a META tag on every single page:
This makes it simple for an attacker to identify known vulnerabilities and execute exploits – and suddenly your site is selling knock-off Viagra. (Not kidding – my first foray into security involved helping someone investigate and clean up after such a hack.)
There are two easy options that I recommend for removing the version of WordPress, depending on your comfort level with PHP code.
The first option is to modify the functions.php file for your theme. The one caution here is that, unless you are using a child theme, any updates to the core functions.php file for third party themes will overwrite changes. If you have no idea what that means, opt for a plugin instead. Otherwise, this code will remove the version number wherever it’s automatically generated:
// remove the ?ver= query string from enqueued scripts and styles
function remove_css_js_version( $src ) {
    // strpos() returns false when the substring is absent; compare explicitly
    if ( strpos( $src, '?ver=' ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'remove_css_js_version', 9999 );
add_filter( 'script_loader_src', 'remove_css_js_version', 9999 );

// remove the generator tag from the HTML head and RSS feeds
function site_remove_version() {
    return '';
}
add_filter( 'the_generator', 'site_remove_version' );
If you prefer to keep your hands out of the code, there are many plugins available that will not only allow you to block WordPress from exposing the version number, but also include more features to harden your overall WordPress security.
One such plugin is WP Hide & Security Enhancer. This plugin is updated frequently and packed with options to enhance your site’s security. Importantly, it has the option to remove WordPress Generator META, as well as other generator META, including the name and version number of your theme (yes, sometimes themes are exploitable, too).
If you install WP Hide & Security Enhancer, once it’s activated, you can hide your WordPress version number in just 3 steps:
- Go to WP Hide > General / Html
- On the Meta tab (usually selected by default), change the option from “no” to “yes” for Remove WordPress Generator Meta
- Scroll to the bottom and click “Save”
It’s that easy! Of course, you are encouraged to check out the other security options it offers as well.
If you don’t find that plugin intuitive or it conflicts with another plugin (hopefully you’re testing things like this on a dev or staging environment before updating your production site), all you have to do is search plugins for “hide WordPress version” and look for plugins that will do the job. Many firewalls also have this capability – sometimes only in the premium versions.
Overall, I recommend the first option because, well, even the most secure plugins sometimes get exploited, so why add yet another thing to the attack surface?”
Surya Panda
Secure .HTACCESS Configurations
– “A lot of security concerns can be addressed through .htaccess Configurations. You can find this file in the root directory of the WP installation where folders like wp-admin, wp-content, wp-includes live. Any code added to this file should be placed in between the # BEGIN WordPress and # END WordPress statements.
1. Secure wp-config.php: This is one of the most important files of the WordPress setup as it contains database access and lots of other important data. So securing this file is a top priority.
Add the following:
# Protect wp-config.php (Apache 2.2, mod_access)
<IfModule !mod_authz_core.c>
<Files wp-config.php>
order allow,deny
deny from all
</Files>
</IfModule>
# Protect wp-config.php (Apache 2.4, mod_authz_core)
<IfModule mod_authz_core.c>
<Files wp-config.php>
Require all denied
# 1.1.1.1 is a placeholder: replace it with your own address, or remove the line to deny everyone
Require ip 1.1.1.1
</Files>
</IfModule>
2. Prevent Directory Browsing: This prevents attackers from viewing the folder content of your WordPress setup.
Add the following to your .htaccess file:
# Prevent directory browsing
Options -Indexes
3. Prevent Image Hotlinking: Though this is not technically a security breach, it increases resource use of your server and can slow it down. So why not prevent the misuse of the resources you have paid for. Change “example.com” to your website.
Add this to your .htaccess file:
# Prevent image hotlinking
RewriteEngine on
# allow requests with no referer (direct visits, some browsers and proxies)
RewriteCond %{HTTP_REFERER} !^$
# allow requests referred from your own site, with or without www
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/.*$ [NC]
# everything else gets 403 Forbidden for image files
RewriteRule \.(gif|jpg|jpeg|bmp|png)$ - [NC,F,L]
4. Protect .htaccess: The WP installation contains these files on multiple directories for different purposes. These files can be exploited to breach securities. So let’s prevent access to these files.
Add the following to your .htaccess file:”
# Protect .htaccess and .htpasswd files (Apache 2.2, mod_access)
<IfModule !mod_authz_core.c>
<FilesMatch "^\.ht">
order allow,deny
deny from all
satisfy all
</FilesMatch>
</IfModule>
# Protect .htaccess and .htpasswd files (Apache 2.4, mod_authz_core)
<IfModule mod_authz_core.c>
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
</IfModule>
Kim Blake
Change WordPress Database Prefix
– “By default, WordPress uses “wp_” as the prefix in the database tables which makes it easier for hackers to figure out what prefix you’re using, but you can change that to help keep your site more secure.
New WordPress Installation
If you’re installing WordPress for the first time, changing the prefix is simple.
Most web hosting companies have a “WordPress Installer” tool you can use. When using this tool, make sure to open “Advanced Options”. Here is where you can set the prefix to your liking. Once you have entered your prefix, move forward with installing WordPress.
Existing WordPress Installation
If you have an existing website that uses the default prefix, you’ll need to do a little more work.
First, make sure to create a backup of your database. If something goes wrong you’ll be able to revert to it.
Next, edit your wp-config.php file, which can be found in your WordPress root directory. Change the table prefix from “wp_” to whatever you want it to be (only numbers, letters, and underscores can be used). For example, “wp_tb1234”.
The line in your wp-config.php file would end up looking something like this:
$table_prefix = 'wp_tb1234_';
Once your wp-config.php file has been saved, you will need to change all of the database table names via phpMyAdmin.
Tip: If you have more than one WordPress installation on your server, note which database you will be accessing from your wp-config.php. This will make it easier to identify the database you need to work with in phpMyAdmin.
The line looks something like this:
define('DB_NAME', 'dbname_zif9n');
If your web host uses cPanel, you will find “phpMyAdmin” under the “Database” section.
Once you have located the correct database, you will be ready to change the prefix.
There are a total of 12 default WordPress tables, so changing them manually is time consuming, but using a SQL query will make your life easier.
Choose the SQL tab to run any and all queries, replacing ‘wp_tb1234_’ with your selected prefix.
RENAME TABLE `wp_commentmeta` TO `wp_tb1234_commentmeta`;
RENAME TABLE `wp_comments` TO `wp_tb1234_comments`;
RENAME TABLE `wp_links` TO `wp_tb1234_links`;
RENAME TABLE `wp_options` TO `wp_tb1234_options`;
RENAME TABLE `wp_postmeta` TO `wp_tb1234_postmeta`;
RENAME TABLE `wp_posts` TO `wp_tb1234_posts`;
RENAME TABLE `wp_termmeta` TO `wp_tb1234_termmeta`;
RENAME TABLE `wp_terms` TO `wp_tb1234_terms`;
RENAME TABLE `wp_term_relationships` TO `wp_tb1234_term_relationships`;
RENAME TABLE `wp_term_taxonomy` TO `wp_tb1234_term_taxonomy`;
RENAME TABLE `wp_usermeta` TO `wp_tb1234_usermeta`;
RENAME TABLE `wp_users` TO `wp_tb1234_users`;
You may have to add lines for any plug-ins you’re using, but for this task you are only changing the default WordPress table prefixes to the one you entered in your wp-config.php file.
The Options Table
Search the options table for any other fields that are using wp_ as a prefix. Use the SQL query below:
-- the backslash keeps "_" literal; in LIKE it is otherwise a single-character wildcard
SELECT * FROM `wp_tb1234_options` WHERE `option_name` LIKE '%wp\_%';
This will return a lot of results and you will need to change each line individually.
UserMeta Table
Search the “usermeta” fields and replace the wp_ prefix as well. Use the following SQL query:
SELECT * FROM `wp_tb1234_usermeta` WHERE `meta_key` LIKE '%wp\_%';
The number of entries may vary, depending on how many plug-ins you are using. Just change everything that has wp_ to your selected prefix.
Mission Accomplished
Test your site to make sure all is working as expected. If it is, create a new backup of your database.”
Craig Burgess
Check Content for Strange Links
– “Recently we discovered something we’d never seen before on one of our high-traffic websites. It made us update our weekly checks. Let me explain what happened. It might make you do the same.
We use SEMrush and Screaming Frog to run checks on content and technical SEO each month. I happened to run the External links check in Screaming Frog and noticed several strange links to “Horse CBD”.
This is an example screenshot and doesn’t include the links
I scrambled to remove the links from the website as quickly as I could. Despite all our checks, links to strange websites had appeared on a page on this website.
Targeted Backlinks Are Still a Big Industry
Inserting backlinks on websites is still a common tactic for hackers. Backlinks are important and people will pay big money for them. Backlinks are still the number one thing that Google takes into account when ranking your website. They’re still big business. So some people will go to extremes to get them on your website.
We’re not quite sure how this link ended up on the website. After a lot of investigation, we didn’t discover any breaches of the website. This left me to assume it had been copy and pasted in.
I’ve since discovered 1 or 2 other websites where links to content like this have been copied and pasted in by users of the website. They may be copying quotes as sources for their article. They may be copying statistics.
What makes them hard to spot is that they’re purposefully hidden. You won’t see them by glancing at web pages.
Example:
This is a sentence__.
The underscore represents where the link is hiding. They’d then change it so that the space was only 1 pixel wide with CSS.
Remember: The goal isn’t to make these links clickable. It’s to get a backlink — a link to their website from your high-traffic website.
Let’s stop it.
How to Protect Against This
As these links hide inside content, you need an external checker. I use Screaming Frog to check weekly on our websites for these kinds of links. Flick over to the External tab on Screaming Frog and it will show you all links that link out from your website.
You’ll need to manually browse this list for any “dodgy” looking links.
In my experience, these are the kinds of links I’ve caught.
Pay special attention to mentions of these words:
- CBD
- Download
- Movie
- Free
- Porn
Once you discover a link you believe might not be right, click on it.
From there, click the Inlinks tab at the bottom left of your screen to see where it is and what the anchor link is called. You can then delete it if it’s not meant to be there.
Train Your Website Users
If it’s possible, ask your website users to check for these links too. Ask them to copy and paste their content into a code editor (such as Visual Code) before they paste it into the website. This will strip out all links and hidden formatting.
WordPress has gotten good at stripping out formatting but links will stay. It doesn’t strip out links.
This still isn’t popular
As I mentioned, I’ve caught only a couple of links so far like this. Out of around 50 websites, that’s a low risk. It’s a low risk that I’m beginning to see rise and I thought I’d bring it to your attention.
Hopefully it’ll help you in the future.”
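An automated version of the check Craig describes, added here as an example and not part of his post: it parses a page's HTML, ignores links that stay on your own domain, and flags outbound links whose anchor text is empty, whose inline style hides them, or whose URL contains one of the keywords listed above. The sample HTML and the domain names in it are constructed; find_suspicious_links is a hypothetical helper, not a Screaming Frog or WordPress API.

```python
from html.parser import HTMLParser
import re
from urllib.parse import urlparse

# Keywords from the checklist above, matched case-insensitively against the URL.
SPAM_WORDS = ("cbd", "download", "movie", "free", "porn")
# Inline CSS that makes a link effectively invisible (the 1px-wide trick).
HIDDEN_STYLE = re.compile(r"font-size\s*:\s*0|width\s*:\s*[01]px|display\s*:\s*none"
                          r"|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.0-9]*[1-9])", re.I)

class _LinkCollector(HTMLParser):
    """Collect every <a href> with its inline style and visible text."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._open = {"href": a.get("href") or "", "style": a.get("style") or "", "text": ""}

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None

def find_suspicious_links(html, site_domain):
    """Return flagged external links as dicts with href, text and reasons."""
    parser = _LinkCollector()
    parser.feed(html)
    site_domain = site_domain.lower()
    flagged = []
    for link in parser.links:
        host = urlparse(link["href"]).netloc.lower()
        if not host or host == site_domain or host.endswith("." + site_domain):
            continue  # relative or same-site link: not a planted backlink
        reasons = []
        if not link["text"].strip():       # "__" anchors with no real text (&nbsp; included)
            reasons.append("empty anchor text")
        if HIDDEN_STYLE.search(link["style"]):
            reasons.append("hidden by inline style")
        hits = [w for w in SPAM_WORDS if w in link["href"].lower()]
        if hits:
            reasons.append("keyword: " + ",".join(hits))
        if reasons:
            flagged.append({"href": link["href"], "text": link["text"], "reasons": reasons})
    return flagged

# Constructed sample post body: one honest citation, one internal link and
# two planted backlinks of the kind described above.
SAMPLE_HTML = (
    '<p>This is a sentence<a href="https://horse-cbd.example/shop" style="font-size:0">&nbsp;</a>.</p>'
    '<p>See <a href="https://www.example.org/report">the report</a> and <a href="/about">our about page</a>.</p>'
    '<p>Get it <a href="https://free-movie.example/">here</a>.</p>'
)

if __name__ == "__main__":
    for f in find_suspicious_links(SAMPLE_HTML, "example.org"):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

Run it over the rendered HTML of each post (for example the output of a crawler export) rather than the editor's block markup, so that links pasted in with formatting are seen exactly as visitors and search engines see them.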
Cindy Bouchard
Periodically Delete Old Users/Admins
– “It’s sometimes necessary to add a new user or a new administrator to your WordPress website, especially when we need technical support or there is a new employee at our company. Most of us forget to recheck our users over time. While it’s rare that a disgruntled employee or technical support person would abuse their privilege, it’s best practice to delete users who no longer need access to your website.
To check who has access to your website, go to the WordPress Dashboard and find the users section. There you can easily delete users who don’t currently need access. Even if you think they might need access later, it’s best to only keep users who are currently working on your website.”
Alexanndre Levan
Monitor Your User Activity Logs
– “Keeping tabs on all the activity happening on your website can be essential in avoiding potential problems and helpful in shedding light on the cause when things do go wrong.
Often referred to as a “user audit log” or “user activity log” plugin, this runs in the background of your website and can be accessed to view a detailed list of virtually every event that takes place on your website, including all login attempts, password changes, content updates, profile updates, and all other system changes. You’ll know exactly who did what and when.
From a WordPress security standpoint, if your website has multiple users or contributors, it’s important to ensure that they’re not trying to change vital aspects of your site without approval (like removing critical pages, changing permalinks, changing themes, etc.).
In the event that one of your users’ accounts is compromised, reviewing your user activity logs can help you uncover any malicious activity carried out from that account.
There are several free standalone user audit plugin solutions available such as WP Activity Log and Stream.
– WP Activity Log: https://wordpress.org/plugins/wp-security-audit-log/
– Stream
The audit logging functionality is also included as part of certain paid WordPress security plugins such as Defender Pro.
Steve Perry
Use File Change Monitoring and Keep an Audit Trail
– “According to the book Computer Incident Response and Forensics Team Management: Conducting a Successful Incident Response (L Johnson, 2013), there are 7 stages to incident response. However, today we’ll keep things brief and focus on stage 2 – identification. In other words – how do you know if your website has been compromised, and how can you get a head start on the bad actors?
This is mostly an on-going process, and can be complex to configure, but it can really help you keep on top of things, catch intrusions quickly if they happen, and if the worst does happen it can help incident response and forensics teams remediate a hack.
As an overview, here are some general tips to help:
- Store as many logs as you can (access logs, error logs etc.) and feed them into a SIEM for ease of access (if this is not possible then just know where and how to access your logs). This can help detect vulnerabilities and help you defend your website.
- Monitor for logins, either successful or unsuccessful.
- Run regular scans for malware and credit card data.
- Monitor for file changes (if a malicious user gets access and uploads a backdoor then you should know about it right away) and keep an audit trail for every authenticated user.
Today we’ll focus on monitoring for file changes and keeping an audit trail.
File Monitoring
You don’t need to understand how systems work to know what looks right. Monitoring for file changes can be as simple as logging in to your website directory using basic SFTP skills and taking a screengrab of what files are present and their modification timestamps. Then, periodically check your website directory against this screen grab to see if any new files have turned up or if any files have suspicious modification dates. You don’t need forensic skills; you just need to have a reference to work from.
There are also lots of free WordPress plugins available (Wordfence is a great option) that can alert you when your website’s files change. This is a great next step as it can automate the process and then send an email alert if anything is picked up. Be sure to enable the checking of non-WordPress files, if that option is present, to help improve the chances of malicious files being found. For more complex systems or advanced users, there are malware monitoring tools available and you can set up automated scripts that compare your file system against a Git repository or similar.
User Audit
Another useful step is to install a plugin that keeps an audit trail of all authenticated user activity (WPMU’s Defender Pro is very good for this but does require a paid account). This will then provide you with a step-by-step record of a user’s activity if you feel that something is suspicious or out of place. For example, I was once called in to check on some malicious activity on a website. Employing user audit techniques, we were able to see that a user account was created with escalated privileges. That user then uploaded a specific plugin file which provided a way for them to keep access if their account was deleted – a backdoor. Using this information, we were able to quickly mitigate this and clear up the site. Without user auditing, this would have been more difficult to pinpoint.
An added bonus is that this can also help in the process of bug fixes if a user is having an issue with your website. This step will also help a forensic investigation team if your website does become compromised and you need to have an investigation carried out.
References
Computer Incident Response and Forensics Team Management: Conducting a Successful Incident Response, Leighton Johnson, 16/12/2013.”
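A minimal version of the baseline comparison Steve describes, added as an example and not the article's or any plugin's code: the first run records a SHA-256 and modification time for every file under the WordPress root, and later runs report files that were added, removed or modified. Paths in the usage comment are placeholders; the script assumes read access to the whole directory.

```python
import hashlib
import json
import os

def snapshot(root):
    """Map every file under root (path relative to root) to its SHA-256 and mtime."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            state[os.path.relpath(path, root)] = {"sha256": h.hexdigest(),
                                                  "mtime": os.stat(path).st_mtime}
    return state

def diff_snapshots(baseline, current):
    """Return {'added': [...], 'removed': [...], 'modified': [...]} with sorted paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    # Compare content hashes, not timestamps: a file dropped with a back-dated
    # modification time still shows up here, while an untouched file never does.
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p]["sha256"] != current[p]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}

def check(root, baseline_path):
    """Compare root with the stored baseline; on the first run just record it."""
    current = snapshot(root)
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w") as fh:
            json.dump(current, fh, indent=1, sort_keys=True)
        return None  # nothing to compare against yet
    with open(baseline_path) as fh:
        baseline = json.load(fh)
    return diff_snapshots(baseline, current)

if __name__ == "__main__":
    import sys
    # usage: python file_monitor.py /path/to/wordpress /outside/webroot/baseline.json
    # Keep the baseline outside the web root so that whoever alters the site
    # cannot also rewrite the reference it is compared against.
    result = check(sys.argv[1], sys.argv[2])
    print("baseline recorded" if result is None else json.dumps(result, indent=1))
```

Legitimate core, plugin and theme updates also change files, so review each report, and once every change is explained delete the baseline file so the next run records a fresh one.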
Cheryl Russell
Use Two-Factor Authentication
– “Do you use the same password on several sites? Perhaps you alter it by a few letters or numbers but have a “system” that helps you remember from one site to the next. If not, that’s great, but are you certain that no other user on your WordPress site does this?
One of the most common ways WordPress security is breached is through a common password that has been compromised. It is almost impossible to ensure every user practices good password etiquette – such as choosing a strong and completely unique password and changing it frequently. But you can be fairly certain they are the authentic user of that username/password combination by implementing two-step/two-factor authentication.
This technology has come a long way from carrying a fob on a keychain. You can now verify who you are by activating two-factor authentication on your WordPress site and then use an authentication app on your smart device. It does require a bit more time. You enter your username and password as you usually would, but then you will open up the associated app on your smartphone, and you have about 30 seconds to input a code. Once you’ve successfully done that, you have your usual dashboard view as is appropriate for your user/admin settings. It is a bit more time consuming but is one of the more important things you can do to secure your WordPress website – particularly if you have multiple users.
There are multiple plugins and apps that can handle this and a simple search will give you more choices than you need. There are a few nuances so review the top 5 and see if there are any that particularly suit your needs. But this is one of the easiest and most effective things you can do to secure your site.”
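What the app and the plugin are doing during those 30 seconds, as an added example not taken from the article or any particular plugin: a TOTP code (RFC 6238) is an HMAC over the current 30-second counter, and the verifier accepts only the current step plus one step on either side for clock drift. The secret below is the RFC 6238 test key, used here as a constructed demo value.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # seconds per code: where the "about 30 seconds" comes from
DIGITS = 6
SKEW = 1      # also accept the previous/next step to tolerate clock drift

# Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32.
EXAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, timestamp, step=STEP, digits=DIGITS):
    """Code for a base32 secret at a given Unix time (RFC 6238, HMAC-SHA1)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(timestamp) // step)   # 8-byte big-endian step number
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                              # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, now=None, skew=SKEW):
    """True if the submitted code matches the current step or one within +/-skew."""
    now = time.time() if now is None else now
    submitted = submitted.strip().replace(" ", "")
    for delta in range(-skew, skew + 1):
        expected = totp(secret_b32, now + delta * STEP)
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(expected, submitted):
            # A real plugin also records the accepted step so the same code
            # cannot be replayed a second time inside the window.
            return True
    return False  # outside the window: the user has to wait for the next code

if __name__ == "__main__":
    print("current code for the demo secret:", totp(EXAMPLE_SECRET, time.time()))
```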