WordPress Security Tips & Tricks
WordPress is the most popular Content Management System in the world, and with good reason. It’s versatile, simple to use and powered by a huge open-source community. It’s no wonder then that WordPress powers around 40% of all websites on the internet.
But this popularity is a double-edged sword. The more popular a piece of technology, the more likely it is to be targeted by hacker groups.
Below are some of my top WordPress security tips. Of course, security is a huge subject, but you can consider these recommendations a good starting point – a cheatsheet of some quick wins for increased security. Some of them are dead simple and others require a little technical knowledge, but I’d encourage you to check as many of them off as you can.
#1. Choose a hosting provider with decent security features
The first step towards securing any WordPress site is to invest in a hosting company that has strong security features. This includes support for the latest version of PHP, MySQL, and Apache as well as other peripherals such as a firewall and 24/7 security monitoring.
If possible, choose a hosting company that performs daily backups and regular malware scans (WP Engine or SiteGround, for example). You can even find hosting companies that include various DDoS (Distributed Denial of Service) prevention measures.
Your hosting company is usually the first gate that hackers have to break through to gain access to your site, so investing more upfront and purchasing a more expensive hosting plan will definitely pay off. I recommend choosing a managed WordPress hosting provider, such as WP Engine.
#2. Use a sensible username
Back in the day, WordPress used to set the default username as admin and most users never bothered to change it. As a result, admin is usually the first username hackers will try when they launch a brute-force attack.
Therefore, you should never use the admin username for your WordPress website. If you’ve recently installed your website, chances are you’ve had to set your own username. This is a good start, but many people still set usernames that can easily be guessed. My recommendation would be not to use your full name, and generally be sensible about the name you’re choosing – can it be linked to you and easily guessed?
If you need to create a new admin username you can do so by heading to Users > Add New and choosing a strong username and password. Set the role to Administrator and then click the Add New User button.
#3. Does ‘this user’ actually need to be an admin?
Far too often I audit sites with 10+ admin users. There is almost never a good reason for this.
The admin level user privilege is the highest within WordPress, giving full access to user data, customisation options, and much more. In the context of security that means the more admin users you have in the user table, the more potential high-level entry points for any hacker.
So, when you’re adding staff members or other users on your site, just think… ‘does this person really need access to everything?’
Most of the time the answer will be no, and an editor role or even author role will often suffice. You can find more on WordPress user roles here.
#4. Use strong passwords
Make sure the passwords for your WordPress website (as well as your hosting account) are secure. Use a mix of uppercase and lowercase letters, numbers, and symbols to come up with a strong password. Better yet, use a passphrase rather than a password (more on that here).
You can also use a password manager like 1Password to generate and store secure passwords for you.
#5. Keep things updated
Whether it’s WordPress core, plugins, or PHP, you need to keep things updated as regularly as humanly possible. As with any piece of tech, vulnerabilities will come about over time and need to be patched with said updates. I’ve lost count of the number of compromised sites I’ve seen that could’ve been protected, if only their owners had stayed on top of these updates.
The latest major version of WordPress shipped with a handy feature to assist with this, in the shape of automatic updates. By default nothing is added to the auto-update list, however you can easily change this for chosen plugins by heading to Plugins > Select via checkbox > Enable automatic updates from the actions dropdown.
Caveat: Only do this if you know what you’re doing. Many plugins should have extensive testing in a staging environment before being deployed to your production site. Therefore, whilst it’s a handy feature I would only ever use auto-updates sparingly or as a last resort. It’s definitely better than not updating at all, but by far the best way to keep on top of plugin updates is manual testing.
Want to know more about manual testing and updates as part of my WordPress Maintenance service? Send me a message and let’s talk!
#6. Use SSL & HTTPS
For a long time now, the internet has been ablaze with articles about the importance of the HTTPS protocol, and adding SSL security certificates to your site.
HTTPS stands for Hypertext Transfer Protocol Secure, while SSL stands for Secure Sockets Layer (in practice the connection today uses its successor, TLS, but the certificates are still commonly called SSL certificates). In a nutshell, HTTPS allows a visitor’s browser to establish a secure connection with your hosting server (and therefore your site). The HTTPS protocol is secured via SSL/TLS.
Together, HTTPS and SSL ensure that all the information passing between a visitor’s browser and your site is encrypted in transit.
Using both on your site will not only increase your security, but it will also benefit your search engine rank, establish trust in your visitors, and will likely improve your conversion rate as a result.
Talk to your hosting provider and ask about the possibility of obtaining an SSL certificate if you don’t already have one. In some cases you may need to purchase a certificate, however for most sites a certificate from Let’s Encrypt will be perfectly fine and the bonus… Let’s Encrypt certificates are free!
#7. Remove WordPress version number
Anyone who takes a peek at the source code of your website or runs an exploit probe will be able to tell which version of WordPress you’re using. Since each WordPress version has public changelogs that detail the list of bugs and security patches, hackers can easily determine which security holes they can take advantage of if they can detect that you’re running an unpatched version.
Below is an example from an enumeration scan I ran against sonymusic.com, purely to see if a random large company I know to be using WordPress has hidden the version number.
As you can see, the part of the script that shows this information took just 1 second and gave me the information I was looking for. Running this scan is perfectly legal, but if I were a nasty person (don’t worry, I’m not) I could use this information to my advantage. Now, in Sony’s defence this is the latest version at time of writing and they’re bound to have other strong security controls in place. But the point is, with it being so easy to hide why would you not just do it?! So, how do you hide it?
There are actually two methods. Firstly, if you’re comfortable with code you can edit your theme’s functions.php file and add the following single line:
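The snippet below is an added example rather than the original post’s code. It goes a little further than the single `remove_action` line the post refers to: it also clears the generator string from feeds and strips the `?ver=` query string that leaks the version through enqueued scripts and styles. It assumes it is placed in the active theme’s functions.php; the function name is mine.

```php
<?php
// Added example (not the original post's code): hide the WordPress version
// number from the HTML head, RSS/Atom feeds and enqueued asset URLs.
// Assumes it lives in the active theme's functions.php.

// Remove <meta name="generator" content="WordPress x.y.z"> from wp_head.
remove_action('wp_head', 'wp_generator');

// Blank out the generator string WordPress adds to RSS and Atom feeds.
add_filter('the_generator', '__return_empty_string');

// Strip the ?ver=x.y.z query string from core scripts and styles, which
// otherwise reveals the version even with the meta tag gone.
// (example_ prefix marks this as a hypothetical helper name.)
function example_strip_version_query_arg($src) {
    if (is_string($src) && strpos($src, 'ver=') !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'example_strip_version_query_arg', 9999);
add_filter('script_loader_src', 'example_strip_version_query_arg', 9999);
```

Two caveats: removing `ver=` also removes cache busting for those assets, so clear your CDN or page cache after updates; and a scanner can still estimate the version from readme.html or from file fingerprints, so treat this as reducing noise rather than as a substitute for staying updated (tip #5).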
Alternatively there are many well respected security plugins out there that will give this as an option, meaning you don’t need to edit any code yourself. Two recommended free plugins that include this option amongst many other great hardening features, are Sucuri and Wordfence.
#8. Disable theme and plugin editing inside the WordPress dashboard.
The option to directly edit theme and plugin files right within your dashboard will exist in a default WordPress installation. While this can be handy if you want to quickly add a line of code, it also means that anyone who logs into your site can also access those files and potentially cause massive damage.
Similar to point 7 above, this can be achieved through security plugins such as Sucuri, but you can also disable the feature yourself by adding one line to your wp-config.php file, as below:
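The wp-config.php lines in question, as an added example rather than text from the original post. Both constants are real WordPress settings; the placement advice assumes a standard wp-config.php layout.

```php
<?php
// Added example (not the original post's code): wp-config.php settings that
// remove the Theme Editor and Plugin Editor from the dashboard.
// Place them above the "/* That's all, stop editing! ... */" line so they
// are defined before wp-settings.php loads.

// Hide the file editors and reject edit requests even from an Administrator
// account, so a stolen admin login cannot drop PHP into a theme or plugin.
define('DISALLOW_FILE_EDIT', true);

// Stricter option, left commented out here: also block installing, updating
// and deleting themes and plugins from the dashboard. Only enable it if your
// deploy process handles updates, because it also disables the auto-updates
// described in tip #5 and WordPress will stop e-mailing update notices.
// define('DISALLOW_FILE_MODS', true);
```

After saving, Appearance > Theme File Editor and Plugins > Plugin File Editor should no longer appear in the dashboard menu; if they do, the constant is probably defined below the line that loads wp-settings.php.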
#9. Check and change file permissions
According to the WordPress codex, permissions should be set as follows:
- All directories should be 755 or 750
- All files should be 644 or 640
- wp-config.php should be 600
If your settings are different to these recommended values, hackers could easily read the contents as well as change the contents of the files and folders, which can then lead to your site being hacked. If your site is on a shared server, this could also lead to other sites on the same server being hacked… no one wants to be ‘that’ guy.
You can easily check and change file permissions either from cPanel or via an FTP client such as FileZilla (this is what I’m using in the screenshot below).
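If you have shell access, the script below (an added example, not from the original post) audits a whole install against the three values quoted above and reports anything looser than them. It only reports, never changes permissions; the path argument and function name are my assumptions.

```php
<?php
// Added example (not the original post's code): report files and directories
// whose permissions are looser than the codex values (755 dirs, 644 files,
// 600 for wp-config.php). Usage: php audit-perms.php /path/to/wordpress
// Stricter modes such as 750/640 are accepted; 777, 666, 664 etc. are flagged.

function example_audit_permissions(string $root): array {
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $path => $info) {
        $mode = fileperms($path) & 0777;   // keep only the rwx bits
        if ($info->isDir()) {
            $max = 0755;                    // no group/other write on dirs
        } elseif (basename($path) === 'wp-config.php') {
            $max = 0600;                    // DB credentials and salts: owner only
        } else {
            $max = 0644;                    // no group/other write on files
        }
        // Any bit set beyond the allowed maximum means the entry is too open.
        if (($mode & ~$max) !== 0) {
            $findings[] = sprintf('%s is %o, should be at most %o', $path, $mode, $max);
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (example_audit_permissions($argv[1]) as $line) {
        echo $line, PHP_EOL;
    }
}
```

A world-writable wp-content/uploads directory is the most common finding on shared hosting; fix it with the FTP client or cPanel method above rather than loosening the check.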
#10. Disable XML-RPC to block brute-force attacks
This final tip is possibly my favourite, because it’s often overlooked but is incredibly useful. For this particular approach to work your site will need to be on Cloudflare, so with that assumption, let’s take a look…
What we’re tackling
There are two common ways to log in to WordPress: wp-login.php and xmlrpc.php. Both of these, but particularly xmlrpc.php, are targeted heavily by bots and hackers when running DDoS (Distributed Denial of Service) attacks.
What we’re going to do is tell Cloudflare to perform an in-depth browser check to determine if the visitor is a bot or an actual person. We will do this by setting up Page Rules. If Cloudflare determines the visitor is not a legitimate person, it blocks access to the PHP file. If they can’t access the file, they can’t keep trying to log into your account!
Create your Page Rules
First, log in to your Cloudflare account and click on the Page Rules section. You should see a page like this:
(Note: If you’ve never added any page rules, you’ll have 3 available to you)
Click Create Page Rule.
Set If the URL Matches to *yourdomain.com/xmlrpc.php*, replacing yourdomain.com with whatever your actual domain name is.
Click + Add a Setting and choose Browser Integrity Check from the dropdown menu. Toggle it to On.
Click + Add a Setting and choose Security Level from the dropdown menu. Choose I’m Under Attack from the next dropdown menu.
Click Save and Deploy
What this should look like:
Bonus: Do the same thing for wp-login.php
Run the same steps as above but Set If the URL Matches to *yourdomain.com/wp-login.php*, again making sure to replace yourdomain.com with whatever your actual domain name is.
Once you’ve set both page rules, it should look something like this:
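The Cloudflare rules above stop traffic at the edge; the mu-plugin below (an added example, not from the original post, and going beyond the Cloudflare-only approach it describes) switches XML-RPC off inside WordPress itself, so the endpoint is inert even for requests that reach your server directly. It assumes the file is saved as wp-content/mu-plugins/disable-xmlrpc.php.

```php
<?php
// Added example (not the original post's code): disable XML-RPC in WordPress.
// Assumed location: wp-content/mu-plugins/disable-xmlrpc.php, so it loads
// on every request and cannot be deactivated from the Plugins screen.

// Refuse XML-RPC logins: every authenticated method (wp.*, blogger.*, mt.*)
// now fails with "XML-RPC services are disabled on this site".
add_filter('xmlrpc_enabled', '__return_false');

// pingback.ping needs no login and is abused for reflection traffic, so drop
// it from the method table explicitly as well.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping']);
    return $methods;
});

// Stop advertising the endpoint: remove the X-Pingback response header and
// the Really Simple Discovery <link> in the page head that point at xmlrpc.php.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');
```

Check before deploying: the WordPress mobile apps, Jetpack and some remote-publishing tools rely on XML-RPC, so if you use any of them keep the Cloudflare challenge and skip the `xmlrpc_enabled` line.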
WordPress Security Tips; A Summary
Of course, every website is different and in reality there are far more than just 10 things to do in order to have a highly secure site, but in my opinion the tips shared here all form a decent starting point. Since they’re all relatively easy to implement, I think it’s a no-brainer personally!