WordPress Security Guide 2020 – Make Your Site Unhackable
Security is on the top list of essentials when you operate a website. If you dealt with hackers before, you’re probably familiar with the amount of time, effort and frustration to repair all the damage caused even by the lowest level attack. The truth is, all of this can be avoided by following an easy plan of action. In this article, we will discuss the best practices for significantly improving your WordPress security step by step.
Our team has worked with WordPress for over 12 years and we take these matters into the heart. With over 10 000 WP projects behind our backs, we have dealt with the platform and know its strengths and weaknesses, so now we will list our personal advice for improving WordPress security into 3 main categories.
Needless to say, we will be at your disposal if you have questions or need help with fencing WordPress websites.
- What are the statistics?
- Why do websites get hacked?
- How do websites get hacked?
- When do websites get hacked?
- How to prevent it?
- 1.1. Keep Everything Updated
- 1.2. Use Strong Passwords
- 1.3. Change Permissions
- 1.4. Use Premium WordPress Hosting
- 1.5. Use Trusted Sources for Download
- 1.6. Local Antivirus
- 3.1. Lockdown WordPress Admin
- 3.2. Disable File Editing
- 3.3. Disable PHP File Execution
- 3.4. Limit Login Attempts
- 3.5. Disable Directory Indexing
- 3.6. Disable XML-RPC
- 3.7. Add Two-step Authentication
- 3.8. Scan WP for Vulnerabilities
How secure is WordPress?
It’s natural for users to be distressed by statistics like these and question how safe exactly are their websites from cyberattacks. The short answer is, WordPress is indeed safe. The longer version, however, is much more complicated.
The platform is just a cog in a larger machine of elements that all play a role in providing security for WordPress websites. The open-source core of WordPress interacts with web hosting providers, website administrators, and third-party plugin and theme developers. This ecosystem defines the level of security for a website, which means any of these factors could cause security breaches.
One of the biggest concerns when it comes to the very core of WordPress is the fact that it’s a free open-source platform that all users can alter and modify as they please. This is not exactly the case. WordPress keeps its core secure while a dedicate team works daily on updating it and fixing vulnerabilities. The users simply need to download and install the latest updates.
The WordPress core is secure, but it is up to the users to do the right steps in configuring their website in order to prevent attacks.
What are the statistics?
- WordPress powers more than 35% of the websites out there which logically makes it a big target for cyber attacks.
- Nearly 100k security breach attempts to threaten WordPress websites daily.
- Almost half the cyber-attacks aim the small businesses.
- Almost 200k samples of malware are produced daily
- 40% of all WordPress attacks are caused by a bad hosting service
- There is a cyber-attack every 40 seconds averagely.
- Most attacks in 2020 so far focus on exploiting bugs in WP plugins including Flexible Checkout Fields for WooCommerce.
Why do websites get hacked?
We should start with the WHY, or the basic question of why do hackers hack. The hacking itself can cause serious damage to a business not only in terms of its revenue but also its reputation by stealing valuable financial information or installing and spreading malware. Most of the time, the reasons are stealing resources or sensitive information to sell, using servers to distribute attacks, hijacking websites in order to spam, or the most classic reason of all: for the fun of it.
How do websites get hacked?
We will proceed with the HOW. Hackers take advantage of different types of WordPress vulnerabilities in security.
One of those vulnerabilities cause more than 70% of the infected WP websites and act as the hidden passage known a Backdoor. It provides the attackers with an actual backdoor that avoids security encryption and give them access to the admin, FTP, and etc. Their encryption makes them look like regular system files.
The most classic method is the brute force login that uses auto scripts to “hack” the website’s password. This is strongly related to something we will discuss in the ways to improve your security, as most vulnerable are websites with weak passwords and lack of limited login attempts.
Other methods include the Pharma Hacks, that cause the search engine to return pharmaceutical ads instead of the website that’s been compromised. Most vulnerable are outdated WordPress websites.
Lastly, we will mention the most malicious of all, Denial of Service. This vulnerability targets errors in the code in such a way, it overwhelms the memory of the operating system of the WordPress website. Outdated websites remain the most vulnerable.
When do websites get hacked?
And last, we have the WHEN. We know a website has been hacked when some of the following factors or a combination of them is present.
- Google can no longer access your website.
- There is a Google Alert that informs you that someone has hacked your website.
- The browser alerts that your website is compromised.
- Your original URL redirects you to another URL that usually leads to the bad neighborhood of the web.
- Your website is infested with spam ads and popups.
- The website has new admins and FTP users
How to prevent it?
Although all of these statistics and hacking methods sound concerning, it’s actually really easy to prevent cyber attacks against your WordPress website. There are a few things you could do to improve WordPress security, starting with the basics and essentials. And if you feel you want to DIY further, there are also some advanced settings you could take advantage of and make your WordPress website impenetrable.
1. Let’s start with the basics
In this section, we will discuss the basic actions you could take in order to prevent cyber-attacks.
1.1. Keep Everything Updated
One of the most important things to keep in mind is always to make sure you use the latest version of everything: WordPress, plugins, themes, PHP. Most of the time, the new versions include bug fixes and security enhancements that could be the difference between a secure website and a vulnerable one.
In the case of PHP, make sure you run on a version above 7.1 or else you will no longer have security support.
Pay special attention to plugins single the outdated ones can often become a huge vulnerability. You should also make proper research before you download a plugin since they are open-source an and some malicious might slip through the cracks.
1.2. Use Strong Passwords
Although WordPress gives you strong default passwords, it’s important to change both default usernames and passwords. You could do that easily by choosing a strong combination of upper and lower case letters, numbers and symbols. With the newer versions of WordPress, you could also choose a new secured username and the platform will automatically generate a strong password.
Keep in mind never to tie your password to personal information and to keep it longer. And last, don’t reuse passwords.
1.3. Change Permissions
Always check your server and file permissions and make sure you specify the correct permissions for each user. Permissions for both server and files directory are “read”, “write” and “execute”. The first permission allows users to only read the files while the others, respectively, give them the right to modify and execute them as scripts. Needless to say, the latter two could cause some real damage in the wrong hands.
When it comes to this, there are three rules in terms of the permission modes.
- There are no directories that should have 777 permission mode.
- All directories should be 755 or 750, while files should be 644 or 640.
- The wp-config.php file should be 440 or 400.
1.5. Use Trusted Sources for Download
Stick to WordPress.org directories and always research outside sources by reading reviews and checking out the reputation of the sellers. In case you already have plugins that have been compromised, make sure to delete them.
1.6. Local Antivirus
Handling your personal machine matters as well. Make sure your OS regularly gets the newest updates. The same goes for your local antivirus software. In addition, always be cautious when you use public WiFi.
2. WordPress security essentials
After we finished with the basic security improvements, we will continue with the next 3 essential steps that could save a lot of trouble.
2.1. Schedule Backups
Always have a backup plan. Imagine the worst scenario where your website simply disappears. You will definitely wish to have a backup of your data and business in general. Scheduling backup, for example, once a day, will do the trick. There are many plugins that could help you automate the process and do it for you.
2.2. Add WordPress Security Plugin
You can count on some WordPress security plugins to automate the hard work and take care of essential such as scanning your website, monitoring your files, securing your login information and blocking hack attempts.
Below are some of the most preferable tools for this type of work.
Sucuri – A free WordPress plugin suite that packs a whole set of features designed to increase your website security. The features include blacklist monitoring, security notifications, file integrity monitoring, remote malware scanning, security activity auditing and post-hack actions. On premium, it adds a website firewall.
Wordfence – Specially built for WordPress, this is an advanced firewall and a malware scanner with the newest firewall rules, malware signatures and malicious IP addresses.
Bulletproof Security– Another AIO security tool that acts as a malware scanner, firewall, backup tool, anti-spam, and login security.
iThemes Security Pro – It features limiting login attempts, detection for file changes, strong password enforcement, lockout bad users, hides login and admin and BD backups.
2.3. Move to SSL/HTTPS
What makes HTTPS different from HTTP is the essential TLS/SSL certificate encryption. The abbreviation stands for Hyper Text Protocol Secure, so that “s” changes everything. It prevents from being intercepted and keeps your data secure. Another advantage of the HTTPS websites is that it could power up your SEO and help you climb the ranking as Google favors these websites.
3. Advanced settings
And last, these are the more advanced steps that will help create a powerful fence around any WordPress website and significantly protect it.
3.1. Lockdown WordPress Admin
This is another backdoor for hackers that you could take care of in order to improve your WordPress security. One way to do so is by limiting the login attempts, which we will discuss in the next step. The other is to change the default wp-admin login URL by using WPS Hide Login. It’s a free plugin that helps you change the URL of your admin login page easily. It also disables the wp-login.php so it’s advisable to bookmark the new URL.
3.2. Disable File Editing
The file editor allows you to modify the themes and plugin way easier, however, it could compromise your website should it fall into the wrong hands. You can easily disable the editor by adding this line to wp-config.php
It’s important to give the correct permissions to the other users and if possible to keep the number of admins at a minimum.
3.3. Disable PHP File Execution
Hackers often create backdoors by sliding PHP files that one could later easily mistake for the core ones. In order to prevent this, you could disable the PHP execution and directory browsing manually, however, this could appear to be very risky as the smallest misstep could seriously damage your website. Instead, you could do this by using a plugin. We recommend MalCare Security that arrives with Block PHP Execution as well.
3.4. Limit Login Attempts
This is especially good against brute force attacks that use bots to guess your password through an unlimited amount of attempts until they got it right. Plugins like Login LockDown records the IP address of every failed login attempt whenever it detects a certain number of such attempts in a short period of time, and it disables the login function.
3.5. Disable Directory Indexing
The absence of index.php returns a listing of all your files and directories which is basically a goldmine for hackers. In order to prevent your files fall into the wrong hands, you could disable the directory indexing and browsing by adding a single line of code in your .htaccess file. You can edit it by downloading it to your desktop and open it with Notepad. Add Options-Indexes to the bottom of the code and upload it back to your server.
3.6. Disable XML-RPC
XML-RPC is a protocol that custom websites use for app integration. If you aren’t using it, we recommend you to disable it because hackers can use it to enforce multiple password guesses in a single login attempt.
3.7. Add Two-step Authentication
This is one of the best ways to fight brutal force attacks as it makes it very difficult for hackers to brute force their way through the WordPress login. It requires to enter both a password and a secondary code. The latter will appear on your mobile device as a message.
We recommend Google Authenticator– it’s free and has a pretty simple interface that makes it easy to use.
3.8. Scan WP for Vulnerabilities
Frequently scanning your website for malware is essential. This is easy with well trusted and reliable WordPress security plugins.
WordPress security is a serious matter that any website owner should take care of. Despite the reality of the statistics, most cyber-attacks come from weaknesses in the security that otherwise would be really easy to prevent. With the help of a few options and installing the right plugins, you could increase your website security like a pro.
Was this tutorial helpful to you? Did we miss anything essential? Please, let us know in the comments.