Of the 24,466 infected websites examined in a recent security analysis, 90% were running WordPress. That’s huge, right?
Another security report found that 41% of infected WordPress sites were hacked through a vulnerability on their host, 51% through a vulnerability in the WordPress themes and plugins they were using, and 8% because of a weak admin password.
There is no doubt that the WordPress core is quite secure, but the more you add on top of it, such as themes and plugins, the more likely it is to be hacked.
I’m not sure how else to say this: Not all third party developers live up to the same code review standards as the WordPress core team.
The bottom line is that your WordPress site could get hacked at any moment. But there are several things you can do to toughen up your site’s security and make it a little harder for attackers to mess things up.
Let’s spend some time today exploring a bunch of actionable WordPress security techniques you can use right now to enhance your site and ensure it remains safe.
01. Keep the Core, Themes and Plugins Updated
The WordPress core system, themes and plugins occasionally have security vulnerabilities, which in most cases are patched by the developer soon after they’re reported. The window between a fix being released and your site installing it is exactly what attackers exploit.
I can’t say enough about the importance of updating your WordPress installation and everything on top of it whenever a new version is released. By not doing so, you leave the door open for hackers and malicious bots to exploit the now-public vulnerabilities on your site and access your data.
Since WordPress 3.7, minor and security releases are applied automatically in the background. Major releases still need your manual approval.
To enable automatic updates for major releases, you can add the following line to your wp-config.php file:
# Automatic core updates
define( 'WP_AUTO_UPDATE_CORE', true );
This removes the need to approve major core releases by hand. Plugins and themes are different: they are controlled by the auto_update_plugin and auto_update_theme filters, and add_filter() does not exist yet when wp-config.php is parsed, so putting the lines below in wp-config.php causes a fatal error. Place them in a small must-use plugin (a PHP file in wp-content/mu-plugins/) or in your theme’s functions.php instead:
# Automatic updates for all plugins
add_filter( 'auto_update_plugin', '__return_true' );
# Automatic updates for all themes (for themes that provide update information)
add_filter( 'auto_update_theme', '__return_true' );
Since WordPress 5.5 you can also switch automatic updates on per plugin or theme from the Plugins and Themes screens, without any code.
Info tip: When you edit the wp-config.php file, make sure to add the define above the “stop editing” line, otherwise it won’t take effect.
Friendly warning: Be careful enabling automatic updates, as they could break your website and cause front-end errors when there are incompatibility issues between core, theme and plugins. Good, recent backups (tip 11) are what make this risk acceptable.
We also recommend using WPSec.com to keep all your plugins updated and get notifications about new vulnerabilities.
02. Protect the Login Screen
The time between a brand new WordPress site going live and the first malicious login attempt is ridiculously short, a few weeks at most. If your site has a login form, login attempts are unavoidable; it’s only a matter of time before yours sees them too.
Most of these login attempts come from bots and scripts that crawl the web looking for WordPress-powered sites. Once they find one, they append /wp-admin or /wp-login.php to the domain to reach the login screen and start guessing credentials, a brute force attack. The same credentials can also be tested against /xmlrpc.php, which accepts a username and password with every call and is often overlooked.
To protect your login screen you can use a plugin that allows you to limit the number of times a person from a specific IP can attempt to login within an allotted period of time.
Many plugins are available to setup this option with no hassles. The most interesting ones are Login Lockdown and WP Limit Login Attempts.
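If you would rather see what such a plugin does under the hood, here is an added example (not code from Login Lockdown, WP Limit Login Attempts or any other plugin named above) of a minimal must-use plugin that locks out a client IP after repeated failures. It uses only WordPress core hooks and the transients API; the limits, prefix and file name are assumptions. Save it as wp-content/mu-plugins/example-login-throttle.php:

```php
<?php
/**
 * Plugin Name: Example Login Throttle
 * Description: Locks out a client IP after repeated failed logins.
 *
 * Added example for this article; not a WordPress.org plugin. Lives in
 * wp-content/mu-plugins/ so it is always loaded. Limits below are assumptions.
 */

const ELT_MAX_FAILURES = 5;                      // failures allowed per window
const ELT_WINDOW       = 15 * MINUTE_IN_SECONDS; // counting window and lockout length

/**
 * Client address as PHP sees it. REMOTE_ADDR cannot be forged by the client.
 * Only trust X-Forwarded-For if a proxy you control sets it; otherwise an
 * attacker picks which address gets locked out.
 */
function elt_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function elt_key( $ip ) {
    return 'elt_fail_' . md5( $ip );
}

/**
 * Refuse to authenticate while the IP is locked out. Priority 40 runs after
 * WordPress's own username/password check (priority 20): that check overwrites
 * an early WP_Error with a WP_User when the password is right, so hooking too
 * early would not block anything. Returning the same error for right and
 * wrong passwords gives the attacker no oracle during the lockout.
 */
function elt_enforce_lockout( $user, $username, $password ) {
    if ( (int) get_transient( elt_key( elt_client_ip() ) ) >= ELT_MAX_FAILURES ) {
        return new WP_Error( 'elt_locked_out', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'elt_enforce_lockout', 40, 3 );

/**
 * Count one failure per IP. The transient's expiry ends both the window and
 * the lockout. Attempts made while already locked out are not counted, so a
 * persistent bot cannot extend its own lockout forever.
 */
function elt_record_failure( $username, $error = null ) {
    if ( is_wp_error( $error ) && 'elt_locked_out' === $error->get_error_code() ) {
        return;
    }
    $key      = elt_key( elt_client_ip() );
    $failures = (int) get_transient( $key ) + 1;
    set_transient( $key, $failures, ELT_WINDOW );
    if ( $failures >= ELT_MAX_FAILURES ) {
        error_log( sprintf( 'login lockout: ip=%s failures=%d last_user=%s',
            elt_client_ip(), $failures, $username ) );
    }
}
add_action( 'wp_login_failed', 'elt_record_failure', 10, 2 );

/** A successful login from the IP resets its counter. */
function elt_reset_on_success( $user_login, $user ) {
    delete_transient( elt_key( elt_client_ip() ) );
}
add_action( 'wp_login', 'elt_reset_on_success', 10, 2 );
```

Because the check sits on the authenticate filter, it also covers logins made through /xmlrpc.php, which call the same code path. Two operational caveats: behind a reverse proxy or CDN every visitor shares the proxy’s REMOTE_ADDR, so you would lock out the whole world after five bad attempts unless you derive the address from a header that proxy sets; and with a persistent object cache the transients live in that cache rather than the database, which is fine as long as all web nodes share it.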
03. Relocate the WordPress Login Page
To cut down on the number of malicious login attempts, we can also move the login page from the well-known default address to a custom URL. That makes the login page harder to find in the first place; a script that can’t find your login page can’t try to log in through it. Keep in mind this is obscurity, not a substitute for rate limiting and strong passwords, and on its own it does nothing about other authentication paths such as XML-RPC.
In order to change the location of your login page without getting too techy, you can simply install a plugin that does the task for you. There are multiple hide login plugins in the WordPress plugin directory, the one I find most interesting is WPS Hide Login. It just gets the job done with no frills.
Info tip: I don’t recommend using this on a membership site, however, as you want your login page to be easy for your users to find.
04. Avoid Obvious Usernames
When you install WordPress, the installer suggests admin as the username of the first administrator account, and a great many sites keep it. It is therefore one of the first usernames any attacker or bot will try, combined with a dictionary of common passwords.
All they have left to do is guess the right password and your entire site is in the wrong hands. You don’t want that to happen, do you?
Unfortunately, WordPress doesn’t let you change a username from the profile screen. But there is a simple workaround.
Create a new user with the Administrator role, log in as that new user, then delete the old admin account from the Users screen. When WordPress asks what to do with the deleted user’s content, attribute all of it to the new account so nothing is lost.
Alternatively, if you know your way around phpMyAdmin or another database client, you can run the following SQL query to rename the account directly (replace the wp_ prefix if your installation uses a different one):
UPDATE wp_users SET user_login = 'newusername' WHERE user_login = 'admin';
Caveat: this changes only the login name. The user_nicename slug and the display name stay as they were, and either can leak through author archive URLs (yourdomain.com/author/admin/) or the REST API’s users endpoint, so a bot can often still discover valid usernames. Treat the rename as noise reduction; a strong password and two-factor authentication (tips 05 and 06) are what actually stop the guessing.
05. Always use Strong Passwords
Using a strong, unique password is one of the most important things a WordPress user can do to keep their site secure, yet many of us still pay no attention to this critical measure.
Use a long password (15 characters or more); length matters more than clever substitutions, and a random one generated by a password manager is best. It should be too long to memorize, which is fine, because you won’t be typing it. Never reuse a password across sites or services: a breach elsewhere otherwise becomes a valid login here.
Don’t ever write down your password on a piece of paper or store it in plain text on your machine. Grab a password wallet like 1Password or Dashlane which can help you manage and create random passwords.
These password managers encrypt and store all your accounts credentials with one master password. All you have to remember is one password to access them all.
You can even require all your users to set a strong password on their profile page with a plugin like Force Strong Passwords, which is useful for a membership site or multi-author blog.
06. Add Two-Step Authentication
Another effective way to defeat brute force and credential-stuffing attacks is to add two-factor authentication to the login page. Besides your WordPress password, you then need a time-based one-time code generated by an authenticator app on your phone (or, less securely, sent by SMS) in order to log in.
The benefit is that even if someone guesses or steals your password, they also need your second factor, which means getting hold of your phone or its secret, to break into the account. Prefer app-generated or hardware-backed codes over SMS, which can be intercepted or redirected through SIM swapping. It is one of the most effective single controls you can add to a login form.
There are several plugins that let you deploy two-step authentication on your site in no time, including Authy, Duo Two-Factor Authentication, and Google Authenticator.
07. Wisely Assign User Roles and Capabilities
WordPress has a built-in user roles and capabilities system. The roles can be broken down as follows:
- Super Admin – exists only on multisite networks; has access to the network administration options and all other features.
- Administrator – has access to all the administration options.
- Editor – can publish and manage posts including the posts of other users.
- Author – can publish and manage their own posts
- Contributor – can write and manage their own posts but cannot publish them.
- Subscriber – can only manage their profile and leave comments.
When you have to assign roles and capabilities to users, you should use the principle of least privilege. Basically, give appropriate access and permissions to those that need it, when they need it, and only for the time they need it. No more and no less.
You can extend the built-in roles and capabilities with a plugin like User Role Editor to suit your needs.
08. Transfer your Files via a Secure Connection
When you transfer files from your machine to your site’s server, always make sure the connection you are using is encrypted. Plain FTP sends your credentials and files in clear text, where anyone on the network path can read them.
Protocols like SFTP and SSH encrypt the communication between your machine and your site’s server. Most decent hosting providers offer SFTP for free. If you’re not sure, ask your host.
If you work on your site’s files day to day, avoid keeping a copy of wp-config.php on your machine: it contains the username, password and hostname of your database server as well as the authentication keys and salts, and a stolen laptop or a careless backup exposes them all.
09. Prevent Directory and File Browsing
When your web server doesn’t find an index file in a directory, it may display a listing of everything in that directory, handing anyone a map of your plugins, themes, backups and uploads.
To check whether directory listing is enabled on your site, create a new folder in the root of your WordPress directory containing a simple text file.
Now request your site’s URL followed by the name of the new folder (for example yourdomain.com/newfolder/). If you get a 403 error or a blank page, directory listing is disabled.
If, however, it shows a link to the text file, directory listing is enabled. To turn it off on Apache, add the following line to your .htaccess file (avoid the often-quoted Options All -Indexes, which also switches on every other option such as ExecCGI and Includes):
Options -Indexes
You can go further with .htaccess to protect important files such as wp-config.php. Apache 2.4 replaced the old Order/Allow/Deny directives with Require; the old syntax only works on 2.4 when mod_access_compat is loaded and otherwise produces a 500 error, so cover both:
# Block access to wp-config.php
<Files wp-config.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</Files>
Adding the above code stops the web server from ever serving the file as-is, which protects you if PHP handling is misconfigured and the raw file would otherwise be returned. PHP still reads it from disk, so the site keeps working.
To limit access by IP address, say to protect the WordPress admin area, create a new .htaccess file in the /wp-admin/ directory with the code below (replace x.x.x.x with your own IP address; this only makes sense if that address is static):
<IfModule mod_authz_core.c>
Require ip x.x.x.x
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
Allow from x.x.x.x
</IfModule>
Caveat: /wp-admin/admin-ajax.php is called by the front end of many themes and plugins, and the rule above would block those requests for every visitor. If something breaks, add an exception inside the same file with <Files admin-ajax.php>Require all granted</Files> (Apache 2.4).
Info tip: The .htaccess file lives in the root of your WordPress directory. If you don’t see it, enable hidden files in your FTP/SFTP client. It is only honoured by Apache (and servers that emulate it) when AllowOverride permits; on nginx the equivalent rules go in the server configuration. Used carefully, it is a powerful tool for hardening your site.
10. Add an SSL Certificate
SSL, or Secure Sockets Layer (today its successor TLS, though the old name stuck), is the protocol used to establish an encrypted connection between a web server and a browser, so that logins, cookies and form data can’t be read or tampered with in transit.
It’s essential for any serious site owner collecting user information on their website, and Google treats HTTPS as a ranking signal in its search results.
Any good hosting company now offers a free certificate provided by Let’s Encrypt with their hosting packages. You can also buy a commercial SSL certificate from issuing providers like Comodo and ask your host to install it for you.
Once your server is SSL ready (make sure you test that HTTPS is working properly first!), you can force your WordPress admin area to work with SSL by adding the following line of code to your wp-config.php :
# Force HTTPS in admin area
define('FORCE_SSL_ADMIN', true);
If everything is working smoothly, you can start forcing HTTPS everywhere by adding the following code to the .htaccess file at the root directory:
# Force HTTPS everywhere
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
You’ll also want to update the WordPress Address and Site Address fields under Settings > General on the dashboard so that both start with https://, otherwise WordPress keeps generating http:// links and you get mixed-content warnings.
By enabling HTTPS on your site, you get a secure, trustworthy site and a small SEO boost as well. Now who doesn’t want that?
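One failure mode worth knowing before you flip FORCE_SSL_ADMIN on: if TLS is terminated in front of your server by a reverse proxy, load balancer or CDN, PHP sees plain HTTP on the backend, is_ssl() returns false, WordPress redirects to https://, the proxy forwards that as http:// again, and the browser ends up in a redirect loop. The added wp-config.php excerpt below (example code, not from the original post) handles that. It assumes the proxy sets X-Forwarded-Proto and strips any copy of the header a client might send; if yours doesn’t, a client could mark its own request as HTTPS, which is harmless for the redirect but means you shouldn’t rely on $_SERVER['HTTPS'] for anything else.

```php
<?php
// wp-config.php excerpt (added example). Place it above the "stop editing" line.
define( 'FORCE_SSL_ADMIN', true );

// Assumption: a trusted proxy terminates TLS and sets X-Forwarded-Proto.
// Some proxies send a comma-separated chain such as "http,https", so look
// for "https" anywhere in the value rather than comparing the whole string.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && false !== strpos( $_SERVER['HTTP_X_FORWARDED_PROTO'], 'https' ) ) {
    // Tell WordPress (and is_ssl()) that the original request was encrypted.
    $_SERVER['HTTPS'] = 'on';
}
```

The same issue bites the .htaccess redirect above: behind such a proxy %{HTTPS} is always off, so the rule would loop as well. In that setup test the forwarded protocol instead, with RewriteCond %{HTTP:X-Forwarded-Proto} !https in place of RewriteCond %{HTTPS} off.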
11. Backup your Site Frequently
There’s no bulletproof way to make a website completely secure. Even with the most careful hardening, data can still be compromised or lost for good. Long story short, you need to back up your site, on a schedule, and keep the copies somewhere the web server cannot write to.
Scheduled backups ensure that if your site is compromised, you can restore it to a known-good state. Check the date of the backup against when the compromise started, though: a backup taken after the intrusion restores the backdoor along with everything else.
Making backups should be a painless process. If your host doesn’t already provide daily backups out of the box, you can use an external backup service like VaultPress or BlogVault. These providers have a built-in restore option, which is a pretty nice feature.
If you are looking for a free solution, there are plenty of good WordPress backup plugins out there; here are a few:
- UpdraftPlus ~1+ million active installs
- BackWPup ~ 500k+ active installs
- BackUpWordPress ~200k+ active installs
All of the above plugins handle backup scheduling, automation, database and file exports, and uploads to storage services like Dropbox, Google Drive and Amazon S3.
Good practice: For additional security, separate the database export file from your site’s files. For example, you can schedule a daily database backup upload to Amazon S3 and weekly files backup upload to Dropbox.
12. Pick the Right Plugins
The official WordPress plugin directory is a good start to look for a plugin. It contains an extensive list of free plugins and the directory is maintained by a great team of contributors.
When it comes to plugin selection, I have developed over time a checklist that helps me decide whether or not I should trust and install a plugin:
- I check the compatibility with my current WordPress version
- I check the rating, the reviews, and the last update date
- I browse the support forum to see if there are some issues
- I look for the Github repository of the plugin (if there is one)
- I check the author’s background
- I test it out locally to see how it performs
Yes, I’m ruthless when it comes to plugins and you should be, too. Plugins are the #1 attack vector that gets exploited. You, therefore, need to pay attention to what gets installed on your website.
Pick your plugins wisely and always remember that it’s not the quantity of the plugins that matters, it’s the quality.
13. Be Selective with Themes
There are roughly 3,000 free themes in the official WordPress theme repository. But let’s face it: many of them are poorly coded. So the selection criteria for plugins should apply to themes too.
Avoid downloading free themes from untrusted sources and random shops you’ve never heard of, and don’t waste your time looking for a free (“nulled”) copy of a premium theme on Google; you’ll most probably end up with a zip file that contains malware or a hidden backdoor.
If you like a premium theme, get it directly from the original author. Not only will you support the developer, you’ll also get clean files, updates, and help installing and setting up the theme.
Tip: I highly recommend getting a theme from reputable sources like Elegant Themes and ThemeForest.
14. Disable File Editing From the Dashboard
There is a built-in file editor in the WordPress admin area (under Appearance and Plugins) that lets administrators modify theme and plugin files from the browser. In practice it means anyone who gets hold of an administrator session, through a stolen cookie, a phished password or a plugin flaw, can write arbitrary PHP to your server and run it. That is a backdoor waiting to happen.
If you really need to change those files, do it over SFTP. To remove the editor, add the following line to your wp-config.php file:
# Disable admin area file editor
define( 'DISALLOW_FILE_EDIT', true );
For extra protection, you can also remove the ability to install, update or delete themes and plugins from the dashboard by adding the next line instead:
# Disable theme and plugin install/update + file editor
define( 'DISALLOW_FILE_MODS', true );
This also disables the file editor, so you don’t need DISALLOW_FILE_EDIT alongside it. Caveat: it disables every file change WordPress itself would make, including the automatic core, plugin and theme updates from tip 01, so only use it where updates are deployed some other way, for example from version control or by your host.
15. Install a WordPress Security Plugin
A security plugin can complement your existing WordPress security strategy or act as an all-in-one security solution for the non-techie.
Let’s take a look at the most popular all-in-one security plugins out there. Remember, each plugin is designed to solve different problems.
- iThemes Security – Formerly Better WP Security, this plugin is maintained by iThemes, the company behind BackupBuddy and other products. It’s the Swiss Army knife of security plugins, with features like brute force protection, hardening, file scanning, obscurity options, backups and much more.
- Sucuri Security – Sucuri Security is run by a well-known and trusted company that specializes in WordPress security. It acts as an auditing plugin, featuring activity logging, file integrity monitoring, malware scanning, hardening options, a firewall and post-hack recovery actions.
- BulletProof Security – BulletProof Security is one of the most downloaded security plugins on the WP.org directory. Although it has had its ups and downs, it’s still considered a major player in its field. The plugin features a firewall, blocking options, login security, scanning, monitoring and multisite support.
- Wordfence Security – Wordfence Security is an option-packed plugin that focuses on protection with .htaccess rules, login security, monitoring and activity logging, and a couple of other hardening features. It also includes a front-end/back-end maintenance mode and an automated database backup wizard.
- WP Security Audit Log – Keeps a detailed log of the events on your websites. If something bad happens, such as a successful password spraying attack, you can trace which account the attackers used and what they did with it.
Tip: Several of the above plugins aren’t designed to work together, and you don’t want to load your site up with too many plugins anyway. The key is to pick the one that works best for you and your situation.
16. Monitor your Site’s Files
If someone gets into your WordPress site’s back end, they’ll almost certainly add, remove or change files and inject malicious scripts. You can’t catch that by inspecting files manually every day; what you need is a record of what the files looked like when they were known good, and a regular comparison against it.
File integrity monitoring tools do exactly that: they watch the current state of your files and alert you when something is added, removed or modified. Remember that a check running on the compromised server, with its baseline stored there, can itself be tampered with, so keep the baseline and the alerts somewhere the web server cannot write.
Here is a handy list of plugins and services to help you implement an early-warning system on your site:
- CodeGuard – CodeGuard monitors your site’s files along with your database for daily changes and sends you an alert if something goes wrong. It also takes backups and lets you restore your website to a given point. It’s a time machine-like tool.
- WP Security Audit Log – This plugin keeps a log of everything happening on your WordPress website in real time. From user activity to PHP errors and failed login attempts. It has a dashboard widget that highlights the most recent activity and supports multisite installations.
- WordPress File Monitor – WordPress File Monitor tracks changes on file size, modification date, permissions, and file content. The plugin displays alerts in the admin area and it is multisite compatible.
- WPSec – Our free automated WordPress Security scanner. Can monitor your WordPress installation and send notifications. Scan daily, weekly or monthly.
- Sucuri Scanner – This is a free scanner provided by Sucuri that allows you to run a check for any website for known malware, blacklisting status, website errors, and out-of-date software.
Tip: When turning on notifications in monitoring plugins, make sure you enable them only for important events, otherwise your inbox will be flooded very quickly.
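To make the baseline-and-compare idea from the start of this section concrete, here is an added example (not code from CodeGuard, WordPress File Monitor or any other tool listed above): a stand-alone PHP command-line script that hashes every file in a WordPress tree with SHA-256, writes the result as JSON, and later reports which files were added, removed or modified. The paths, the skipped directories and the uploads rule are assumptions you should adjust for your install.

```php
<?php
/**
 * fim.php: file integrity baseline and check for a WordPress tree.
 *
 * Added example for this article; not part of any plugin named above.
 * Usage (paths are assumptions):
 *   php fim.php baseline /var/www/html > /offsite/baseline.json
 *   php fim.php check    /var/www/html < /offsite/baseline.json
 * Exit status is 1 when anything changed, so cron or a monitor can alert.
 */

// Directories that churn during normal operation and are not worth hashing.
const FIM_SKIP_DIRS = array( 'wp-content/cache', 'wp-content/upgrade' );
// Media uploads change constantly, but a .php file under uploads is a classic
// webshell location, so only PHP files below this directory are tracked.
const FIM_UPLOADS = 'wp-content/uploads';

/** Whether a path relative to the WordPress root should be hashed. */
function fim_tracked( $rel ) {
    foreach ( FIM_SKIP_DIRS as $skip ) {
        if ( $rel === $skip || 0 === strpos( $rel, $skip . '/' ) ) {
            return false;
        }
    }
    if ( 0 === strpos( $rel, FIM_UPLOADS . '/' ) ) {
        return 'php' === strtolower( pathinfo( $rel, PATHINFO_EXTENSION ) );
    }
    return true;
}

/** Map of relative path => SHA-256 for every tracked regular file under $root. */
function fim_snapshot( $root ) {
    $root   = rtrim( realpath( $root ), '/' );
    $hashes = array();
    $files  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $files as $path => $info ) {
        $rel = substr( $path, strlen( $root ) + 1 );
        if ( $info->isFile() && fim_tracked( $rel ) ) {
            $hashes[ $rel ] = hash_file( 'sha256', $path );
        }
    }
    ksort( $hashes );
    return $hashes;
}

/** Added, removed and modified paths between a stored baseline and a fresh snapshot. */
function fim_diff( array $baseline, array $current ) {
    $modified = array();
    foreach ( array_intersect_key( $current, $baseline ) as $rel => $hash ) {
        if ( ! hash_equals( $baseline[ $rel ], $hash ) ) {
            $modified[] = $rel;
        }
    }
    return array(
        'added'    => array_keys( array_diff_key( $current, $baseline ) ),
        'removed'  => array_keys( array_diff_key( $baseline, $current ) ),
        'modified' => $modified,
    );
}

function fim_main( array $argv ) {
    if ( count( $argv ) < 3 || ! in_array( $argv[1], array( 'baseline', 'check' ), true ) ) {
        fwrite( STDERR, "usage: php fim.php baseline|check <wordpress-root>\n" );
        return 2;
    }
    $snapshot = fim_snapshot( $argv[2] );
    if ( 'baseline' === $argv[1] ) {
        echo json_encode( $snapshot, JSON_PRETTY_PRINT ), "\n";
        return 0;
    }
    $baseline = json_decode( stream_get_contents( STDIN ), true );
    if ( ! is_array( $baseline ) ) {
        fwrite( STDERR, "expected baseline JSON on stdin\n" );
        return 2;
    }
    $changes = 0;
    foreach ( fim_diff( $baseline, $snapshot ) as $kind => $paths ) {
        foreach ( $paths as $rel ) {
            echo strtoupper( $kind ), "\t", $rel, "\n";
            $changes++;
        }
    }
    return $changes > 0 ? 1 : 0;
}

if ( PHP_SAPI === 'cli' && isset( $argv ) && realpath( $argv[0] ) === __FILE__ ) {
    exit( fim_main( $argv ) );
}
```

Two design points matter more than the hashing itself. First, the baseline must live off the web server (and be regenerated only after a deliberate update), because an attacker with write access to the site can otherwise rewrite it to match the backdoor. Second, this catches changes relative to your own snapshot; to check that the core files match what WordPress.org actually shipped, complement it with WP-CLI’s wp core verify-checksums, which compares against the published hashes for your exact version.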
17. Choose a Good Managed WordPress Host
You can be smart and harden your site with all the latest security techniques. But at the end of the day, if you don’t have a reliable hosting provider, all your efforts won’t matter that much: recall that 41% of the hacked sites in the report quoted at the top were compromised through the host.
If you don’t already have a good host, seriously consider moving your site to a provider that specializes in WordPress. A managed WordPress hosting provider takes care of the technical aspects, including:
- Automatic WordPress core updates and daily backups
- Security with firewall and malware scanning
- Built-in caching and speed optimization
- Expert support and scalability
Take a look at providers like Seravo, Flywheel, and WP Engine. They have a rock-solid background in managing WordPress sites.
Wrapping up
The security of your WordPress site is a serious thing and an ongoing process that you should always keep under your radar. Having your site hacked absolutely sucks, so better be safe than sorry.
Your turn now! What actions did you take to secure your WordPress site? Did I miss something here that you think is important? Feel free to comment below.