Simple Ways to Implement All-around WordPress Security

WordPress security is a hot buzz in the industry these days, as the CMS is quite popular among the small businesses as well as enterprises. Hence, it is the most relevant thing to discuss about at present, without any shadow of doubt. Securing a WordPress site is called ‘hardening’ of WordPress. It is like building a wall around your house and making sure all the windows and doors are closed.

WordPress is used by more than 70% of the site owners today according to a research and hence it is vulnerable to the security breaches all the time. The most popular content management system is attacked by more than 20,000 spammers and 50,000 and above malware, as per Google SE reports.

Securing WordPress is not a fixed target to achieve. It is a continuous process which may need upgradation and amendment every day. There might be several causes of a WordPress site to be hacked, like –

  • There might be security issues in a hosting program where the WordPress site is being hosted.
  • WordPress theme code is having security issues
  • Plugin that being used is not secure enough
  • Username or password is weak etc.

Therefore, following some simple tricks to secure your WordPress along with taking professional security help of WordPress security plugins is a must.

Securing WordPress Host

  1. Check WordPress hosting options – Hosting platform is the most important part of owning a WordPress site. There are options available for hosting WordPress such as shared hosting, managed hosting and dedicated hosting. Each type of hosting way has its own security algorithms. But when you use shared hosting, your WordPress can be accessible by the cross-site attack. Managed and dedicated hosts are considered to be more secure in this context. Also, each hosting site has its own security filters and it is good to use them.
  2. A good and secure host ensures of having some features to enforce security. These include –
  • Inbuilt web application firewall
  • Inbuilt and fast updates
  • Good server monitoring that is inbuilt
  • Flexible to updates and changes in PHP and MySQL
  • Backups and server monitoring

Securing WordPress Login Options

Login is hackers’ favorite area to try their hands on. Therefore, securing login is one of the primary tasks while you are making your WordPress secure.

      1. The WP admin login is the bird’s eye of an attacker and he always starts with the name ‘admin’ for obvious reasons. Admin username should not be kept as ‘admin’ as it is an easy guess. If an old WP site has already having username ‘admin’, the owner should delete the admin user and must create a new one with some complexity.
      2. Using a secure password which is long more than 8 characters at least and complex enough to include special characters, numeric, alphabets both small and capital letter etc. There are some tips to choose a password for your WordPress site, like
        • The password should not have similar alphabets and patterns of arranging alphabets like the username.
        • The password should not contain website’s name anyhow in it.
        • Latest buzzwords should not be there in the password, like “Selfie” etc.
        • The password can be generated through password generation tools.
      3. User enforcement is needed to enter only and only strong password. All of the team members and admin users should be creating a mandatorily strong password with all the rules duly followed. There are some plugins to implement this on the WordPress site.
      4. Password changing rules should be implied for the WP site. It can be once in a month or once in a quarter etc. Once the duration is completed for one password, a notification should be shooting to all the users to change the password.
      5. Predictable passwords that include a common sequence of numbers, alphabets, username should be highly prohibited.
      6. Using two-step authentication is recommended for WordPress sites. Even if the attacker is successful to guess your password, he can’t guess the one time code generated by the system and sent to the authorized email or phone of the admin user.
      7. User access rules need to be implemented in order to prevent every user to crawl and access all of the administration features. The user should be given access to the features they only need to have and access to other features should be prohibited.
      8. Attackers use bots or scripts to attempt to login in any WordPress website. The number of attempts to login into the system from any particular user is counted. If the threshold of the login attempt set has been exceeded, the user should be blocked then and there.
      9. Session timeout option should be there for idle users. The user can leave the session while logged in and it can impose a great security risk to the website. The session should be timed out and automatically logged out after a defined period of time. The help of plugins can be taken to implement this functionality.
      10. Implementing SSL certificates to the user login page can help to secure the WordPress site to a greater extent.
      11. Once a failed attempt is made to log in, PHP code from WordPress generates error messages which include the filename, class name, code snippets etc. to notify where exactly the error has been generated. These error messages have to be removed from the logout page as the attackers can get information and clues to find ways to break the code. This can be achieved by doing a simple change in the functions.php file.
        add_filter(‘login errors’, create function(‘&a’, “return null”));
      12. WordPress admin page URL is a good source of a clue to the attackers. It lets them know that it is an admin user. The URL should be changed from wp-admin to anything that is not regular, will prevent common brute force attacks.
      13. When an admin user logs in to the WordPress, it shows the author name by default. It can be the security vulnerability, as the attackers get information about the author name. To hide the author name, some changes can be done in the wp-admin.php file.
        Create a function and add a condition inside it like –

        {
        if (is_author())
        {
        wp-redirect(home_url());
        exit;
        }
        }
      14. A server-side login can be layered over the WordPress login to protect the WP password from brute force attack.
      15. .htaccess file in the WordPress admin folder should be used to protect the /wp-admin/ and wp-login.php file from being accessed other than the admin or authorized user.
      16. To prevent trackbacks and pingbacks by the remote blogging users, XML-RPC file should be disabled.

    Securing Database and Data files

    Data files of any website contain all the information related to user authentication and business. To protect the data files from being hacked, some tricks can be done to the admin files.

    1. Database password should be strong enough just like the WordPress admin password.
    2. UserID of the database should not consist of the word “user” and password can’t be literally “password” either. This will be the easiest guess for the brute force attacks on data files.
    3. The user should use SFTP over FTP to connect to the server. SFTP creates a security layer around the sensitive information being transferred between the user and the server.
    4. The WordPress database uses WP-<database name> as the prefix of data-files by default. This welcomes attackers to check the structure of your database using bots and tools. So, the data-file prefix should be anything other than “WP”.
    5. MySQL database names should not be easily recognizable like “WordPress” etc. A strong name should be given to the MySQL databases.
    6. Permissions to read, write and execute the files in databases should be given sensibly. The owner should only be given the permission to write. In that case, CHMOD 755 need to be given. In case of any other user, file permission should be like CHMOD 644, only read, no write and no execution.
    7. A WordPress site owner should use advanced solutions like a server-side scanner to monitor the activity of malware and how many files are infected. There are plugins to achieve the same.

Continuous Monitoring

When you want to know if someone is intruding into your house or when he is doing it, you have to keep watch at the entry points of your house all the time, right? Continuous monitoring is the same. It monitors the activities of users, malware, and another activity that is happening on the server.

There are different tools for this and also some good plugins like Cleantalk, are there to help. Monitoring tools can be of different categories

  1. Online Scanners – These type of monitoring tools work from remote and online.
  2. Application monitors – It scanners the files locally on the system it is installed on. Security plugins help to achieve this type of monitoring.
  3. Availability Monitors – These check the website availability or uptime. When the WordPress site is up and running or down, it sends a notification to the admin user through email and/or SMS. These services can raise alarms when the site has been hackers as they can monitor the WordPress site.
  4. The monitor of reputation – the cleanliness of the site is the prime monitoring subject for tools like google.com or any other premium search engines. The best part is it blocks the site but before that, a notification is sent before 24 hours of it.
  5. Monitoring of File and integrity-Whenever the integrity of the files, monitoring file system send a notification to the admin user. It also identifies the changes of integrity that took place.
  6. Email Notification about admin login – Plugins like CleanTalk has feature to send email notification, whenever admin user accesses the site using username and password successfully. This alerts an admin user if there is an unauthorized successful login by attacker. However, if a logged in session is saved and a user accesses the WP dashboard through it, it won’t send any email notification. This feature can be enabled from the option “Receive notifications for admin authorizations in your CleanTalk Dashboard. Choose “Site Security” in the “Services” menu, then click on “Settings.

Take help of Security Plugins to secure your site

All the above tricks and tips are not enough alone to harden your WordPress. There are plugins that are needed to be used to provide all-around protection to the WordPress website. Security plugins protect the WP sites from different kind of threats being discovered every day. Among many ways it protects the WP site, here are some –

  1. Secure User Accounts – plugins detect the easy to guess admin username and password and helps the user to change the value easily. It detects the bots or automation scripts and stops user enumeration just immediately so that bots can’t be able to guess the username using the author information and permalink.
  2. Plugins use optimized logins to prevent the brute force attacks with a feature called – “Login Lockdown’. It even blocks the IP, Network or country of the attacker. There is a list called blacklist which is easily accessible by the admin user and he can manipulate it according to the requirement. It has the feature to force log out of all the users after a defined timeline. It monitors the failed attempts of login continuously and sends a notification to the admin user.
  3. User account number, account access, file access permissions can be implemented and edited through the plugins only.
  4. wp-config.php is manipulated and edited to change the prefix to the database, scheduling automatic backups every day, email notifications for the integrity changes – all of these can be achieved by a good security plugin.
  5. Plugins protect the file system from the WordPress site by disabling the file editing by changing the code in the wp-config.php file. System log monitors help the user to detect the unauthorized activities on the site.
  6. The most important feature of security plugins to protect WP site is web application firewall. It protects the site against dangerous threats like Cross-site scripting, malicious bots which overwhelm the resources of the WP server. It disables the XML.rpc to prevent pingback or traceback feature which can be good sources for attackers to gain information. Also, it prevents the readers to post comments through proxy servers and blocks all the access of the external readers of generic users to the debug files.

WordPress security issues are discussed every day all over the world. New vulnerabilities are discovered and security tricks are also discovered to prevent them. But this is a continuous learning and implementation process and WordPress site owners should be active enough to prevent their sensitive business information to get exposed in the world.

There are simple things like not downloading themes from unknown resources, deleting themes and plugins that are not being used anymore, staying updated with the WordPress and security plugin versions to get protection from the new threats etc. These should be followed religiously for every WordPress site in according to protect it from as many corners as possible.

Leave a Reply