The Ultimate Guide to Advanced WordPress Site Security

To say that WordPress security is important is to understate it significantly. It’s obvious that you don’t want hackers infiltrating your WordPress site, but WordPress is a very tempting target.

Part of the attraction is that it’s incredibly popular – 37% of all websites, and 33% of the top 1 million sites are built on this platform, which means that it’s worth it for hackers to try to sneak in. Once they crack one, they can crack a lot more.

The fact that WordPress isn’t secure is all over the internet, but that reputation isn’t really fair. WordPress as a system – and especially the core files – is very well secured, maintained and improved by hundreds of programmers who are part of the open-source community. But with so many plugins and themes, there are too many opportunities for vulnerabilities to creep in.

The sad truth is that the vast majority of security issues on a WordPress site are caused by human error, usually either using the wrong settings or failing to maintain the system correctly. But the upside of that is that you can fix those errors once you know what to do.

For the average non-techie website owner, this guide should help you to address all the main issues without using complicated code. But if you’re a web developer or programmer, you’ll appreciate this set of advanced security tips to lock a WordPress site down tight.

Note: This is for WordPress sites installed on Linux servers, but it may also be relevant for those on Windows servers.

Restrict access to the login/management area

By default, hackers and malware can access the administration area (wp-admin) or login page (wp-login.php) of your site without any restriction, which means they can try to hack in further or carry out a DDoS attack.

To prevent this, set your firewall to restrict access to the admin/login areas to authorized IP addresses only.

Alternatively, you could protect these areas with a server-side password (common on Apache Linux servers), which provides an extra layer of security before the hacker or malware reaches the login/management area.

Disable XML-RPC protocol

The XML-RPC protocol is enabled by default in WordPress version 3.5 and above. This option helps to remotely connect your WordPress site with various sites and applications, but it’s far less secure than REST connections.

It can also significantly amplify brute-force attacks by letting hackers use the system’s multi-call functions to try thousands of different passwords with a small number of requests, so we highly recommend disabling the option.

Although the easiest way for non-techies is to use the Disable XML-RPC-API plugin, you might not want to add yet another plugin to the site. Instead, you could:

  • Restrict access to the xmlrpc.php path at the server firewall level
  • Restrict access at the server level with an .htaccess or nginx.conf file

Add 2-step authentication

Enabling two-step authentication of your WordPress site can significantly improve the site security and provide an additional layer of verification before allowing someone to connect to the site’s management area.

One of the easiest ways to do this is through the Google Authenticator plugin, available for download from the official WordPress plugin directory, which installs two-factor authentication via an app on your mobile phone.

Note: To enable this, you need to install the Google Authenticator app on your mobile phone.

Remove inactive plugins and themes

It’s not enough just to deactivate unused plugins and themes; you need to ensure that they’re deleted, too. That’s a lesson learned from the TimThumb attack in 2011, when a vulnerability in the program was exploited to introduce malware into thousands of WordPress sites.

Most of the TimThumb victims didn’t even know that the plugin was on their site because it was bundled with other tools and had been deactivated.

Even when a theme or plugin is turned off, its code can still be a security risk. Any software that’s not in use should be removed from the server entirely.

Choose a secure host

Your managed WordPress hosting company plays the most important role in securing your WordPress site, so look for one that monitors the network for security threats and takes additional measures to protect their servers from future attacks.

Some of the features to look for include:

  • Monitoring network activity frequently to detect suspicious activity
  • Resistance to DDoS attacks at the communication line level
  • Regular updates to all software/hardware components
  • Disaster Recovery Service and an emergency plan that protects your information in the event of an incident
  • PHP support for version 7.4 or greater
  • MySQL version 5.6 or MariaDB version 10.1 or greater
  • Uses a separate database for each of the sites on the server
  • User isolation – complete separation between users on shared servers
  • Built-in server firewall, preferably an active application firewall (WAF) designed for WordPress
  • An intrusion detection system that reviews site activity
  • Frequent, comprehensive site scanning and updating
  • Ability to track files that have changed on the site

Block and prevent bad bots

Most hackers, before attacking proactively, send bots as “spies” to check your site. Even if they don’t follow up on the bot report, these “bad bots” affect site performance, steal content, occupy valuable bandwidth, and significantly disrupt user metrics, so it’s obvious that you want to block them.

You can find a list of most “bad bots” on If you’re already using a security plugin or dedicated WordPress managed storage service, they’re probably already blocked automatically, but it never hurts to check.

Otherwise, you can block bad bots by:

  • Blocking them at the firewall level (this is ideal if you’re managing many sites)
  • Blocking them at the server level using an .htaccess or nginx.conf file
  • Blocking them with a plugin called StopBadBots, available from the official WordPress plugin directory.

User Scan Protection

WordPress sites by default show all the posts published by the author/user on the user archive page, but bots can exploit this to make multiple consecutive login attempts by using the user’s tracking number ID (User ID) until they succeed in impersonating the user and hacking their details.

Their code looks like this:

You can block them by restricting access to the path with this code:*

Hackers also use the REST API, which allows information sharing between different sources, to access user information. With the REST API, they can easily read data from a remote server’s database (your WordPress site) over HTTP. Starting with version 4.7 of WordPress, the REST API is part of the WordPress core and is active on all sites by default.

For example, if they are approaching a path:

They can access a tidy JSON output of all users on your site and their details.

You can’t entirely block the REST API, because WordPress and certain plugins, like the Gutenberg visual editor, need to use parts of it, but you can close off sensitive paths associated with it.

Here are some of the options:

  • Block the wp-json/wp/v2/users path at the firewall level
  • Block the wp-json/wp/v2/users path at the server level with an .htaccess or nginx.conf file
  • Use the Disable REST API plugin, which allows you to block specific API paths
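
To see which clients are already hitting the paths this guide tells you to restrict (xmlrpc.php, wp-login.php and wp-json/wp/v2/users) before you block them, you can count requests per client in the web server's access log. This is an added example, not code from the original article; it assumes the "combined" access-log format, and the function names, sample log lines and threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-client request counts for the paths this guide restricts.
# Assumes the Apache/nginx "combined" access-log format.

# usage: wp_sensitive_hits <access.log> [min_hits]   (min_hits is a hypothetical threshold)
wp_sensitive_hits() {
    awk -v min="${2:-3}" '
    {
        ip = $1; method = $6; path = $7
        sub(/^"/, "", method)      # strip the leading quote of the request field
        sub(/\?.*/, "", path)      # compare the path without its query string
        if (path == "/xmlrpc.php" && method == "POST")        key = "xmlrpc"
        else if (path == "/wp-login.php" && method == "POST") key = "login"
        else if (path == "/wp-json/wp/v2/users" ||
                 index(path, "/wp-json/wp/v2/users/") == 1)   key = "rest-users"
        else next
        hits[ip " " key]++
    }
    END { for (k in hits) if (hits[k] >= min) print hits[k], k }
    ' "$1" | sort -k1,1nr -k2
}

# Constructed sample log lines (documentation IP ranges), not real traffic.
wp_sample_log() {
    cat <<'EOF'
198.51.100.23 - - [10/Jul/2021:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
198.51.100.23 - - [10/Jul/2021:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
198.51.100.23 - - [10/Jul/2021:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
198.51.100.23 - - [10/Jul/2021:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
203.0.113.9 - - [10/Jul/2021:10:01:00 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 912 "-" "-"
203.0.113.9 - - [10/Jul/2021:10:01:01 +0000] "GET /wp-json/wp/v2/users/1 HTTP/1.1" 200 301 "-" "-"
203.0.113.9 - - [10/Jul/2021:10:01:02 +0000] "GET /wp-json/wp/v2/users?per_page=100 HTTP/1.1" 200 912 "-" "-"
192.0.2.10 - - [10/Jul/2021:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
192.0.2.10 - - [10/Jul/2021:10:02:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "-"
192.0.2.44 - - [10/Jul/2021:10:03:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"
EOF
}

log=$(mktemp)
wp_sample_log > "$log"
wp_sensitive_hits "$log" 3     # one line per client and path: count, IP, path label
rm -f "$log"
```

Clients that appear here after the blocks are in place are still reaching the paths, which means the firewall or server rule is not matching them.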

Hide your WordPress version

If you take a quick look at the WordPress site source code, you’ll see that WordPress automatically embeds a meta tag that contains information about the version you’re using.

<meta name="generator" content="WordPress 4.9.10">

This information is, by default, accessible to hackers and malware, which can then search the web for security vulnerabilities in your version to help them choose the best method of attack. It’s often successful because the internet is full of detailed articles describing known vulnerabilities in WordPress versions.

As well as automatically updating your version of WordPress, so that you’re not running an old one with numerous well-documented vulnerabilities, it’s also a good idea to hide your version so that hackers can’t see it. Just add the following code to the functions.php file of your theme:

remove_action('wp_head', 'wp_generator');

Hide error messages in PHP

WordPress has a built-in error display system as part of the core system, which is awesome for developers who want to “debug” code errors in a theme or plugin, but it’s also awesome for guiding hackers and malware to vulnerabilities in the site.

Error messages usually look like this:

PHP: syntax error , unexpected '^' in /wp-content/plugins/plugin.php on line 6

But you can hide them by adding this code to the wp-config.php file:

ini_set('display_errors','Off');
ini_set('error_reporting', E_ALL); // second argument is cut off in the original; E_ALL is assumed here

Reset folder and file permissions

A folder with permission 777, for example, means that anyone can create and edit files within the folder. Normally, you wouldn’t expect folder and file permission values to change, but it’s still best to check that they’re set according to official WordPress recommendations.

According to WordPress (July 2021), these are the correct permissions for your WordPress site:

  • All WordPress files should have 644 file permissions.
  • All WordPress folders should have 755 file permissions.
  • The official WordPress Codex recommends 440 or 400 for the wp-config.php file

You can change file and folder permissions over FTP, or with the “reset file permissions” button that some hosting companies provide.
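
One way to check an existing site against these values is to list every path whose mode differs from them. This is an added example, not code from the original article; the function names and the demo tree are constructed for illustration, and it assumes GNU stat as found on typical Linux servers.

```shell
#!/bin/sh
# Added example: list every path under a WordPress root whose mode differs
# from the values above. Uses GNU stat (-c), as on typical Linux servers.

# Prints "<kind> <mode> <path>" per deviation; prints nothing for a clean tree.
wp_perm_audit() {
    root=$1
    # Files should be 644 (wp-config.php is checked on its own below).
    find "$root" -type f ! -name wp-config.php ! -perm 644 \
        -exec stat -c 'file %a %n' {} +
    # Folders should be 755.
    find "$root" -type d ! -perm 755 -exec stat -c 'dir %a %n' {} +
    # wp-config.php should be 440 or 400.
    if [ -f "$root/wp-config.php" ]; then
        mode=$(stat -c %a "$root/wp-config.php")
        case $mode in
            440|400) ;;
            *) printf 'config %s %s\n' "$mode" "$root/wp-config.php" ;;
        esac
    fi
}

# Constructed demo tree (not a real site) with three deliberate deviations.
wp_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-content/uploads" "$d/wp-includes"
    : > "$d/index.php"
    : > "$d/wp-config.php"
    : > "$d/wp-includes/version.php"
    : > "$d/wp-content/uploads/photo.jpg"
    chmod 755 "$d" "$d/wp-content" "$d/wp-includes"
    chmod 644 "$d/index.php" "$d/wp-includes/version.php"
    chmod 777 "$d/wp-content/uploads"            # world-writable folder
    chmod 666 "$d/wp-content/uploads/photo.jpg"  # world-writable file
    chmod 644 "$d/wp-config.php"                 # config readable by everyone
    printf '%s\n' "$d"
}

demo=$(wp_demo_tree)
wp_perm_audit "$demo"    # reports the three deviations created above
rm -rf "$demo"
```

The match is exact, so modes stricter than 644 or 755 are listed too and can be reviewed case by case.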

Use Authentication Keys

Every WordPress installation comes with a wp-config.php file that contains blank encryption keys. When you implement the installation, it produces unique encryption keys which can significantly increase site protection. These keys are also known as security keys.

The WordPress system uses them to encrypt information stored in the user’s cookies when they are logged in to the site. Authentication information is stored in the form of a complex hash along with the encryption keys, thus minimizing the risk that a hacker could retrieve the username and password from stolen cookies.

If you don’t have unique encryption keys defined in the wp-config.php file, we recommend that you create random keys on the WordPress dedicated key generator and update them in the wp-config.php file.

Disable the option to run PHP files unnecessarily

Another way to tighten site security is to block anyone from running PHP files in folders where it’s not necessary. For example, the folder /wp-content/uploads/ should not contain any PHP files. If you block the folder from running PHP files, you’ll make it impossible for hackers or malware to run a PHP file that’s already in the site directory, but contains a security breach.

You can activate this block at the server level by placing an .htaccess file with this code in the folder you want to restrict:

# .htaccess - Disable PHP Execution
<Files *.php>
Order Allow,Deny
Deny from all
</Files>

uPress clients: This option is an integral part of the admin panel, and is implemented for each site by default.

Secure your most important files

The wp-config.php file probably contains all the most sensitive information on your sites, such as database access information, encryption keys, settings, and more, so it’s crucial to block direct access.

You can activate this block at the server level through the .htaccess file with this code:

# .htaccess - Protect wp-config.php
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>

You should also block the .htaccess file on Apache servers, which contains all the site settings. You should be able to do this at the server level, but if it’s not possible, add this code to the .htaccess file:

# .htaccess - Protect .htaccess
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order Allow,Deny
Deny from all
Satisfy all
</Files>

Apply TLS

A TLS certificate encrypts data packets running between your computer (when it’s in use by a connected user) and the server where the site is stored. It uses the Transport Layer Security (TLS) protocol, which is the currently accepted standard for transmitting encrypted information over the internet.

TLS-based communication ensures that malicious actors can’t listen to communications or view information transmitted between the user and the hosting server.

Currently (July 2021) most hosting companies offer a TLS certificate, also called an SSL certificate, for free, like the one from Let’s Encrypt.

It is possible to achieve a fully secure WordPress site

If you’re a techie reader, you’ll now have plenty of information at your fingertips to ramp up WordPress site security by several notches. Each tip will harden your site attack surface and increase protection, so it doesn’t have to be all or nothing.
