Chapter 8: Deploying Security Measures in WordPress
WordPress security is a topic of huge importance for every website owner.
Google blacklists around 10,000+ websites every day for malware and around 50,000 for phishing every week.
If you are serious about your website, then you need to pay attention to the WordPress security best practices.
While the WordPress core software is very secure and is audited regularly by hundreds of developers, there is still a lot you can do to keep your site secure.
Security is not just about eliminating risk; it is also about reducing it.
As a website owner, there’s a lot that you can do to improve your WordPress security (even if you’re not tech-savvy).
We have a number of actionable steps that you can take to protect your website against security vulnerabilities.
8.1 Basics of WordPress Security
8.1.1 Why is WordPress security so important?
At its core, WordPress is very secure: the CMS is audited by hundreds of expert coders who write security into WordPress.
Nonetheless, WordPress can still be hacked, and often this is due to a lack of basic security practices.
A hacked WordPress site can be very damaging for its owner, as it inevitably leads to a loss of reputation and often to financial loss as well.
A hacker can rob a business of its confidential user data, install software that leads to further damage down the road, or even install malicious programs on your users’ PCs.
Google plays a strong role in policing websites.
First, it can exclude potentially hacked websites from search results – and indeed it blacklists tens of thousands of sites every week.
Google also warns users away from infected sites by displaying a warning in Chrome.
The resulting warnings can lead to a huge drop in traffic for website owners.
The responsibility for securing a website lies, of course, with the website owner.
It’s no different from business security at a physical place of business.
Essentially, your website is your premises and you need to ensure that it is secured.
8.1.2 Keeping WordPress Updated
WordPress is open-source software that is regularly maintained and updated.
By default, WordPress automatically installs minor updates.
For major releases, you need to manually initiate the update.
WordPress also comes with thousands of plugins and themes that you can install on your website.
These plugins and themes are maintained by third-party developers, who regularly release updates as well.
These WordPress updates are crucial for the security and stability of your WordPress site.
You need to make sure that your WordPress core, plugins, and theme are up to date.
8.1.3 Strong Passwords and User Permissions
The most common WordPress hacking attempts use stolen passwords.
You can make that difficult by using stronger passwords that are unique for your website.
Not just for the WordPress admin area, but also for FTP accounts, database, WordPress hosting account, and your custom email addresses which use your site’s domain name.
Many beginners don’t like using strong passwords because they’re hard to remember.
The good thing is that you don’t need to remember passwords anymore.
You can use a password manager.
Another way to reduce the risk is to not give anyone access to your WordPress admin account unless you absolutely have to.
If you have a large team or guest authors, then make sure that you understand user roles and capabilities in WordPress before you add new user accounts and authors to your WordPress site.
8.1.4 The Role of WordPress Hosting
Your WordPress hosting service plays the most important role in the security of your WordPress site.
A good shared hosting provider like Bluehost or Siteground takes the extra measures to protect their servers against common threats.
Here is how a good web hosting company works in the background to protect your websites and data:
They continuously monitor their network for suspicious activity.
All good hosting companies have tools in place to prevent large-scale DDoS attacks.
They keep their server software and hardware up to date to prevent hackers from exploiting a known security vulnerability in an old version.
They have ready-to-deploy disaster recovery and accident plans which allow them to protect your data in case of a major accident.
On a shared hosting plan, you share the server resources with many other customers.
This opens the risk of cross-site contamination where a hacker can use a neighboring site to attack your website.
Using a managed WordPress hosting service provides a more secure platform for your website.
Managed WordPress hosting companies offer automatic backups, automatic WordPress updates, and more advanced security configurations to protect your website.
8.2 WordPress Security in Easy Steps (No Coding)
We know that improving WordPress security can be a terrifying thought for beginners, especially if you’re not techy.
We will learn how you can improve your WordPress security with just a few clicks (no coding required).
If you can point-and-click, you can do this!
8.2.1 Install a WordPress Backup Solution
Backups are your first defense against any WordPress attack.
Remember, nothing is 100% secure.
If government websites can be hacked, then so can yours.
Backups allow you to quickly restore your WordPress site in case something bad happens.
There are many free and paid WordPress backup plugins that you can use.
The most important thing you need to know when it comes to backups is that you must regularly save full-site backups to a remote location (not your hosting account).
We recommend storing it on a cloud service like Amazon, Dropbox, or private clouds like Stash.
Based on how frequently you update your website, the ideal setting might be either once a day or real-time backups.
Thankfully this can be easily done by using plugins like VaultPress or UpdraftPlus.
They are both reliable and most importantly easy to use (no coding needed).
8.2.2 Best WordPress Security Plugin
After backups, the next thing we need to do is set up an auditing and monitoring system that keeps track of everything that happens on your website.
This includes file integrity monitoring, failed login attempts, malware scanning, etc.
Thankfully, this can all be taken care of by the best free WordPress security plugin, Sucuri Scanner.
You need to install and activate the free Sucuri Security plugin.
Upon activation, you need to go to the Sucuri menu in your WordPress admin.
The first thing you will be asked to do is Generate a free API key.
This enables audit logging, integrity checking, email alerts, and other important features.
Next, click on the ‘Hardening’ tab in the settings menu.
Go through every option and click on the “Apply Hardening” button.
These options help you lock down the key areas that hackers often use in their attacks.
The only thing we recommend customizing is ‘Email Alerts’.
The default alert settings can clutter your inbox with emails.
We recommend receiving alerts for key actions like changes in plugins, new user registration, etc.
You can configure the alerts by going to Sucuri Settings » Alerts.
This WordPress security plugin is very powerful, so browse through all the tabs and settings to see all that it does, such as malware scanning, audit logs, failed login attempt tracking, etc.
8.2.3 Enable Web Application Firewall (WAF)
The easiest way to protect your site and be confident about your WordPress security is by using a web application firewall (WAF).
A website firewall blocks all malicious traffic before it even reaches your website.
DNS Level Website Firewall – These firewalls route your website traffic through their cloud proxy servers. This allows them to send only genuine traffic to your web server.
Application Level Firewall – These firewall plugins examine the traffic once it reaches your server but before loading most WordPress scripts. This method is not as efficient as a DNS level firewall in reducing the server load.
The best part about Sucuri’s firewall is that it also comes with a malware cleanup and blacklist removal guarantee.
Basically, if you were to be hacked under their watch, they guarantee that they will fix your website (no matter how many pages you have).
This is a pretty strong warranty because repairing hacked websites is expensive.
8.2.4 Move Your WordPress Site to SSL/HTTPS
SSL (Secure Sockets Layer) is a protocol which encrypts data transfer between your website and a user’s browser.
This encryption makes it harder for someone to sniff around and steal information.
Once you enable SSL, your website will use HTTPS instead of HTTP, and you will also see a padlock sign next to your website address in the browser.
SSL certificates were typically issued by certificate authorities, and their prices start at $80 and go up to hundreds of dollars each year.
Due to the added cost, most website owners opted to keep using the insecure protocol.
To fix this, a non-profit organization called Let’s Encrypt decided to offer free SSL Certificates to website owners.
Their project is supported by Google Chrome, Facebook, Mozilla, and many more companies.
Now, it is easier than ever to start using SSL for all your WordPress websites.
Many hosting companies are now offering a free SSL certificate for your WordPress website.
If your hosting company does not offer one, then you can purchase one from Domain.com.
They have the best and most reliable SSL deal in the market.
It comes with a $10,000 security warranty and a TrustLogo security seal.
8.3 WordPress Security for DIY Users
If you do everything that we have mentioned thus far, then you’re in pretty good shape.
But as always, there’s more that you can do to harden your WordPress security.
Some of these steps may require coding knowledge.
8.3.1 Change the Default “admin” Username
In the old days, the default WordPress admin username was “admin”.
Since usernames make up half of the login credentials, this made it easier for hackers to do brute-force attacks.
Thankfully, WordPress has since changed this and now requires you to select a custom username at the time of installing WordPress.
However, some 1-click WordPress installers still set the default admin username to “admin”.
If you notice that to be the case, then it’s probably a good idea to switch your web hosting.
Since WordPress doesn’t allow you to change usernames by default, there are three methods you can use to change the username:
Create a new admin username and delete the old one.
Use the Username Changer plugin.
Update the username from phpMyAdmin.
Note: We’re talking about the username called “admin”, not the administrator role.
8.3.2 Disable File Editing
WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area.
In the wrong hands, this feature can be a security risk which is why we recommend turning it off.
You can easily do this by adding the following code in your wp-config.php file.
Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.
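The wp-config.php lines this section refers to, shown here as an added example rather than the guide’s own snippet; the second, commented-out constant goes beyond the section and is included for the trade-off it carries:

```php
<?php
// Added example for wp-config.php (not the guide's snippet). Put these lines
// above the "/* That's all, stop editing! ... */" comment so they are set
// before WordPress loads.

// Removes the edit_themes and edit_plugins capabilities, which hides the
// Theme Editor and Plugin Editor screens and rejects their save requests, so a
// hijacked administrator session cannot write PHP into a theme or plugin
// through the dashboard.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter variant (implies DISALLOW_FILE_EDIT): also blocks installing,
// updating and deleting plugins, themes and core from the dashboard, including
// automatic updates. Only use it when a deployment process outside the
// dashboard applies the updates that section 8.1.2 calls for.
// define( 'DISALLOW_FILE_MODS', true );
```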
8.3.3 Disable PHP File Execution in Certain WordPress Directories
Another way to harden your WordPress security is by disabling PHP file execution in directories where it’s not needed, such as /wp-content/uploads/.
You can do this by opening a text editor like Notepad and pasting this code:
# Block direct requests for any PHP file in this directory (Apache 2.2 syntax;
# the native Apache 2.4 equivalent of "deny from all" is "Require all denied")
<Files *.php>
deny from all
</Files>
Next, you need to save this file as .htaccess and upload it to the /wp-content/uploads/ folder on your website using an FTP client.
Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.
8.3.4 Limit Login Attempts
By default, WordPress allows users to try to log in as many times as they want.
This leaves your WordPress site vulnerable to brute-force attacks.
Hackers try to crack passwords by attempting to log in with different combinations.
This can be easily fixed by limiting the failed login attempts a user can make.
If you’re using the web application firewall mentioned earlier, then this is automatically taken care of.
However, if you don’t have the firewall set up, then proceed with the steps below.
First, you need to install and activate the Login LockDown plugin.
For more details, see our step by step guide on how to install a WordPress plugin.
Upon activation, visit the Settings » Login LockDown page to set up the plugin.
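For sites that cannot run the plugin, the same limit can be enforced with a small must-use plugin. This is an added example, not the guide’s or the Login LockDown plugin’s code; the threshold of 5 failures, the 15-minute window and the file name are assumed values.

```php
<?php
/**
 * Plugin Name: Limit Login Attempts (added example)
 *
 * Added example, not the guide's code or the Login LockDown plugin. Save it as
 * wp-content/mu-plugins/limit-login-attempts.php; must-use plugins load on
 * every request without activation. The threshold and window are assumed
 * values; tune them for your site.
 */

define( 'LLA_MAX_FAILURES', 5 );                        // failures before lockout
define( 'LLA_LOCKOUT_WINDOW', 15 * MINUTE_IN_SECONDS ); // counting and lockout window

/**
 * Transient key for the calling client. REMOTE_ADDR is only the real visitor
 * when nothing sits in front of the web server; behind a DNS-level firewall or
 * other proxy it is the proxy's address, so the server must be configured to
 * restore the client IP (for example with mod_remoteip) or all visitors would
 * share one counter.
 */
function lla_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lla_fail_' . md5( $ip );
}

// Count each failed login. The transient expires on its own, so there is
// nothing to clean up and no scheduled task to run.
add_action( 'wp_login_failed', function () {
    $key = lla_key();
    set_transient( $key, (int) get_transient( $key ) + 1, LLA_LOCKOUT_WINDOW );
} );

// Refuse attempts once the threshold is reached. Priority 30 runs after the
// built-in password check (priority 20), so a correct guess made during the
// lockout is still rejected instead of overriding this error. Empty
// submissions are skipped so merely loading wp-login.php does not count.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( ! empty( $username ) && (int) get_transient( lla_key() ) >= LLA_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter so one typo does not lock a legitimate
// user out for the whole window.
add_action( 'wp_login', function () {
    delete_transient( lla_key() );
} );
```

Each rejected attempt during the lockout fires wp_login_failed again, so the window slides forward until the attacker stops.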
8.3.5 Add Two Factor Authentication
Two-factor authentication requires users to log in using a two-step method.
The first step is the username and password, and the second step requires you to authenticate using a separate device or app.
Most top online websites, like Google, Facebook, and Twitter, allow you to enable it for your accounts.
You can also add the same functionality to your WordPress site.
First, you need to install and activate the Two Factor Authentication plugin.
Upon activation, you need to click on the ‘Two Factor Auth’ link in the WordPress admin sidebar.
Next, you need to install and open an authenticator app on your phone.
There are several of them available like Google Authenticator, Authy, and LastPass Authenticator.
We recommend using LastPass Authenticator or Authy because they both allow you to back up your accounts to the cloud.
This is very useful in case your phone is lost, reset, or you buy a new phone.
All your account logins will be easily restored.
We will be using the LastPass Authenticator for the tutorial.
However, instructions are similar for all auth apps.
Open your authenticator app, and then click on the Add button.
You will be asked if you’d like to scan a site manually or scan the bar code. Select the scan bar code option and then point your phone’s camera at the QR code shown on the plugin’s Settings page.
That’s all; your authentication app will now save it. Next time you log in to your website, you will be asked for the two-factor auth code after you enter your password.
Simply open the authenticator app on your phone and enter the code you see on it.
8.3.6 Change WordPress Database Prefix
By default, WordPress uses wp_ as the prefix for all tables in your WordPress database.
If your WordPress site is using the default database prefix, then it makes it easier for hackers to guess what your table name is.
This is why we recommend changing it.
Note: This can break your site if it’s not done properly. Only proceed if you feel comfortable with your coding skills.
8.3.7 Password Protect WordPress Admin and Login Page
Normally, hackers can request your wp-admin folder and login page without any restriction.
This allows them to try their hacking tricks or run DDoS attacks.
You can add additional password protection at the server level, which will effectively block those requests.
8.3.8 Disable Directory Indexing and Browsing
Directory browsing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access.
Directory browsing can also be used by other people to look into your files, copy images, find out your directory structure, and other information.
This is why it is highly recommended that you turn off directory indexing and browsing.
You need to connect to your website using FTP or cPanel’s file manager.
Next, locate the .htaccess file in your website’s root directory.
After that, you need to add the following line at the end of the .htaccess file:
Options -Indexes
Don’t forget to save and upload the .htaccess file back to your site.
8.3.9 Disable XML-RPC in WordPress
XML-RPC was enabled by default in WordPress 3.5 because it helps to connect your WordPress site with web and mobile apps.
Because of its powerful nature, XML-RPC can significantly amplify brute-force attacks.
For example, traditionally if a hacker wanted to try 500 different passwords on your website, they would have to make 500 separate login attempts, which would be caught and blocked by the login lockdown plugin.
But with XML-RPC, a hacker can use the system.multicall function to try thousands of passwords with, say, 20 or 50 requests.
This is why, if you’re not using XML-RPC, we recommend that you disable it.
There are 3 ways to disable XML-RPC in WordPress, and we have covered all of them in our step by step tutorial on how to disable XML-RPC in WordPress.
Tip: The .htaccess method is the best one because it’s the least resource-intensive.
If you’re using the web-application firewall mentioned earlier, then this can be taken care of by the firewall.
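One way to disable XML-RPC from within WordPress is a filter in a must-use plugin. The following is an added example, not the guide’s code; it assumes the default wp-content/mu-plugins/ directory, an assumed file name, and uses the xmlrpc_enabled and xmlrpc_methods filters that WordPress core provides. It also goes a step beyond the section by showing what to remove when the endpoint has to stay on.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example)
 *
 * Added example, not code from the original guide. Save it as
 * wp-content/mu-plugins/harden-xmlrpc.php; must-use plugins load on every
 * request without activation.
 */

// Assumed setting: set to true only if a mobile app or service still needs
// xmlrpc.php. When false, every XML-RPC method that requires a login is
// refused before the password is even checked.
define( 'HARDEN_XMLRPC_KEEP_ENDPOINT', false );

if ( ! HARDEN_XMLRPC_KEEP_ENDPOINT ) {
    // Core consults this filter in its login() routine for authenticated calls.
    add_filter( 'xmlrpc_enabled', '__return_false' );
}

// Defense in depth whether or not the endpoint stays on: remove
// system.multicall, which batches many authenticated calls, each carrying its
// own username and password, into a single HTTP request, and the pingback
// methods, which need no login (so xmlrpc_enabled alone does not stop them).
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['system.multicall'],
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// Treat every post as closed to pings. This also stops core from sending the
// X-Pingback header that advertises xmlrpc.php to scanners.
add_filter( 'pings_open', '__return_false' );
```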
8.3.10 Automatically Log Out Idle Users in WordPress
Logged in users can sometimes wander away from the screen, and this poses a security risk.
Someone can hijack their session, change passwords, or make changes to their account.
This is why many banking and financial sites automatically log out an inactive user.
You can implement similar functionality on your WordPress site as well.
You will need to install and activate the Inactive Logout plugin.
Upon activation, visit Settings » Inactive Logout page to configure plugin settings.
Simply set the time duration and add a logout message.
Don’t forget to click on the save changes button to store your settings.
8.3.11 Add Security Questions to WordPress Login Screen
Adding a security question to your WordPress login screen makes it even harder for someone to get unauthorized access.
You can add security questions by installing the WP Security Questions plugin.
Upon activation, you need to visit the Settings » Security Questions page to configure the plugin settings.
8.3.12 Scanning WordPress for Malware and Vulnerabilities
If you have a WordPress security plugin installed, then those plugins will routinely check for malware and signs of security breaches.
However, if you see a sudden drop in website traffic or search rankings, then you may want to manually run a scan. You can use your WordPress security plugin, or use online malware and security scanners.
Running these online scans is quite straightforward: you just enter your website URL and their crawlers go through your website to look for known malware and malicious code.
Now keep in mind that most WordPress security scanners can just scan your website.
They cannot remove the malware or clean a hacked WordPress site.
This brings us to the next section, cleaning up malware and hacked WordPress sites.
8.3.13 Fixing a Hacked WordPress Site
Many WordPress users don’t realize the importance of backups and website security until their website is hacked.
Cleaning up a WordPress site can be very difficult and time-consuming.
Our first advice would be to let a professional take care of it.
Hackers install backdoors on affected sites, and if these backdoors are not fixed properly, then your website will likely get hacked again.
Allowing a professional security company like Sucuri to fix your website will ensure that your site is safe to use again.
It will also protect you against any future attacks.
Conclusion:
As a site owner or developer, there will always be vulnerabilities and attack vectors to worry about but it’s never been easier to maintain a secure WordPress install than it is today.
The platform itself has been considerably hardened over the years and there are excellent plugin solutions to help you dial in your settings and sleep better at night.