15 Ways To Harden The Security Of Your WordPress Site


"Security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. What security is though is risk reduction, not risk elimination. It's about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target, subsequently getting hacked." — codex.wordpress.org

Website security is often a top concern for WordPress site owners and prospects. WordPress powers 28 percent of all websites on the internet, and that popularity makes the CMS a frequent target for attackers. That doesn't mean your site has to fall victim to malicious behavior.

While no system is 100 percent hack-proof, there are measures you can take to reduce the chance of a hacked WordPress site. To reduce your exposure to brute-force and DDoS attacks, read below for the most important WordPress security tasks you should implement to become more proactive against potential threats.

15 WordPress Security Tips

Keep WordPress core, themes, and plugins up to date

The most common cause of a hacked WordPress site is an outdated component. Outdated plugins, themes, and core open the door to compromise: once a vulnerability in a given version is public, the version strings those files expose let attackers scan for and target unpatched sites. In fact, in one study, 54 percent of reported WordPress security vulnerabilities belonged to outdated WordPress plugins (outdated WordPress core accounted for 37 percent and outdated WordPress themes for 11 percent).

Keeping your WordPress site up to date is simple. When you see an orange notification in your WordPress dashboard next to plugins or themes, or a notice to upgrade WordPress, update as soon as possible. If your site is hosted with WP Engine, we'll automatically run WordPress core updates for you, although you will still need to update themes and plugins yourself to protect your website from malware.
Consistently updating your plugins is key to any successful and secure WordPress site. To help you manage your plugins with confidence, WP Engine created the Smart Plugin Manager, an automated solution that checks your plugins for updates nightly and ensures that when updates happen, your site doesn't break.

How to configure automatic updates

If you'd rather not do it manually, you can configure automatic updates. To auto-upgrade WordPress core, insert this line into your wp-config.php file:

define('WP_AUTO_UPDATE_CORE', true);

For plugins, use:

add_filter('auto_update_plugin', '__return_true');

For themes, use:

add_filter('auto_update_theme', '__return_true');

The two add_filter() calls belong in a plugin (a must-use plugin under wp-content/mu-plugins is the usual place) or your theme's functions.php, not in wp-config.php: that file runs before WordPress has loaded the plugin API, so add_filter() is not yet defined there. Automatic updates also need the web server to be able to write to the WordPress files, and an update can still break a site, so keep backups current (see below) and test the result.

Only install trusted WordPress plugins and themes

On WordPress.org, the "Popular" and "Featured" sections of the plugin directory are a good place to start when looking for trusted, secure plugins. To judge whether a theme or plugin can be trusted, first read its ratings and reviews. There you can find clues to whether there have been security problems or issues in the past, like buggy updates.

You'll also want to check when a plugin or theme was last updated. If it hasn't received an update in some time (say, years), that inactivity is a sign you should look somewhere else.

In addition, a plugin or theme's popularity is another signal that you aren't installing malicious code into your WordPress site. A widely used plugin or theme isn't necessarily less likely to be targeted by attackers, but it is more likely to receive security patches regularly because of its wide use.

Remove unused plugins and themes

Over time, your WordPress site will require some housekeeping. As you accumulate themes and plugins, go through them and remove the ones you no longer use. Deactivating is not enough: an inactive plugin's files are still on disk and reachable, so an unpatched vulnerability in them can still be exploited. Getting rid of unnecessary clutter is likely to make your site run faster as well as removing the attack surface of stagnant or outdated add-ons.

If you use WordPress multisite, try a plugin like Plugin Activation Status to audit plugins and detect unused ones across all sites in the network. See the codex on WordPress housekeeping for more information on how to remove unused plugins and themes.
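The '__return_true' filters above auto-update everything, including a plugin whose next major release may break the site. The must-use plugin below is an added example written for this article (it is not WP Engine's Smart Plugin Manager and not WordPress core code) showing a middle ground: it auto-applies updates for an allow-list of plugin slugs and for patch releases, where security fixes usually ship, and leaves everything else for a manual, tested update. The slugs in HARDEN_AUTO_UPDATE_SLUGS and all harden_* names are this example's own assumptions; the auto_update_plugin filter signature and the update_plugins transient it reads are real WordPress APIs.

```php
<?php
/**
 * Plugin Name: Selective auto-updates (added example)
 *
 * Example code for this article, not part of WordPress or of any
 * listed product. Save as wp-content/mu-plugins/selective-auto-updates.php.
 *
 * Auto-updates only:
 *   1. plugins whose slug is on the allow-list below, or
 *   2. patch releases (e.g. 4.1.2 -> 4.1.3).
 * Other updates still appear in the dashboard for a human to test and apply.
 */

// Assumed allow-list: replace with the plugins you have actually vetted.
const HARDEN_AUTO_UPDATE_SLUGS = ['akismet', 'wordpress-seo'];

/**
 * True when $offered differs from $installed only in the patch component
 * and is newer. Unrecognised version schemes return false, so a human
 * has to approve them.
 */
function harden_is_patch_release($installed, $offered) {
    $a = explode('.', (string) $installed);
    $b = explode('.', (string) $offered);
    if (count($a) < 2 || count($b) < 2) {
        return false;
    }
    return $a[0] === $b[0]
        && $a[1] === $b[1]
        && version_compare($offered, $installed, '>');
}

/**
 * Handler for the auto_update_plugin filter. $item is the update object
 * WordPress builds for each plugin with a pending release: ->slug,
 * ->plugin (file path relative to wp-content/plugins) and ->new_version.
 * The installed version is the one the updater recorded in the 'checked'
 * map of the update_plugins site transient when it last looked for updates.
 */
function harden_auto_update_plugin($update, $item) {
    if (!empty($item->slug) && in_array($item->slug, HARDEN_AUTO_UPDATE_SLUGS, true)) {
        return true;
    }
    $state = get_site_transient('update_plugins');
    if (!empty($item->plugin) && !empty($item->new_version)
        && is_object($state) && !empty($state->checked[$item->plugin])
        && harden_is_patch_release($state->checked[$item->plugin], $item->new_version)) {
        return true;
    }
    return $update; // keep WordPress's own decision (normally false) for the rest
}
add_filter('auto_update_plugin', 'harden_auto_update_plugin', 10, 2);

// auto_update_theme has the same ($update, $item) signature and the
// update_themes transient the same 'checked' map, so the identical logic
// can be attached there for themes.
```

Because the decision is made per update object, a plugin that jumps from 4.1.x to 5.0 is held back even if it is normally trustworthy, unless it is on the allow-list; that is deliberate, since major releases are where schema and template changes tend to break sites.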
Install a WordPress security plugin

Installing a WordPress security plugin is a no-brainer when it comes to enhancing the security of your site. To become more proactive against security threats, try installing one of these plugins to minimize security vulnerabilities. (If you're a WP Engine customer, be sure to check our disallowed plugins list, as there are a few WordPress security plugins we already install for you.)

• Sucuri Security
• iThemes Security
• BulletProof Security

Regularly back up your WordPress site

WP Engine offers daily site backups and one-click restores so you can rest at ease knowing your work is safe. Even if you take the security precautions above (and the ones listed after), you should always back up your WordPress site. Backing up is fairly easy to do by following these instructions from WordPress, or you can try a plugin like BackupBuddy. Whatever you use, keep at least one copy off the web server (an attacker who controls the site also controls backups stored on it) and restore from it once in a while to confirm the backup actually works. If it's something you'd rather not worry about, WP Engine runs automatic backups for you every day, so you can roll back to your original site *should* you ever lose it to an intrusion.

Enforce strong passwords and usernames

We're all guilty of using a password that's simple to remember. But an easy password, say one that contains your birth year, makes it easier for attackers to crack it with automated brute-force scripts that try username and password guesses over and over. To make sure your password is strong enough, use a tool like Strong Password Generator or Strong Random Password Generator. You should also require other users on your site to use strong passwords; a WordPress plugin like Force Strong Passwords can enforce this. (If you're a WP Engine customer, we automatically install this plugin for you.)

Use two-factor authentication (2FA)

Enabling 2FA adds an extra layer of security to your login credentials. 2FA works by requiring a second factor that only you can supply, like a code from your phone, to verify a login from a specific device. That way, a stolen or guessed password alone is not enough for an intruder to log in from another device.
Here are some WordPress plugins you can use for 2FA:

(Graphic source: Google Support)

• Google Authenticator
• Duo Two-Factor Authentication
• Two Factor Authentication
• Clef
• Authy
• Rublon 2FA

As a WP Engine customer, you can enable two-factor authentication through the User Portal.

Change or omit the "admin" username

Older WordPress versions gave the primary account the username "admin" by default, and many sites still carry it (recent versions ask you to choose a username during installation). Leaving the username as "admin" is an instant security liability: an attacker who wants to brute-force the login already knows half of the credential pair and only has to guess your password.

Removing or changing the "admin" username is the next step in improving site security. The dashboard does not let you rename an existing user, so go to the "Users" section of the WordPress admin panel, create a new administrator with a different username, log in as that user, and delete "admin", attributing its posts to the new account when prompted. Bear in mind that WordPress still reveals usernames in other places (author archives, the ?author=1 redirect, the REST API users endpoint), so treat this as a small reduction in exposure, not a replacement for strong passwords, 2FA and login throttling.

WP Engine does not allow the use of the "admin" username and will automatically remove it for you, replacing it with a "wpengine" account that is used by our support team. We implement special configurations to prevent attacks on the "wpengine" user account specifically.

Limit login attempts

WordPress doesn't limit how many times someone can guess a password. That is a problem because determined attackers won't give up: a script can try password combinations (a brute-force attack) until it finds the right one. To resolve this, limit login attempts. Here are some plugins built for this:

• Login LockDown
• Limit Login Attempts
• Jetpack Protect

To prevent forgetful customers or employees from getting locked out, you can also whitelist certain IP addresses (Jetpack Protect is good for this). Whatever you use, make sure it also covers xmlrpc.php, which accepts the same username and password and is a common brute-force target; a limit that only watches the wp-login.php form is incomplete. If you're on WP Engine, we've also built proprietary security into our platform to help limit login attempts.
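To make the "limit login attempts" and "monitor incoming attacks" advice concrete, here is an added example of a minimal per-IP login throttle as a must-use plugin. It is written for this article and is not the code of any of the plugins listed above or of WP Engine's platform. It hooks the same two WordPress hooks those plugins rely on: wp_login_failed to count failures, and the authenticate filter to refuse further attempts; because both wp-login.php and xmlrpc.php go through wp_authenticate(), the limit applies to both. The limits, the lockout length, the allow-listed address and all harden_* names are this example's assumptions.

```php
<?php
/**
 * Plugin Name: Login throttle (added example)
 *
 * Example code for this article, not part of WordPress or of any listed
 * plugin. Save as wp-content/mu-plugins/login-throttle.php.
 *
 * After HARDEN_LOGIN_MAX_ATTEMPTS failed logins from one address within
 * HARDEN_LOGIN_WINDOW seconds, further attempts from that address are
 * rejected with a generic error. Counters live in transients, so they
 * expire on their own and are shared across web nodes when an object
 * cache is in use.
 */

const HARDEN_LOGIN_MAX_ATTEMPTS = 5;
const HARDEN_LOGIN_WINDOW       = 900;            // 15 minutes, in seconds
const HARDEN_LOGIN_ALLOWLIST    = ['203.0.113.10']; // assumed office address

/**
 * Client address. REMOTE_ADDR is the one value the client cannot forge.
 * Only trust X-Forwarded-For if a proxy/CDN you control sets it; otherwise an
 * attacker supplies a fresh "address" per request and the throttle is useless.
 */
function harden_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function harden_login_key($ip) {
    return 'harden_login_fail_' . md5($ip);
}

// Count a failure for this address; the transient expiry doubles as the window.
function harden_on_login_failed($username) {
    $ip = harden_client_ip();
    if (in_array($ip, HARDEN_LOGIN_ALLOWLIST, true)) {
        return;
    }
    $key   = harden_login_key($ip);
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, HARDEN_LOGIN_WINDOW);
    // Audit trail for the monitoring step: one line per failure in the PHP error log.
    error_log(sprintf('login failed ip=%s user=%s count=%d', $ip, $username, $count));
}
add_action('wp_login_failed', 'harden_on_login_failed');

/**
 * Refuse authentication once the limit is reached. Priority 30 runs after
 * WordPress's own username/password check (priority 20): running earlier
 * would not help, because wp_authenticate_username_password() ignores a
 * WP_Error it receives and still verifies the password.
 */
function harden_check_login_lock($user, $username, $password) {
    $ip = harden_client_ip();
    if (in_array($ip, HARDEN_LOGIN_ALLOWLIST, true)) {
        return $user;
    }
    if ((int) get_transient(harden_login_key($ip)) >= HARDEN_LOGIN_MAX_ATTEMPTS) {
        // Same message whether or not the password was right: no oracle for the attacker.
        return new WP_Error('too_many_attempts', 'Too many failed login attempts. Try again later.');
    }
    return $user;
}
add_filter('authenticate', 'harden_check_login_lock', 30, 3);

// A successful login clears the counter for that address.
function harden_on_login_success($user_login, $user) {
    delete_transient(harden_login_key(harden_client_ip()));
}
add_action('wp_login', 'harden_on_login_success', 10, 2);
```

Note that a locked-out attempt still fires wp_login_failed (WordPress raises it for any WP_Error other than empty credentials), so an attacker who keeps hammering keeps extending their own lockout. The flip side is that a shared address, such as an office NAT, can lock out everyone behind it, which is exactly what the allow-list is for.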
Monitor incoming attacks

It's vital to log incoming attacks so you're aware of what's going on inside your WordPress installation from a historical perspective. Here are a couple of tools that can help you with malware monitoring:

• Sucuri Security
• WP Security Audit Log

Getting insight into what's happening in your WordPress installation via a website malware scan tool is a good idea for tighter security and an easier diagnosis of any issues that arise. You can also use malware services such as WP Security for check-ups and removal.

Use SSL for data security

Enabling SSL is the next crucial step toward a more secure site. SSL (Secure Sockets Layer; in practice today this means its successor, TLS) encrypts all traffic between your visitors and your site, so the private data visitors share with your site stays private. It prevents anyone on the network path from reading or tampering with that data in transit, which matters most for sensitive information like credit card numbers, usernames, and passwords.

Identifying whether a site uses SSL is simple: its address starts with HTTPS, while a site without it starts with HTTP. The SSL certificate lets a user's browser verify not only that the connection is encrypted but also that the certificate is genuine and issued for the domain the user requested. Serve the whole site over HTTPS, not just selected pages: if wp-login.php or the dashboard is still reachable over plain HTTP, the password and the login cookie travel in the clear. Setting FORCE_SSL_ADMIN to true in wp-config.php makes WordPress insist on HTTPS for logins and the admin area.

With WP Engine, all customers are encouraged to obtain a free SSL certificate with Let's Encrypt. For more on SSL and Let's Encrypt, check out Torque's "Why Let's Encrypt Has Completely Changed The SSL Landscape".

Hide your WordPress version

If you defer WordPress updates, consider hiding your WordPress version, because it leaves footprints that tell an attacker exactly which known vulnerabilities your site still has. This is a weak control on its own: scanners also fingerprint versions from other files that ship with each release, so hiding the string is never a substitute for updating.
There are three places where your WordPress version number is exposed:

1. The generator meta tag in the header: <meta name="generator" content="WordPress 4.0" />
2. Query strings on scripts and styles: subscriptions.css?ver=4.0
3. The generator tag in RSS feeds: http://wordpress.org/?v=4.0

To get rid of your WordPress version number in all three places, add this code to your functions.php file:

/**
 * Hide WP version strings from scripts and styles.
 * Only the "ver" query argument that equals the running core version is
 * stripped; plugin and theme assets keep their own cache-busting versions.
 *
 * @filter script_loader_src
 * @filter style_loader_src
 * @return string $src
 */
function fjarrett_remove_wp_version_strings($src) {
    global $wp_version;
    // parse_url() returns null when the URL has no query string; cast so
    // parse_str() always receives a string.
    parse_str((string) parse_url($src, PHP_URL_QUERY), $query);
    if (!empty($query['ver']) && $query['ver'] === $wp_version) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'fjarrett_remove_wp_version_strings');
add_filter('style_loader_src', 'fjarrett_remove_wp_version_strings');

/* Hide the WP version string from the generator meta tag and the RSS feeds
 * (both are produced through the the_generator filter). */
function wpmudev_remove_version() {
    return '';
}
add_filter('the_generator', 'wpmudev_remove_version');

In addition, make sure the readme.html file is removed from your install, as it exposes your version number. At WP Engine we block access to this file on our platform to make fingerprinting WordPress versions more difficult.

Relocate or rename the login page

To make your site more resilient, relocating your login page is worth the effort. It partly hides the fact that you're on WordPress, and it cuts down the brute-force traffic hitting your login page. If someone trying to break in hit a 404 at www.mysite.com/wp-login.php, they'd likely move on. Treat this as noise reduction rather than a real control, though: the new URL is a shared secret that leaks easily, and xmlrpc.php still accepts the same credentials unless you disable it.

Try a plugin like Rename wp-login.php, Move Login, or iThemes Security to move or rename your login page. Before you do, talk to your web host or developer to make sure the steps you are taking are correct.
Secure the wp-config file

The wp-config.php file contains your website's base configuration, including the database credentials and the authentication salts. To stop the web server from ever serving it, add the following to your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>

Two caveats. This is Apache 2.2 syntax; on Apache 2.4 it only works while mod_access_compat is loaded (the native 2.4 form is Require all denied), and nginx never reads .htaccess at all, so there you need an equivalent location rule in the server configuration. Also, the rule matches that one filename only: editor or backup copies such as wp-config.php.bak or wp-config.php~ are not matched and, because they lack the .php extension, may be served as plain text. Delete such copies rather than relying on the rule. For more information on moving wp-config.php outside the web root, see the WordPress codex.

Use a secure hosting environment

You can follow all of the security measures above; however, if you don't invest in a secure WordPress hosting provider, those efforts can be undermined by a weak host. Secure hosting with WP Engine addresses many of the above tasks (daily backups, 2FA, etc.) with its proprietary security technology. Here are just some of the security benefits WP Engine's enterprise-grade infrastructure provides:

• Automatic updates to new versions of WordPress. As soon as a new version of WordPress rolls out, we automatically upgrade your site so it contains the latest security patches.

• Blocks potential hacks as they occur. Our platform contains real-time security threat detection. We have the technology to block even the most sophisticated hacks, like JavaScript/SQL injection and XML-RPC attacks, along with garden-variety DDoS and brute-force attacks. This technology also blocks IP addresses identified as belonging to spammers or hackers.

• Periodic security audits and code reviews. WP Engine conducts periodic code reviews and security audits of our infrastructure. We also partner with outside security businesses to ensure we offer the best possible security measures in the industry.

• High-performance, secure technology stacks. Securing your web environment requires proper server configuration. Our software stack includes provisions to ensure optimal WordPress performance, including disk write limitations and protection against scripts known to contain vulnerabilities. We also implement PHP tuning to disallow dangerous or insecure commands.

• Hacked? We'll fix it for free. While some consultants will charge thousands to fix a hacked site, in the unlikely event that your site is compromised, we'll fix it at no extra cost to you.
Now that you know some ways to make your site more secure, if you ever discover a vulnerability, give back to the WordPress community by reporting it. You can send a detailed email to [email protected], or, if the issue is in a plugin, email [email protected]

There are 13 comments

Mike on October 31, 2016 at 12:08 pm
When I started with WP Engine you asked me to remove LIMIT LOGIN ATTEMPTS and Google Authenticator. What's the new policy?

Darcy Wheeler on November 1, 2016 at 12:03 pm
Hi Mike – Currently we offer both 2FA and limit login attempts through our platform. Therefore you shouldn't need to install those other plugins, but I encourage you to reach out to support if you'd like further clarification. Here are more details on 2FA and limit logins with WP Engine:
https://wpengine.com/resources/two-factor-authentication-wordpress/
https://wpengine.com/blog/replacing-limit-login-attempts-plugin/

Matt on November 15, 2016 at 11:53 am
The link to the 2FA article on the WP Engine blog is broken (doubled up).

Darcy Wheeler on November 15, 2016 at 12:03 pm
Here's the correct link: https://wpengine.com/resources/two-factor-authentication-wordpress/

Tommy on November 4, 2016 at 4:53 am
I also suggest Hide My WP. Its IDS feature is fantastic!

iFlair on November 12, 2016 at 8:45 am
This is great information. Rarely do people share such up-to-date information. WordPress is the secure, authenticated open source.
photogrid on November 29, 2016 at 10:42 pm
Good stuff, really superb, because we can get more views through the site. So please keep updating like this. The information you have posted is very useful. Thanks for sharing useful information. I really enjoyed reading this article.

Amit Patel on December 20, 2016 at 5:07 am
Keeping all WordPress themes and plugins updated is very essential. However, does it really matter to remove unused plugins and themes from WordPress? Renaming the WordPress version is also a good suggestion.

Darcy Wheeler on March 14, 2017 at 10:48 am
Removing unused plugins and themes is a good idea as they are wasted space and can detract from site performance.

nadira on February 1, 2017 at 3:22 am
Thanks for some useful tips… Lol, bribery will always seem to work. I'll take your recommendations and implement them one by one until I get it right.

Alyssa Cuda on October 10, 2017 at 12:06 pm
Hi Ray, hosting services like those offered by WP Engine can provide the security environment to help protect your WordPress site from malicious attacks. However, there are additional practices such as implementing strong passwords and incorporating two-factor authentication that can strengthen security. Check out our vetted security plugins from our Solution Center. Hope this helps!

Md Alfaaz on February 15, 2018 at 7:34 am
Wow! What a great post. The tips which you have shared are amazing. Thanks for this article.

The Cyber Security Review on July 15, 2020 at 3:27 am
Hello Darcy, I'm about to create a website using WordPress and this really helped me out a lot. Thanks for sharing this wonderful article. Do update us with more such articles. Regards


