WordPress Hardening: A Complete Guide - Astra Security

Steps to WordPress hardening ; Sign into WordPress account and go to WordPress general settings; Update your WordPress address, to begin with, “ ... CMS WordPressHardening:ACompleteGuide Updatedon:February17,2022 AakanchhaKeshri 9minsread WordPresspowersmorethan350millionwebsitestoday.Withamarketshareofover38%,ithasespeciallybeenaboontonewbieswhocancreateablogoranyotherwebsiteinjustamatterofafewclicks. ThisBlogIncludes show Whatiswebsitesecurity? GettheultimateWordPresssecuritychecklistwith300+testparameters StepstoWordPresshardening 1.Getagoodhost 2.Beup-to-date:Foryourwebsite’ssecurity 3.StrongPasswords:AbasicinWordPresshardening 4.RunningyourwebsiteonHTTPS 5.UsingSFTPandSSH 6.FilePermissions 7.Backingupyourwebsite 8.ProtectingyourWordPresssitewithaFirewall SeeourIntelligentFirewallandMalwareScannerinaction Conclusion Wasthisposthelpful? Withitsready-to-usefeaturesandsimpleinterface,WordPresshassurelyrevolutionizedthewaywecreateandmanagewebsites.Nowonder,thishasalsothrownitbeforethelurkingeyesofmaliciousactors.Inthisblog,weexplainhowyoucanensureyourWordPresswebsite’ssecuritythroughWordPresshardening. RelatedGuide–WordPressHackRemoval ThedireneedforWordPresssecurityisfurtherprovedbythefactthatover90%ofallwebsiteattackstargetWordPresswebsites.Thisiswaytoohighcomparedtoitssuccessor,Magento,whichsuffersonly4%oftheseattacksandstandsatsecondinthelist. Onereasonbehindthisdisproportionaltargetingisofcourse!thevastusageanddatathatWordPresswebsiteshold.Anotheristhefactthatmorethan70%ofallWordPresswebsitesareill-mangedandsupervulnerable;thusagoldmineforhackers.ThisisbecausetheaverageWordPressuseriseitherabloggerorahobbyistwebsiteownerwhoiseitherunawareofsecurityknow-howorisnotsohands-onwiththetechnicalitiesofwebsitesecurityandconvenientlyavoidsindulginginthat.Thisneedstochangeandweexplainhowinthisblog.Readontofindout. Whatiswebsitesecurity? Websitesecuritydoesnotmeanacompletelysecuresystem,whichispracticallyimpossibletocreateormaintain.Itismoreriskreductionthanriskelimination.Itincludesusingallresourcesatyourdisposaltoimproveyourpositiontoreducethechancesofgettinghackedandmakeyouronlineassetssecure. Therearenoquickfixestoachievecompletewebsitesecurity.However,youcantakebasicprecautionsandsafetymeasurestokeepyourwebsitesafefromattackers.Mostofthecyber-attacksexploitbasicsecuritylapseswithinwebsiteswhichcouldbeavoidable.ThisguidewillhelpyouunderstandthebasicsofWordPresssecurityandstepstoWordPresshardening.Readontofindouthowyoucanbetterprotectyourwebsite. GettheultimateWordPresssecuritychecklistwith300+testparameters GettheChecklistNow! StepstoWordPresshardening 1.Getagoodhost Choosinga securehostingproviderwillensurethattheirserversareproperlysecuredandsoyourhostedwebsite/s.While,optingforacheaperorasharedhostingprovidermightonlyofferyourwebsiteabasicsecurityprotocolandalsoyouwillbesharingtheserverwiththemultiplesiteshosted.Insuchacase,anyvulnerabilityintheservercanimpactallwebsiteshostedonit,leavingasingle-point-of-failureforyoursite. ItisalwaysadvisedtoinvestinadedicatedhostingproviderforyourwebsiteforbettersecurityoptionssothatwillalsohelpinprovidingWordPresshardeningforyoursite.Agooddedicatedhostingprovidertakescareofthephysicalsecurityofyourdata,cabling,power,andcoolingofinfrastructure,routersforthenetwork,serverapplications,andvirtualmachines. RelatedGuide–WordPressMalwareRemoval Theprimarygoalofahostingproviderisgenerallytoprovidehostingtotheircustomersbutnottakingblameofanysecurityincidentshappeningonthehostedwebsite.Basically,ittakescareofeverythingbelowthatlayer.YouwillstillneedtomaintainsecurityprotocolsandstepsforyourWordPresshardening.Thiscompleteguidewillhelpyoutodothat. 2.Beup-to-date:Foryourwebsite’ssecurity Morethan54%ofWordPressvulnerabilitiesareduetooutdatedpluginsandolderversions(source?).WhenevervulnerabilitiesarediscoveredincoreWordPresscode,theWordPressteamprovidespatchesandupdatestofixthoseissues.Ifyouareusingolderversions,thenitisatriskofgettinghackedthroughknownordiscoveredsecuritygaps.UpdatingyourWordPressversionswillprotectagainstsuchknownsecuritythreatsandattacks. Pluginscanbecomevulnerableiftheyarenotupdatedregularly.MostofthepremiumpluginsprovideregularsecurityupdatesandpatcheswhichensurethattheydonotbecomesecurityliabilitiesforyourWordPresswebsite.Itisadvisedtoavoidusingpluginsthatarenotupdatedperiodically,astheywillnothavepropersupportandsecurityfeatures.Majorityofthetimetheyarepotentialentrypointsforattackers. Keepingeverythingup-to-dateisanimportantstepinWordPresshardening.YouwillfindthelatestversionontheofficialwebsiteofWordPresshere.Afterversion3.7,WordPressupdatesautomatically.Youcanalsousethedashboardtogetthestatusofupdatesforpluginsandextensions.Additionally,toconfigureautomaticupdates,insertthiscodeintothe“wp-config.php”file: define('WP_AUTO_UPDATE_CORE',true); Forpluginsandthemes: add_filter('auto_update_plugin','_return_true'); add_filter('auto_update_theme','_return_true'); 3.StrongPasswords:AbasicinWordPresshardening Itcan’tbestressedenoughhowimportantastrongpasswordisforWordPresshardening.Alwayschangethedefaultpasswordsfromallaccounts,sincetheycanbeeasilyguessedandcompromiseyouraccount.Agoodpracticeistohaveastrongphrasewithalphanumericcharacters.Passwordsaregenerallycrackedusingbrute-forcetechniques.Attackersuseprogramsthatcanchurnoutnumerouscombinationsandcheckiftheyarecorrect.Longerthepassword,moretimewillittaketoguess,asitincreasescomplexityandnumberofcombinationsexponentially. Tryusingdifferentpasswordsfordifferentaccountsandchangeyourpasswordsperiodically.Two-factorauthenticationhasbecomethenewsecuritystandard,asitprovidesadditionallevelsofsecurity.Enforceitforallaccounts,i.e.,forwebsiteuserstoo. 4.RunningyourwebsiteonHTTPS  HTTPShasbecomeanimportantstepforWordPresshardening.Itisbeingusedextensivelybytoday’swebsitesforkeepingencryptedcommunicationbetweenwebsitesanditsvisitors,especiallyforfinancialtransactions.HTTPSencryptsalldatabetweenbrowserandwebservertopreventman-in-middleattacks,snoopingandcapturingimportantinformation. ToenableHTTPSonyourWordPresswebsite,youwillneedtogetanSSLcertificatefromareputableprovidersuchasthese.FollowthebelowstepsafterHTTPSisenabledonyourwebsite: SignintoWordPressaccountandgotoWordPressgeneralsettingsUpdateyourWordPressaddress,tobeginwith,“HTTPS”insteadof“HTTP”Updateyourwebsiteaddresstostartwith“HTTPSinsteadof“HTTP”Savethechanges Thenedityour“.htaccess”fileandaddtheselinesatthetop: RewriteEngineOn RewriteCond%{SERVER_PORT}80 RewriteRule^(.*)$https://www.example.com/$1[R,L] Also,addthebelowlinetothe“wp-config.php”fileandsaveit: define('FORCE_SSL_ADMIN',true); Afterthis,yourwebsitewillloadwithHTTPS. 5.UsingSFTPandSSH Totransferfilesandadministerwebsites,FTP(FileTransferProtocol)isused.IthasbeenreplacedbythemoresecureSFTP.ComparedtoFTPwhichsendfilesacrossthenetworkwithoutanyencryption,SFTPencryptsallfilesandcredentialswhensendingitoverthenetwork.YouwillfindSSHinstalledonmostserverssoitiseasytouseSFTPforWordPresshardening. UsingFTPwillmakeyourfilesandcredentialsvulnerable,especiallywhileyou’reusingpublicnetworks,andcanbecapturedbyattackers.Oncethehackersgetyourcredentials,theycangetaccesstoyourentirewebsite.SoalwaysuseSFTPtoprotectyourcredentialsandforanytypeoffiletransfersorwhileusingcommands. 6.FilePermissions NoteveryoneneedstoaccessallfilesonyourWordPresswebsite.Ifyoursitevisitorshaveaccesstothecorefilesthentheattackerscanusethisvulnerabilitytotakecontrol.YoucanprotectthesefilesbyusingsuitablefilepermissionsandensureabetterWordPresshardening. WordPressfilepermission;Source:AstraSecurity Belowareafewmaincategoriesoffilesandfolder: RootWordPressdirectory:FilesshouldbewritablebyyouWordPressadministrationarea(/wp-admin/):AllfileswritablebyonlyyouApplicationlogicofWordPress(wp-includes/):AllfilesshouldbewritablebyonlyyouContentsuppliedbytheuser(/wp-content/):FilesshouldbewritablebyyouandthewebserverThemefiles(wp-content/themes/):FileswritablebyeitheryouorwebserverPluginfiles(wp-content/plugins/):Allfileswritablebytheonlyuser Recommendedfilepermissions: Wp-admin:755Wp-content:755Wp-content/themes:755Wp-content/plugins:755Wp-content/uploads:755Wp-config.php:644.htaccess:644Otherfiles:644 7.Backingupyourwebsite HavingacleanbackupofyourWordPresswebsitewillserveitspurposeifyourwebsitegetshackedordefaced.Youcanusethesebackupstoquicklyreplaceyourinfectedwebsitewithacleancopy.Mosthostingprovidersprovideautomaticbackupoptions,whichstoreacopyofyourwebsiteperiodically. However,whilecreatingabackup,youneedtobecarefulofdataintegrity.Youcandothisbyensuringtoencryptyourbackup,storeanindependentrecordofhashesforeachbackup,andstoringyourbackupsinread-onlystoragedevices.Havingaperiodicplantobackupyourentirewebsiteincludingcorefilesanddatabases)willensurethatyouhaveanuncompromisedversionofyourwebsite. 8.ProtectingyourWordPresssitewithaFirewall TheabovestepswillhelpinWordPresshardening,however,tohavecompleteprotectionagainstattacksyouneedastrongfirewall.Afirewallshouldhavethefollowingfeatures: Malwarescanner:YourfirewallshouldbeabletodetectandremovemalwarefromyourwebsiteLoginprotectionfrombruteforceattacksProtectionagainstattackerreconnaissancetechniques.Forexample,protectyourusernamesfromattackersAfully-featuredWebApplicationFirewallwithregularupdatesPasswordauditingandtwoFactorAuthenticationAdvancedblockingtechniquestocounterthelatestthreatsandnewmethodsofattacks Apartfromthese,thereareseveralotherparametersastrongfirewallshouldhave.Therearenumeroussuchservicesontheinternet,AstraSecurityisoneofthem.Withtheirwidevarietyofsecuritytoolsintheirarsenal,AstraSecurityofferscompleteprotectiontoyourwebsite.Ifyouwanttomonitorhowyoursecurityserviceisperforming,ourdashboardwillshowyouallnecessarydatasuchasthenumberofattacksblocked.NumeroustestimonialsfromsatisfiedusersareproofofAstraSecurity’sexcellentwork. SeeourIntelligentFirewallandMalwareScanner inaction Stopbadbots,SQLi,RCE,XSS,CSRF,RFI/LFIandthousandsofcyberattacksandhackingattempts. TryFreeTrial Letusknowifyoulikeit😃 Conclusion Securityofawebsiteisanongoingprocess.Thereisnodefinitesolutionforacompletelysecurewebsite.WordPresshardeningisacombinationofbasicsecurityprotocolsandastrongfirewall.Anattackcanbringdownyourwebsiteandcauseyoulossesonmultiplefronts.Andweunderstandhowmucheffortgoesintocreatingandmaintainingawebsite. WeatAstraSecurityareheretohelpyouprotectyourwebsiteandensurethatyouspendyourtimeworkingonyourwebsiteratherthanworryingaboutit. Wasthisposthelpful? Yes0 No0 Sharethis...FacebookPinterestTwitterLinkedin AakanchhaKeshri Aakanchhaisatechnicalwriterandacybersecurityenthusiast.Sheisanavidreader,researcher,andanactivecontributortoourblogandthecybersecuritygenreingeneral.Todate,shehaswrittenover200blogsformorethan60domainsontopicsrangingfromtechnicaltopromotional.WhensheisnotwritingorresearchingsherevelsinagameortwoofCS:GO. Label {} [+] Name* Email* Label {} [+] Name* Email* ThissiteusesAkismettoreducespam.Learnhowyourcommentdataisprocessed. 0Comments InlineFeedbacks Viewallcomments RelatedArticles CMS 8BestWordPressCachePlugins–WordPressCachingExplained,ExtensiveList,ProsandCons CMS PenetrationTestingasaService:ThingsYouMightHaveMissed CMS BreakingDownthePentestProcess:A5-StepGuide Psst!Hithere.We’reAstra.Wemakesecuritysimpleandhassle-freeforthousands ofwebsitesandbusinessesworldwide. Oursuiteofsecurityproductsincludeavulnerabilityscanner,firewall,malwarescannerandpenteststoprotectyoursitefromtheevilforcesontheinternet,evenwhenyousleep. Madewith❤️in Copyright©2022ASTRAIT,Inc.AllRightsReserved. PrivacyPolicyTermsofServiceReportavulnerability SearchAstra’sblogfor: wpDiscuzInsert