Complete Guide to WordPress Security
WordPress as a platform is pretty secure, but with the added nuisances of countless plugins, dodgy themes, easily cracked passwords, bad hosting, and general negligence, WordPress websites are put at great risk from attackers across the web looking for targets.
It’s common knowledge that WordPress websites are an extremely lucrative, high-yield target for attackers: one identified and exploited vulnerability can put several thousand similarly configured WordPress websites at risk.
In order to prevent anything of the sort from happening, here’s an updated and complete guide to WordPress security, for beginner and expert WordPress users alike. To start with the basics:
1. Trusted source
This is extremely important. Always make sure that whatever you’re downloading in terms of themes, plugins, or even plugin extensions/add-ons is downloaded from trusted sources only. Keep in mind that pirated goods (premium products offered for free download) are one of the most common ways to put your WordPress website at great risk (backdoors, malware and spyware, spam injections, and more).
Always download free as well as premium themes and plugins from trusted sources only: official repositories (WordPress.org, and WordPress.com for managed sites), iThemes, Envato Market, StudioPress, etc. can be trusted, and there is a longer list of other providers on the official WordPress website.
2. Admin login
The significance of a strong password and username is often underestimated. That is plain negligence.
Brute force attacks are extremely common on every platform, WordPress included. Given enough time (and server resources) an attacker can eventually guess any login credential on the internet. But there’s a catch: every extra character in a password or username multiplies the number of possible combinations of letters, numbers, and symbols, so the time needed to try them all grows exponentially. Coupled with the fact that brute force attacks need substantial resources and are usually spread across many websites at once, this means a long, random admin credential can remain uncracked for years on end.
Make sure to use a long combination of characters (as many as are allowed) for your admin password and username. And since you won’t be able to remember it, get a password manager (search the internet and you’ll find many) to keep track of it.
Also, never publish using the admin account. Create a separate account, assign it the ‘Editor’ role, and use that account to publish any posts on your WordPress website.
3. Security Plugins
Great security plugins can keep your site airtight. Make sure you’re using one.
The best in class are without doubt Sucuri and Wordfence. Even if you can’t go pro (though I recommend you do), get either one of the plugins. Run frequent, consistent malware scans, and use their IP blacklisting and blocking, login security, .htaccess hardening and other features to harden WordPress security.
4. Updates
Outdated core, theme, and plugin versions are easier to compromise. Every update ships with release notes and a list of the vulnerabilities patched, which attackers can use like a cheat sheet against any website still running an old version of a popular WordPress theme, plugin, or core.
So update consistently, as soon as updates are available. It’s good for performance and security, and you get new features. What have you got to lose? (If you keep regular backups, the answer is ‘nothing’.)
5. WordPress Secret Keys
WordPress keeps your users (admin included, i.e., you) logged in using cookies stored on their own devices. These small data packets hold session information and are generally used to provide a more personalized experience and session-restore features (abandoned-cart restore, user login and activity, etc.) on a WordPress website. Unfortunately, cookies can also be intercepted and replayed to gain unauthorized access. To protect against that, WordPress signs them using security keys (salts).
If your website is, or has been, compromised in the past, change these immediately. In your WordPress installation directory, open wp-config.php and find the code snippet given below. Use the online secret-key generator to create a new set of keys and paste them in place:
define( 'AUTH_KEY',         'put your key here' );
define( 'SECURE_AUTH_KEY',  'put your key here' );
define( 'LOGGED_IN_KEY',    'put your key here' );
define( 'NONCE_KEY',        'put your key here' );
define( 'AUTH_SALT',        'put your key here' );
define( 'SECURE_AUTH_SALT', 'put your key here' );
define( 'LOGGED_IN_SALT',   'put your key here' );
define( 'NONCE_SALT',       'put your key here' );
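Replacing eight lines by hand is error-prone, so here is an added example (not the article's own code, nor WordPress's) that rotates the keys offline: a POSIX shell script that rewrites each of the eight define() values in wp-config.php with a fresh 64-character random value. The function names new_wp_salt, rotate_wp_salts and wp_salt_value are hypothetical; it assumes sh, awk, tr, grep, sed and /dev/urandom, and note that rotating the keys invalidates every existing login cookie, which is exactly what you want after a compromise.

```shell
#!/bin/sh
# Rotate all eight WordPress secret keys and salts in wp-config.php offline.
# Added example, not code from the original article or from WordPress.
# Assumes POSIX sh, awk, tr, grep, sed and /dev/urandom; the function names
# new_wp_salt, rotate_wp_salts and wp_salt_value are hypothetical.

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print one 64-character random value. The character set omits quotes,
# backslashes and '&', so the value is safe inside a PHP single-quoted
# string and inside the awk replacement used below.
new_wp_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9_!@#%^+=' </dev/urandom | head -c 64
}

# rotate_wp_salts <wp-config.php>: rewrite every define() line for one of
# the eight keys with a fresh value and leave all other lines untouched.
# Returns 1 (changing nothing) if any key is missing, which usually means
# the file is not a complete wp-config.php. Rotating the keys invalidates
# every existing login cookie, so all users are logged out.
rotate_wp_salts() {
    cfg=$1
    for key in $WP_SALT_KEYS; do
        grep -q "define([[:space:]]*'$key'" "$cfg" || {
            echo "rotate_wp_salts: $key not found in $cfg" >&2; return 1; }
    done
    for key in $WP_SALT_KEYS; do
        awk -v q="'" -v k="$key" -v s="$(new_wp_salt)" '
            $0 ~ ("^[[:space:]]*define\\([[:space:]]*" q k q) {
                print "define( " q k q ", " q s q " );"; next }
            { print }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg" || return 1
    done
}

# wp_salt_value <wp-config.php> <KEY>: print the current value of one key.
wp_salt_value() {
    sed -n "s/^define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1"
}

# Demo on a constructed wp-config.php fragment, not a real site's file.
demo_cfg=$(mktemp)
{ echo '<?php'; for k in $WP_SALT_KEYS; do echo "define( '$k', 'put your key here');"; done
  echo "\$table_prefix = 'wp_';"; } > "$demo_cfg"
rotate_wp_salts "$demo_cfg" && cat "$demo_cfg"
rm -f "$demo_cfg"
```

Back up wp-config.php first and run it as the web server's file owner so permissions on the rewritten file stay as they were.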
6. $table_prefix value
The database is the most attractive target for spam injections and data-mining attacks on your WordPress website by any wannabe hacker, so pay it extra attention and keep it as secure as possible.
You can do that by changing the default $table_prefix value (wp_) in the same wp-config.php file mentioned previously. Here’s the code snippet:
$table_prefix = 'FAIYU7_UGVYH'; // Replace the value in quotes with your own chosen prefix.
// Use only letters, numbers, and underscores.
7. Rewrite rules in .htaccess
.htaccess holds per-directory Apache configuration for your server and can be used to boost your WordPress website’s security. One thing you can do is use a plugin like BulletProof Security to block an entire range of IP addresses known to attack your website.
You can also add the RewriteRule directives below to the same .htaccess file, above the # BEGIN WordPress block that WordPress manages itself; they block direct web requests to the include-only core files (WordPress still loads them server-side, so the site keeps working):
# Block the include-only files.
# Place this above the "# BEGIN WordPress" ... "# END WordPress" block, which
# WordPress rewrites on its own.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
# On multisite, omit the next rule: it would also block wp-includes/ms-files.php.
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress
8. PHP error reporting
The WordPress Codex clearly states that error logs (if enabled) should not be located in a publicly accessible or similarly visible part of your server, because PHP error messages reveal the server path of whatever file raised the error, which is essentially a Christmas present for attackers. Disable PHP error reporting as soon as maintenance or development is done, and delete old logs. To disable it, add this code to the wp-config.php file:
This guide should help you cover the basic WordPress security hardening procedures and keep your site secure. Keep in mind that good site security also depends on regular maintenance and judicious use of plugins (don’t go overboard, is what I’m saying).
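As an added example (not the article's own code, nor WordPress's), here is a small POSIX shell audit that reads a wp-config.php and flags the three weak settings from sections 5, 6 and 8; its hardened sample shows the WP_DEBUG, WP_DEBUG_DISPLAY and WP_DEBUG_LOG values that keep PHP errors off public pages. The function names cfg_has and audit_wp_config are hypothetical, and both config fragments are constructed.

```shell
#!/bin/sh
# Audit a wp-config.php for three weak settings this guide covers: keys still
# holding placeholder text (section 5), the default wp_ table prefix
# (section 6) and PHP error display left on (section 8).
# Added example, not code from the original article or from WordPress.
# Assumes POSIX sh and grep -E; cfg_has and audit_wp_config are hypothetical.

# cfg_has <file> <ERE>: does the file contain a line matching the pattern?
cfg_has() { grep -Eq "$2" "$1"; }

# audit_wp_config <wp-config.php>
# Prints one line per finding and returns the number of findings (0 = clean).
audit_wp_config() {
    cfg=$1
    findings=0
    # 1. Secret keys/salts never replaced after installation (section 5).
    if cfg_has "$cfg" "define\\([[:space:]]*'(AUTH|SECURE_AUTH|LOGGED_IN|NONCE)_(KEY|SALT)'[[:space:]]*,[[:space:]]*'put your"; then
        echo "WEAK: one or more secret keys/salts still hold the placeholder value"
        findings=$((findings + 1))
    fi

    # 2. Default table prefix, the one automated attacks assume (section 6).
    if cfg_has "$cfg" "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*'wp_'"; then
        echo "WEAK: \$table_prefix is still the default 'wp_'"
        findings=$((findings + 1))
    fi

    # 3. WP_DEBUG on without WP_DEBUG_DISPLAY off: PHP errors, including
    #    server paths, are rendered into pages every visitor can see (section 8).
    if cfg_has "$cfg" "define\\([[:space:]]*'WP_DEBUG'[[:space:]]*,[[:space:]]*true" &&
       ! cfg_has "$cfg" "define\\([[:space:]]*'WP_DEBUG_DISPLAY'[[:space:]]*,[[:space:]]*false"; then
        echo "WEAK: WP_DEBUG is true and WP_DEBUG_DISPLAY is not false (errors shown publicly)"
        findings=$((findings + 1))
    fi

    return $findings
}

# Demo on two constructed fragments (not real sites' files): one left in
# development mode after install, one with the settings this guide asks for.
weak=$(mktemp); hard=$(mktemp)
printf "%s\n" "<?php" "define( 'AUTH_KEY', 'put your key here');" \
    "define( 'WP_DEBUG', true );" "\$table_prefix = 'wp_';" > "$weak"
printf "%s\n" "<?php" "define( 'AUTH_KEY', 'x9!Q@#mZ^+=kL' );" \
    "define( 'WP_DEBUG', false );" "define( 'WP_DEBUG_DISPLAY', false );" \
    "define( 'WP_DEBUG_LOG', false );" "\$table_prefix = 'FAIYU7_UGVYH';" > "$hard"
n=0; audit_wp_config "$weak" || n=$?; echo "weak config: $n finding(s)"
n=0; audit_wp_config "$hard" || n=$?; echo "hardened config: $n finding(s)"
rm -f "$weak" "$hard"
```

The demo reports 3 findings for the weak fragment and 0 for the hardened one; a debug.log left under wp-content is a separate check this script does not make.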