WordPress Security Guide
- 1 How To Secure & Protect Your WordPress Site
- 1.1 Data Loss
- 2 The First Thing You Should Do
- 3 User-Level Security
- 4 User Level Security Recommendations
- 4.1 Set Up Two Factor Authentication
- 4.2 Create a Strong Password with Special Characters
- 4.3 Don’t give your password out to anybody
- 4.4 Make sure you give each user the required role they need
- 5 Recommended Plugins
- 5.1 Cloudflare
- 5.2 Lockdown WP Admin
- 5.3 UpdraftPlus Backup
- 5.4 User Locker
- 6 Wordfence Security
- 7 WordPress Level Protection
- 7.1 Keep Everything Updated
- 7.2 Disable File Editing
- 7.3 Switching Off “Anyone Can Register”
- 7.4 Creating a Replacement Admin User
- 8 Recommended Plugins
- 9 Server Level Protection
- 9.1 Switch off Displaying Errors
- 9.2 Serve Pages Over Secure HTTP
- 10 Stopping WordPress DDOS Attacks
- 11 Further Resources
How To Secure & Protect Your WordPress Site
Security for your website is absolutely paramount. In today’s world there are plenty of ways in which your site can be attacked, ranging from hidden links being inserted into posts to data captured on the site being exposed to unsavoury types. It is up to you, as the maintainer of your website, to make sure that your site is as secure as it can possibly be.
WordPress is a CMS (Content Management System) that is used by millions of websites and blogs all over the world such as CNN, NY Times, OMG! Ubuntu! and of course RefuGeeks. With so much time and effort going into managing a website or blog, especially when it’s done by one main person like myself for RefuGeeks or Joey Sneddon at OMG! Ubuntu! it’s extremely important to protect your assets.
There are three main things that I feel are important to protect your WordPress site against: data loss, hackers and spam. There are many ways to protect against these three ‘problems’; I’ve found a way that works for me, so in the spirit of ‘Opensourceness’ I decided to share it with you. In particular, I take a detailed look at hackers.
Data Loss
Imagine the scenario: you’re making some changes to the code on your site and you delete an important file like stylesheet.php by accident. Or your web hosts have a catastrophic outage and lose all of your data (unlikely, but not impossible). Or your site or web hosts get hacked and your data gets deleted.
Any of these scenarios, plus a thousand more, could happen at any time and would leave your WordPress site at best damaged and at worst completely ruined or deleted. Events like these are almost impossible to prevent, so the only way to protect your data is to backup, backup again and finally BACKUP AGAIN!
My web hosts run weekly backups automatically – that’s great, but I don’t want to rely solely on a weekly backup that someone else is running. I take matters into my own hands and run my own backups using a free plugin called Online Backup for WordPress. You can use this to generate regular backups automatically, which can then be downloaded for offline storage or uploaded to their paid-for cloud storage solution (you get 100MB for free).
I have RefuGeeks set up to back up once a week and then email the results to me so that I can download the encrypted backup file to my machine. I then delete it from my web host so as not to take up space there. Once the WordPress backup is on my machine I move it to my Dropbox folder so that it is synced to the cloud (I only keep my two most recent backups in Dropbox), and I also copy it to a 1TB USB hard drive that I have at home.
This means that I have my live WordPress site, a weekly backup from my hosts and also a weekly backup of all my data (database and files) stored in two different locations. I also run a manual backup whenever the feeling takes me, usually after a big article like this. So, even if my hosts got hacked, all my data was deleted and my house burnt down, my WordPress site is still safe…let’s hope that doesn’t happen though.
The last of the three ‘problems’ that I protect WordPress against is spam; whilst not malicious, it can be very annoying and make your site look very unprofessional. As with hacking, it’s almost impossible to completely prevent spam, but I use two plugins that significantly reduce it: Disqus and Akismet.
Disqus is free and is used by thousands of sites all over the world. It ties in with numerous providers like Google and Facebook so you can use your social accounts to log in and post comments. Disqus also has its own anti-spam filtering. If a comment gets marked as spam then you, as the WordPress administrator or Disqus moderator, have to approve the comment before it’s published – you can also require this for all comments if you like.
Akismet is also a very widely used spam filtering plugin, used all over the world by WordPress users. It’s free for personal blogs, but you can make a donation. I emailed the support guys at Akismet to see which ‘contract’ I should take and they said RefuGeeks qualifies for the personal account, so it’s free. I decided to make regular donations though, in order to help the project.
Like the Disqus spam filtering, Akismet also checks comments for spam and flags them for approval if it thinks a comment is spam. Akismet works with a number of commenting systems including Disqus and the default WordPress commenting system. It’s a great system and this coupled with the Disqus spam filtering means that I am yet to see a spam comment slip through the net and be published on RefuGeeks.
As mentioned above, it’s pretty much impossible to completely stop someone hacking your WordPress site and/or web host but there are ways to make it extremely difficult for a hacker to gain entry to WordPress. Here’s how I do it…
I have numerous, amazing guest authors here on RefuGeeks, all of whom have their own account to log on and submit articles for publication. Unfortunately I can’t control what passwords the guests use (although I am working on it), so they could have a completely insecure password. So, to get around this, all my guests have a very restricted Contributor account in WordPress. A WordPress Contributor account only allows users to write and manage their own posts, but not publish anything. This means that even if a password is insecure and a guest account gets hacked, a hacker can only submit an article for me to read and that’s it – pretty useless by hacking standards.
Obviously I have an administrator account on RefuGeeks, and it’s the only one, so I keep it very secure. First of all, the password is 40 characters long and very, very complicated. Secondly, I have 2-factor authentication enabled on my account by way of Google Authenticator. Google Authenticator asks for a six-digit code generated by an app on your phone, which changes every 30 seconds. Without this code you won’t be able to log in, so, in effect, part of my login credential changes every 30 seconds.
So, for someone to get admin access to my WordPress environment they need my username (which is also cryptic), my extremely long and complicated password and also my phone (which is itself password protected). So I think it’s safe to say that my WordPress admin account is pretty secure.
To enable Google Authenticator on your WordPress site, all you need to do is install the Google Authenticator plugin for WordPress. It’s free and very simple to set up. Once enabled, you can select which users require Google authentication from the Users menu. So simple, yet so secure.
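To make concrete what the six-digit, 30-second code actually is, here is an added example (my own, not code from the article or from the Google Authenticator plugin) of the TOTP algorithm from RFC 6238 that authenticator apps implement. It assumes PHP 7 or later and uses the RFC’s own published test secret. Real apps are provisioned with a base32-encoded secret; this example works on the raw bytes and leaves that encoding step out.

```php
<?php
// Added example: minimal RFC 6238 TOTP (time-based one-time password).
// Assumes PHP 7+ (intdiv, pack 'J'). Not the plugin's code.

/**
 * Generate a TOTP code for a raw binary secret at a given Unix time.
 */
function totp_code(string $secret, int $unixTime, int $digits = 6, int $period = 30): string {
    // Counter = number of 30-second periods since the Unix epoch (RFC 6238).
    $counter = intdiv($unixTime, $period);
    // HOTP (RFC 4226): HMAC-SHA1 over the counter as an 8-byte big-endian integer.
    $msg  = pack('J', $counter);
    $hmac = hash_hmac('sha1', $msg, $secret, true);   // 20 raw bytes
    // Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
    $offset = ord($hmac[19]) & 0x0f;
    $binary = ((ord($hmac[$offset]) & 0x7f) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            |  ord($hmac[$offset + 3]);
    // Keep the last $digits decimal digits, zero-padded.
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/**
 * Verify a submitted code, allowing one period of clock drift either way.
 * hash_equals() keeps the comparison constant-time.
 */
function totp_verify(string $secret, string $submitted, int $unixTime, int $window = 1): bool {
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totp_code($secret, $unixTime + $i * 30), $submitted)) {
            return true;
        }
    }
    return false;
}

// RFC 6238 Appendix B test secret (ASCII "12345678901234567890"). The RFC's
// SHA-1 reference value at T=59 is 94287082; the six-digit code is its last six digits.
$secret = '12345678901234567890';
echo totp_code($secret, 59), "\n";
// Same 30-second period as T=59, so this should verify:
var_dump(totp_verify($secret, totp_code($secret, 59), 59 + 20));
// Three periods later, outside the one-period drift window, so it should not:
var_dump(totp_verify($secret, totp_code($secret, 59), 59 + 90));
```

The drift window is the reason the code "changes every 30 seconds" without locking out a phone whose clock is a few seconds off; widening it beyond one period weakens the second factor, since more codes are accepted at any moment.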
Contrary to popular opinion, WordPress itself is pretty secure. At the time of writing, a quick check of the United States’ National Vulnerability Database for “WordPress Core” shows just two notices of possible exploits discovered in the last two months. Whilst this is two more than is desirable, both were patched fairly quickly. Because WordPress is open source, anybody can feasibly find exploits, but those exploits can also be patched incredibly quickly.
In fact, the majority of attacks on WordPress come from three sources:-
- Insecure Servers.
- User Issues (such as easily discovered passwords).
- A Botnet attacking your site (such as DDOS or brute force attacks).
In this post, we’ll look at each of these issues – as well as general WordPress improvements to make WordPress as secure as possible.
The First Thing You Should Do
Before doing anything, even before the steps in this article, please make sure you are effectively backing up both your database and your files. One of the best free plugins out there is BackWPup, which allows you to back up your site to Dropbox or other cloud services.
Install it, set up the plugin, and test that the backups work. Also, re-test the backups every month or so, just to be sure.
User-Level Security
You can have the most secure site possible, with everything up to date, behind a Fort Knox-esque firewall, and it will all be worth nothing if an intern’s password is their dog’s name, they share it with anybody who asks for it, and they have administration access to the site.
As the site owner, you need to know everybody who has access to your site at Contributor level or above, and what level of access they have. You also need to make sure that everybody with any privileges on your site adheres to strict standards.
User Level Security Recommendations
Set Up Two Factor Authentication
The best way to keep secure is to use Two Factor Authentication on your site. Two factor authentication is a method of logging into accounts using your phone as well as your password. Three recommended plugins are:-
- Rublon – ideal for those who work on one or two computers.
- Clef – useful for those who work remotely on many different machines.
- Google’s Two Factor Authentication – useful for those who have multiple users on the site, where you may want to switch off two factor authentication for some users.
Ideally all users should have two factor authentication, but certainly at least Administrators should have this level of security.
Create a Strong Password with Special Characters
It is recommended that passwords are 15 characters and are a mixture of alphanumeric characters and symbols. Whilst tricky to remember, using a service like LastPass means you should only have to enter each password once and save it to your LastPass account.
You can test your password and see how long it would feasibly take to crack by entering it into this website – https://www.grc.com/haystack.htm – which looks secure and doesn’t appear to send any data to any server. Even so, for testing, please change your password slightly (for example, replace each letter with the next one in the alphabet, or change any numbers).
Don’t give your password out to anybody
This is key, as many breaches start with somebody simply asking for a password. If you are a user, you shouldn’t give your password to anybody; instead, speak to the site owner or manager. They should be able to create a user within WordPress with the level of access that person needs.
Make sure you give each user the required role they need
Try not to set up everybody as an administrator. Ideally you should only need one or two administrators, and you should assign all other users a different role depending on the access they need. WordPress provides documentation of what each user role can do, but for a quick reference, here is a rough guide to what each role does:-
- Administrator – Add/Remove Plugins, Themes and Users. Add/Edit/Delete Posts and Pages. Access to all settings.
- Editor – Add/Edit/Delete Posts and Pages.
- Author – Add Posts.
- Contributor – Can Submit posts for review.
- Subscriber – Can comment on blog posts/pages.
Note: There is also a Super Administrator, which is only present on WordPress Multisite, that can create/delete individual blogs.
There are very few plugins to help with setting up WordPress at a user level beyond the ones mentioned above.
Installing plugins to secure WordPress is a great start, but the best way of avoiding security breaches is to be vigilant at all times. Forgetting the basics, like using complex passwords or renaming the default “admin” account to something else, will leave your WordPress site (or any site or service, for that matter) extremely vulnerable.
There are many plugins to secure WordPress available on the market today. However, I’ve personally found these the best, and easiest to use.
Force Strong Passwords allows you to force users to sign up to the blog with strong passwords, refusing to let them change to a Medium or Weak password. Since WordPress 3.7, user signup has used the zxcvbn method of password strength auditing, which is considered to be one of the best out there.
Note: Whilst the plugin is secure, there are ways that a tech-savvy user can bypass this check and register with a less secure password. However, this is tricky to do, so the plugin is extremely useful to have on a site with a less than tech-savvy audience.
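The bypass the note mentions exists because a strength meter in the browser is only advice; the check that counts is the one the server makes before saving. As an added example (my own, not the Force Strong Passwords plugin’s code), here is a small must-use plugin that enforces the 15-character, mixed-character rule from the section above on the server side, on both the profile screen and the password-reset form. The `user_profile_update_errors` and `validate_password_reset` hooks are real WordPress actions; the `rg_` names and the minimum length constant are this example’s own choices.

```php
<?php
/*
 * Plugin Name: Server-side password policy (added example, not the article's code)
 * Drop this file into wp-content/mu-plugins/ so it always loads.
 * Assumes PHP 7.1+ and WordPress 4.x or later.
 */

const RG_MIN_PASSWORD_LEN = 15; // hypothetical constant, mirrors the article's recommendation

/**
 * Return the reasons a password is too weak; an empty array means it is acceptable.
 */
function rg_password_problems(string $password): array {
    $problems = [];
    if (strlen($password) < RG_MIN_PASSWORD_LEN) {
        $problems[] = sprintf('must be at least %d characters', RG_MIN_PASSWORD_LEN);
    }
    if (!preg_match('/[a-z]/', $password) || !preg_match('/[A-Z]/', $password)) {
        $problems[] = 'must mix upper- and lower-case letters';
    }
    if (!preg_match('/[0-9]/', $password)) {
        $problems[] = 'must contain a digit';
    }
    if (!preg_match('/[^A-Za-z0-9]/', $password)) {
        $problems[] = 'must contain a symbol';
    }
    return $problems;
}

/**
 * Fires when a user is created or edited in wp-admin. $user->user_pass is only
 * set when a new password was typed, so unrelated profile edits are untouched.
 */
function rg_check_profile_password(WP_Error $errors, bool $update, $user): void {
    if (empty($user->user_pass)) {
        return;
    }
    foreach (rg_password_problems($user->user_pass) as $problem) {
        $errors->add('weak_password', 'Password ' . $problem . '.');
    }
}
add_action('user_profile_update_errors', 'rg_check_profile_password', 10, 3);

/**
 * Fires on the "reset password" form (wp-login.php?action=rp), both when it is
 * displayed and when it is submitted; the new password arrives as POST pass1.
 */
function rg_check_reset_password(WP_Error $errors, $user): void {
    if (!isset($_POST['pass1']) || $_POST['pass1'] === '') {
        return; // form is being displayed, nothing to validate yet
    }
    foreach (rg_password_problems((string) $_POST['pass1']) as $problem) {
        $errors->add('weak_password', 'Password ' . $problem . '.');
    }
}
add_action('validate_password_reset', 'rg_check_reset_password', 10, 2);
```

Because both hooks add to a `WP_Error` that WordPress checks before writing the user record, disabling JavaScript or editing the form in the browser no longer helps: the weak password is rejected where it would have been stored.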
Members is a plugin that allows you to create user roles with different capabilities. Say, for example, you wish to create a user that has access to the e-commerce sections of your site but not the blog: Members lets you create a user role (such as “Shop Manager”) that can access only the e-commerce sections. This is useful for large sites with many custom post types, to help security by only giving access to the areas of the site that each person needs.
Recommended Plugins
WordPress is a great system, which runs on millions of sites across the globe. However, such massive popularity breeds security risks, so securing your WordPress site is extremely important. Here are five of the best plugins to secure WordPress…
Cloudflare
Cloudflare is a double whammy. Not only does it help secure your WordPress site by monitoring the traffic that hits your site, learning from it and mitigating threats by blocking them before they reach your site; it also helps speed up your site through content caching and a Content Delivery Network (CDN).
Cloudflare can be a bit of a faff to set up, but once it’s running it really helps things along. Once Cloudflare is set up and working, remember to install their plugin so that it can keep track of any IP changes and you stay protected.
Lockdown WP Admin
Lockdown WP Admin is a great plugin to secure WordPress: it allows you to both hide and rename the default /wp-admin URL. Because every default WordPress site uses a URL like website.com/wp-admin for its admin backend, it is very easy for hackers to find your login screen in order to try and hack into your site.
Once you’ve set up Lockdown WP Admin, make sure you set your admin backend address to something completely random; using /admin or /wordpress won’t do, as these are easily guessed. Why not try something like /table or /bananas, as these will be much more difficult for a hacker to guess yet still simple to remember. Bear in mind that this is obscurity rather than access control, so treat it as a supplement to strong passwords and two factor authentication, not a replacement for them.
UpdraftPlus Backup
Using plugins to secure WordPress is only part of the story. You also need backups; that way, if your site does somehow get hacked then you have a complete backup you can revert to. UpdraftPlus has saved my skin on more than one occasion. A while back I wrote a more in-depth review about UpdraftPlus.
Backups are arguably the most important thing you can implement on your WordPress site; I can’t recommend them enough. If you do nothing else to secure WordPress, please ensure that you have backups, as you never know when you might need them.
User Locker
By default WordPress is vulnerable to brute force hack attempts, as there is no limit to the number of times a user can attempt to log in before an account is locked out. This means that a hacker can try, and try, and try without being locked out of your WordPress site.
User Locker stops this from happening by limiting the number of login attempts a user can make. If a user enters the wrong password more than a certain number of times, their account is locked and they have to use the forgotten password link to unlock it (it sends an email to the user’s email address).
Wordfence Security
Wordfence Security is an incredibly powerful plugin that actively scans the traffic hitting your site for malicious activity such as viruses and hacking attempts, and then takes action to prevent damage to your site. You can also use Wordfence Security to run regular scans of your WordPress installation for vulnerabilities. If it finds any, it will alert you via email so that you can proactively take action.
Wordfence Security can also be used to block IP access to your WordPress site should you notice something that Wordfence hasn’t picked up on. Finally, Wordfence has a live traffic monitor; this comes in very useful during an attack as you can see in real-time what’s happening with your site.
WordPress Level Protection
As stated earlier, WordPress is generally secure. Security issues come mainly from people uploading insecure or hacked plugins, or from WordPress being set up incorrectly. Thankfully there are a few ways to strengthen WordPress security at the software level.
Keep Everything Updated
This is key. WordPress has made it incredibly easy to keep the software and the plugins up to date (including a development cycle that supports the previous two releases with security upgrades, and automatic upgrades for minor releases, which should be left on), but you will still need to check your site every now and again and make changes.
First of all, check that you can apply automatic upgrades on your site. To do this, I would test on a plugin that is installed but not being used, or on one of the default WordPress themes that you are not using. If that is okay, simply go to Dashboard > Updates and click “Update Now”, “Update Plugins” or “Update Themes” to upgrade the core, plugins or themes respectively.
If you have a lot of sites to manage, then an upgrade manager such as the easy-to-use WP Remote can save time upgrading them all.
Also, if you have the resources, set up a staging site that runs the beta version of WordPress; that way you can be made aware of any possible issues before the latest version of WordPress is released. To do that, install WP Beta Tester and, within the Tools > Beta Testing menu, tick the checkbox next to “Bleeding Edge Nightlies”.
Please Note: You should only have to check these whenever the release candidates are announced.
Disable File Editing
One of the ways in which hackers can ruin your blog straight away once they get access is through the rudimentary PHP editor available when you’re logged in. From there they can cripple your blog pretty quickly.
It’s a good idea to disable this. To do so, open up your wp-config.php file, and add the following line.
That will disable the ability to edit your PHP files, making your site more secure.
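As an added illustration (not the article’s own snippet), this is how the setting sits in wp-config.php. `DISALLOW_FILE_EDIT` and `DISALLOW_FILE_MODS` are real WordPress constants; the surrounding lines only show where they go, and the trade-off in the comment is the one to weigh against the “Keep Everything Updated” advice above.

```php
<?php
// Added example of the relevant part of wp-config.php (illustrative context,
// not the article's file). Constants must be defined BEFORE wp-settings.php
// is loaded, so they go above the require_once at the bottom of the file.

// ... database settings, authentication keys and salts, $table_prefix above ...

// Remove the Theme File Editor and Plugin File Editor from wp-admin. An
// attacker who obtains an administrator login can then no longer paste PHP
// into a theme or plugin from the dashboard; they would need file access.
define('DISALLOW_FILE_EDIT', true);

// Stronger, but usually too strong: DISALLOW_FILE_MODS also blocks installing
// and updating plugins, themes and core from the dashboard, which works
// against keeping everything updated. Only enable it on sites that are
// deployed and updated by other means (version control, WP-CLI, your host).
// define('DISALLOW_FILE_MODS', true);

/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
```

After saving, the Appearance and Plugins menus no longer show the editor entries for any user, administrators included; a backup of wp-config.php before editing is cheap insurance against a typo taking the site down.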
Switching Off “Anyone Can Register”
If you don’t have comments, forums or an e-commerce shop, it’s a good idea to switch off the “Anyone Can Register” setting. It is switched off by default, but somebody may have switched it on at some point.
To switch it off, head to Settings > General from the WordPress Dashboard and make sure “Anyone Can Register” next to “Membership” is Unchecked.
Creating a Replacement Admin User
On installation, WordPress creates a user with the username you have chosen, but with an ID of 1. This can lead to security issues, as when people try sniffing for usernames and logins, the ID they use is usually 1. If you go to Users > Add New, create a new Administrator user, log in as that user and delete the initially created administrator user, that will permanently remove the possibility of a user with ID 1. It’s not essential, as usernames are quite easily found in WordPress (in the URL slugs of authors); however, if you have had security issues previously, this step should stop a few attackers in their tracks.
Recommended Plugins
There are a few plugins available that do improve the rudimentary security of WordPress. Please note that, good as these are, they will not save you should a hacker bypass WordPress in the first place, and they will not stop DDOS attacks.
Limit Login Attempts should be essential on every installation, as it prevents hackers from brute forcing your password by blocking IP addresses after multiple failures, increasing the time they are blacklisted each time there has been another bunch of failures. You can also whitelist IPs that you know are safe, to prevent those who have forgotten their password from getting locked out accidentally.
The plugin also emails you a daily summary of the last 24 hours’ activity; it’s fascinating to see how many times sites get attacked, so it’s pretty much an essential plugin to install!
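Both User Locker (above) and Limit Login Attempts do the same underlying thing: count failures, refuse further attempts for a while, and lengthen the lockout each time the threshold is hit. As an added example (my own, not either plugin’s code), here is a must-use plugin that implements that per IP address using WordPress transients, with the whitelist the section describes. The `wp_login_failed`, `authenticate` and `wp_login` hooks, `DAY_IN_SECONDS` and the transient functions are real WordPress APIs; the `rg_` names, the thresholds and the whitelisted address are this example’s own, constructed values.

```php
<?php
/*
 * Plugin Name: Login attempt limiter (added example, not the article's code)
 * Place in wp-content/mu-plugins/. Assumes PHP 7.1+ and WordPress 4.x or later.
 */

const RG_MAX_ATTEMPTS = 5;                  // failures before a lockout
const RG_BASE_LOCKOUT = 600;                // first lockout 10 min, then 20, 40, ...
const RG_WHITELIST    = ['203.0.113.10'];   // constructed example (RFC 5737 documentation range)

/**
 * Client address. REMOTE_ADDR is only meaningful if your host or CDN (such as
 * the Cloudflare plugin mentioned earlier) rewrites it to the real visitor IP;
 * never trust X-Forwarded-For directly, as a visitor can set it to anything.
 */
function rg_client_ip(): string {
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function rg_state_key(string $ip): string {
    return 'rg_login_' . md5($ip);   // keeps the transient name short and safe
}

/** Current state for an IP: consecutive failures, lockouts so far, locked until. */
function rg_get_state(string $ip): array {
    $state = get_transient(rg_state_key($ip));
    return is_array($state) ? $state : ['fails' => 0, 'lockouts' => 0, 'until' => 0];
}

/** Seconds left on a lockout, or 0 if the address may try again. */
function rg_lockout_remaining(array $state, int $now): int {
    return max(0, $state['until'] - $now);
}

/** Pure state transition for one failed attempt; escalates on each threshold. */
function rg_record_failure(array $state, int $now): array {
    $state['fails']++;
    if ($state['fails'] >= RG_MAX_ATTEMPTS) {
        $state['lockouts']++;
        $duration = min(RG_BASE_LOCKOUT * (2 ** ($state['lockouts'] - 1)), DAY_IN_SECONDS);
        $state['until'] = $now + $duration;
        $state['fails'] = 0;
    }
    return $state;
}

// 1. Count failures (fires for a wrong username or a wrong password).
add_action('wp_login_failed', function (string $username): void {
    $ip = rg_client_ip();
    if (in_array($ip, RG_WHITELIST, true)) {
        return;
    }
    $now   = time();
    $state = rg_get_state($ip);
    if (rg_lockout_remaining($state, $now) > 0) {
        return; // already locked out; the attempt was refused below, do not double count
    }
    set_transient(rg_state_key($ip), rg_record_failure($state, $now), DAY_IN_SECONDS);
});

// 2. Refuse authentication while locked out. Priority 40 runs after core's
//    username/password (20) and cookie (30) checks, so core cannot replace
//    this error with a WP_User even when the guessed password is right.
add_filter('authenticate', function ($user, string $username, string $password) {
    $remaining = rg_lockout_remaining(rg_get_state(rg_client_ip()), time());
    if ($remaining > 0) {
        return new WP_Error(
            'rg_locked_out',
            sprintf('Too many failed logins. Try again in %d minutes.', (int) ceil($remaining / 60))
        );
    }
    return $user;
}, 40, 3);

// 3. A successful login clears the counter for that address.
add_action('wp_login', function (string $user_login): void {
    delete_transient(rg_state_key(rg_client_ip()));
});
```

The lockout is keyed on the IP rather than the account so that an attacker cannot lock a legitimate user out simply by guessing at their username, which is the flip side of the account-level lockout User Locker applies; running both gives you cover for both cases.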
Wordfence is an essential plugin that not only scans your site for vulnerabilities but also employs cloud-based blocking, so if a known attacker is attacking another site that is using Wordfence, it is automatically blocked from your site. Wordfence is also kept pretty up-to-date, scanning your site for known vulnerabilities such as the recent Heartbleed vulnerability.
WP Security Scan is another recommended plugin. It has similar features to Wordfence but presents the data and recommendations cleanly. It can recommend changes to your file permissions, and can also change your database prefix in real time. This is particularly useful as hackers will attack the most common database prefix, “wp_”. If you didn’t change it at installation to something else (such as a random string), WP Security Scan can do this for you.
Server Level Protection
Having WordPress secure is one thing; however, the most common form of attack comes at server level. Here are a few suggestions on how to improve this.
Note: Due to the seemingly infinite number of ways in which servers are set up, a lot of these require either knowledge of how your server is hosted or a conversation with your host. It is recommended that you speak to your host about pretty much all of the below.
Switch off Displaying Errors
By switching off the display of errors, you prevent potential hackers from finding out about your server architecture. If you have access to your php.ini file, add this line to it (or get your server manager to do so).
display_errors = Off
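Switching the display off should not mean losing the errors altogether; you still want them for debugging and for spotting an attack in progress. As an added example (not from the article), these are the php.ini directives a host would typically set together, so errors go to a log you can read rather than to the visitor’s browser. The log path is an assumption and must be writable by PHP but not reachable over the web.

```ini
; Added example php.ini fragment (not the article's own). Ask your host to
; apply it if you cannot edit php.ini yourself.

; Never render errors into the page, including errors raised during startup.
display_errors = Off
display_startup_errors = Off

; Keep recording them where only you can read them.
log_errors = On
; Assumed path; pick one outside the web root and writable by the PHP user.
error_log = /var/log/php/error.log

; Stop advertising the exact PHP version in the X-Powered-By response header.
expose_php = Off
```

After a restart of PHP (or of the web server, depending on how PHP is run), a deliberately broken test script should produce a blank or generic page for the visitor and a dated entry in the log file.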
Serve Pages Over Secure HTTP
If you are collecting data from a user, you really should serve pages over the secure HTTPS protocol. Yoast has a good resource on how to set this up in WordPress.
Stopping WordPress DDOS Attacks
Stopping Distributed Denial of Service (DDOS) attacks within WordPress is nigh on impossible: by the time WordPress loads, the damage has already been done, as nobody can access your site. As such, DDOS attacks are tricky to defend against.
Speak to your Web Host as to what they do to prevent DDOS attacks. Each host should have a protocol in place to prevent this.
One thing you can do is disable XML-RPC, to prevent your site being used as part of a botnet. XML-RPC is a WordPress feature that does a lot of good, and allows you to post from applications or third parties. However, if a blog is exploited, it can be used maliciously.
If you don’t have any reason to use XML-RPC (for example, you haven’t downloaded a WordPress app), then you should disable it.
To disable it, open your wp-config.php file and, after the line require_once(ABSPATH . 'wp-settings.php'); at the bottom of the file, add the following line:-
Alternatively, you can use the Disable XML-RPC Plugin instead.
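As an added example (my own, not the article’s snippet or the Disable XML-RPC plugin’s code), here is what the bottom of wp-config.php looks like with XML-RPC switched off, together with a caveat worth knowing: the `xmlrpc_enabled` filter only disables the methods that require a login, so the pingback method that DDOS botnets abuse stays reachable unless it is removed as well. `xmlrpc_enabled`, `xmlrpc_methods` and `wp_headers` are real WordPress filters and `pingback.ping` is the real method name; the placement after `wp-settings.php` matters because `add_filter()` only exists once WordPress has loaded.

```php
<?php
// Added example: tail of wp-config.php after the article's instructions.
// The require_once line already exists in every wp-config.php; the filters
// are added after it, where WordPress's plugin API is available.

require_once ABSPATH . 'wp-settings.php';

// Disable every XML-RPC method that needs authentication (remote publishing,
// the mobile app, Jetpack and the like). Clients get an "XML-RPC services are
// disabled on this site" fault when they try to log in.
add_filter('xmlrpc_enabled', '__return_false');

// The filter above does NOT cover pingback.ping, which needs no login and is
// the method abused to make many blogs fire requests at one victim. Remove
// the pingback methods from the method table so they no longer exist.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// Stop advertising xmlrpc.php in the X-Pingback response header.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
```

If you do still need the app, keep the second and third filters and drop only the first: authenticated publishing keeps working while the pingback method, which is the part a DDOS botnet uses, is gone. Either way, a request to /xmlrpc.php is still handled by PHP, so hosts that want to shed that load entirely block the file at the web server instead.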
Further Resources
Below are some great resources for protecting WordPress further, as well as educating yourself on WordPress:-
- Hardening WordPress: Various Tweaks For Better WP Security by Bastian Grimm
- Sucuri Blog (in particular the WordPress Security: Cutting through the BS article)
- Wordfence Blog
- Hardening WordPress on the WordPress Codex
- Brute Force Attacks on the WordPress Codex
- FAQ: My Site Was Hacked on the WordPress Codex, for what happens in the unfortunate situation if you are hacked.