If you have ever been hacked, you know what a nightmare it can be. It can be difficult to understand which WordPress security steps will help to keep your WordPress website secure.
Keep reading to learn how to keep your WordPress site secure. Learn the proper steps for hardening WordPress, and get a WordPress website security checklist.
What is WordPress Hardening?
WordPress makes up about 40% of all websites. Because of this, people who know how to exploit WordPress can easily find a lot of targets. Fortunately, there are many things you can do to make the job much harder for them. This is known as hardening WordPress.
Why WordPress Security is Important
Not only is getting hacked embarrassing, but it can lead to downtime, data loss, and leaked information. This can translate to lost sales and poor brand reputation. In addition to this, it can take a lot of work to get everything back up and running again.
Hardening WordPress: 10 WordPress Security Steps to Take
There are four main ways that hackers can gain access to hack your Wordpress site:
- Getting your password or session and logging in.
- Through indirect access such as FTP, SSH, or the database.
- By discovering information in your web root.
- Through vulnerabilities in the WordPress code or plugins.
The simplest way to gain access to your site is simply by logging in. Here are a few ways to harden WordPress against password thieves.
1. Secure the Machine You are Connecting From
One important thing that is easy to overlook is the computer you are connecting from. If it is not secure, then that can make your server vulnerable too. This is why it is very important to have a virus scanner and firewall, to keep your computer up to date, and to practice safe browsing habits.
2. Secure the Connection to the Server
Even if your computer is secure, your password or your sessions can still be stolen on the way to the server. To prevent this, it is important to make sure you are using HTTPS when logging into your WordPress backend.
It is preferable to always connect to your server using your home or business wired connection or a Wi-Fi connection that uses a long, random Wi-Fi password. If you must connect using a public hotspot, then you will absolutely want to invest in a VPN.
3. Prevent People from Guessing Your Password
When an attacker uses a script to rapidly try different username and password combinations until they guess the right one, this is called a brute force attack. To prevent brute force attacks, use a long password that contains upper and lowercase letters numbers and special characters.
To make this technique even more difficult, you can get plugins that will help. Look for two factor authentication plugins, plugins that add a captcha to the login form, and plugins that limit the number of incorrect attempts you can make.
4. Don't Use Admin
Another way to prevent brute force attacks and other methods of stealing passwords is to name your admin account something else. If they can't guess your username, then they can't guess your password. Any additional administrator accounts should be deleted when they are no longer needed. Any new accounts you make should only have as much access as they need.
If hackers can't access your administrator account directly, they may be able to access your site indirectly through SSH, FTP, or the database. Everything mentioned about keeping your local PC secure, choosing secure passwords, and using a VPN while on public internet applies to SSH, FTP, and connections to the database too, but here are some additional considerations.
5. Use SFTP or FTPS
FTP transmits your data and passwords over the internet in plain text, meaning that anyone who can intercept your data can see your passwords and your data. SFTP and FTPS both encrypt your data.
6. Close or Limit Access to the Ports
Generally, if your database and your website are on the same server, you do not need to have your database port open to the public. If you can manage your database through the portal or from inside the server, this is generally a better option because it gives attackers one less way to exploit your website.
Likewise with FTP, if you are able to use SFTP to connect to the server, there is no need to have the FTP port open. If you do need to use one of these ports to connect to your server, it may be a good idea to scope the ports to only your IP address.
If your IP address changes a lot, it can be inconvenient to have to call to get access to your server every time your IP address changes. One way around this is to use a VPN. Not only does a VPN encrypt the connections between yourself and the server, but it makes it so that you can use a static IP address that you can add to your firewall to prevent anyone else from accessing the ports.
One mistake many people make is to store files and database dumps in the web root. Remember that anything in your web root is accessible to anyone on the internet and it shouldn't have anything that you wouldn't want anyone to have.
7. Remove Anything Unnecessary From Your Web Root
It is worthwhile to look over your web root and make sure there is nothing that is unnecessary for your site to function stored in it.
For example, it can be convenient to dump the database to the webroot so that you can download it later. But remember that your database contains your password hashes and could contain other information that you don't want to be public.
A better idea would be to dump the database somewhere else and use SFTP to download it. If you want to keep it on the server as a backup you can simply move it up one level or put it anywhere except the webroot.
Likewise, zipped copies of the website code can be used to learn about your code and can be downloaded by anyone one the internet. Another common practice is to make a backup of a file like the .htaccess or a code file before modifying it.
It is certainly a good idea to backup your files before modifying them, but if you plan on keeping them in the web root, you should change the permissions so that they can't be accessed.
Related reading: Debunking WordPress Hosting Security Myths >>
For example, you can type chmod 000 .htaccess. Finally, even README files or anything else that could expose version numbers should be safe to remove — and removing them can improve security.
The final thing to consider is the code itself. Web application code security is a very complex topic with entire books written on the topic. Since you are using WordPress the immense task of keeping the code secure is done for you, all you have to do is install the patches.
If you are hosting with Nexcess, we take care of updating core WordPress for you, but the themes and plugins can also contain vulnerabilities.
8. Remove Any Unused Code
An easy way to keep your WordPress site secure is to simply remove anything you are not using. Look at all of your plugins and remove them if they are not adding any value to your site.
This not only improves security, but it can also speed up WordPress and improve the stability of your site. Keep in mind that in some cases, even plugins that are disabled can introduce bugs or provide an attack surface to hackers.
If you have any WordPress themes that are not using, you should also uninstall them — though you may want to consider leaving the most up-to-date default WordPress theme in place for troubleshooting later.
Lastly, it is most important to remove old installations that you are not using. If you have an entire subdirectory with an old blog or an old version of the website that you are no longer using, it is very important to remove it from the web root. If you want to save it as a backup, it can be safely stored above the web root.
9. Make Sure All of Your Plugins and Themes are Actively Maintained
New vulnerabilities are discovered every day and once they are known they can be quickly exploited by scripts en masse all over the internet. That is why it is important to be sure you have knowledgeable programmers that are actively responding to any flaws found in their code and are regularly releasing patches to close the vulnerabilities.
10. Apply the Patches
Since vulnerabilities are found in WordPress all the time and since WordPress vulnerabilities are so quickly and thoroughly exploited, it is very important to apply patches as soon as they are available. It is very important to do this to avoid downtime.
However, there is some risk that one of the patches will not be compatible with the rest of your code, so the best way to do this is to regularly take a backup then manually apply the patches then test your site.
If you find anything that is not working, you can recover the backup and get your site back quickly. If you have the resources, an even better method is to keep a copy of your website and apply all of the patches on the copy first. This prevents any downtime and allows you to troubleshoot any issues before the patches are applied to the live site.
WordPress Website Security Checklist
- Keep your PC secure
- Use secure protocols
- Use a strong password
- Use plugins to make it harder to guess your password
- Rename the admin account
- Close or limit access to ports in your firewall
- Clean database dumps, backups, and especially old code from your web root
- Choose plugins and themes carefully and remove any you don’t use
- Most importantly, keep them up to date
Nexcess Keeps Your WordPress Site Safe
Getting your site hacked can be a disaster. Not only does it make you look bad, but it can lead to extended downtime or even lost orders.
WordPress hosting with Nexcess is a first great step to keeping your WordPress site secure.
Nexcess provides a secure platform from which to host your WordPress website. With Nexcess, you get always-on security monitoring, free daily backups, SSL certificates, and IThemes Security Pro.
And with a team of WordPress experts and support professionals available around the clock to assist with any questions you have, you’ll always have the resources you need 24/7.
Explore our fully managed WordPress hosting plans to get started today.