The Ultimate WordPress Security Guide (WordPress Security Checklist) helps protect your WordPress site or blog from almost 75% of common vulnerabilities and security loopholes. Before starting with the detailed steps, let us briefly look at the factors that have made WordPress prone to security breaches.
When it comes to WordPress security and the WordPress Security Checklist, there are a lot of things you can do to lock down your website and keep hackers and vulnerabilities from affecting your business or blog. The last thing you want is to wake up one morning and find your site in shambles. So today I will share a lot of tips, strategies, and techniques you can use to harden your WordPress security; try to implement most of them and stay secure.
WordPress gets a bad rap now and then for being prone to security vulnerabilities and for not being an inherently safe platform to use for a business. However, this is almost always because users keep following industry-proven security worst practices. Using outdated WordPress software, poor system administration, weak credential management, and a lack of basic web and security knowledge among non-technical WordPress users keep hackers ahead in their cybercrime game.
Even industry leaders don't always follow best practices. Reuters was hacked in 2012 because they were using an outdated version of WordPress.
Now this is not to say vulnerabilities don’t exist. According to a Q2 2016 study by Sucuri, a multi-platform security company, WordPress continues to lead the infected websites they worked on (at 74%). And the top three plugins affecting that platform are still Gravity Forms, TimThumb, and RevSlider. This is however down quite a bit from Q1 2016.
WordPress powers over 52% of all blogs on the internet, and with hundreds of thousands of theme and plugin combinations out there, it is not surprising that vulnerabilities exist and are constantly being discovered. However, there is also a great community around the WordPress platform that ensures these things get patched ASAP. The WordPress security team is made up of approximately 25 experts including lead developers and security researchers; about half are employees of Automattic and a number work in the web security field.
Check out some of the different types of WordPress security vulnerabilities below.
The aptly named backdoor vulnerability gives hackers hidden passages that bypass normal security controls to gain access to WordPress websites via unusual methods: wp-admin, SFTP, FTP, etc. Once exploited, backdoors enable hackers to wreak havoc on hosting servers with cross-site contamination attacks, compromising multiple sites hosted on the same server. In Q2 2016 Sucuri reported that backdoors continue to be one of the many post-hack actions attackers take, with 71% of the infected sites having some form of backdoor injection.
Backdoors are often encoded or obfuscated so that they look like legitimate WordPress system files, and they make their way into WordPress databases by exploiting weaknesses and bugs in outdated versions of the platform. The TimThumb fiasco was a prime example of a backdoor vulnerability, where shady scripts and outdated software compromised millions of websites.
Fortunately, preventing and curing this vulnerability is fairly simple. You can scan your WordPress site with tools like SiteCheck, which can easily detect common backdoors. Two-factor authentication, blocking IPs, restricting admin access and preventing unauthorized execution of PHP files take care of common backdoor threats; we will go into these in more detail below. Canton Becker also has a great post on cleaning up the backdoor mess on your WordPress installations.
The Pharma Hack exploit is used to inject rogue code into outdated versions of WordPress sites and plugins, causing search engines to return advertisements for pharmaceutical products when a compromised site is searched for. The vulnerability is more of a spam threat than conventional malware, yet it gives search engines enough reason to block the website on allegations of distributing spam.
Moving parts of a Pharma Hack include backdoors in plugins and databases, which can be cleaned up following the instructions from this Sucuri blog. However, the exploits are often vicious variants of encoded malicious injections hidden in databases and require a thorough clean-up process to fix. Nevertheless, you can easily prevent Pharma Hacks by using recommended WordPress hosting providers with up-to-date servers and by regularly updating your WordPress installation, themes and plugins. And remember to tick off the WordPress Security Checklist!
Brute-force Login Attempts
Brute-force login attempts use automated scripts to exploit weak passwords and gain access to your site. Two-step authentication, limiting login attempts (I will show how to do this in detail below), monitoring unauthorized logins, blocking IPs and using strong passwords are some of the easiest and most effective ways to prevent brute-force attacks. Unfortunately, many WordPress website owners fail to follow these security practices, while hackers are able to compromise as many as 30,000 websites in a single day using brute-force attacks.
Malicious redirects create backdoors in WordPress installations using FTPS, SFTP, wp-admin and other protocols and inject redirection code into the website. The redirects are often placed in your .htaccess file and other WP core files in encoded form, directing web traffic to malicious sites. WordPress users can use free scanners that effectively detect malicious redirects, such as SiteCheck, VirusTotal and Bots vs. Browsers, and should also listen to user comments. I will go through some ways to prevent these in my WordPress security steps further below.
Denial of Service
Perhaps the most dangerous of them all, a Denial of Service (DoS) vulnerability exploits errors and bugs in the code to overwhelm the memory of the website's operating system. Hackers have compromised millions of websites and raked in millions of dollars by exploiting outdated and buggy versions of WordPress software with DoS attacks. Although financially motivated cybercriminals are less likely to target small companies, they tend to compromise outdated, vulnerable websites to build botnets that are then used to attack large businesses.
The Ultimate WordPress Security Guide 2018 (WordPress Security Checklist)
According to Internet Live Stats, more than 60,000 websites are hacked each day. That is why it is so important to take some time and go through the recommendations below on how to better harden your WordPress security (WordPress Security Checklist).
Fundamentally, security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. What security is, though, is risk reduction, not risk elimination. It's about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture, reducing the odds of making yourself a target and subsequently getting hacked. (WordPress Security Codex)
I will make a point of keeping this guide up to date with relevant information as things change with the WordPress platform and new vulnerabilities emerge.
WordPress Security Guide (WordPress Security Checklist)
- Secure WordPress Hosting
- Use Latest PHP Version
- Unusual Usernames and Passwords
- Latest Versions
- Lock Down WordPress Admin
- Two-Factor Authentication
- HTTPS – SSL Certificate
- Hardening wp-config.php
- Disable XML-RPC
- Hide WordPress Version
- HTTP Security Headers
- WordPress Security Plugins
- Database Security
- Secure Connections
- File and Server Permissions
- Disable Editing in Dashboard
- Prevent Hotlinking
- Always Take WordPress Backups
- Secure The Uploads Folder
- Turn Off Apache Signature Information
- Unset Apache Response Headers
- DDoS Protection
1. Choose Secure WordPress Hosting
When it comes to WordPress security, there is much more to it than simply securing your site, although we will give you the best recommendations on how to do that below. There is also web server-level security, for which your WordPress host is responsible. It is critical that you pick a host you can trust for your business. Or, if you are hosting WordPress on your own VPS, you need the technical knowledge to do these things yourself.
Server hardening is the key to maintaining a thoroughly secure WordPress environment. It takes multiple layers of hardware- and software-level security measures to ensure the IT infrastructure hosting WordPress sites is capable of defending against sophisticated threats, both physical and virtual. Thus, servers hosting WordPress should be updated with the latest operating system and (security) software, and thoroughly tested and scanned for vulnerabilities and malware.
Server-level firewalls and intrusion detection systems should be in place before installing WordPress on the server, to keep it well protected even during the WordPress installation and site development phases. However, every piece of software installed on the machine to protect WordPress content should be compatible with the latest database management systems to maintain optimal performance. The server should also be configured to use secure networking and file transfer encryption protocols (for example, SFTP rather than FTP) to keep sensitive content away from malicious intruders.
I personally use the true unlimited free cloud web hosting from Viewen. It is hard to believe: when all the paid and premium hosts are facing similar issues, what is the point in using, or even talking about, a free hosting company?
It's true, but not completely true. Even before using Viewen I too had a similar image of free hosting providers. But seriously, when I think of any other PAID or PREMIUM hosting provider now, it's impossible to get Viewen out of my mind. The wonderful support forum and friendly service are something one should try in order to understand the difference between good and bad. Below is my article with details on Viewen's free cloud web hosting; go through it and you will love it. Though you are always free to choose your hosting from anyone!
2. Use Latest PHP Version
PHP is the backbone of your WordPress site, so using the latest version on your server is very important. Each major release of PHP is typically fully supported for two years after its release. During that time, bugs and security issues are fixed and patched on a regular basis. As of right now, anyone running a version of PHP below 5.6 no longer has security support and is exposed to unpatched security vulnerabilities.
And prepare to be blown away. According to the official WordPress Stats page, as of writing this, more than 40.5% of WordPress users are still running PHP 5.6 or lower. That is alarming! Sometimes it takes businesses and developers time to test and ensure compatibility with their code, but they have no excuse to keep running on something without security support.
In the event that you are on a WordPress host that uses cPanel, you can easily switch between PHP versions by clicking into “MultiPHP Manager” under the software category. Still if you are unsure, then simply reach out to your hosting provider.
3. Use Unusual Usernames and Passwords
Surprisingly, one of the best ways to harden your WordPress security is simply to use smart usernames and passwords. Sounds pretty simple, right? Well, look at SplashData's 2017 annual list of the most popular passwords stolen each year (sorted by popularity).
That's right! The most popular password is "123456", followed by an amazing "Password". Some of the best security starts with the basics. Google has some great recommendations on how to choose a strong password, or you can use an online tool like Strong Password Generator.
There are also online password managers such as LastPass or TeamPassword to store all your passwords on the go. You can even save all your passwords in a simple notepad file and store that in Google Drive or Dropbox, whichever suits you.
4. Always Use Latest Version of WordPress and Plugins
Another important way to harden your WordPress security is to always stay up to date. This includes WordPress core and your plugins. These are updated for a reason, and a lot of the time the updates include security improvements and bug fixes.
Sadly, a huge number of organizations out there are running outdated versions of WordPress software and plugins, and still believe they are on the right path to business success. They cite reasons for not updating such as "their site will break", "core modifications will be gone", "plugin X won't work" or "they simply don't need the new functionality".
In truth, sites mostly break because of bugs in older WordPress versions. Core modifications are never recommended by the WordPress team and expert developers who understand the risks involved. And WordPress updates mostly include must-have security fixes along with the additional functionality required to run the latest plugins.
How to Update WordPress Core
There are a couple of easy ways to update your WordPress installation. But always take a backup before any update. Use UpdraftPlus for automatic backups with a one-click restore option. This way you can test new versions of WordPress and plugins without having to worry about them breaking anything. Or you could first test in a staging environment, such as your localhost. To update WordPress core you can click into "Updates" in your WordPress dashboard and click the "Update Now" button.
In the same way, you can also update a plugin manually or automatically. Simply grab the latest version from the plugin developer or WordPress repository and upload it via FTP, overwriting the existing plugin within the /wp-content/plugins directory.
Use your best judgment when it comes to plugins. Look at the “Last Updated” date and how many ratings a plugin has.
There are also a lot of resources out there to help you stay on top of the latest WordPress security updates and vulnerabilities. See some of them below:
- WP Security Bloggers: An awesome aggregated resource of 20+ security feeds.
- WPScan Vulnerability Database: Catalogs over 10,000 WordPress Core, Plugin and Theme vulnerabilities.
- Official WordPress Security Archive
5. Lock Down Your WordPress Admin
Before heading further, let me introduce the very well known and free best WordPress security plugin: All In One WP Security & Firewall. I use it for my website; it is solid but easy, so I highly recommend it for everyone.
Sometimes the popular strategy of WordPress security by obscurity is appropriately effective for a typical online business and WordPress website. If you make it harder for hackers to find certain backdoors, then you are less likely to be attacked. Securing your WordPress admin area and login is a good way to increase your security. Two great ways to do this are first by changing your default wp-admin login URL and second by limiting login attempts.
How to Change Your WordPress Login URL
By default your WordPress site’s login URL is domain.com/wp-admin. One of the problems with this is that all of the bots, hackers, and scripts out there also know this. By changing the URL you can make yourself less of a target and better protect yourself against brute force attacks. This is not a fix all solution, it is simply one little trick that can definitely help protect you. We will use the All in One Security & Firewall Plugin to do this.
As shown in the above image after installing and activating “All in One Security & Firewall Plugin”, simply go to the “Brute Force” option and rename the login URL to something that only you can remember. Isn’t that simple?
How to Limit Login Attempts
While changing your admin login URL as above will stop the majority of bad login attempts, putting a limit in place can also be very effective. To do this, simply go to the "User Login" tab and set Max Login Attempts, Login Retry Time Period (min), Time Length of Lockout (min), Instantly Lockout Invalid Usernames and Instantly Lockout Specific Usernames.
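To see how those settings interact before you apply them, here is an added Python model of the lockout rules (hypothetical example code, not the plugin's own implementation); the account names, thresholds and login events are constructed assumptions.

```python
"""Model of the 'Limit Login Attempts' settings: Max Login Attempts,
Login Retry Time Period, Time Length of Lockout and Instantly Lockout
Invalid Usernames, replayed over a constructed sequence of login events.
Hypothetical example code, not taken from the plugin."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    """Settings mirroring the 'User Login' tab (values here are assumed examples)."""
    max_attempts: int = 3                 # Max Login Attempts
    retry_period_min: int = 5             # Login Retry Time Period (min)
    lockout_min: int = 60                 # Time Length of Lockout (min)
    lockout_invalid_users: bool = True    # Instantly Lockout Invalid Usernames
    valid_users: frozenset = frozenset({"editor", "siteowner"})  # assumed accounts


@dataclass
class LockoutState:
    failures: dict = field(default_factory=lambda: defaultdict(list))  # ip -> [minute, ...]
    locked_until: dict = field(default_factory=dict)                    # ip -> minute


def handle_login(policy, state, minute, ip, username, password_ok):
    """Apply the policy to one login event; returns 'locked', 'lockout', 'fail' or 'ok'."""
    if state.locked_until.get(ip, -1) > minute:
        return "locked"                               # request refused during an active lockout
    if policy.lockout_invalid_users and username not in policy.valid_users:
        state.locked_until[ip] = minute + policy.lockout_min
        return "lockout"                              # unknown username: immediate lockout
    if password_ok:
        state.failures[ip].clear()
        return "ok"
    # keep only failures inside the retry period, then add this one
    window = [m for m in state.failures[ip] if minute - m < policy.retry_period_min]
    window.append(minute)
    state.failures[ip] = window
    if len(window) >= policy.max_attempts:
        state.locked_until[ip] = minute + policy.lockout_min
        state.failures[ip] = []
        return "lockout"
    return "fail"


def run_events(policy, events):
    """Replay the events in order and return the decision for each one."""
    state = LockoutState()
    return [handle_login(policy, state, *event) for event in events]


SAMPLE_EVENTS = [  # constructed sample: (minute, source ip, username, password correct?)
    (0, "203.0.113.7", "editor", False),
    (1, "203.0.113.7", "editor", False),
    (2, "203.0.113.7", "editor", False),      # 3rd failure within 5 min -> lockout
    (3, "203.0.113.7", "editor", True),       # right password, but the IP is locked out
    (0, "198.51.100.9", "admin", False),      # 'admin' does not exist -> instant lockout
    (10, "192.0.2.20", "siteowner", False),
    (20, "192.0.2.20", "siteowner", False),   # earlier failure is outside the 5 min window
    (21, "192.0.2.20", "siteowner", True),
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, run_events(LockoutPolicy(), SAMPLE_EVENTS)):
        print(f"t={event[0]:>3} min  {event[1]:<14} {event[2]:<10} -> {decision}")
```

Note that the legitimate editor's correct password at minute 3 is still refused: the lockout is per source IP, which is why the lockout length should be chosen with real users sharing an address (an office NAT) in mind.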
6. Take Advantage of Two-Factor Authentication
And of course we can't overlook two-factor authentication! No matter how secure your password is, there is always a risk of somebody finding it. Two-factor authentication is a two-step process in which you need not only your password to log in but also a second method. It is generally a text (SMS), phone call, or time-based one-time password (TOTP). In most cases, this is 100% effective in preventing brute-force attacks on your WordPress site. Why? Because it is very unlikely that the attacker will have both your password and your cell phone.
A completely free option is the Google Authenticator plugin, which is a great alternative. It also allows an unlimited number of users. Once installed, you can click into your user profile, mark it active and create a new secret key or scan the QR code.
You can then use one of the free Authenticator Apps on your phone:
After enabling this, logging in will require your normal password plus the code from the Google Authenticator app on your phone. You will notice an additional field that now appears on your WordPress login page. So make sure to take advantage of two-factor authentication; it can be an easy way to boost your WordPress security.
7. Use HTTPS for Encrypted Connections – SSL Certificate
One of the most overlooked ways to harden your WordPress security is to install an SSL certificate and run your site over HTTPS. HTTPS (Hyper Text Transfer Protocol Secure) is a mechanism that allows your browser or web application to securely connect with a website. A big misconception is that if you aren’t accepting credit cards that you don’t need SSL. Well, let me explain a few reasons why HTTPS is important beyond just eCommerce. Many hosts, including Viewen, now even offer free SSL certificates with Let’s Encrypt.
Of course, the biggest reason for HTTPS is the added security, and yes, this does pertain strongly to eCommerce sites. However, how important is your login information? For those of you running multi-author WordPress websites, if you are running over HTTP, every time a person logs in, that information is passed to the server in plain text. HTTPS is absolutely vital in maintaining a secure connection between a website and a browser. This way you can better prevent hackers or a man in the middle from gaining access to your website. So even WordPress blogs, news sites and agencies can all benefit from HTTPS, as it ensures nothing ever passes in plain text.
Google has officially said that HTTPS is a ranking factor. While it is only a small ranking factor, most of you would probably take any advantage you can get in SERPs to beat your competitors.
3. Trust and Credibility
According to a survey from GlobalSign, 28.9% of visitors look for the green address bar in their browser. And 77% of them are worried about their data being intercepted or misused online. By seeing that green padlock, customers will instantly have more peace of mind knowing that their data is more secure.
A lot of people don't realize that HTTPS to HTTP referral data is blocked in Google Analytics. So what happens to the data? Well, most of it is just lumped together with the "direct traffic" section. If someone is going from HTTP to HTTPS, the referrer is still passed.
5. Chrome Warnings
The Chrome team announced that beginning in January 2017, they will mark HTTP sites that transmit passwords or credit cards as non-secure. This is especially important if your website gets a majority of its traffic from Chrome. You can look in Google Analytics under the Audience section in Browser and OS to see the percentage of traffic your WordPress site gets from Google Chrome. Google is making it a lot clearer to visitors that your WordPress website might not be running on a secured connection.
Because of a new protocol called HTTP/2, those running properly optimized sites over HTTPS can often even see speed improvements. HTTP/2 requires HTTPS because of browser support. The improvement in performance is due to a variety of reasons, such as HTTP/2 supporting better multiplexing, parallelism, HPACK compression with Huffman encoding, the ALPN extension, and server push. And with TLS 1.3 around the corner, HTTPS connections will be even faster.
8. Harden Your wp-config.php file
Your wp-config.php file is like the heart and soul of your WordPress installation. It is by far the most important file on your site when it comes to WordPress security. It contains your database login information and security keys which handle the encryption of information in cookies. Below are a couple things you can do to better protect this important file.
1. Change Permissions
Typically files in the root directory of a WordPress site will be set to 644, which means the file is readable and writable by its owner, readable by users in the file's group, and readable by everyone else. According to the WordPress documentation, the permissions on the wp-config.php file should be set to 0600, 0440 or 0400 to prevent other users on the server from reading it. You can easily change this with your FTP client. I personally recommend setting it to 0600.
2. Disable “wp-config.php” Editing Completely Through “.htaccess”
This is another great method to block intruders from reaching the file at all over the web. Just add the following code to the top of the ".htaccess" file through All In One WP Security & Firewall: go to the Firewall >> Custom Rules tab. The rule is scoped to wp-config.php with a Files block; without that wrapper, "deny from all" would block the whole site.

```apache
# START WPConfig File
<Files wp-config.php>
    order allow,deny
    deny from all
</Files>
# END WPConfig File
```
9. Disable XML-RPC
In past years XML-RPC has become an increasingly large target for brute-force attacks. As Sucuri mentioned, one of the hidden features of XML-RPC is that you can use the system.multicall method to execute multiple methods inside a single request. That's very useful, as it allows an application to pass multiple commands within one HTTP request. But it is also used with malicious intent.
To disable XML-RPC completely, go to the "Firewall" tab again, where you will see two options: Completely Block Access To XMLRPC and Disable Pingback Functionality From XMLRPC. (The second option is useful if you use Jetpack, the WP iOS app or other apps which need WP XML-RPC functionality; it enables protection against WordPress pingback vulnerabilities while leaving XML-RPC available.)
As already mentioned, a few WordPress plugins like Jetpack rely on XML-RPC, but the majority of people won't need it and it can be beneficial to simply disable access to it. Not sure if XML-RPC is currently running on your website? Danilo Ercoli, from the Automattic team, wrote a little tool called the XML-RPC Validator. You can run your WordPress site through it to see if XML-RPC is enabled. If it isn't, you will see a failure message like the one shown in the image below for my blog.
10. Hide Your WordPress Version
Hiding your WordPress version touches again on the subject of WordPress security by obscurity. The less other people know about your WordPress site configuration the better. If they see you are running an out of date WordPress installation, this could be a welcome sign to intruders. By default, the WordPress version shows up in the header of your site’s source code. Again, I recommend simply making sure your WordPress installation is always up to date so you don’t have to worry about this.
To do this simply go to the “Settings” option then to “WP Version Info” tab and just check the box Remove WP Generator Meta Info and you are done!
11. Add Latest HTTP Security Headers
Another step you can take to harden your WordPress security is to take advantage of HTTP security headers. These are usually configured at the web server level and tell the browser how to behave when handling your site’s content. There are a lot of different HTTP security headers, but below are typically the most important ones. KeyCDN has a great in-depth post if you want to read more about HTTP security headers.
- Content-Security-Policy
- Feature-Policy
Below is an example of secure header options.

```apache
# START SECURE HEADER INFO
Header always set X-XSS-Protection "1; mode=block"
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Content-Type-Options nosniff
Header always set X-Permitted-Cross-Domain-Policies "none"
Header always set Content-Security-Policy "report-uri https://yourdomain.com/contact/"
Header always set Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"
# END SECURE HEADER INFO
```
You can check which headers are currently running on your WordPress site by launching Chrome devtools and looking at the header on your site’s initial response.
I have combined both the secure header code and the unset headers option in point no. 21 to give a clear picture of the complete secure header set. Jump to the Unset Apache Response Headers section to see the example.
You can also scan your WordPress website with the free securityheaders.io tool by Scott Helme. This will show you which HTTP security headers you currently have on your site. If you aren't sure how to implement them, you can always ask your host if they can help. Below is my website's result, which you can also see directly on their website by scanning.
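To check which of these headers actually reach the browser, here is an added Python audit (example code, not from the original post or from any tool it names) run over a constructed "before" and "after" response; the sample header values are assumptions, the expected set matches the .htaccess example above.

```python
"""Audit the HTTP security headers from this step against a raw HTTP response.
Added example; the two sample responses below are constructed, not captured."""
import re


def _hsts_ok(value):
    """max-age of at least one year, as in the example (preload requires that anyway)."""
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return bool(match) and int(match.group(1)) >= 31536000


# Header name -> check on its value, in the order of the .htaccess example.
EXPECTED = {
    "x-xss-protection": lambda v: v.startswith("1"),
    "strict-transport-security": _hsts_ok,
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v != "",
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-permitted-cross-domain-policies": lambda v: v.lower() == "none",
    "content-security-policy": lambda v: v != "",
    "feature-policy": lambda v: v != "",
}
DISCLOSURE = ("server", "x-powered-by")   # version leaks handled by the Apache steps later on


def parse_headers(raw):
    """Parse the header block of a raw HTTP response into {lower-case name: [values]}."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:   # skip the status line
        if line.strip() == "":
            break                                             # blank line ends the headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw):
    """Report headers that are missing, set to a weak value, or disclose software versions."""
    headers = parse_headers(raw)
    report = {"missing": [], "weak": [], "disclosure": []}
    for name, value_ok in EXPECTED.items():
        if name not in headers:
            report["missing"].append(name)
        elif not all(value_ok(v) for v in headers[name]):   # every copy must pass
            report["weak"].append(name)
    for name in DISCLOSURE:
        if name in headers:
            report["disclosure"].append(name)
    return report


# Constructed sample of a typical response before hardening.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.0\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<!DOCTYPE html>..."
)

# Constructed sample after applying the .htaccess rules from this step.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubdomains; preload\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "Content-Security-Policy: report-uri https://yourdomain.com/contact/\r\n"
    "Feature-Policy: camera 'none'; microphone 'none'\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw))
```

The same audit can be pointed at a live site by pasting the response head from Chrome devtools into the raw string; it only needs the status line and header lines.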
12. Use WordPress Security Plugins
And of course, I need to give some WordPress security plugins a mention. There are a lot of great developers and organizations out there which provide excellent solutions to help you better secure your WordPress site. Here are some of them. I have already introduced All In One WP Security & Firewall, which I use, as mentioned above.
- All In One WP Security & Firewall
- NinjaFirewall (WP Edition)
- Sucuri Security
- iThemes Security
- WordFence Security
Here are some typical features and uses of the plugins above:
- Generate and force strong passwords when creating user profiles
- Force passwords to expire and be reset on a regular basis
- User action logging
- Easy updates of WordPress security keys
- Malware Scanning
- Two-factor authentication
- WordPress security firewalls
- IP whitelisting
- IP blacklisting
- Monitor File change logs
- Monitor DNS changes
- Block malicious networks
- View WHOIS information on visitors
Another great plugin that deserves an honourable mention is the WordPress Security Audit Log plugin. This is excellent for those of you working on WP multisite or simply multi-author sites. It ensures user accountability and lets administrators see everything that is being changed, for example logins, password changes, theme changes, widget changes, new post creations, WordPress updates, and so forth. Practically anything that happens is logged! As of writing this, the WP Security Audit Log plugin has more than 40,000 active installs with a 4.7 out of 5-star rating.
13. Harden Database Security
There are a couple of ways to improve the security of your WordPress database. The first is to use a clever database name. If your site is named Magic Music, by default your WordPress database is most likely named wp_magicmusic. Changing your database name to something more obscure helps protect your site by making it more difficult for hackers to identify and access your database details. The folks over at WPMUDEV wrote a great little tutorial on how to change your database name on existing installs.
A second recommendation is to use a different database table prefix. By default WordPress uses wp_. Changing this to something like 47xw_ can be much more secure. When you install WordPress it asks for a table prefix. There are also ways to change the WordPress table prefix on existing installations.
14. Always Use Secure Connections
I can't stress enough how vital using secure connections is! Make sure your WordPress host takes precautions such as offering SFTP or SSH. SFTP, or Secure File Transfer Protocol (also called SSH File Transfer Protocol), is a network protocol used for file transfers. It is a more secure method than standard FTP. Refer to this article on how to use SFTP to access your WordPress site's plugins, themes, content, and other files.
It is also important to ensure that your home router is set up correctly, which is another important part of the WordPress Security Checklist. If someone hacks your home network, they could gain access to all sorts of information, including possibly where important information about your WordPress site(s) is stored. Here are some simple tips:
- Don’t enable remote management (VPN). Typical users never use this feature and by keeping it off you can keep from exposing your network to the outside world.
- Routers by default use IPs in the range such as 192.168.1.1. Use a different range, such as 10.9.8.7.
- Enable the highest level of encryption on your Wifi.
- IP white-list your Wifi so that only people with the password and certain IP can access it.
- Keep the firmware on your router up to date.
You should always be careful when logging into your WordPress site in public locations. Take precautions such as verifying the network SSID before you click connect. You can also use a third-party VPN service such as SetupVPN to encrypt your internet traffic and hide your IP address from hackers.
15. Check File and Server Permissions
File permissions on both your installation and web server are crucial to beefing up your WordPress security. If permissions are too loose, someone could easily gain access to your site and wreak havoc. On the other hand, if your permissions are too strict this could break functionality on your site. So it is important to have the correct permissions set across the board.
For files:
- Read permissions are assigned if the user has rights to read the file.
- Write permissions are assigned if the user has rights to write or modify the file.
- Execute permissions are assigned if the user has the rights to run the file and/or execute it as a script.
For directories:
- Read permissions are assigned if the user has the rights to access the contents of the identified folder/directory.
- Write permissions are assigned if the user has the rights to add or delete files that are contained inside the folder/directory.
- Execute permissions are assigned if the user has the rights to access the actual directory and perform functions and commands, including the ability to delete the data within the folder/directory.
You can check your current folder and file permissions by using All In One WP Security & Firewall to scan the permissions on your WordPress site.
Notice carefully that I have left 2 permissions untouched even though my security plugin advises setting them to the recommended values.
Below are some typical recommendations for file and folder permissions in WordPress. See the WordPress Codex article on changing file permissions for a more in-depth explanation.
- All files should be 644 or 640. Exception: wp-config.php should be 440 or 400 to prevent other users on the server from reading it.
- All directories should be 755 or 750.
- No directories should ever be given 777, even upload directories.
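The plugin scan above does this for you; as an added example (not code from the original article or from the All In One WP Security plugin), here is a small audit script that walks a WordPress tree and reports every file or directory whose mode falls outside the policy just listed: files 644/640, directories 755/750, wp-config.php 440/400, and nothing world-writable. The sample site it checks is constructed on the fly in a temporary directory and contains three deliberate mistakes.

```python
"""Audit file and directory permissions of a WordPress tree against the
checklist: files 644/640, directories 755/750, wp-config.php 440/400,
nothing world-writable. Added example, not part of the original article
or of the All In One WP Security plugin. The sample site is constructed."""
import os
import shutil
import stat
import tempfile

FILE_OK = {0o644, 0o640}
DIR_OK = {0o755, 0o750}
CONFIG_OK = {0o440, 0o400}


def expected_modes(path, is_dir):
    """Acceptable modes for one path under the checklist policy."""
    if is_dir:
        return DIR_OK
    if os.path.basename(path) == "wp-config.php":
        return CONFIG_OK
    return FILE_OK


def audit_permissions(root):
    """Walk `root` and return (relative_path, mode, problem) tuples.

    'world-writable' covers 777 and any other mode that grants write to
    "other"; 'unexpected' is any other mode outside the policy (for example
    a wp-config.php readable by every user on the server). Symlinks are skipped."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # os.walk visits every directory as `dirpath`, so directories and
        # regular files are both covered by this loop.
        entries = [(dirpath, True)] + [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            if os.path.islink(path):
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), "world-writable"))
            elif mode not in expected_modes(path, is_dir):
                findings.append((rel, oct(mode), "unexpected"))
    return findings


def build_sample_site():
    """Create a constructed (hypothetical) WordPress layout with three
    deliberate mistakes and return its root directory."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    dirs = {
        "wp-content": 0o755,            # fine
        "wp-content/uploads": 0o777,    # wrong: world-writable
        "wp-content/themes": 0o750,     # fine
    }
    files = {
        "wp-config.php": 0o644,                    # wrong: should be 440 or 400
        "index.php": 0o644,                        # fine
        "wp-content/uploads/image.jpg": 0o644,     # fine
        "wp-content/themes/functions.php": 0o666,  # wrong: world-writable
    }
    for rel in dirs:                       # parents are listed before children
        os.mkdir(os.path.join(root, rel))
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // placeholder\n")
        os.chmod(path, mode)
    for rel, mode in dirs.items():         # chmod directories after files exist
        os.chmod(os.path.join(root, rel), mode)
    os.chmod(root, 0o755)                  # mkdtemp creates 0o700, outside DIR_OK
    return root


if __name__ == "__main__":
    site = build_sample_site()
    try:
        for rel, mode, problem in sorted(audit_permissions(site)):
            print(f"{problem:15} {mode:6} {rel}")
    finally:
        shutil.rmtree(site)
```

Point `audit_permissions()` at a real installation root instead of the constructed tree to get the same report for your own site; the `wp-config.php` rule is keyed on the file name only, so a copy of that file kept elsewhere in the tree is held to the same 440/400 standard.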
16. Disable File Editing in WordPress Dashboard
Many WordPress sites have multiple users and administrators, which makes WordPress security more complicated and is one of the most important parts of the WordPress Security Checklist. A very bad practice is to grant authors or contributors the "administrator" role, but unfortunately it happens all the time.
It is important to give users the correct roles and permissions so that they cannot misuse anything. It is also a good idea to simply disable the "Appearance Editor" in WordPress. Most of you have probably been there at one point or another: you go to quickly edit something in the Appearance Editor and suddenly you are left with the white screen of death. It is better to edit the file locally (on localhost) and upload it via FTP. Best practice is to test changes like this on a development site first.
To disable WordPress File editing, simply go to Filesystem Security >> PHP File Editing and check the Disable Ability To Edit PHP Files option. Repeat the same action on the next tab Prevent Access to WP Default Install Files and you are done!
In case your WordPress site is compromised, the very first thing an attacker might do is try to edit a PHP file or theme via the Appearance Editor. This is a quick way for them to execute malicious code on your site. If they do not have access to this from the dashboard to begin with, it helps limit what they can do.
17. Prevent Hotlinking
The concept of hotlinking is very simple. You find an image on the Internet somewhere and use the URL of the image directly on your site. This image will be displayed on your website but it will be served from the original location. This is actually theft as it is using the hotlinked site’s bandwidth. This might not seem like a big deal, but it could generate a lot of extra costs.
To prevent hotlinking in WordPress, simply go to the Firewall option, then to the "Prevent Hotlink" tab, check Prevent Image Hotlinking and save. You are done!
Prevent Hotlinking on Content Delivery Network (CDN)
If you are using a CDN then the setup might be slightly different. Here are some resources with popular CDN providers.
18. Always Take Backups
Backups are the one thing everybody knows they need yet often do not take, and they are one of the most important parts of the WordPress Security Checklist. Most of the recommendations above are measures you can take to better secure yourself. Regardless of how secure your site is, however, it will never be 100% safe, so you need backups in case the worst happens. Most managed WordPress hosting providers now provide backups.
WordPress Backup Plugins
WordPress backup plugins allow you to take your backups via FTP or integrate with an external storage source such as Amazon S3, Google Drive, or Dropbox, both automatically and manually. I highly recommend going with an incremental solution so it uses fewer resources. I personally use UpdraftPlus, which is very light and takes good care of my backups, automatically as well as manually.
19. Secure The Uploads Folder
This is another very important thing to keep in mind: the WordPress "uploads" folder is another common entry point for attackers. Many bots and other malicious scripts target this folder in particular in order to execute uploaded scripts. Because most of us are not aware of this, we overlook it.
To secure your WordPress uploads folder we need to add a small yet powerful piece of code by creating a separate ".htaccess" file in a plain-text editor such as Notepad and uploading it to the "wp-content/uploads" folder through SFTP or FTP. Below is the code you need to write in that separate .htaccess file.
# DISABLE ALL PHP EXECUTION START
# Only PHP files are blocked, so images and other uploads stay reachable
<Files *.php>
deny from all
</Files>
# On Apache 2.4 without mod_access_compat, use "Require all denied" instead of "deny from all"
# DISABLE ALL PHP EXECUTION END
20. Turn Off Apache Signature Information
Turning off the Apache signature information is an easy but very important security measure. When there is nothing in a web directory, Apache by default shows a page with the server information, such as "Apache/2.2.20 (Ubuntu) Server at localhost Port 80", provided you already have the Options -Indexes directive in your .htaccess file; otherwise anyone can see a listing of your directory contents.
Now to implement this login to your cPanel and go to the File Manager, now you can see all your files and folders. Select the main .htaccess file which is outside of your public_html folder.
Right click on the file and select edit and add the following code:
# START UNSET SERVER SIGNATURE INFO
ServerSignature Off
# END UNSET SERVER SIGNATURE INFO
Save the file and that's it! Before adding the code you would see something similar to the first image below. Once you have added the code to the .htaccess file, you will see something like the second image.
21. Unset Apache Response Headers
It is also good practice to hide as much information as possible using the Apache Header directive (mod_headers). The Header directive is processed before the server responds to the client, so it lets you set or unset response headers. For WordPress users this is important: it may look like a small and insignificant leak, but version information in headers tells an attacker exactly which software to look up, so prevention is better than cure.
HTTP/1.1 200 OK
Date: Fri, 05 Apr 2018 09:48:46 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Server: Apache/2.2.3 (CentOS) PHP/7.0.29
Location: http://domain.com
X-Powered-By: W3 Total Cache/0.9.2.3
X-Powered-By: PHP/7.0.29
X-Pingback: http://domain.com/xmlrpc.php
X-Mod-Pagespeed: 184.108.40.206-3343
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN or DENY
Set-Cookie: 1P_JAR=2018-04-05-09; expires=Fri, 06-Apr-2018 09:48:46 GMT; path=/; domain=.domain.com
Set-Cookie: NID=115=fiuswfiuweufewiu82y3ry872487fg87834yr374yr34897ty38973h34879yuwfgfgiuhf8723r8gfb ewgf87g8g; expires=Sat, 28-Apr-2018 09:48:46 GMT; path=/; domain=.domain.com; HttpOnly; Secure
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
As the example above shows, everyone can see information such as the Apache version, operating system name, PHP version, pingback URL, mod_pagespeed version and so on. It does not stop there: third-party tools and plugins sometimes push their own information into headers, and that is visible publicly too. There are plugins to unset these headers, but they may not work alongside other plugins because of compatibility issues.
So now we set the global code in the same .htaccess file used in the previous step. Add the following code alongside the existing directives.
# START PREVENT INDEX VIEW
Options -Indexes
# END PREVENT INDEX VIEW

# START SECURE HEADER INFO
Header always set X-XSS-Protection "1; mode=block"
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Content-Type-Options nosniff
Header always set X-Permitted-Cross-Domain-Policies "none"
# Header name only, with no trailing colon, otherwise a header literally named "Content-Security-Policy:" is sent
Header always set Content-Security-Policy "report-uri https://yourdomain.com/contact/"
# The closing quote is required; an unterminated value makes Apache reject the whole .htaccess (HTTP 500)
Header always set Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"
# END SECURE HEADER INFO

# START UNSET ALL HEADER INFO
Header unset ETag
# Apache adds the Server header after mod_headers runs, so this line alone does not remove it;
# ServerTokens Prod in the main server config (it is not allowed in .htaccess) trims it to "Apache"
Header unset Server
Header always unset X-Powered-By
Header unset X-Powered-By
Header unset X-CF-Powered-By
Header unset X-Mod-Pagespeed
Header unset X-Pingback
# END UNSET ALL HEADER INFO

# START UNSET SERVER SIGNATURE INFO
ServerSignature Off
# END UNSET SERVER SIGNATURE INFO
So now we have the complete picture of how to protect WordPress from these nitty-gritty loopholes. The code above is meant as an advanced, comprehensive set of security headers, but you should always take a backup before changing anything in the .htaccess file. Now you can relax: even if a plugin stops working properly, these settings will keep your site from leaking information.
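A way to verify steps 20 and 21 without trusting the plugin or the .htaccess by eye is to audit the response head the server actually returns. The following is an added example (not code from the original article or from any plugin it mentions): it parses a raw HTTP response head, lists the headers that advertise software or versions, the hardening headers from the snippet above that are absent, and any Set-Cookie line lacking HttpOnly or Secure (that last check goes a little beyond the .htaccess snippet, which does not touch cookies). Both responses it checks are constructed: SAMPLE_RESPONSE mirrors the "before" illustration above with domain.com and the version strings as placeholders, and HARDENED_RESPONSE is what the same site looks like once the directives are in place.

```python
"""Audit a raw HTTP response head for information-leaking headers, missing
hardening headers and cookies without HttpOnly/Secure. Added example, not
from the original article; both responses below are constructed samples."""

# Headers that advertise software or versions; the .htaccess unsets them.
LEAKY_HEADERS = {"x-powered-by", "x-cf-powered-by", "x-pingback", "x-mod-pagespeed"}

# Hardening headers the .htaccess sets; all of them should be present.
EXPECTED_HEADERS = {
    "strict-transport-security", "x-frame-options", "x-content-type-options",
    "referrer-policy", "content-security-policy", "x-xss-protection",
}

# Constructed "before" head, modelled on the article's illustration.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Fri, 05 Apr 2018 09:48:46 GMT
Content-Type: text/html; charset=ISO-8859-1
Server: Apache/2.2.3 (CentOS) PHP/7.0.29
X-Powered-By: W3 Total Cache/0.9.2.3
X-Powered-By: PHP/7.0.29
X-Pingback: http://domain.com/xmlrpc.php
X-Mod-Pagespeed: 0.0.0-placeholder
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: 1P_JAR=2018-04-05-09; expires=Fri, 06-Apr-2018 09:48:46 GMT; path=/; domain=.domain.com
Set-Cookie: NID=placeholder; expires=Sat, 28-Apr-2018 09:48:46 GMT; path=/; domain=.domain.com; HttpOnly; Secure
"""

# Constructed "after" head: signature off, ServerTokens Prod, headers set.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
X-XSS-Protection: 1; mode=block
Content-Security-Policy: report-uri https://yourdomain.com/contact/
Set-Cookie: NID=placeholder; path=/; domain=.domain.com; HttpOnly; Secure
"""


def parse_response_head(raw):
    """Return (status_line, [(name_lower, value), ...]).

    Repeated headers (the two X-Powered-By lines) are kept in order, which
    is why a list is returned instead of a dict."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the head
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def weak_cookies(headers):
    """Names of Set-Cookie values that lack HttpOnly or Secure."""
    weak = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        flags = {p.lower() for p in parts[1:]}
        if "httponly" not in flags or "secure" not in flags:
            weak.append(parts[0].split("=", 1)[0])
    return weak


def audit_headers(raw):
    """Summarise what a response gives away and what protection it lacks."""
    status, headers = parse_response_head(raw)
    present = {n for n, _ in headers}
    leaks = [(n, v) for n, v in headers if n in LEAKY_HEADERS]
    # A bare product name ("Apache", what ServerTokens Prod leaves) is fine;
    # a version or OS string after it is a leak.
    leaks += [(n, v) for n, v in headers if n == "server" and ("/" in v or "(" in v)]
    return {
        "status": status,
        "leaks": leaks,
        "missing": sorted(EXPECTED_HEADERS - present),
        "weak_cookies": weak_cookies(headers),
    }


if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_RESPONSE), ("after", HARDENED_RESPONSE)):
        print(label, audit_headers(raw))
```

To run it against a live site, paste the head returned by `curl -sI https://yourdomain.com/` (a real URL for your own site is assumed) into `audit_headers()`; an empty `leaks` and `missing` list is the state the .htaccess above is meant to produce.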
22. DDoS Protection
A DDoS (Distributed Denial of Service) attack is an attempt to exhaust the resources available to a network, application or service so that genuine users cannot gain access.
Unlike someone hacking your site, these types of attacks don’t normally harm your site but rather will simply take your site down for a few hours or days. What can you do to protect yourself? One of the best recommendations is to use a reputable 3rd party security service like Cloudflare which provides “Unmetered mitigation of DDoS to maintain performance and availability”.
Their advanced DDoS protection can be used to mitigate DDoS attacks of all forms and sizes including those that target the UDP and ICMP protocols, as well as SYN/ACK, DNS amplification and Layer 7 attacks. Other benefits include putting you behind a proxy which helps to hide your origin IP address, although it is not bulletproof.
Cloudflare's global network has defended against sustained attacks of over 400Gbps. If you are under DDoS attack, they can get your site back online within minutes.
As you can see, there are many ways to harden your WordPress security (the WordPress Security Checklist). Using strong passwords, keeping core and plugins up to date, and choosing a secure WordPress host are just a few of the measures that will keep your WordPress site up and running securely. For many of you, your WordPress site is both your business and your income, so it is worth taking the time to implement some of the security best practices above in the near future.
Simply put, take good care of your blog and love it as you care about your loved ones. And never forget to check against the WordPress Security Checklist at any point in time!