The Ultimate WordPress Security Guide

The Ultimate WordPress Security Guide 2019 (Stay Secure Online)

This Ultimate WordPress Security Guide (WordPress Security Checklist) will help you protect your WordPress site or blog from roughly 75% of common vulnerabilities and security loopholes. Before starting with the detailed steps, let us briefly look at the factors that have made WordPress prone to security breaches.

When it comes to WordPress security, there are a lot of things you can do to secure your website and keep hackers and vulnerabilities from affecting your business or blog. The last thing you want is to wake up one morning and find your site in shambles. So today I will be sharing a lot of tips, strategies, and techniques you can use to harden your WordPress security; try to implement most of them and stay secure.

WordPress Vulnerabilities

WordPress gets criticism now and then for being prone to security vulnerabilities and for not being a safe platform to use for a business. However, this is almost always because users keep following security worst practices. Using outdated WordPress software, poor system administration, weak credential management, and a lack of basic web and security knowledge among non-technical WordPress users keeps attackers ahead in their cybercrime game.

Even industry leaders don’t always use best practices. Reuters was hacked in 2012 because it was using an outdated version of WordPress.

Now this is not to say vulnerabilities don’t exist. According to a Q2 2016 study by Sucuri, a multi-platform security company, WordPress continued to account for the largest share of the infected websites they worked on (74%), and the top three plugins affecting that platform were still Gravity Forms, TimThumb, and RevSlider. This is, however, down quite a bit from Q1 2016.

Pie Chart Blogging Platforms

WordPress powers over 52% of all blogs on the internet, and with hundreds of thousands of theme and plugin combinations out there, it is not surprising that vulnerabilities exist and are constantly being discovered. However, there is also a great community around the WordPress platform to ensure these things get patched ASAP. The WordPress security team is made up of approximately 25 experts including lead developers and security researchers; about half are employees of Automattic and a number work in the web security field.

Check out some of the different types of WordPress security vulnerabilities below.

Backdoors

The aptly named backdoor vulnerability provides hackers with hidden passages bypassing security encryption to gain access to WordPress websites via abnormal methods – wp-Admin, SFTP, FTP, etc. Once exploited, backdoors enable hackers to wreak havoc on hosting servers with cross-site contamination attacks – compromising multiple sites hosted on the same server. In Q2 2016 Sucuri reported that backdoors continue to be one of the many post-hack actions attackers take, with 71% of the infected sites having some form of backdoor injection.

Backdoors are often encrypted to appear like legitimate WordPress system files, and make their way through to WordPress databases by exploiting weaknesses and bugs in outdated versions of the platform. The TimThumb fiasco was a prime example of backdoor vulnerability exploiting shady scripts and outdated software compromising millions of websites.

Fortunately, prevention and cure of this vulnerability are fairly simple. You can scan your WordPress site with tools like SiteCheck, which can easily detect common backdoors. Two-factor authentication, blocking IPs, restricting admin access and preventing unauthorized execution of PHP files easily take care of common backdoor threats, which we will go into more below. Canton Becker also has a great post on cleaning up the backdoor mess on your WordPress installations.

Pharma Hacks

The Pharma Hack exploit is used to insert rogue code into outdated versions of WordPress sites and plugins, causing search engines to return advertisements for pharmaceutical products when a compromised site is searched for. The vulnerability is more of a spam threat than conventional malware, but it gives search engines enough reason to block the website on allegations of distributing spam.

Moving parts of a Pharma Hack include backdoors in plugins and databases, which can be cleaned up following the instructions from this Sucuri blog. However, the exploits are often vicious variants of encrypted malicious injections hidden in databases and require a thorough clean-up process to fix the vulnerability. Nevertheless, you can easily prevent Pharma Hacks by using recommended WordPress hosting providers with up-to-date servers and regularly updating your WordPress installation, themes and plugins. And remember to follow the WordPress Security Checklist!

Brute-force Login Attempts

Brute-force login attempts use automated scripts to exploit weak passwords and gain access to your site. Two-step authentication, limiting login attempts (I will show how to do this in detail below), monitoring unauthorized logins, blocking IPs and using strong passwords are some of the easiest and most effective ways to prevent brute-force attacks. Unfortunately, a number of WordPress website owners fail to follow these security practices, while hackers are able to compromise as many as 30,000 websites in a single day using brute-force attacks.

Malicious Redirects

Malicious redirects create backdoors in WordPress installations using FTP, SFTP, wp-admin and other protocols and inject redirection code into the website. The redirects are often placed in your .htaccess file and other WP core files in encoded form, directing web traffic to malicious sites. WordPress users can use free scanners that effectively detect malicious redirects, such as SiteCheck, VirusTotal and Bots vs. Browsers, and should also listen to user comments. I will go through some ways you can prevent these in my WordPress Security steps further below.

Denial of Service

Perhaps the most dangerous of them all, a Denial of Service (DoS) vulnerability exploits errors and bugs in the code to overwhelm the memory of the website’s operating system. Hackers have compromised millions of websites and raked in millions of dollars by exploiting outdated and buggy versions of WordPress software with DoS attacks. Although financially motivated cybercriminals are less likely to target small companies, they tend to compromise outdated vulnerable websites to build botnets used to attack large businesses.

The Ultimate WordPress Security Guide 2018 (WordPress Security Checklist)

According to Internet Live Stats, more than 60,000 websites are hacked each day. That is why it is so important to take some time and go through the recommendations below on how to better harden your WordPress security (WordPress Security Checklist).

Fundamentally, security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. What security is though is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target, subsequently getting hacked.

WordPress Security Codex

I will make a point to keep this guide up to date with relevant information as the WordPress platform changes and new vulnerabilities emerge.

WordPress Security Guide (WordPress Security Checklist)

  1. Secure WordPress Hosting
  2. Use Latest PHP Version
  3. Unusual Usernames and Passwords
  4. Latest Versions
  5. Lock Down WordPress Admin
  6. Two-Factor Authentication
  7. HTTPS – SSL Certificate
  8. Hardening wp-config.php
  9. Disable XML-RPC
  10. Hide WordPress Version
  11. HTTP Security Headers
  12. WordPress Security Plugins
  13. Database Security
  14. Secure Connections
  15. File and Server Permissions
  16. Disable Editing in Dashboard
  17. Prevent Hotlinking
  18. Always Take WordPress Backups
  19. Secure The Uploads Folder
  20. Turn Off Apache Signature Information
  21. Unset Apache Response Headers
  22. DDoS Protection

1. Choose Secure WordPress Hosting

When it comes to WordPress security, there is much more to it than just securing your site, although we will give you the best recommendations on how to do that below. There is also web server-level security, for which your WordPress host is responsible. It is critical that you pick a host that you can trust for your business. Or, if you are hosting WordPress on your own VPS, then you need the technical knowledge to do these things yourself.

Server hardening is the key to maintaining a thoroughly secure WordPress environment. It takes multiple layers of hardware- and software-level security measures to ensure the IT infrastructure hosting WordPress sites is capable of defending against sophisticated threats, both physical and virtual. For this reason, servers hosting WordPress should be updated with the latest operating system and (security) software and also thoroughly tested and scanned for vulnerabilities and malware.

Server-level firewalls and intrusion detection systems should be in place before installing WordPress on the server, so that it stays well protected even during the WordPress installation and site development stages. However, every piece of software installed on the machine to protect WordPress content should be compatible with the latest database management systems to maintain optimal performance. The server should also be configured to use secure networking and file transfer encryption protocols (for example, SFTP rather than FTP) to keep sensitive content away from malicious intruders.

I personally use the truly unlimited free cloud web hosting from Viewen. It is hard to believe: when all paid and premium hosts are facing similar issues, what is the point in using or even talking about a free hosting company?

It’s true, but not completely true. Even before using Viewen I too had a similar image of free hosting providers. But seriously, when I think of any other PAID or PREMIUM hosting provider now, it’s impossible to remove Viewen from my mind. The wonderful support forum and friendly service are something one should try in order to understand the difference in perception between good and bad. Below is my article with details on Viewen’s Free Cloud Web Hosting; just go through it and you will love it. Though you are always free to choose your hosting from anyone!

Free Cloud Web Hosting

2. Use Latest PHP Version

PHP is the backbone of your WordPress site, so using the latest version on your server is very important. Each major release of PHP is typically fully supported for two years after its release. During that time, bugs and security issues are fixed and patched on a regular basis. As of right now, anyone running a version of PHP below 5.6 no longer has security support and is exposed to unpatched security vulnerabilities.

What’s more, prepare to be surprised. According to the official WordPress Stats page, as of writing this, more than 40.5% of WordPress users are still using PHP 5.6 or lower. That is alarming! Sometimes it takes businesses and developers time to test and ensure compatibility with their code, but they have no reason to keep running on something without security support.

If you are on a WordPress host that uses cPanel, you can easily switch between PHP versions by clicking into “MultiPHP Manager” under the Software category. If you are still unsure, simply reach out to your hosting provider.

3. Use Unusual Usernames and Passwords

Surprisingly, one of the best ways to harden your WordPress security is simply to use smart usernames and passwords. Sounds simple, right? Well, look at SplashData’s 2017 annual list of the most popular passwords stolen that year (arranged by popularity).

  • 123456
  • Password
  • 12345678
  • qwerty
  • 12345
  • 123456789
  • letmein
  • 1234567
  • football
  • iloveyou

That is correct! The most popular password is “123456”, followed by an amazing “Password”. Some of the best security starts with the basics. Google has some great recommendations on how to choose a strong password. Or you can use an online tool like Strong Password Generator.

There are also online password managers such as LastPass or TeamPassword to store all your passwords on the go. You could even keep all your passwords in a simple notepad file stored in your Google Drive or Dropbox, whichever suits you, though such a file is unencrypted, so a password manager is the safer choice.

4. Always Use Latest Version of WordPress and Plugins

Another important way to harden your WordPress security is to always keep it up to date. This includes WordPress core and your plugins. These are updated for a reason, and a great many of these updates include security improvements and bug fixes.

Sadly, a huge number of organizations out there run outdated versions of WordPress software and plugins, and still believe they are on the right path to business success. They cite reasons for not updating such as “their site will break” or “core modifications will be gone” or “plugin X won’t work” or “they simply don’t need the new functionality”.

In truth, sites break mostly because of bugs in older WordPress versions. Core modifications are never recommended by the WordPress team and expert developers who understand the risks involved. What’s more, WordPress updates usually include must-have security fixes along with the additional functionality required to run the latest plugins.

How to Update WordPress Core

There are a couple of easy ways to update your WordPress installation, but always take a backup before any update. Use UpdraftPlus for automatic backups with a one-click restore option. This way you can test new versions of WordPress and plugins without having to worry about them breaking anything. You could also test first in a staging environment, such as on your localhost. To update WordPress core, click into “Updates” in your WordPress dashboard and click the “Update Now” button.

WordPress Core Update

In the same way, you can also update a plugin manually or automatically. Simply grab the latest version from the plugin developer or WordPress repository and upload it via FTP, overwriting the existing plugin within the /wp-content/plugins directory.

Use your best judgment when it comes to plugins. Look at the “Last Updated” date and how many ratings a plugin has.

There are also a lot of resources out there to help you stay on top of the latest WordPress security updates and vulnerabilities. See some of them below:

5. Lock Down Your WordPress Admin

Now before heading further, let me introduce the well known and free All In One WP Security & Firewall plugin. I use it for my website; it is solid but easy, so I highly recommend it for everyone.

WordPress All In One Security Plugin

Sometimes the popular strategy of WordPress security by obscurity is quite effective for a normal online business and WordPress website. If you make it harder for hackers to find certain entry points, you are less likely to be attacked. Securing your WordPress admin area and login is a good way to augment your security. Two great ways to do this are changing your default wp-admin login URL and limiting login attempts.

How to Change Your WordPress Login URL

By default your WordPress site’s login URL is domain.com/wp-admin. One of the problems with this is that all of the bots, hackers, and scripts out there also know this. By changing the URL you can make yourself less of a target and better protect yourself against brute force attacks. This is not a fix-all solution; it is simply one little trick that can definitely help protect you. We will use the All In One WP Security & Firewall plugin to do this.

Change Your WordPress Login URL

As shown in the image above, after installing and activating All In One WP Security & Firewall, simply go to the “Brute Force” option and rename the login URL to something that only you can remember. Isn’t that simple?

How to Limit Login Attempts

While the above solution of changing your admin login URL will cut out the majority of bad login attempts, putting a limit in place can also be very effective. To do this, simply go to the “User Login” tab and set Max Login Attempts, Login Retry Time Period (min), Time Length of Lockout (min), Instantly Lockout Invalid Usernames and Instantly Lockout Specific Usernames.

Login Lockdown Options
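To make the lockout options above concrete, here is an added Python example, written for this guide and not the All In One WP Security & Firewall plugin’s own implementation, that applies a max-attempts / retry-period / lockout-length policy, plus the instant lockout of usernames that do not exist, to a sequence of login events. The IP addresses, usernames and timestamps are constructed sample data; a real deployment would feed it the failed-login events the plugin or the web server log records.

```python
"""Illustrative login lockdown policy, modelled on the plugin options named above
(Max Login Attempts, Login Retry Time Period, Time Length of Lockout, Instantly
Lockout Invalid Usernames). Added example, not the plugin's code."""
from collections import defaultdict, deque


class LoginLockdown:
    def __init__(self, valid_usernames, max_attempts=3, retry_period=300,
                 lockout_length=3600, lockout_invalid_usernames=True):
        self.valid_usernames = set(valid_usernames)
        self.max_attempts = max_attempts
        self.retry_period = retry_period        # seconds; "Login Retry Time Period (min)" x 60
        self.lockout_length = lockout_length    # seconds; "Time Length of Lockout (min)" x 60
        self.lockout_invalid_usernames = lockout_invalid_usernames
        self.failures = defaultdict(deque)      # source -> timestamps of recent failures
        self.locked_until = {}                  # source -> time at which the lockout expires

    def is_locked(self, source, now):
        until = self.locked_until.get(source)
        if until is None:
            return False
        if now >= until:                        # lockout has expired, forget it
            del self.locked_until[source]
            return False
        return True

    def _lock(self, source, now):
        self.locked_until[source] = now + self.lockout_length
        self.failures.pop(source, None)

    def attempt(self, source, username, password_ok, now):
        """Process one login attempt and return its outcome as a string."""
        if self.is_locked(source, now):
            return "rejected_locked"            # refused before the password is even checked
        if password_ok and username in self.valid_usernames:
            self.failures.pop(source, None)     # a good login clears the failure window
            return "accepted"
        if self.lockout_invalid_usernames and username not in self.valid_usernames:
            self._lock(source, now)             # "Instantly Lockout Invalid Usernames"
            return "locked_out"
        window = self.failures[source]
        window.append(now)
        while window and now - window[0] > self.retry_period:
            window.popleft()                    # drop failures older than the retry period
        if len(window) >= self.max_attempts:
            self._lock(source, now)
            return "locked_out"
        return "failed"


def replay(events, policy):
    """Run (time, source, username, password_ok) events through the policy."""
    return [(t, src, policy.attempt(src, user, ok, t)) for t, src, user, ok in events]


# Constructed sample login events: (unix time, source IP, username, password correct?)
SAMPLE_EVENTS = [
    (0,    "198.51.100.7", "admin", False),
    (30,   "198.51.100.7", "admin", False),
    (60,   "198.51.100.7", "admin", False),          # third failure inside 5 min -> lockout
    (90,   "198.51.100.7", "admin", False),          # arrives while locked -> rejected outright
    (120,  "203.0.113.5",  "editor", False),
    (1000, "203.0.113.5",  "editor", False),         # first failure has aged out of the window
    (1010, "203.0.113.5",  "editor", True),          # legitimate user recovers
    (2000, "192.0.2.9",    "administrator", False),  # username does not exist -> instant lockout
    (3700, "198.51.100.7", "admin", True),           # one-hour lockout has expired
]


def run_sample():
    """Outcomes for SAMPLE_EVENTS under the default 3 attempts / 5 min / 60 min policy."""
    policy = LoginLockdown(valid_usernames={"admin", "editor"})
    return [outcome for _, _, outcome in replay(SAMPLE_EVENTS, policy)]


if __name__ == "__main__":
    for t, src, outcome in replay(SAMPLE_EVENTS, LoginLockdown({"admin", "editor"})):
        print(f"t={t:<5} {src:<14} {outcome}")
```

The point of the retry window is visible in the editor’s two failures: they are 880 seconds apart, so the first one no longer counts, and a forgetful user is not locked out by stale failures. The lockout is keyed on the source address here; the plugin’s per-username options work the same way with the username as the key.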

6. Take Advantage of Two-Factor Authentication

And of course, we can’t overlook two-factor authentication! Regardless of how secure your password is, there is always a risk of somebody finding it. Two-factor authentication is a two-step process in which you need not only your password to log in but also a second method. It is usually a text message (SMS), phone call, or time-based one-time password (TOTP). As a rule, this is 100% effective in preventing brute force attacks on your WordPress site. Why? Because it is very unlikely that the attacker will have both your password and your cell phone.

The Google Authenticator plugin is a completely free option and a great alternative. It also allows an unlimited number of users. Once installed you can click into your user profile, mark it active and create a new secret key or scan the QR code.

WordPress two factor authentication setup

You can then use one of the free authenticator apps on your phone.

After enabling this, logging in will require your normal password plus the code from the Google Authenticator app on your phone. You will notice an additional field that now appears on your WordPress login page. So make sure to take advantage of two-factor authentication; it can be an easy way to boost your WordPress security.

7. Use HTTPS for Encrypted Connections – SSL Certificate

One of the most overlooked ways to harden your WordPress security is to install an SSL certificate and run your site over HTTPS. HTTPS (Hyper Text Transfer Protocol Secure) is a mechanism that allows your browser or web application to securely connect with a website. A big misconception is that if you aren’t accepting credit cards that you don’t need SSL. Well, let me explain a few reasons why HTTPS is important beyond just eCommerce. Many hosts, including Viewen, now even offer free SSL certificates with Let’s Encrypt.

1. Security

Of course, the biggest reason for HTTPS is the added security, and yes, this does pertain strongly to eCommerce sites. However, how important is your login information? For those of you running multi-author WordPress websites, if you are running over HTTP, every time a person logs in, that information is being passed to the server in plain text. HTTPS is absolutely vital in maintaining a secure connection between a website and a browser. This way you can better prevent hackers or a man in the middle from gaining access to your website. So even WordPress blogs, news sites and agencies can all benefit from HTTPS, as it ensures nothing ever passes in plain text.

2. SEO

Google has officially said that HTTPS is a ranking factor. While it is only a small ranking factor, most of you would probably take any advantage you can get in SERPs to beat your competitors.

3. Trust and Credibility

According to a survey from GlobalSign, 28.9% of visitors look for the green address bar in their browser. And 77% of them are worried about their data being intercepted or misused online. By seeing that green padlock, customers will instantly have more peace of mind knowing that their data is more secure.

4. Referral Data

What a lot of people don’t realize is that HTTPS to HTTP referral data is blocked in Google Analytics. So what happens to the data? Well, most of it is just lumped together with the “direct traffic” section. If someone is going from HTTP to HTTPS, the referrer is still passed.

5. Chrome Warnings

The Chrome team announced that beginning in January 2017, they will mark HTTP sites that transmit passwords or credit cards as non-secure. This is especially important if your website gets a majority of its traffic from Chrome. You can look in Google Analytics under the Audience section in Browser and OS to see the percentage of traffic your WordPress site gets from Google Chrome. Google is making it a lot clearer to visitors that your WordPress website might not be running on a secured connection.

6. Performance

Because of a new protocol called HTTP/2, those running properly optimized sites over HTTPS can often even see speed improvements. HTTP/2 requires HTTPS because of browser support. The improvement in performance is due to a variety of reasons, such as HTTP/2 supporting better multiplexing, parallelism, HPACK compression with Huffman encoding, the ALPN extension, and server push. And with TLS 1.3 around the corner, HTTPS connections will be even faster.

8. Harden Your wp-config.php file

Your wp-config.php file is like the heart and soul of your WordPress installation. It is by far the most important file on your site when it comes to WordPress security. It contains your database login information and security keys which handle the encryption of information in cookies. Below are a couple things you can do to better protect this important file.

1. Change Permissions

Typically files in the root directory of a WordPress site are set to 644, which means that the file is readable and writable by its owner, readable by users in the file’s group, and readable by everyone else. According to the WordPress documentation, the permissions on the wp-config.php file should be set to 0600, 0440 or 0400 to prevent other users on the server from reading it. You can easily change this with your FTP client. I personally recommend 0600.

2. Disable “wp-config.php” Editing Completely Through “.htaccess”

This is another great method to block any editing attempts by intruders. Just add the following code at the top of the “.htaccess” file through All In One WP Security & Firewall: go to the Firewall >> Custom Rules tab.

# START WPConfig File
# Deny every HTTP request for wp-config.php; the <Files> wrapper scopes the rule to that one file
# (without it, the deny would apply to the whole site)
<Files wp-config.php>
order allow,deny
deny from all
</Files>
# END WPConfig File

Disable wp-config.php Editing Completely

9. Disable XML-RPC

In the past years XML-RPC has become an increasingly large target for brute force attacks. As Sucuri mentioned, one of the hidden features of XML-RPC is that you can use the system.multicall method to execute multiple methods inside a single request. That is very useful, as it allows an application to pass multiple commands within one HTTP request. But it is also used for malicious intent.

To disable XML-RPC completely, go to the “Firewall” tab again, where you will see two options: Completely Block Access To XMLRPC, and Disable Pingback Functionality From XMLRPC (this second option is the one to check if you use Jetpack, the WP iOS app or other apps that need WP XML-RPC functionality; it enables protection against WordPress pingback vulnerabilities while leaving the rest of XML-RPC available).

Completely Block Access To XMLRPC

As already mentioned above, a few WordPress plugins like Jetpack rely on XML-RPC, but the majority of people out there won’t need it, and it can be beneficial to simply disable access to it. Not sure if XML-RPC is currently running on your website? Danilo Ercoli, from the Automattic team, wrote a little tool called the XML-RPC Validator. You can run your WordPress site through it to see if XML-RPC is enabled. If it isn’t, you will see a failure message like the one shown in the image below from my blog.

Disable XML RPC

10. Hide Your WordPress Version

Hiding your WordPress version touches again on the subject of WordPress security by obscurity. The less other people know about your WordPress site configuration the better. If they see you are running an out of date WordPress installation, this could be a welcome sign to intruders. By default, the WordPress version shows up in the header of your site’s source code. Again, I recommend simply making sure your WordPress installation is always up to date so you don’t have to worry about this.

To do this simply go to the “Settings” option then to “WP Version Info” tab and just check the box Remove WP Generator Meta Info and you are done!

Hide Your WordPress Version

11. Add Latest HTTP Security Headers

Another step you can take to harden your WordPress security is to take advantage of HTTP security headers. These are usually configured at the web server level and tell the browser how to behave when handling your site’s content. There are a lot of different HTTP security headers, but below are typically the most important ones. KeyCDN has a great in-depth post if you want to read more about HTTP security headers.

Below is an example of Secure Header Options.

# START SECURE HEADER INFO
Header always set X-XSS-Protection "1; mode=block"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Content-Type-Options nosniff
Header always set X-Permitted-Cross-Domain-Policies "none"
# Header name written without a trailing colon, like the other lines. Note that report-uri on its own
# only says where to send reports; the policy restricts nothing until directives such as default-src are added
Header always set Content-Security-Policy "report-uri https://yourdomain.com/contact/"
Header always set Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"
# END SECURE HEADER INFO

You can check which headers are currently running on your WordPress site by launching Chrome devtools and looking at the header on your site’s initial response.
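As an added example, not code from this guide or from any plugin, here is a small Python audit that takes the response headers you copied out of devtools and reports which of the headers above are missing or weak. The two header sets are constructed samples (the Server and X-Powered-By values included); the checks follow the values used in the block above (one-year HSTS max-age with includeSubDomains, nosniff, SAMEORIGIN, a Referrer-Policy) and additionally flag a Content-Security-Policy that contains only report-uri, since such a policy restricts nothing, and the software-disclosing headers that point 21 of the checklist removes.

```python
"""Audit a set of HTTP response headers against the security headers discussed above.
Added example; header names are matched case-insensitively, as HTTP requires."""
import re

HSTS_MIN_AGE = 31536000  # one year, the max-age the example above uses


def parse_raw_headers(raw):
    """Turn a pasted 'Name: value' header block (as shown in devtools) into a dict.
    The status line and blank lines are skipped."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def audit_security_headers(headers):
    """Return a list of human-readable findings for a name -> value mapping."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append("Strict-Transport-Security max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options not set to nosniff")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    elif not re.search(r"(?:^|;)\s*(default-src|script-src)\b", csp):
        findings.append("Content-Security-Policy has no default-src/script-src, so it restricts nothing")

    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")

    # Headers that reveal the server software; point 21 of the checklist unsets these
    for leaky in ("server", "x-powered-by"):
        if leaky in h:
            findings.append(f"{leaky} header discloses software: {h[leaky]}")
    return findings


# Constructed sample: what a default Apache/PHP install might send (version strings are made up)
WEAK_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.3",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=300",
}

# Constructed sample: the same site after applying the header block above, with a real CSP directive
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; report-uri https://yourdomain.com/contact/",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {audit_security_headers(hdrs) or 'no findings'}")
```

Paste the header block from the devtools Network panel into parse_raw_headers and pass the result to audit_security_headers; the hardened sample produces no findings, the default sample produces eight.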

I have combined both the Secure Header Codes and the Unset Headers option in Point No. 21 to get the clear picture of complete Secure Header. Jump to Unset Apache Response Headers Section to see the example.

You can also scan your WordPress website with the free securityheaders.io tool by Scott Helme. This will show you which HTTP security headers you currently have on your site. If you aren’t sure how to implement them, you can always ask your host if they can help. Below is our website’s result, which you can also see directly on their website by scanning it.

Visual Information Lab (VILab India) Secure Header

Note: It is also important to remember, when you implement HTTP security headers, how they might affect your WordPress subdomains. For example, if you add the Content-Security-Policy header and restrict access by domain, you need to add your own subdomains as well.

12. Use WordPress Security Plugins

And of course, I need to give some WordPress security plugins a mention. There are a lot of great developers and companies out there providing excellent solutions to better secure your WordPress site. Here are some of them. I have already introduced All In One WP Security & Firewall, which I use, as mentioned above.

Here are some typical features and uses of the plugins above:

  • Generate and force strong passwords when creating user profiles
  • Force passwords to expire and be reset on a regular basis
  • User action logging
  • Easy updates of WordPress security keys
  • Malware Scanning
  • Two-factor authentication
  • reCAPTCHAs
  • WordPress security firewalls
  • IP whitelisting
  • IP blacklisting
  • Monitor File change logs
  • Monitor DNS changes
  • Block malicious networks
  • View WHOIS information on visitors

Another great plugin that deserves an honorable mention is the WP Security Audit Log plugin. This is excellent for those of you working on WP multisite or simply multi-author sites. It ensures user productivity and lets administrators see everything that is being changed, for example logins, password changes, theme changes, widget changes, new post creations, WordPress updates, and so on. Practically anything that happens is logged! As of writing this, the WP Security Audit Log plugin has more than 40,000 active installs with a 4.7 out of 5-star rating.

13. Harden Database Security

There are a couple of ways to improve the security of your WordPress database. The first is to use a clever database name. If your site is named Magic Music, by default your WordPress database is most likely named wp_magicmusic. Changing your database name to something more obscure helps protect your site by making it more difficult for hackers to identify and access your database details. The folks over at WPMUDEV wrote up a great little tutorial on how to change your database name on existing installs.

A second recommendation is to use a different database table prefix. By default WordPress uses wp_. Changing this to something like 47xw_ can be much more secure. When you install WordPress it asks for a table prefix. There are also ways to change the WordPress table prefix on existing installations.

14. Always Use Secure Connections

I can’t stress enough how vital using secure connections is! Ensure that your WordPress host takes precautions such as offering SFTP or SSH. SFTP, or Secure File Transfer Protocol (also known as SSH File Transfer Protocol), is a network protocol used for file transfers. It is a more secure method than standard FTP. Refer to this article on how to use SFTP to access your WordPress site’s plugins, themes, content, and other files.

It is also important to ensure that your home router is set up correctly, which is another important part of the WordPress Security Checklist. If someone hacks your home network they could gain access to all sorts of information, including possibly where your important information about your WordPress site(s) is stored. Here are some simple tips:

  • Don’t enable remote management (VPN). Typical users never use this feature, and by keeping it off you avoid exposing your network to the outside world.
  • Routers by default use IPs in a range such as 192.168.1.1. Use a different range, such as 10.9.8.7.
  • Enable the highest level of encryption on your Wi-Fi.
  • IP white-list your Wi-Fi so that only people with the password and a permitted IP can access it.
  • Keep the firmware on your router up to date.

You should always be careful when logging into your WordPress site in public locations. Take precautions such as verifying the network SSID before you click connect. You can also use a 3rd party VPN service such as SetupVPN to encrypt your internet traffic and hide your IP address from hackers.

15. Check File and Server Permissions

File permissions on both your installation and web server are crucial to beefing up your WordPress security. If permissions are too loose, someone could easily gain access to your site and wreak havoc. On the other hand, if your permissions are too strict this could break functionality on your site. So it is important to have the correct permissions set across the board.

File Permissions
  • Read permissions are assigned if the user has rights to read the file.
  • Write permissions are assigned if the user has rights to write or modify the file.
  • Execute permissions are assigned if the user has the rights to run the file and/or execute it as a script.

Directory Permissions
  • Read permissions are assigned if the user has the rights to access the contents of the identified folder/directory.
  • Write permissions are assigned if the user has the rights to add or delete files that are contained inside the folder/directory.
  • Execute permissions are assigned if the user has the rights to access the actual directory and perform functions and commands, including the ability to delete the data within the folder/directory.

You can check your current folder and file permissions with All In One WP Security & Firewall, which scans the permissions on your WordPress site.

File and Folder Permissions

Notice carefully that I have left 2 permissions untouched even though my security plugin is advising me to set them to the recommended permissions.

Here are some typical recommendations for file and folder permissions in WordPress. See the WordPress Codex article on changing file permissions for a more in-depth explanation.

  • All files should be 644 or 640. Exception: wp-config.php should be 440 or 400 to prevent other users on the server from reading it.
  • All directories should be 755 or 750.
  • No directories should ever be given 777, even upload directories.
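As an added check for the rules above (example script, not from the guide or from any plugin), this POSIX shell function walks a WordPress tree with GNU find and reports every entry that departs from them; demo_tree builds a constructed throw-away tree so the script can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the original guide. Audits a WordPress tree against
# the rules above: files 644/640, wp-config.php 440/400, directories 755/750,
# and never 777. Read-only: it reports, it does not chmod anything.
# Assumes GNU find (for -printf); the demo paths are constructed.

audit_wp_perms() {
    # %m = octal mode, %y = type (d/f), %p = path
    find "$1" -printf '%m %y %p\n' | while read -r mode type path; do
        case "$type" in
            d)
                case "$mode" in
                    755|750) ;;
                    777) echo "CRITICAL world-writable directory (777): $path" ;;
                    *)   echo "WARN directory $path has mode $mode (expected 755 or 750)" ;;
                esac ;;
            f)
                case "$(basename "$path")" in
                    wp-config.php)
                        case "$mode" in
                            440|400) ;;
                            *) echo "CRITICAL wp-config.php has mode $mode (expected 440 or 400)" ;;
                        esac ;;
                    *)
                        case "$mode" in
                            644|640) ;;
                            *) echo "WARN file $path has mode $mode (expected 644 or 640)" ;;
                        esac ;;
                esac ;;
        esac
    done
}

# Constructed sample tree with two deliberate mistakes (a 777 uploads directory
# and a 666 image) for trying the audit; prints the temporary path it created.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/uploads" "$t/wp-admin"
    : > "$t/wp-config.php"; : > "$t/index.php"; : > "$t/wp-content/uploads/a.jpg"
    chmod 755 "$t" "$t/wp-admin"; chmod 750 "$t/wp-content"
    chmod 777 "$t/wp-content/uploads"
    chmod 400 "$t/wp-config.php"; chmod 644 "$t/index.php"
    chmod 666 "$t/wp-content/uploads/a.jpg"
    printf '%s\n' "$t"
}

# Usage: sh audit_perms.sh /path/to/wordpress
if [ -n "${1:-}" ]; then
    audit_wp_perms "$1"
fi
```

Run it against the demo tree with `t=$(demo_tree); audit_wp_perms "$t"` to see one CRITICAL and one WARN line; everything else in that tree already matches the recommendations.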

16. Disable File Editing in WordPress Dashboard

Many WordPress sites have multiple users and administrators, which makes WordPress security more complicated, and this is one of the most important parts of the WordPress Security Checklist. A very bad practice is to grant authors or contributors the “administrator” privilege, but unfortunately it happens all the time.

It is important to give users the correct roles and permissions so that they can’t misuse anything. It is also a good idea to simply disable the “Appearance Editor” in WordPress. Most of you have probably been there at one point or another: you go to quickly edit something in the Appearance Editor and suddenly you are left with the white screen of death. It is better to edit the file locally (on localhost) and upload it via FTP. Best practice, though, is to test changes like this on a development site first.

To disable WordPress file editing, simply go to Filesystem Security >> PHP File Editing and check the Disable Ability To Edit PHP Files option. Repeat the same action on the next tab, Prevent Access to WP Default Install Files, and you are done!

Disable File Editing in WordPress Dashboard

If your WordPress site is hacked, the very first thing the attacker might do is try to edit a PHP file or theme via the Appearance Editor, because it is a quick way to execute malicious code on your site. If they don’t have access to this from the dashboard to begin with, it helps limit the damage.

17. Prevent Hotlinking

The concept of hotlinking is very simple. You find an image somewhere on the Internet and use the URL of the image directly on your site. The image is displayed on your website but served from its original location. This is effectively theft, as it uses the hotlinked site’s bandwidth. It might not seem like a big deal, but it can generate a lot of extra costs.

To prevent hotlinking in WordPress, simply go to the Firewall option, then to the “Prevent Hotlink” tab, check Prevent Image Hotlinking and save. You are done!

Prevent Hotlinking

Prevent Hotlinking on Content Delivery Network (CDN)

If you are using a CDN then the setup might be slightly different. Here are some resources with popular CDN providers.

18. Always Take Backups

Backups are the one thing everybody knows they need yet don’t always take, and they are one of the most important parts of the WordPress Security Checklist. Most of the recommendations above are security measures you can take to better protect yourself. But no matter how secure your site is, it will never be 100% safe. So you need backups in case the worst happens. Most managed WordPress hosting providers now provide backups.

WordPress Backup Plugins

WordPress backup plugins allow you to take backups via FTP or integrate with an external storage source such as Amazon S3, Google Drive, or Dropbox, both automatically and manually. I highly recommend going with an incremental solution so it uses fewer resources. I personally use UpdraftPlus, which is very light and takes good care of my backups, both automatically and manually.

19. Secure The Uploads Folder

Another very important thing to keep in mind is that the WordPress “uploads” folder is a common entry point for hackers. Many bots and hacking scripts specifically target this folder to execute malicious scripts. Most of us are not aware of this, so the issue gets overlooked.

To secure your WordPress uploads folder, add a small yet powerful piece of code: create a separate “.htaccess” file in a plain text editor such as Notepad and upload it to the “wp-content/uploads” folder through SFTP or FTP. Below is the code to put in that separate .htaccess file; it blocks requests for PHP files only, so images and other uploaded media are still served normally.

# DISABLE ALL PHP EXECUTION START
<FilesMatch "\.php$">
deny from all
</FilesMatch>
# DISABLE ALL PHP EXECUTION END
Note: Not all hosting providers allow multiple .htaccess files. If you are unsure, just get in touch with your hosting provider.

20. Turn Off Apache Signature Information

Turning off the Apache signature information is an easy but very important security measure. When there is nothing in your web directory, by default Apache shows a page with the server information “Apache/2.2.20 (Ubuntu) Server at localhost Port 80”, provided you already have Options -Indexes in your .htaccess file; otherwise anyone can see your list of directories.

To implement this, log in to your cPanel and go to the File Manager, where you can see all your files and folders. Select the main .htaccess file, which is outside of your public_html folder.

main htaccess

Right click on the file and select edit and add the following code:

# START UNSET SERVER SIGNATURE INFO
ServerSignature Off
# END UNSET SERVER SIGNATURE INFO

Save the file and that’s it! Before adding the code you would see something similar to the image below.

server sign before

Now that you have added the code to the .htaccess file, you will see something like this.

server sign after

21. Unset Apache Response Headers

It’s also good practice to hide as much information as possible using the Apache Header directive. The Header directive is processed before the server responds to the client, so it allows you to set or unset response headers. For WordPress users this is very important: it may look like a small and insignificant weakness, but who knows what may come! Prevention is always better than cure. Here is an example of the response headers a typical site sends:

HTTP/1.1 200 OK
Date: Fri, 05 Apr 2018 09:48:46 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Server: Apache/2.2.3 (CentOS) PHP/7.0.29
Location: http://domain.com
X-Powered-By: W3 Total Cache/0.9.2.3
X-Powered-By: PHP/7.0.29
X-Pingback: http://domain.com/xmlrpc.php
X-Mod-Pagespeed: 1.6.29.7-3343
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN or DENY
Set-Cookie: 1P_JAR=2018-04-05-09; expires=Fri, 06-Apr-2018 09:48:46 GMT; path=/; domain=.domain.com
Set-Cookie: NID=115=fiuswfiuweufewiu82y3ry872487fg87834yr374yr34897ty38973h34879yuwfgfgiuhf8723r8gfb ewgf87g8g; expires=Sat, 28-Apr-2018 09:48:46 GMT; path=/; domain=.domain.com; HttpOnly; Secure
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked

As we can see from the above example, everyone can see information such as the Apache version, operating system name, PHP version, pingback URL, mod_pagespeed version, etc. It doesn’t stop there: sometimes third-party tools and plugins push information into headers that is publicly visible. There are plugins to unset these headers, but sometimes they don’t work alongside other plugins because of compatibility issues.

So now we add the global code to the same .htaccess file used in the previous step. Add the following code alongside the existing lines.

# START PREVENT INDEX VIEW
Options -Indexes
# END PREVENT INDEX VIEW
# START SECURE HEADER INFO
Header always set X-XSS-Protection "1; mode=block"
# HSTS only makes sense once the whole site (and its subdomains) is served over HTTPS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Content-Type-Options nosniff
Header always set X-Permitted-Cross-Domain-Policies "none"
# The header name takes no trailing colon in a Header directive
Header always set Content-Security-Policy "report-uri https://yourdomain.com/contact/"
Header always set Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"
# END SECURE HEADER INFO
# START UNSET ALL HEADER INFO
Header unset ETag
# mod_headers cannot remove the Server header, which Apache generates itself;
# ServerTokens Prod in the main server configuration reduces it to just "Apache"
Header unset Server
Header always unset X-Powered-By
Header unset X-Powered-By
Header unset X-CF-Powered-By
Header unset X-Mod-Pagespeed
Header unset X-Pingback
# END UNSET ALL HEADER INFO
# START UNSET SERVER SIGNATURE INFO
ServerSignature Off
# END UNSET SERVER SIGNATURE INFO

Apache Secure Header Codes

So now we have the complete picture of how to protect WordPress from these nitty-gritty loopholes. The code above is meant as an advanced-level security header setup, but you should always take a backup before changing any code in the .htaccess file. Now you can relax: even if your plugin is not working properly, these settings will keep your site from leaking information.
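To verify the result after editing .htaccess, this added POSIX shell script (example code, not from the guide) reads a response header block, such as the output of curl -sI against your own site, reports the leaking headers discussed above, and lists any of the hardening headers from the snippet that are absent; the embedded sample is the leaky response shown earlier in this section.

```shell
#!/bin/sh
# Added example, not part of the original guide. Reads an HTTP response header
# block on stdin (for instance the output of: curl -sI https://yourdomain.com/)
# and reports the information-leaking headers named above plus any of the
# hardening headers from the .htaccess snippet that are missing.

audit_headers() {
    # Strip CRs and lower-case everything so header names compare reliably.
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')

    # Headers that reveal software or versions. A bare "Server: Apache"
    # (what ServerTokens Prod leaves) is accepted; anything with a version is not.
    for leak in server x-powered-by x-cf-powered-by x-mod-pagespeed x-pingback etag; do
        printf '%s\n' "$hdrs" | grep "^$leak:" | while read -r line; do
            case "$line" in
                "server: "*/*) echo "LEAK $line" ;;
                server:*)      ;;
                *)             echo "LEAK $line" ;;
            esac
        done
    done

    # Hardening headers the snippet above sets; report any that are absent.
    for want in strict-transport-security x-frame-options x-content-type-options \
                referrer-policy content-security-policy; do
        printf '%s\n' "$hdrs" | grep -q "^$want:" || echo "MISSING $want"
    done
}

# Constructed sample: the leaky response shown earlier in this section.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS) PHP/7.0.29
X-Powered-By: W3 Total Cache/0.9.2.3
X-Powered-By: PHP/7.0.29
X-Pingback: http://domain.com/xmlrpc.php
X-Mod-Pagespeed: 1.6.29.7-3343
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN'

# Audits the sample: what the reader would see before fixing .htaccess.
audit_sample() {
    printf '%s\n' "$SAMPLE_HEADERS" | audit_headers
}

# Usage: curl -sI https://yourdomain.com/ | sh audit_headers.sh --stdin
case "${1:-}" in
    --demo)  audit_sample ;;   # audit the constructed sample
    --stdin) audit_headers ;;  # audit whatever is piped in
esac
```

Against the sample it prints five LEAK lines and four MISSING lines; a response that carries only "Server: Apache" plus the five hardening headers produces no output at all.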

22. DDoS Protection

A DDoS (Distributed Denial of Service) attack is an attempt to exhaust the resources available to a network, application or service so that genuine users cannot gain access.

Unlike someone hacking your site, these types of attacks don’t normally harm your site but rather will simply take your site down for a few hours or days. What can you do to protect yourself? One of the best recommendations is to use a reputable 3rd party security service like Cloudflare which provides “Unmetered mitigation of DDoS to maintain performance and availability”.

DDos Protection by Cloudflare

Their advanced DDoS protection can be used to mitigate DDoS attacks of all forms and sizes including those that target the UDP and ICMP protocols, as well as SYN/ACK, DNS amplification and Layer 7 attacks. Other benefits include putting you behind a proxy which helps to hide your origin IP address, although it is not bulletproof.

Cloudflare’s global network has defended against sustained attacks of over 400 Gbps. If you’re under DDoS attack, they can get your site back online within minutes.

Conclusion
As you can see, there are many ways you can harden your WordPress security (WordPress Security Checklist). Using strong passwords, keeping core and plugins up to date, and picking a secure WordPress host are only a few of the steps that will keep your WordPress site up and running securely. For many of you, your WordPress site is both your business and your income, so it is critical to take some time and implement some of the security best practices mentioned above in the near future.

In other words, take good care of your blog and love your blog, as you care about your loved ones. And never forget to check against the WordPress Security Checklist at any point in time!

14 Comments

  • Lucio Collings
    April 15, 2018 5:48 PM

    Wonderful points altogether, you simply won a new reader. What could you recommend in regards to your put up that you simply made some days ago? Any sure?

    • Rahul Mukherjee
      April 17, 2018 9:20 PM

      Thanks buddy! Well, what I can say is you need to check your blog regularly, and use plugins only from authentic publishers; otherwise an unknown or new plugin can insert any script in your blog! So play safe!
  • Earnestine Costa
    April 16, 2018 6:36 AM

    Greetings! I’ve been following your website for a while now and finally got the bravery to go ahead and give you a shout out from New Caney, Texas! Just wanted to say keep up the great work!
  • Nilsson Brandt
    May 8, 2018 7:52 PM

    Wonderful paintings! This is the kind of info that is meant to be shared around the web. Shame on the search engines for no longer positioning this submit higher! Come on over and discuss with my website. Thank you =)

    • Rahul Mukherjee
      May 9, 2018 2:21 PM

      Hi Nilsson,

      Thanks for your kind words of appreciation. One thing I would say: Google is not the internet, but of course Google is a very important part of the internet. They have billions of sites to index; it’s not their fault when thousands of sites go offline every day forever! Also, you can join me on my social networks; I am mostly active on Facebook and LinkedIn.
  • Mallory Hodgkinson
    May 24, 2018 5:07 PM

    I’m not that much of an online reader to be honest, but your site’s really nice, keep it up!
    I’ll go ahead and bookmark your site to come back later.
    All the best!
  • Larisa Edelson
    May 26, 2018 7:43 PM

    I really can’t believe how great this site is. Keep up the good work. I’m going to tell all my friends about this place.
  • Anabel Stach
    May 27, 2018 10:40 AM

    This site looks better and better every time I visit it. What have you done with this place to make it so amazing?!

    • Rahul Mukherjee
      May 27, 2018 1:06 PM

      Hey, thanks for your kind words of appreciation. As mentioned, I have always focused on the user’s perspective. If you find it nice and easy, that’s all! Keep coming back!
  • Viêm khớp
    May 28, 2018 11:15 PM

    Hey there, are you using WordPress for your site platform?
    I’m new to the blog world but I’m trying to get started and set up my own. Do you need any HTML coding expertise to make your own blog? Any help would be really appreciated!
