WordPress security: how to protect and secure your site?

Tick, tock. Tick, tock. Tick, tock. Every second that passes on your watch, 2,800 attacks on WordPress sites.

Hacking into your site? You probably think that it only happens to other people. Then, one day, it happens to you.

Fortunately, there are ways to prevent this from happening, even though no website can claim 100% protection.

At the end of this article, you’ll know how to strengthen the security of your WordPress site, thanks to 15 practical and detailed tips, including screenshots.

Is WordPress a secure CMS?

With 65% of the market share, WordPress is the most used CMS (Content Management System) on the planet, far ahead of its main competitors Shopify (4.4%) and Wix (2%).

Even more telling, perhaps: 43% of the 10 million most visited websites on the Internet run on WordPress.

From this dominant position comes a major drawback: due to its massive adoption by freelances and agency, WordPress is the target of many malicious attacks.

Despite this, it remains a secure CMS. In its analysis of vulnerabilities within the WordPress ecosystem, security expert Patchstack reports that 96% of security vulnerabilities come from third-party code (extensions and third-party themes), compared to 4% within the WordPress Core.

In total, plugins are responsible for 82% of the vulnerabilities reported, with hackers most often taking advantage of them to inject malicious content into their code.

WordFence goes further to say that the most common security threat to WordPress comes from malware that comes from cracked plugins and themes (known as nulled plugins).

These types of plugins and themes are highly sought after by webmasters who do not want to pay for the premium version(s) of a theme or plugin.

In addition, beyond themes and plugins, security issues also arise due to bad practices of webmasters.

What kind of attacks can happen to a WordPress site?

As you can see, WordPress remains a first choice prey for hackers and other malicious bots.

They attack it in different ways. In its security report mentioned above, WordFence Security highlights the following 5 frequent attacks:

1. Directory Traversal attacks are the most common threat, with 43% of vulnerabilities detected.
2. SQL injections (21%), which attack your database.
3. Malicious file downloads (11%).
4. The site-to-site script (8%). With the cross-site scripting (or XSS), malicious code is injected into the content of your pages.
5. Authentication Bypass vulnerabilities (3%), which exploit an authentication mechanism (e.g. website login) that is too weak.

And unfortunately, the threats do not stop there. The following vulnerabilities can also affect a WordPress site:

• The backdoors (backdoors), which give remote access to your site, without you being aware of it.
• Bruteforce attacks. Here, bots attempt to connect to your website by testing different combinations of passwords and credentials.
• Malicious redirects to unauthorized pages.
• Denial of service attacks (Dos), which make your site unavailable by blocking your server for example.
• The pharma hacks which redirect your site to pages selling pharmaceutical products such as Viagra, for example.

Finally, the white paper dedicated to security on WordPress indicates that “misconfiguration of security”,”exposure of sensitive data”, or CSRF (Cross Site Request Forgery) attacks are potential threats to your WordPress site.

Why should you secure a WordPress site?

Faced with all these risks of attack, it is important to reinforce the security of your WordPress website. Indeed, a hacked site has several negative consequences

• A loss of time to repair the security problem. This is the most common complaint from hacked websites, according to a survey by Sucuri. Because of this loss of time, you can’t focus on higher-value, business-generating tasks.
• Damage to your brand image. No Internet user likes to visit a hacked website. It doesn’t inspire confidence and doesn’t encourage them to come back in the future. Your reputation and that of your team is also affected.
• A degradation of the user experience (UX). A visitor appreciates to find easily and quickly what he is looking for on a website. If this is not met, a user is likely to turn to the competition.
• A negative impact on your SEO. Access to an unsecured site can be blocked by search engines, especially Google. Google may even remove your website from its SERP (search results page) if you are a victim of SEO spam (spamdexing).
• A decrease in your turnover. If you are a freelancer or a web agency specialized on WordPress, and you offer products and/or services on an online store such as WooCommerce, you will not be able to make sales when your site becomes inaccessible
• A threat to your personal information. A hacker can hack your site to retrieve your personal information and the banking data of your customers and team members. You expose yourself to ransomware and also to a possible usurpation of your identity.

Unfortunately, a hack doesn’t only happen to others. But there’s no need to panic

Now, find out how to secure your WordPress site with the help of tried and tested tips and best practices.

15 tips to secure your WordPress site

Use HTTPS

This is probably the first thing you should do to strengthen the security of WordPress: use HTTPS (Hypertext Transfer Protocol Secure ).

As the Google documentation states documentation, HTTPS “protects the integrity and confidentiality of data when information is transferred between the user’s computer and the site.

Its use is preponderant. HTTPS reassures by showing that the connection to your site is secure, by displaying a padlock in the browser bar.

It is therefore essential to ensure the protection of data circulating on your site (banking, personal), especially if you sell online.

On the other hand, unsecured sites (in HTTP) are “sanctioned” by the main browsers (Chrome, Firefox, Safari, Opera) which display a warning message when a visitor wishes to access them:

To switch your WordPress site to HTTPS, you must first obtain an SSL (Secure Sockets L ayer) certificate. This is the certificate that displays the famous padlock on your browser.

Most hosting companies offer one free of charge, most often through the Let’s Encrypt certification authority.

To activate this certificate, go to your hosting interface in the section dedicated to security:

To finish securing a WordPress site in HTTPS, remember to perform 301 redirects and to solve any problems with mixed content (content always loaded in HTTP and not in HTTPS). The Really Simple SSL extension can do this for you automatically.

Opt for strong passwords

The number makes your head spin. In the first half of 2021, 86 billion password attacks were blocked by the WPScan tool.

Automated password attacks are on the rise, especially because they are a fairly easy way for a hacker to gain access to your site.

To secure WordPress, start by making life difficult for malicious software and bots by avoiding passwords that are too obvious to detect.

For example, “123456”, “123456789”, “qwerty”, “password”, “111111”, or “iloveyou” are some of the easiest and fastest passwords to crack.

In order to protect yourself, apply the following best practices :

• Don’t choose passwords related to your pet, your family, your birth date, your name, your children, colors, cars or countries. In short, anything that is too obvious should be banned.
• Use numbers, special characters, upper and lower case letters in your password. An example of a strong password? Xuiop5209MLoP654$M*
• Your WordPress password should be unique: you should not use it to log into other tools or applications.
• Avoid words in the dictionary, which are targets of “dictionary attacks”.
• To create strong passwords, use a free generator or a more complete paid manager like Dashlane or 1Password
• Transfer your passwords by email in a secure way with a service like One Time.

By extension, passwords often mean usernames. By the way, don’t use an admin username, it’s much too easy to guess!

Installing WordPress security plugins

Reinforcing the security of WordPress is done through the use of security extensions. There are two ways to do this.

The first is to use plugins that are targeted to a specific use:

• Limit Login Attempts Reloaded fights against brute force attacks.
• BBQ Firewall protects your site against SQL injection attacks.
• Login Lockdown limits the number of login attempts to the WordPress administration.

The list is not exhaustive and gives you a first idea of what you can do. These extensions will be very effective but if you want to use them together, you will have to activate them one by one

To simplify your life, there is a second way to proceed: install a free “general purpose” WordPress security plugin.

This toolkit will somehow contain several security solutions in one, so you don’t have to activate different plugins

There are three very strong main players in the WordPress ecosystem in this regard

• iThemes Security.
• WordFence Security.
• Sucuri.

All three have the advantage of offering free versions. For the rest, their features are quite similar.

For example, you will benefit from protection against brute force attacks, a security scanner, IP address and user blocking, two-factor authentication, WordPress secret key update, file permissions settings, etc

To decide, check the details of the options offered and take your budget into account: some major features are only available with the Pro version of the extension in question.

For example, WordFence offers a Web Application Firewall (WAF) in its free version, while Sucuri only offers it in its premium version.

Update your WordPress site regularly

Relying on a third-party plugin is still very important to reinforce the security of your WordPress installation, but it won’t be enough, as you can imagine.

You’ll also need to do your homework, starting with updating your WordPress site regularly, to use the latest version of the WordPress core, your plugins and your themes.

To do this, WordPress has a very handy mechanism: it automatically notifies you on your dashboard when an update is available

Go to the Dashboard > Updates menu to get an overview of what you have left to do

Click on the box corresponding to the extension or theme you’re interested in, and then click on the “Update extensions” button:

Performing updates is crucial to maintain your WordPress site: it allows you to fix bugs and security flaws, while ensuring that your site remains efficient.

We recommend that you pay attention to two things

• When upgrading to a new major version of WordPress, wait a few days before updating your back office. Indeed, bugs are often fixed in the hours and days following its deployment. It is better to wait a little to avoid any incompatibility.
• Remember to back up WordPress before performing a major upgrade of the WordPress core (e.g., moving from WordPress 5.8 to WordPress 5.9). More on this in the next tip.

Also, upgrade your PHP version to a recent version of PHP. If your hosting company uses the cPanel interface, you can do this in the “Software” box by choosing “Select a PHP version”.

Save your site frequently

Here is an excellent webmaster practice for securing WordPress: back it up as often as possible!

A backup includes saving your files and your database. The database is the most important part of your WordPress site, since it lists all the content of your site (posts, pages, comments, options, etc.). Don’t forget it in the manipulation!

Having backups of your WordPress site will allow you to restore it in case of a hack

You can back up your site using an FTP(File Transfer Protocol) client such as Filezilla, but the manipulation is technical and dangerous if you are not a skilled technician

Finally, the easiest method for a novice is to activate a dedicated backup plugin, which will take care of everything for you automatically.

The most popular one on the official directory is called UpdraftPlus. Very easy to configure, it allows you to schedule your backups and export them to third-party services like Google Drive, Dropbox or Amazon S3.

Other good points: UpdraftPlus allows you to restore a backup from the plugin interface, and its free version is comprehensive enough to get started.

In addition to a plugin to secure WordPress, cover your back by also using a backup module offered by your host (if they offer it). This will kill two birds with one stone.

Choose a secure hosting

Speaking of hosts, they also play a role in the security of your WordPress website

It must offer a sufficient degree of security to limit the risks of malicious attacks. ” The configuration of the operating system and the underlying web server hosting the software are equally important to preserve the security of WordPress applications,” says the WordPress security guide.

What exactly is a good and secure host? To choose the right one, pay attention to

• Its reputation. A solid host that has been on the market for several years will often be more credible.
  Check out customer reviews and read up on specialized groups and forums to get a better idea of the host you are looking for.
  
• Its use of good security practices: presence of a firewall and anti-virus to protect its servers, regular updates and backups, use of the latest versions of software, SSL support, malware scanning.
  Read carefully the websites of the hosting companies you are looking at to find out this information.
  
• The quality of their customer service. Prioritize responsive support that can be reached 24 hours a day in case of problems.

Ideally, a dedicated or specialized WordPress host is often better for security than a shared hosting. On shared hosting, you share bandwidth resources with other sites. If each site is not isolated, you will also be affected if an infected site is hacked onto your server.
Nevertheless, dedicated or specialized hosting will be more expensive than shared hosting.

Protecting the WordPress admin login page

Since the beginning of this article, we’ve talked about WordPress admin login attempts, which malicious bots are very fond of.

It must be said that WordPress “baits” them by making the login form page visible, publicly accessible in two ways

• monsite.com/wp-admin
• monsite.com/wp-login.php

This works on any WordPress site, unless the webmaster has changed the URL of the login form page for added protection!

It is possible to do this very easily with the help of the free extension WPS Hide Login.

As described on the official directory,“the wp-admin directory and the wp-login.php page become inaccessible, so you have to bookmark or remember the URL” to be able to login.

Here is how to do it. Once the extension is enabled, go to Settings > WPS Hide Login.

Change the slug of your login URL to something complex, such as a combination of numbers and letters

Use two-factor authentication

To go even further in securing the connection to your administration interface (admin), activate the two-factor authentication

The principle of this mechanism is simple: after entering your login and password, it is necessary to validate access to your site using a verification code sent to your smartphone or tablet

This is the system that is now used on most ecommerce sites when you make a purchase. In order to accept the payment, your bank asks you to confirm it on its app or by SMS.

Several free WordPress extensions allow you to set up two-factor authentication

• Two Factor Authentication.
• WP 2FA.
• miniOrange’s Google Authenticator.

Whichever one you choose to use, you will have to scan a QR code to authenticate yourself:

Blocking spam

Now let’s talk about spam. On WordPress, spam comes in the form of unwanted comments that may contain malicious code and links to unsavory sites.

To reinforce the security of your site, protect yourself against this plague by activating the Akismet extension, which is present by default on every WordPress installation.

This will filter out the vast majority of spam and save you from having to approve hundreds of spam comments per day.

For the rest, apply the following settings to your comment settings

• As an admin, always approve comments manually.
• Ask the author of a comment to fill in his name and email.
• If needed, you can also close comments on articles older than X days (you decide how long).

For all this, go to Settings > Comments as you can see on the screenshot below:

In order to fight effectively against spam, a good practice is also to install a captcha system on your site, in order to differentiate humans from robots. To do this, activate one of the two following extensions: reCaptcha by BestWebSoft or Login No Captcha reCAPTCHA. You can also directly integrate the free reCAPTCHA system from Google, but this requires a minimum of code knowledge.

Improve the security of the wp-config.php file

Without transition, let’s continue this overview of security on WordPress by talking about a key file: wp-config.php. This file, located at the root of your site, manages its settings.

By default, it contains directives to reinforce the security of your WordPress site, but nothing prevents you from going even further by adding additional code.

Here are some of the things you can do:

Update WordPress security keys

These keys are used to encrypt your users’ cookies. Replace the default ones with new ones at random with this free tool.

Check the prefix of your database tables

By default, WordPress offers you the wp_ prefix each time you install the CMS… but this is a bad practice in terms of security because this prefix is easily detectable by a hacker.

To avoid any problem, the best thing to do is to change it at each new installation. If it is already too late, you will have to modify this prefix in wp-config.php.

Don’t forget to do it in each table of your database with the Database Search and Replace script.

For a novice, the easiest and least risky way is to use an extension like Brozzme DB Prefix & Tools Addon. But be careful, save your site beforehand.

Restrict access to file editors

Finally, you can secure the way you edit files for your plugins and other themes by simply disabling file editing on the WordPress admin.

This simple line of code will disable the “Edit” menus on your back office:

define('DISALLOW_FILE_EDIT',true);

Protecting your site with the .htaccess file

After the wp-config.php file, let’s move on to another strategic file to ensure the security of WordPress: the .htaccess file.

This file is a configuration file for the Apache server, used by most hosting companies. Chances are, yours does too.

The .htaccess can be very useful for SEO, to fight against spam and therefore to reinforce security.

However, you must handle it with care: the slightest syntax error in it can trigger the display of a error 500 for example, and make your site inaccessible.

If you’re not sure (this also applies to wp-config.php), don’t do it or get a professional team to help you.

Want to go it alone? These pieces of code might interest you:

• Options All -Indexes allows you to disable the display of your site’s directory contents in a browser.
• <files .htaccess>
order allow,deny 
deny from all 
</files>
  protects access to the .htaccess file.
• <files wp-config.php>
order allow,deny 
deny from all 
</files>
  protects access to the wp-config.php file.

Hiding your WordPress version

By default, WordPress displays the version it is running on in its code. This means that anyone can access it and see if your site is up to date, or if it’s running an outdated version of the CMS.

Hackers can take advantage of this public information to find out what known security flaws are present on your site, and take advantage of them to harm you.

To limit their scope of action, it is possible to hide your version of WordPress by adding this line of code in your functions.php file:

remove_action("wp_head", "wp_generator");

To verify that the version display has disappeared, refresh your page. Right click on Google Chrome and select “View page source code”

Using the keyboard shortcut Ctrl + F (PC) or Cmd + F (Mac), search for the word “generator”. In principle, you should not find anything. If not, for your information, the following line of code will be displayed:

Finally, delete the readme.html file located at the root of your site, since it also contains your version number.

Check the access rights to files and directories

Speaking of files, it is important to control their access rights – as well as those of their directories – in order to secure your WordPress site.

By default, it is possible to assign read, write and execute permissions on your files and directories.

Obviously, if a permission is not set correctly, hackers could take advantage of it to access it and perform malicious actions

Regarding file and folder permissions, the WordPress documentation recommends the following

• All directories must be in permission 755 or 750.
• All files must be set to 644 or 640 permission. One exception: wp-config.php should be set to 440 or 400 to prevent other users on the server from reading it.
• No 777 permission should ever be given to a directory.

To find out if your files and directories have the right permissions, log into your FTP client, then take a look at the “Access Rights” column.

If something is wrong, right-click on the file or directory and change its permission by choosing “File Access Rights”:

Install plugins and themes from the official directory first

We’ve talked a lot about plugins and themes in these lines, and you may have noticed that we always recommend extensions from the official WordPress directory.

Beyond the huge number of extensions it offers – nearly 60,000 – the official directory offers a security advantage.

Both extensions and themes “are manually reviewed by volunteers before being made available on the repository,” says the white paper dedicated to security on WordPress.

Even if WordPress specifies that this does not guarantee “that they are free of security flaws”, this first filter is still appreciable.

You won’t necessarily find this verification formalism on third-party stores. So be careful with them when looking for themes or extensions.

Choose stores with a good reputation and/or solid platforms, such as ThemeForest for themes or CodeCanyon for WordPress plugins.

You don’t need an extension or a theme on your back office anymore? Deactivate and delete them to limit security risks.

Be a vigilant webmaster

Finally, the last tip mostly takes the form of general advice, applicable to WordPress as well as to your web browsing: be vigilant.

To do this:

• Don’t open emails that look suspicious to avoid any risk ofphishing.
• Create separate accesses for each user who will collaborate on your site (freelancers, team members, etc.). Don’t give them your login and password to log in, even if it’s easier and faster.
• Define the right roles according to the actions each user will perform. For example, an editor does not need to be an administrator of your site.
• Avoid allowing files to be uploaded to your site.
• Clean your database regularly, for example with a multi-tasking extension like WP Rocket.
• Activate a maintenance mode you can also use the “update” button when it is appropriate, for example when a major update is carried out.

Security on WordPress : the summary

The security of a WordPress website should be a priority for all webmasters. Even if no website is infallible, implementing the tips and best practices presented in this article will help you considerably limit the risks of hacking

By the way, a hacked website can present some characteristics that should alarm you

• It becomes impossible to connect to it.
• The hyperlinks on your pages redirect to third-party sites that you do not know (e.g. adult content).
• New users are added to your site without your permission.
• Your browser or Google tells you that your site has been hacked.

When in doubt, act quickly. The impact on your revenue, SEO, brand image and user experience can be disastrous.

Do you need help securing or updating a WordPress site that has been attacked?

WP Maintenance’s team of experts is available 7 days a week to help you. Contact us to learn more.