Securing Your WordPress Site
- WordPress,
- Security
Security Practices
In 2020, over 455 million websites used WordPress, a market share of around 35% of all the websites in the world. As WordPress's market share has grown, so has the number of attacks. However, this is often due to WordPress sites following poor security practices.
Many attacks use automated tools to exploit weak security. A successfully hacked site can give attackers ongoing access, even if you subsequently change passwords. An attacker can take control of a site, use it to send unsuspecting visitors to other sites, infect visitors' computers, and compromise your information and all the data on your site, including your customers' personal data, which could lead to fines and loss of reputation and business.
There are several steps you can take to stop your WordPress site from being hacked.
Note: Remember to always back up your files and database before making any changes.
Update Regularly
The latest available data linked outdated WordPress sites to 44% of hacking cases.
Regularly check for updates to ensure your WordPress site is always using the latest version of WordPress, plugins, and themes. Every good software developer supports their product by issuing updates. These updates fix bugs and vulnerabilities, add functionality required to run the latest plugins, and sometimes include vital security patches.
WordPress
You can set WordPress to automatically install minor updates but you usually have to manually install major version updates.
To carry out a manual update, look in your WordPress dashboard. You should see a notification when a newer version is available: one in the banner area at the top of the admin dashboard, another in the "At a Glance" section, and lastly under Updates in the left-hand menu.
Click any of these links and you'll be taken to the updates page, where you can install the latest WordPress version by clicking the Update Now button.
Plugins
A survey by security experts Wordfence of over 1,000 WordPress site owners that had been victims of attacks found that plugin vulnerabilities accounted for 55.9% of known entry points for hackers. Updating your plugins can better ensure that you are not one of these victims.
Only install trusted plugins. The 'featured' and 'popular' categories in the WordPress repository are a good place to start, or download a plugin directly from the developer's website.
It's important to note that developers don't always keep their plugins up to date. An analysis by WP Loop found that nearly 50% of the plugins in the WP repository had not been updated in over 2 years. A plugin that has not been updated recently may still work with the current version of WordPress, but it is recommended that you use plugins that are actively updated.
Out of date plugins are more likely to contain security vulnerabilities. If your site relies on a plugin, look at when the plugin was last updated, the reviews it has received and use your best judgement while you look for a better alternative.
To update your WordPress plugins, click 'Updates' in your WordPress dashboard, select the plugins you want to update, and click 'Update Plugins'. You can also update a plugin manually by obtaining the latest version from the plugin developer or the WordPress repository and uploading it via SFTP, which overwrites the existing plugin within the /wp-content/plugins directory.
Themes
You should only use themes and plugins from the original creators. Nulled plugins or themes from third-party websites are likely to contain malware.
To update your themes, go to Themes under Appearance. The outdated ones will be marked. To update them click 'Update now'.
As well as keeping all the above updated, also remove the plugins and themes that your site no longer uses. They are just unnecessary extra weight and potential vulnerabilities.
PHP
You should also use the latest version of PHP. PHP is the backbone of a WordPress site, and each major release of PHP is usually fully supported for two years after its initial release. During that time, bugs and security issues are fixed and patched regularly. Today any site using PHP 7.1 or below no longer has security support and is exposed to security vulnerabilities.
According to WordPress, over 57% of its users are still on PHP 5.6 or lower. If you combine this with PHP 7.0, nearly 80% (77.5%) of users are currently using PHP versions that are no longer supported. This means millions of businesses are running outdated versions of WordPress software and plugins.
Sometimes it takes businesses and developers time to test and ensure compatibility with their code, but there is no good reason to run something without security support, and staying on older versions also has a tremendous impact on performance.
If you do not know which version of PHP you are currently using, most hosts include it in a response header. A quick way to check is to run your site through Pingdom, click into the first request and look for an X-Powered-By header. Usually this shows the PHP version your web server is running. However, some hosts remove this header for security reasons.
If you are on a WordPress host that uses cPanel, you can usually switch between PHP versions using 'PHP Select' under the software category.
Use Secure Usernames and Passwords
Some attacks rely on default usernames being used, so the easiest way to avoid automated attacks is to change the usernames.
You can change usernames in cPanel within phpMyAdmin. Don't forget to back up your database before doing any editing.
Alternatively, you can create a new user account with a new username and delete the old admin account. However, before you delete the old account, you must assign the posts made by the original admin account to your new admin account. Do this by choosing the "Attribute all content to" option and selecting your new administrator profile. If you don't, all posts under the previous admin account will be deleted.
You can change passwords in the Users tab in WordPress. WordPress helpfully supplies strong passwords via its random password generator.
Limit Access
Limit access to your site as much as possible. Ideally, use separate accounts for admin purposes and for creating posts on your site.
If you have to allow others access to your site, do not allow unlimited username and password login attempts. Unlimited attempts let attack tools keep trying to log in until they eventually discover your login details. Specialised plugins can limit login attempts, e.g. WP Limit Login Attempts.
Changing your passwords every 2-3 months will also reduce any hacker's chances of breaking into your site.
Use SSL
Installing an SSL (Secure Sockets Layer) certificate and running your site over HTTPS (Hypertext Transfer Protocol Secure) lets a browser or web application maintain an encrypted connection with your website. If your site does not have an SSL certificate, your login and ecommerce details are sent as plain text rather than being encrypted.
With SSL encryption you won't just secure your site; you could also rank higher in Google and avoid trust issues. Google has officially stated that HTTPS is a ranking factor, and the use of SSL is now so widespread that a site is unlikely to rank well without it. Since 2018 Chrome has labelled all non-HTTPS sites as 'Not Secure', a label unlikely to encourage visitors to hand over information like email addresses or bank account details.
Enable Security Scans
Set up a security plugin and use it to scan your website regularly.
We recommend Wordfence. It's easy to use, combines a firewall, login security, malware scanning, and other security tools, and there is a free version available.
File and Directory Protection
wp-config.php
The wp-config.php file holds crucial information about your WordPress installation. It's the most important file in your site's root directory. Protecting it makes it difficult for hackers to breach the security of your site.
You can protect the wp-config.php file by moving it one level above your web root directory. This move will not affect your WordPress site, but the file is no longer inside the publicly served directory, so hackers won't be able to find it.
As an extra security measure you can disable file editing by adding the following code to the end of the wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
This will remove the theme editor link under Appearance. It stops hackers using the theme editor in automated attacks to introduce backdoors into your website, even if they've gained admin access to your WordPress dashboard. If you want to edit files yourself, change true to false in the above code while you edit, and remember to change it back to true once you've finished.
wp-admin
The WordPress admin area is already protected by your WordPress password. However, adding password protection to the admin directory adds another layer of security.
You can password protect your wp-admin folder either by using the Security section in cPanel or by creating .htaccess and .htpasswd files for your wp-admin directory.
cPanel: Log into your site's cPanel and look in the Security section. Click on the 'Password Protect Directories' or 'Directory Privacy' icon. Next select your wp-admin folder, which is normally inside the /public_html/ directory. On the next screen check the box next to 'Password protect this directory' and provide a name for the protected directory. Then click the save button to set the permissions. Next create a user by entering a username and password and click save. The next time someone tries to visit the WordPress admin or wp-admin directory on your website they'll be asked to enter the username and password.
.htaccess and .htpasswd: Create a .htpasswd file in the wp-admin directory containing your username and hashed password (the Apache htpasswd utility generates this line for you). Generate a secure password using e.g. the LastPass password generator. Next create an .htaccess file within the directory and add the following code to it. Make sure you change the AuthUserFile path to match your own username and domain.
AuthType Basic
AuthName "restricted area"
AuthUserFile /home/username/domain.co.uk/.htpasswd
require valid-user
Save the file.
When you visit your website/wp-admin, the directory should now be locked behind an authentication prompt.
Directory Permissions
Allowing write access to files has potential security issues, particularly if the site is in a shared hosting environment.
If another website in your shared hosting is running out-of-date versions of WordPress, plugins or themes, a hacker can gain access to that site, infect it, and then locate any world-readable wp-config.php files belonging to other websites on the same server. If they can read the contents of your file, they can see the database credentials, connect to your WordPress database, create an admin account for themselves and compromise your site from there. So having the correct file permissions can be crucial.
You should lock down your file permissions as much as possible and only loosen those restrictions when you need to allow write access, or to create specific folders with fewer restrictions to do things like uploading files.
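As an added example (not part of the original article), a small audit script that walks a WordPress install and reports loose permissions. It assumes the common convention of 755 for directories, 644 for files and 600 for wp-config.php, which suits hosts where PHP runs as your own account; adjust the limits if your host needs group access.

```python
import os
import stat
import sys

# Assumed convention: directories 755, files 644, wp-config.php 600 so that
# no other account on a shared server can read the database credentials.
MAX_DIR_MODE = 0o755
MAX_FILE_MODE = 0o644
MAX_CONFIG_MODE = 0o600


def check_mode(name, mode, is_dir):
    """Return findings for one path given its permission bits (mode & 0o777)."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    limit = MAX_DIR_MODE if is_dir else MAX_FILE_MODE
    if name == "wp-config.php" and not is_dir:
        limit = MAX_CONFIG_MODE
        if mode & stat.S_IROTH:
            findings.append("world-readable: database credentials exposed to other accounts")
    if mode & ~limit:  # any bit set that the limit does not allow
        findings.append(f"looser than {limit:o}")
    return findings


def audit_tree(root):
    """Walk a WordPress install and map each offending path to its findings."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            path = os.path.join(dirpath, d)
            found = check_mode(d, os.lstat(path).st_mode & 0o777, True)
            if found:
                report[path] = found
        for name in filenames:
            path = os.path.join(dirpath, name)
            found = check_mode(name, os.lstat(path).st_mode & 0o777, False)
            if found:
                report[path] = found
    return report


if __name__ == "__main__":
    # Usage: python audit_perms.py /home/username/public_html
    for path, found in sorted(audit_tree(sys.argv[1]).items()):
        print(f"{path}: {', '.join(found)}")
```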
Disable Directory Listing
If you do not disable directory listing, your site is vulnerable in two ways. First, a simple Google search can reveal whether your site uses any specific plugin. This is potentially useful information for a hacker trying to access your site without permission, particularly if the plugin has a vulnerability they can exploit. Second, if you create a new directory as part of your website and do not put an index.html file in it, your visitors can get a full directory listing of everything in that directory. No password is needed.
To disable directory listing go to the .htaccess file and add:
Options -Indexes
Use SFTP Encryption
When connecting to your server you should use SFTP if your web host provides it. Using SFTP is the same as using FTP, except your password and other data are encrypted as they travel between your computer and your server. This means an attacker cannot intercept your password.
Use HTTP Security Headers
When a user visits a website via a web browser, the server responds with HTTP response headers. These headers tell the web browser how to behave throughout its interaction with the website. Using HTTP response headers with security in mind will improve your website's security and also prevent or mitigate attacks.
Here is a list of some of the headers you can use:
Clickjacking Protection
Clickjacking is an attack that displays an invisible or disguised page or HTML element on top of the page the user sees. The user believes they are clicking the visible page, but in fact they are clicking an invisible element in the additional page superimposed on top of it. It can cause users to visit malicious web pages unwittingly, download malware, provide credentials or sensitive information, transfer money, or purchase products online.
Strict-Transport-Security Protection
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a website tell browsers that it should only be accessed using HTTPS, not HTTP. If a website accepts a connection through HTTP and redirects to HTTPS, visitors may initially communicate with the non-encrypted version of the site before being redirected. This creates an opportunity for a man-in-the-middle attack. The redirect could be exploited to send visitors to a malicious site instead of the secure version of the original site.
The HTTP Strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.
Content Type Sniffing Protection
A drive-by download allows software to be downloaded to a device without the permission or knowledge of its owner. Browsers can "sniff" a response and treat it as a different type than the server declared, so a file uploaded to your site could be interpreted as script or HTML; the X-Content-Type-Options header tells the browser to trust the declared Content-Type instead.
You can combine these three HTTP security headers by adding the following to your .htaccess file:
<IfModule mod_headers.c>
Header always append X-Frame-Options SAMEORIGIN
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set X-Content-Type-Options nosniff
</IfModule>
Note: the Theme Customizer site preview may go blank or stop working while the Header always append X-Frame-Options SAMEORIGIN line is present.
Set Content-Security-Policy Directives
Cross-Site Scripting (XSS) attacks involve malicious scripts being injected into a website's code. A visitor's browser has no way to know the malicious script should not be trusted and executes the script. The script can then access cookies, session tokens, or other sensitive information kept by the browser and used with that site. Hackers can even rewrite the content of an HTML page, get your site blacklisted by Google or other blacklist authorities, and damage your business's reputation. According to WebsiteBuilder, Google blacklists 70,000 websites because of security issues every week.
A Content Security Policy (CSP) is a tool which can lock down a website's applications in various ways, reducing the risk of content injection vulnerabilities such as cross-site scripting. It will not stop attackers exploiting vulnerabilities in your website, but it will stop modern browsers executing injected malicious scripts that may be on your site.
A CSP is made of two parts. The first part is a set of directives which tell your visitors' browsers how to control specific resources on your website. The second is a disposition, which tells browsers whether to enforce the policy or only report violations. For example, to define a policy around JavaScript use the script-src directive: Content-Security-Policy: script-src 'none'.
This directive will prevent the execution of JavaScript in the browsers that respect the Content Security Policy. Having created a directive, you deliver it to your visitor's browser using a Content-Security-Policy HTTP Response Header.
Add the following to your .htaccess file:
<IfModule mod_headers.c>
Header set Content-Security-Policy "script-src 'none';"
</IfModule>
The W3C website has a list of content security policy directives you can set. Note that 'none' blocks your own theme and plugin scripts as well, so test any policy on a staging copy of the site (or deliver it with the Content-Security-Policy-Report-Only header first) before enforcing it.
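As an added example (not from the original article), a Python checker for the four headers discussed above: it parses a response header block and reports which protections are missing or weak. The two sample responses are constructed here; the one-year HSTS max-age threshold matches the .htaccess snippet above.

```python
import re
import urllib.request

HSTS_MIN_AGE = 31536000  # one year, the max-age used in the .htaccess snippet


def parse_headers(raw):
    """Parse a raw HTTP response header block into a lowercase-keyed dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers):
    """Return a list of findings for missing or weak security headers."""
    findings = []
    xfo = headers.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)")
    hsts = headers.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < HSTS_MIN_AGE:
        findings.append("Strict-Transport-Security missing or max-age below one year")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff (MIME sniffing)")
    csp = headers.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing (no XSS mitigation)")
    elif "'unsafe-inline'" in csp or "script-src *" in csp:
        findings.append("Content-Security-Policy allows inline or wildcard scripts")
    return findings


def audit_url(url):
    """Fetch a live site's headers and audit them (needs network access)."""
    with urllib.request.urlopen(url) as resp:
        return audit_headers({k.lower(): v for k, v in resp.getheaders()})


# Constructed sample responses: one hardened as per the snippets above, one default.
HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Content-Security-Policy: script-src 'none';
"""
DEFAULT = """HTTP/1.1 200 OK
Content-Type: text/html
X-Powered-By: PHP/5.6.40
"""

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED), ("default", DEFAULT)):
        print(label, audit_headers(parse_headers(raw)) or ["all checks passed"])
```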
Use Two-Factor Authentication
Two-factor authentication requires users to log in with a regular username and password followed by a second factor: a secret question, a secret code, a set of characters, or, most popular, an authenticator app on a specified phone, which provides a secret code or time-based one-time password (TOTP).
Using two-factor authentication makes it harder for a hacker to gain access to your site.
Change The WordPress Database Table Prefix
The WordPress database uses the table prefix wp_. Using this default prefix makes your site database prone to SQL injection attacks.
SQL injection uses malicious SQL code that allows an attacker to view data not intended for display. This can include sensitive company data, user lists, passwords, credit card details, or personal user information. Many high-profile data breaches in recent years have resulted from SQL injection attacks.
You can add an extra layer of security to prevent such attacks using a plugin like WP-DBManager to change the database table prefix to something unique. For example, dpr_ or owp_. Make sure you back up your site before changing the database table prefix.
Disable XML-RPC
WordPress has a file named xmlrpc.php that implements XML-RPC, a protocol for transmitting data with HTTP as the transport mechanism and XML as the encoding. It helps connect a WordPress site with web and mobile apps.
Unfortunately, XML-RPC can also significantly amplify brute-force attacks. A hacker wanting to try 500 different passwords on your website would usually have to make 500 separate login attempts, and a login security plugin could catch and block many of these. By taking advantage of XML-RPC, a hacker can use the system.multicall function to try thousands of passwords with fewer than 50 requests. Fewer requests are less likely to be stopped by a login security plugin.
The best way to prevent this type of attack is to disable XML-RPC if it is not being used. The least resource-intensive way to do this is to add the following code to the .htaccess file.
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>
Change xxx.xxx.xxx.xxx to the IP address you wish to allow to access xmlrpc.php, or remove the allow line completely to block everyone. This is the older Apache 2.2 access syntax; Apache 2.4 still accepts it when mod_access_compat is loaded.
Enable Logging On The Server
Go to Raw Access in your cPanel and configure it to archive log files to your home directory after the system has processed statistics. It's recommended that you keep about 12 months' worth of logs.
By keeping logs you can investigate any website breach and find out how a hacker gained access to your site.
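As an added example (not part of the original article), a script that reads the Raw Access log format from the section above and counts POSTs to wp-login.php and xmlrpc.php per source address, flagging the bursts that the XML-RPC section describes. The log lines are constructed here using documentation IP ranges; the thresholds are assumptions to tune for your site.

```python
import re
from collections import defaultdict

# Apache combined log format, as archived by cPanel's Raw Access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def count_auth_requests(lines):
    """Per-IP counts of POSTs to wp-login.php and xmlrpc.php."""
    counts = defaultdict(lambda: {"wp-login": 0, "xmlrpc": 0})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        path = rec["path"].split("?")[0]
        if path.endswith("/wp-login.php"):
            counts[rec["ip"]]["wp-login"] += 1
        elif path.endswith("/xmlrpc.php"):
            counts[rec["ip"]]["xmlrpc"] += 1
    return dict(counts)


def flag_sources(counts, login_threshold=10, xmlrpc_threshold=3):
    """IPs whose request pattern looks like password guessing (assumed thresholds).

    The xmlrpc threshold is deliberately low: one system.multicall request can
    carry many login attempts, so a handful of POSTs already deserves a look."""
    return sorted(
        ip for ip, c in counts.items()
        if c["wp-login"] >= login_threshold or c["xmlrpc"] >= xmlrpc_threshold
    )


# Constructed sample log; 192.0.2.x, 198.51.100.x and 203.0.113.x are
# reserved documentation ranges, not real visitors.
def _line(ip, method, path, status):
    return (f'{ip} - - [10/Oct/2020:13:55:36 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    [_line("192.0.2.10", "GET", "/", 200)]
    + [_line("192.0.2.10", "POST", "/wp-login.php", 302)]       # one real login
    + [_line("203.0.113.5", "POST", "/wp-login.php", 200)] * 12  # guessing
    + [_line("198.51.100.7", "POST", "/xmlrpc.php", 200)] * 4    # multicall abuse
    + ["not a log line"]
)

if __name__ == "__main__":
    counts = count_auth_requests(SAMPLE_LOG)
    for ip in flag_sources(counts):
        print(ip, counts[ip])
```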
Backing Up
If your site gets hacked, restoring it from a backup is the best way to recover from an attack. Some hosts have backups built into their plans, or you can use a plugin. How often you back up your site should depend on how often you make changes. If you publish updates or make changes daily, then make backups daily. We recommend Backup Buddy.
Approaching website security seriously and taking precautions now is far easier than trying to recover a hacked site later.
If your web designer cannot provide a security solution, contact us and we will talk you through your options.