25 Best WordPress Security Practices (Updated 2024)
Updated on: December 25, 2023
Anastasia Stefanuk
15 mins read
Article Summary
WordPress is currently powering millions of websites on the internet. While this Content Management System is easy-to-use, it has also fallen victim to repeated security attacks over the last 5 years. In this post, you’ll find out what are the platform’s vulnerabilities, the most common attacks, and best WordPress security practices.
WordPress is currently powering millions of websites on the internet. While this Content Management System is easy-to-use, it has also fallen victim to repeated security attacks over the last 5 years. In this post, you’ll find out what are the platform’s vulnerabilities, the most common attacks, and best WordPress security practices.
It goes without saying, a high number of security attacks doesn’t mean WordPress is the most vulnerable CMS out there. A lot of high-profile companies (Reuters, WSJ, The New York Times, TechCrunch, Forbes, and so on) use the platform to host websites – as a result, it has become a lucrative target for hackers.
If you use WordPress to manage a blog or a corporate page, it’s crucial to be on the lookout for threats and scan your website for possible attacks.
Most common WordPress attacks
Hacker attacks have a handful of negative effects on a website. For one thing, all the data can be taken a hostage and held for ransom. A hacker can use WordPress blog search for sending spam, mining cryptocurrency and many other malicious activities. Before getting to the security practices let us discuss what are the common attacks
Even if the attack is seemingly harmless, the reputation of the website is likely to take a hit. That’s why it’s crucial for an owner to be aware of the main types of WordPress attacks.
Here is a list of attacks that are common yet detrimental for your WordPress websites :
1. Brute force attacks
Brute force, the most popular among WordPress attacks, is aimed at guessing the login and password to the WordPress account. A hacker normally uses a bot to automatically generate thousands of potential combinations and tries them until there’s a 100% match.
After a brute attack is successful, a hacker has full control over the website, all the data stored on servers, and its backend code.
2. Cross-site scripting
Cross-site attacks are another popular form of WordPress hacking that allows hackers to benefit from plugin vulnerabilities. When a user adds a plugin that would be used for an XSS attack to the website, a malicious JavaScript code is loaded in the background mode.
While the attack will have no effects on the user experience, a hacker will be able to steal server data without the admin knowing.
Login and newsletter subscription form plugins are the most frequently used for cross-site attacks.
3. SQL injections
This type of WordPress attacks is aimed at users who use MySQL databases to store user information. If a hacker has access to your website’s database, infiltrating the website will be a breeze.
You can spot an SQL injection in case suspicious accounts have registered on the website. Most likely, a hacker assigned them with the admin access – this way, a website can be freely manipulated.
4. Denial-of-service attacks
The DDoS attack is not WordPress specific – most CMSs aren’t immune to it either. In a nutshell, a hacker will direct a flood of traffic to the website’s server. As a result, the system will be crashed.
It takes a lot of resources and time to restore a website from a DDoS attack. You will be forced to temporarily stop running the website losing active users and potential clients.
Top 25 WordPress Security Practices
Protecting a website from hacker attacks can seem complicated at first glance. Turns out, there are simple yet working tips to keep your WordPress web page secure and immune to all the common schemes. Must adopt 10 security practices to a safer WordPress site:
1. Update your website’s PHP to the latest version
PHP is the core programming language of WordPress. Its older versions are known to contain multiple security vulnerabilities that put the website at the risk of security attacks. Make sure to update the version of PHP to the latest one (7.3 as of May 2019) as v7.1 and those below no longer have security support.
In case you’re using PHP 7.2, keep in mind that it will no longer be supported after November 30, 2019.
2. Strengthen website with a basic HTTP authentication
HTTP authentication requires a user to type in his login and password in order to get access to the admin dashboard login page. While the practice is not efficient for e-commerce or membership websites where website users have their own accounts, it’s highly useful for portfolio websites, event presentation pages, and so on. Learn here how HTTPS affects your SEO rankings.
3. Make a habit to update WordPress security keys
WordPress security keys encrypt and protect the information stored in users’ cookies. There are for types of these variable strings:
l AUTH_KEY;
l SECURE_AUTH_KEY;
l LOGGED_IN_KEY;
l NONCE_KEY.
A set of WordPress keys is usually secure as it’s generated randomly for each user. However, in case you bought an off-the-shelf website, make sure to generate fresh security keys. For that purpose, WordPress has created a free proprietary tool.
After a new set of keys is generated, access the wp-config.php file and replace the old security keys with the fresh ones.
4. Customize the login page
Most users know that typing /wp-login or /wp-admin next to the website hosted on WordPress is a way to access the login tab. Naturally, those are also the most famous combinations tried by hackers.
Customizing the URL of a login page is the first step to prevent the website from hacking. By coming up with a new address like my_admin_tab or dashboard_login, you will reduce the risk of a brute force attack success. Custom Login Page Customizer is a free WordPress plugin which could be of much help here.
Related Article – How to fix WordPress admin dashboard
5. Spot multiple login attempts and set up website lockdown
Another way to bulletproof the website from bullet force attacks is to install a plugin that will spot unusual login activity. As soon as multiple attempts to access the website are detected, it will automatically shut down. This way, a hacker will not be able to get access to the blog. A website owner will be notified about a brute force attack attempt so that he can take additional security measures or consult a professional.
Having Astra Firewall on your website can help you immensely here as this firewall identifies the IPs which tries more login attempts than normal on your website and it blocks them. You can also use WordPress plugin Limit Login Attempt to limit the number of attempts anyone can make on your website.
6. Setup automatic logout plugin
In case there are several users with admin rights, there’s a risk they forget to log out of the dashboard or even leave an open tab when leaving a PC. Such scenarios put your website in potential jeopardy – it’s better to be prepared.
The good news is, there’s a variety of plugins that log out idle users. As soon as the admin tab is not used for a selected timeframe, the access to it will be denied automatically.
7. Strengthen your passwords
Smart password management is a way to protect your website from brute force hackers. Here are a few practices WordPress blog owners should use:
l Improve the password’s strength by adding uppercase and lowercase letters, special characters, and numbers.
l Keep your passwords fairly long – this way, you’ll increase the number of possible combinations a hacker has to go through.
l Use password managers to store strong passwords so that you don’t forget them.
8. SSL data encryption
Adding SSL certificates to protect the admin page is helpful in order to prevent any type of connection-related hacks. Security Socket Layer ensures safe data transfer between browsers and users.
Most hosting companies should be able to help you with SSL implementation. If that’s not the case, you can get a certificate from a third-party provider.
9. Create a unique database prefix
It’s a simple way to protect a website from SQL injections. Instead of a default wp- prefix, create a custom one – namewp- wpentry-, and so on. In case you have already be3en running a website with a standard database prefix, use security plugins to customize it.
10. Check user activity logs
In order to ensure a hacker hasn’t infiltrated your website by creating a new account with admin rights, it’s helpful to control user activity. Also, make sure that writers, content moderators, and other people involved in management can’t make in-depth code-based changes.
In case you want to be notified when it’s time to do a user activity audit, there are more than a few plugins that send website admins reports with all user activity once in a selected timeframe.
User Activity Log is a WordPress activity tracking plugin with the ultimate functionalities. Using this plugin, the admin gets a user logs whenever any user does something on the website. Moreover, you can set up email notification and track specific user logging activities. It also helps you to track WordPress core updates, posts & pages updates, user activities user-wise, and many more.
11. Update plugins regularly
Using older versions of components can compromise the security of the website as a page owner will be missing out of new security patches and updates. In case you’re wondering ‘How do I update my WordPress website?’, the good news is, all the updates are installed automatically. As for plugins, however, admins have to upgrade them manually in the ‘Plugins’ tab in the admin dashboard.
12. Hide the WordPress version number
Though it’s seemingly an innocent detail, keeping the WordPress version up for display in the source view mode can compromise your website. This way, hackers will have a better understanding of how to take advantage of the vulnerabilities of the current WordPress version 5 or the older ones.
In order to remove the version number from the source view and RSS feeds, a developer has to change the functions.php file and add a ‘remove_version’ attribute.
13. Keep an eye on all stored files
Another way to get infected by malware is by storing it on your website’s server. To make sure this will not happen, install a firewall plugin that will scan all files and alert you in case malware is detected.
14. Create fresh website backups
Thanks to backing the blog up regularly, you will be able to restore the website after a security breach. If a hacker gets ahold of the website, you can delete its current version and restore it later in one click.
In case you run a blog with multiple users and entries, it makes sense to consider daily or even hourly backup. For small-scale websites, backing the page up on a weekly or monthly basis is enough so that you don’t waste storage space.
15. Disable file editing
In case your blog is run by a team of editors with admin access, make sure to limit their file editing access. To ensure you’re the only one who can edit plugins and themes, modify the admin access to the WordPress dashboard.
In order to do this, go to the wp-config.php and add define(‘DISALLOW_FILE_EDIT’, true); at the end of the file.
16. Tweak directory permissions
Protecting the directory is highly important as it stores all important subdirectories as well as the individual files. In order to ensure your directory access is limited and impossible to breach, change the directory permission the “755” value and file permissions – to “644”.
To change directory permissions, access the hosting control manager via File Manager or the terminal. You will also be able to install a dedicated WordPress plugin (such as IThemes Security) to check the permissions status of stored files in real time.
17. Use secure connections
To protect your WordPress blog from potential attacks, make sure your host offers an SFTP (short for ‘Secure File Transfer Protocol’). The protocol is more efficient in terms of connection security than a traditional FTP.
It’s also a good practice to improve the security of your home router connection as access to your home network will give a hacker a way to get ahold of the WordPress data. Keep in mind that logging into a WordPress account using public Wi-Fi connections is not recommended.
18. Disable PHP execution when not needed
While WordPress automatically runs PHP file execution for all directories of the website, it’s best that you disable it for such directories as /wp-content/uploads/. You’ll be able to do this using FTP access.
Open a code editor and paste the following code:
<Files *.php>
deny from all
</Files>
Save the document under the .htaccess format.
19. Add additional authentication factors
Another way to improve the state of WordPress blog security is by adding security questions to the login page. This way, it’ll be harder for a brute force hacker to get access to the dashboard.
The good news is, you don’t have to change the code manually in order to strengthen the security of the login page. You can use plugins like WP Security questions.
20. Scan the blog for malware
Taking a proactive approach toward security monitoring is crucial. That means scanning the blog every once in a while for viruses and malware. There is a wide range of dedicated plugins as well as third-party scanners. The list includes:
l ScanWP
By scanning the website, you’ll be able to detect the risk of security breaches instead of having to deal with actual attacks as they happen.
21. Improve hardware protection
It’s easier for hackers to attack a WordPress blog in case a user’s PC is compromised. By improving the security of a gadget, you will be able to decrease risks of not only WordPress attacks but any online security threats.
Here are a few guidelines to use to protect your PC:
l Install security software and the firewall;
l Remove unnecessary applications;
l Use the principle of least privilege.
22. Disable script injections
This way, you will be able to prevent hackers from injecting malicious code into existing PHP documents. To disable script injections, use the following code:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
23. Secure WordPress core files
To ensure nobody can meddle with files that are crucial to keep the website running, store them in the wp-includes folder. This way, while keeping the most important code secure, you’ll still be able to edit theme and plugins as those files will be stored in a different folder.
24. Lock out for malicious IPs
In case you have noticed IPs that consistently try to get access to the blog, it’s helpful to lock them out from your website altogether. To block malicious users, save the following code in the .htaccess file.
order allow,deny
deny from 456.123.8.9
allow from all
25. Download plugins from reputable sources
There are over 40 thousand available WordPress plugins in the market. Some of them are fairly secure, others require additional patches. To ensure your website is protected, follow the guidelines listed below:
l Ensure the provider offers support;
l The plugin author look for feedback from users;
l Be sure to check reviews on different sources (GitHub, WordPress Plugin Directory, and so on).
Secure With a WordPress Security Solution
Even with all the measures in place, your website runs the risk of getting compromised for hackers are on continuous hunt to exploit an overlooked vulnerability. Installing an effective web application firewall will add greatly to your website’s security.
Astra Website Security provides a continuous and comprehensive web application firewall that ensures that your website is protected from SQLi, XSS, bad bots, spam and 100+ other cyber attacks. Further, Astra’s On-demand Malware Scanner scans your website in less than 10 minutes and takes even lesser time for subsequent scans. Click here to get an Astra demo now.
Conclusion
While WordPress is a user-friendly CMS with an impressive number of features, security has always been one of its weaker points. Brute force attacks, SQL injections, or cross-site hacking are all valid threats for WordPress website owners.
The good news is, there’s no need to transfer from the WordPress website builder in order to stay in the clear from security threats. If you’re using updated software, take time to monitor user activity, have secure login data, and use protection plugins, your website will not be at risk for attacks.
Anastasia Stefanuk
