Being used by one-third of the total websites, WordPress always manages to catch the eye of hackers. In recent years, the extent of attacks on WordPress is alarming and calls for action. Despite the attacks, WordPress Security is still a massively misunderstood and underappreciated concept. And, web owners find it more convenient to overlook it. 

However, in the wake of these exploits, a lot of people are coming to terms with the need to upgrade their WordPress security standards. But they often find themselves at sea deciding what security practices are legit and what aren’t. Don’t worry! We have done the research for you. In this article, you are about to find the complete list of essential & actionable WordPress security measures for your site. Further, this list is independent of your tech-savviness and can be easily applied by anyone. 

Also, go through the below URLs if you are looking for

Contents of This Guide

WordPress Security – Let’s Talk About Numbers

WordPress is maintained by a group of competent developers. Still, it remains the most viciously attacked CMS in the world. According to a study, more than 70% WordPress websites are vulnerable to attacks. Moreover, the recent hacks on WordPress plugin like GDPR, WP Live chat have put thousands of website on risk. Also, CVE details reveal that most of these attacks are of cross-site scripting.

As you can see in the graph, most WordPress sites have suffered XSS, followed by Code Execution. Additionally, another research unveils that 40% of all attacks are targeted at small and medium websites. So, people believing that only big websites get hacked get the answer.

Further, most of these attacks are a direct result of neglected WordPress security. According to Kinsta, 55% of hacked websites had outdated versions of plugins, themes or CMS.

Now, we already know that the consequences of a hack can be disastrous for a business. There are a whole lot of things that can go wrong. For instance, the attacker can meddle with your confidential & customer data. They can steal your credentials, misconfigure your website and whatnot. And if they get a hold of your financial/payment details you can be bankrupt too. Other hidden consequences of a hack may include, mistrust for your brand, loss of authority, domain value, etc. Furthermore, a hack can also result in a downfall of your site’s search rankings.

Related Guide – WordPress Security Issues 2019

How to Harden WordPress Security

Building a worthy website requires time, effort and energy. But, all these efforts will turn to a fiasco if the security is not taken care of. Certainly, not paying due attention to WordPress security can have lasting aftereffects. 

Yet, protecting your website is much easier than you thought. So, if you diligently followed this list of WordPress security measures for your website, I guarantee that the risks will reduce to a bare minimum.

Website Vulnerability Scanner
Scan your website for 140+ security issues like header security, cookie security, CORS tests, HTTPS security etc.

1. Backup Regularly your WordPress website

Let’s face it – no one is hack-proof on the internet. So, the first thing to do for your WordPress website is proper risk management. This is to say, plan beforehand for a scenario like a hack. And, with good backups in store, you can confidently delete the hacked version and restore your website back to normal immediately. Clearly, in an event like a sudden hack, backups can save you from a complete debacle.

The motive of backup is to restore your website to its best working condition in case of a hack. Also, backups should be taken often and regularly. Now, the frequency could vary from daily to weekly to monthly depending on how often you update the website’s content.

Plus, make sure to take multiple backups (with time & date properly mentioned). Since a hack may remain hidden for days, in that case, you might need a backup dated way back.

Hence, to make your backups more functional, you should include the following files and folders in your backup:

1. The WordPress Files

  • The Core Installation
  • WP Plugins
  • WordPress Themes
  • Images and Files
  • JavaScript and PHP scripts, and other code files
  • Additional Files and Static Web Pages

2. The WordPress Database

The WordPress database stores crucial information like details of posts, pages, comments, tags, users, categories, custom fields, etc. Hence, it is extremely important to include this in the backup.

Verifying that the backup is functional is part of the process. In the end, make sure to test if the backup completes its motive and allows quick and full recovery of your working website.

Note – Maintain your backup against a date and time stamp.

a) Backup of the WordPress Database

For the WordPress database backup, use the MySQL command line. Otherwise, administrative interfaces like phpMyAdmin can also be used.

You can take backups manually, through cPanel, cloud, etc. We have covered a few methods here:

a) How to do Manual backup of WordPress

Follow these steps to take a backup manually –

  • Compress your website files
  • Download it to your local device
  • Store it remotely
  • Build a backup manager with files name, backup date & time as a parameter

Now, backing up manually can prove to be a tedious & time-consuming task. You have to monitor the download of each & every file carefully. Further, the management of backups is again a lot of work.

The one free alternative offering full backup capabilities that stand out of the list is BackWPup. You can skip all this, and use a WordPress plugin instead. Plugins like Updraftplus, Backupbuddy, etc automate the whole process of backing up and is super easy to use.

b) WordPress backup through cPanel 

Another option is to backup through Cpanel. Here is how you can do this:

  1. Log into your cPanel control panel.
  2. Click on the “Backup” icon.
  3. Select “Generate / Download a Full Backup”.
  4. Select “Home Directory” in “Backup Destination” and enter your email address, before clicking the “Generate Backup” button.
  5. You’ll receive an email when the backup is ready.

c) Cloud Backup of your WordPress

Backing up on the cloud is the most convenient way for backing up a WordPress website. Various cloud services like Amazon S3, Dropbox, stash, etc simplifies the backup procedure.

2. Enhance Security by Updating CMS, Plugin & Themes to Latest Versions

After securing a backup plan, the easiest way to secure your website is to update. Every update, whether it for core CMS, or plugins or themes, comes with vulnerability patches & security amendments. Being quick with these updates can reduce risk incredibly. Even the top security experts believe that keeping your website up to date eliminates most of the risks.

But, a major update can sometimes break some functionalities of a website. Hence, it is good practice to take a backup beforehand. After that, put your website in the maintenance mode before initiating a major update.

 Moreover, the WordPress core has three different types of updates:

  • Core development updates, known as the “bleeding edge”
  • Minor core updates, such as maintenance and security releases
  • Major core release updates

The minor releases are automatically updated by WordPress in the backend. So, it is only the major core releases that you have to take care of. Likewise, update the themes are plugins too.

Pro-Tip – You can use our WP Hardening Plugin to fix 12+ issues like (Stop User Enumeration, Disable XMLRPC, Hide Version No. & many more)

WP Hardening plugin

Again, there are two ways to update core, themes, and plugins – Manual & Automated. Both the methods have been explained below –

a) Manual

Core Update – Updating a WordPress website is pretty easy. Since WordPress automatically installs all the minor patches, you have to push the major version updates only. To do this,

  1. Log into your wp-admin
  2. Go to the Updates section.
  3. See if there are updates are available. If there are, update all of them.

Themes and Plugins Update – To update the themes and plugins, follow the following process,

  1. Log into your wp-admin
  2. Go to the Updates section.
  3. See if there are updates are available. If there are, update all of them.

b) Automated

Core Update – As discussed already, WordPress by default automates the minor security patches. However, you can override those changes by editing the wp-config.php file by adding or modifying the following statement – 

define( 'WP_AUTO_UPDATE_CORE', true )

For the major updates, check the updates section in your WordPress backend and initiate update if available.

Themes and Plugins Update – The themes and plugins can be updated automatically using filters. The best place to put a filter is in a must-use plugin. Also, WordPress doesn’t recommend putting filters in the wp-config.php file.  This is because putting filters in the wp-config.php can create conflict with other parts of the code.

To enable automatic updates for themes and plugins, add the following code

add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

 

Update wordress security

3. Update your PHP, to the latest version

Speaking of updates, there is another update that you need to take care of – the PHP version. PHP is the core programming language of WordPress. Certainly, updating it to its latest stable version will enhance your WordPress security.

Note: PHP version 7.0 and older do not have security support and are susceptible to known and unpatched vulnerabilities. Therefore, you must update to the latest PHP version i.e. 7.3.

Note: The PHP version 7.2 will no longer be supported after November 30, 2019.

Here is how you can update your PHP:

  1. Log into your cPanel
  2. Navigate to the Software section. Click on PHP configuration
  3. Next, select the latest stable version of the PHP and click on update.
  4. Review the changes in phpmyinfo

4. Remove defunct Plugins/themes

If you have not used a plugin for the longest time, you must get rid of it to secure your WordPress. This is because even though the plugin is no longer in use or is disabled, the files still exist. Further, these files might contain vulnerabilities unknown to you. Above all, attackers could exploit these vulnerabilities easily. Thus, delete the defunct plugins & themes.

Here is how you can do that:

  1. Log into your WordPress dashboard
  2. Go to the Plugins sections
  3. Identify the inactive plugins, and delete them.

5. Install a WordPress Firewall Plugin 

Need I say, that monitoring your website ceaselessly is humanly impossible? So, the best bet here is a Web Application Firewall. A firewall is a continuous monitoring system for your website. Most importantly, it detects and blocks malicious traffic from coming to your website. 

Although there are scores of firewalls to choose from, you should only go for the hacker-tested ones. Astra’s Firewall is a rock-solid solution. It will protect you in real-time against cyberattacks. Moreover, it works on your own server and requires no DNS change.

Related Blog – How Firewall can help you to secure your WordPress website

Firewall working
How Astra Web Application Firewall protects your WordPress website

 

Here are the distinct features of the Astra firewall:

  • Filtering good traffic from bad traffic and blocking unwanted web traffic.
  • Blocking coming threats like SQLi, brute force attacks, CSRF, DDoS attacks, LFI, RFI, Cross-site scripting, bad bots, Spam, and other zero-day exploits
  • Apart from being intuitive, it is also an intelligent firewall for detecting patterns of attacks and configure itself for the next attack.
  • The Astra firewall is also a great way to block/whitelist IP addresses.
  • Further, Astra’s WAF also enhances the speed and performance of a website.

Speed and security are two desirable aspects of website security and a firewall improves both. Moreover, in this growing age of online threats and attacks, a firewall is a must.

6. Host your WordPress website on a secured server

Hosting server plays an important role in the security of your WordPress website. Choosing a host wisely can be a game-changer in WordPress security. While selecting a server you must consider the following:

  • Authority
  • Reviews and ratings
  • Support
  • Customization
  • Loading time

7. Customize the login page to increase security against Brute-Force attacks

Protecting your login and admin pages is another way to secure your WordPress. Attackers can break into your website through brute-forcing if it is left unsecured. Now, brute-force attacks use the hit and trial method to guess the combination of username and password of your website at a freakingly high speed.

Set strong and unique usernames & passwords for each of these pages. Avoid using an obvious username like ‘admin’, your website’s name, your own name, a proper word that could be found in the dictionary. Same goes with the passwords, refrain from using ‘Password’, your own name, your website’s name, etc as your password.

Related GuideHow to change Admin URL in WordPress

8. Limit login attempts

Another way to protect your WordPress admin area from brute-force is to limit the number of login attempts on it. Plugins like Limit login attempts & Loginizer may come handy in this.

9. Set correct user roles

Not all users need to have all the privileges in your WordPress. You can distribute the required roles for each user according to their responsibilities on the website. You can better control and monitor who does what on your website with these roles. By default, WordPress defines six roles namely, in the descending order of their powers – Super administrator, administrator, Editor, Author, Contributor, and Subscriber.

 You can use the predefined set of user roles or can create custom roles as per your needs. The predefined can be assigned from the dashboard itself, whereas for custom roles a plugin would be needed. The User Roles Editor plugin is best suited for this.

 Here is how you can define custom user roles with this plugin:

  1. Install a plugin ‘User role editor”
  2. Go to ‘Users’>Other rolesStep
  3. Define/add custom roles for a particular user.

10. Protect wp-config File

 wp-config.php contains the configuration details of your WordPress website. Any absurd compromisation in this file can break your website completely. Hence, the wp-config file should be handled with extra care and must be secured with utmost urgency. Further, it also stores sensitive information about WordPress database credentials.

Some ways to secure the wp-config file are:

  • Moving it outside the root folder
  • Blocking internal access and code modifications to your wp-config.php
  • Modifying the default wp-config.php File
  • Setting 400 permission in the wp-config.php file. This means that the user and groups have permission to only read and others have no access at all.

11. Restrict Access To wp-admin

The wp-admin is the administrator area of your website. It can be said that it is the controller of your website. Hackers constantly try to brute-force it to hijack the whole website. This makes it vital to secure the wp-admin area to tighten your WordPress security. You can secure your wp-admin area as follows:

Restricting access and allowing only select IP addresses to your admin page is one way to secure it. This way, any unknown IP automatically gets blocked. In your wp-admin folder, create a .htaccess file and paste the following code there:

Order Deny, Allow
Deny from all
Allow from xx.xx.xx.xx
Edit the xx.xx.xx.xx to contain your IP address.For multiple IP whitelisting, repeat the “Allow from” in the next line and so on.

Usually, there is a Register link on your WordPress login page. Disable this Registration form to discourage access to wp-admin. 

 12. Update WordPress security keys

Secret security keys ensure the security of cookies in your WordPress website. You must set up security keys to discourage any stealing of cookie and impersonation of users. After you have set the secret security keys, it will nullify all the current sessions and will require the user to re-authenticate. Above all, the administrator must change the security keys if there is any compromisation to them or even suspicion of compromisation.

You can generate secret keys both manually as well as with the help of an online key generator. WordPress also has its official secret key generator. Generate keys from here and paste these keys in the wp-config file and you are good to go.

13. Create a unique database prefix

WordPress database is the area where important information/data regarding the website and users sits. Quite obviously, this makes it a desired target. By default, the wpdb contains 11 tables which include tables for – users data, site URLs, posts, pages, comments, etc.

Further, all these tables have the universally known default prefix wp_ before them. The names of these tables are also commonly known. In case of improper validation and sanitization rules for query insertion, a hacker can run SQL commands to fetch data from known database table.

In order to secure the database, you must change the database prefix to something else. Moreover, changing database prefix at the time of installation is the ideal way. However, if you haven’t changed it then, you can also change it by SQL command or with the help of a plugin. Both of these methods are depicted below:

a) Manual

Like mentioned earlier, database prefix can be changed by the help of SQL command. By running a series of commands. For the detailed instruction and procedure follow this link.

b) Automated

There are several plugins on WordPress that help in automating this whole process of prefix change. One such free plugin is the change table prefix plugin.

14. Additional authentication factors for WordPress admin security

To secure your website, even more, the two-factor authentication is a smart tool. This tool ensures the true identity of a user on your website by requiring more than a password to log in. This way, it prohibits any fake, unauthenticated user to access it, even if they happened to guess your password. The two-factor authentication plugin is a great way to apply this security on your website.

15. Setup automatic logout plugin

Not all users on your WordPress are careful and vigilant enough to logout after each session completion. The stealing of cookies and session hijacking also make for major attack vectors on WordPress. You must set an automatic logout so that all the idle customers are logged out of the website.

16. Strengthen your passwords to harden WordPress security

It may look too obvious a security measure, but even then many neglect this. Always opt for unique and strong passwords for your WordPress accounts. Also, refrain from using the word password, admin and proper words from the dictionary as your passwords. Make sure that your password is a combination of letters(upper and lower case), numbers and special characters.

17. SSL data encryption 

Having an SSL( Secure Socket Layer) certificate for your website’s domain adds to its authority and security. It encrypts data transfer between the user and the server. Since Google rankings started getting affected by HTTPS, a lot of authorization companies sprouted. However, not all of these are deemed authoritative by Google. Hence, you must get the SSL certificate from a verified and trusted source.

Further, not redirecting all of your web pages to HTTPS can also have adverse effects on your website. Having both HTTP and HTTPS pages in a website is known as MIxed Content. Now, Google regularly flags websites for mixed content. Thus, make sure to redirect all your pages to HTTPS.

18. Control Comments

WordPress is infamous for pervasive spammy comments. Hence, you must review carefully comments before allowing them on your website. Moreover, you can either disable it altogether or add several conditions to block spam. This requires manual effort. You can also choose a plugin like Askimet to do the job.

19. Set Strict Files  & Folder Permissions in WordPress

You can achieve another WordPress security milestone by setting stricter files and folder permissions. The recommended file/folder permissions for different files/folders are:

  • For wp-config.php = 400
  • For uploads folder = 755
  • For .htaccess files = 400
  • For wp=content = 755
  • For wp-includes = 755
  • For index.php = 444

Wordpress File/Folder Permissions

20. Hide the WordPress version number to protect WordPress from known vulnerabilities

Known vulnerabilities in different WordPress versions are easily available on the internet. These databases serve as a treasure for hackers. They use bots/botnets to hunt for WordPress websites with these outdated versions. Once a bot reaches your website, the first thing it looks for its version number and the listed vulnerability in it. When they do find one such website, they exploit the vulnerability.

 You can protect your website from these attacks by simply hiding your WordPress version number.

Manual

Hide the WordPress version number from Generator meta tag,

  1. Navigate to your root directory
  2. Go to /wp-content/themes/ directory
  3. In the functions.php file, add the following line of code

    remove_action('wp_head', 'wp_generator');

Hide the WordPress version number from the default RSS feeds as follows

  1. Navigate to your root directory
  2. Go to /wp-content/themes/ directory
  3. In the functions.php file, add the following lines of code at the bottom

1

2

3

4

5

function remove_wp_version_rss() {

 return”;

 }

 

add_filter(‘the_generator’,’remove_wp_version_rss’);

Automated 

There are plugins available which hide the WordPress version number, we recommend using the Meta Generator and Version Info Remover plugin.

21. Disable PHP execution when not needed

While WordPress automatically runs PHP file execution for all directories of the website, it’s best that you disable it for such directories as /wp-content/uploads/. You’ll be able to do this using FTP access. Here is how:

  1. Access your website with FTP
  2. Navigate to /wp-content/uploads/ directory
  3. Paste the following code and save the document under the .htaccess format.
    <Files *.php>
    deny from all
    </Files>

22.  Improve hardware protection

It’s only logical to protect the hardware you are accessing your website with. A non-secured PC with security vulnerabilities serves as a way for hackers to enter your website. Ensure that your gadget is well-protected by a firewall and anti-virus software installed. This will not only block WordPress attacks but also any coming online security threats.

Like in the case a website, defunct plugins are a problem, similarly obsolete & defunct applications are an invitation to the threat too. Thus, remove all unnecessary/obsolete applications from your device.

Most applications ask for different permissions right after you install them. As a thumb rule, try giving the least privileges to them.

23. Disable script injections

Disallow script injections to prevent hackers from injecting malicious code into existing PHP documents. You can disable the script injections by adding the following code:

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

24.  Download plugins from reputable sources

Not all the plugins have dedicated developers behind them. A lot of plugins on WordPress aren’t even maintained that often. So, before opting for any random plugin by a third party you must consider the following points:

  • Reviews and ratings
  • Last update and the frequency of updates
  • Support

25. Scan WordPress for malware & backdoors regularly

Monitoring your website is equally important than securing it. Having a proactive malware scanner which scans your website periodically is crucial for WordPress security. Scanning your site every once in a while for viruses and malware lets you be updated with the well-being of your website.

Astra’s machine-learning powered malware scanner is a perfect fit for this. Other scanners include:

By scanning the website, you’ll be able to detect the risk of security breaches instead of having to deal with actual attacks as they happen.

26. WordPress Security Audit

You applied every security measure on your site, however, even then it needs regular maintenance. A premium security audit can greatly help you here. Every now and then your website needs to be checked for new vulnerabilities and broken security.

Astra’s Vulnerability Assessment and Penetration testing program has engineers look into your website for possible vulnerabilities. In a security audit like this, your source code, plugins, and themes are thoroughly audited. It also uncovers loopholes and backdoors in your website.

Related Guide –  How to WordPress Security Audit & Pentesting

Wordpress security issues & prevention

 Conclusion

The WordPress security measures listed in this guide here are security gospels. You must persevere to apply and maintain these on your WordPress site for enhanced security. These WordPress security tips will ensure that your website remains protected from online threats.

Found this article helpful? Share it with your friends

Was this post helpful?

Waiting to Get Hacked?

Get security tips & latest vulnerability fixes right in your inbox:

About The Author

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cyber security community and shared his knowledge at various forums & invited talks.

2 Comments

  1. This Guide is exactly what i am looking for. Thank for Astra Team.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close