WordPress Website Security Hardening
What you can do to stop your WordPress site from getting hacked.
Over the years of my web development career I’ve come across many hacked sites, and it can be truly devastating for website owners. Personally I know how it feels to wake up and see your beloved labour of love or business storefront is now a dancing Russian bear, cheerfully gloating about hacking your site. It’s an absolute nightmare. It’s okay though. Hacked sites can be cleaned, and once they are cleaned and the feeling of dread fades it’s time for some security hardening and ongoing site health maintenance. You can prevent security breaches by implementing the following procedures.
Many people will tell you the answer is to keep your plugins up to date, but there is more to it than that.
Install Wordfence
Install and enable the Wordfence WordPress plugin, which provides you with a firewall.
Limit login attempts
The firewall will limit the number of failed login attempts users or bots can make. You can set the number of login attempts manually. I usually set this to be very strict (5) for personal sites and a little more lenient for client websites (10).
Some clients are not using password managers and often forget their passwords, so 10 login attempts gives them some wiggle room.
Wordfence will ban suspicious login attempts automatically. It also produces a report that notifies you of suspicious user activity, from which you can ban the suspect users of your choosing by blocking their IP address.
Monitoring and alerts
You need to know when there are issues to be fixed so you can jump on them right away. Time is absolutely critical when you have a compromised site, and no one expects you to sit watching the Wordfence dashboard 24 hours a day. Turn on Wordfence’s email alerts so you are notified as soon as something needs attention.
Set strong, unique passwords
Most WordPress website hacking is due to weak passwords. Hackers can simply brute force (guess your password) their way into your site if you have a weak password and weak username.
Your passwords should be super long and absolute gibberish. Your password should be impossible to remember. You will need a password manager to remember your unique passwords for all your sites.
If you ever need to share login access with a colleague, a password manager such as 1pass will allow you to share temporary access securely.
2 Factor Authentication
Enable two-factor authentication (2FA). This feature is built into the Wordfence plugin; you just need to activate it in the configuration settings.
WordPress Security hardening with site maintenance.
- Deactivate and remove unused plugins and themes
- Keep plugins, themes and WordPress core up to date.
- Disable the “Anyone can signup” option in WordPress admin settings
Site Scanning
- Site scans done with Wordfence provide valuable information on abandoned plugins and plugins with critical vulnerabilities.
- Scan logs for hacking attempts and blacklist suspicious IP addresses.
Server Level
- Run the most updated version of PHP.
- Remove “backup” files from the server, such as exported MySQL dumps and theme.zip files
- Check the server for non-WordPress files. Wordfence scans should find these, but manual checks are always required for due diligence.
User hygiene
- Remove users that don’t need their own logins
- Limit the permissions of administrator account holders who don’t require such high-level access
Site recovery
If you have been hacked, panic for a bit, then breathe, then stop panicking. Now follow these steps:
- Put the site into maintenance mode so people think you’re doing site updates and will come back later.
- Reinstate your latest uncompromised backup.
- Download a copy of the server logs
- Update all plugins to close known vulnerabilities
- Check the server logs for logins from IP addresses you don’t recognise.
- Scan the site with Wordfence to ensure there are no more malicious files.
- Block any malicious IPs you found.
Site recovery checklist
- Plugin hygiene: remove any unused plugins, update plugins, remove any malicious plugins.
- User hygiene: check your website users to ensure no new users have been added.
- Scanning: run a Wordfence scan for vulnerabilities.
Website Backups
As security is never 100% bullet-proof, it’s best to account for the worst-case scenario. Website backups are the cornerstone of your recovery plan.
Ideally backups are performed by the server rather than a plugin.
- Install and configure Updraft to send regular offsite backups to Google Drive.
- This can be done every hour if your site requires that amount of backups.
- Choose a premium hosting provider that performs daily automated backups
Reset all wp-admin passwords
Hackers may have stolen all the login details, including passwords, so these should be reset for all admins in wp-admin/users/.
Remove unused themes
Themes are not often compromised, but it is good practice to remove the unused ones.
Maintenance managers
Your site can be hacked via managers like ManageWP. Your site itself may be secured with 2FA, but ManageWP is often left unsecured.
If you’re using a manager like ManageWP to help with plugin updates, make sure you reset your password there too. Ensure ManageWP has 2FA enabled, or better yet delete your account entirely.
Install a firewall on the server level
If you’re hosting your own WordPress website on a bare-bones, self-managed VPS, then you will need to install a firewall at the server level with UFW.
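A baseline UFW rule set for such a VPS, as an added example that is not part of the original post. It assumes SSH on the default port 22 and a web server listening on 80/443; everything else inbound is dropped. Set UFW=echo to preview the commands without touching the live firewall.

```shell
#!/bin/sh
# Baseline UFW rules for a self-managed WordPress VPS (added example).
# Assumptions: SSH on 22/tcp, HTTP/HTTPS on 80 and 443. Run as root.
set -eu

UFW="${UFW:-ufw}"   # override with UFW=echo for a dry run

harden_vps_firewall() {
  "$UFW" default deny incoming    # drop anything not explicitly allowed below
  "$UFW" default allow outgoing   # updates, mail and API calls still work
  "$UFW" limit 22/tcp             # allow SSH but rate-limit brute forcing
  "$UFW" allow 80/tcp             # HTTP (redirects, certificate challenges)
  "$UFW" allow 443/tcp            # HTTPS
  "$UFW" --force enable           # --force skips the interactive prompt
  "$UFW" status verbose           # show the resulting rule set
}

# Only apply when invoked as "sh firewall.sh apply", so the file is safe to source.
if [ "${1:-}" = "apply" ]; then
  harden_vps_firewall
fi
```

`ufw limit` lets the connection through but blocks a source that opens six or more connections in thirty seconds, which is what you want on the SSH port.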
wp-config.php
- Set the file permissions on wp-config.php to 440: chmod 440 wp-config.php
- Define siteurl in wp-config.php
SFTP user hygiene
Ensure the list of SFTP/FTP users has been trimmed to only those who still need access.
.htaccess file
Limit wp-config access
Prevent unauthorized access to wp-config.php by adding this to your .htaccess file:
# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
<files wp-config.php>
order allow,deny
deny from all
</files>
Limit file execution
Prevent PHP files in the uploads directory from being executed by adding this to a .htaccess file inside wp-content/uploads (not the site root, or the whole site would stop working):
# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
<Files *.php>
deny from all
</Files>
Disable directory listing
Prevent directory listing by adding this line to your .htaccess file:
Options -Indexes
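A read-only audit script that checks the server-level points above (wp-config.php permissions, stray PHP in uploads, leftover backup files and the directory-listing rule) against a WordPress document root, as an added example that is not code from the original post. It assumes the standard layout: wp-config.php in the root, media under wp-content/uploads, and Apache-style .htaccess files.

```shell
#!/bin/sh
# Audit of the server-level hardening points above (added example).
# Prints one line per finding; the return code is the number of findings.
set -u

audit_wp_root() {
  root="$1"
  findings=0

  # wp-config.php holds the database credentials: expect 440 (or stricter 400).
  if [ -f "$root/wp-config.php" ]; then
    perms=$(stat -c '%a' "$root/wp-config.php" 2>/dev/null || stat -f '%Lp' "$root/wp-config.php")
    if [ "$perms" != "440" ] && [ "$perms" != "400" ]; then
      echo "wp-config.php is mode $perms, expected 440"
      findings=$((findings + 1))
    fi
  fi

  # Nothing under uploads should be PHP; anything that is deserves a look.
  php_in_uploads=$(find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null || true)
  if [ -n "$php_in_uploads" ]; then
    echo "$php_in_uploads" | sed 's/^/PHP file in uploads: /'
    findings=$((findings + $(echo "$php_in_uploads" | wc -l)))
  fi

  # Leftover database exports and site archives are downloadable by anyone.
  stray=$(find "$root" -maxdepth 2 -type f \( -name '*.sql' -o -name '*.zip' -o -name '*.tar.gz' \) 2>/dev/null || true)
  if [ -n "$stray" ]; then
    echo "$stray" | sed 's/^/backup file in web root: /'
    findings=$((findings + $(echo "$stray" | wc -l)))
  fi

  # Directory listing must be switched off in the root .htaccess.
  if ! grep -qs 'Options -Indexes' "$root/.htaccess"; then
    echo "directory listing not disabled in $root/.htaccess"
    findings=$((findings + 1))
  fi

  return "$findings"
}

# Usage: sh audit.sh /var/www/html   (exit status 0 means nothing was found)
if [ "${1:-}" != "" ]; then
  audit_wp_root "$1"
fi
```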
Disable Default registration
If registration is enabled on purpose but you use a registration plugin to handle sign-ups, disabling the default registration form can help reduce spam.
// Add to your theme's functions.php (or a small plugin); redirects the default register screen away.
add_action('login_form_register', function() {
    wp_redirect(home_url()); // Replace 'home_url()' with the URL you want to redirect to.
    exit;
});