WordPress Website Security Hardening

What you can do to stop your WordPress site from getting hacked.

WordPress runs a large share of the web, which makes it a popular target: automated scanners probe sites around the clock for outdated plugins, guessable admin passwords and exposed configuration files. This article walks through the measures that stop most of those attacks, from the Wordfence firewall and login hardening through server-level controls, file permissions and backups. Over the years of my web development career I’ve come across many hacked sites and it can be truly devastating for website owners. Personally I know how it feels to wake up and see your beloved labour of love or business storefront is now a dancing Russian bear, cheerfully gloating about hacking your site. It’s an absolute nightmare. It’s okay though. Hacked sites can be cleaned, and once they are cleaned and the feeling of dread fades it’s time for some security hardening and ongoing site health maintenance. The procedures below greatly reduce the chance of a breach, and limit the damage when one happens anyway.

Install Wordfence

Install and enable the Wordfence WordPress plugin, which provides a web application firewall (WAF) and brute-force login protection. After installing, switch the firewall from the default Basic mode to Extended Protection: in Basic mode the WAF loads as an ordinary plugin, so it cannot inspect a request that reaches other code before WordPress loads plugins, whereas Extended Protection uses PHP’s auto_prepend_file setting to run the firewall before WordPress starts.

Limit login attempts

The firewall limits the number of failed login attempts a user or bot can make before the source IP is locked out. You can set the limit manually. I usually set this to be very strict (5) for personal sites and a little more lenient for client websites (10).

Some clients are not using password managers and often forget their passwords, so 10 login attempts gives them some wiggle room.

Wordfence automatically blocks the IP address behind any login attempts that exceed the limit. It also sends a report of suspicious activity, from which you can block the IP address of any visitor you choose. Treat IP blocking as a blunt instrument rather than a fix: attackers rotate through proxies and botnets, and blocking a shared address (an office NAT, a mobile carrier) can lock out legitimate users, so keep manual blocks short-lived and rely on the automatic limits plus strong credentials and 2FA for the real protection.

Set strong, unique passwords

Many WordPress compromises begin with weak or reused credentials. With a predictable username such as "admin" and a short password, an attacker can simply brute force (guess) the login, and credential-stuffing bots try username and password pairs leaked from other sites, so a password reused elsewhere is as good as no password.

Your passwords should be long and random: something you could never remember. That means you need a password manager to store a unique password for every site, and WordPress user accounts should never share a password with the hosting control panel, FTP/SFTP or the database.

If you ever need to share login access with a colleague, a password manager such as 1Password lets you share the credential securely and withdraw access again later, instead of pasting it into email or chat where it lingers forever.

Two-factor authentication

Enable two-factor authentication (2FA). Wordfence includes TOTP-based 2FA (any authenticator app works); you just need to activate it in the plugin’s login security settings. Require it for every Administrator account at a minimum, so that a guessed or leaked password is not enough on its own. Because xmlrpc.php accepts a username and password without a second factor, also use the Wordfence option to disable XML-RPC authentication unless you depend on it (for example for the mobile app or Jetpack).

WordPress security hardening with site maintenance

  1. Deactivate and remove unused plugins and themes. A deactivated plugin is still on disk, and any vulnerable PHP file in it can still be requested directly.
  2. Keep plugins, themes and WordPress core up to date.
  3. Run a supported, current version of PHP; end-of-life versions no longer receive security fixes.
  4. Remove users that don’t need their own logins.
  5. Downgrade administrators who don’t need that level of access to Editor or a lesser role. Only Administrators can install plugins and edit theme files, which is exactly what an attacker who takes over the account wants.
  6. Scan logs for hacking attempts and blacklist suspicious IP addresses.
  7. Remove “backup” files from the server, such as exported MySQL dumps and theme.zip archives. Anything under the web root is downloadable by anyone who guesses the file name, and a .sql dump contains every password hash and user email on the site.
  8. Disable the “Anyone can register” option under Settings > General in the WordPress admin.
  9. Another popular step is to move the login URL to a private path such as ‘/our-secret-login’ instead of wp-login.php. This cuts down automated noise but is obscurity, not authentication: xmlrpc.php still accepts credentials, and the new path leaks as soon as someone shares it, so combine it with the login limits and 2FA above rather than relying on it.
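Item 6 above and the login-attempt limits in the Wordfence section both come down to the same question: which IP addresses are hammering the login endpoints? The script below is an added example, not code from the original post or from Wordfence. It triages a web server access log in the common "combined" format and relies on one WordPress-specific fact: a failed POST to wp-login.php re-renders the form with HTTP 200, while a successful login answers with a 302 redirect to wp-admin. POSTs to xmlrpc.php always return 200, so they are counted separately as their own signal. The log lines and IP addresses are constructed for the example; the threshold argument and the function names are assumptions of this script, not Wordfence settings.

```shell
#!/bin/sh
# Access-log triage for WordPress login brute forcing.
# Added example, not from the original post. Assumes Apache/nginx "combined"
# log format; the sample lines below are constructed, not real traffic.
#
# Heuristic: a POST to /wp-login.php that fails re-renders the login form
# (HTTP 200), while a successful login redirects to /wp-admin/ (HTTP 302).
# POSTs to /xmlrpc.php always return 200, so they are reported as a separate
# "xmlrpc" signal: credential stuffing via XML-RPC never touches wp-login.php.

# Print "count ip kind" for every IP at or above THRESHOLD, most active first.
#   kind = login  (failed wp-login.php POSTs)
#   kind = xmlrpc (xmlrpc.php POSTs)
# Reads the log on stdin. Combined-format fields: $1 ip, $6 "METHOD,
# $7 path, $9 status.
wp_bruteforce_ips() {
    threshold="${1:-5}"
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { login[$1]++ }
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/                { xmlrpc[$1]++ }
        END {
            for (ip in login)  if (login[ip]  >= t) printf "%d %s login\n",  login[ip],  ip
            for (ip in xmlrpc) if (xmlrpc[ip] >= t) printf "%d %s xmlrpc\n", xmlrpc[ip], ip
        }' | sort -rn
}

# Turn the triage output into Apache 2.2-style .htaccess deny rules
# (one "deny from <ip>" per flagged address, de-duplicated).
htaccess_deny_rules() {
    awk '{ print $2 }' | sort -u | sed 's/^/deny from /'
}

# Constructed sample: one attacker hammering wp-login.php, one hitting
# xmlrpc.php, and a legitimate admin who fails once and then succeeds.
SAMPLE_LOG='203.0.113.7 - - [12/Mar/2024:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:10:02:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:10:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:10:02:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2024:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2024:10:05:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 61234 "https://example.com/wp-login.php" "Mozilla/5.0"'

# On a real server (pick a threshold matching your Wordfence limit):
#   wp_bruteforce_ips 10 < /var/log/apache2/access.log | htaccess_deny_rules
printf '%s\n' "$SAMPLE_LOG" | wp_bruteforce_ips 3
```

With threshold 3 the sample reports 203.0.113.7 (5 failed logins) and 198.51.100.23 (3 XML-RPC posts) and ignores the admin at 192.0.2.50, whose single failure is followed by a 302. Piping the output through htaccess_deny_rules gives deny lines you can paste into .htaccess, but check the xmlrpc hits before blocking: legitimate Jetpack or mobile-app traffic looks the same in the access log.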

Have a backup system in place

No set of controls is 100% bullet-proof, so plan for the worst case: a backup you can actually restore from.

  1. Install and configure UpdraftPlus to send regular backups offsite, for example to Google Drive. A backup stored only on the web server is lost or encrypted along with the site.
  2. Backups can run as often as hourly if the site changes that frequently.
  3. Choose a hosting provider that performs daily automated backups, and keep several generations so that a backup taken after a compromise does not overwrite your last clean copy.
  4. Test a restore occasionally. A backup nobody has ever restored from is an assumption, not a backup.

Install a firewall at the server level

If you host your own WordPress site on a bare-bones, self-managed VPS, install a host firewall with UFW: deny all inbound traffic by default and open only SSH, HTTP and HTTPS. Add the SSH rule before enabling the firewall, or you will lock yourself out of your own server. Managed hosts usually provide this for you.
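The following script is an added example of the UFW rule set described above; it is not from the original post. It assumes SSH on port 22 (override with SSH_PORT) and a site served on 80 and 443, and it only prints the commands unless APPLY=1 is set, so you can review the order before running it as root. The ordering is the point: defaults first, the SSH rule before enable, and "limit" rather than "allow" on SSH so that UFW rate-limits connection attempts from a single address.

```shell
#!/bin/sh
# Host firewall for a self-managed WordPress VPS using UFW.
# Added example, not from the original post. Assumes SSH on port 22 and the
# site served on 80/443; set SSH_PORT if you moved SSH. Runs in dry-run mode
# unless APPLY=1, so the rules can be reviewed before they are applied.

SSH_PORT="${SSH_PORT:-22}"

# Emit the ufw commands, one per line, in the order they must run:
# defaults first, allow SSH *before* enabling, then the web ports.
# "limit" rather than "allow" on SSH rate-limits connection attempts
# (ufw denies an address that opens 6 or more connections in 30 seconds).
ufw_rules() {
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw limit ${SSH_PORT}/tcp comment 'SSH, rate limited'
ufw allow 80/tcp comment 'HTTP (redirects to HTTPS)'
ufw allow 443/tcp comment 'HTTPS'
ufw --force enable
EOF
}

# Print the rules, or execute them one by one when APPLY=1 (requires root).
apply_ufw() {
    if [ "${APPLY:-0}" = "1" ]; then
        ufw_rules | while read -r cmd; do
            echo "+ $cmd"
            sh -c "$cmd"
        done
    else
        echo "# dry run; re-run with APPLY=1 to execute"
        ufw_rules
    fi
}

# Usage: sh harden-ufw.sh            (review)
#        sudo APPLY=1 sh harden-ufw.sh  (apply)
apply_ufw
```

Anything not listed (MySQL on 3306, Redis, memcached, a PHP-FPM TCP socket) stays closed to the internet, which is the main reason to run a host firewall on a VPS where such services are often bound to all interfaces by default.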

wp-config.php

  • Restrict file permissions on wp-config.php with chmod 440 wp-config.php (owner and group may read, nobody may write, no access for others). This only works when PHP runs as the file’s owner or as a member of its group; otherwise WordPress cannot read its own configuration, so confirm the site still loads afterwards. Also never leave copies such as wp-config.php.bak or wp-config.php~ in the web root: the web server has no PHP handler for those extensions and serves them as plain text, database credentials included.
  • Define the site URL in wp-config.php. Hard-coding WP_HOME and WP_SITEURL there overrides the home and siteurl rows in wp_options, so an attacker who gains write access to the database (through SQL injection or a stolen database password) cannot redirect every visitor to another domain by editing those options.
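The wp-config.php permission check above and item 7 of the maintenance list (leftover dumps and archives) are both things worth auditing on a schedule rather than once. The script below is an added example, not part of the original post: it walks an install for backup artifacts, checks the mode of wp-config.php, and lists PHP files under uploads. It assumes a standard layout (wp-config.php in the document root, media under wp-content/uploads) and GNU stat for the mode check; the sample install it builds is constructed test data so the script runs offline.

```shell
#!/bin/sh
# Audit a WordPress install for leftover backup artifacts and loose permissions.
# Added example, not from the original post. Assumes a standard layout
# (wp-config.php in the docroot, media under wp-content/uploads) and GNU
# stat (Linux). make_sample_site builds constructed test data in a temp dir.

# Files an attacker would love to find: database dumps, archives and
# editor/backup copies of wp-config.php, anywhere under the docroot.
find_backup_artifacts() {
    find "$1" -type f \( -name '*.sql' -o -name '*.sql.gz' -o -name '*.zip' \
        -o -name '*.tar.gz' -o -name 'wp-config.php.*' -o -name 'wp-config.php~' \
        -o -name '*.bak' -o -name '*.old' \) | sort
}

# Report wp-config.php unless its mode is 400, 440 or 600 (no access for
# "other"). 440 only works when PHP runs as the file's owner or group.
check_wp_config_mode() {
    mode=$(stat -c '%a' "$1/wp-config.php" 2>/dev/null) || { echo "wp-config.php missing"; return 1; }
    case "$mode" in
        400|440|600) return 0 ;;
        *) echo "wp-config.php mode is $mode (expected 400, 440 or 600)"; return 1 ;;
    esac
}

# Uploads hold media, never code, so any .php there is a webshell or a mistake.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' | sort
}

# Run all three checks; exit status is non-zero when anything was found.
audit_site() {
    root="$1"; status=0
    artifacts=$(find_backup_artifacts "$root")
    [ -n "$artifacts" ] && { echo "backup artifacts:"; echo "$artifacts"; status=1; }
    check_wp_config_mode "$root" || status=1
    php=$(find_php_in_uploads "$root")
    [ -n "$php" ] && { echo "php in uploads:"; echo "$php"; status=1; }
    return $status
}

# Build a throwaway install with planted problems (constructed test data).
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2024/03" "$root/wp-content/themes"
    : > "$root/wp-config.php"; chmod 644 "$root/wp-config.php"
    : > "$root/wp-config.php.bak"
    : > "$root/backup-2024-03-01.sql"
    : > "$root/wp-content/themes/theme.zip"
    : > "$root/wp-content/uploads/2024/03/shell.php"
    : > "$root/wp-content/uploads/2024/03/photo.jpg"
    echo "$root"
}

# Usage on a real server: audit_site /var/www/html
SITE=$(make_sample_site)
audit_site "$SITE" || echo "audit found issues"
rm -rf "$SITE"
```

On the constructed install the audit reports three artifacts (the .sql dump, theme.zip and wp-config.php.bak), the 644 mode on wp-config.php, and the planted shell.php under uploads. Run it from cron and mail yourself the output; a clean install produces no output at all.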

.htaccess file

Limit wp-config access

Prevent direct web access to wp-config.php by adding this to the .htaccess file in your document root. Requesting wp-config.php normally just executes it and returns an empty page, but if the PHP handler is ever misconfigured the file would be served as plain text with your database credentials, so deny it outright. (.htaccess rules only apply to Apache and LiteSpeed; nginx ignores the file and needs an equivalent location block in its own configuration.)

# Apache 2.2 syntax. Apache 2.4 accepts it while mod_access_compat is loaded;
# otherwise replace the two directives inside the block with "Require all denied".
<files wp-config.php>
order allow,deny
deny from all
</files>

Limit file execution

Prevent PHP files in the uploads directory from being executed. Uploads should only ever contain media, so any .php file there is either a webshell or a misconfiguration. Create a separate .htaccess inside wp-content/uploads containing the rule below; do not put it in the root .htaccess, where the same rule would block index.php and every other script on the site.

# Lives in wp-content/uploads/.htaccess only.
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied".
<Files *.php>
deny from all
</Files>

Disable directory listing

Prevent directory listing, so that a request to a folder without an index file (for example /wp-content/uploads/2024/) cannot enumerate every file in it, by adding this line to your .htaccess file:

Options -Indexes

Disable default registration

If registration is enabled on purpose but you use a registration plugin to handle sign-ups, disabling the default WordPress registration form helps reduce spam accounts. The snippet below redirects anyone who opens wp-login.php?action=register. Note that it only hides the form: the “Anyone can register” setting still controls whether WordPress itself accepts new accounts, so check whether your registration plugin needs that setting on.

// Add to your theme's functions.php or a must-use plugin.
// 'login_form_register' fires when wp-login.php?action=register is requested,
// before the default registration form is rendered.
add_action('login_form_register', function() {
    wp_redirect(home_url()); // Replace home_url() with the URL of your own registration page.
    exit;
});
This post is licensed under CC BY 4.0 by the author.