
WordPress Website Security Hardening

What you can do to stop your WordPress site from getting hacked.

Over the years of my web development career I’ve come across many hacked sites, and it can be truly devastating for website owners. Personally I know how it feels to wake up and see that your beloved labour of love or business storefront is now a dancing Russian bear, cheerfully gloating about hacking your site. It’s an absolute nightmare. It’s okay though. Hacked sites can be cleaned, and once they are cleaned and the feeling of dread fades, it’s time for some security hardening and ongoing site health maintenance. You can prevent security breaches by implementing the following procedures.

Many people will tell you it’s just a matter of keeping your plugins up to date, but there is more to it than that.

Install Wordfence

Install and enable the Wordfence WordPress plugin, which provides you with a web application firewall.

Limit login attempts

The firewall limits the number of failed login attempts a user or bot can make. You can set the number of allowed attempts manually. I usually set this to be very strict (5) for personal sites and a little more lenient (10) for client websites.

Some clients are not using password managers and often forget their passwords, so 10 login attempts gives them some wiggle room.

Wordfence will ban suspicious login attempts automatically. It also produces a report that notifies you of suspicious user activity, from which you can ban the users of your choosing by blocking their IP address.

Monitoring and alerts

You need to know when there are issues to be fixed so you can jump on them right away. Time is absolutely critical when you have a compromised site, and no one expects you to sit watching the Wordfence dashboard 24 hours a day.

Critical issue Monitoring

Set strong, unique passwords

Most WordPress website hacking is due to weak passwords. Attackers can simply brute force (guess) their way into your site if you have a weak password and a predictable username.

Your passwords should be very long and complete gibberish, impossible to remember. You will need a password manager to keep track of unique passwords for all your sites.

If you ever need to share login access with a colleague, a password manager such as 1Password will allow you to share temporary access securely.

Two-factor authentication

Enable two-factor authentication (2FA). This feature is built into the Wordfence plugin; you just need to activate it in the configuration settings.

WordPress security hardening with site maintenance

  1. Deactivate and remove unused plugins and themes
  2. Keep plugins, themes and WordPress core up to date.
  3. Disable the “Anyone can signup” option (the Membership setting “Anyone can register” under Settings > General) in WordPress admin

Site Scanning

  1. Site scans done with Wordfence provide valuable information on abandoned plugins and plugins with critical vulnerabilities.
  2. Scan logs for hacking attempts and blacklist suspicious IP addresses.

Server Level

  1. Run the most up-to-date supported version of PHP.
  2. Remove “backup” files from the server, such as MySQL export files and theme.zip files.
  3. Check the server for non-WordPress files. Wordfence scans should find these, but manual checks are always required for due diligence.
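The two server-level checks above (stray backup files, and files that do not belong to WordPress, in particular PHP under the uploads directory) can be scripted. The following is an added example written for this post, not the author’s or Wordfence’s code; it assumes POSIX sh with find, and the directory layout it builds under mktemp is constructed purely for demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress document root for
# leftover backup artefacts and for PHP files under wp-content/uploads.
# Assumes POSIX sh plus find; the demo directory layout below is constructed.

# Print paths of files that should not live in a public web root:
# database exports, archives, and editor/backup copies.
find_backup_artifacts() {
    find "$1" -type f \( -name '*.sql' -o -name '*.sql.gz' -o -name '*.zip' \
        -o -name '*.tar' -o -name '*.tar.gz' -o -name '*.bak' -o -name '*~' \) \
        | sort
}

# Print PHP files inside wp-content/uploads. WordPress itself never writes PHP
# there, so any hit is either a misplaced file or something an attacker dropped.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \( -iname '*.php' -o -iname '*.phtml' \
        -o -iname '*.php[0-9]' \) 2>/dev/null | sort
}

# Build a throwaway document root with a few constructed files for the demo.
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2024/01" "$root/wp-content/themes/twentytwentyfour"
    : > "$root/wp-config.php"
    : > "$root/wp-content/uploads/2024/01/photo.jpg"
    : > "$root/wp-content/uploads/2024/01/image.php"   # constructed: should be flagged
    : > "$root/wp-content/themes/theme.zip"             # constructed: should be flagged
    : > "$root/export.sql"                              # constructed: should be flagged
    echo "$root"
}

# Human-readable report combining both checks.
audit_report() {
    echo "== backup artefacts =="
    find_backup_artifacts "$1"
    echo "== PHP under uploads =="
    find_php_in_uploads "$1"
}

# Usage: sh audit.sh /var/www/example.com
if [ "${1:-}" ]; then
    audit_report "$1"
fi
```

Run it against the real document root and review every line it prints before deleting anything; a legitimate plugin occasionally ships an archive, but a .php file under uploads is almost never legitimate and is worth comparing against the Wordfence scan results.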

User hygiene

  1. Remove users that don’t need their own logins
  2. Limit the permissions of administrator account holders that don’t require such high-level access

Site recovery

If you have been hacked: panic for a bit, then breathe, then stop panicking. Now follow these steps:

  • Put the site into maintenance mode so visitors think you’re doing site updates and will come back later.
  • Reinstate your latest uncompromised backup.
  • Download a copy of the server logs.
  • Update all plugins and patch known vulnerabilities.
  • Check the server logs for logins from IP addresses you don’t recognise.
  • Scan the site with Wordfence to ensure no malicious files remain.
  • Block any malicious IPs you found.
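Both the “scan logs for hacking attempts” item in the Site Scanning section and the “check server logs for logins from IP addresses you don’t recognise” recovery step come down to the same question: which client addresses are hammering wp-login.php? The script below is an added example for this post (not the author’s or Wordfence’s tooling). It assumes an Apache/Nginx combined-format access log and awk; the log lines it writes are constructed sample traffic using documentation IP ranges, not real requests.

```shell
#!/bin/sh
# Added example (not from the original post): count POST requests to /wp-login.php
# per client IP in a combined-format access log and list the IPs at or above a
# threshold. A failed WordPress login re-renders the form (HTTP 200) while a
# successful one redirects (302), so counting POSTs catches both guess storms
# and the one login that eventually worked. Assumes awk and sort.

# Print "count ip" lines, highest first.
login_attempts_by_ip() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' "$1" | sort -rn
}

# Print only the IPs whose attempt count meets or exceeds the threshold in $2.
suspicious_ips() {
    login_attempts_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Constructed sample log for the demo (combined log format); not real traffic.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.7 - - [10/Mar/2024:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2718 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2718 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2718 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2718 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:08:00:12 +0000] "GET /wp-login.php HTTP/1.1" 200 2718 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:08:00:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:08:00:26 +0000] "GET /wp-admin/ HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:09:30:00 +0000] "GET /?p=12 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
EOF
    echo "$f"
}

# Usage: sh login-audit.sh /var/log/apache2/access.log 5
if [ "${1:-}" ]; then
    suspicious_ips "$1" "${2:-5}"
fi
```

In the sample, 203.0.113.7 makes four POSTs in as many seconds and is the address to block, while 198.51.100.20 shows the normal pattern of one GET, one POST and a redirect into wp-admin. Cross-check the flagged list against the login times and IPs you do recognise (your own, your clients’, your maintenance service) before adding anything to the Wordfence block list.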

Site recovery checklist

Plugin hygiene: Remove any unused plugins, update plugins, remove any malicious plugins.

User hygiene: Check your website users to ensure no new users have been added.

Scanning: Wordfence scan for vulnerabilities.

Website Backups

As security is never 100% bullet-proof, it’s best to account for the worst-case scenario. Website backups are the cornerstone of your recovery plan.

Ideally backups are performed by the server rather than by a plugin.

  1. Install and configure UpdraftPlus to send regular offsite backups to Google Drive.
  2. This can be done every hour if your site requires that frequency of backups.
  3. Choose a premium hosting provider that performs daily automated backups.
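As an illustration of what “backups performed by the server rather than by a plugin” looks like, here is an added example (not the author’s setup, and not UpdraftPlus) of a small cron-friendly script: it archives the document root, dumps the database when mysqldump is available, and keeps only the newest N sets. It assumes tar and gzip, and for the database step it assumes mysqldump reads credentials from ~/.my.cnf and the database name from a DB_NAME environment variable, which is a constructed convention for this example.

```shell
#!/bin/sh
# Added example (not from the original post): server-side WordPress backup with
# simple retention. Assumes tar and gzip; the database step needs mysqldump and
# credentials in ~/.my.cnf (constructed convention for this example).

# Archive the document root into $dest/<stamp>-files.tar.gz and print its path.
# $dest must live outside the web root, otherwise the archive is itself one of the
# downloadable "backup files" the post tells you to remove.
backup_files() {
    root=$1; dest=$2; stamp=$3
    mkdir -p "$dest"
    tar -czf "$dest/$stamp-files.tar.gz" -C "$(dirname "$root")" "$(basename "$root")"
    echo "$dest/$stamp-files.tar.gz"
}

# Dump the database if mysqldump is present. The password is never passed on the
# command line (it would be visible in ps); mysqldump reads it from ~/.my.cnf.
backup_db() {
    dest=$1; stamp=$2
    command -v mysqldump >/dev/null 2>&1 || { echo "mysqldump not found, skipping DB" >&2; return 0; }
    mysqldump --single-transaction "${DB_NAME:?set DB_NAME}" | gzip > "$dest/$stamp-db.sql.gz"
    echo "$dest/$stamp-db.sql.gz"
}

# Keep only the newest $keep backup sets (stamps sort lexically, newest last).
prune_backups() {
    dest=$1; keep=$2
    ls -1 "$dest"/*-files.tar.gz 2>/dev/null | sort -r | awk -v k="$keep" 'NR > k' |
        while read -r old; do
            stamp=$(basename "$old" -files.tar.gz)
            rm -f "$dest/$stamp-files.tar.gz" "$dest/$stamp-db.sql.gz"
        done
}

# Usage (e.g. hourly from cron): sh wp-backup.sh /var/www/example.com /var/backups/example 48
if [ "${1:-}" ]; then
    STAMP=$(date +%Y%m%dT%H%M)
    backup_files "$1" "$2" "$STAMP"
    backup_db "$2" "$STAMP"
    prune_backups "$2" "${3:-48}"
fi
```

The retention directory is still on the same machine, so it only counts as a real recovery plan once it is copied offsite (to the Google Drive target the post suggests, or any other remote store); a backup that disappears with the server is not a backup.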

Reset all wp-admin Passwords

Hackers may have stolen all the login details, including passwords, so these should be reset for all admins under wp-admin/users/.

Remove unused themes

Themes are not compromised all that often, but it is good practice to remove any unused themes.

Maintenance managers

Your site can be hacked via management services like ManageWP. Your site itself may be secured with 2FA, but ManageWP is often left unsecured. If you’re using a manager like ManageWP to help with plugin updates, make sure to reset your password there too, and ensure ManageWP has 2FA enabled. Or better yet, delete your account entirely.

Install a firewall on the server level

If you’re hosting your own WordPress website on a bare-bones, self-managed VPS, then you will need to install a firewall at the server level with UFW.

wp-config.php

  • Restrict the file permissions on wp-config.php: chmod 440 wp-config.php
  • Define siteurl (the WP_HOME and WP_SITEURL constants) in wp-config.php
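The two wp-config.php items can be applied and then verified from the shell. The script below is an added example for this post (not the author’s code); it assumes GNU or BSD stat and grep, and the wp-config.php it writes under mktemp is a constructed stub with a placeholder database name, not a real configuration.

```shell
#!/bin/sh
# Added example (not from the original post): lock down wp-config.php permissions
# and verify that the site URL constants are pinned. Assumes stat (GNU or BSD) and
# grep; the config file written by make_demo_config is a constructed stub.

# Apply the 440 mode (owner and group read-only) the post recommends. The PHP
# process must then run as the file's owner or group, which is the usual setup.
lock_wp_config() {
    chmod 440 "$1"
}

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the mode is 440 (or the stricter 400), 1 otherwise.
check_wp_config_mode() {
    case "$(file_mode "$1")" in
        440|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if WP_HOME and WP_SITEURL are both defined. Constants set in
# wp-config.php take precedence over the siteurl/home rows in wp_options, so a
# tampered database value cannot silently point the site somewhere else.
check_siteurl_defined() {
    grep -Eq "define\([[:space:]]*'WP_HOME'" "$1" &&
        grep -Eq "define\([[:space:]]*'WP_SITEURL'" "$1"
}

# Constructed stub for the demo; not a usable WordPress configuration.
make_demo_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?php
/* constructed stub for the demo */
define( 'DB_NAME', 'PLACEHOLDER_DB' );
define( 'WP_HOME', 'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );
EOF
    echo "$f"
}

# Usage: sh harden-wp-config.sh /var/www/example.com/wp-config.php
if [ "${1:-}" ]; then
    lock_wp_config "$1"
    check_wp_config_mode "$1" && echo "mode ok" || echo "mode is NOT 440"
    check_siteurl_defined "$1" && echo "site URL pinned" || echo "WP_HOME/WP_SITEURL missing"
fi
```

Run the checks again after any host migration or plugin install: some hosting panels and installers silently reset wp-config.php back to 644.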

.htaccess file

SFTP user hygiene

Ensure the list of SFTP/FTP users has been pruned to only the people who still need access.

Limit wp-config access

Prevent unauthorized web access to wp-config.php by adding this to your .htaccess file (this is Apache 2.2 syntax; on Apache 2.4 the equivalent is Require all denied):

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Limit file execution

Prevent PHP files in the uploads directory from being executed by placing this in an .htaccess file inside wp-content/uploads:

<Files *.php>
deny from all
</Files>

Disable directory listing

Prevent directory listing by adding this line to your .htaccess file:

Options -Indexes

Disable Default registration

If registration is enabled on purpose but you’re using a registration plugin to handle sign-ups, disabling the default registration form can help reduce spam.

// Place this in your theme’s functions.php or in a must-use plugin.
// It sends anyone who opens the built-in wp-login.php?action=register form
// back to the home page instead of rendering the form.
add_action('login_form_register', function() {
    wp_redirect(home_url()); // Replace 'home_url()' with the URL you want to redirect to.
    exit;
});

This post is licensed under CC BY 4.0 by the author.