WordPress security is extremely important and should not be ignored. Sometimes though, it’s not given the attention it requires which will leave holes in your website’s armour. This may be due to a number of reasons, ranging from lack of technical understanding to downright laziness. The fact that you’re reading this tells me you’re not in the lazy category, go you!
If you’re already a Cariad client, you can rest assured we’re doing everything we can to protect your website to its fullest. However there are still things you can do to help, which will be outlined in this article.
Is WordPress secure?
Well for the most part, yes it is. However, with WordPress websites taking up over 40% of the web, it is a highly targeted platform for hackers. This means you have to be extra vigilant and fortify all entry points. Like with any asset, if you don’t protect it, someone will come along and take it.
According to a report by Sucuri, WordPress was by far the most attacked CMS among their user base, accounting for 94.23% of their clients.
This doesn’t imply that WordPress is any less secure than other content management systems, but it hits home how targeted WordPress is because of its market dominance: attackers automate against the platform with the most installs. By following the steps in this article, you will vastly reduce the chance of being hacked.
WordPress Vulnerabilities
There are a number of ways hackers can exploit your website and ultimately the steps in this article are aimed at preventing them.
Here are some of the most common attacks, and the infections they leave behind:
- Backdoors (code an attacker leaves behind so they can get back in after the original hole is closed)
- Pharma Hacks (spam for pharmaceutical products injected into your pages, often shown only to search engines)
- Brute-force Login Attempts
- Malicious Redirects
- Cross-site Scripting (XSS)
- Denial of Service
With proper care and by putting in a bit of work to implement all of our suggestions, you will have closed the entry points that the large majority of automated attacks rely on. No list makes a site unhackable, but it makes yours a much less attractive target than the next one.
WordPress website security Guide 2022
Let’s have a look at all the possible ways you can lower your chances of getting hacked and keep your WordPress website as secure as possible.
General WordPress security tips
1. Use strong passwords (and usernames)
2. Limit the number of administrator accounts
3. Invest in secure WordPress hosting
4. Use the latest recommended PHP version
5. Keep software updated
6. Always take regular backups
7. Don’t install shady third party plugins and themes
8. Encrypt sensitive information with an SSL Certificate
9. Keep computers up to date with antivirus software
Plugins for WordPress Security
10. Enable two-factor authentication
11. Change the default WordPress login URL
12. Limit login attempts
13. Install a security plugin like Sucuri or WordFence
14. Install an anti-spam plugin
15. Disable author archives with Yoast SEO
Code Snippets for WordPress Security
16. Hide WordPress version number in functions.php
17. Password protect staging sites and prevent robots
18. Disallow wp-config.php in htaccess file
19. Disallow xmlrpc.php in htaccess file
20. Block the include-only files in htaccess file
21. Disable directory browsing in htaccess file
22. Disable theme editing in wp-config file
23. Disable on-screen error display in wp-config file
24. Change wordpress database prefix in wp-config file
25. Change Unique Keys and Salts in wp-config file
General WordPress security tips
1. Use strong passwords (and usernames)
Starting with arguably the most important form of security in place on your website, your password. We cannot stress enough how important it is to choose a strong password.
The top 10 most common passwords used in 2021 according to Cyber News are:
- 123456
- 123456789
- qwerty
- password
- 12345
- qwerty123
- 1q2w3e
- 12345678
- 111111
- 1234567890
Can you believe that “123456” is the most popular password in 2021! You might as well just leave the website’s metaphorical door wide open. If you are using any passwords on that list, for your website or anything else, change them immediately!
Do not leave passwords lying around your home or office on sticky notes either. All it takes is for them to get into the wrong hands and you will be in a very sticky situation. If you think that’s an unlikely scenario, think again: a password written on a Post-It note and stuck to a computer screen at the Hawaii Emergency Management Agency was captured in a press photo taken during a media visit. The photo was then published in a newspaper as part of a PR exercise… and the whole world saw it!
Also, stop using your dog’s name, which is barking at hackers all over your Instagram account.
Instead, opt for something that cannot be guessed from what you post online. If you can’t come to terms with not using your dog’s name in your password, then rather than jasper123 use something like JaSp3r_#7826. A mixture of uppercase and lowercase letters, special characters and a string of digits is better than a plain word, but be aware that “a for @, e for 3” substitutions and a number on the end are the first tricks password-cracking tools try, so it is still far from uncrackable with the technology available today.
Hackers use what’s called a dictionary attack. Rather than trying every possible combination, the tool works through lists of common words, names and passwords leaked in previous breaches, applying rules such as capitalising the first letter, swapping letters for look-alike symbols and appending years or digits, until it gets a match. Against a stolen password hash such a tool tries millions of candidates per second, so length and genuine randomness are what count. Use a completely random set of numbers, letters and special characters, almost as if a cat ran across your keyboard, or a passphrase of four or more unrelated words.
If you’d like to know more about how passwords get hacked, Sucuri has written an interesting article on it.
If you’re still not sure what constitutes a super strong password, just use WordPress’s password generator or use an online password generator.
If, like most people, you struggle to remember all of your passwords and need somewhere safe to keep them, our preferred method would be to store them locally on your computer in an encrypted and password protected database. A great free desktop app for this is KeePass.
There are also online password managers such as LastPass, which are generally safer than using sticky notes.
Some people also use their iphone notes to store passwords and then lock the notes with a password and fingerprint/faceID. Make sure the password is very strong and do not write this down anywhere someone could find it. This can be a pretty safe way to store passwords, but like with everything, it is not 100% secure. Make sure your Apple ID account is very secure too as your notes can be accessed via iCloud.
It’s worth mentioning at this point that there is no perfectly secure way of storing passwords but the more you can do to make it harder for someone to get their hands on them, the better.
It’s also really important not to use the same password on multiple websites. When one site is breached, attackers take the leaked email and password pairs and try them everywhere else (this is called credential stuffing), so a single leak could hand over your whole network of websites at once, which would be quite disastrous.
The last thing to mention here is that usernames matter too. Don’t use easily guessed ones such as admin, user, wordpress, account or your own name; make them a bit tougher to guess. Bear in mind that WordPress gives usernames away in a few places by default (author archives and the REST API), which item 15 deals with.
2. Limit the number of administrator accounts
An administrator account is the star prize for a hacker. Once they have such access the possibilities are endless for them. Therefore it is crucial that you only have the absolute bare minimum of administrator accounts to reduce the amount of possible entry points.
Instead of giving administrator accounts to everyone on the team, keep one (or at most a couple) for the people who genuinely need to install plugins and change settings, and give everyone else an Editor, Author or Contributor account that matches what they actually do. Give each person their own login rather than sharing the administrator password: a shared password ends up in chat messages and on sticky notes, and once it leaks you cannot tell who did what.
In addition, make sure you also delete any unused user accounts from the CMS to prevent them from being potential entry points too, and review the list every few months. If your host provides WP-CLI, wp user list --role=administrator shows exactly who holds the keys.
3. Invest in secure WordPress Hosting
When looking for a hosting provider for your WordPress website, it is a bad idea to simply base your decision on price alone. There are a wide range of hosting options out there and you should try to understand what these are before you commit to anything.
The main hosting options are:
- Shared Hosting
- Cloud Hosting
- VPS Hosting
- Dedicated Hosting
Shared Hosting is not recommended as these are typically the lowest quality hosting services, where you are essentially sharing the resources of the server with hundreds of other websites. If the host doesn’t isolate customer accounts properly, a compromised site belonging to another customer can become a route into yours, and it’s usually pretty slow too. For example, if one website on the shared environment has a spike in traffic, the other websites on the server may experience degraded performance.
Cloud Hosting on the other hand, combats this problem by hosting your website on multiple servers. So if there is a problem with one server, it can easily switch to another functioning server. Cloud hosting generally provides high availability, seamless scalability, advanced security, excellent data redundancies and high website performance. We believe cloud hosting to be the future of web hosting for all of the above reasons.
VPS Hosting (Virtual Private Server) is when one physical server is divided into multiple smaller virtual servers. Since you have your own virtual server, you benefit from your own allocated resources and can customise the server the way you want. Sometimes though, as you are essentially sharing one big physical server with other smaller virtual servers, if one VPS hogs the resources, it can behave similarly to shared hosting. That being said, a lot of hosting providers have ways of partitioning the servers in a way that prevents that from happening. If you don’t opt for “managed” VPS hosting, be aware that you might be required to perform server maintenance and other scary sysadmin tasks you didn’t realise you signed up for.
Dedicated Hosting is when you have access to the entire machine’s resources to do with how you please. You will usually get the best performance with this option, however you will be paying handsomely for it. You will also have to understand how to manage a dedicated server, or employ someone to do it. For this reason it is usually reserved for enterprise level websites.
Our preferred choice from the list above would be Cloud Hosting, as it is affordable, offers great performance and it’s easily scalable.
You want to also ensure your provider offers all of the below features:
- 24/7/365 support
- Free migration(s)
- Free Let’s Encrypt SSL(s)
- Two-factor authentication
- PCI compliance
- Server security
- Daily backups
4. Use the latest recommended PHP version
At the time of writing this article, WordPress 5.8.2 is the latest version. PHP 8 is available and WordPress recommends using a minimum of PHP 7.4. You can see which version of PHP your site runs, and whether WordPress considers it outdated, from your WordPress dashboard: Site Health (Tools → Site Health) reports it, and a “PHP Update Recommended” notice appears on the dashboard when your version falls below the recommendation.
Old versions of PHP stop receiving security fixes once they reach end of life, so known vulnerabilities in the interpreter itself stay open on your server. It’s best practice to follow WordPress’s recommendation and move to a supported version. Check that your theme and plugins are compatible with the new version first (ideally on a staging copy), then change it in your server’s cPanel or hosting control panel.
5. Keep WordPress software updated
Put simply, WordPress is composed of three parts:
- WordPress Core – The main WordPress codebase
- Plugins – Third party add-ons which extend WordPress
- Themes – The layout and styling of the website
Each of these parts needs to be kept up to date to ensure it has the latest security fixes and patches. If you neglect your website by not updating these, hackers can take advantage of the out-of-date code to get access to your website or inject malicious code into your files and database. Vulnerable plugins and themes, rather than WordPress core itself, are the most common way in, so the add-ons deserve at least as much attention as core.
Before you perform any updates, it’s best practice to take a full site backup in case a problem occurs. If you have automatic daily backups, you may feel comfortable doing this without taking a manual backup, but of course do whatever you feel comfortable with and take your time.
6. Always take regular backups
We recommend that backups of your website are taken at least daily, so that you always have a recent restore point and lose as little data as possible. Ideally these backups would be taken automatically by your web server or a third party service. They should be stored both onsite and offsite for proper disaster recovery, and at least one copy should live somewhere the web server’s own credentials cannot reach: an attacker who has taken over the site (or your hosting account) will otherwise delete or encrypt the backups along with everything else.
In the unlikely event that a hacker does get around all of the security measures listed in this article, you will have a clean backup to revert to and you will be extremely grateful you took the time to set this up. When you do restore after a hack, go back to a copy from before the intrusion and close the hole that let them in before the site goes live again, otherwise you restore the backdoor along with everything else. Not only does this offer a solution when the time comes, but the peace of mind you get from it is priceless.
If your server does not provide daily offsite backups, a popular third party WordPress backup solution is UpdraftPlus.
7. Don’t install shady third party plugins and themes
When installing plugins and themes, you need to understand that once it is integrated into your website you are basically giving it all the access it needs to do whatever it likes. If you install a dodgy plugin from a hacker, they could do all sorts of malicious things, including stealing your customer’s details, adding malware to your pages and database, locking you out of your site and much worse.
Therefore, when downloading plugins and themes, ensure you are getting them from reputable companies or from the official WordPress plugin repository. Two popular and reputable WordPress marketplaces are ThemeForest and CodeCanyon. Before installing anything, check when it was last updated, how many active installs it has and whether the developer responds to security reports, and never use “nulled” (pirated) premium themes or plugins, which routinely ship with backdoors built in.
8. Encrypt sensitive information with an SSL Certificate
There are many more reasons for an SSL certificate than simply encrypting ecommerce transactions. Strictly speaking the certificate proves the server’s identity, and the TLS connection it enables (still commonly called SSL) encrypts everything sent between a web server and a browser, or a mail server and a mail client. That includes credit card details, passwords, login cookies and personal details.
Without a certificate in place, information sent between the browser and server travels in plain text and can be read or altered by anyone on the path, such as on public Wi-Fi or through a compromised router, so private data like credit card numbers and login credentials are not protected. Once the certificate is installed, redirect every http:// request to https:// as well; a certificate that only covers some pages still leaves the login form and its cookies exposed on the rest.
To learn more about SSL certificates and why you might want one, read this article I wrote a while back.
9. Keep computers up to date with antivirus software
Sometimes, the problem can be rooted deeper than just your website being compromised. It’s entirely possible that your PC or laptop may have been hacked and the hackers were able to get access to your website or login details that way.
In this case, you will need to run a deep security scan on your machine with a reputable antivirus software and clean up any malware found. If you’re not sure how to go about this, ask your IT company or speak to an IT consultant.
There is a large selection of Antivirus software available online, some free and some paid. We’d always recommend going for a paid antivirus subscription for the best protection. Check out this article by Tech Radar for the best antivirus software 2021.
If you have any reason to believe that your computer is infected with a virus, you should act fast, as there are a number of malicious activities that can be performed by hackers with that level of control.
Plugins for WordPress Security
10. Enable Two-factor authentication
One of the most common tricks hackers use to gain access to your website is called brute force attacks. Hackers try to guess the correct username and password to break into your WordPress site using special scripts.
However, you can lock your WordPress admin down with two factor authentication so that even if your password did get stolen, they would need to enter the security code on your phone to get into the website.
WP 2FA is a lightweight two-factor authentication plugin which you can download for free and get set up in a few minutes.
You will also need an authenticator app such as Google Authenticator or Authy.
We appreciate that it can be slightly annoying to have to get the code from your phone before you can log in, especially when you’re in a rush; however we feel the security benefits far outweigh the minor delay of that added step. One caveat: two-factor authentication on the login form only protects the login form. WordPress also accepts a username and password over XML-RPC and, since version 5.6, through Application Passwords on the REST API, so make sure your plugin covers those paths too, or disable them (see item 19 for XML-RPC).
11. Change the default WordPress login URL
The standard WordPress login page is:
www.yourdomain.com/wp-login.php
(www.yourdomain.com/wp-admin simply redirects there when you are not logged in). This is of course no surprise to hackers and is therefore the first place automated attacks hit. Changing this URL takes your site out of the lazy mass scans that post credentials straight to wp-login.php, which cuts a lot of noise from your logs. Be clear about what it doesn’t do, though: it is obscurity rather than a control, the new URL can be discovered by anyone who watches how your site behaves, and it does nothing for brute-force attempts that arrive via XML-RPC or the REST API. Treat it as a complement to items 10 and 12, not a replacement for them.
There are a number of plugins which you can install to easily change the login URL to something else. One that is very popular and has over a million active installations is WPS Hide Login.
12. Limit login attempts
Without any limit in place for failed logins, you’re allowing a hacker unlimited attempts at guessing your password. In most cases it will not be a person who is trying to log in, but a piece of software designed to repeatedly try various usernames and passwords until it gets a match. This is what’s called a brute force attack or a dictionary attack.
There are plugins which you can install to protect your website from such attacks. One such plugin with over two million active installs is Limit Login Attempts Reloaded.
Wordfence and Sucuri also come with built-in login attempt features in case you want an all-in-one solution.
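To show what a login-limiting plugin actually does under the hood, here is an added example of a small must-use plugin that throttles failed logins per IP address. It is illustration only, not the code of Limit Login Attempts Reloaded, Wordfence or Sucuri; the constant values, function names and log message are this example’s own choices, and it assumes a single server where the web server sees the real client address.

```php
<?php
/**
 * Plugin Name: Example Login Throttle
 *
 * Added illustration of how limit-login-attempts protection works. Save it as
 * wp-content/mu-plugins/login-throttle.php and WordPress loads it on every
 * request, no activation needed. Values and names below are example choices.
 */

const ELT_MAX_FAILURES   = 5;    // failed attempts allowed per IP per window
const ELT_WINDOW_SECONDS = 900;  // 15 minutes: the counting window and the lockout length

/**
 * Address used as the throttle key. REMOTE_ADDR is what the web server saw.
 * Behind a reverse proxy or CDN this is the proxy's address and every visitor
 * would share one counter, so in that setup configure the server to restore
 * the real client IP (Apache mod_remoteip, nginx real_ip) rather than trusting
 * X-Forwarded-For here, which an attacker can forge to dodge the throttle.
 */
function elt_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function elt_key(string $ip): string {
    return 'elt_fail_' . md5($ip);   // transient names have a length limit
}

/**
 * Count a failure. wp_login_failed fires for wp-login.php, XML-RPC and REST
 * (Application Password) logins alike, so all three paths share one counter.
 */
function elt_record_failure($username) {
    $ip  = elt_client_ip();
    $key = elt_key($ip);
    $failures = (int) get_transient($key) + 1;
    set_transient($key, $failures, ELT_WINDOW_SECONDS);   // expiry restarts on each failure

    if ($failures >= ELT_MAX_FAILURES) {
        error_log(sprintf('login throttle: %s locked out after %d failures (username tried: %s)',
            $ip, $failures, (string) $username));
    }
}
add_action('wp_login_failed', 'elt_record_failure');

/**
 * Refuse to authenticate while the IP is locked out. Priority 30 runs after
 * WordPress's own username/password check (priority 20), so even a correct
 * password is rejected during the lockout. The WP_Error returned here is
 * itself counted as a failure, which extends the lockout for anyone who
 * keeps hammering.
 */
function elt_block_locked_out($user, $username, $password) {
    $failures = (int) get_transient(elt_key(elt_client_ip()));
    if ($failures >= ELT_MAX_FAILURES) {
        return new WP_Error('elt_locked_out',
            'Too many failed login attempts. Please try again later.');
    }
    return $user;
}
add_filter('authenticate', 'elt_block_locked_out', 30, 3);

/**
 * A successful login clears the counter so a user's own typos don't linger.
 */
function elt_clear_on_success($user_login, $user) {
    delete_transient(elt_key(elt_client_ip()));
}
add_action('wp_login', 'elt_clear_on_success', 10, 2);
```

Two design points worth noting. Counting on wp_login_failed rather than on requests to wp-login.php is what makes the throttle cover XML-RPC and Application Password logins as well as the form. And transients are stored in the options table (or your object cache), so the counters survive across PHP processes; a counter held in a PHP variable would reset on every request and throttle nothing.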
13. Install a security plugin like Sucuri or WordFence
There are a number of security plugins available online, and in our opinion Sucuri and WordFence are the leading players.
They both offer similar features, such as:
- Malware Scanner
- Login Security
- Blocklist Monitoring
- Security Hardening
- Website Firewall
- And more…
A security plugin is essential to keep your website safe from hackers. Without one you would be missing lots of fundamental security features and you might not even know if you had been hacked without one.
Security plugins will usually notify you if your website has been compromised in any way, which is crucial information. This is because it allows you to act quickly to get the malware cleaned up and removed before further damage can be done. It can also help you identify where the hack originated from so that you can harden that area further.
If you aren’t looking to spend any money, we’d recommend going with WordFence because along with their free plugin you get access to their free WAF (Web Application Firewall). Their free WAF rules are delayed by 30 days, compared to their “real time” premium version, but it is still well worth having.
However, if you are willing to spend a bit of money, then Sucuri would be our recommended option, as their WAF is very powerful and they also offer lots of other features such as a CDN (Content Delivery Network), Caching, Monitoring, free SSL certificates and much more.
14. Install an Anti-Spam plugin
There are a number of anti-spam plugins available, some free and some paid. We’d recommend going for a paid option as they provide much better protection.
The one that comes with WordPress out of the box is called Akismet. This has a free option which gives you very basic cover and the paid plans start from around £8 per month. It’s a small price to pay for no spam emails clogging up your inbox and potentially leading to a scam.
Cleantalk is another plugin we recommend. It’s very affordable but offers great protection. It also offers other features, such as anti-crawler and anti-flood. We’ve been using it for many years now and it has worked brilliantly.
15. Disable author archives with Yoast SEO
As mentioned previously in this article, usernames are almost as important as passwords as they make up half of the puzzle. You therefore don’t want these being indexed on Google for anyone to find.
Out of the box, WordPress generates an archive page for every user who has published something, at /author/username/, and requesting /?author=1 redirects straight to that page, which is how attackers enumerate usernames one ID at a time. The REST API’s /wp-json/wp/v2/users endpoint lists the same users with no login required. Hackers look for these to get half of the puzzle for free. To avoid this, assuming you are not utilising the author archives feature on your website, you can disable them with the Yoast SEO plugin (Search Appearance → Archives → Author archives), and most security plugins can also block the ?author= enumeration and the REST users endpoint for logged-out visitors.
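For sites that would rather not rely on an SEO plugin for this, here is an added example of a must-use plugin that closes the three username leaks described above: author archives (including the /?author=N redirect), the REST users endpoint for anonymous visitors, and the login form telling you whether the username or the password was wrong. It is illustration only, not Yoast SEO’s feature or any plugin’s code, and the function names are this example’s own.

```php
<?php
/**
 * Plugin Name: Example Username Hiding
 *
 * Added illustration of blocking WordPress's default username leaks. Save it
 * as wp-content/mu-plugins/hide-usernames.php. Function names are example
 * choices; the hooks and endpoints are WordPress's own.
 */

/**
 * 1. Author archives. Send /author/<nicename>/ and /?author=<id> to the front
 *    page. Priority 1 runs before redirect_canonical() (priority 10), which
 *    would otherwise answer /?author=1 with a redirect to /author/<nicename>/
 *    and hand over the name even though the archive page itself is gone.
 */
function ehu_block_author_archives(): void {
    if (is_author()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}
add_action('template_redirect', 'ehu_block_author_archives', 1);

/**
 * 2. REST API. /wp-json/wp/v2/users (and ?rest_route=/wp/v2/users) lists
 *    every user who has published a post, with no login required. The block
 *    editor needs this endpoint for its author picker, so keep it for
 *    logged-in users and remove it only for anonymous requests.
 */
function ehu_hide_rest_users(array $endpoints): array {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
}
add_filter('rest_endpoints', 'ehu_hide_rest_users');

/**
 * 3. Login form. WordPress says "username is not registered" for a bad
 *    username and "the password you entered for the username X is incorrect"
 *    for a bad password, which confirms valid usernames one guess at a time.
 *    Replace every login error with a single generic message. (This also
 *    blankets lost-password errors; narrow it if your users need those.)
 */
function ehu_generic_login_error($error): string {
    return 'Error: the username or password you entered is incorrect.';
}
add_filter('login_errors', 'ehu_generic_login_error');
```

One thing this does not hide is the display name, which still appears in RSS feeds and in oEmbed responses. Make sure each user’s display name is different from their login name, otherwise the feed gives the username away regardless of the above.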
Code Snippets for WordPress Security
16. Hide WordPress version number in functions.php
In order to obscure as much information about your WordPress installation as possible, hiding your WordPress version number is a reasonable, if minor, step. By default WordPress prints it in a <meta name="generator"> tag on every page and in your RSS feeds. Don’t expect much from it on its own: the version is also revealed by the readme.html file in the site root (delete that file) and by the ?ver= query strings on core scripts and stylesheets, and scanners fingerprint WordPress in plenty of other ways. The real fix for an out-of-date version is item 5, updating it.
A WordPress security plugin like WordFence or Sucuri will do this for you out of the box, but if your security plugin doesn’t, simply add the below code to your theme’s functions.php file (or, better, to a small mu-plugin so it survives a theme change):
// Return an empty string in place of <meta name="generator" content="WordPress x.y.z" />
// and the matching <generator> element in the feeds.
function prefix_remove_wp_version() {
return '';
}
add_filter('the_generator', 'prefix_remove_wp_version');
17. Password protect staging sites and prevent robots
It’s very easy to forget about old staging sites which get left unprotected and out of date. These can be ideal for hackers to target vulnerabilities in older code, to gain entry into your staging site. From there, they may be able to identify weaknesses present in your live website. They may also get access to all of your administrator usernames which they can then use in brute force attacks on your live website.
Therefore, make sure to password protect the entire directory so no one but you can reach it. HTTP Basic authentication via .htaccess and .htpasswd (or your host’s “password protect directory” feature) is enough, and unlike the WordPress login it stops requests before any WordPress code runs, so an unpatched plugin on the staging site can’t be hit either.
You should also stop search engines crawling the site with a robots.txt file in the root directory containing the two lines below (the User-agent line is required; a Disallow line with no User-agent before it belongs to no group and is ignored):
User-agent: *
Disallow: /
Bear in mind that robots.txt is a polite request that well-behaved crawlers honour and attackers’ scanners ignore, so it is a tidiness measure rather than a security one; the password is what protects the site.
Not only will the methods above make it more difficult for hackers to find your website, but it also ensures customers do not land on your staging website, with out-of-date content. Plus, if your staging site is indexed by search engines, it can negatively impact your SEO.
18. Disallow wp-config.php in htaccess file
wp-config.php holds your database credentials and your keys and salts. Normally PHP executes it and the browser never sees the source, but if the PHP handler is ever misconfigured, or an editor leaves a copy such as wp-config.php.bak behind, the file can be served as plain text. Blocking direct requests to it in .htaccess costs nothing:
<files wp-config.php>
order allow,deny
deny from all
</files>
Those two directives are the Apache 2.2 syntax; on Apache 2.4 put the single line Require all denied inside the same <files> block instead. The rule only matches that exact filename, so delete any backup copies rather than relying on it, and remember that .htaccess is ignored on nginx, where the equivalent is a location block that returns 403.
19. Disallow xmlrpc.php in htaccess file
XML-RPC is WordPress’s older remote-publishing API, served by xmlrpc.php in the site root. It accepts a username and password on every request, and its system.multicall method lets a single HTTP request carry hundreds of login attempts, which is why brute-force tools love it and why login limiting that only counts requests to wp-login.php misses it entirely. Unless you use something that needs it, such as the WordPress mobile apps, Jetpack or a remote publishing tool, it’s best practice to simply deactivate it.
To disable this completely you can install the free Disable XML-RPC plugin (under the hood it uses WordPress’s xmlrpc_enabled filter).
Or you can add this code snippet to your htaccess file (the same Apache 2.2 versus 2.4 note as in item 18 applies):
<files xmlrpc.php>
order allow,deny
deny from all
</files>
20. Block the include-only files in htaccess file
A layer of protection can be added for scripts that are not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file. The rules below are the ones from the WordPress “Hardening WordPress” guidance; place them outside the # BEGIN WordPress / # END WordPress markers, because WordPress rewrites anything between those. On Multisite, remove the third RewriteRule (the one matching wp-includes/[^/]+\.php$), which would otherwise prevent ms-files.php from generating images.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
Reading the rules: the first returns 403 Forbidden for anything under wp-admin/includes/; the second skips the remaining three rules (S=3) when the request is not under wp-includes/ at all; the last three forbid direct requests to PHP files in wp-includes/, to the TinyMCE language files and to the theme-compat fallbacks. Browsers never need to request these files directly, so legitimate traffic is unaffected.
21. Disable directory browsing in htaccess file
If directory indexes are enabled, requesting a folder that has no index file (wp-content/uploads/, or a plugin’s own directory) makes Apache list everything in it. That tells a visitor exactly which plugins and versions you run, so they can look up known vulnerabilities in them, and it exposes uploads, backups and other files you never linked to.
This is why it is highly recommended that you turn off directory indexing and browsing. Simply add the below line to your htaccess file:
Options -Indexes
If that produces a 500 error, your host doesn’t allow Options in .htaccess (the AllowOverride setting); ask them to disable indexes in the server configuration instead. Avoid the form Options All -Indexes: Apache rejects a mix of absolute and +/- options as a syntax error.
22. Disable theme editing in wp-config.php file
You may have noticed that by default WordPress allows administrators to edit theme and plugin files from within the “Appearance” and “Plugins” sections. This can be very dangerous for a couple of reasons. Firstly, someone could innocently try to modify files without any coding experience and cause the site to break. The more serious reason is that if a hacker gains administrator access to the CMS, the built-in editor is the quickest way to drop a backdoor or add spam links and malicious redirects to your theme files.
To remove the file editor for all users, set the DISALLOW_FILE_EDIT constant to true in your wp-config.php file. Note that an administrator can still upload a plugin or theme zip, which is just code by another route, so if nobody needs to install things from the dashboard the stricter DISALLOW_FILE_MODS constant removes that too (updates then happen via WP-CLI or by deploying files).
23. Disable on-screen error display in wp-config.php
When your site is live on the internet for anyone to see, you don’t want to give secrets away by printing PHP errors into the page. A warning that includes a full file path, a database query or a plugin’s internal state is exactly the kind of information a hacker can use to their advantage. The point is to stop displaying errors, not to stop recording them: you still want them written to a log file that you can read and visitors cannot.
So prevent this from happening by setting the following in wp-config.php (bear in mind that WordPress only applies WP_DEBUG_DISPLAY when WP_DEBUG is true; with WP_DEBUG false the display_errors setting in php.ini decides what visitors see, so check that is Off as well):
define('WP_DEBUG_DISPLAY', false);
24. Change WordPress database prefix in wp-config.php file
By default, the $table_prefix setting in wp-config.php is “wp_”, so every database table is called wp_users, wp_options and so on. Hackers are fully aware of this, so an injection payload written blind will guess the standard table names. Changing the prefix makes those canned payloads miss, which stops some automated attacks; it does not stop a determined attacker, who can read the real table names from information_schema or simply use the prefix the vulnerable plugin already has in $wpdb->prefix. Treat it as a cheap extra hurdle rather than a fix.
If you do change it, do it at install time if at all possible. Changing the value in wp-config.php on an existing site does not rename the tables: you would also have to rename every table and update the wp_user_roles option and the wp_capabilities and wp_user_level usermeta keys, or the site loses its settings and users. Pick something random such as k9q2x_ (an example only; choose your own letters and digits, and keep the trailing underscore) rather than a word.
25. Change Unique Keys and Salts in wp-config.php file
The WordPress keys and salts are long random secrets that WordPress uses to sign login cookies and nonces. If they are still the placeholder values, or an attacker has read your wp-config.php, those cookies can be forged and the protection is gone.
You can change them at any time in the wp-config.php file. Doing so invalidates all existing authentication cookies and forces every user to log in again, which is exactly what you want after a suspected compromise or a password leak.
Before you generate them, each of the eight constants in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT) is set to the placeholder text “put your unique phrase here”.
To generate new ones, which should be done for every website at the beginning, visit the WordPress secret-key service at https://api.wordpress.org/secret-key/1.1/salt/ and copy the eight lines it generates; they are fresh random values on every visit.
Paste them into the wp-config.php file in place of the placeholder lines. Never share them, and never commit wp-config.php to a public repository.
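To pull items 22 to 25 together (plus FORCE_SSL_ADMIN from item 8), here is an added example of the relevant part of a hardened wp-config.php. It is assembled from the constants WordPress documents rather than taken from the article; edit the matching lines in your own file instead of pasting it in wholesale, and replace every value marked as an example. The log path and table prefix are illustrative choices.

```php
<?php
/**
 * wp-config.php hardening settings for items 22 to 25 and FORCE_SSL_ADMIN.
 * Added illustration, not a file from the article. New define() lines belong
 * above the "That's all, stop editing!" comment; $table_prefix and the keys
 * already exist in the file, so edit those in place.
 */

/* 22. Remove the theme/plugin file editor from the dashboard for everyone. */
define('DISALLOW_FILE_EDIT', true);
/* Stricter optional variant: no installing or updating of themes and plugins
   from the dashboard either (you then update with WP-CLI or by deploying). */
// define('DISALLOW_FILE_MODS', true);

/* 23. Errors: never on screen, always in a log you can read.
   WordPress only honours WP_DEBUG_DISPLAY and WP_DEBUG_LOG when WP_DEBUG is
   true (see wp_debug_mode() in wp-includes/load.php). With WP_DEBUG false the
   display_errors setting in php.ini decides what visitors see; if you prefer
   that route, set display_errors = Off and log_errors = On in php.ini and
   drop the three WP_DEBUG* lines. The log path below is an example: it must
   be outside the document root and writable by PHP. The default when
   WP_DEBUG_LOG is true is wp-content/debug.log, which anyone can download. */
define('WP_DEBUG', true);
define('WP_DEBUG_DISPLAY', false);
define('WP_DEBUG_LOG', '/var/log/wordpress/debug.log');   // example path
@ini_set('display_errors', '0');                           // belt and braces

/* 8. Serve the login form and dashboard over HTTPS only. */
define('FORCE_SSL_ADMIN', true);

/* 24. Table prefix. Set at install time if you can; changing it later does
   NOT rename the existing tables (see item 24). Letters, digits and
   underscores only, and keep the trailing underscore. */
$table_prefix = 'k9q2x_';   // example value, choose your own

/* 25. Keys and salts. Replace all eight placeholders with the output of
   https://api.wordpress.org/secret-key/1.1/salt/ (each value is a
   64-character random string). Changing them logs every user out. */
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
```

After editing, load the site once with a deliberate mistake (a misspelt function name in a test plugin, say) and confirm the browser shows a generic error while the message appears in your log file; that proves the display setting is really off rather than merely present in the file.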
So there you have it, 25 ways to keep your WordPress website secure in 2022. Implementing all or most of these security measures will make your WordPress website very uninviting for hackers.
If you are a Cariad client, we will already have implemented everything on this list that is within our power. Of course, we rely on you to do your part too, like using strong passwords, looking after your computers and not installing shady software.
If you think your website might be compromised or you’d like to know more about how we can protect your website, get in touch today and we will be able to discuss your options.