WordPress Security: 10 Tips to Secure your Site
WordPress is one of the most popular content management systems in use today. While it is a very user-friendly platform, it is also important to remember that it needs to be adequately secured to protect your website and its data.
This blog post will discuss some tips on securing and protecting your WordPress sites from malicious attacks.
Importance of WordPress security
Keeping a WordPress site secure is a critical element of the health of the website and the security of the underlying data.
Hackers can gain an initial foothold or privileged access to a website in multiple ways, and once they have access, they can wreak havoc on your site and its data.
That is why it is essential to ensure that you take steps to secure your WordPress site and keep it protected from potential threats.
Shortcuts in security are highways to hell
It's essential to address one big misconception before we start deep diving into WordPress security and hacking mitigation steps.
Security by obscurity means relying on shortcuts that make something look secure, rather than on the actual quality of its security. In cybersecurity, shortcuts cost very dearly. There are numerous examples where the security by obscurity approach led to disastrous situations.
WordPress Security Plugins
There are hundreds of plugins and tools available to help you with any task related to a WordPress site.
However, a WordPress security plugin may or may not still be reliable, supported or maintained by the time you actually need help (if ever). In addition, there are some simple things that you can do to help protect your site, such as keeping your WordPress version up to date, using strong passwords, and backing up your data regularly.
As of today, some of the popular WordPress security plugins are:
- Sucuri Security – Auditing, Malware Scanner and Security Hardening
- iThemes Security
- Wordfence Security
- WP fail2ban
- All In One WP Security & Firewall
- BulletProof Security
- WPScan – WordPress Security Scanner
- Google Authenticator – Two Factor Authentication
- Security Ninja
- Astra Web Security
- Shield Security
- Hide My WP
We are not against plugins but suggest using them with caution. Do your research on the reputation of plugins and their authors, and where better alternatives are available, prefer not to use plugins at all.
A small example would be using Cloudflare free or pro plans based on your requirements, saving you the use of many plugins for security protections.
10 security tips to keep your WordPress site secure
Keeping your website secure is mandatory to protect your data. Here are some essential tips to help keep your WordPress site secure:
1 – Update WordPress regularly – Patching
One of the essentials for keeping your WordPress site secure is ensuring that you are using the latest version.
Threat actors or attackers are constantly finding new ways to exploit vulnerabilities in older versions of WordPress, so it is vital to make sure that you have the latest version installed. You can update WordPress core by going to the “Updates” page in your dashboard directly.
2 – Use strong passwords
Another important security measure is to use strong passwords for all of your user accounts. A strong password should be at least eight characters long and include a mix of upper and lowercase letters, numbers, and special characters. You can generate strong passwords using a password generator tool such as KeePass (open-source) or commercially available options.
3 – Use reliable security tools
One of the pitfalls is installing security plugins that are buggy, insecure or out of support. It is better to give this task to the right people, i.e. security specialists, or if you are a micro-business, to find a reliable freelancer who can help you with your security goals.
With that said, it does not mean all WordPress security plugins are bad. Some of the well-known plugins, including Sucuri, Wordfence, etc., are well-supported and helpful.
For WordPress, there is some excellent help available for free. This includes the Cloudflare free plan, which provides network and application layer firewall options and protects the site against DDoS/DoS attacks.
It also helps with caching and secure DNS options. The pro plan is reasonably priced depending on your website's functionality, if you can afford it.
We are not endorsing Cloudflare; you are free to make other choices. However, based on its proactive stance and industry reputation, choosing it is similar to choosing Microsoft's Active Directory over other directory services.
4 – Back up your data regularly
Back up your WordPress site regularly. It ensures that you have a copy ready if something happens to your site. There are many different WordPress backup plugins available, including direct Cloud backup options these days.
5 – Penetration Testing / Secure Configuration Reviews
As a business owner, if you are worried about your reputation, incoming revenue through the website or the sensitive information you store, it is vital that you submit your website for third-party security assessments, also known as web application penetration testing.
Web application penetration testing is a process of assessing the security of a web application.
The goal here is to identify vulnerabilities that could be exploited by an attacker to gain access to sensitive data or to perform other malicious actions. Penetration testing can be conducted manually or automatically, and it may involve testing the application from both inside and outside the organisation's network.
Common types of tested vulnerabilities include HTML injection, SQL injection or command injection flaws, cross-site scripting issues, and authentication and authorisation bypass. These are typically checked against the OWASP top ten security risks.
However, testing is not limited to the top 10 risks. Some in-depth checks involve business logic flaws and practical attacks with multi-sequence or multi-staged payloads based on the application's or API's functionality.
6 – Basic Secure Hardening Checklist
Reduce your attack surface significantly without much cost by following these steps.
- Limit the admin login interface to known IP addresses only. You can do it easily using Cloudflare or a similar mechanism restricting by IP address or at the application level using URL path.
- Disable XML-RPC function usage over the Internet. XML-RPC is a remote procedure call protocol that uses XML to encode its calls and HTTP as a transport mechanism. “PHP” refers to the programming language in which WordPress is written. The xmlrpc.php file is used to handle communications between different WordPress installations. For example, if you have multiple WordPress sites, you can use the xmlrpc.php file to post content from one site to another. As long as the remote site supports XML-RPC, you should be able to post content to it using this method. However, because the xmlrpc.php file can be used to POST data to a WordPress site, malicious actors can exploit it. For example, an attacker could use xmlrpc.
- Disable directory indexing that may lead to information disclosures of website contents and the file system. The underlying issue with this relates to permissions configuration. You can disable directory indexing by adding “Options -Indexes” in the .htaccess file.
- Disable hazardous PHP file-execution functions that threat actors could abuse through the site's code routines.
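One way to apply the first three checklist items in the site root .htaccess, as an added example that is not from the original post; it assumes Apache 2.4 syntax, that AllowOverride permits these directives, and the IP address 203.0.113.10 is a placeholder for your own admin address.

```apache
# Added example: hardening directives for the WordPress site root .htaccess
# (Apache 2.4 syntax; AllowOverride must permit Options and access directives).

# 1. Stop directory listings, so a missing index file does not expose the tree.
Options -Indexes

# 2. Allow the login page only from a known address.
#    203.0.113.10 is an RFC 5737 documentation address: replace it with your own.
#    Caveat: behind Cloudflare (or any proxy) Apache sees the proxy's address,
#    so configure mod_remoteip (RemoteIPHeader CF-Connecting-IP plus the proxy's
#    ranges as RemoteIPTrustedProxy) or restrict at the proxy instead.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>

# 3. Refuse XML-RPC entirely. Anything that legitimately needs it
#    (remote publishing, the mobile app, Jetpack) will stop working; that is the point.
<Files "xmlrpc.php">
    Require all denied
</Files>

# 4. Never execute PHP that lands in the uploads directory. Per-directory
#    RewriteRule patterns are relative to this directory, hence no leading slash.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^wp-content/uploads/.*\.(php|phtml|phar)$ - [F,L,NC]
</IfModule>
```

The fourth checklist item (hazardous PHP functions) is set in php.ini rather than .htaccess, for example `disable_functions = exec,passthru,shell_exec,system`.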
7 – Use a Web Application Firewall
A web application firewall (WAF) is a security tool that helps to protect your WordPress site from attacks. A WAF can block malicious requests before they reach your website and help mitigate the effects of an attack if your site is breached. Some popular WAFs include Cloudflare and Sucuri Firewall.
8 – Don't use nulled themes or plugins
A “nulled” theme or plugin is a pirated copy of a premium WordPress plugin or theme. These themes and plugins are often modified to include malicious code, which hackers can use to hack your site. It is essential to only use themes and plugins from reputable sources, such as the WordPress.org plugin repository.
Hackers often use nulled themes and plugins to gain access to WordPress sites. If you are using a nulled theme or plugin, we recommend that you replace it with a genuine copy as soon as possible.
Using an outdated or vulnerable theme or plugin is one of the easiest ways for hackers to access your WordPress site. Updated themes and plugins reduce the hacking risks.
9 – Use two-factor authentication
A two-factor authentication mechanism requires you to enter a second factor, such as a code from a mobile app, in addition to your password when logging into your WordPress site.
Use secure multi-factor authentication (hardware keys or passwordless sign-ins), as attackers then need both your password and the second factor to authenticate as an admin.
Two-factor authentication is a great way to add an extra layer of security to your WordPress site. We recommend using a plugin such as Authy or Google Authenticator to set up two-factor authentication for your site.
10 – Logging and Monitoring
Logging and monitoring your WordPress site is essential to be aware of any cybersecurity threats or unusual events. By default, WordPress does not offer any admin security features to help you monitor your site.
However, you can install a few plugins that will help you keep an eye on things or utilise the previously mentioned solutions such as Cloudflare, Fastly, and the like.
Even if you take all of the precautions detailed above, there is always a chance that your WordPress site could be compromised due to supply chain security risks.
Compromised WordPress sites may also display these symptoms:
a) Your site is loading slowly
b) You see strange error messages
c) Your site is redirecting to another website
d) You are seeing new users or content on your site that you didn't add
If you see any of these signs, we recommend that you take immediate action to investigate the reasons behind such changes.
What to do if your website is hacked
You should take the following steps if you think that your site has been hacked:
1 – Remain calm
The first thing you need to do is remain calm. It can be tempting to panic when you think your site has been hacked, but it's essential to keep a clear head to take action to fix the problem.
2 – Turn on maintenance mode on your website
If you think your WordPress site has been compromised, you should first enable admin maintenance mode. This will prevent visitors from accessing your site while you work to fix the problem.
You can enable maintenance mode by adding the code in your wp-config.php or the dashboard:
- Go to the WordPress administration panel.
- Settings – WP Maintenance Mode page.
- Under the “General Settings” section, switch the Status to Activated.
- Click the Save Settings button.
3 – Start creating an incident report
If you think your WordPress site has been hacked, it's crucial to create an incident report. This is your trail of events or recordkeeping to help you later establish what happened, and it is handy information if you need to contact your hosting provider, law enforcement or other authorities such as the ICO (Information Commissioner's Office).
Your incident report should include:
a) A timeline of events leading up to the hack
b) A list of any changes that have been made to your site
c) A list of any sensitive information that may have been compromised
d) Any other relevant information
4 – Reset access and permissions
If you think your WordPress site has been hacked, one of the first things you should do is reset all user passwords and admin permissions. This will help to prevent the hacker from reaccessing your site.
To reset passwords and admin permissions, you will need to connect to your WordPress site using an FTP client. Once connected, you will need to navigate to the /wp-content/ directory and edit the following files:
i) any other files that have been modified
Once you have edited these files, you will need to save and upload them to your WordPress site.
After you have reset the passwords and permissions, it is recommended that you change your WordPress password to a unique and robust password.
5 – Diagnose the issue
Once essential housekeeping is out of the way, you will need to diagnose the issue to discover how your WordPress site was hacked. It can be a complex step, but some tools can help.
Use site checkers, security checklists and incident analysis checklists to look for indicators of compromise. You can find any known security vulnerabilities using vulnerability scanning.
Once you have diagnosed the issue, it paves the way to think about admin fixes around these issues.
Online resources by famous incident responders, security experts and WordPress experts are often a great source of information. These could be mailing lists, social media profiles/blogging sites, websites or forums.
These days, finding analysis write-ups is often an excellent way to read about other issues and troubleshooting steps to learn and help yourself.
However, if this is not close to your skill-set, you should seek professional help. It is imperative because your actions may lead to data loss, change in website config or unintentionally running any tasks that may lead to further malicious actions.
7 – Reinstall backup, themes, and plugins
If you think your WordPress site has been hacked, one of the first things you should do is reinstall all backup themes and plugins. This will help to prevent the hacker from reaccessing your site.
To reinstall these files, you will need to connect to your WordPress site using an FTP client. Once you have deleted the compromised versions of the files via the FTP client, you will need to upload the backup versions of these files to your WordPress site.
8 – Change your site passwords again
After taking the steps above, you will need to change your WordPress password to something strong and unique. Use a password manager to store secrets and generate random passwords that do not contain dictionary words or entries from common password lists.
Once you have changed your password, we recommend that you update all user passwords and permissions. This will help to prevent the hacker from reaccessing your site.
9 – Alert your customers and stakeholders
If you think your WordPress site has been hacked, it's crucial to alert your customers and stakeholders as soon as possible.
There are multiple reasons why it's crucial to let stakeholders and customers know about a security breach.
It builds trust and transparency between the company and its customers. Additionally, it allows the company to take responsibility for its mistakes and show that it's committed to protecting its customers' information.
Finally, informing customers about a security breach can help prevent future attacks by allowing customers to trust that you will take additional steps to protect their sensitive user data. You might also need to assess the potential breach to determine whether you must report it to the local/national regulatory authority.
10 – Check for website blacklisting status
If your site was blacklisted (by Google or similar search engines) due to the attack, Google would subtly notify visitors about visiting your website. This is done by displaying a message to the user in the search results: “This site may harm your computer”.
If you see this message, it's crucial to take action immediately. Google will typically blacklist a website for one of two reasons:
a) The site has been hacked and contains malicious code.
b) The site is hosting malicious content.
It would be best if you took action to remove the malicious code or content from your website. Once clean, you can submit a request to Google to have your site removed from the blacklist.
This WordPress security guide shared the signs of compromise and the top ten steps to beef up security. Security is not an immediate investment, nor does it provide immediate ROI.
It is a continuous process that you should work on to reduce the probability of adverse events in the future.
We hope this WordPress security guide was helpful.
If you have any further questions, please contact the Cypher team. We will be happy to set up a call to discuss your security concerns.