WordPress is so popular that an increasing number of developers are creating ready-made themes and plugins for it. While most of these facilitate the operation of your site and expand its functionality, some may harbor viruses or open doors for hackers. This article will help minimize the risk of your site being hacked and teach you to be prepared for any situation.
Choosing a hosting provider
If you are reading this article, it means you already have hosting, and it’s too late to recommend anything 🙂 Remember for the future that hosting should not be chosen based on price alone. I recommend paying attention to hosting providers in the review at https://dieg.info/en/vps-vds-hosting/.
Managed WordPress hosting services are now gaining popularity. If you have purchased such a service, you don’t need to read further. Most of the steps described below are either already implemented by technical support or will be configured upon your request.
Rule 1: It’s the Web server that should be running, not WordPress
Currently I prefer to set up the Nginx + PHP-FPM bundle for WordPress without a hosting control panel, so this article gives the configuration for Nginx; for Apache and LiteSpeed you can find the equivalent directives on the internet. If you have managed WordPress hosting and no access to the web server settings, contact your hosting provider's technical support.
What do I mean by "it is the web server that should work, not the WordPress engine"? Every request that the web server can answer itself should be answered by the web server and never reach WordPress. Any request to your site creates load, and the more load, the worse the site performs. In the general case my recommendation takes load off caching plugins and security plugins, which not only speeds your site up but also makes it more secure. So the web server should be tuned to work with WordPress, not the other way around. WordPress is a powerful platform, but it is demanding on resources, and a web server that is not tuned for it leads to performance and availability problems.
Let's look at the simplest example of what I mean, to see how a WordPress (or any other CMS) site becomes both more secure and faster. The files readme.html and license.txt sit in the root folder of every WordPress installation. They are plain text files that do not affect WordPress in any way, and the standard advice is to delete them right after installation. You do not need them, but they tell an attacker the exact version of your WordPress and other details that are useful for breaking into a site.
As you can see, the recommendation is correct and looks simple to carry out. But the same txt files also sit in plugin directories, so you would need to delete them there as well, and after every plugin update they reappear. On top of that, the stream of such requests from attackers' scanners can noticeably slow your site down. Any web server solves this elegantly; in Nginx, for example, the following block denies access to files with the extensions log, txt and sql in every directory of your site:
location ~ \.(log|txt|sql)$ {
    deny all;
    access_log off;
    log_not_found off;
}
That block closes this door. Note that the pattern also matches robots.txt (and ads.txt, if you have one), so add an exact-match location that allows those files in the same server block; in Nginx an exact match takes precedence over regular-expression locations. Also, readme.html is not caught by this pattern and needs a rule of its own. The next block will also speed your site up by denying access to xmlrpc.php, the file used for remote access to your site (the WordPress mobile apps and Jetpack rely on XML-RPC, so skip this rule if you use them):
location = /xmlrpc.php {
    deny all;
    access_log off;
    log_not_found off;
}
Rule 2: Enable automatic updates of the engine, plugins and themes
If you don’t want to update WordPress because you made changes to the files, it’s better to create a child theme, transfer the changes to it, and still enable updates.
Since version 5.5, WordPress has a built-in feature to automatically update themes and plugins.
- Turn on theme auto-update: Go to “Appearance” -> “Themes”, hover your mouse over the desired theme, click “Theme info” -> Enable automatic updates.
- Turn on plugin auto-update: Go to the “Plugins” section and turn on auto-update next to the desired plugin.
If you have something on your site that is not compatible with newer versions of WordPress, a plugin or a theme, you can enable automatic updates selectively.
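Selective automatic updates can also be set from code, which is handy when you want everything to update except a couple of components you have to test by hand first. The snippet below is an added example, not code from the article: it uses the auto_update_plugin and auto_update_theme filters that WordPress itself provides; the mysite_ prefix and the pinned slugs are placeholders to replace with your own.

```php
<?php
/**
 * Added example (not code from the original article): selective automatic updates.
 * Save it as a file in wp-content/mu-plugins/ (it loads before normal plugins and
 * cannot be deactivated from the dashboard) or add the body to functions.php.
 *
 * Everything auto-updates except the plugins and themes listed below, which stay
 * on manual updates because a newer version breaks something on your site.
 * The slugs are placeholders for this example; replace them with your own.
 */

// Plugin slugs (directory names) that must NOT update on their own.
const MYSITE_PINNED_PLUGINS = array( 'example-legacy-plugin' );

// Theme slugs (directory names) that must NOT update on their own.
const MYSITE_PINNED_THEMES = array( 'example-custom-theme' );

// Keep the core on automatic minor AND major updates (security releases included).
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Decide per plugin. $item is the update object WordPress passes along;
// its 'slug' property is the plugin's directory name.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, MYSITE_PINNED_PLUGINS, true ) ) {
        return false; // pinned: leave this one for a manual, tested update
    }
    return true;      // everything else updates automatically
}, 10, 2 );

// The same decision for themes; here the directory name is in $item->theme.
add_filter( 'auto_update_theme', function ( $update, $item ) {
    if ( isset( $item->theme ) && in_array( $item->theme, MYSITE_PINNED_THEMES, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );
```

A filter that returns false overrides the per-item switches in the dashboard, so a pinned plugin stays pinned even if someone enables auto-update for it in the “Plugins” list. Keep the pinned list short and revisit it after each release; a component that cannot be updated is the weak point the rest of this article is about.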
Rule 3: Do not use nulled templates for WordPress
Nulled products are pirated copies of paid themes and plugins that are distributed on the Internet illegally.
To put it briefly, in the end, you will pay the developer more for cleaning your site of malicious code than you save by installing a nulled template or plugin.
Rule 4: Back up your data as often as possible
Even the biggest sites get hacked every day, despite the fact that their owners spend thousands to improve WordPress security.
Not all attacks can be prevented, but just one successful attack can destroy all efforts to work on your site. We recommend that you make regular backups of your site.
There are several ways to create backups. You can download the site files and export the database manually, or, as I wrote above, use the tools included in your hosting plan (I say plan rather than tariff on purpose – hello to the marketers). Another way is to use WordPress plugins. The most popular ones are:
- BulletProof Security is a very interesting plugin for both site protection and backups.
- WordPress Database Backup – plugin settings allow you to set the option to send a daily database backup to your contact mailbox.
There are a large number of backup plugins developed for WordPress. You can find them at https://wordpress.org/plugins/tags/backup/.
Protecting your WordPress site, recommendations
Remove all unnecessary plugins, themes, files
Boldly remove all unused plugins and themes. Hackers often use disabled and outdated templates and plugins (even official WordPress plugins) to gain access to your control panel, or upload malicious content to your server. By removing plugins and templates that you no longer use, you reduce your risks and make your WordPress site more secure.
For example, you installed plugins to test and choose the one you will use. After selecting, don’t forget to delete any unnecessary ones.
- Remove unused plugins.
- Remove unused themes. You should have at most three themes: the one you use on your site, its child theme, and Twenty Twenty-One (the official WordPress theme for 2021). Keep Twenty Twenty-One so that, if your main theme fails (a white screen often appears because of PHP errors, all the more so if you have a custom theme or plugins), you can switch to Twenty Twenty-One and fix the problem.
Hide the version of WordPress, scripts, and styles
WordPress by default adds the current version number to the source code of its files and pages.
<meta name="generator" content="WordPress 5.7.1" />
<meta name="generator" content="WooCommerce 5.2.2" />
If you cannot always update WordPress on time, an outdated version becomes a weak point of your website, and knowing which version you run is of great help to an attacker. To stop the platform's version information from being displayed, add a line to your functions.php file:
remove_action('wp_head', 'wp_generator');
I use the Clearfy Pro plugin, which has settings for:
- Removing the meta tag from the head section. It lets attackers find out which WP version is installed on the site and has no useful function.
- Removing versions from styles. WP, themes and plugins often include stylesheets with the version of the file, plugin or engine appended, like this: ?ver=4.7.5. Such a query string lets attackers learn the version of the plugin or engine. Also, not all proxy servers and CDN services cache files whose addresses end in the ver parameter, which increases the load time of your site.
- Removing versions from scripts. As with styles, scripts are included with the version of the file, plugin or engine appended, like this: ?ver=4.7.5.
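The three Clearfy Pro settings above can be reproduced without a plugin. The snippet below is an added example, not code from the article or from Clearfy Pro: it removes the generator tag, blanks the generator string in feeds, and strips the ver parameter from enqueued styles and scripts using WordPress's own style_loader_src and script_loader_src filters. The mysite_ prefix is a placeholder.

```php
<?php
/**
 * Added example (not code from the original article or the Clearfy Pro plugin):
 * hide WordPress version hints without a plugin. Add it to the active (child)
 * theme's functions.php, or save it as a file in wp-content/mu-plugins/ so it
 * survives a theme change. The mysite_ prefix is a placeholder for this example.
 */

// 1. Remove <meta name="generator" content="WordPress x.y.z"> from the <head>.
remove_action( 'wp_head', 'wp_generator' );

// 2. Blank the generator string everywhere else WordPress prints it
//    (RSS and Atom feeds, the WXR export file).
add_filter( 'the_generator', '__return_empty_string' );

// 3. Drop the ?ver=... parameter that wp_enqueue_style()/wp_enqueue_script()
//    append to stylesheet and script URLs. Only 'ver' is removed; any other
//    query parameter on the URL is kept.
function mysite_strip_version_query_arg( $src ) {
    if ( false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
// A late priority so this runs after plugins that add their own 'ver'.
add_filter( 'style_loader_src', 'mysite_strip_version_query_arg', 9999 );
add_filter( 'script_loader_src', 'mysite_strip_version_query_arg', 9999 );
```

Two caveats: the ver parameter also serves as cache busting, so after an update browsers and CDNs may keep serving the old CSS or JavaScript until their cache expires (an alternative is to replace ver with a site-wide build string instead of dropping it); and the WooCommerce generator tag shown earlier is added by that plugin through its own hook, so this snippet does not remove it.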
How to enable two-step authentication in WordPress
Two-step authentication is an account security method based on two factors: something only you know (the password) for logging in, and a physical device you own (a mobile device or a key).
After you enter your password on the site, you are sent a request for a new one-time password, which you receive to your contact phone number or email (it is possible to follow a certain link from the email). So even if your main password has been compromised, the hacker won’t be able to enter your account without access to your phone number or email.
Popular two-factor verification plugins for WordPress:
- Keyy Two Factor Authentication allows you not to remember a password, but to use a QR code scan to log in.
- Google Authenticator provides two-factor authentication using the Google Authenticator app for Android / iPhone / Blackberry.
Use non-standard login credentials
Do not use a username such as admin. It is strongly recommended that you change your admin username to something else.
The easiest time to choose a non-default login is when you install WordPress. But if WordPress is already installed, create a new administrator account with different data:
- Log in to your WordPress control panel
- Find the “Users” section and click “Add New”.
- Create a new user and give it administrator rights.
- Re-enter WordPress with your new data.
- Go back to “Users” and delete the default Admin account.
I recommend using specialized tools for creating and securely storing passwords, such as the free KeePass Password Safe.
Additionally, it is possible to stop the login form from reporting whether it was the login or the password that was entered incorrectly, with code in the functions.php file of your website's current theme folder (wp-content/themes/current_theme_WordPress). But I removed that code from the article, as it differs between WordPress versions. Use the Clearfy Pro plugin or the WP Cerber Security plugin to disable the incorrect-password information.
Disable WP JSON
WP JSON is short for the WordPress JSON REST API. It is used to write applications on different platforms and in different languages that can manage your site: add, change and delete content, customize themes, menus, widgets and more. As you have already guessed, it allows unsafe things to be done!
Search engines often index /wp-json/ as a subsection of the site. From the SEO point of view, only pages that bring traffic should be in the index, not technical (garbage) pages under /wp-json/.
When disabling the WordPress REST API, keep in mind that some popular plugins use it, such as Contact Form 7. So if your feedback form suddenly stops working, check whether the REST API is disabled.
We have at least two reasons to disable wp-json – security and SEO. To disable wp-json I use the Clearfy Pro plugin, or you can use the code below.
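Rather than switching the REST API off completely, which breaks the block editor and the plugins mentioned above, a safer variant is to close it to anonymous visitors only. The snippet below is an added example, not code from the article or from Clearfy Pro: it uses WordPress's rest_pre_dispatch filter, keeps the API for logged-in users, and allow-lists the front-end route of Contact Form 7. The route prefix for Contact Form 7 and the mysite_ prefix are this example's assumptions; check the namespace your form plugin actually registers.

```php
<?php
/**
 * Added example (not code from the original article or the Clearfy Pro plugin):
 * close /wp-json/ to anonymous visitors while keeping it available to logged-in
 * users (the block editor and most admin screens need it) and to the front-end
 * routes of plugins that submit forms through the REST API.
 * Put it in functions.php of the child theme or in wp-content/mu-plugins/.
 * The Contact Form 7 prefix below is this example's assumption: verify the
 * namespace the plugin registers on your site (the list is shown at /wp-json/).
 */

// REST route prefixes that anonymous visitors may still call.
const MYSITE_PUBLIC_REST_PREFIXES = array(
    '/contact-form-7/v1/',   // assumed namespace of Contact Form 7's submit endpoint
);

// Runs before any REST route is dispatched; returning a WP_Error short-circuits it.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( is_user_logged_in() ) {
        return $result;                 // authenticated: normal behaviour
    }
    $route = $request->get_route();     // e.g. "/wp/v2/posts"
    foreach ( MYSITE_PUBLIC_REST_PREFIXES as $prefix ) {
        if ( 0 === strncmp( $route, $prefix, strlen( $prefix ) ) ) {
            return $result;             // allow-listed public route
        }
    }
    return new WP_Error(
        'rest_login_required',
        'The REST API on this site is available to logged-in users only.',
        array( 'status' => 401 )
    );
}, 10, 3 );

// Stop advertising the API: the <link rel="https://api.w.org/"> tag in <head>
// and the matching Link: HTTP header point crawlers and scanners at /wp-json/.
remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
remove_action( 'template_redirect', 'rest_output_link_header', 11 );
```

To verify it on your own site, log out and open any /wp-json/ address in the browser: the response should be a small JSON error with HTTP status 401, while the contact form still submits. A 401 also addresses the SEO point, since search engines do not index pages that refuse them.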
Using .htaccess in Apache to improve WordPress security
Proper and safe customization of .htaccess is a very broad topic and requires certain professional competencies. I strongly recommend not to copy .htaccess settings from obscure sites, especially from forums and use them without understanding.
.htaccess is the file that WordPress permalinks need in order to work under the Apache and LiteSpeed web servers (Nginx does not use .htaccess). Without the correct entries in it you will get many 404 errors.
Right after installing WordPress, all the .htaccess settings are correct! You may only need to set up redirects from www and from http to https. The classic way to configure these redirects is indeed by editing .htaccess, but before you edit, study your hosting provider's documentation: hosts very often offer their own solution for configuring redirects.
Use the code below to repair a corrupted .htaccess file (for example, after a misbehaving plugin overwrote it). The code is copied from the official WordPress documentation.
# BEGIN WordPress
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
List of WordPress security plugins
Hackers often exploit vulnerabilities in WordPress themes or plugins. Therefore, it’s important to frequently check your blog for vulnerabilities. There are many well-written plugins for these purposes, for example: WP Cerber Security – it’s quite good and convenient, with understandable settings. I use it. By the way, you won’t find it in the official WordPress plugins, because it’s considered unreliable 🙂
I caution against the thoughtless use of security plugins! Be sure to test them for your site. They can disrupt your site’s layout (and I’m not confusing this with caching plugins) or block access to visitors.
- Wordfence Security is an anti-virus, firewall, and malware scanner. Wordfence offers an application guide and automatic scanning capability, along with a bunch of other miscellaneous settings.
- Sucuri Security plugin protects against DDOS attacks, contains a blacklist, scans your site for malware and manages your firewall. Google, Norton, McAfee – this plugin includes all the blacklists from these programs. If a problem is detected, you will be notified via email.
- BulletProof Security (hard to understand how it works and therefore hard to configure) – malware scanner, firewall, login form protection, database backup, anti-spam, and a database comparison function. Database backups can be full or partial, created manually or on a schedule, sent as archives to email, and outdated backups can be deleted automatically on a schedule.
- All-In-One Security (AIOS) – Security and Firewall
- Defender Security – Malware Scanner, Login Security & Firewall
There are a large number of special security plugins designed for WordPress. You can find them here: https://wordpress.org/plugins/tags/security/.
Change the default WordPress database prefixes to prevent SQL injection
SQL injection is one of the most widespread methods of hacking sites and programs that work with databases, based on injecting arbitrary SQL code into a query. Depending on the type of DBMS used and the injection conditions, SQL injection can allow the attacker to perform arbitrary database queries (e.g. read the contents of any tables, delete, modify or add data), gain the ability to read and/or write local files and execute arbitrary commands on the targeted server.
I’m skeptical of the advice to change the WordPress database prefix on a running site. If you’re a novice webmaster, only change the prefix when you first install WordPress.
If you are a professional experimenter, find a guide on how to change the prefix on any other site. Good luck!
Conclusion
There are two opposing views on the Internet:
- Opinion 1: Even though WordPress is the most frequently hacked CMS in the world, improving its protection is not that difficult.
- Opinion 2: As sad as it sounds, protecting WordPress is a complicated thing, and any action will not guarantee 100% that your site will be completely protected from any rogue activity.
Dear Webmasters, make backups and sleep well! But understand the basics of WordPress protection yourself, do not delegate. To understand the basic methods of WordPress protection, it is enough to understand the recommendations of this article.
Outstanding post. Securing a WordPress site is paramount. This step-by-step guide ensures a robust defense against potential threats and the safeguarding of websites and user data. Prioritize these security measures for a worry-free online presence.
Awesome post! I would appreciate the way you have explained the article. Your detailed step-by-step guide will be very helpful for beginners to understand easily. Thank you for sharing such an informative guide!
It's such as you learn my thoughts!
A fantastic read. I will definitely be back.