Step-by-step instructions for setting up WordPress security. WordPress is so widespread that more and more developers are creating ready-made themes and plugins for it. While most of them make your site easier to use and extend its functionality, some may hide viruses or open the door for hackers. This article will help minimize the risk of your site being hacked and teach you to be prepared for any situation.
Step 0 – Choosing a hosting provider
If you are reading this article, you already have hosting, and it’s too late to recommend anything :) For the future, remember: do not choose hosting by price.
But I will still recommend a few hosting providers:
- Zomro with its clear prices and services. Zomro with its servers in the Netherlands is great for hosting campaign sites. Pay attention to their VPS with large disks and FTP storage service. I copy backups from other hosting companies to Zomro – fast, convenient and cheap.
- GMhost has a wide range of services from cloud storage to Windows/Linux VPS.
- Perfect Quality Hosting provides VPS, on its own hardware, in more than 27 countries around the world.
Step 1 – Remove all unnecessary plugins, themes, files
Boldly remove all unused plugins and themes. Hackers often use disabled and outdated templates and plugins (even official WordPress plugins) to gain access to your control panel, or upload malicious content to your server. By removing plugins and templates that you no longer use, you reduce your risks and make your WordPress site more secure.
For example, you installed plugins to test and choose the one you will use. After selecting, don’t forget to delete any unnecessary ones.
- Remove unused plug-ins.
- Remove unused themes. You should have a maximum of 3 themes: the one you use on your site, its child theme and the Twenty One theme (the last official WordPress theme for 2021). Keep Twenty One so that if your main theme fails (a white screen often appears because of PHP errors, especially if you have a custom theme or plugins), you can switch to Twenty One and fix the problems.
- The readme.html and license.txt files are located in the root folder of any WordPress installation. They are just text files that don’t affect WordPress in any way, so I recommend deleting them immediately after installation. You don’t need these files, but they help hackers figure out the current version of your WordPress and many other useful things for hacking your website.
Step 2 – Enable auto-update engine, plugins, themes
If you don’t want to update WordPress because you made changes to the files, it’s better to create a child theme, transfer the changes to it, and still enable updates.
Since version 5.5, WordPress has a built-in feature to automatically update themes and plugins.
- Turning on theme auto-update: Go to “Appearance” -> “Themes”, hover your mouse over the desired theme, click “Theme info” -> Enable automatic updates.
- Turning on plugin auto-update: Go to the “Plugins” section and turn on auto-update next to the desired plugin.
If you have software on your site that is not compatible with new versions of WordPress, a plugin or a theme, you can enable selective automatic updates of plugins or themes.
Step 3 – Remove the admin or use non-standard login credentials
Do not use a username such as admin. It is strongly recommended that you change your admin username to something else.
The easiest way is to set the login when you install WordPress. But if you already have it installed, create a new administrator account with different data.
- Log in to your WordPress control panel
- Find the “Users” section and click “Add New”.
- Create a new user and give him administrator rights.
- Re-enter WordPress with your new data.
- Go back to “Users” and delete the default Admin account.
I recommend using specialized tools for creating and securely storing passwords, such as the free KeePass Password Safe.
In addition, it is possible to remove the message that the username and password are incorrect. After all, this is also information that can help an attacker. To remove this message, open the functions.php file located in the current theme folder of your website (wp-content/themes/current_theme_WordPress) and add the following code:
// create_function() was removed in PHP 8.0; __return_null is WordPress's built-in callback that returns null
add_filter( 'login_errors', '__return_null' );
I use the Clearfy Pro plugin to disable incorrect password information.
Step 4 – Back up your data as often as possible
Even the biggest sites get hacked every day, despite the fact that their owners spend thousands to improve WordPress security.
Not all attacks can be prevented, but just one successful attack can destroy all efforts to work on your site. We recommend that you make regular backups of your site.
There are several ways to create backups. You can manually download the site files and export the database, or, as I wrote above, use the tools offered by your hosting plan (I did not use the word tariff for nothing – hello to the marketers). Another way is to use WordPress plugins. The most popular ones are:
- BulletProof Security is a very interesting plugin for both site protection and backups.
- or find the plugin at the link https://wordpress.org/plugins/tags/backup/
- WordPress Database Backup – plugin settings allow you to set the option to send a daily database backup to your contact mailbox.
Step 5 – Disable WP JSON
WP JSON is short for WordPress JSON REST API. WP JSON is used to write applications on different platforms and in different languages that can manage your site: add, change and delete content, customize themes, menus, widgets and more. As you have already guessed it allows you to do unsafe things!
Search engines often index /wp-json/ as a subsection of the site. From an SEO point of view, the index should contain only pages that bring traffic, not technical (garbage) pages such as /wp-json/.
When disabling WordPress REST API, keep in mind that some popular plugins use it, such as Contact Form 7. So if your feedback form suddenly stops working, see if the REST API is disabled.
We have at least two reasons to disable wp-json – security and SEO. To disable wp-json I use the Clearfy Pro plugin, or you can use the code below.
// Disable REST API (the 'rest_enabled' filter is deprecated since WordPress 4.7 and has no effect there)
add_filter( 'rest_enabled', '__return_false' );

// Disable REST API Filters
remove_action( 'xmlrpc_rsd_apis', 'rest_output_rsd' );
remove_action( 'wp_head', 'rest_output_link_wp_head', 10, 0 );
remove_action( 'template_redirect', 'rest_output_link_header', 11, 0 );
remove_action( 'auth_cookie_malformed', 'rest_cookie_collect_status' );
remove_action( 'auth_cookie_expired', 'rest_cookie_collect_status' );
remove_action( 'auth_cookie_bad_username', 'rest_cookie_collect_status' );
remove_action( 'auth_cookie_bad_hash', 'rest_cookie_collect_status' );
remove_action( 'auth_cookie_valid', 'rest_cookie_collect_status' );
remove_filter( 'rest_authentication_errors', 'rest_cookie_check_errors', 100 );

// Disable REST API Events
remove_action( 'init', 'rest_api_init' );
remove_action( 'rest_api_init', 'rest_api_default_filters', 10, 1 );
remove_action( 'parse_request', 'rest_api_loaded' );

// Disable Embeds related REST API
remove_action( 'rest_api_init', 'wp_oembed_register_route' );
remove_filter( 'rest_pre_serve_request', '_oembed_rest_pre_serve_request', 10, 4 );
remove_action( 'wp_head', 'wp_oembed_add_discovery_links' );
Insert this code in the functions.php of your theme; if the last line is ?>, insert the code before it.
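Given the Contact Form 7 caveat above, an alternative to switching the REST API off entirely is to require a login for it and leave only the namespaces that public features need. The sketch below is an added example, not the article's code; the example_ names and the 'contact-form-7/v1' namespace are assumptions, and it is meant to be used instead of the block above, not together with it.

```php
// Added example (not from the article); goes in the active theme's functions.php.

// Assumption: Contact Form 7 submits forms under the 'contact-form-7/v1'
// namespace; list whatever namespaces your own plugins need.
const EXAMPLE_PUBLIC_REST_NAMESPACES = array( 'contact-form-7/v1' );

// Hypothetical helper: true when $route falls under an allowed namespace.
function example_rest_route_is_public( $route ) {
    $route = trim( (string) $route, '/' );
    foreach ( EXAMPLE_PUBLIC_REST_NAMESPACES as $namespace ) {
        // Match the namespace itself or anything below it, never a
        // look-alike prefix such as "contact-form-7/v10".
        if ( $route === $namespace || 0 === strpos( $route, $namespace . '/' ) ) {
            return true;
        }
    }
    return false;
}

add_filter( 'rest_authentication_errors', function ( $result ) {
    // An earlier handler already authenticated (true) or rejected (WP_Error).
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    // Logged-in users (and the block editor) keep full REST access.
    if ( is_user_logged_in() ) {
        return $result;
    }
    // WordPress stores the requested route in this query var for both
    // /wp-json/... and ?rest_route=... URLs.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route']
        : '';
    if ( example_rest_route_is_public( $route ) ) {
        return $result;
    }
    // Everything else is refused for anonymous visitors.
    return new WP_Error(
        'rest_login_required',
        'The REST API on this site is available to logged-in users only.',
        array( 'status' => 401 )
    );
} );
```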
Step 6 – Using .htaccess to improve WordPress security
Setting up .htaccess correctly and safely is a very broad topic and requires some professional expertise. I strongly recommend against copying .htaccess settings from obscure sites, especially forums, and using them without understanding them.
.htaccess is a file necessary for WordPress links to work correctly. Without the correct entries in the .htaccess file, you will get a lot of 404 errors.
Prohibit the display of directory contents if there is no index file
This rule prevents visitors from viewing folders on your server by typing their full path. To check, type http://yourdomain.com/wp-includes into your browser; if you see the entire contents of the “wp-includes” folder, your web server has a security problem. A simple solution is to create an empty index.html file in each directory. A better and quicker solution is to make the server respond with 403 Forbidden via .htaccess. To do this, add a line in .htaccess:
Protecting the wp-config.php file
The most important file in WordPress is wp-config.php, which contains the basic WordPress settings, including the login and password for the MySQL database connection. Therefore, it is most often the main target of hackers. To secure wp-config.php, use the following rules in .htaccess:
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat the equivalent is "Require all denied"
<files wp-config.php>
order allow,deny
deny from all
</files>
Deny access to the WordPress admin panel
Using .htaccess, you can deny access to the WordPress admin panel by IP address. It is not recommended to use this method if you have a dynamic IP address.
This blocking can be done in different ways, for example, through the main .htaccess file in the root of the site. But I do not like to overload the code or overcomplicate its logic. To protect the WordPress admin panel, create an empty .htaccess file in the directory that we want to protect, in our case the wp-admin directory. Let’s add a special code to the resulting .htaccess file:
# No <Limit GET> wrapper: inside it the rules applied only to GET (and HEAD) requests and left POST open
# Note: this also blocks wp-admin/admin-ajax.php, which some themes and plugins call from public pages
Order deny,allow
Deny from all
Allow from xx.xx.xx.xxx
Allow from xx.xx.xx.xxx
Be sure to change XX.XX.XX.XXX to your IP address. You can use our service to check your current IP. If you use more than one connection to manage your site on WordPress, make sure you write down the other IP addresses (add as many addresses as you need).
Step 7 – Plugins to protect WordPress from malware
Hackers often use holes in WordPress templates or plugins. Therefore, it is important to check your blog more often. There are many well-written plugins for this purpose, such as:
- BulletProof Security – malware scanner, firewall, authorization form protection, database backup, anti-spam. Database comparison function. Database backups: full, partial database backups, creating backups manually, by schedule, sending backups in the archive to e-mail, automatic deletion of obsolete backups by schedule.
- Wordfence Security is an anti-virus, firewall, and malware scanner. Wordfence offers an application guide and automatic scanning capability, along with a bunch of other miscellaneous settings.
- Sucuri Security plugin protects against DDOS attacks, contains a blacklist, scans your site for malware and manages your firewall. Google, Norton, McAfee – this plugin includes all the blacklists from these programs. If a problem is detected, you will be notified via email.
- WP Cerber Security – not bad at all and handy. I did not like it because it creates gigantic log tables, and the size of my site grew enormously. Also, you cannot run this plugin on cheap hosting, only on a VPS or some business shared hosting plan.
- All-In-One Security (AIOS) – Security and Firewall
- Defender Security – Malware Scanner, Login Security & Firewall
There are a large number of special security plugins designed for WordPress. You can find them here: https://wordpress.org/plugins/tags/security/.
Step 8 – Do not use nulled templates for WordPress
Nulled-products are pirated copies of paid themes and plugins distributed illegally on the Internet.
In short, you will end up paying more to a developer to clean your site of malicious code than you will save by installing a nulled template or plugin.
Step 9 – Enable two-step authentication
Two-step authentication is an account security method based on the application of the following two factors: information known only to you (password) for logging in and your physical device (mobile device or key).
After you enter your password on the site, you are asked for a new one-time password, which you receive at your contact phone number or email (it may also be possible to follow a link from the email). So even if your main password has been compromised, the hacker won’t be able to enter your account without access to your phone number or email.
Popular two-factor verification plugins for WordPress:
- Keyy Two Factor Authentication allows you not to remember a password, but to use a QR code scan to log in.
- Google Authenticator provides two-factor authentication using the Google Authenticator app for Android / iPhone / Blackberry.
Step 10 – Change the default WordPress database prefixes to prevent SQL injection
SQL injection is one of the most widespread methods of hacking sites and programs that work with databases, based on injecting arbitrary SQL code into a query. Depending on the type of DBMS used and the injection conditions, SQL injection can allow the attacker to perform arbitrary database queries (e.g. read the contents of any tables, delete, modify or add data), gain the ability to read and/or write local files and execute arbitrary commands on the targeted server.
I’m skeptical of the advice to change the WordPress database prefix on a running site. If you’re a novice webmaster, only change the prefix when you first install WordPress.
If you are a professional experimenter, find a guide on how to change the prefix on any other site. Good luck!
Step 11 – Hide the version of WordPress, scripts, and styles
WordPress by default adds the current version number to the source code of its files and pages.
<meta name="generator" content="WordPress 5.7.1" />
<meta name="generator" content="WooCommerce 5.2.2" />
Not always being able to update your WordPress version on time can be a weakness of your website. A hacker who knows which version of WordPress you have can do a lot of damage. To prevent your platform’s version information from being displayed, add a line to your functions.php file:
I use the Clearfy Pro plugin, which has settings for:
- Removes the meta tag from the head section. This tag lets attackers find out the WP version installed on the site and has no useful function.
- Removes versions from styles. WP, themes and plugins often include styles with the version of the file, plugin or engine appended, like this: ?ver=4.7.5. Such a link lets attackers learn the version of the plugin or engine. Also, not all proxy servers and CDN services can cache files with the ver parameter at the end of their addresses, which increases the load time of your site.
- Removes versions from scripts. As with styles, scripts are included with the version of the file, plugin or engine, like this: ?ver=4.7.5.
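The three removals listed above can also be done without a plugin. The following functions.php sketch is an added example, not code from the article or from Clearfy Pro; the function name example_strip_asset_version is hypothetical.

```php
// Added example (not from the article); goes in the active theme's functions.php.

// 1. Drop <meta name="generator" content="WordPress x.y.z"> from <head> ...
remove_action( 'wp_head', 'wp_generator' );
// ... and empty the generator string that RSS/Atom feeds print as well.
add_filter( 'the_generator', '__return_empty_string' );

// 2 and 3. Strip the ?ver=... parameter from enqueued stylesheet and script URLs.
function example_strip_asset_version( $src ) {
    // Leave the dashboard alone so admin assets are still refreshed after updates.
    if ( is_admin() ) {
        return $src;
    }
    if ( is_string( $src ) && false !== strpos( $src, 'ver=' ) ) {
        // remove_query_arg() drops only "ver" and keeps any other parameters.
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
// Late priority so the filter runs after plugins that alter the URLs themselves.
add_filter( 'style_loader_src', 'example_strip_asset_version', 9999 );
add_filter( 'script_loader_src', 'example_strip_asset_version', 9999 );
```

Without the ver parameter, browsers and CDNs may keep serving an old cached copy of a file after a theme or plugin update, so clear caches after updating.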
There are two opposing views on the Internet:
- Opinion 1: Despite the fact that WordPress is the most hackable CMS in the world, improving its protection is not so difficult.
- Opinion 2: As sad as it sounds, protecting WordPress is a complicated thing, and any action will not guarantee 100% that your site will be completely protected from any rogue activity.
Dear Webmasters, make backups and sleep well! But understand the basics of WordPress protection yourself, do not delegate. To understand the basic methods of WordPress protection, it is enough to understand the recommendations of this article.
2 thoughts on “WordPress Security Guide – Step by Step”
Awesome post! I would appreciate the way you have explained the article. Your detailed step-by-step guide will be very helpful for beginners to understand easily. Thank you for sharing such an informative guide!
It's such as you learn my thoughts!
A fantastic read. I will definitely be back.