There is no doubt about the popularity of WordPress: it powers more than 74.6 million sites worldwide, and 48% of the top 100 blogs run on the platform. Online, however, anything popular is a target, and WordPress is no exception.
Unless you are a big brand, though, the attacks that hit WordPress sites are mostly the work of people with little technical skill: the "script kiddies" who reuse common code, techniques and kits against any site they can find.
The good news is that most of these attacks can be prevented outright, and those that do get through can usually be cleaned up quickly; you rarely need to wait until an attack does damage. So today, let's look at how to secure your installation and avoid the common hacks.
Start with the server
Before you think about the security of the site itself, start from the ground up: make sure the hosting server is secure in the first place. Choose a host on security and reputation, not on price. There may be decent cheap hosts out there, but for the most part $2 a month is not going to buy you security.
Most managed WordPress hosting services have a reputation for secure hosting. Not all of them allow every performance-related plugin, though, so check first exactly what access and control you keep.
Most of them offer:
- Managed WordPress hosting.
- Automatic security updates.
- Daily backups.
- One-click restore points.
- Automatic caching.
- Top level security.
Whatever host you choose, check that it:
- Runs stable versions of server software and applies patches promptly.
- Runs a firewall at the server level.
- Makes frequent backups and restores (site and database) easy.
- Provides intrusion detection.
Managed hosts (WPEngine, for example) serve cached content through a CDN, so if you really do not want a managed WordPress host, consider putting a CDN in front of the site together with a caching plugin such as W3 Total Cache.
Make sure the CDN serves all of that cached traffic over HTTPS (TLS, still commonly called SSL), and that the leg between the CDN and your origin server is encrypted as well. Unfortunately, WordPress on a shared server, rather than a VPS or a dedicated server, is usually installed and configured in the way that is easiest for the host, not necessarily the safest.
Please note that the following configurations are for advanced users who are familiar with coding or basic sysadmin tasks. If you're not, ask your web developer to set this up for you.
Logins, passwords and plugins
Surveys of WordPress installations have found more than 70% running versions with known vulnerabilities. As soon as you have installed WordPress, update to the latest version, and keep doing so every time a release appears. The same goes for your theme, every plugin you use, and the server software underneath. It may seem obvious, but the statistics speak for themselves: there are many, many outdated installations out there.
When it comes to passwords, I still come across people who use something like "companyname123" as their password, and these are people who work in the technology industry.
So for yourself and every other user, generate long random passwords and keep them in a password manager such as LastPass; it is safer that way.
Apply automatic updates
Since WordPress 3.7, minor releases (security and maintenance updates) are applied automatically by default, but major releases are not. A one-line change to the configuration makes WordPress apply both, so you no longer have to do it by hand. Before you turn this on, make sure frequent automatic backups are running in case an update goes wrong.
To enable it, add the following to your wp-config.php file:
# Enable all core updates, including minor and major:
define( 'WP_AUTO_UPDATE_CORE', true );
Problems with automatic updates are most common when you rely on plugins that are not updated frequently, so make sure the plugins you install are actively maintained and, where possible, come with some form of support.
Disable PHP error reporting
If a plugin or theme throws an error, the resulting message can expose the server path and other internals to anyone who loads the page, which is useful reconnaissance for an attacker. Disable on-screen error display by adding the following to your wp-config.php file:
error_reporting(0);
@ini_set('display_errors', 0);
Two caveats. First, WordPress resets the error_reporting level itself when it loads, based on WP_DEBUG, so the line that really matters is display_errors: make sure WP_DEBUG is false, or, if you need debugging on, set WP_DEBUG_DISPLAY to false and WP_DEBUG_LOG so errors go to a log file instead of the page. Second, hiding errors is not the same as fixing them: keep PHP's log_errors setting on so problems still appear in the server error log, and keep that log out of the web root.
If you don't feel confident editing configuration files, you can ask your web host to disable this for you.
Stop brute force attacks
If you monitored how many login attempts your WordPress site receives each day, you would probably be surprised. Most of them come from botnets trying to guess the administrator password; strong passwords make the guessing futile, but the traffic still arrives. You can cut it off before it ever reaches WordPress by putting an additional layer in front of the login screen with HTTP Basic authentication.
First create a password file with the htpasswd utility that ships with Apache, keeping it outside the web root, then add the following to your .htaccess file (replace the AuthUserFile value with the absolute path to that file; Apache does not expand ~, and without the <Files> block the rule would cover the whole directory rather than just the login page):
# Protect wp-login.php
<Files wp-login.php>
AuthUserFile /absolute/path/to/.htpasswd
AuthName "Private access"
AuthType Basic
require user mysecretuser
</Files>
The browser will now show an authentication box asking for the username and password from the .htpasswd file, and only after that do you reach the WordPress login form; of course, use different passwords for the two. Note that password guessing can also go through xmlrpc.php, which this rule does not cover; protect it the same way, or block it if nothing on your site uses it.
You can also stop brute force attacks by watching which IP addresses keep failing to log in and then denying them. And stop using the default 'admin' username: WordPress does not let you rename an account from the dashboard, so create a new administrator with an unguessable name, sign in as that user, and delete the old 'admin' account (reassigning its posts when prompted). Bear in mind that usernames can still be found through author archives and the REST API, so treat this as a small gain rather than a secret. You and your webmaster/developer should really be the only people with administrative rights on the site.
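The "watch which IP addresses keep failing and deny them" approach above, as an added example that is not part of the original article and is not WordPress or Apache code. It assumes Apache's "combined" access log format and leans on one WordPress behaviour: a failed POST to wp-login.php is answered with HTTP 200 (the form is re-rendered), while a successful login is answered with a 302 redirect. xmlrpc.php returns 200 either way, so every POST to it is counted. The log lines, threshold and window are constructed for the example; the script expects lines in chronological order, as a log file is.

```python
"""Spot password guessing against wp-login.php / xmlrpc.php in Apache access logs.

Added example for this article (not WordPress or Apache code). Heuristic:
WordPress answers a failed wp-login.php POST with HTTP 200 and a successful
one with a 302, so a burst of POST+200 from one address is someone guessing
passwords. xmlrpc.php answers 200 either way, so every POST to it counts.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic). 203.0.113.7 fails six times in
# 21 seconds, 192.0.2.4 hammers xmlrpc.php, 198.51.100.9 is a normal user who
# mistypes twice and then logs in (302).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:55:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:55:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
192.0.2.4 - - [10/Oct/2023:13:55:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
192.0.2.4 - - [10/Oct/2023:13:55:16 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.4 - - [10/Oct/2023:13:55:21 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:22 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
192.0.2.4 - - [10/Oct/2023:13:55:25 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418 "-" "Mozilla/5.0"
192.0.2.4 - - [10/Oct/2023:13:55:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:35 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict of the fields we need, or None for lines we cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_failed_login(rec):
    """Apply the status-code heuristic described in the module docstring."""
    if rec["method"] != "POST":
        return False
    path = rec["path"].split("?", 1)[0]
    if path.endswith("/wp-login.php"):
        return rec["status"] == 200      # 302 would be a successful login
    if path.endswith("/xmlrpc.php"):
        return True                      # cannot tell by status; count every POST
    return False


def find_brute_forcers(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak failures inside the window} for every IP over the threshold."""
    recent = defaultdict(deque)          # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def apache_deny_block(ips):
    """Render an Apache 2.4 fragment that refuses the flagged addresses."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(ips)]
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG.splitlines())
    for ip, n in hits.items():
        print(f"{ip}: {n} failed attempts inside the window")
    print(apache_deny_block(hits))
```

On the constructed log this flags 203.0.113.7 (six failures) and 192.0.2.4 (five XML-RPC posts) and leaves the user who mistyped twice alone. Run it against your real access log by replacing SAMPLE_LOG with the file's contents, and tune threshold and window to your traffic before pushing the generated deny block into a live configuration; a shared office NAT can look like a botnet from this vantage point.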
URL-based exploits
These are a stab in the dark: the attacker sends requests with malformed URLs that should produce an error but are sometimes served anyway, hoping to stumble on a weakness in the site.
The URL might look something like this: http://yoursite.com/your/files/%3G/config
A common trick is to put an opening square bracket in the URL, so the first step is to return a 403 Forbidden for any request whose path contains one. One line in your .htaccess file does it (the backslash is required: an unescaped [ opens a character class in the regular expression, and Apache refuses to compile the rule without it):
RedirectMatch 403 \[
For a more complete rule set you do not need to write everything yourself. If you are comfortable with the .htaccess file and your site runs on Apache, you can use the 5G Firewall, a blacklist of common exploit patterns. It is modular, so you need not use every section, and if something on your site breaks you can remove lines one at a time until you find the culprit.
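What a rule like RedirectMatch 403 \[ actually decides, modelled as a small modular rule list in the spirit of the blacklist just described, as an added example that is not part of the original article and is not code from Apache, WordPress or the 5G Firewall. It covers the two cases the text shows, an opening bracket and the broken percent-encoding in the %3G example, and goes one step beyond RedirectMatch by checking the decoded path as well, so %5B cannot slip past a rule written for a literal bracket. The request targets are constructed for the example.

```python
r"""Reject malformed request targets before WordPress ever sees them.

Added example for this article, not code from Apache, WordPress or the 5G
Blacklist. Models `RedirectMatch 403 \[` as one entry in a rule list you can
extend or trim one entry at a time, and adds a rule for broken
percent-encoding such as the `%3G` in the article's example URL.
"""
import re
from urllib.parse import unquote

# Each rule: (name, compiled regex, scope).
# "path" rules see the URL path only, like RedirectMatch does; "target" rules
# see path and query string together.
RULES = [
    ("open square bracket", re.compile(r"\["), "path"),
    ("malformed percent-encoding", re.compile(r"%(?![0-9A-Fa-f]{2})"), "target"),
]


def should_block(request_target):
    """Return the name of the first rule the request trips, or None if it is clean."""
    path = request_target.split("?", 1)[0]
    # The path is checked both raw and percent-decoded; the query string is
    # deliberately left out of the bracket rule (see the note below the code).
    views = {"path": (path, unquote(path)), "target": (request_target,)}
    for name, pattern, scope in RULES:
        if any(pattern.search(view) for view in views[scope]):
            return name
    return None


def http_status(request_target):
    """403 for a blocked target, 200 otherwise (stand-in for the real response)."""
    return 403 if should_block(request_target) else 200


# Constructed request targets (not observed traffic).
SAMPLE_REQUESTS = [
    "/wp-admin/",
    "/your/files/%3G/config",
    "/wp-content/plugins/[evil]/x.php",
    "/wp-content/uploads/%5Bevil%5D.php",
    "/wp-admin/edit.php?post%5B%5D=12&action=trash",
]


def triage(targets):
    """Map each request target to the rule it tripped (None if allowed)."""
    return {t: should_block(t) for t in targets}


if __name__ == "__main__":
    for target, verdict in triage(SAMPLE_REQUESTS).items():
        print(f"{http_status(target)}  {target}  {verdict or 'allowed'}")
```

The bracket rule is scoped to the path on purpose: wp-admin bulk actions submit fields such as post[]=, which browsers send as post%5B%5D, so a bracket check applied to the whole request line (or the decoded query string) would break the dashboard. That is also why the original RedirectMatch line is safe: it matches the URL path, not the query string.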
You can protect the .htaccess file itself by adding the following to it (the <Files> block matters: the two bare directives on their own would lock out the entire site):
<Files .htaccess>
order allow,deny
deny from all
</Files>
On Apache 2.4 the equivalent is Require all denied inside the same <Files> block.
Security plugins for WordPress
Of course, you can also use one of the security plugins available for WordPress. Before installing one, check that it is compatible with your version and updated frequently, then read the ratings and reviews to see which ones the WordPress community rates highly.
If you have many plugins installed, periodically prune the ones you are not using. Ask whether the functionality each plugin gives you is really necessary and remove those that are not. Remove disabled plugins too: their code still sits on the server and gives an attacker a potential way in. If a plugin is no longer supported, look for an alternative, because it will become a vulnerability at some point if it has not already.
For the most part, WordPress security comes down to common sense. Most compromises are not clever: attackers get in through known flaws in outdated software, or through weak credentials and careless configuration on the user's side, so keeping everything current covers most of the ground. Unless they are specifically targeting you and your site, attackers take the easiest route, so make their job a little harder.