Ultimate Guide to WordPress Website Security

Website Security

After 20 years in business, building and hosting websites, I have come across all sorts of things. This actionable guide will help you avoid the common pitfalls and tighten the security of your website. I will discuss why sites get hacked, what happens when they do, how it can be avoided in the first place, and the quick steps to get back online if your site is hacked.

Is WordPress Secure?

Yes. No. Maybe. 

If a fresh installation of WordPress is installed on a server which is configured for optimum security, with a well configured firewall, it will be trouble free. Yes.

However, does this make it secure and invulnerable? No. 

If I keep it patched and avoid adding any plugins, will it work for me, without problems? Maybe. 

The fact is, WordPress as a platform is well maintained and any identified exploits are quickly patched by the WordPress Security Team BUT this only covers the core system. Keeping WordPress up to date is essential and is relatively easy to do, but problems can (and do) arise. Let’s take a look at some of the causes.

WordPress Core

  • Non-maintained WordPress installations
  • Default admin URLs used

Plugins (3rd party software installed as an ‘addon’ to the WordPress core)

  • Poorly written plugins
  • Non-maintained plugins
  • Non-compliant coding

Hosting Environment

  • Insecure hosting environment
  • Insecure PHP versions
  • Insecure database permissions

Users, Logins and Access Security

  • Weak passwords for admin
  • Default admin username
  • Default admin URLs
  • Poor user access control

This is not an exhaustive list, but it’s among the top causes for a broken / hacked website.

Common Scenario

Many websites are built by a 3rd party. I notice that many website owners pay to have their website built but then fail to maintain it.

This is a key factor when looking to identify why problems occur.

I personally feel it is the responsibility of the website developer or agency to inform the website owner, prior to launch, of the importance of keeping the website patched and up to date. Ultimately, it is up to the website owner to ensure their website is maintained properly, either by doing it themselves or by paying someone to do it for them.

Customers who decline maintenance due to cost

If you are one of these, maybe the importance of maintenance was not explained to you by your developer. Hopefully it’s not too late and you are reading this proactively, to secure your website before a problem occurs.

You don’t have to pay someone to maintain your website, as long as you make sure you do it yourself.

Statistically, a regular small business website is attacked 44 times per day.

Did you know?

In the last 30 days (at the point of writing), one well known security provider logged 3,368,884,212 attempts to breach WordPress websites… and that’s just one provider, in only 30 days.

The same provider blocked 209,917 IPs and marked them as dangerous.

Content Management Systems (CMS) such as WordPress, Drupal or Joomla are always being exploited. They always are, always have been and always will be. The fact is, they are open source, widely used and therefore a prime target for hackers.

Once a site is exploited, it follows that the same exploit will work on other sites, and it will continue to work until the problem is fixed and the exploit is patched.

Typical cause of website hacks

In a recent survey, customers whose sites had experienced an exploit gave these reasons:

  • Website updates were not done
  • Login details were exploited
  • Plugin vulnerabilities exploited
  • Unsafe hosting environment with directory traversal attack

In the majority of cases, website exploits are avoidable.

There is no such thing as Hack Proof

This blog post won’t make your website hack proof! I don’t think there is such a thing. However, what this post will do, is make you aware of common pitfalls and encourage you to tighten security. If you do, this will protect your online investment and make it harder for hackers to disrupt your business.

So, let’s get into it and find out what you can do, to keep things running like clockwork.

Top Security tips to Secure your WordPress site

The following steps are what we recommend you do. Ideally, these are done from the very beginning and on a fresh installation, but they can be done on an existing site.

Be sure to use a good web host!

They should be scanning for file changes, known exploits, known malware and reporting this to you. *We run Imunify360+ on all our business website hosting packages.

Management is more than just updates!

Recognising and using a reliable web host

Having been in the industry since 1999, I know all too well how much hassle it can cause when a website goes down. Before we get into securing your website, let me touch on one critical thing that EVERYBODY should be doing.

MAKE ABSOLUTELY SURE YOU TAKE A REGULAR BACKUP

Not just one from last year when you last thought about it, but one from last night, and the night before etc.

IF you lose your website for whatever reason, you will need a backup to get you back up and running as fast as possible.

Check if your host can offer backups for you.

If your host is offering backups, when was the last time you checked they work?

I have seen several instances where customers thought they had a backup, but they didn’t. Even if your host says they do, check the backups work by downloading the data, unpacking it and making sure it’s all there.

I had a client who was hosted and felt safe with R1 backups running on their host, but when it came to restoring from those backups, the data was corrupted. There was no local stored backup and the whole site had to be rebuilt.

Tips regarding website backups

  1. One backup is not enough. Run two, just in case the first one fails
  2. Test the backup at random times to make sure the backup archive is not corrupt
  3. Make sure the archive time is long enough to keep you safe. 3 days is not good, 3 months is much safer!
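One way to carry out tip 2 without doing it by hand every time, as an added example that is not part of the original post and not W.E.B.S Ltd’s own tooling: a small Python script that reads a .tar.gz backup end to end and confirms that the files a restore depends on are present and non-empty. The archive layout (a wp-config.php plus a database.sql dump) is an assumption; change REQUIRED_FILES to whatever your host actually produces. The sample archives it builds for the demo are constructed.

```python
"""Verify a WordPress backup archive instead of trusting it.

Added example, not code from the original post or from W.E.B.S Ltd.
It assumes a .tar.gz backup containing the site files plus a database
dump; the names in REQUIRED_FILES are assumptions, so change them to
match what your host actually produces.
"""
import io
import os
import sys
import tarfile
import tempfile
import zlib

# Files a restore cannot do without (assumed backup layout).
REQUIRED_FILES = ("wp-config.php", "database.sql")


def verify_backup(archive_path, required=REQUIRED_FILES):
    """Read the whole archive and return (ok, problems).

    Every member's data is decompressed, not just the member list:
    a backup that was cut short during transfer still lists its early
    members and only fails once you read past the cut.
    """
    problems = []
    sizes = {}
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar:
                if member.isfile():
                    data = tar.extractfile(member).read()
                    sizes[os.path.basename(member.name)] = len(data)
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        return False, [f"unreadable archive: {exc}"]
    for name in required:
        if name not in sizes:
            problems.append(f"missing: {name}")
        elif sizes[name] == 0:
            problems.append(f"empty: {name}")
    return (not problems), problems


def build_sample_backup(archive_path, include_db=True):
    """Write a small constructed backup so the checker can be exercised offline."""
    files = {
        "site/wp-config.php": b"<?php define('DB_NAME', 'example_db');\n",
        "site/index.php": b"<?php require 'wp-blog-header.php';\n",
    }
    if include_db:
        files["site/database.sql"] = b"CREATE TABLE wp_options (option_id bigint);\n"
    with tarfile.open(archive_path, "w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))


def truncate_file(src, dst, keep_fraction=0.5):
    """Simulate a backup that was cut short: copy only the first part of it."""
    with open(src, "rb") as fh:
        data = fh.read()
    with open(dst, "wb") as fh:
        fh.write(data[: int(len(data) * keep_fraction)])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python verify_backup.py /path/to/backup.tar.gz
        ok, problems = verify_backup(sys.argv[1])
        print("OK" if ok else "FAILED: " + "; ".join(problems))
    else:
        # Demo on constructed archives: one intact, one cut short.
        with tempfile.TemporaryDirectory() as tmp:
            good = os.path.join(tmp, "good.tar.gz")
            build_sample_backup(good)
            cut = os.path.join(tmp, "cut.tar.gz")
            truncate_file(good, cut)
            print("intact archive:", verify_backup(good))
            print("truncated archive:", verify_backup(cut))
```

Run it against a freshly downloaded backup on a machine other than the web server; a backup that only passes this check on the server it came from has not really been tested.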

So, what makes a good host?

For me, a good host is one I can contact easily and who provides me with a safe, secure and reliable hosting facility within an up to date server environment.

Find out what backup plans they offer.

A good host should be taking backups for you and holding them for a decent amount of time. For your information, here at W.E.B.S Ltd, we take nightly backups of all databases and your entire data folder and retain backups on a daily, weekly and monthly cycle. We purge backups after 3 months.

Staging Area and Update Functionality

We operate Softaculous in all our cPanel accounts and clients can easily install, update, clone and modify their website installations. If you want to be able to test applications before setting them live on your site, no problem.

File Change Scanning

We constantly look for file changes and identify anything which looks out of the ordinary. You can access Imunify reports from your client area.

Up to date PHP and Server Versions

We operate CloudLinux and KernelCare and ensure the latest secure versions of PHP are available. Any host offering you anything older than PHP 5.6 should be considered risky. Older versions are not secure and you need to be running version 7 or higher now.

Jailed Users / Locked Directories in Shared Hosting Environment

The last thing you want is to be on a host, where it is possible to SSH in and navigate outside of your own directory. If you can see other clients, they can see you. In most cases, SSH can be disabled anyway, but if you have it, ensure it’s correctly configured, secured and locked to you.

Monitor and Update WordPress and Plugins Regularly

If you don’t keep up to date, you are a prime target and will expose yourself to a much higher risk of being hacked.

Don’t bury your head in the sand. If you can’t do it, pay us (or someone else) to do it for you. 

WordPress has made it much easier to update your website nowadays, but the issue is often TIME.

In business, we hear the same thing over and over again. “I have just been so busy, I didn’t have the time to do it.”

For as little as £12 per month we can do it for you, with our website maintenance service, so there is no excuse really.

Have you heard of Softaculous? 

We provide this as standard on our servers and you can benefit from it. Check the video below to see how it works, what it can do and how it can help you keep up to date.

Maintain Plugins and be sure to monitor activity on them

WordPress is a fantastic system which can be adapted to suit your requirements with a range of ‘Plugins’. These ‘plugins’ are 3rd party software applications which can be installed to add functionality to the website.

They are both a benefit and problem to stability of WordPress and you need to understand the pitfalls before blindly installing them.

  • Ensure they are well maintained. Plugin directories show when a plugin was created and last updated; it is important to know that it is well maintained and suitable for your website and WP version.
  • Search for problems / vulnerabilities. A simple Google search for ‘known problems with [plugin name]’ can let you know of any well known pitfalls.
  • Use reliable plugin authors. A new author might be fine, but with an established developer you are likely to be able to read reviews and see activity and support taking place.
  • Read user reviews. A great way to identify how other website owners are getting on. Lots of positive reviews? Great! Lots of negative reviews? Move on and avoid!
  • Regularly check for signs of inactivity. Inactive plugins with no updates, comments or activity for 6 months or more are cause for concern. If it’s years of inactivity, be careful.
  • Maintain paid licence status. Commercial plugins with an annual renewal must be reviewed. You don’t actually NEED to pay every 12 months, BUT keep an eye on when a new version comes out and be sure to renew your licence.
  • Delete/replace inactive plugins. If you don’t use it, delete it. If it’s not been maintained for a LONG time, consider replacing it.

Just because a plugin has NOT been updated for a year or more does not necessarily mean it’s vulnerable. It does mean it is more likely to be vulnerable. As the WordPress core evolves, the plugins must evolve with it and adapt to the system architecture and changing server environment.

If software has not been updated for 18 months or more, not only is there an increased risk of it not supporting the latest version of WordPress, but it might also include code which is not suitable for later versions of PHP running on your server.

It is important to keep ALL plugins up to date, if you are to minimise the risk of problems on your website.

Make sure your website and hosting is secure

It doesn’t matter how well configured your WordPress site is, inadequate, poorly maintained website hosting will cause you problems. Make sure:

  • Server firewall. A hardware or software firewall to provide you with a secure and stable environment for your website.
  • Up to date OS and kernel. No different to a desktop OS: if it’s not up to date, it’s not using the latest security and functionality. If the host isn’t using the latest, you should be asking why not.
  • Hardened versions of PHP. Hosts running old, insecure versions of PHP are exposing you to risk. Most hosts serve version 7 at the time of writing. If you see 5.4 or below, ask why.
  • File scanning security. File integrity and change scanning lets you know whether a file change was harmless or not.
  • Jailed users. Shared hosting is common, but it can happen that a user is able to FTP outside of their home directory and access other sites. If it does, run!
  • Performance by user. Hosts who cram as many customers as possible onto a server without fairly distributing resources = problems. Check for CloudLinux and find out whether rogue / heavy-use websites can affect your performance!
  • Locked SSH. Most website owners don’t use or know what SSH is. If it’s granted, make sure it’s not abused.

Secure admin and user logins

  • Choose secure usernames. Avoid using simple names, e.g. chris. Instead, use random characters, e.g. c165dtF.
  • Don’t use admin as your username. Common usernames make it easier for hackers to gain access.
  • Choose secure passwords. Don’t use 12345678 or something really easy. F65Ds1£dabxj_9* is more secure.
  • Use a password generator. Need a secure password? We like 1Password.
  • Make sure to use SSL. Serving ALL pages on https:// rather than http:// is essential nowadays.
  • Use a firewall. Even though your hosting server has one, consider running something like WordFence.
  • Limit login attempts. Block IPs that make excessive attempts to gain access, e.g. with the Loginizer plugin.
  • Change the default admin login. Everyone knows it’s wp-admin, so why not change the admin URL?
  • Limit by IP using .htaccess. A simple and effective way, BUT only for those with a static IP.
  • 2FA. Two-factor authentication is available for WordPress if you want to add extra login protection.

These are great ways to make things hard to hack. In most cases, ‘script kiddies’ and rogue script testers online want an easy target. This post aims to stop you being that easy target; thinking about these security factors will help you avoid being a victim.

Backup, Backup, Backup + TEST Recovery

Backups are there for you, if it really hits the fan. It can happen and when it does, if you don’t have a backup, you are in trouble. For the record, we do take backups (for our own protection) BUT it is ultimately your responsibility to check and ensure you have a backup, to cover you, in the event of a problem.

We take daily, weekly and monthly backups and store them for 3 months. This gives us peace of mind that we have something to use IF things go wrong. You should NOT rely on ANY host and are well advised to take backups for your own peace of mind.

Not only should you take a backup and hold it safely offline, but you should test recovery from that backup to make sure you have a solid copy to return to, if you needed. There is no point having a backup archive which is corrupted and fails to give you access to your files.

BACKUP. TEST. BACKUP REGULARLY. TEST REGULARLY.

Here is a short video to show you how to backup and how to download it and store it offline.

Consider using a Security Plugin

I like the WordFence plugin, which does a good job and rarely causes problems. There are others which claim to offer similar facilities, but I haven’t tested them fully and do not wish to recommend anything I haven’t tested or used myself.

Limit access to your website admin using .htaccess

Use with caution. This one is handy to restrict access to your wp-admin directory by limiting access to your static IP.

ONLY Use this if you have a static IP.

If you have a dynamic IP address, it can change after a router reboot and potentially lock you out. IF that did happen, FTP in and remove the entry in .htaccess or change it to the new IP.

Inside your hosting area is a file called .htaccess.

NOTE: as its name starts with a dot, it may be hidden. In cPanel, for example, there is a ‘show hidden files’ option which you would need to enable in order to see it.

EDIT your existing .htaccess in the site root, or create one there if it doesn’t exist. The block below matches wp-login.php, and that file lives in the root rather than in the wp-admin folder, so a copy placed inside wp-admin would have no effect.

The code below is ready to use EXCEPT for one thing. You need to paste your IP Into it.

# Allow the login page from one IP only
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
</Files>

The Allow from line above needs to be changed. You will put your IP here. To find out your static IP, go to www.whatismyip.com and note the IP address. This might be something like 80.190.180.170, for example. If your site sits behind a proxy or CDN, the address Apache sees will be the proxy’s rather than yours, so check with your host before relying on this.

Once you have your IP, edit the text above and then paste it into your .htaccess file and then save it.

# Allow the login page from one IP only
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 80.190.180.170
</Files>

What this does is stop anyone using the login page, and therefore the admin area, UNLESS they are on that IP. Your IP.

Check Directory Browsing (indexes) is disabled on server

In the Apache web server, indexes can be enabled by default, which allows a directory to be explored. The workaround used to be to place a blank index.html file inside the directory, but really, your host should disable indexes in Apache to fix this properly.

Basically, most servers will look for index.php or index.htm, html etc and IF it doesn’t find a default page to load, it can show the contents of the directory. This is not good, so check and fix it.

Example of what you should see: [screenshot: directory browsing disabled]

If you see this, great. If not and you can see the contents of a directory, get in touch with your host and ask them to fix it. Better yet, move to a better host.

A quick fix is to add these lines to your .htaccess file.

# Disable Directory Browsing
Options -Indexes

Should you disable XML-RPC?

Some people say this should be disabled. I would argue with the validity of telling everyone to disable it. In many cases it can safely be disabled, but is it strictly necessary? I think not.

XML-RPC is a feature of WordPress that enables data to be transmitted, with HTTP acting as the transport mechanism and XML as the encoding mechanism. Since WordPress isn’t a self-enclosed system and occasionally needs to communicate with other systems, XML-RPC was introduced to handle that job.

In 2008, with version 2.6 of WordPress, there was an option to enable or disable XML-RPC. However, with the release of the WordPress iPhone app, XML-RPC support was enabled by default, and there was no option to turn off the setting. This has remained true to the present day.

The security factor here isn’t XML-RPC directly, but how the file can be used to enable a brute force attack on your site. For this reason, some people choose to disable it.

To check if XML-RPC is running on your site, enter your site in the XML-RPC Validator. If you get an error message, you don’t have XML-RPC enabled. If you get a success message, XML-RPC is enabled and you can disable it as follows:

  1. Search for Disable XML-RPC and install the plugin
  2. Block it via .htaccess with the following code

# Block XML-RPC
<Files xmlrpc.php>
order deny,allow
deny from all
# optional: keep this line only if a service at this address still needs xmlrpc.php, otherwise delete it
allow from 123.123.123.123
</Files>
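Both of the checks above (whether a folder shows a directory listing, and whether xmlrpc.php still answers) are worth repeating after every host move or .htaccess change, so here they are as an added Python script that is not part of the original post and uses only the standard library. It requests two folders on a site you administer and POSTs an unauthenticated system.listMethods call to xmlrpc.php. The sample responses are constructed so the classification can be tested offline. Expect the plugin route to still show as “reachable”: it switches off the authenticated methods but the endpoint itself keeps answering, whereas the .htaccess block above answers 403 and shows as blocked.

```python
"""Check your own WordPress site for an exposed directory listing and a
reachable xmlrpc.php.

Added example, not from the original post; standard library only. The
sample responses are constructed so the classifiers can be tested offline.
"""
import re
import sys
import urllib.error
import urllib.request

# Title that Apache's mod_autoindex (and nginx autoindex) put on a listing page.
INDEX_TITLE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)

# Unauthenticated XML-RPC call; an answering endpoint replies with a methodResponse.
LIST_METHODS = (b"<?xml version='1.0'?><methodCall>"
                b"<methodName>system.listMethods</methodName><params/></methodCall>")

# Constructed sample responses.
SAMPLE_LISTING = ('<html><head><title>Index of /wp-content/uploads</title></head>'
                  '<body><h1>Index of /wp-content/uploads</h1>'
                  '<ul><li><a href="2019/">2019/</a></li></ul></body></html>')
SAMPLE_XMLRPC = ('<?xml version="1.0" encoding="UTF-8"?><methodResponse><params><param>'
                 '<value><array><data><value><string>system.listMethods</string></value>'
                 '<value><string>wp.getUsersBlogs</string></value></data></array></value>'
                 '</param></params></methodResponse>')
SAMPLE_FORBIDDEN = ('<html><head><title>403 Forbidden</title></head>'
                    '<body><h1>Forbidden</h1></body></html>')


def is_directory_listing(status, body):
    """A 200 page titled 'Index of /...' means Options Indexes is still on."""
    return status == 200 and INDEX_TITLE.search(body) is not None


def xmlrpc_reachable(status, body):
    """True when xmlrpc.php answered the call. A 403 from .htaccess or a plain
    HTML error page is not a methodResponse."""
    return status == 200 and "<methodResponse>" in body


def fetch(url, data=None, timeout=10):
    """GET (or POST when data is given) and return (status, body text)."""
    req = urllib.request.Request(url, data=data, headers={"User-Agent": "wp-exposure-check"})
    if data is not None:
        req.add_header("Content-Type", "text/xml")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")
    except urllib.error.URLError as err:
        return 0, str(err.reason)


def check_site(base_url):
    """Return {path: finding} for two folders that commonly leak a listing and for xmlrpc.php."""
    base = base_url.rstrip("/")
    report = {}
    for folder in ("/wp-content/uploads/", "/wp-includes/"):
        status, body = fetch(base + folder)
        report[folder] = "LISTING EXPOSED" if is_directory_listing(status, body) else f"ok ({status})"
    status, body = fetch(base + "/xmlrpc.php", data=LIST_METHODS)
    report["/xmlrpc.php"] = "reachable" if xmlrpc_reachable(status, body) else f"blocked ({status})"
    return report


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python wp_exposure_check.py https://www.example.com")
    for path, finding in check_site(sys.argv[1]).items():
        print(f"{path:25} {finding}")
```

A folder that returns 403 or your site’s 404 page is fine; only a 200 with the “Index of” title is a listing. For xmlrpc.php, “reachable” is not automatically a problem, as the section says, but it is the state in which the brute-force concern applies.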

Check folder and file permissions on the server

This really shouldn’t be an issue if your host is set up properly. This comes back to running your website on a good host. We run suPHP on our servers and permissions are easier to manage: files and folders are automatically given the correct permissions. Some servers run PHP as a DSO (Apache module) and this can often lead to sites running with incorrect permissions.

The permissions for WordPress should be:

  • Folders – 755
  • Files – 644

NEVER have files or folders set to 777. This opens up all permissions and allows anyone to read or write to the file.
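To check the numbers above across a whole installation rather than file by file, here is an added Python example, not from the original post and not W.E.B.S Ltd’s hosting tooling, that walks a WordPress directory, reports every folder that is not 755 and every file that is not 644, lists the world-writable ones separately, and with --fix sets them straight. The small tree it uses to demonstrate itself is constructed in a temporary directory.

```python
"""Audit and, with --fix, repair WordPress file and folder permissions.

Added example, not from the original post or from W.E.B.S Ltd's hosting
tools. Folders 755 and files 644 are the values the post recommends.
The sample tree used to exercise it is constructed in a temporary directory.
"""
import os
import stat
import sys
import tempfile

DIR_MODE = 0o755
FILE_MODE = 0o644


def audit(root):
    """Return [(relative path, current mode, wanted mode)] for every entry
    whose permission bits deviate from 755 (folders) / 644 (files)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, DIR_MODE)]
        entries += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
        for path, wanted in entries:
            if os.path.islink(path):
                continue  # never chmod through a symlink
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode != wanted:
                findings.append((os.path.relpath(path, root), mode, wanted))
    return findings


def world_writable(root):
    """The dangerous subset: anything that any user on the server may write to."""
    return [(rel, mode) for rel, mode, _ in audit(root) if mode & stat.S_IWOTH]


def repair(root):
    """Set every deviating entry to its wanted mode; return how many were changed."""
    changed = 0
    for rel, _mode, wanted in audit(root):
        os.chmod(os.path.join(root, rel), wanted)
        changed += 1
    return changed


def build_sample_tree():
    """Construct a small tree with two bad entries and return its root."""
    root = tempfile.mkdtemp()
    os.chmod(root, DIR_MODE)
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.join(root, "wp-content"), DIR_MODE)
    os.chmod(uploads, 0o777)  # the classic mistake the post warns about
    samples = (("wp-config.php", FILE_MODE), ("wp-content/uploads/photo.jpg", 0o666))
    for rel, mode in samples:
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    # Real use: python wp_perms.py /home/user/public_html [--fix]
    args = [a for a in sys.argv[1:] if a != "--fix"]
    root = args[0] if args else build_sample_tree()
    for rel, mode, wanted in audit(root):
        print(f"{rel}: {mode:o} (should be {wanted:o})")
    if "--fix" in sys.argv:
        print(f"fixed {repair(root)} entries")
```

Run it as the account that owns the files. On a suPHP host that is your own account, which is why the post says permissions are easier to manage there; on a DSO host the web server user may own some files and the chmod will fail on those, which is itself a finding worth raising with the host.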

STAY SAFE. KEEP UP TO DATE AND IF IN DOUBT. ASK!

This post was last updated Wednesday 6th March 2019 by Justin Williams
