Securing your WordPress installation is a topic many people avoid. It is not a topic to be avoided. There are hackers who attack these sites. In fact, there are an estimated 90,000 hack attempts per minute against WordPress installations. In this article we will discuss some ways to harden and secure your WordPress installation so you don’t have to deal with hackers. I will also discuss how WordPress installations can be vulnerable to attack, how hackers compromise websites, how to secure a WordPress installation and security plugins you can use towards that end.

After reading the statistic that close to 90,000 hack attempts happen per minute, you may be wondering if securing your WordPress installation is even possible. The fact is that, with caveats, WordPress is inherently secure.

Is WordPress Secure?

The security team at WordPress is continually releasing security patches to cover discovered vulnerabilities. Since WordPress was released, over 2,450 security patches have been released to address vulnerabilities. The caveat is that you need to keep WordPress core up-to-date in order to apply all the security patches that are rolled out. Fortunately, updates can be pushed automatically or applied manually in a couple of clicks. You can also choose to turn off automatic updates in case you want to run compatibility tests beforehand.

Keeping your WordPress instance up-to-date is the key to securing your WordPress installation. Everything else I teach you still applies, but all of it is ineffective if you don’t keep your WordPress instance up-to-date on the patches that are released.

How Hackers Compromise Websites

WordPress is secure, but the fact is, all websites are targets for hackers so not a single website is immune. Even a fresh install of WordPress with nothing on it, with little to no traffic, and that’s kept up-to-date is still at risk. Hackers can be relentless.

Overall, there are two main reasons why any site is hacked: money and hacktivism (defacing a site for political reasons such as to show support for a particular political party or influencing group).

The American Economic Association reported that businesses and consumers lose $20 billion per year due to spam. According to a 2016 report by Sucuri, 100% of sites that were sampled were hacked in order to exploit them for profit, but four percent of them are simultaneously used for hacktivism.

The size of your site is not even a factor. Hackers attack all sites, large and small. Being so popular as a CMS, WordPress becomes an extremely popular target for hackers. Hackers can use bots to systematically scan sites for vulnerabilities and security holes. These bots can scan hundreds of thousands of sites simultaneously. This is one more reason to secure your WordPress installation.

WordPress is a target because it now powers over 28% of all websites in the world. It is all a matter of simple math.

Hackers compromise websites because it is nearly impossible to write any kind of code without introducing security flaws. Hackers look for these security flaws and take advantage of them.

The following is a list of vulnerabilities that are commonly exploited:

  • SQL Injection (SQLi) – Occurs when SQL queries and statements can be entered, for example through a site’s URL, and executed against the site’s database
  • Cross-site Scripting (XSS) – A hacker can inject code into a site, typically through an input field
  • File Upload – A file containing malicious code is uploaded to the server without restriction
  • Cross-Site Request Forgery (CSRF) – Code or strings are entered from a site’s URL and executed on behalf of the logged-in user
  • Brute Force – Repeatedly trying to log in by guessing the admin account’s username and password
  • Denial of Service (DoS) – A site goes down under a steady stream of traffic coming from a hackbot
  • Distributed Denial of Service (DDoS) – Similar to a DoS attack, except the traffic is sent from multiple sources such as infected computers or routers
  • Open Redirect – A vulnerability that lets a page on the site redirect visitors to a different page chosen by a hacker, often a spam or phishing site
  • Phishing (Identity Theft) – A site or page created by a hacker that looks like a well-known, commonly trusted site and is used to collect login credentials by tricking users into entering their details
  • Malware – A malicious script or program whose purpose is to infect a site or system
  • Local File Inclusion (LFI) – An attacker is able to control which local file the CMS or web app loads and executes
  • Authentication Bypass – A security hole that enables a hacker to circumvent the login form and gain access to the site
  • Full Path Disclosure (FPD) – The path to a site’s webroot is exposed, such as through directory listings or visible errors and warnings
  • User Enumeration – Determining a valid username for later brute force attacks, for example by adding a string to the end of a WordPress site’s URL that requests a user ID and returns that author’s profile with the valid username
  • XML External Entity (XXE) – XML input that references an external entity and is processed by an improperly configured XML parser, which can lead to disclosure of confidential information
  • Security Bypass – Similar to authentication bypass, except that a hacker circumvents the security system that’s in place to gain access to some part of a site
  • Remote Code Execution (RCE) – A hacker has the ability to execute arbitrary code on a machine or site from a different machine or site
  • Remote File Inclusion (RFI) – Exploiting a reference to an external script on a site in order to load malware, all from an entirely different computer or site
  • Server Side Request Forgery (SSRF) – A hacker can partially or totally control a server’s requests, forcing it to make requests remotely on their behalf
  • Directory Traversal – Cases where HTTP requests are crafted to access directories and files outside of the server’s web root

This is not a complete list of vulnerabilities, but rather a list of the most commonly exploited vulnerabilities. So what are some steps you can take for securing your WordPress installation?

Steps for Securing Your WordPress Installation

  1. Make sure your own computer is secure. You must keep your computer free of malware and viruses. These can attach themselves to files and when you upload those to your WordPress installation, it gets infected as well.
  2. Install anti-virus software and keep it up-to-date
  3. Scan regularly for viruses
  4. Make use of a firewall
  5. Use a secure hosting provider
  6. Use strong passwords
  7. Don’t allow users to upload files to your site
  8. Use FTPS instead of FTP
  9. Install a security plugin like Defender or WordFence
  10. Backup often
  11. Always test your backups to ensure they work
  12. Keep WordPress up-to-date
  13. Keep all plugins and themes up-to-date
  14. Pay attention to the reviews for your plugins to ensure there are no known vulnerabilities
  15. Use a CDN to prevent DoS and DDoS attacks
  16. Install and force the use of SSL for your WordPress installation

Disable the Theme and Plugin Editor

WordPress allows you to edit theme code and plugin code in a built in editor.


This is considered a security risk by many developers because a hacker who has access to your admin dashboard could edit theme and plugin files directly without needing to hack their way further into your site’s directories.

You can add this code to your wp-config.php file to disable the theme and plugin editors:

define('DISALLOW_FILE_EDIT', true); 

Relocate wp-config

If you move the wp-config file from its default location, you will do wonders towards securing your WordPress installation. The only requirement is that you must create a new wp-config file that is located in the same place as the original with the following code inserted:

<?php
define('ABSPATH', dirname(__FILE__) . '/');
require_once(ABSPATH . '../path/to/wp-config.php');

Be sure to change ‘/path/to/wp-config.php’ to the actual path on your server. Ideally that location is outside the web root, so the file can never be served directly by the web server.

Change the Database Table Prefix

This is something I do on every WordPress installation I setup. By default, the table prefix for a WordPress installation is wp_ and that makes it even easier for hackers to exploit your site. Changing it to something random and complex can thwart hacking attempts.
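Changing the prefix on an existing installation takes more than editing $table_prefix in wp-config.php, because the prefix is also stored as data inside two tables. The following is an added example, not code from the original article; it assumes the standard core tables of a single-site install and uses a constructed prefix, x7q3_ (plugin tables that start with wp_ would need the same RENAME treatment).

```sql
-- Step 1 (outside SQL): set $table_prefix = 'x7q3_'; in wp-config.php.
-- Step 2: rename every core table to the new prefix.
RENAME TABLE
  wp_commentmeta        TO x7q3_commentmeta,
  wp_comments           TO x7q3_comments,
  wp_links              TO x7q3_links,
  wp_options            TO x7q3_options,
  wp_postmeta           TO x7q3_postmeta,
  wp_posts              TO x7q3_posts,
  wp_terms              TO x7q3_terms,
  wp_termmeta           TO x7q3_termmeta,
  wp_term_relationships TO x7q3_term_relationships,
  wp_term_taxonomy      TO x7q3_term_taxonomy,
  wp_usermeta           TO x7q3_usermeta,
  wp_users              TO x7q3_users;

-- Step 3: rows such as wp_user_roles (options) and wp_capabilities /
-- wp_user_level (usermeta) carry the prefix in their key. Without this
-- update every account loses its role and the admin is locked out with
-- "You do not have sufficient permissions". 'wp_' is 3 characters, so
-- the new key is the new prefix plus everything from position 4 on.
-- In MySQL, \_ in a LIKE pattern matches a literal underscore.
UPDATE x7q3_options
   SET option_name = CONCAT('x7q3_', SUBSTRING(option_name, 4))
 WHERE option_name LIKE 'wp\_%';

UPDATE x7q3_usermeta
   SET meta_key = CONCAT('x7q3_', SUBSTRING(meta_key, 4))
 WHERE meta_key LIKE 'wp\_%';

-- Step 4: verify. Both queries should return no rows.
SELECT option_name FROM x7q3_options  WHERE option_name LIKE 'wp\_%';
SELECT meta_key    FROM x7q3_usermeta WHERE meta_key    LIKE 'wp\_%';
```

Take a full database backup before running this, and run it while the site is in maintenance mode so no requests hit the half-renamed schema.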

Rules in .htaccess

Another step to securing your WordPress installation is to add some rules to the .htaccess file to protect files and directories.

You can protect important files by adding the following to your .htaccess file:

<FilesMatch "^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>

You can restrict direct web access to the PHP files inside your plugin and theme directories by adding the following code to your .htaccess. Any file a plugin or theme legitimately needs to serve directly must be listed in the exclusion conditions, otherwise that feature will break:

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

You can restrict access to your WordPress admin dashboard by allowing only certain static IP addresses by adding the following to your .htaccess:

ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# Each placeholder below is a regular expression: write the address with
# its dots escaped (for example !^203\.0\.113\.10$) so it matches literally.
RewriteCond %{REMOTE_ADDR} !^IP Address One$
RewriteCond %{REMOTE_ADDR} !^IP Address Two$
RewriteCond %{REMOTE_ADDR} !^IP Address Three$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Lines one and two send users to a 404 error page if they try to visit the admin dashboard from an IP address other than those defined in this rule. This helps avoid redirect loops, so your site doesn’t appear to be down. Just be sure to replace /path-to-your-site/ with the actual path of your WordPress site.

Change Your Default Username

By default, the initial WordPress user has the admin role and is simply called ‘admin’. You should definitely change this. If you leave it at the default, you are giving the hacker half of the credentials needed to get into your site. Use something you will remember, but definitely do not use the default username. If your site is already set up and you used the default username, you can change it via phpMyAdmin directly in the users table.
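As an added example (not the article’s own code), this is the corresponding change made directly in the users table, assuming the default wp_ prefix and a constructed replacement name, siteowner. user_nicename and display_name are changed as well, because WordPress shows them publicly in author archive URLs and bylines, where they would otherwise still reveal the old login name.

```sql
-- Rename the default account. user_login is the name typed at the login
-- form; user_nicename is the slug used in /author/<nicename>/ URLs; and
-- display_name appears in post bylines. All three are set so that none of
-- the public surfaces keeps leaking 'admin'.
UPDATE wp_users
   SET user_login    = 'siteowner',
       user_nicename = 'siteowner',
       display_name  = 'Site Owner'
 WHERE user_login = 'admin';

-- Verify: this should return no rows once the update has been applied.
SELECT ID, user_login, user_nicename, display_name
  FROM wp_users
 WHERE user_login = 'admin'
    OR user_nicename = 'admin'
    OR display_name = 'admin';
```

Existing sessions are tied to the user ID rather than the login name, so the account’s posts and settings are unaffected; you simply sign in with the new name from then on.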

Best Practices for Securing Your WordPress Installation

Many or most of the security techniques mentioned above can be applied quickly with a security plugin. Installing one and keeping it active is a simple and excellent way to ensure your site is protected without having to remember to apply all the security tactics yourself.

WordPress itself is secure as long as you keep it updated, but new vulnerabilities surface as hackers find them. A security plugin helps protect you while the WordPress security team works on a fix to release in the next core update.

You can find a list of reliable and solid security plugins later on, but remember to install one if you don’t have one on your site already.

Part 2 – More on Best Practices

In part 2 of this article, I will address some more ways of securing your WordPress installation and cover some more of the basics. For now, go through and implement the changes recommended above. This will take securing your WordPress installation to a new level.