As with all open-source software, a robust approach to security is essential. With so many WordPress installations out there, some of which are quite poorly protected, it’s little surprise that WordPress is the most hacked or compromised CMS platform, according to the leading online security experts, Sucuri.
As the team at Sucuri is keen to point out in its report, however, much of WordPress security problems are not caused by the base software, but by poor installation, configuration errors and a lack of maintenance. Those affected by WordPress malware and vulnerability exploits are often surprised to learn that their sites had been left so open to attack and to discover that their problems could have been avoided with some simple WordPress security measures.
Good security for WordPress starts at the installation stage. By default, when you install WordPress, the administrator user will be created with a username of ‘admin’ and all database tables will be prefixed by ‘wp_’. WordPress hackers know this, so they have a head start when looking for ways to attack a site. By changing the admin username to something less obvious during the installation process, and also setting the database prefix to something else, you can take the first steps to protect your site.
Make sure that the admin password is as strong as possible, including both uppercase and lowercase letters, numbers and symbols. Never be tempted to use an easy to remember the password, as easy to remember means easy to guess!
Just before you install WordPress, there are a few changes that are needed in the wp-config.php file, and these are highlighted in the WordPress installation guide. However, it is easy to overlook the security aspects of these changes.
Firstly, make sure that the database password you create is as strong as possible, following the same principles as mentioned above for the admin user.
Also in the wp-config.php is a set of salt keys, which look similar to this:
define(‘AUTH_KEY’, ‘3`l-4w`1w.lw}e3,nmK fY,1X4y8|(hm4TA@4ew9cA:cdd}*UXop4_;=ylu9#&H,’);
define(‘SECURE_AUTH_KEY’, ‘rJ&e%mdlwS)*:^Xd![W-2HdC]L+wG^K-m9;>AUU//wEAO$tCai7w]4P(fY ,-ye)’);
define(‘LOGGED_IN_KEY’, ‘hRnQ$y2tnD$&-}!im}{%,|&B1;R@sP2ZA;%-iXuIAdNd2ND,6y{7OX2WmpUqWgT}’);
define(‘NONCE_KEY’, ‘&GH1rfn+6{ `TgOJ=5[<n_Hb$g?$CxTf_QZsy(~n-r-@QYrQ@5YA~)6l#@ -OAx|’);
define(‘AUTH_SALT’, ‘daM)lQ5<aqFgp<2!0hRaJDU*sG#<3N[2F4Nf.>Ed5lCMV7(GBKjhiGHQo-3upzwg’);
define(‘SECURE_AUTH_SALT’, ‘4;-4<:jC<!+>h|Z.BS2#cjLJShG#RgCe}K<w+.H<!)HD^yev=|/CBaSBs,`X|>%z’);
define(‘LOGGED_IN_SALT’, ‘I-{kHk::ZxdZ$j5#FT4EjY]|>wGRP*o]Ly1&;->+P>1JSt:zKVS^zHol2IQ?JNnz’);
define(‘NONCE_SALT’, ‘yUwKs|A?sJ($w0x^AT|Lmx>))i8uKHM6<zV>b{[@l7[kFJi6<VrK[5xq<+*U@aA&’);
These salt keys are used as part of the encryption process within WordPress, helping to protect sensitive data such as usernames and passwords.
Despite the clear instructions given by WordPress in the installation guide, it is amazing how many people do not visit the WordPress Salt Key Generator to create their own unique salt keys, simply leaving the example keys in place. The implications of this error should be obvious to all.
Having added all of the other required information into the wp-config.php file and uploaded it, it’s good practice to then move it up a level, out of your public HTML directory. It’s also wise to lock down permissions on the file itself, to prevent unauthorised access. You can do this by SFTP or by using the chmod command in Linux-based hosting setups. Changing permissions to 400 will lock the file down as much as possible, whilst still allowing WordPress to work.
It’s good practice to disable directory browsing, so that visitors cannot peruse the contents of your website’s directory structure, simply by typing common directory names into their web browser. This is a quick and easy fix, and simply involves adding the following line to your site’s .htaccess file:
Options All -Indexes
Once a new vulnerability or exploit is identified, hackers often go out looking for websites that are using the theme, plugin or WordPress version that is affected. If your website allows access to version number information and you are using affected code, the chances of your site being attacked are high.
Hiding the WordPress version number from hackers involves adding a short script to your theme’s functions.php. WPMU DEV has a great tutorial on how to do this, but if you are unsure, it’s wise to seek expert help with this, since an error in the functions.php file can cause your website to crash.
It can be tempting to consider manually changing theme and plugin names to conceal what code your site is making use of, but this could have important repercussions. If you do this, it’s possible that you will not receive automatic notifications when updates are available for those themes and plugins, and your site could then become out of date, with vulnerabilities left unfixed. A better approach is to use a plugin such as Hide My WP, which provides dynamic random names for themes and plugins, and also offers many other security hardening features.
It’s all too easy for website owners to assume that hacks are dreamt up by malicious geeks with genius minds, but the reality is a lot more ordinary than that. Whilst those skilled hackers do exist, the fact is that many WordPress sites are compromised via access through the login screen. We’ve spoken already about the need to change the default admin username, and to use strong passwords, but there are other steps you can take to beef up login security.
Firstly, you can password protect your login page using your .htaccess file, forcing users to enter a username and password before the WordPress login screen is displayed. If you have a fixed IP address and limited users, you could also restrict access to wp-login.php to only that IP address, locking it down even more tightly. Finally, you can limit the number of logins allowed, before a user or IP address is blacklisted. This prevents user enumeration, or brute force guessing, which is perhaps one of the simplest ways for attackers to gain access to your site.
All of these protection measures can either be accomplished via bespoke code, or you can use a third-party plugin such as Hide My WP or WPS Hide Login.
It’s also worth pointing out that if multiple people need access to the back-end of your WordPress site, you should ensure that they use secure passwords at all times and that access levels are strictly limited to allow each user to achieve just what they need to do. If anyone leaves your organisation, make sure that their WordPress account is disabled or deleted.
It’s a fact of life that no code can ever be 100% secure, as new vulnerabilities are discovered all the time. However, keeping all code as up to date as possible means that security patches and functional improvements are loaded onto your website at the earliest opportunity. After all, many updates are released precisely in order to patch a vulnerability, so it makes sense to apply those updates as soon as possible.
WordPress now comes with the option of automatically updating itself whenever a new version is released, and it’s recommended that this approach is adopted. Themes and plugins should also be checked regularly, and updates applied promptly. If you have themes or plugins which are not in use, it’s wise to delete them entirely from your site, since code can still be vulnerable to attack, even if it is not active.
In order not to fall behind with the task of WordPress updates, it’s worth either scheduling a weekly reminder to yourself or assigning the task to a member of staff, ensuring that they are given sufficient time to complete it regularly.
Whenever a web server responds to a request for content, it delivers that content along with response headers. These response headers pass various bits of information back to the requesting client, and some of that information can be valuable to would-be hackers. Secure response headers can prevent issues such as XSS attacks, clickjacking, and MIME Type sniffing. Whilst many hosts will permit you to add secure response headers at the server level, if this isn’t possible with your web hosting setup, you can also achieve the same result using code added to your functions.php file.
Another way to boost website security is to switch to using SSL for all content delivery on your site. At one time, websites restricted SSL usage to checkout pages or pages containing sensitive data, but in 2014, Google announced that it planned to use SSL as a ranking signal, meaning that SSL-protected sites could get a ranking boost over sites using standard HTTP. Adopting SSL across your entire site, therefore, has a twofold benefit – all content is protected and your site could move up the organic search results on Google.
If you have had your website developed by a freelancer or an agency, you should never simply assume that all security measures have been put in place. Always ask your developer or agency to walk through all the steps that they have taken to secure your site. If in any doubt, it’s worth talking to an experienced agency like KIJO, who can undertake a full security check for you, correcting any vulnerability issues and advising on further measures to tighten up security across the entire site.
Once the basics of a secure WordPress site are in place, one of the easiest ways to ensure that good security is maintained is to make use of one or more security plugins. There are quite a number of security plugins available, each handling different elements of security. Always only use plugins that have lots of active users, plenty of positive reviews and a recent update history.
Here are a few of the best security plugins available:
Always ensure that you understand what any security plugin offers you and that it meets your particular needs. Of course, installing a plugin doesn’t mean that you no longer have to think about security, and you should adopt a security-focused approach at all times, to give you the best possible chance of avoiding the problems so often caused by hacking and malicious code.
If you are in need of help with security on your WordPress website, or with any other aspect of your web presence, contact KIJO for a no-obligation chat about how we can help you.
