WordPress Security 2018: The Ultimate Guide to Secure WordPress
WordPress has been serving bloggers and webmasters since 2003 as a way to build almost any type of website. It is an open source content management system (CMS), so anyone can use it without paying a penny. Its flexibility and ease of use quickly made it popular, and it became the market leader.
Today it is used not only by individuals but also by government agencies and large corporations. More than 74 million sites run WordPress, including the free blogs hosted at WordPress.com. The CMS has countless plugins that take care of common tasks in a flash. Alongside these benefits, security is a recurring problem, and you should take deliberate steps to protect your WordPress sites from compromise.
Why You Must Secure WordPress Site and Blog
Now let's look at the other side of the coin. Because of WordPress's immense popularity and market share, it is an attractive target for attackers and other cyber criminals. Once an attacker gets into a WordPress site, he or she can inject malicious code (backdoors, spam pages, redirects) and turn your site into one that attacks its own visitors. Beyond controlling the site, that access is a path to your personal data and to the hosting account behind it.
A compromised site brings dire consequences: blacklisting, lost visitors and lost data. So it is crucial to know the threats your WordPress site faces and to defend against them while you get on with your main work. Close every potential security hole you can. In this article we describe the different ways to secure a WordPress site so you have no regrets later.
Let's go through the steps to harden WordPress security.
1. Use Complicated Passwords
There are some precautions you must take when creating a password:
- Never use your own name or the website's name as the password
- Don't use only digits or only letters
- Never use your phone number, vehicle registration or home address
- Most importantly, never use a dictionary word or a simple combination of dictionary words
What to remember when choosing a password
- Use a mix of digits and letters
- Use both lower-case and upper-case letters
- Include symbols such as $, @ and %
- Make it at least 8 characters long. Treat 8 as the absolute floor: length adds more strength than any other rule, so 12 or more is a better target
Tip for making effective passwords
Yes, a password must be long and mix letters, digits and symbols. The easiest way to remember such a password is to construct a sentence and take pieces from it. Look at this example: "I played badminton with my friend's at 7:00 pm. We bought rackets in $80."
The resulting password is "Ipbwmf7:p.Wbri$80". As you can see, the password is complicated yet easy to remember. This is only an example (never reuse a password that has been published anywhere); build your own sentence, and make it longer if you can. A password manager can generate and store random passwords for you, so you only need to memorize one. Use a different password for WordPress, the hosting control panel, the database and FTP, so that one leak does not open everything.
2. Secure Your Admin Area
Building a strong wall around the admin area is an excellent way to add a security layer. You can restrict the login page so that it can only be reached from specific IP addresses. If someone cannot even reach the login page, how can they try to get into your WordPress dashboard? You do this by listing the permitted IP address in the .htaccess file (this works on Apache hosting, which is what most shared cPanel hosts run).
Suppose you add the IP address of your home internet connection to .htaccess. Then you can only manage the site from that connection, and nobody else can reach the login page because their address does not match. You can find your public IP address on the WhatIsMyIP website. Note that you need a static IP address from your internet provider for this to be practical: with a dynamic address you would be locked out the next time it changes, so ask your provider for a static one.
- Log in to your hosting control panel and click "File Manager".
- Find the .htaccess file in the WordPress installation directory (the folder that holds wp-admin, wp-content and wp-includes) and edit it.
- Add the lines below, putting your own IP address in place of 00.000.000.000.
<Files wp-login.php>
    order deny,allow
    Deny from all
    Allow from 00.000.000.000
</Files>

The three directives inside the block are Apache 2.2 syntax; Apache 2.4 still accepts them when the mod_access_compat module is loaded, which it usually is on shared hosts. If your host runs Apache 2.4 without it, the equivalent rule is a single line inside the same block:

<Files wp-login.php>
    Require ip 00.000.000.000
</Files>
If you also want access from your office PC, add another Allow from line (or Require ip line) with that connection's IP address below the first one.
This method works well when you always use the same internet connection. If you log in from public Wi-Fi, it is not useful. Two more caveats: if your site sits behind CloudFlare or another reverse proxy, Apache sees the proxy's address rather than the visitor's, so the rule will not work unless the host restores the real client IP; and the block only guards wp-login.php, so add an identical block for xmlrpc.php, which also accepts username and password logins and is a favourite target of brute-force bots.
3. Two-Factor Authentication
Two-factor authentication adds a major security layer. Google provides it for services like Gmail: with it enabled, every login also requires a code from your phone, so a stolen password alone is not enough. To get the same protection on WordPress you need a plugin. Two Factor Authentication and Google Authenticator (by miniOrange) are among the best choices; Clef, which was once widely recommended, shut down in 2017 and should no longer be used.
Let's look at Google Authenticator – Two Factor Authentication, developed by miniOrange. After activating the plugin, click miniOrange in the WordPress sidebar and register an account (the plugin requires one).
There are plenty of verification methods: email, Google Authenticator (time-based one-time codes), QR code scanning, push notification and more. The plugin also offers SMS and phone-call verification, but these are premium features at about $6/year, which is quite affordable. Prefer the authenticator-app method over SMS where you can, since SMS codes can be intercepted by SIM swapping. Whichever method you choose, store the backup codes somewhere safe, or a lost phone will lock you out of your own site.
4. WordPress Security Plugins
Right after installing WordPress, installing a good security plugin should be your top priority. There are plenty of them, but we suggest Sucuri, iThemes Security or Wordfence. All three are well reputed and include many useful features for free. Sucuri provides malware scanning, login alerts, a check of the secret keys' status and other security layers.
iThemes Security is also an excellent plugin. It protects against brute-force attacks, bans specific IPs, updates the secret keys, backs up the database and much more. We always use iThemes Security because it is easy to operate and understand.
Moreover, the developers release updates from time to time that fix bugs and security holes, so keep the plugin (and WordPress itself) updated; a security plugin that is itself out of date adds attack surface instead of removing it.
5. Change Login URL
If you don't want the IP-based restriction from step 2, changing the login URL is another way to cut down attacks on the login page. People use different internet connections, which means different IPs, and in that situation adding many IPs to .htaccess is not practical.
There are several ways to change the login URL, the simplest being a plugin. iThemes Security has an option named "Hide Backend" that moves the login page. Other plugins such as Rename wp-login.php and WPS Hide Login do the same. Remember that this is obscurity, not authentication: it removes most of the automated noise aimed at wp-login.php, but anyone who learns the new URL is back to square one, and it does nothing about xmlrpc.php, which still accepts password logins unless you disable it. Treat it as an addition to strong passwords and two-factor authentication, never a replacement.
6. Pick Well-Reputed Plugins
Plugins can also be the way vulnerabilities enter your site. Before installing one, check its rating, its number of active installs and, just as important, when it was last updated and whether it is tested with the current WordPress version. A high install count suggests the plugin works, but an abandoned plugin with many installs is exactly what attackers look for. For example, if three plugins from different developers change the login URL, prefer the one with more active installs, frequent updates and good reviews.
When you click a plugin's title, a box opens showing how many people rated it five stars and how many rated it lower. If you want to be extra careful, read the reviews and the support forum to learn other people's experience. Also remove any plugin you are not actually using: an inactive plugin still sits on disk, and its files can still be reached directly.
7. Secure WordPress Themes/Plugins
Some novice bloggers on a limited budget use cracked ("nulled") themes. Never use cracked themes or plugins.
Before installing a cracked theme, you should know:
- No support is available if anything goes wrong
- The developer releases updates regularly to fix bugs in the theme, but a cracked copy never receives them, which is a big advantage for attackers
- The person who cracked the theme often inserts a backdoor or hidden spam links into it; that is frequently the whole point of distributing it
WordPress.org offers thousands of free themes for websites and blogs. They are not as customizable as premium themes, but there is enough customization for a new blog, and they are far better than cracked copies: they are reviewed before being listed on WordPress.org and receive updates through your dashboard.
8. Never Use “admin” as Username
Using admin as your username is, in our view, the biggest mistake. In brute-force attacks the first username attackers try is the default admin, because it is the most common.
Some new bloggers think a strong password alone is enough, but that is not good practice. Your WordPress dashboard should have both a strong password and a username that is not a common word. Be aware that WordPress does not keep usernames secret (author archive URLs and the REST API can reveal them), so a unique username removes the easy guess but does not replace the password and two-factor authentication.
You can change the username in the database through your hosting control panel (phpMyAdmin in cPanel) or with a plugin such as Username Changer. Here you can read the article about how to change the username with and without installing a plugin.
9. Assign Appropriate Roles
If you are the only person who manages and operates the site, that's fine. But if you have a team, assign each user the role they need. Giving everyone administrator rights compromises your site's security: every administrator account is a full takeover waiting for one phished password. The built-in roles are Subscriber, Contributor, Author, Editor and Administrator; each has its limits except Administrator, which can do everything, including installing plugins and editing theme code.
In the WordPress sidebar go to Users > All Users. Here you can add new users and assign their roles. Assign roles carefully, especially for outsourced staff, and remove accounts when people leave.
If you want more information about roles and capabilities, read the article on WordPress.org.
10. WordPress Security Keys
This layer protects the login cookies, making it much harder for an attacker to forge a session. So what are cookies? Simply put, they are small pieces of data a website stores in the visitor's browser; WordPress uses one to remember that you are logged in. The security keys and salts are secret strings mixed into the hash that signs those cookies (and the nonces that protect forms). Without knowing them an attacker cannot forge a valid login cookie, and an attacker who has already stolen one loses it the moment the keys change.
WordPress.org provides a Secret Key Generator at https://api.wordpress.org/secret-key/1.1/salt/ ; the keys change every time you refresh the page, so pick a fresh set and copy all eight lines. Then add them to wp-config.php. (If WP-CLI is available on the server, wp config shuffle-salts does the same in one command.)
How to use WordPress Secret Key Generator to Improve Security
- Log in to your hosting control panel (cPanel).
- Open the File Manager and go to the WordPress installation directory (the folder that holds wp-admin, wp-content and wp-includes).
- Find the file named wp-config.php and edit it.
- Scroll down until you find the eight define() lines for AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT (on a fresh install they still read "put your unique phrase here").
- Paste the keys you copied from the generator in place of the old lines and save. That's all; every user, including you, is logged out and has to sign in again.
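As an added example (not code from the article or from WordPress itself), the script below does offline what the generator page does online: it draws eight 64-character keys from the operating system's random generator and swaps them into the define() lines of a wp-config.php, refusing to run if any of the eight lines is missing. weak_keys() also tells you whether a config still carries the sample placeholder. The character set is an assumption chosen to be safe inside PHP single quotes; the key names and the placeholder text are WordPress's own.

```python
import re
import secrets
import sys
from typing import Dict, List, Tuple

KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable ASCII minus the single quote and the backslash, so a key can sit inside a
# single-quoted PHP string without escaping (assumption: same idea as the WordPress.org
# generator, which also avoids those two characters).
ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
            "!@#$%^&*()-_ []{}<>~`+=,.;:/?|")

PLACEHOLDER = "put your unique phrase here"   # the value shipped in wp-config-sample.php

# Matches both define('AUTH_KEY', '...'); and the spaced define( 'AUTH_KEY', '...' ); style.
DEFINE_RE = re.compile(
    r"define\(\s*'(" + "|".join(KEY_NAMES) + r")'\s*,\s*'([^']*)'\s*\);"
)


def generate_key(length: int = 64) -> str:
    """One key from the OS CSPRNG; 64 characters matches what the WordPress.org generator emits."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def current_keys(config_text: str) -> Dict[str, str]:
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(config_text)}


def weak_keys(config_text: str) -> List[str]:
    """Keys that are missing, still the sample placeholder, or suspiciously short."""
    found = current_keys(config_text)
    return [name for name in KEY_NAMES
            if name not in found or found[name] == PLACEHOLDER or len(found[name]) < 32]


def rotate_salts(config_text: str) -> Tuple[str, Dict[str, str]]:
    """Return the config text with all eight values replaced by fresh keys, plus the new keys."""
    found = current_keys(config_text)
    missing = [name for name in KEY_NAMES if name not in found]
    if missing:
        raise ValueError("wp-config.php has no define() for: " + ", ".join(missing))
    new_keys = {name: generate_key() for name in KEY_NAMES}

    def replace(match: "re.Match") -> str:
        name = match.group(1)
        return "define('%s', '%s');" % (name, new_keys[name])

    return DEFINE_RE.sub(replace, config_text), new_keys


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "wp-config.php"
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    print("weak or placeholder keys:", weak_keys(text) or "none")
    rotated, _ = rotate_salts(text)
    with open(path + ".new", "w", encoding="utf-8") as fh:
        fh.write(rotated)      # review it, then move it into place; every session is invalidated
    print("wrote", path + ".new")
```

Run it against a copy of wp-config.php, inspect the .new file, then replace the original. Because the eight values also feed the nonces in admin forms, any form open in a browser at that moment fails once and has to be reloaded; that is expected, not a sign of trouble.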
11. Limit Login Attempts
As the name says, this method restricts the number of login attempts. Once it is active, a visitor who enters the wrong username or password too many times has their IP address blocked for a set period. This is very effective against brute-force attacks, where a bot tries username and password combinations until one works.
Some one-click installers offered by hosts ask during WordPress setup whether you want to enable Limit Login Attempts; the standard WordPress installer does not. If you didn't enable it there, simply install the WP Limit Login Attempts plugin, or turn on the equivalent option in iThemes Security or Wordfence. Two things to check with whichever you use: that it also counts attempts made through xmlrpc.php, where a single request can carry hundreds of password guesses, and that it reads the visitor's real IP correctly when the site sits behind CloudFlare, otherwise it will block CloudFlare's addresses and lock out everyone at once.
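To make clear what a limit-login plugin does, and where it can be fooled, here is an added Python model of the logic; it is not the code of WP Limit Login Attempts or of any other plugin. It counts failures per address over a sliding window, blocks the address for a fixed period once the limit is hit, and derives the visitor's address safely: proxy headers such as X-Forwarded-For are trusted only when the connection really comes from a listed proxy, because otherwise an attacker can forge a fresh address on every guess and never be locked out. The addresses, the trusted-proxy set and the password check are constructed for the demo.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, FrozenSet, Mapping


class ManualClock:
    """Controllable clock so the lockout logic can be exercised without really waiting."""

    def __init__(self, now: float = 0.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def client_ip(remote_addr: str, headers: Mapping[str, str],
              trusted_proxies: FrozenSet[str] = frozenset()) -> str:
    """Take the visitor address from proxy headers only if the request came from a trusted proxy.

    Anyone can send X-Forwarded-For; honouring it unconditionally lets an attacker pick a
    new fake address for every guess. Behind CloudFlare the trusted set would be CloudFlare's
    published ranges and the header to read is CF-Connecting-IP.
    """
    if remote_addr in trusted_proxies:
        forwarded = headers.get("CF-Connecting-IP") or headers.get("X-Forwarded-For", "")
        first = forwarded.split(",")[0].strip()
        if first:
            return first
    return remote_addr


class LoginLimiter:
    """Per-IP sliding-window failure counter with a temporary lockout."""

    def __init__(self, max_failures: int = 5, window: float = 600,
                 lockout: float = 1200, clock: Callable[[], float] = time.time) -> None:
        self.max_failures = max_failures
        self.window = window          # seconds over which failures are counted
        self.lockout = lockout        # seconds an address stays blocked
        self.clock = clock
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.locked_until: Dict[str, float] = {}

    def locked_for(self, ip: str) -> float:
        """Seconds of lockout remaining for this address, 0 if it may try again."""
        until = self.locked_until.get(ip)
        if until is None:
            return 0.0
        remaining = until - self.clock()
        if remaining <= 0:
            del self.locked_until[ip]
            return 0.0
        return remaining

    def attempt(self, ip: str, username: str, password: str,
                check_credentials: Callable[[str, str], bool]) -> str:
        """Return 'locked', 'ok' or 'denied'. A locked address is refused even with the right password."""
        if self.locked_for(ip) > 0:
            return "locked"
        if check_credentials(username, password):
            self.failures.pop(ip, None)   # a success clears the failure history
            return "ok"
        now = self.clock()
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()              # forget failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed credential check standing in for WordPress's own; never store passwords like this.
    users = {"editor": "correct horse battery staple"}
    limiter = LoginLimiter()
    for guess in ("123456", "password", "admin", "letmein", "qwerty"):
        print(guess, "->", limiter.attempt("198.51.100.7", "admin", guess,
                                           lambda u, p: users.get(u) == p))
```

Note the trade-off built into any IP lockout: five wrong guesses from your own office block you too, and an attacker who knows your address can lock you out on purpose, which is why the lockout is temporary and why two-factor authentication, not the lockout, is the real stop for password guessing.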
12. Security Checker
Scanning your site reveals security risks. Sucuri SiteCheck is a free tool that checks a site for spam, malware, blacklisting and firewall status and gives recommendations. Keep an eye on it and scan frequently, but understand its limit: it fetches your pages from outside, so it sees what a visitor sees and cannot find a backdoor that only waits for its owner.
Alongside the Sucuri scanner, enter your address at Google Safe Browsing; it reports whether Google has found malicious content on your site.
13. CloudFlare and SSL
CloudFlare not only improves your site's performance but also strengthens its security. There are free and premium plans; the free plan already gives DDoS protection and some other security layers.
They also offer an SSL certificate for free. SSL (TLS) encrypts traffic between the visitor and your site, which keeps login passwords and customer data such as credit card numbers from being read on the network. Google also treats sites served over HTTPS as more secure and gives them a small ranking boost. After switching, set the site address to https:// under Settings > General and force HTTPS for the admin area, so the login cookie never travels in the clear; and note that CloudFlare's "Flexible" SSL mode encrypts only the visitor-to-CloudFlare leg, so choose "Full (strict)" with a certificate installed on your own server.
14. Create Routine Backups
Create backups frequently. Many good web hosts include backups in their plans at no extra cost, but basic plans usually limit the number of backups and restores. We prefer to back up with more than one tool, so use your host's tool as well as a third-party plugin, and keep at least one copy off the server: a backup sitting next to the site is deleted or altered along with it when the server is compromised.
VaultPress, BackupBuddy and UpdraftPlus are great backup plugins. Unfortunately, VaultPress and BackupBuddy have no free tier, but UpdraftPlus offers free as well as premium versions that back up the whole site, which is great for people with little or no budget. With this plugin you can also schedule backups and set how many copies of each to retain; read the UpdraftPlus guide for the details. Wherever the backups go, test a restore once on a staging copy, because a backup you have never restored is only a hope.
15. Secure Web Hosting
Along with all the factors above, choosing secure hosting is imperative for WordPress security. Before buying a hosting account, check the company's security measures on its website, and if anything is unclear ask via live chat. On shared hosting many customers use the same server, and if one account is hacked there is a real chance the others are infected too, unless the host isolates accounts from one another.
In this regard we recommend SiteGround and InMotion Hosting. Both are solid and secure, and both keep their technology up to date. You can also read reviews to find trustworthy and reliable WordPress hosting providers.
Secure hosting features:
- Web application firewall
- RAID storage (this protects against a failed disk, not against a hack, so it does not replace backups)
- Malware detection
- Current software versions such as PHP, since an end-of-life PHP release no longer receives security fixes
- Spam prevention
- Daily backups
WordPress Security Compromised, Now What to Do – How to FIX?
The precautions above make your WordPress site much harder to break into. But keep a plan B: what do you do if someone breaks in anyway? First of all, don't panic and stay calm, because you can get your site back to the way it was before the hack. The precautions above, especially the backups, are what make that recovery possible.
Is My Site Hacked?
Here are the main indicators that you have been hacked:
- The Google search result for your site shows "This site may be hacked".
- Google blacklists your site; Sucuri SiteCheck shows the blacklist status.
- Browsers such as Google Chrome show a warning to visitors.
- Your hosting provider disables your account.
- Google Search Console sends you an alert.
- Your security scanner or plugin raises an alert, which is why we suggest scanning frequently to stay up to date on the site's status.
Other signs you can spot yourself: administrator accounts you did not create, pages or redirects you did not publish, theme or uploads files modified at times you were not working, and search results for your site full of pharmacy or gambling keywords.
Fixing Hacked WordPress Website
Change Passwords and Username
After an attack, first find out whether you still have access to the WordPress dashboard. If you do, immediately change the password (and the username, if it was admin), and change the hosting account login as well. Do this from a computer you trust: if the attacker got in through malware on your PC, a new password typed on the same machine is stolen again. Rotate the database password too (then update DB_PASSWORD in wp-config.php) and any FTP/SFTP credentials, since a backdoor on the server can read wp-config.php. Then check Users > All Users for accounts you did not create and delete them. Choose the strongest password you can, as described under Use Strong Passwords.
Change WordPress Secret Keys
This is the best time to change the secret keys (the WordPress salts); we described how above. Changing them logs out every user, including the attacker if they are holding a stolen login cookie, without changing any passwords. Do it after the passwords are changed, so the attacker cannot simply log back in.
Contact your Hosting Provider
Contact your hosting provider's support for help; this is why it matters how fast and friendly their support team is. The company has experts who deal with such situations, and they can not only get you out of it but also help recover the site. Some companies even keep a separate line for customers under attack.
A good hosting provider will respond promptly, because on shared hosting an affected account can affect others. The company will assist you and also point out the security hole that was used. Ask for the access logs around the time of the intrusion: they show which file or plugin the attacker came in through, and without that you cannot be sure the hole is closed.
Restoring a backup from before the hack can also get your site out of trouble. If you change and publish daily, back up daily; with weekly backups a restore means losing up to a week of work, so restore the most recent copy you are sure is clean. Make sure the backup really predates the intrusion, because a backup of an already-infected site restores the backdoor too. And after restoring, still close the hole the attacker used (update the vulnerable plugin, change the passwords), or the site will be hacked again the same way.
Moreover, if possible take backup creation into your own hands. At the end of the day, scan your website with the scanners mentioned above and then make a manual backup. We know this adds work, but the habit pays off when you suffer an attack; alternatively, pay for a daily backup service such as VaultPress.
Scan for Plugins and Theme
You can also remove malicious material by deleting unnecessary themes and plugins, then scanning the ones that remain. Use Sucuri or Exploit Scanner to find suspicious items; these plugins scan the database, comments, plugins and so on and let you take action. Typical findings are PHP files inside wp-content/uploads (which should contain only media), files modified recently that you did not touch, and code that feeds base64-encoded strings to eval().
Also scan the themes separately, since that is where attackers most often plant their code (functions.php of the active theme is a favourite). Theme Authenticity Checker is a free tool for finding suspicious code in themes; it reports the status and alerts you to fix the hack.
If possible, delete the plugins and themes and install fresh copies from WordPress.org, and replace the WordPress core files (everything except wp-content and wp-config.php) the same way. Yes, this removes customizations you made, but it is the only way to be sure no modified file is left behind; a scanner can only find what it already knows to look for.
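As an added example rather than the article's own tooling, the Python below is the kind of check the scanners above automate: it compares the current site files against a known-good copy (a fresh download of the same WordPress, theme and plugin versions, or your last clean backup) to find added, modified and removed files, flags any PHP file under wp-content/uploads, and greps changed PHP files for the constructs typical of injected backdoors. The pattern list is an assumed starting set, not a complete signature database, and the file trees used to test it are constructed.

```python
import hashlib
import re
import sys
from pathlib import Path
from typing import Dict, List

# Constructs common in injected PHP. Assumption: a starting list, not a complete signature set.
SUSPICIOUS = {
    "eval of decoded payload": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|stripslashes)\s*\("),
    "preg_replace /e (executes the replacement)": re.compile(
        rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),
    "shell or exec fed from the request": re.compile(
        rb"(?:system|passthru|shell_exec|exec|assert)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    "variable function called from the request": re.compile(
        rb"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)"),
    "long base64 blob": re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}"),
}

Tree = Dict[str, bytes]        # relative path -> file contents
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".php7")


def load_tree(root: Path) -> Tree:
    """Read every file under root, keyed by its path relative to root (forward slashes)."""
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


def sha256_manifest(tree: Tree) -> Dict[str, str]:
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}


def scan_content(data: bytes) -> List[str]:
    """Names of the suspicious patterns found in one file's contents."""
    return [name for name, pattern in SUSPICIOUS.items() if pattern.search(data)]


def audit(baseline: Tree, current: Tree) -> Dict[str, object]:
    """Diff the live tree against a known-good one and scan whatever changed."""
    base_hashes = sha256_manifest(baseline)
    cur_hashes = sha256_manifest(current)
    added = sorted(p for p in cur_hashes if p not in base_hashes)
    modified = sorted(p for p in cur_hashes
                      if p in base_hashes and cur_hashes[p] != base_hashes[p])
    removed = sorted(p for p in base_hashes if p not in cur_hashes)
    # The uploads folder should hold media only; executable PHP there is almost always a dropped shell.
    php_in_uploads = sorted(p for p in cur_hashes
                            if "/uploads/" in "/" + p and p.lower().endswith(PHP_SUFFIXES))
    suspicious = {}
    for path in added + modified:
        if path.lower().endswith(PHP_SUFFIXES):
            hits = scan_content(current[path])
            if hits:
                suspicious[path] = hits
    return {"added": added, "modified": modified, "removed": removed,
            "php_in_uploads": php_in_uploads, "suspicious": suspicious}


if __name__ == "__main__":
    clean, live = Path(sys.argv[1]), Path(sys.argv[2])
    report = audit(load_tree(clean), load_tree(live))
    for key in ("added", "modified", "removed", "php_in_uploads"):
        print(key + ":", *report[key], sep="\n  ")
    for path, hits in report["suspicious"].items():
        print("SUSPICIOUS", path, "->", ", ".join(hits))
```

Run it as python audit.py /path/to/clean-copy /path/to/live-site (the script name is a placeholder). A file that is modified but shows no pattern hits still needs a human look, and an attacker's code can be obfuscated beyond these patterns; that is why reinstalling from fresh copies is the safer end state.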
Keep an Eye on the Other Users
Consider every user account, especially people you hired online. Keep administrator rights in your own hands. If someone appears to have had a hand in the hack, don't waste time: remove the account, and also check that the attacker did not create extra administrator accounts for themselves.
We recommend that you always run the latest stable version of WordPress, your theme and your plugins, and tighten login security to avoid WordPress security threats. We hope this article helps you strengthen the security of your WordPress websites and blogs. Stay in touch with us to keep up to date.