Hardening your WordPress site
We are going to cover some basic steps to harden your WordPress site against attack. As WordPress is a very popular platform for website creation a number of security risks are quite well known and can be countered quite easily with minimal effort. You may already have some of the steps below already in place, and if you have all of them in place, great! It means you are taking steps to ensure the security of your site and its contents.
Update your plugins – check them on a regular basis
It is vital to keep your site themes and plugins up to date. Bugs and flaws are found in them all the time and updates get released to fix these issues. If you leave your plugins out of date, you are missing these sometimes-vital updates. It is recommended only to use trusted plugins and themes as these are from reputable sources that continue to support and develop their software.
Complex and smart user passwords – a simple one, but easy to get wrong
Nowadays password generators are easy to come across and can be set to create random passwords of various complexity. As a rule of thumb, if it is a non-Linux login, I recommend at least a 12-character password with numbers, letters and special characters. Add a password rotation at some point between every month and every few months and you dramatically decrease the chances of one of your passwords getting broken.
Another recommendation is to change your login names. Things like ‘root’ ‘admin’ ‘person’s name’ are the first that get attempted in a brute force login attempt, changing the user name to something not easily guessed is one of the best ways to harden your security.
Around 8% of all WordPress hacks are caused by weak passwords/usernames
Security plugins – lots are available
There are several highly recommended security plugins for WordPress which are designed to integrate directly into the WP control panel and provide features such as software firewalls, brute force protection and the ability to scan files for malware. Not all these plugins are free but it is recommended using one to at least monitor and log information for invalid login attempts and possible spam attacks.
Backups – more of a ‘worst case’ preparation
Do you keep a running backup of your site? This can be done by something as simple as making a local FTP copy of your site on your PC, or as complicated as using a dedicated backup agent that stores everything in the cloud. Having a backup of your site saved locally can help in the event of a hack or exploit as it will let you recover your site back to a previously saved point. In the worst-case scenario, you can use the backed-up files to start again on a fresh install of WordPress.
Change the wp-admin login page
This again, is a quite simple change to make but will stop lots of future attacks. By default, WordPress gives your site an admin login page at www.SITEURL.co.uk/wp-admin.php
Most security plugins for WordPress include the option to change the login URL but there are also many plugins that can do this for you as well. A free plugin is WPS Hide Login, a great tool that lets you hide the admin login page. Feel free to change the URL to anything you want and once this is done expect to see the number of failed login attempts to your site drop off but a large margin.
Limit login attempts
If you still see high numbers of access attempts, you can add in a limit to the number of failed login attempts. This can be again done with security plugins or standalone plugins such as fail2ban, a guide for which can be found elsewhere in the DCP Knowledge Base.
2FA – a bit more effort, for a lot more security
2 Factor authentication is a good idea to help secure your logins even more than a complex password. Again, there are several plugins which tie into freely available authenticators such as the Google one to generate a secure code which is needed on each login attempt. This adds a bit of time to each login and a bit more work for the user but is a very good way to prevent unwanted site access.
Secure your wp-config.php file – also covering xmlrpc.php
If you use the .htaccess file for your site add this to the top of the file to prevent anyone coming across the config file:
deny from all
This file is very important and should always be the first thing you add to protect your site. Whilst in the .htaccess file you can also add a few lines at the end to block common xmlrpc.php exploit attacks. This is worth doing for every site you have, and if access is needed to the file you can un-comment out the ‘Allow from’ variable and add specific IP addresses that can access and edit the smlrpc.php config file.
# Block WordPress xmlrpc.php attacks
deny from all
# allow from XX.XX.XX.XX
There are other ways in which to add more security such as SQL hardening, SSL, robot.txt files etc and these will be covered in a more detailed security guide at a later date.