The Ultimate Guide to Harden WordPress Security

0
Harden WordPress Security

WordPress is continuously growing and becomes a very popular CMS. As much as it became popular, hackers also taking a keen interest in breaking its security. Security in WordPress is considered as most sensitive and essential issue.

Website owners do their best to make their site successful. They work hard to protect their site from hackers. No doubt, having your site attacked is most disappointing things that can happen to an entrepreneur. At such instance, you look for host support. But they are not always readily available.

To make it not to get attacked, you must provide continues security to your site. Because it is always better safe than sorry.

Providing security to your site means reducing the chances of being attacked. It is a continuous process that you should manage. It’s all about utilizing the proper security controls that best help address the dangers and dangers as they relate to your site.

Security mainly involves three factors: people, process, and technology. Each factor works in synchronous harmony with each other. Without the people, and their processes, the technology itself would be useless.

In this guide, I will provide you basic security concepts that will help you to harden WordPress security.

Web Hosting:

To drive any website, you need to own a self web-host to have a wide range of options. Choosing web hosting comes in varieties- managed hosting, shared hosting, VPS hosting, etc. Each host handles security disparately.

Some of them provide:

With hosting option, the site owner is also responsible for securing the areas that he/she want to have control over and for changes made.

Security Concepts:

Harden WordPress security is the super important step for keeping your digital empire safe. The main aim of this guide to provide some basic security concepts that you shouldn’t skip. Here are some security concepts that you should aware of. They are as follows:

  • Working Environment
  • Deep Defence
  • Least Privilege Principle
  • Web Server Security
  • Database Security
  • FTP or SFTP
  • Other Security Controls

Working Environment:

Workplace safety should never be taken lightly with any business. Due to the sensitivity and regulations associated with our data, it is essential to protect it and lower the security incidents.

While securing Working Environment, keep these factors in mind:

  • Use updated version of your local computer, browser, and routers.
  • Always use anti-virus to protect from spyware, malware, and virus infections.
  • Use VPN while moving in public places and using public hotspots to encrypt your online communications.

Deep Defence:

This concept promotes the use of every single security approach on every layer. It involves using a firewall at very basic to avoid external attacks, using security scanner to find threats in events, authentication control to prevent from unauthorized access. Keep this in mind, every security aspects are designed to directly fix the bugs, threats, and attacks.

Least Privilege Principle:

If you are allowing multiple editors and authors to access the site, make sure you are allowing them with only limited resources that are essential.

The principle basically based on this idea: all user accounts at all times should run with as few privileges as possible. It’s all about giving limited access to users they require.

It provides:

  • Better System Stability
  • Better security
  • Ease of deployment
  • Protection of data and functionality from faults and malicious behavior

Web Server Security:

Web server configuration plays a critical role in your Web application’s security. A small mistake can make lots of problems to face. The term involves the protection of information assets that can be accessed from a Web server.

Sometimes a web server and the software it consists might have vulnerabilities. While managing your host, always install security updates to the operating system, web server, PHP and any applications.

Generally, Secure Sockets Layer (SSL) certificate is used to carry out Web server security. If you don’t have SSL on your site, you can setup CloudFlare flexible SSL on your website.

Database Security:

The database is the backbone of any site or blog. It holds overall data of the site. Yet they are complex and an administrator does not always know the implications of not ensuring database security.

Not ensuring database security may invite hackers to get in and out of a database with a goldmine of data. The risks involved with databases vary depending on the type of information and the amount of importance it holds.

So, staying secure is essential to prevent embarrassing and costly incidents. Database security involves using the terms that protect databases against compromises of their confidentiality, integrity, and availability.

It involves encryption while data transmission, defining user access control system, etc.

Providing Database Security:

  • Use parameterize queries to keep malicious queries out of your database and prevent from SQLi injects.
  • Keep features and services only that are essential.
  • Keep your databases up to date. Remove any unknown components, and enforcing least privilege parameters to ensure the confidentiality, integrity, and availability of your databases.
  • Use UPS to make sure any forced shutdown doesn’t cause data loss.
  • Keep your database clean. Use Advanced database cleaner to clean and optimize the database.

FTP or SFTP:

FTP is an abbreviation for File transfer protocol. The protocol is being used to transfer files between computers on a network. FTP is a popular method of transferring files between two remote systems.

Many experts suggest, instead of using FTP, you must use SFTP. SFTP stands for SSH File Transfer Protocol or Secure File Transfer Protocol. Originally, it is a separate protocol packaged with SSH that works in a similar way over a secure connection.

SFTP is preferable to FTP because of its underlying security features and ability to piggy-back on an SSH connection. It also involves many graphical tools.

Other Security Controls:

Consistently growing hacking attacks are a serious concern for bloggers. So, staying alerted and maintaining security helps you protect reputation. It also offers your best service to the visitors.

Create Unique Username and long tail passwords:

WordPress gives common username ‘admin’ during installation, you can either create a new account with administrative access and drop the old account or change the username from the database.

WordPress has common admin URL is ‘wp-admin’ that hackers can easily find. But for security concerns, change this URL or you can password protect admin directory.

By doing this, hackers won’t get the login URL. This reduces the chances of being attacked.

Similarly, short and simple passwords are easy to remember. Using strong and long tail passwords can slow or often defeat the various attack methods.

Protect WordPress Configuration wp-config.php File:

Wp-config.php is the most important file that located in your WordPress root directory. It comprises overall important information like database name and passwords. Thus, it is essential to protect this file to provide tight security to your WordPress blog/site.

Read the process of securing a wp-config.php file.

Always stay up-to-date:

Hackers can easily identify an old version and they don’t lose this golden opportunity. Keeping everything up-to-date ensures that your WordPress sites are secure against potential attacks.

It also involves updating the latest version of themes, plugins, web applications, etc.

Maintain Regular Backups:

With a proper backup, you can drive a blog/site with restored data. To ease this task, WordPress provides you free plugins that will easily backup and restore your entire websites in case of any problem.

Use Security Plugins:

Protecting your site from attacks or vulnerabilities keeps your site at a better position on search engine. In its plugins store, likewise other plugins, WordPress provides security plugins too. These popular plugins help you to reduce the threats or vulnerabilities and secure your site.

Two-Factor Authentication:

Two-factor authentication is nothing but the two-step verification process. It provides an extra security layer and stops gaining hacker access to user’s account.

The most common types of attacks are Brute-force attack. In this attack, hackers try many combinations of usernames and passwords multiple times, until it gets in.

Two-factor authentication secures your website by requiring a password to log in and a unique code sent to your mobile.

WordPress provides the two factor authentication plugins.

If you are using JetPack, I recommend using Single Sign On feature. It uses authentication part of WordPress.

Files and Directory Permissions:

To enable certain functions, WordPress may need access to write files in your wp-content directory. To do so, you need to specify files and directories with who and what can read, write, modify and access them.

Permissions changes host to host. These variations include changing them to be more restrictive.

The default permission scheme should be:

Folders – 755
Files – 644

For security concerns, avoid having any file or directory set to 777.

If you want to change the permissions, you need to give following commands:

For files:

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

For Directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

I recommend doing this by using FTP/SFTP.

Disable File Editing:

WordPress mostly recommend disabling file editing within the WordPress dashboard. Do this by adding following lines of code in Wp-config:

## Disable File Editing in WordPress Dashboard
define('DISALLOW_FILE_EDIT', true);

WP-Includes:

If you don’t want any scripts to be accessed by any user, you can block them by using mod_rewrite in the .htaccess file.

Add following code outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# BEGIN WordPress

Wp-Content/Upload:

This is the directory where all files are uploaded separately. Thus, it is must to avoid PHP execution here. To do so, add following lines of code in .htaccess at the root of /UPLOADS.

# Kill PHP Execution
<Files *.php>
deny from

Check indexing status and optimize visibility:

You can check your site status including indexing and optimization by using free services like Google search console, Bing Webmaster tool.

These tools are also known for reputation monitor tools.

So, these are some basic tips to security fundamentals that will surely help you to harden WordPress security and what action you should take next so. Did I miss something? let me know in the comments.