WordPress security: the ultimate guide of best practices to follow
In 2021, securing your WordPress site and protecting your users should no longer be an after-thought. Attacks can vary, from comments section spam, to capturing sensitive information and everything in between. But ensuring your site's security can be daunting if you haven’t delved into it before. For this reason, we’ve created an ultimate guide, providing you with actionable best practices to reduce WordPress security vulnerabilities.
How to use this WordPress security guide
The guide is split into two sections: site level best practices and server level best practices. Throughout our recommendations, we’ve linked to helpful resources so you have everything you need to get started. In most cases there is a plugin that can provide additional functionality, but where possible we’ve linked to resources that detail how to commit changes manually. This method can be more efficient, so you don't have to rely on plugins which may reduce your site's performance. Ultimately, the more best practices you follow, the safer your site and its users will be.
So here's what you can expect from this guide:
- Is WordPress secure?
- Why is WordPress security important?
- How to improve your WordPress site’s security
- Site level security best practices
- Server level security best practices
- Stay on top of your site security
Is WordPress secure?
Wordpress is an incredibly popular CMS. According to w3Techs, WordPress is the CMS of choice for 39.7% of all websites. That’s a lot of websites to keep safe, and like all other popular CMS’, WordPress is secure. Unfortunately, WordPress has recently had a bad rap for bad site security, but they do a lot to protect what they are in control of. For example, they have a team of 50 security experts, who rapidly roll out security fixes when a vulnerability is exposed. WordPress states that the team also “consults with well-known and trusted security researchers and hosting companies”.
But it’s not just the security team who are involved; The WordPress community also plays a part in helping the security team monitor and flag issues. If you have a WordPress site, you can trust that there are a large number of people working on keeping it secure at all times.
So why has WordPress been branded as insecure? WordPress is an open source CMS, which means anyone can pick up the code and modify it. This is great if you want the flexibility to create a bespoke website for your business, but it comes at a cost. The open source framework means WordPress themselves have less control over the CMS, with a large portion of responsibility sitting on the site owner’s shoulders. In a 2018 report, Sucuri detailed that some of the common issues which lead to vulnerabilities are “a lack of security knowledge or resources” and “security configuration issues”. Although many people are wary of using WordPress, as the site owner you have a lot more control than you might think. Implementing best security practices and arming yourself with knowledge is the best weapon against cyber-attacks.
Why is WordPress security important?
From plugin attacks to malicious redirects, WordPress security vulnerabilities can lead to disastrous consequences for your business. There are a variety of methods hackers can use to gain access to your site’s admin or take your site down. For example, brute force attacks, where hackers try to gain access to the admin, configuration files or other password protected areas by guessing as many username/password combinations as they can. There are different types of brute force attacks, but the point is the same: gain access. You could also be vulnerable to DDoS (Distributed Denial of Service) attacks, where hackers overwhelm your server by sending more traffic to your site than it can cope with. The point is to take your site down so no legitimate users can visit it, which can also lead to extortion in rare cases.
These are just two broad examples of attacks but the list goes on. When it comes to the security of WordPress sites, best practices aren’t a nice-to-have, they’re a necessity. In order to protect your site, users and stored sensitive information, staying on top of WordPress security maintenance is vital.
How to improve your WordPress site’s security
Keeping your WordPress site secure isn’t as hard as you may think. The beauty of WordPress is how user-friendly is, with plugins that provide protection and settings that can be changed to improve security. But don’t wait until it’s too late before implementing these changes. Once you’ve got best practices in place, you’ll only need to undergo periodic checks to make sure everything is working as expected. So let's get into it!
Site level security best practices:
The WordPress security team regularly maintains and improves the WordPress core through minor updates. Whilst these smaller updates and patches are usually automatically installed, major updates require manual installation. It may not seem urgent, but if a new update requires installation, make sure you prioritise it. The importance of updating to the latest WordPress version was demonstrated by Reuters in 2012, who were hacked because they were using an outdated version.
Equally, it’s not just your site that needs updating; leaving your plugins and themes on older versions can make your site vulnerable too. Updates provide much-needed improvements to functionality and security, so make sure they're implemented to help keep your site and its users safe.
TIP: Be sure to backup your site before any major updates in case any functionality or elements break. Being able to restore the pre-updated version will give your team time to look into the issue and find a fix as soon as possible.
WordPress security vulnerabilities aren’t just code related, they can happen because of something as simple as a user’s permission level. The best approach is to take on the ‘Least Privileged administrative model’ - a simple principle where permissions are only granted to people when needed, at a specific time, for a set time. For example, you may have a team member who has round the clock site access, but barely enters the site's back end. Using the least privileged administrative model, you could remove their permissions and only provide access at a) the level they need, b) when they need it, and c) for the duration they need it. This gives you more control over who is accessing your site and when. Fewer users having access means a decreased risk of protected details or accounts being breached.
Change your defaults
When your WordPress site first went live, you would have been aware of the default settings connected to the back end. Your default username would (and might still) be ‘admin’, with the default WordPress login URL www.domainname.com/wp-admin. Although keeping the default settings may be easier in the short term, hackers know these standard settings and can use that knowledge to their advantage. If someone is looking to conduct a brute force attack, they already know the site’s admin login page and your username. In that instance, there’s only one more piece of information to crack: the password.
Use the ‘security through obscurity’ approach and change your default admin username and login URL. To change the default username, you can either go to your hosting account and follow a few simple steps, or go to your WordPress admin and change the username from there. To change your default login URL, you can do so in the WordPress admin with a few clicks. As you can see, these small changes take minimal effort and time, but they have a large impact on securing your site and making attacker’s attempts a lot harder.
WordPress security plugins
There are many WordPress security plugins which are trusted and relied upon by thousands of site owners. The advantage of these plugins is that they usually have a multi-pronged approach to keeping your site secure. With so much functionality on offer, it can be hard to know if your plugin of choice does what it needs to do or if it’s missing key capabilities. To help you choose the most comprehensive option, we’ve detailed some of the most important features to look out for:
- Two factor authentication - a secondary process is put in place for users attempting to log into protected areas of the site e.g a code is sent to a specific email which is inputted on the login page to gain access.
- Automatic logout - once a user’s session is idle after a predetermined amount of time, their session will be terminated and they’ll be logged out. This process can be executed manually, however plugins may be better suited due to their additional controls and features.
- Malware scanning - malware often goes unnoticed until it’s too late due to vulnerabilities being exploited behind the scenes. Subtle changes, such as a drop in traffic or out-of-the-blue performance issues, can signal malware. With malware scanning, you can rely on your plugin of choice to flag any suspicious behaviour.
- Secure password generator
- Forced password expiry - rather than sending a company-wide email prompting everyone to change their passwords, you can use a plugin feature which forces password expiry. Site users will then be required to set up a new password. You’ll also have the ability to set the intervals e.g every 3 months.
- WAF (Website Application Firewall) - a WordPress firewall will interact with your server to monitor, filter and block traffic from a web service. Enabling a WAF means your site will be safe from DDoS attacks and malicious traffic. You don’t need to integrate your WAF with a plugin, as it can be done on a server level, but it can be a more user-friendly way to get it done.
- IP whitelisting - you can implement IP whitelisting through WordPress security plugins or on a server-level, but like most of these security practices, the latter requires dedicated expertise. With IP whitelisting, you add the IP addresses of users who will be granted access to a protected area of your site. Anyone whose IP isn’t on the list will be automatically blocked from entering. This means unauthorised users, hosts or servers will be prevented from gaining access to protected areas, such as your site’s admin.
TIP: Always remember to do your research on plugins prior to download and check their reviews.
Limit login attempts
WordPress’ has unlimited login attempts as the default, so it’s wise to put a cap on how many times someone can try to login to your site admin; not having restrictions on login attempts could make your site vulnerable to brute force attacks. Limiting login attempts means users only have a few tries to get their username/password combination right before they’ll be blocked from attempting to login. By manually capping login attempts, you can effectively protect your site’s admin.
When you visit a site, cookies are stored on your device/desktop which log your IP address. With this IP address stored, your movements can be attributed to you as a user and tracked. In the same vein when you log into your site admin, cookies are also stored which keep you logged in and track changes back to your user. If your site was breached and a hacker got hold of this information from the stored cookies, they could capture site-specific usernames and passwords through your user; security keys encrypt that information, so if a hacker ever got hold of it, it wouldn’t be displayed in plain text. WordPress automatically generates four security keys, however, we’d suggest generating new ones for additional protection. You can download a plugin which provides this functionality and implements it for you.
XML-RPC is a way for third party systems to communicate with WordPress. It used to serve a valuable function, allowing users to remotely connect to their site and make changes away from a desktop, for example; nowadays this is all handled through WordPress’ API. The issue with XML-RPC is it gives attackers a means to gain access to your site through brute force or DDoS attacks. The risk is easily mitigated by downloading a trusted plugin which will disable XML-RPC. Equally, you can bypass a plugin and do this through .htaccess by adding a snippet of code. GetAstra has outlined the five steps to disable XML-RPC manually for you. Once it’s done, you won’t have to worry about it again!
Spam might not sound like the most threatening of attacks. However, an influx of spam can harm your rankings, user’s experience and lead to your site being infected with malware. An effective way to secure your site against spam is to install reCAPTCHA on all forms, inclusive of comments and contact forms. You should also consider changing comment settings in your admin’s ‘Comment’ section so that any new comments must be reviewed first before they’re published. This will give you ultimate control over who’s posting on your site, whilst also minimising and filtering out spam with reCAPTCHA.
Back end administration
There are many working parts to back end administration that impact how robust, or weak, your site's security is. The best way to check whether these parts are as secure as they should be, is to create a process for it. Carve time out once a month to review each security element of your site’s back end. Ultimately, the effectiveness of these administrative tasks is in their regular review, so prioritise them when they’re due to be completed.
Server level security best practices:
You could have every protective measure in place on a site level, but if your hosting isn’t secure, it’s only a matter of time before disaster strikes. When it comes to hosting security, your provider should have proactive measures in place to minimise vulnerabilities. When choosing a provider or evaluating your current one, there are a few key areas and questions you should review from a security standpoint:
- Are regular backups included in your hosting plan?
- Are these automated or will you have to manually do them? The preferential option is automation to try and eliminate human error (and forgetfulness) from the equation.
- What is being backed up: is it purely database-related or will elements like theme changes be backed up too?
- What are their processes for recovery of backups?
- Is there malware scanning, and how regularly do these scans occur?
- What’s being done to protect websites on the server?
- Are there server-level firewalls?
- Does the package come with DDoS protection?
- What’s their protocol if an attack should happen?
- Will you receive immediate support?
- Is there an add-on option to get an SSL (Secure Sockets Layer) certificate?
- Does the provider use the most up-to-date operating system and security software?
Always read reviews on your short-listed hosting providers, check they have a physical business address and a named owner, and ask as many questions as you need. Your hosting environment will need to look after your site, its users and their data, so do your research before signing on the dotted line.
Disable file editing
If your site gets hacked, an attacker will likely head for the php files where they can change configurations and execute malicious code. Disabling file editing will prevent anyone from making changes to files within the back end. It’s a quick change to make that only requires adding one line of code to your wp-config.php file. WPShout has a simple tutorial on how to do it, but if you’re unsure, involve an experienced developer or agency to make the changes.
Protect the wp-config.php file
Your site’s wp-config.php file is incredibly valuable to attackers. It contains all the information about the configuration of your site, including sensitive information about your database such as usernames, passwords and more. By default, the wp-config.php file is stored in the root level directory. This directory can be shared through the web server, which means your site’s configuration, inclusive of sensitive database information, could be captured during an attack. You can increase this file’s protection by simply moving it. CGS Computers has a step-by-step guide for moving the file to a non-public folder, but if in doubt, call in experienced developers to make sure the move is completed safely.
Similarly, adding file permissions will give you additional control. In the event of an attack, locked down permissions will mean attackers won’t be able to read, write or execute anything within the file. This ensures the wp-config.php file and the information it holds will be less likely to be exploited. Malcare has created a complete guide on permissions and how to manually change them, so you can confidently protect your wp-config.php file.
Password protect wp-admin
Implementing server level protection on your login and admin pages is crucial. It provides control from a central place above your site, so if any attacks are happening on the ground, you can rest assured your server has got you covered. You can enable password protection for your admin and login pages through the cPanel within your hosting account. There should be a Files section, where you can then amend the privacy controls, but if you’re unsure where to look, contact your hosting provider for specific information.
Backup your site
In the event your site was attacked, backed up versions would be your saving grace. If all your site files were deleted or spam scripts injected into your site’s code, you’ll have the power to revert to a previous backup and restore your settings. After deleting the hacked version, your backed up site should allow you time to pin-point and handle the initial breach. For details on how to manually backup your site, Skillcrush have created an in-depth guide on backing up without a plugin.
Remember to save your backup off-site so that you can always access it from a secure place that isn’t connected to your site or server. Similarly, make sure you back up your backups and accurately time stamp them. Your secondary backup should either be saved to a separate file location or to an external hard drive, so you always have a copy ready to go, either physically or digitally.
The frequency of site-backups is contested, some say it should be done daily, some say it’s relative to how much you update your site. The frequency you decide on is up to you, but as a guide: If your site got attacked tomorrow, would you be comfortable restoring the most recent backed up version? If you can restore your site to the most up to date version, then you’re on the right track.
TIP: Once you’ve backed up your site, don’t forget to test it. Don’t wait until it’s too late to find out whether your backups have worked or not!
SSL encrypts the data that’s being transferred between your site’s users and your web server. It accommodates a secure connection so attackers can’t infiltrate the connection. This means that any sensitive information provided by your site user’s such as login information, banking details or addresses will be protected from hackers through encryption. Without SSL, attackers could obtain this information as plain text. Most hosting providers offer SSL as an add-on, and whilst it may cost more, it’s now an industry-standard security protocol, so be sure to enable it as soon as you can. Without SSL, you’re also likely to experience decreased rankings on Search Engine Result Pages (SERPs). Search engines view sites without SSL as less trustworthy and more vulnerable to security breaches - not the ideal destination to be pointing their users to!
Hotlinking is where the URL of an image on your site is copied and used on another website. Rather than downloading the image and using their own server to load it, the other website owner is using your server bandwidth instead. In essence, you’ll be paying for someone else to serve your images on their site. But not only that, it may also impact the performance of your site. Your server may not have enough bandwidth to load your site’s content and someone else’s, leading to slow site speeds.
There are various ways to prevent hotlinking, but thankfully they’re all incredibly simple. The easiest of all the methods is to disable right-clicking on your images by going to 'WP Security' in the admin, clicking on 'Miscellaneous'. and then enabling copy protection. Equally, many of the WordPress security plugins we previously talked about have hotlinking protection. If you’d like to do it manually through your server, ShoutMeLoud provides the answer with three alternative methods to prevent hotlinking on your site.
Stay on top of your site security
The list of WordPress security best practices is comprehensive, but implementing our recommendations will save you hassle in the long run. Securing your site is a vital element to protect and maintain your digital presence, but it doesn’t have to be a company-wide endeavour. As a business, it may prove beneficial to get in touch with a reputable agency who can do a site security audit and implement recommendations. At Versantus, we build and manage a large portfolio of sites and solutions for businesses, so we know how important digital security is.
If you’d like support with implementing your site's security, or you’re looking for guidance on where to start, get in touch with our experienced team who’ll be happy to help. Once your security best practices are set up, regular maintenance is the only thing left to do!