This article is part of a series created in partnership with SiteGround. Thank you for supporting the partners who make SitePoint possible.
Hackers. Vulnerabilities. Brute-force. Malware. Denial of service. Man-in-the-middle. Phishing. All scary words. We live in a dangerous online world!
Has your site been hacked? Mine has, and we’re not alone. In 2012 more than 70% of WordPress sites were vulnerable to attack, and not much has changed since. What have you done to ensure your WordPress site is secure?
In this article we’ve pulled together security tips from previous SitePoint articles, our own experience, and from around the web, and organized them in a way I hope you find useful and understandable. And most importantly, easy to act on.
All-in-one WordPress security plugins are useful (and we’ll be covering them in our next article), but security requires more than just installing a plugin and walking away. It requires a careful strategy and constant vigilance. Be proactive, not reactive. In other words, don’t assume your site is safe—work out a security plan before you are hacked!
That being said, there is no such thing as 100% security. What you can achieve is risk reduction, and find the balance (for you) between security and convenience.
“Security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. What security is though is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target, subsequently getting hacked.” — codex.wordpress.org
Where should you focus your attention? In an article last year, WP White Security reported the following statistics about hacked websites:
That’s where the holes are in your defence. Keep that in mind while you’re creating your security strategy.
OK. With all that in mind, here are 40 ways you can keep your WordPress site secure. Choose the ones that make sense for you and your site.
The latest version of WordPress is most likely more secure than the last one, and has fewer vulnerabilities. So keep it up to date—it’s a one-click operation. Make sure you back up your site first!
WordPress updates rarely cause problems, but if you like to be careful, update it on a test server first. Or, if you’d just like WordPress to auto-update itself, apply the following code to your wp-config.php file:
# Enable all core updates, including minor and major:
define( 'WP_AUTO_UPDATE_CORE', true );
If you don’t want to manually update your WordPress, consider a hosting provider like our partner SiteGround, which has a special auto-update tool available on all plans.
Make sure you make regular backups of your WordPress site. A backup of WordPress data and files can play a crucial role in an emergency. If all else fails, you won’t have to start from scratch!
Schedule your backups so you won’t forget them, and do a test restore from time to time.
Further reading:
Enable SSL to secure your WordPress site. A Secure Sockets Layer encrypts all information sent to and from your site, keeping it private and preventing man-in-the-middle attacks where a third party listens in or modifies the communication between the client and the server. As a bonus it can also boost your Google PageRank.
The address of an SSL-certified site will start with an HTTPS, while a site that’s not SSL certified will begin with HTTP. It’s best to activate HTTPS before installing WordPress, but it’s possible to update your WordPress settings if you add it later. Hosting providers like SiteGround offer free SSL certificates.
Further reading:
Lock down wp-config.php—it’s one single location that contains a wealth of critical data regarding your database, username, and password. Only you should have access.
To deny access to this file, add the code below at the top of your .htaccess file:
<files wp-config.php>
order allow,deny
deny from all
</files>
Move the wp-config.php file into the folder above your WordPress installation. This will make it inaccessible to anyone using a browser, meaning a cracker has less chance of locating it.
Further reading:
Some versions of WordPress have known vulnerabilities. Someone familiar with those vulnerabilities can discover which version you’re using because it’s shown in the HTML head of every page.
Remove that information by adding the following line to your theme’s functions.php file:
remove_action( 'wp_head', 'wp_generator' );
You should also remove the readme.html file, which also contains the WordPress version number.
Someone will only try to hack WordPress if they know you’re using it. So keep it a secret! Remove all references to WordPress from your theme files.
Find and delete the references in header.php that look like this:
<meta name="generator" content="WordPress" />
Hackers can use error messages to their advantage. For example, an error from a theme or plugin might display your server path.
To disable error reporting, add the following code to your wp-config.php file:
error_reporting( 0 );
@ini_set( 'display_errors', 0 );
When you install WordPress, four secret keys are written to your wp-config.php file. They improve encryption of information stored in the user’s cookies and make it harder to crack your password.
Use WordPress’ Secret Code Generator to get some new keys, and copy them into your wp-config.php file.
51% of hacked sites are because of security issues with themes and plugins. Give special consideration to this section!
Don’t just update WordPress; make sure your themes and plugins are also up to date. Each one is a potential back door to your site, and each new version is likely to have fewer vulnerabilities.
If there are security vulnerabilities found in a theme or plugin, you’d like it addressed as quickly as possible. That won’t happen with a theme or plugin that’s no longer maintained. Whenever possible, make sure the themes and plugins you use are actively maintained.
Further reading:
If every theme and plugin is a potential back door, reduce the risk as much as possible. If you’re not using it, remove it. Deactivating plugins isn’t enough—click “Delete”!
Restrict access to your WordPress plugins directory: www.your-domain.com/wp-content/plugins/. Otherwise, someone browsing the folder can see which plugins you’re using and explore them for potential vulnerabilities.
Deny access by uploading a blank index.html file to the directory. Alternatively, add the following line at the start of the .htaccess file in your root folder:
Options -Indexes
There’s a built-in plugin and theme editor on the WordPress dashboard. This editor can be used to bring down your entire site if one of your user accounts is hacked.
If you don’t regularly use the editor, it’s best to disable it. Insert the following into your wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
8% of hacked sites are caused by weak passwords. Here are some techniques to improve the security of your login procedures.
Avoid using the default admin username, or obvious names like ‘administrator’, the name of your site, or your own name. They’re too easy to guess, and a hacked admin account is more dangerous than an author account.
Choose an appropriate admin username when you’re setting up WordPress. If your site is already using “admin”, create a new admin user and then delete the old one, or alternatively use a plugin like Username Changer.
Choose a complex password comprised of letters, numbers and characters. Here are some hints:
Here are some tools that can generate a secure password for you:
Finally, make sure you don’t use the same password as you use elsewhere. All passwords should be unique.
It’s no good if you use a strong password, but the rest of the team aren’t so diligent. You don’t want any weak links in the chain.
You can ensure everyone uses a strong password by using a plugin like Force Strong Passwords.
The longer you use the same password, the more time you give hackers to crack it. Shorten the window of opportunity!
Change your password at least a few times a year. And encourage your other users to do the same.
Two-factor authentication (2FA) increases security when logging in by requiring a unique code in addition to a username and password. The code is generated for one-time use by an app, or sent to a device/smartphone via SMS.
Further reading:
Give hackers less opportunity to guess your password, and protect your site from brute-force attacks, by limiting the number of login attempts that are possible. This automatically blocks the login screen after a configurable number of tries, and informs the administrator by email.
You can limit login attempts by using one of these plugins:
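To show what such a plugin does under the hood, here is an added example (not code from this article or from any plugin it names) that implements the behaviour described above with core WordPress hooks. The hook names and helpers are real WordPress APIs; the function names, the SP_ prefix and the 5-attempts/15-minute policy are assumptions.

```php
<?php
// Added example for this article, not code from the original page or from any
// plugin it names: a minimal login-attempt limiter for a theme's functions.php
// or a small plugin. Assumes WordPress is loaded; the hooks and helpers used
// (wp_login_failed, authenticate, wp_login, transients, wp_mail) are core APIs.
// Assumed policy: 5 failed attempts from one address within 15 minutes lock
// that address out for 15 minutes and e-mail the administrator once.

define( 'SP_LOGIN_MAX_ATTEMPTS', 5 );
define( 'SP_LOGIN_WINDOW', 15 * MINUTE_IN_SECONDS );

// Counter key per client address. REMOTE_ADDR is the address the web server
// saw; behind a reverse proxy you would use the proxy's forwarded-for header
// instead, and only if you trust that proxy to set it.
function sp_login_attempt_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'sp_login_failed_' . md5( $ip );
}

// WordPress fires wp_login_failed with the submitted username on every
// unsuccessful login; count it in a transient that expires with the window.
function sp_record_failed_login( $username ) {
    $key      = sp_login_attempt_key();
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, SP_LOGIN_WINDOW );

    // Notify the administrator exactly once, when the threshold is reached.
    if ( SP_LOGIN_MAX_ATTEMPTS === $attempts ) {
        wp_mail(
            get_option( 'admin_email' ),
            sprintf( '[%s] Login locked after repeated failures', get_bloginfo( 'name' ) ),
            sprintf(
                "%d failed logins for user \"%s\" from %s; that address is blocked for %d minutes.",
                $attempts,
                sanitize_user( $username ),
                isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
                SP_LOGIN_WINDOW / MINUTE_IN_SECONDS
            )
        );
    }
}
add_action( 'wp_login_failed', 'sp_record_failed_login' );

// While the address is locked out, refuse authentication regardless of the
// password. Priority 30 runs after WordPress' own username/password checks
// (priority 20), so even a correct password fails during a lockout.
function sp_block_locked_login( $user, $username, $password ) {
    if ( (int) get_transient( sp_login_attempt_key() ) >= SP_LOGIN_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'sp_block_locked_login', 30, 3 );

// A successful login clears the counter for that address.
function sp_clear_failed_logins( $user_login, $user ) {
    delete_transient( sp_login_attempt_key() );
}
add_action( 'wp_login', 'sp_clear_failed_logins', 10, 2 );
```

A rejected attempt during the lockout also fires wp_login_failed, so the counter keeps growing and the lockout is extended rather than reset.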
In addition to a username and password, use CAPTCHA or reCAPTCHA on your login screen. The user is asked to input what they see in an image as text, which is a useful way to stop botnets from attempting to log in by brute force.
Further reading:
Adding a security question to your WordPress login screen makes it harder for someone to gain unauthorized access. You can do this by installing the WP Security Questions plugin.
Users can sometimes wander away from the screen while they are logged in, posing a security risk—someone could hijack their session, change passwords, or make changes to their account.
You can automatically log inactive users out with the Idle User Logout plugin.
Users are the weakest point of any system. That weak point is most dangerous when they have administrator privileges.
Few actually need administrative access. WordPress offers a range of alternate roles to choose from:
Forced SSL is a relatively simple change which can make a huge difference. Even if you don’t encrypt your entire website, ensure your users have a secure login page. You’ll need an up-to-date SSL certificate to ensure this.
With every failed login attempt, the error messages on your login page can give hackers clues. Remove them by adding the following line of code to your theme’s functions.php file:
add_filter( 'login_errors', '__return_empty_string' );
Knowing that the WordPress admin URL is wp-admin, any hacker can easily begin a brute-force attack. Reduce the risk of being attacked by changing that URL so hackers won’t be able to find it.
WPS Hide Login is the simplest plugin for achieving that.
To log in to WordPress you need a username and a password. By default, WordPress makes it easy to discover your authors’ usernames. According to DreamHost, it’s a good idea to hide the author’s username to ensure you aren’t making the hacker’s job easier.
To do that, add a snippet to your functions.php file that stops WordPress from revealing usernames through its author URLs.
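Here is an added example (not code from this article or from DreamHost) that closes the two common ways of harvesting WordPress usernames. The hooks and route names are core WordPress APIs; the function names and the SP_ prefix are assumptions.

```php
<?php
// Added example for this article, not code from the original page or from
// DreamHost: closes the two common ways of harvesting WordPress usernames.
// Assumes WordPress is loaded; the hooks and REST route keys are core APIs.

// 1. A request such as /?author=1 is normally redirected by WordPress to
//    /author/<username>/, which reveals the login name. Send numeric author
//    lookups to the home page instead. Runs on init, before the canonical
//    redirect; admin screens are left alone.
function sp_block_author_enumeration() {
    if ( is_admin() || ! isset( $_GET['author'] ) ) {
        return;
    }
    $author = (string) wp_unslash( $_GET['author'] );
    if ( preg_match( '/^\d+$/', $author ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}
add_action( 'init', 'sp_block_author_enumeration' );

// 2. The REST API lists users (with their slugs) at /wp-json/wp/v2/users.
//    Remove those routes for visitors who are not logged in; editors using
//    the block editor keep them.
function sp_hide_rest_users( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
}
add_filter( 'rest_endpoints', 'sp_hide_rest_users' );
```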
This one’s for advanced users. You can provide another layer of security by requiring a server-side login before the WordPress login screen is displayed.
Learn more here:
If only you (or your authors, but not members or readers) need to log in, then restrict access to your /wp-admin/ folder or wp-login.php file.
If you only log in from your home computer, restrict the login screen to that computer. Grab your home IP address (using whatismyip.com or similar) and add these lines to the .htaccess file in your WordPress admin folder (replacing xx.xxx.xxx.xxx with your IP address):
Order deny,allow
Deny from all
Allow from xx.xxx.xxx.xxx
To allow access to multiple computers (office/home/laptop or user1/user2/user3), add another Allow from xx.xxx.xxx.xxx statement on a new line.
XML-RPC allows users to connect to WordPress remotely via blogging clients, and is used for trackbacks and pingbacks. It has been enabled by default since WordPress 3.5.
Unfortunately, hackers can use it for DDoS attacks, so if you don’t use those features, consider disabling XML-RPC.
This can be done with one of the following plugins:
Avoid naming your database “wordpress” with a user ID of “user” and a password of “password.” You only set the database up once, so make them as complex as you like. If you forget them, you can check the details in wp-config.php.
Use a strong password for WordPress to access the database. See our password hints in #16 above.
When you install WordPress, tables use the prefix wp_ by default. Knowing this, hackers with automated tools can work out your database structure. Change the prefix so that it becomes more difficult to run SQL injection queries and other attacks.
Use an SFTP (Secure FTP) connection when connecting to your server. This ensures the communication between your machine and the server is protected. Most hosts, like SiteGround, offer SFTP.
Further reading:
Protect the security of your site by setting your file permissions to the bare minimum:
If a breach does happen, you don’t want to be unknowingly serving malware to your visitors. You need a solution in place that will scan regularly for infected files.
There are several server-side scanning solutions, including Sucuri. Some hosting providers, like SiteGround, have it set up out of the box.
41% of hacked sites are because of security vulnerabilities on the hosting platform. So take special care when choosing or changing your hosting provider.
Your WordPress site is only as secure as your hosting account. If it’s running an old, vulnerable version of PHP, it won’t matter what you do to secure WordPress.
It’s essential that you choose a hosting provider that prioritises security. Some of the features that you should look for are:
SiteGround, our preferred hosting provider, provides all of that and more.
Further Reading:
Several companies now offer secure, managed WordPress hosting with excellent security solutions, such as WP Engine, SiteGround and Media Temple. They spend time, effort and expertise configuring their tools for maximum effectiveness.
For example, WP Engine will automatically update WordPress and key plugins, and disable plugins known to cause performance and security issues. They provide hardware based firewalls and configuration to ensure that Distributed Denial of Service (DDoS) attacks don’t bring your site down.
SiteGround provides automatic updates for the WordPress core and plugins, efficient chroot account isolation for all accounts on shared servers, and sophisticated systems that block malicious bots and attackers.
We’ve focused on highly-rated plugins that cover a range of security features, rather than one-trick-wonders. If your hosting provider doesn’t already have a comprehensive security solution, installing one of these would be a great first step in your security strategy.
Have we missed your favorite security plugin? Let us know in the comments.
Wordfence Security is 100% free and open source. We also offer a Premium API key that gives you Premium Support, Country Blocking, Scheduled Scans, Password Auditing, real-time updates to the Threat Defense Feed, two-factor authentication, and we even check if your website IP address is being used to Spamvertize.
Wordfence includes these security features:
A comprehensive, easy to use, stable and well supported security plugin… It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.
All In One WP Security & Firewall includes these security features:
iThemes Security Pro takes the guesswork out of WordPress security. You shouldn’t have to be a security professional to use a security plugin, so iThemes Security Pro makes it easy to secure & protect your WordPress website.
The free version gives you some protection, but the Pro version includes these security features:
We keep your website safe and hack-free! The Sucuri Platform is a suite of tools designed for complete website security. With no additional cost or hidden fees, the Sucuri Platform is affordable, easy to deploy, and supported by a team of professionals at your disposal.
Sucuri forms part of the security solution of many quality hosting providers, including SiteGround. It’s a valuable tool for SiteGround to protect its clients’ sites from malware, because it scans every link that is accessible from the website homepage on a daily basis. It includes these security features:
The free WordPress security plugin includes these features:
Jetpack (by Automattic, who bring you WordPress) does more than just security. It basically brings the features of WordPress.com to the rest of us, which is appealing. For security and backup, the paid plans include VaultPress.
VaultPress is a real-time backup and security scanning service designed and built by Automattic, the same company that operates (and backs up!) millions of sites on WordPress.com.
VaultPress is now powered by Jetpack and effortlessly backs up every post, comment, media file, revision, and dashboard setting on your site to our servers. With VaultPress you’re protected against hackers, malware, accidental damage, and host outages.
VaultPress includes these security features:
BulletProof Security Pro has an amazing track record. BPS Pro has been publicly available for 5 years and is installed on over 30,000 websites worldwide. Not a single one of those 30,000 websites in 5 years has been hacked.
100% hack free website guarantee. If your website is hacked after installing BPS Pro, we will clean up your hacked website for free. We can easily offer that awesome deal because your website will never be hacked if you have BPS Pro installed.
The free version includes these security features:
The Pro version adds these features:
Protect your WordPress with malware scans, block bots & suspicious IPs. Get a complete WordPress security toolkit for free or as a pro plugin.
If you are proactive, our free WordPress security plugin is a great choice! No time to activate weekly scans? Then SecuPress pro is the way to go. Our plugin takes care of everything with automated tasks.
SecuPress includes these features:
Security Ninja helps thousands to stay safe and prevent downtime due to security issues. 50 tests will provide a comprehensive overview of your site’s security.
The free version lets you achieve the following:
You can get even more protection using these Pro modules:
The best practices for securing your WordPress site include keeping your WordPress version, themes, and plugins updated, using strong passwords, limiting login attempts, and installing a reliable security plugin. Regularly backing up your site is also crucial so you can restore it in case of any security breaches. Additionally, consider using a secure hosting provider that offers features like SSL certificates, firewalls, and regular site scans.
Protecting your WordPress site from hackers involves several steps. Firstly, ensure you have a strong, unique password for your WordPress admin account. Secondly, keep your WordPress core, plugins, and themes updated to the latest versions as they often include security patches. Install a security plugin that can monitor your site for any suspicious activity and block any potential threats. Lastly, use a secure hosting provider that offers advanced security features.
A hosting provider plays a crucial role in WordPress security. A good hosting provider will offer features like regular backups, firewalls, malware scanning, and removal, SSL certificates, and protection against DDoS attacks. They also ensure that their servers are always updated with the latest security patches.
To ensure your WordPress plugins are secure, only download plugins from reputable sources like the WordPress plugin repository. Always keep your plugins updated to the latest version, as updates often include security patches. Delete any plugins that you’re not using, as they can still pose a security risk.
An SSL (Secure Sockets Layer) certificate is a digital certificate that provides a secure connection between a website and a visitor’s browser. It’s important for WordPress security as it encrypts the data transferred between the user and the site, preventing hackers from intercepting and misusing it. Google also ranks sites with SSL certificates higher in their search results.
Limiting login attempts on your WordPress site can be done by installing a security plugin that offers this feature. This helps to prevent brute force attacks, where hackers attempt to gain access to your site by guessing your password.
The frequency of backups depends on how often you update your site. If you update your site daily, then daily backups are recommended. However, if you only make changes to your site once a week, then weekly backups should suffice. Regular backups ensure that you can quickly restore your site in case of any security breaches.
A firewall is a security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted network and an untrusted network. It can protect your WordPress site by blocking malicious traffic and preventing unauthorized access to your site.
Detecting and removing malware from your WordPress site can be done by using a security plugin that offers malware scanning and removal. If your site is infected with malware, the plugin will notify you and often provide steps to remove it.
Signs that your WordPress site has been hacked include a sudden drop in website traffic, unexpected changes to your site content, new user accounts that you didn’t create, a slow or unresponsive website, and notifications from your web host or Google about malicious activity on your site. If you notice any of these signs, take immediate action to secure your site.
The above is the detailed content of 48 Ways to Create a Secure WordPress Site.