20 Steps to A Secure WordPress

Web security is complicated. What an understatement. Anything important is usually fairly complex, and web security is paramount, so you can imagine how complex it is. Fortunately, securing individual parts of the web is far more tractable. Today, let's talk about securing your WordPress installations.

  1. Permissions – Set your server permissions so that all WordPress directories (folders) are 755 (owner read/write/execute, everyone else read/execute), while all files are 644 (owner read/write, everyone else read-only).
  2. Use Random Characters for WordPress Inputs – Obfuscating the details of your installation is your first line of defense against brute-force attacks. Use random names for most entities so that attackers have less data to work with. For this, you can use password managers like LastPass or Roboform, or a naming convention that only you understand. Lastly, you can just press a bunch of keys at the same time to get a random name. In particular, randomly rename these assets:
    1. Database Name
    2. Database User Name
    3. Table Prefix – This is the prefix WordPress uses to identify tables that belong to your installation.  Changing this adds another layer of obstruction.
    4. WordPress User Name – By all that is holy, don't ever use the default "admin" as your username. An attacker needs two pieces of data (username and password) to break into your account; with "admin" as the username, you have handed over half of them.
  3. Restrict User Privileges – Not suitable for most installations, but restricting the privileges of the database user is one of the most powerful ways to secure your WordPress. Note that you will be removing capabilities that WordPress normally uses when talking to your database, so problems will invariably arise. Only perform this step once your website is in production and you won't be changing the code any longer. For more info, see Hardening WordPress.
  4. Strong Passwords – This goes without saying, but the strength of your password goes a long way towards determining the strength of your security. From an IT perspective, passwords are broken because they are human-readable: to remember them, we use common conventions that are easily guessed, and we reuse the same passwords in multiple places with little variation, resulting in lax security.

    As a rule, if your password is random and long enough, you will never need to worry about it being cracked.
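The following helpers, an added example that is not code from the original post, put steps 1, 2 and 4 into practice: they set and verify the 755/644 permissions, and they generate random database names, users, table prefixes and passwords from /dev/urandom. The function names and the `wp_` prefix convention are assumptions; the script assumes a POSIX shell with find, chmod, tr, head and wc.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers for steps 1, 2 and 4:
# fix permissions to 755/644, verify them, and generate random identifiers and
# passwords. Assumes a POSIX shell with find, chmod, tr, head, wc and /dev/urandom.

# set_wp_permissions DIR: every directory 755, every file 644 (step 1).
set_wp_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# count_bad_permissions DIR: print how many entries deviate from 755/644.
# Prints 0 when the tree is clean, so it doubles as a periodic check.
count_bad_permissions() {
    dirs=$(find "$1" -type d ! -perm 755 | wc -l)
    files=$(find "$1" -type f ! -perm 644 | wc -l)
    echo $((dirs + files))
}

# random_token LENGTH: lowercase letters and digits only, so the result is a
# valid MySQL identifier for a database name, database user or table prefix.
random_token() {
    LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c "$1"
}

# random_password LENGTH: printable ASCII without quotes or backslashes, so the
# value can be pasted into wp-config.php without escaping.
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9!#%+,./:;=?@^_{}~' < /dev/urandom | head -c "$1"
}

# wp_table_prefix: random table prefix (hypothetical "wp_xxxxxx_" convention).
# It starts with letters because MySQL identifiers should not begin with a
# digit, and ends in "_" because WordPress appends table names directly after
# it (e.g. PREFIXposts).
wp_table_prefix() {
    printf 'wp_%s_' "$(random_token 6)"
}

# Usage, printing a ready-to-paste set of values for a fresh install:
#   set_wp_permissions /var/www/example/public_html
#   printf 'DB_NAME=%s\nDB_USER=%s\nDB_PASSWORD=%s\nprefix=%s\n' \
#       "db_$(random_token 8)" "u_$(random_token 8)" \
#       "$(random_password 32)" "$(wp_table_prefix)"
```

`count_bad_permissions` is the part worth scheduling: a plugin or a careless upload can reset modes to 777, and a non-zero count is the earliest sign of that.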

  5. Get New Salts (WordPress Secure Keys) Each Time You Install – WordPress secure keys are used to provide a layer of security to various portions of your installation. Get a fresh set of keys, from the link provided, for each installation you secure.
  6. Move wp-config.php out of the Installation Root – By default wp-config.php, which holds the information your website needs to communicate with your database server, is placed in the root of your installation. You gain an additional layer of security by moving this file out of your public_html folder and into the directory one level above it (the root of your domain). WordPress will still find the file there, but some server setups prevent this from working.
  7. Add an .htaccess File to Block wp-config.php – We can block web access to wp-config.php by adding a custom .htaccess file at the same directory level as wp-config.php. Add this block to your .htaccess:
    <Files wp-config.php>
    # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
    order allow,deny
    deny from all
    </Files>

    There are many different ways and multiple steps depending on your operating system, but you can find directions here: Hardening WordPress WP-Config.
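For steps 5 and 7 together, here is an added example (not code from the original post or the WordPress project) that appends a deny rule covering both Apache 2.2 and 2.4 to the .htaccess beside wp-config.php, and generates a fresh set of the eight WordPress salt defines locally instead of fetching them. The function names are assumptions; the script assumes a POSIX shell with grep, tr, head and /dev/urandom, and Apache with mod_authz_core on 2.4.

```shell
#!/bin/sh
# Added example, not code from the original post: the wp-config.php deny rule
# from step 7, and locally generated salts for step 5. Assumes Apache (2.2, or
# 2.4 with mod_authz_core) and a POSIX shell with grep, tr, head, /dev/urandom.

# write_wpconfig_deny DIR: append the deny block to DIR/.htaccess, once.
# The <IfModule> split covers both Apache 2.2 (Order/Deny) and 2.4
# (Require all denied); 2.4 rejects the old directives unless
# mod_access_compat is loaded, so they are guarded.
write_wpconfig_deny() {
    f="$1/.htaccess"
    if grep -q 'wp-config.php' "$f" 2>/dev/null; then
        return 0
    fi
    cat >> "$f" <<'EOF'
<Files "wp-config.php">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
EOF
}

# htaccess_denies_wpconfig DIR: succeeds (exit 0) when both variants are present.
htaccess_denies_wpconfig() {
    grep -q 'Require all denied' "$1/.htaccess" 2>/dev/null &&
        grep -q 'Deny from all' "$1/.htaccess"
}

# wp_salt_defines: print the eight define() lines WordPress expects, each with
# a distinct 64-character random value, ready to paste into wp-config.php.
# Quotes and backslashes are excluded so no PHP escaping is needed.
wp_salt_defines() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        value=$(LC_ALL=C tr -dc 'A-Za-z0-9!#%+,./:;=?@^_{}~' < /dev/urandom | head -c 64)
        printf "define('%s', '%s');\n" "$name" "$value"
    done
}

# Usage:
#   write_wpconfig_deny /var/www/example/public_html
#   htaccess_denies_wpconfig /var/www/example/public_html && echo "wp-config.php blocked"
#   wp_salt_defines   # paste the output over the old salts in wp-config.php
```

Running `wp_salt_defines` on every install, and again after any suspected compromise, invalidates all existing login cookies, which is exactly what you want from a fresh set of salts.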

  8. Set Up SSL – SSL (Secure Sockets Layer, today TLS) encrypts the traffic sent between the host server and the visitor's browser. It is a good idea to have a certificate, and also a good idea to serve your entire WordPress site over it. Once set up, edit your general settings so that the site address begins with "https://" rather than "http://".
  9. (With SSL Applied) Force Logins and Admin Through SSL –
    Add

    define('FORCE_SSL_ADMIN', true);

    to wp-config.php after the WP_DEBUG section to force all login attempts and administration sessions through SSL.

  10. Change Path to Login Page – Brute-force attackers need your login page in order to start guessing credentials. Hide it with the Rename WP Login plugin (or something equivalent).
  11. Limit Unsuccessful Logins – Brute force requires a large number of requests before it can crack a login. Use Limit Login Attempts to make this much more difficult, or look at WordFence.
  12. Add Captcha To Login Forms – Another great way to limit the effectiveness of brute-force tools is to use Login Page Captcha.
  13. Two-Factor Authentication – Make it more difficult for everyone to sign in using your choice of two-factor authentication plugins.
  14. Hide Your Version of WordPress – Use a dedicated plugin or install WordFence to hide your WordPress version from attackers. As WordPress is developed, vulnerabilities are found and resolved, so each version has a different set of known vulnerabilities that subsequent versions fix. Hiding your version denies attackers that starting point; it is no substitute for actually updating (see the maintenance plan below).
  15. Block Bad Queries – Query strings can interact with WordPress in many different ways. Prevent malicious queries with the Block Bad Queries plugin. This works great with WordFence.
  16. Block Bad Behavior – To watch for spambots in particular, also include the Bad Behavior plugin in your installation.
  17. Force HTTP calls to HTTPS – Sometimes plugin or theme developers leave an http:// URL in their code, which breaks your SSL protection and leaves a weakness. Use Really Simple SSL to rewrite all http links to https, removing this potential problem.
  18. Disable Admin File Editor –
    Add

    define('DISALLOW_FILE_EDIT', true);

    to wp-config.php after the WP_DEBUG section to remove the option to edit files from the admin dashboard. You can still edit them over FTP, but you have removed the number one prize of a WordPress break-in: control of the PHP files and the server they are delivered from.

    This, of course, means you can't edit them from the dashboard either. For this reason, you will want to wait until the website is production ready. If you need to edit your files again, simply comment out the line in wp-config.php, then uncomment it when you are done.
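Both of the wp-config.php settings above (steps 9 and 18) share a failure mode: PHP accepts any spelling in `define()`, so a misspelled constant name is defined without error and WordPress simply never reads it. The audit below is an added example, not code from the original post or from WordPress; it reports which of the two recommended constants are not set to `true`, ignoring commented-out lines, and flags define() names that look like near-misses. Function names are assumptions; it assumes a POSIX shell with grep and sed supporting `-E`.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a wp-config.php for the
# hardening defines in steps 9 and 18. Assumes a POSIX shell with grep -E and
# sed -E. A misspelled constant name is silently accepted by PHP and does
# nothing, so near-miss names are reported separately.

# Constants the post recommends; each protection is active only when true.
WP_HARDENING_DEFINES="FORCE_SSL_ADMIN DISALLOW_FILE_EDIT"

# wpconfig_define_value FILE NAME: print the value of define('NAME', ...),
# ignoring lines commented out with // or #; prints nothing if absent.
wpconfig_define_value() {
    grep -E "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]$2['\"]" "$1" \
      | sed -E "s/.*['\"]$2['\"][[:space:]]*,[[:space:]]*([^)]*)\).*/\1/" \
      | sed -E 's/^[[:space:]]*//; s/[[:space:]]*$//' | head -n 1
}

# wpconfig_missing_hardening FILE: print each recommended constant that is
# not defined as true, one per line; empty output means the file passes.
wpconfig_missing_hardening() {
    for name in $WP_HARDENING_DEFINES; do
        v=$(wpconfig_define_value "$1" "$name")
        [ "$v" = "true" ] || echo "$name"
    done
}

# wpconfig_suspicious_defines FILE: define() names containing FILE_EDIT or
# SSL_ADMIN that are not one of the recommended spellings (a typo such as
# DISSALOW_FILE_EDIT is defined fine by PHP but never consulted by WordPress).
wpconfig_suspicious_defines() {
    LC_ALL=C grep -oE "define[[:space:]]*\([[:space:]]*['\"][A-Z_]+['\"]" "$1" \
      | sed -E "s/.*['\"]([A-Z_]+)['\"]/\1/" \
      | grep -E 'FILE_EDIT|SSL_ADMIN' \
      | grep -vxE 'FORCE_SSL_ADMIN|DISALLOW_FILE_EDIT' || true
}

# Usage:
#   wpconfig_missing_hardening /var/www/example/public_html/wp-config.php
#   wpconfig_suspicious_defines /var/www/example/public_html/wp-config.php
```

Run both checks after every edit to wp-config.php and after re-enabling the file editor, since the "comment it out, then uncomment" routine from step 18 is exactly where a line gets left commented or retyped with a typo.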

  19. Only Install Themes from Trusted Sources – Malicious code can be placed in a theme without you ever knowing. Therefore, only add themes from the free theme directory within WordPress or from trusted download sources.
  20. Use Yoast SEO for Search Engine Optimization and W3 Total Cache for Performance Optimization.
  21. Create a Maintenance Plan – It is impossible to be 100% secure in anything, especially web security. To be as resilient as possible, monitor updates and update your websites regularly. Also back up your website regularly so that, should the unthinkable happen, you can get back to business in no time. To keep on top of updates, use WP Update Notifier or check into your WordPress installations regularly for updates.

    For backups, you can use a plugin like UpdraftPlus, or you can back up your installation manually. You need to download the website files and the database separately, and store them on your local computer or somewhere secure. Special note: when backing up the database through phpMyAdmin, you will need to export the DB; when exporting, be sure to choose Output > Save output to a file and select the zipped compression method.