10 WordPress Security Tricks and Tips To Keep Your Site Safe in 2023

As a business owner, you already know the basics of securing your WordPress site. Strong passwords, a good hosting provider, regular backups — all these help protect your site from hackers, but are they enough?

Not really!

You need to take action to make your site completely secure. After all, you do not want to give malicious actors any chance to break into your site.

WordPress, by default, is already secure. However, you must follow industry-leading best practices for securing your WordPress site.

Let’s get started.

Install WordPress Security Plugin

Even though WordPress is a secure platform, a third-party security plugin can help secure your site further. There are many WordPress security plugins to choose from, including Wordfence, Sucuri Security, and BulletProof Security.

A WordPress security plugin handles monitoring and auditing for the whole site. For example, it will track failed login attempts, monitor file integrity, and scan for malware, to name just a few things that a modern WordPress security plugin does.

As a consumer, you have many choices when picking a WordPress security plugin. I generally suggest Wordfence and Sucuri, but you are free to use others.

Setting up a security plugin is also easy. Once you install and activate one, it will guide you step by step through what needs to be done to harden your site. Almost all of them require an API key to work. To generate the API key, you go to the security plugin's main site and create an account; it then generates a unique API key for your site.

Rename Login URL

Most of the attacks on your WordPress site are carried out by bots. These bots target the login URL of WordPress and try to guess the password by constantly trying out new combinations.

So, a bot will go to your site's login URL, www.yourgoodsite.com/wp-login.php, and then bombard it with login attempts.

To counter this, you can change the login URL to something different (and hard to guess). You can opt for a random login URL or change it to something easy to remember.

It may be something like: www.yourgoodsite.com/this_is_the_way_batman_login.php.

You can change the URL using WordPress security plugins such as iThemes. There are also dedicated plugins for changing the login URL. If you have a dedicated developer or webmaster for your site, you can also ask them to change it for you.

Limit Login Attempts

Apart from changing the login URL, you also need to limit login attempts. By limiting login attempts, you discourage bots from trying out combinations. It also stops hackers who try to break in using brute-force methods. To enable it, you can use free plugins such as WP Limit Login Attempts or Login LockDown.
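As an added example (not code from any of the plugins named above), here is a minimal must-use plugin that does the same job: it counts failed logins per client address in a transient and refuses further attempts once the limit is reached. The plugin name, the SLT_ constants and the helper function are my own choices, and it assumes the site is not behind a reverse proxy or CDN, so REMOTE_ADDR is the visitor's real address.

```php
<?php
/**
 * Plugin Name: Simple Login Throttle (added example)
 * Drop this file into wp-content/mu-plugins/ to load it automatically.
 * Assumption: no reverse proxy or CDN in front of the site, so
 * REMOTE_ADDR is the client's address. Behind a proxy you would have
 * to read the trusted forwarded-for header instead.
 */

const SLT_MAX_ATTEMPTS   = 5;                       // failures allowed per window
const SLT_WINDOW_SECONDS = 15 * MINUTE_IN_SECONDS;  // lockout / counting window

// One transient key per client address.
function slt_client_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'slt_fail_' . md5( $ip );
}

// Count every failed login; each failure extends the window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = slt_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, SLT_WINDOW_SECONDS );
} );

// Runs after core has checked the credentials (priority 20); a client
// over the limit is refused even if the password was correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( slt_client_key() ) >= SLT_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( slt_client_key() );
} );
```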

Use SSL/HTTPS

Secure Sockets Layer (SSL) adds another layer of protection to your site: it encrypts the data exchanged between your site and its visitors.

To enable SSL on your site, ask your hosting provider to install a certificate. Many hosting plans already include an SSL certificate. You can also get an SSL certificate from a third-party provider and install it on your site.

If you do not want to spend money, use the industry-standard free certificate authority, Let's Encrypt. It is easy to install using a plugin. If you cannot do it yourself, professional web admins can do it for you for as little as $5.

Protect wp-config.php

The wp-config.php file is used to configure and manage your WordPress installation. It is the core of your site. You must protect it so no one can change its values and disrupt your site's functionality.

To protect the wp-config.php file, you can move it one folder above your WordPress root directory. This keeps it out of the web-accessible directory and hides it from hackers.

Another thing you can do is disable file editing from the dashboard. To do so, open the wp-config.php file in your favorite text editor and add the following code.

// Disallow editing theme and plugin files from the WordPress dashboard
define( 'DISALLOW_FILE_EDIT', true );

Two-Factor Authentication

Strong passwords go a long way, but nothing beats two-factor authentication (2FA). 2FA adds another security layer to your site. You need to go through two steps before you can access your site. The second step is entering a one-time password (OTP) that can be sent by email or phone (call or text).

The second layer adds uncertainty to the hacker's attack. Even if they can guess the password, they do not have access to the OTP. 2FA is 100% effective against brute force attacks and protects your site from hackers (mainly bots).

There are plenty of Two-Factor authentication plugins. You can check out Google Authenticator or Duo Two-Factor Authentication.

Disable XML-RPC

XML-RPC is a remote procedure call protocol that lets a client send multiple method calls within a single request. It is useful because it reduces the number of HTTP requests. However, it can also be used with malicious intent.

A few WordPress plugins use XML-RPC, but it is better to disable it to secure your site. Jetpack is one of the popular plugins that relies on XML-RPC.

To check whether XML-RPC is enabled on your site, you can use the XML-RPC Validator tool by Danilo Ercoli from the Automattic team. If the validator cannot detect XML-RPC on your site, it will report an error.

If it is enabled, you can use a plugin to disable it. Sometimes, the hosting provider takes care of XML-RPC by blocking it in their NGINX configuration.

HTTP Security Headers

You can also add HTTP security headers to protect your site from hackers further. HTTP security headers work at the web server level. They tell browsers how the content should behave on the user's side.

You do not have to worry about all HTTP security headers as a business owner. All you need to do is make sure that the following HTTP security headers are implemented correctly.

  • X-XSS-Protection
  • X-Frame-Options
  • Content-Security-Policy
  • Public-Key-Pins
  • X-Content-Type-Options
  • Strict-Transport-Security

You can use Chrome DevTools to check which HTTP security headers are already enabled.
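Both the XML-RPC switch from the previous section and the headers listed above can also be set from WordPress itself. The must-use plugin below is an added example, not code from this article or from any plugin; the plugin name is my own, it assumes the web server is not already sending these headers, and it deliberately leaves out X-XSS-Protection and Public-Key-Pins because current browsers no longer honour them.

```php
<?php
/**
 * Plugin Name: Hardening Headers (added example)
 * Drop this file into wp-content/mu-plugins/ to load it on every request.
 * Assumption: the web server does not already send these headers; set
 * each header in one place only so browsers never see duplicates.
 */

// Disable every XML-RPC method that requires authentication (the ones
// bots use for password guessing). Unauthenticated methods such as
// pingback.ping still answer; blocking xmlrpc.php entirely is a web
// server rule, as the section above notes.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Stop advertising the endpoint: drop the X-Pingback header and the
// RSD discovery link, both of which point clients at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// Send the security headers on every front-end response.
add_action( 'send_headers', function () {
    // Only meaningful over HTTPS: browsers remember to use HTTPS for 180 days.
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=15552000; includeSubDomains' );
    }
    // Block other sites from framing your pages (clickjacking).
    header( 'X-Frame-Options: SAMEORIGIN' );
    // Make browsers trust the declared Content-Type instead of sniffing it.
    header( 'X-Content-Type-Options: nosniff' );
    // The CSP equivalent of X-Frame-Options. A fuller policy that restricts
    // scripts and styles must be tested against your theme and plugins first.
    header( "Content-Security-Policy: frame-ancestors 'self'" );
    // X-XSS-Protection and Public-Key-Pins are not sent: current browsers
    // have dropped support for both, so they add nothing.
} );
```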

Database Security

The database is at the core of your WordPress website. After all, it stores all your data centrally and securely. However, you can make a few tweaks to make your database more secure.

For example, you can choose a database name that is not obvious. If you run a tech site, your database name might be something like wp_tech or wp_yoursitename. A hacker can easily guess these, and that information can be used to attack your database. The fix is to use a hard-to-guess database name.

Another small change you can make is the database table prefix. WordPress uses wp_ by default. You can change it to something like 15rx_ so that table names are harder to guess.

You can change the prefix during the WordPress installation process. 

Hotlinking prevention

Hotlinking is embedding images hosted on another site directly in your own pages. You serve the image without hosting it, which amounts to bandwidth theft. For the original owner, it means higher server costs and slower site performance.

To prevent hotlinking, you must do the following based on your server type.

Disabling Hotlink in Apache

All you need to do is copy-paste the following code into your .htaccess file.

# Turn on mod_rewrite
RewriteEngine on
# Allow requests with no referrer (direct visits, privacy settings)
RewriteCond %{HTTP_REFERER} !^$
# Allow requests coming from your own domain (the dot is escaped)
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
# Any other site requesting an image gets the placeholder instead
RewriteRule \.(jpg|jpeg|png|gif)$ http://dropbox.com/hotlink-placeholder.jpg [NC,R,L]

Disabling Hotlink in NGINX

In NGINX, you must copy-paste the following code into the config file.

location ~ \.(gif|png|jpe?g)$ {
    # Allow missing referrers, the major search engines, and your own domain
    valid_referers none blocked ~\.google\. ~\.bing\. ~\.yahoo\. yourdomain.com *.yourdomain.com;
    if ($invalid_referer) {
        return 403;
    }
}

DDoS Protection

A Distributed Denial of Service (DDoS) attack uses many systems to flood the server with requests, overwhelming it so that it crawls or goes down. These attacks are common and generally aim to interrupt the service.

To protect against it, you need to use a CDN such as Cloudflare. You can also use other services, such as Sucuri, to prevent DDoS attacks. Your hosting provider also might have its arrangement for handling DDoS attacks.

What’s next?

Securing your site requires careful planning and execution. Some of these steps are technical, and you may need help from your developer or a professional. If you are curious, you can also implement them by doing the research yourself!

Have you implemented all of the security tips and tricks? Then, your site is pretty secure! However, you should check your site periodically to ensure there is no lapse in security.


If securing your site seems challenging, contact us at [email protected]. Our approach to securing the WordPress site is backed by years of experience where we helped secure the best websites.

Disclosure: Some of the links in this article may be affiliate links, which can provide compensation to WP Ambition at no cost to you if you decide to purchase a paid plan.
