Complete WordPress Security Guide

I thought of writing a guide on WordPress security because, recently, some sites hosted on WordPress have witnessed brute force attacks. Attack attempts against your WordPress site will increase as soon as your blog starts to grow, so to secure your WordPress blog you need to follow some guidelines and apply some tweaks.

I have listed some recent WordPress security attacks, how to prevent them from happening to your blog, some WordPress security plugins, and security tips to follow and implement.

The methods below involve editing the .htaccess file and other configuration files, which carries some risk, so make sure you back everything up before proceeding.


Brute Force Attack

One of the popular methods of hacking WordPress blogs is the brute force attack, in which the attacker tries to log in to a WordPress account with every possible combination of characters. Automated tools built for brute force attacks do exactly this.

Plugin: Login Security Solution can track the IP addresses from which login attempts are made, so you can block those IP addresses. Isn't that cool?

Here are some more WordPress security best practices to avoid brute force attack.

Treat your username as a password

The default WordPress administrator username is admin. Change it to your name, or set the username to something unique, so that it is not easy for hackers to guess. If hackers know your username, carrying out the attack becomes much easier for them.

If the username is treated like a password, a brute force attack becomes impossible.

Keep your passwords safe, secure and strong

Strong passwords secure your account from brute force attacks: it is difficult to brute force an account that has a secure alphanumeric password.

Keep your passwords as long as possible, and include special characters and numbers. Make use of the WordPress password strength checker while setting passwords for your WordPress account.

With a secure alphanumeric password, hacking a WordPress account by brute force is almost impossible.

Enable Captcha for Login and Registration Pages

Enabling a CAPTCHA on your login page makes it impossible for hackers to run an automated brute force attack on your account, because a fresh CAPTCHA is loaded after every attempt.

Adding a CAPTCHA and other extra fields to the registration form also keeps out spam registrants.

You can use SI CAPTCHA Anti-Spam for this, or alternatively the Cimy User Extra Fields plugin.

Limit login attempts

To prevent brute force attacks, limit the number of login attempts on your WordPress account. This can be done with the WordPress security plugin Limit Login Attempts, which locks the account for a preset time after a preset number of failed attempts. This ensures that your WordPress account is safe as far as brute force attacks are concerned.
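The lockout rule described above, written out as an added example so you can see the policy a "limit login attempts" plugin enforces (this is illustrative code, not the plugin's own source). The thresholds, the (IP, username) key and the sample attempt list are assumptions chosen for the demo:

```python
"""Failed-login lockout policy: after max_failures failed attempts within
window_seconds, the (ip, username) pair is refused for lockout_seconds,
even if the next attempt carries the correct password."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    max_failures: int = 5        # failures tolerated inside the window
    window_seconds: int = 600    # how far back failures are counted
    lockout_seconds: int = 1200  # how long the key stays locked
    _failures: dict = field(default_factory=dict)     # key -> deque of timestamps
    _locked_until: dict = field(default_factory=dict)  # key -> lockout end time

    def _recent_failures(self, key, now):
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window_seconds:   # drop stale entries
            q.popleft()
        return q

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        return until is not None and now < until

    def record_failure(self, key, now):
        """Store a failed attempt; returns True if it triggers a lockout."""
        q = self._recent_failures(key, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_seconds
            q.clear()
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)  # a good login resets the counter


def simulate(attempts, policy=None):
    """attempts: (timestamp, ip, username, password_correct) tuples.
    Returns one outcome string per attempt."""
    policy = policy or LockoutPolicy()
    outcomes = []
    for ts, ip, user, ok in attempts:
        key = (ip, user)
        if policy.is_locked(key, ts):
            outcomes.append("locked")       # refused without checking the password
        elif ok:
            policy.record_success(key)
            outcomes.append("success")
        elif policy.record_failure(key, ts):
            outcomes.append("failed+locked")
        else:
            outcomes.append("failed")
    return outcomes


# Constructed attempt log: one client hammering "admin", one legitimate client.
SAMPLE_ATTEMPTS = [
    (0,    "203.0.113.5",  "admin", False),
    (1,    "203.0.113.5",  "admin", False),
    (2,    "198.51.100.7", "admin", False),  # different client, a single typo
    (3,    "203.0.113.5",  "admin", False),
    (4,    "203.0.113.5",  "admin", False),
    (5,    "203.0.113.5",  "admin", False),  # fifth failure: lockout starts
    (6,    "203.0.113.5",  "admin", True),   # right password, still refused
    (700,  "198.51.100.7", "admin", True),   # unaffected client logs in
    (1300, "203.0.113.5",  "admin", True),   # lockout has expired
]

if __name__ == "__main__":
    for attempt, outcome in zip(SAMPLE_ATTEMPTS, simulate(SAMPLE_ATTEMPTS)):
        print(attempt, "->", outcome)
```

Keying on (IP, username) rather than IP alone means one attacker cannot lock out a legitimate user who shares a NAT address with them; keying on username alone would let an attacker deliberately lock the administrator out.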

Enable IP based login

Some plugins let you whitelist the IP addresses from which logins to your WordPress account are allowed. Include your current IP address and the addresses of the places you frequently travel to, so that you can log in to your WordPress account only from those locations, which protects the account from brute force attacks.

Plugin - WP Login Security 2

Alternatively, you can manually create a separate .htaccess file inside the wp-admin folder listing the allowed IP addresses.

# .htaccess placed inside wp-admin/ (Apache 2.2 syntax; Apache 2.4 needs
# mod_access_compat for order/deny/allow, or the equivalent "Require ip" form)
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# IP addresses of my computers: replace the placeholders with your own addresses
allow from 00.000.000.000
allow from 000.000.00.000
allow from 000.000.00.000
allow from 000.000.00.000
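A small generator for that wp-admin allowlist, added here as an example (it is not part of the article or of any plugin). It validates each entry with Python's ipaddress module, so a typo or an invalid placeholder is reported instead of silently locking you out, and it renders both the Apache 2.2 directives shown above and the Apache 2.4 "Require ip" form. The sample entries are constructed documentation addresses:

```python
"""Validate an IP allowlist and render a wp-admin/.htaccess from it."""
import ipaddress


def validate_allowlist(entries):
    """Split raw entries into (valid_networks, rejected_strings).
    Single hosts and CIDR ranges, IPv4 or IPv6, are accepted."""
    valid, rejected = [], []
    for entry in entries:
        try:
            valid.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            rejected.append(entry)
    return valid, rejected


def _fmt(net):
    # Print single hosts without the /32 or /128 suffix, ranges in CIDR form.
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def render_htaccess(networks, apache24=False):
    """Return the .htaccess text. apache24=False reproduces the article's
    order/deny/allow block; apache24=True uses Require ip instead."""
    out = ["# wp-admin/.htaccess: only the listed addresses may reach the admin area"]
    if apache24:
        out.append("<RequireAny>")
        out += [f"    Require ip {_fmt(n)}" for n in networks]
        out.append("</RequireAny>")
    else:
        out += ["AuthUserFile /dev/null", "AuthGroupFile /dev/null",
                'AuthName "Access Control"', "AuthType Basic",
                "order deny,allow", "deny from all"]
        out += [f"allow from {_fmt(n)}" for n in networks]
    return "\n".join(out) + "\n"


# Constructed input: two valid hosts/ranges, one IPv6 range, two bad entries.
SAMPLE_ENTRIES = ["203.0.113.10", "198.51.100.0/24", "2001:db8::/32",
                  "not-an-ip", "10.0.0.300"]

if __name__ == "__main__":
    ok, bad = validate_allowlist(SAMPLE_ENTRIES)
    if bad:
        print("rejected entries (fix before deploying):", bad)
    print(render_htaccess(ok))
    print(render_htaccess(ok, apache24=True))
```

Deploy the rendered file only after confirming that your own current public address is in the valid list; an allowlist that omits it locks the administrator out along with the attackers.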

Malicious Script Injection

Malicious scripts are sometimes injected into the WordPress database, where they are very difficult to find. These scripts can act as keyloggers as well as SEO juice suckers. They behave like Trojans: useful-looking on the surface while carrying out their malicious activity in the background. Here are some tips to prevent malicious script injection into your WordPress database.

Scan your site and block IP addresses known to belong to hackers

Sounds tough, right? It was for me too, until I found this plugin. Wordfence Security is one of the best security plugins for WordPress and on its own has the capacity to cope with hackers. On installation it thoroughly scans your WordPress site for vulnerabilities. The free version contains many options and the premium version a plethora more.

It also contains an inbuilt WHOIS lookup, which helps you find the WHOIS details (website, telephone number and address of the person associated with an IP address).

It also offers the facility to block the IP addresses trying to log in to your account, to block whole networks, and so on. It automatically tracks the IP addresses from which hackers try to attack your site, adds them to its database, and blocks them on all sites running Wordfence. That means a Wordfence user is protecting not only himself but every other WordPress user running Wordfence.

Avoid third-party plugins

Installing plugins from untrusted sources, such as nulled plugins, injects malicious scripts into your WordPress database.

Plugins and themes have become the major target for hackers to inject malicious scripts and steal the credentials of WordPress users. Always use plugins from WordPress or other trusted sources, which are thoroughly scanned before release.

Use anti-malware plugins

As removing malicious scripts manually is a nearly impossible task for an average user, there are numerous anti-malware plugins for WordPress that regularly scan your WordPress database for malicious scripts and remove them with your permission.

Plugins:
Sucuri WordPress Security Plugin
Anti-Malware (Get Off Malicious Scripts)

You can also block the most common injection attempts manually by inserting the following code into your .htaccess file; back up the file before editing it.

# Refuse (403) any request whose query string carries a <script> tag or tries
# to overwrite PHP's GLOBALS / _REQUEST arrays. The "[" must be escaped as \[
# in the patterns; unescaped it would open a character class and change the rule.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
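To see what those three RewriteCond patterns actually block, the following added example (not from the article) applies the same regular expressions to a set of constructed query strings with Python's re module, mirroring mod_rewrite's matching: the first condition is case-insensitive because of [NC], the other two are case-sensitive, and the conditions are OR-ed. The queries, including the false-positive case, are assumptions chosen for the demo:

```python
"""Replay the .htaccess query-string filter against sample QUERY_STRING values."""
import re
from urllib.parse import quote

# Same patterns as the .htaccess snippet, with "[" escaped as PCRE requires.
SCRIPT_TAG = re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)  # [NC]
GLOBALS_VAR = re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")
REQUEST_VAR = re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")


def is_blocked(query_string):
    """True when the rewrite rule would answer 403 for this raw QUERY_STRING.
    mod_rewrite sees the still-URL-encoded string, so %3C counts as '<'."""
    return bool(SCRIPT_TAG.search(query_string)
                or GLOBALS_VAR.search(query_string)
                or REQUEST_VAR.search(query_string))


# Constructed query strings mapped to the verdict the filter should give.
SAMPLE_QUERIES = {
    "p=123": False,
    "s=wordpress+security": False,
    "s=" + quote("<script>alert(1)</script>", safe=""): True,   # encoded script tag
    "GLOBALS[_SERVER]=x": True,                                 # overwrite attempt
    "x=_REQUEST%5Bcmd%5D": True,                                # %5B is an encoded "["
    "globals=1": False,            # 2nd/3rd conditions lack [NC], so case matters
    "s=" + quote("<b>script</b>", safe=""): True,  # harmless search term, still 403
}


def classify(queries=SAMPLE_QUERIES):
    """Run every query through the filter and return {query: blocked}."""
    return {q: is_blocked(q) for q in queries}


if __name__ == "__main__":
    for q, blocked in classify().items():
        print(f"{'403' if blocked else '200'}  {q}")
```

The last sample shows the cost of a pattern this broad: any search for the word "script" inside encoded tags is refused as well, so watch your 403 logs after deploying the rule and loosen it if legitimate visitors are being turned away.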

Scan for malicious scripts in multiple .htaccess files

Infected .htaccess files get planted into WordPress installations to redirect visitors to other websites without the owner knowing, which leads to Google marking your website as spam. Take a full backup of your WordPress site regularly to ensure that you can recover.

You can also use plugins such as BulletProof Security to scan .htaccess files for malicious scripts.

Choose a good hosting service

Some hosting services offer free hosting, but at the same time they may inject malicious scripts into your WordPress database for tracking and promotion purposes. Therefore, avoid these untrusted hosting service providers.

Go for trusted hosting providers, whether complimentary or paid.

HostGator is one of the best hosting service providers out there. It keeps your site up all the time, and the security this hosting giant provides is incredible.

Avoid Pirated Themes

Themes available from sources other than WordPress are untrusted and likely to contain malicious scripts that are injected into your WordPress database as soon as you install the theme.

So install themes that are trusted, come from WordPress, and have good reviews. You can even purchase a premium theme to avail of SEO benefits.

Numerous theme providers claim to give away premium themes for free; simply avoid them.


Other important tips

There are other methods that hackers use to hack a WordPress account. As the number of hacking methods increases day by day, it is necessary to take some extra steps to secure your WordPress account. The most important of them are listed below.

Enable two-factor authentication

Two-factor authentication is an additional feature offered by many plugins to enhance the security of WordPress.

You can enable two-factor authentication using the Google Authenticator plugin or a secret question.

Alternatively, you can use Login Dongle, which gives you a bookmarklet that you must click every time after logging in with your credentials.

Lock down the permissions of your WordPress admin files

By default, WordPress makes its admin files accessible to the administrator only. Sometimes, however, you may need to set the permissions manually, so set the permissions of the WordPress admin files to administrator-only in cPanel. If your WordPress admin files are set to public, it is easy for a hacker to snoop into your WordPress database structure, and hacking becomes easier.

Use robots.txt to keep search engines away from the admin paths of your WordPress site. Note that robots.txt only asks well-behaved crawlers not to index these paths; it does not stop anyone from requesting them, so it complements file permissions rather than replacing them. Add the code below to your robots.txt file (the User-agent line must not be commented out, or the Disallow rules apply to nobody):

User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

The most dangerous setting is CHMOD 777, which lets every account on the server, and any script a visitor manages to run, read, edit or modify your WordPress files. Malicious scripts can even alter these permissions themselves, so it is important to review them regularly.
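A permission audit that finds exactly the files the paragraph warns about, added here as an example (not the article's or any plugin's code). It walks a directory tree and reports every file or directory whose mode grants write access to "other" (777, 666 and the like). The demo builds a small constructed WordPress-like tree in a temporary directory; run it against your real document root instead to audit a live site:

```python
"""Report world-writable files and directories under a WordPress root."""
import os
import stat
import tempfile


def find_world_writable(root):
    """Return sorted (relative_path, octal_mode) pairs for entries whose
    permission bits include write-for-other. Symlinks are skipped so a
    link's own 777 mode does not produce noise."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; not ours to report
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                hits.append((os.path.relpath(path, root),
                             oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def demo():
    """Constructed mini site: safe wp-config.php and index.php, a 777 uploads
    directory and a 666 file inside it. Returns the audit findings."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        files = [
            ("wp-config.php", 0o640),                             # fine
            ("index.php", 0o644),                                 # fine
            (os.path.join("wp-content", "uploads", "a.jpg"), 0o666),  # bad
        ]
        for rel, mode in files:
            path = os.path.join(root, rel)
            open(path, "w").close()
            os.chmod(path, mode)
        os.chmod(uploads, 0o777)                                  # bad
        return find_world_writable(root)


if __name__ == "__main__":
    for rel, mode in demo():
        print(f"{mode}  {rel}   (expect 644 for files, 755 for directories)")
```

On a real site, pass the document root to find_world_writable and fix anything it reports with chmod 644 for files and 755 for directories; wp-config.php can be tighter still, since only the web server user needs to read it.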

Require login for comments or disable links in comments

Nearly 80% of comments are spam, so it's better to allow only registered users to comment on your blog posts.

Alternatively, you can disable links or HTML in comments with the help of plugins like Disable Author URL and Comment Links.

Update all the things

Older WordPress versions are vulnerable, and newer versions are released to fix those bugs and vulnerabilities. If you remain on an outdated version of WordPress, you are more exposed to hackers.

Likewise, do not forget to update outdated plugins, as older plugins are more vulnerable to attacks. Avoid plugins that have not been updated for about two years and that do not have enough ratings.

This is one of the best practices to follow, rather than realizing afterwards, "I should have updated that plugin".

Remove anything that exposes your WordPress version

You may have discovered that a particular WordPress version is vulnerable and that the latest release has fixed it. Hackers look at the WordPress version and its known vulnerabilities before attacking, so make sure you do not expose the WordPress version to the public and remove anything that reveals it. If possible, remove everything like "Powered by WordPress", etc.

To remove the WordPress version number manually, add the following line to your theme's functions.php file:

// stop WordPress printing <meta name="generator" content="WordPress x.y"> in the page head
remove_action('wp_head', 'wp_generator');

Change Default WordPress database prefix

When you create the WordPress database, the installer asks you to set a database table prefix. Use a prefix other than "wp_". Open wp-config-sample.php, find the $table_prefix line, and change it to something you desire, as in the screenshot below.

[Screenshot: changing the WordPress table prefix in wp-config-sample.php]

Keep WordPress audit security logs

WP Security Audit Log keeps a log of everything happening on your WordPress blog. It is easy to track suspicious activities, as this plugin generates a warning for every major change in your WordPress account.

It logs every major activity: WordPress updates, password changes, user and role changes, post publishing, plugin installations, logins, file uploads and any sort of deletion. It also logs the IP addresses from which logins were made.

Because it literally logs every activity in your WordPress account, it makes the analysis and prevention of WordPress exploits easier.
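Keeping the log is only half the job; someone has to read it. The following added example (not the plugin's code, and its line format is an assumption, not WP Security Audit Log's real export format) parses a few constructed audit lines and applies three checks a reviewer would run: a burst of failed logins from one address, a successful login from that address shortly afterwards, and sensitive changes such as plugin installs, tagged when they come from an address already flagged:

```python
"""Review constructed WordPress audit-log lines for brute force and follow-on changes."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one address fails five times, then succeeds and installs a plugin.
SAMPLE_LOG = """\
2024-05-01T10:00:02 ip=203.0.113.5 user=admin event=login_failed
2024-05-01T10:00:03 ip=203.0.113.5 user=admin event=login_failed
2024-05-01T10:00:05 ip=203.0.113.5 user=admin event=login_failed
2024-05-01T10:00:06 ip=203.0.113.5 user=admin event=login_failed
2024-05-01T10:00:09 ip=203.0.113.5 user=admin event=login_failed
2024-05-01T10:00:20 ip=203.0.113.5 user=admin event=login_ok
2024-05-01T10:01:00 ip=203.0.113.5 user=admin event=plugin_installed detail=wp-evil-seo
2024-05-01T11:30:00 ip=198.51.100.7 user=akshay event=login_ok
2024-05-01T11:31:10 ip=198.51.100.7 user=akshay event=post_published detail=42
2024-05-01T18:00:00 ip=192.0.2.9 user=editor event=login_failed
"""

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
SENSITIVE = {"plugin_installed", "plugin_activated", "role_changed",
             "user_created", "file_uploaded"}


def parse(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ev = dict(pair.split("=", 1) for pair in m.group("kv").split())
        ev["ts"] = datetime.fromisoformat(m.group("ts"))
        events.append(ev)
    return events


def review(events, threshold=5, window=timedelta(minutes=10)):
    """Return (kind, ip, timestamp, detail) findings in log order."""
    findings = []
    failures = defaultdict(list)  # ip -> timestamps of recent failed logins
    suspect = {}                  # ip -> time it was flagged for brute force
    for ev in events:
        ip, ts, kind = ev["ip"], ev["ts"], ev["event"]
        if kind == "login_failed":
            q = failures[ip]
            q.append(ts)
            q[:] = [t for t in q if ts - t <= window]   # keep only the window
            if len(q) >= threshold:
                findings.append(("brute_force", ip, ts.isoformat(),
                                 f"{len(q)} failures in {window}"))
                suspect[ip] = ts
                q.clear()
        elif kind == "login_ok" and ip in suspect and ts - suspect[ip] <= window:
            findings.append(("login_after_brute_force", ip, ts.isoformat(),
                             ev.get("user", "?")))
        elif kind in SENSITIVE:
            tag = "suspect ip" if ip in suspect else "review"
            findings.append(("sensitive_change", ip, ts.isoformat(),
                             f"{kind} {ev.get('detail', '')} ({tag})"))
    return findings


if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOG)):
        print(finding)
```

The third check is the one that matters most in practice: a plugin install minutes after a successful login that followed a burst of failures is the signature of a brute-forced account being used, and it is the event to act on (rotate the password, remove the plugin, check what it wrote) rather than the failures themselves.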


Final words
These are some of the tips to follow to make your WordPress site bulletproof against hackers and vulnerabilities.

Limiting login attempts, IP-based login and two-factor authentication are the surefire steps to take to secure your WordPress site. Regularly check your whole site for malware using scanners such as Sucuri, Exploit Scanner, Theme Authenticity Checker, etc.

I hope you enjoyed this pillar post, a complete guide to securing your WordPress account. If you follow all the WordPress security guidelines above, it will be impossible for a hacker to break into your WordPress account.

If you are following any other methods to secure your WordPress blog, please do share them. I personally took 7 hours to churn out this guide on WordPress security and best practices, so why can't you take a minute to share or at least like this post?

8 Comments


  1. I personally use Better WP Security plugin for some of my sites. This plugin does a good job of securing your WP site however if you're not careful with the settings e.g. changing directory path names, you can mess up your WP site pretty badly. I recommend backing up your site before installing or configuring this plugin.

    Great sharing Akshay!

    Reply

  2. Really great and helpful article to secure our WordPress based blog.

    Thank you for writing this. Keep it up.

    Reply

  3. This is what I call a post:
    Complete WP Security Guide.
    Good try, bro :)

    Reply

  4. Very nice post Akshay!
    I agree with most of it; the BetterWP plugin is pretty good!
    Have you used any others apart from that one? I used another recently called "All in One Security", which I have to say is also pretty good!

    Reply

  5. It's nice to see a very comprehensive guide not relying only on plugins.

    We basically follow the same principles on our VPS; however, we keep the bad bots away and also monitor excessive 403 and 404 errors and login attempts, and eventually trigger temporary bans. I believe that most managed hosting providers implement much tighter security rules than the shared ones, which makes them much more reliable even if they cost a bit more.

    On a shared hosting, I would recommend iThemes Security. I believe it's one of the most complete and compatible (also with nginx).

    Reply

  6. Very complete post. If all the points are followed, hackers will have a hard time breaking your site. It is very unpleasant to have your site broken; I had one site hacked and it generated a lot of load on my server.

    Reply
