WordPress is one of the best and most popular Content Management Systems (CMS) in the world, and it is open source. But because it is so popular and its code is open, WordPress websites are an attractive target for hackers.
On one side there is a large number of designers and developers trying to make the web a prettier place; on the other side there are those trying to spoil the first side's efforts. Some companies base their business entirely on the web, so the security of their sites is very important.
If a WordPress website is protected well, the chances of it being hacked drop to a minimum and its security is taken to the next level.
The goal of this post is to present the best advice and suggestions for increasing WordPress security.
It is important to mention that these measures do not guarantee full protection against hacking attempts, mostly because a 100% secure website does not exist, but they will protect you from the majority of attacks.
These are some practical pieces of advice which should be applied.
Choose a reliable hosting provider
Before you start creating a website project and planning your online presence, the first step is choosing a hosting provider. Look for hosting providers which offer good support, give security a high priority, and deliver the best performance for your website.
Regular data backup
Backup is the basic security measure which every website should practice, especially a dynamic CMS website. For WordPress you can use a backup plugin which works automatically, for instance one backup per week, or you can make a backup manually by accessing the files directly through your hosting account.
For WordPress it is necessary to back up both the files that come with the installation and the website database.
The safest solution is to keep all website data on a separate computer, in a folder named with the backup name and date.
Regular version update
WordPress often releases new versions, so don't ignore them! It is very important that the website is kept up to date with core versions, plugins and themes, since new versions raise the level of security. WordPress will let you know when updates are available, and you can apply them easily.
To enable automatic WordPress core updates, add this line to the wp-config.php file:

```php
# this enables automatic WP core version updates
define( 'WP_AUTO_UPDATE_CORE', true );
```

There is also an option to enable automatic updates of themes and plugins, but our advice is to do that manually.
Test theme and plugins
Themes and plugins may have security flaws which hackers can exploit. Use only vetted themes and plugins which follow all the rules of the WordPress Codex.
We suggest these two plugins for testing themes and plugins:
- Theme Check
- Plugin Check
Delete inactive/old themes and plugins
WordPress themes and plugins which are installed but not in use may be a potential security risk: if they are not updated, they could have security flaws which hackers can exploit.
The best option is to delete all themes and plugins which are not in use and keep only those which are needed.
Disable theme/plugin editor
If someone unwanted gains access to the admin page of the website, you want access to the theme and plugin files to be protected so that they cannot add malicious code. For instance, hackers could make changes to template files or change security permissions without your knowledge. Disabling the editor prevents attackers from making any changes to files through the dashboard.
To do this, find the wp-config.php file in the WordPress installation directory and add this code:

```php
/* this disables the theme and plugin editor */
define( 'DISALLOW_FILE_EDIT', true );
/* this also blocks installing and updating themes, plugins and core from the dashboard */
define( 'DISALLOW_FILE_MODS', true );
```

Note that DISALLOW_FILE_MODS goes further than DISALLOW_FILE_EDIT: it also disables plugin, theme and core updates from the dashboard, including the automatic core updates enabled above, so with it set you will need another way to apply updates.
WordPress installation and adjustments
These are practical tips which can contribute to higher security:
- Change the database prefix from wp_ to some other combination of letters and numbers (for example, `$table_prefix = 'eofofe56k6';` in wp-config.php)
- Don't use "admin" as the username
- Remove the user with ID = 1
- Create a long and strong password; don't use the company name, website name, etc.
- Hide the meta tag which displays the WordPress version by adding this line to the theme's functions.php file: `remove_action('wp_head', 'wp_generator');`
- Change the path for accessing the wp-admin page (iThemes Security can do this)
- Set a limit on the number of login attempts on the wp-admin page
Protect .htaccess file
The .htaccess file is, figuratively speaking, the gatekeeper of your website. It gives you control over file permissions, so you can define who can access certain files and file types. It is a hidden file located in the root directory of your website, and to reach it you will have to enable the display of hidden files.
When you open that file in an editor, add this code:

```apache
# protection of .htaccess file
<Files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
</Files>
```

This will make sure that no one except you can access the .htaccess file, protecting you from interlopers who try to change the permissions for accessing your website. (The order/deny syntax used here and in the rules below is Apache 2.2 syntax; on Apache 2.4 it only works with mod_access_compat loaded, otherwise `Require all denied` is the equivalent.)
Deactivate directory listing
One more useful thing you can add to the .htaccess file is a line which disables listing of the files inside your WordPress installation.
Directory listing lets others see the complete structure of your website files and find potential security flaws. To prevent this, add the following line to the .htaccess file located in the root folder of the WordPress installation.
This makes the work of potential hackers a lot harder.
Protect wp-config.php file
Because wp-config.php contains very sensitive information about your site, you have to make sure that no one can reach it. Things like the database username and password are crucial for your website.
You can protect the WordPress database by making sure the wp-config.php file is locked down and secured. Add the following to the .htaccess file:

```apache
# wp-config.php protection
<files wp-config.php>
    order allow,deny
    deny from all
</files>
```

This code disables public access to the wp-config.php file, keeping your important data secured.
Disable wp-login.php access for unknown IP addresses
This is one more trick you can achieve by changing the .htaccess file. The wp-login.php file provides access to the WordPress admin page and is reachable from any location, which is convenient, but it presents a very high security risk.
Using .htaccess you can deny access to this file from all IP addresses and then define the IP addresses which may access it.
Add this code to the .htaccess file. Instead of the x placeholders, enter the IP addresses which will have access.

```apache
<files wp-login.php>
    order deny,allow
    deny from all
    # static IP
    allow from xxx.xxx.xxx.xxx
    # dynamic IP: a /24 covers xxx.xxx.xxx.0-255, a /16 covers xxx.xxx.0.0-xxx.xxx.255.255
    # (a /8 mask would open the whole first octet, far more than intended)
    allow from xxx.xxx.xxx.0/24
    allow from xxx.xxx.0.0/16
</files>
```

Use your current IP, whether static or dynamic, and add another allow line for each additional IP address you need to grant access to.
Protect access to the wp-admin folder
You can double the security level of your website by applying the same list of IP addresses you allowed for wp-login.php to the wp-admin folder. Put this code in a .htaccess file inside the wp-admin folder to prevent unknown IP addresses from accessing it. Note that wp-admin/admin-ajax.php is used by some front-end features of themes and plugins, so restricting the whole folder may break those for ordinary visitors.

```apache
# place this in wp-admin/.htaccess; both GET and POST are restricted
# (a <Limit> covering GET alone would leave POST requests open)
<Limit GET POST>
    order deny,allow
    deny from all
    # static IP
    allow from xxx.xxx.xxx.xxx
    # dynamic IP ranges (/24 and /16, as above)
    allow from xxx.xxx.xxx.0/24
    allow from xxx.xxx.0.0/16
</Limit>
```
Prevent access to files with the .exe extension
Executable files can cause trouble because they often contain malicious code which can install viruses on a user's computer. They can be blocked, of course, via the .htaccess file.
Add this code to your .htaccess file:

```apache
# deny all .exe files
<files "*.exe">
    order deny,allow
    deny from all
</files>
```

This prevents the web server from serving any .exe file, which raises the security level of the website. It does not stop such files from being uploaded; it only refuses requests for them.
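As an added example that is not part of the original post, here is a single .htaccess for the WordPress root that collects the rules from the sections above in Apache 2.4 `Require` syntax and also carries the directory-listing directive. It assumes Apache 2.4 with mod_authz_core and mod_rewrite, and AllowOverride All for the site; the IP addresses are placeholders from the TEST-NET documentation ranges, not real values.

```apache
# Added example, not code from the original post. One .htaccess for the
# WordPress root, using Apache 2.4 "Require" syntax instead of order/deny.
# Addresses are placeholders from the TEST-NET documentation ranges.

# Deactivate directory listing
Options -Indexes

# Deny direct requests for .htaccess, .htpasswd and wp-config.php
<FilesMatch "^(\.ht.*|wp-config\.php)$">
    Require all denied
</FilesMatch>

# Refuse to serve .exe files (this blocks downloads, not uploads)
<FilesMatch "\.exe$">
    Require all denied
</FilesMatch>

# wp-login.php: allow one static address and one dynamic /24 range,
# everyone else receives 403
<Files "wp-login.php">
    <RequireAny>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </RequireAny>
</Files>

# wp-admin folder: same allow list, enforced from the root .htaccess with
# mod_rewrite so no second file is needed. admin-ajax.php stays reachable
# because front-end features of themes and plugins depend on it.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-admin/ [NC]
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php$ [NC]
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.
RewriteRule ^ - [F]
```

Keep the rewrite block above the `# BEGIN WordPress` section so that WordPress's own rewrite rules cannot run first, and check that your site still loads after each change, since a mistake in .htaccess produces a 500 error for every page.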
iThemes Security – currently the best security solution
Almost every item written above can be done with the iThemes Security plugin. This plugin combines all of the most important aspects of WordPress protection, with over 30 different ways of protecting against hackers. All adjustments are made directly from the WP dashboard, so less experienced users can handle it easily.
Website security is often the last thing site owners consider, but to make the business more stable, it should have a much higher priority.