Ways to Strengthen WordPress Site Security from CGColors's blog



According to Search Engine Journal, WordPress powers over 35% of all websites on the internet. Because it holds such a large share of websites, attacks against it are also intense.


Best Practices to secure WordPress site

  • Use secure login procedures: This is a fundamental step, but most users simply do not invest time in creating a secure username and password.
    • Use strong passwords: Passwords like “123456” should be avoided and stronger ones used instead.
    • Two-factor authentication: For a secure login, two-factor authentication is an effective tool that requires login verification from a second device.
    • Limited login/failed login attempts: Limit the number of wrong login attempts allowed.
    • Change the default username: By default, the administrator username is admin. It should be changed to something more user-specific.
    • Add a CAPTCHA: This can eliminate login automation by checking whether a real person is logging in.
    • Enable auto logout: Log out inactive accounts using the Inactive Logout plugin. Users should still log out responsibly when finished.
  • Secure WordPress hosting: Your server must have the following features:
    • Firewalls: A firewall that allows access only to the specific ports required for applications to function.
    • Bot protection: The server must protect your WordPress website from traffic congestion caused by malicious bots, brute-force login attacks and Denial-of-Service (DoS) attacks, with the help of our technology partner, Malcare.
    • Database protection: Only verified IPs should have access to the database, that is, only from cPanel.
    • Separate WordPress installations: Every WordPress install should be separate so that a security breach on one WordPress installation does not infect other sites on the same server.
  • Using an updated WordPress version: Every update makes the software more stable and robust. Outdated versions are more vulnerable. Taking a backup before doing an update is recommended as a new update might create a compatibility issue.
  • Using the latest version of PHP: Install when WordPress notifies there is a PHP update.
  • Installing security plugins: Installing one or more reputable security plugins on the website is recommended. These plugins automatically scan the website for infiltration attempts, detect altered source files that might make the site suspicious, reset and restore the WordPress site, and prevent hotlinking. A few reputable plugins cover all of these aspects.
  • Using a secure WordPress theme, removing unused themes and plugins: The theme(s) used should be WordPress compliant.


 NOTE: PLEASE CONTACT YOUR WORDPRESS EXPERT BEFORE DELETING ANY WORDPRESS PLUGIN. IF YOU ACCIDENTALLY DELETE A PLUGIN WHICH IS BEING USED, IT CAN BREAK YOUR SITE.


Follow these steps for deleting an unused WordPress plugin:

  • Navigate to Plugins -> Installed Plugins.
  • Click Delete under the plugin’s name.


Steps to delete an unused theme:

  • On the WordPress admin dashboard, navigate to Appearance -> Themes.
  • Click the theme you want to delete.
  • On the pop-up window, click the Delete button in the bottom-right corner.

  • Block hotlinking: This can be achieved using hPanel, an FTP client, a content delivery network, or WordPress plugins.
  • Creating regular backups: Today data has become an important asset. A hacked WordPress website can be recovered, but that requires automated, regular backups. WordPress backup plugins can be used for this.
  • Maintaining a user activity log: Log all user activity on the website to get ahead of issues. Checking this log periodically is a good way to catch suspicious activities such as attempts to change passwords, altering theme or plugin files, and installing or deactivating plugins without permission. Logs also give a better understanding of what went wrong and when, which makes cleanup easier after a hack. There are several dedicated logging plugins for WordPress, such as WP Activity Log or the free Activity Log.
  • Limiting WordPress user permissions: With multiple user accounts, limit the role of each user. WordPress has six roles to choose from. Limiting the number of users with administrator permissions decreases the chance of a successful brute-force attack, and it limits the damage if an attacker correctly guesses a user’s credentials.
  • Install a firewall: A firewall creates a filter between the host network and all other networks and automatically stops unauthorized traffic to the user's network or system. It also helps keep out malicious content. The firewall and plugin must be chosen carefully.
  • Conduct regular security and malware scans: Multiple plugins are available that can run routine checks on the site at least once a month.
  • Monitoring user input: Any user-supplied input can be an opportunity for an XSS or database injection attack. Hackers can use input fields to enter malicious code that disrupts a website's backend. Plugins can be used to detect malicious code or to filter such characters out of the input.
  • Use WordPress monitoring: Ideally the other measures prevent an incident; if not, a monitoring system alerts the user to any suspicious activity on the site. A WordPress monitoring plugin can be used to get an alert in case of a breach.
  • Change the default WordPress login URL: The default URL of the login page of any WordPress website is easy to find. To hide it, plugins like WPS Hide Login can be used.
  • Managing file and folder permissions: It is important to disallow file editing for everyone. To do this, add the following at the end of the wp-config.php file:

define ('DISALLOW_FILE_EDIT', true);

  • Enable SSL/HTTPS for admin: SSL (Secure Socket Layer) encrypts admin data and makes data transfer secure.
  • Delete the default WordPress account: It is preferable to get rid of the default account and create a new one with administrator permissions. This eliminates the chance of getting hacked through a default password.
  • Disable your xmlrpc.php file: This file can be deleted if the site does not use it. This should be done because XML-RPC lets attackers submit requests containing hundreds of commands, which makes brute-force login attempts easier.
  • Changing the database table prefix: By default, every WordPress database table name begins with the “wp_” prefix, giving hackers leverage to locate tables by name and conduct SQL injections.
  • Protect wp-config.php: This file contains crucial information about the WordPress installation. Simply moving this file one directory above the WordPress root directory hides it from hackers.
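The wp-config.php settings discussed above (disabling the file editor, forcing HTTPS for the admin area, the table prefix and relocating the file), collected into one added example that is not part of the original post. WordPress loads wp-settings.php from the last line of wp-config.php, so these lines belong above the "stop editing" marker rather than at the very end; the prefix value and the proxy header are assumptions.

```php
<?php
// Added example (not from the original post): hardening lines for wp-config.php.
// They must sit ABOVE the "/* That's all, stop editing! Happy publishing. */"
// marker: the last line of wp-config.php loads wp-settings.php, which reads
// $table_prefix and defines FORCE_SSL_ADMIN itself if it is still undefined.

// Table prefix other than the default 'wp_' (the value is an assumption).
// Set it on a fresh install; on an existing site every table, plus the
// prefixed keys in the options and usermeta tables, must be renamed to match.
$table_prefix = 'k7x2_';

// Remove the theme/plugin editor from the dashboard so an admin session
// cannot write PHP to the server through the browser.
define( 'DISALLOW_FILE_EDIT', true );

// Serve wp-login.php and the whole admin area over HTTPS only.
define( 'FORCE_SSL_ADMIN', true );

// Behind a TLS-terminating proxy WordPress sees plain HTTP and would redirect
// in a loop. Trust the proxy's scheme header only when the proxy is the sole
// path to this server and overwrites that header on every request.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// WordPress also looks for this file one directory above its root (the move
// suggested above), provided that directory contains no wp-settings.php; the
// benefit only materialises when that parent directory is not web-served.
```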
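The failed-login limit and the XML-RPC switch-off described above, as an added example written as a must-use plugin; it is not code from the original post or from any plugin named on it. The attempt limit, lockout window and transient names are assumptions.

```php
<?php
/**
 * Plugin Name: Login hardening (added example, not from the original post)
 * Save as wp-content/mu-plugins/login-hardening.php; must-use plugins load
 * automatically and cannot be deactivated from the dashboard.
 */

const LH_MAX_ATTEMPTS    = 5;                       // assumption: lock after 5 failures
const LH_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;  // assumption: 15-minute lockout

// Turn off XML-RPC without deleting xmlrpc.php: this filter refuses every
// XML-RPC method that needs credentials, which covers the multi-command
// login requests mentioned above.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Count failures per client address. Behind a reverse proxy REMOTE_ADDR is
// the proxy itself; only trust a forwarded header the proxy sets on every request.
function lh_attempt_key() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'lh_fail_' . md5( $ip );
}

// Each failed login (bad username or password) bumps a transient that
// expires after the lockout window, so the counter resets by itself.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lh_attempt_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LH_LOCKOUT_SECONDS );
} );

// At the limit, refuse authentication even when the password is right.
// Priority 30 runs after WordPress's own username/password check (priority 20),
// so the WP_Error returned here overrides any WP_User that check produced.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lh_attempt_key() ) >= LH_MAX_ATTEMPTS ) {
        return new WP_Error(
            'lh_locked_out',
            sprintf( 'Too many failed logins. Try again in %d minutes.',
                     LH_LOCKOUT_SECONDS / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for this client.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lh_attempt_key() );
}, 10, 2 );
```

Keying the counter by address locks out everyone behind a shared NAT address, so pair it with two-factor authentication rather than relying on it alone.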
