How to improve WordPress website security
1. Introduction
Nowadays we face a lot of security issues with different content management systems (CMS) and web applications. WordPress is not an exception, as it is one of the most popular and powerful blogging content management systems.
There are several reasons for this:
- The CMS keeps passwords and settings in well-known files that sit in the same place in every installation (wp-config.php, the wp-admin/ directory, etc.), so they are very easy to locate and modify once an attacker has gained partial access.
- The admin panel (wp-admin) runs under the same domain and uses the same codebase and permissions as the rest of the application.
- Admin users can install a plugin or theme, which can then modify any file or change anything in the database (this is a risk with corrupted, non-official, outdated, self-modified or fraudulent themes and plugins).
This article provides a list of tips and instructions that can improve the security level of your WordPress installation.
Making regular backups of your WordPress site is the first and most important step. Before you apply any changes, make sure to back up your entire WordPress installation and its databases.
It is recommended to create regular backups of your entire cPanel account using the cPanel > Backups tool and creating a Full cPanel Backup.
You can also back up your WordPress site using CodeGuard.
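As an added example that is not part of the original article, the script below performs the same kind of backup from the command line, for hosting accounts with SSH access. It reads the database credentials out of wp-config.php instead of asking you to type them, dumps the database with mysqldump and archives the site directory with tar. The paths (/home/user/public_html, /home/user/backups) and the script name wp-backup.sh are assumptions; mysqldump and tar must be available on the server.

```shell
#!/bin/sh
# Added example, not from the original article: back up a WordPress site's
# files and database from the shell. The MySQL credentials are read from
# wp-config.php instead of being typed, so they do not end up in the shell
# history, and MYSQL_PWD keeps the password out of the process list.
set -e

# Print the value of a define('KEY', 'value') line from wp-config.php.
# Accepts single or double quotes and arbitrary spacing inside define(...).
wp_config_value() {
    key=$1
    file=$2
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$key['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$file" | head -n 1
}

# Dump the database and archive the site directory into $2 with a timestamp.
# $1 = WordPress root (the directory containing wp-config.php), $2 = destination.
backup_wordpress() {
    site_dir=$1
    dest_dir=$2
    cfg="$site_dir/wp-config.php"
    stamp=$(date +%Y%m%d-%H%M%S)

    db_name=$(wp_config_value DB_NAME "$cfg")
    db_user=$(wp_config_value DB_USER "$cfg")
    db_pass=$(wp_config_value DB_PASSWORD "$cfg")
    db_host=$(wp_config_value DB_HOST "$cfg")   # assumed to be a plain host name, without :port

    mkdir -p "$dest_dir"
    # --single-transaction takes a consistent InnoDB snapshot without locking the live site.
    # Check the size of the .sql.gz afterwards: a failing mysqldump inside a pipe leaves a tiny file.
    MYSQL_PWD="$db_pass" mysqldump --single-transaction -h "$db_host" -u "$db_user" "$db_name" \
        | gzip > "$dest_dir/db-$stamp.sql.gz"
    tar -czf "$dest_dir/files-$stamp.tar.gz" -C "$(dirname "$site_dir")" "$(basename "$site_dir")"
    # Backups contain the database password and user data: make them owner-readable only.
    chmod 600 "$dest_dir/db-$stamp.sql.gz" "$dest_dir/files-$stamp.tar.gz"
    echo "$dest_dir/db-$stamp.sql.gz $dest_dir/files-$stamp.tar.gz"
}

# Usage: sh wp-backup.sh /home/user/public_html /home/user/backups
# (runs only when both arguments are given, so the functions can also be sourced alone)
if [ "$#" -eq 2 ]; then
    backup_wordpress "$1" "$2"
fi
```

Keep the destination directory outside the web root, since the archives contain the database password from wp-config.php.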
3. Updating WordPress, themes and plugins to the latest version
The latest version of WordPress is always available on the official WordPress site. Official releases are not distributed through other websites or resources, so NEVER update WordPress from third-party resources. You can also easily update WordPress directly from the Admin Dashboard or via Softaculous.
Make sure that your blog's version is up to date. The WordPress team constantly works on patches that fix security holes and backdoors, which is why it is very important to run the latest version of WordPress.
It is strongly recommended to update your plugins and themes to the latest versions too, as a bug in one of them can affect your whole installation. You can update both plugins and themes via Admin Dashboard > Plugins or Themes menu by clicking 'Update now' next to the plugin or theme in question:
NOTE: it is recommended to create backups of your WordPress files and database before applying any changes.
Many custom 'free' WordPress themes include base64-encoded code, which is often used to hide malicious code. With such themes or plugins you can easily upload malware into your own account; this is how most 'hackers' get access to your files and site.
We recommend using content only from official resources like http://wordpress.org/, as it is the safest place to get themes and plugins.
5. Using secure username and password
The default WordPress login is 'admin', and most hackers know that. It should be changed to a custom one with a strong password that includes upper- and lower-case letters, numbers and symbols.
Assuming you use Softaculous, you specify the username on the install screen:
Also, it is not recommended to reuse passwords or email addresses from your accounts on other web resources.
You can change your admin username or password via the database; the corresponding instructions can be found here.
6. Changing database prefix, username and password
6.1 Changing database prefix
It is highly recommended to change the database prefix, as the default table prefix for WordPress is wp_. SQL injection attacks are easier with the default table prefix because the table names are trivial to guess. We recommend changing the database prefix to something less predictable than wp_.
NOTE: create backup of your database before applying any changes.
If you install WordPress from Softaculous, you can set custom table prefix and database name at installation screen:
If you have already installed WordPress, you can still change the database prefix in two ways: either manually or using a special plugin.
For a manual database prefix change, go to cPanel > phpMyAdmin > choose the necessary database from the left side > click the SQL option above.
Here you need to run RENAME queries on the tables in your WordPress database:
RENAME table `wp_commentmeta` TO `newprefix_commentmeta`;
RENAME table `wp_comments` TO `newprefix_comments`;
RENAME table `wp_links` TO `newprefix_links`;
RENAME table `wp_options` TO `newprefix_options`;
RENAME table `wp_postmeta` TO `newprefix_postmeta`;
RENAME table `wp_posts` TO `newprefix_posts`;
RENAME table `wp_terms` TO `newprefix_terms`;
RENAME table `wp_term_relationships` TO `newprefix_term_relationships`;
RENAME table `wp_term_taxonomy` TO `newprefix_term_taxonomy`;
RENAME table `wp_usermeta` TO `newprefix_usermeta`;
RENAME table `wp_users` TO `newprefix_users`;
*where newprefix_ should be replaced with the new database prefix you wish to use instead of wp_. Check the table list in phpMyAdmin before running the queries: newer WordPress versions (wp_termmeta) and many plugins add further wp_-prefixed tables, and every one of them must be renamed. Then click Go:
Once done, you will see the new database prefix has been applied to your WordPress database:
After that you will need to search the options table for any other fields that use wp_ as a prefix, in order to replace them. Run the following query in the same way:
SELECT * FROM `newprefix_options` WHERE `option_name` LIKE '%wp_%'
Then click Go and you will get the result as on the screenshot below:
Here you will need to go through the results one by one and replace the old database prefix with the new one (in a LIKE pattern the underscore matches any single character, so the search may also return rows that merely contain 'wp' followed by some other character; only change values that actually carry the wp_ prefix, such as wp_user_roles). Once done, search the usermeta table for all fields that use wp_ as a prefix with the help of this SQL query:
SELECT * FROM `newprefix_usermeta` WHERE `meta_key` LIKE '%wp_%'
After that, click Go and the following results will appear:
The number of entries depends on how many plugins you are using. Here you need to change everything that has wp_ to the new prefix as well.
Once done, make sure to update your wp-config.php file with the new database prefix ($table_prefix):
You can also change the database prefix using special plugins, like Change DB prefix or Change table prefix.
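As an added example that is not part of the original article, the shell function below generates the complete set of statements for the manual procedure above from the live table list (for example from `mysql -N -e "SHOW TABLES LIKE 'wp\_%'" dbname`), including the UPDATE statements for the prefixed option_name and meta_key values that the two SELECT queries above are used to find by hand. It goes slightly beyond the text in that it picks up every table carrying the old prefix, so tables added by newer WordPress versions or by plugins are not missed. The prefix newprefix_ and the table names in the demo are constructed; review the generated SQL before running it in phpMyAdmin, and keep a database backup.

```shell
#!/bin/sh
# Added example, not from the original article: generate the SQL for a
# WordPress table-prefix change from a list of table names, so that every
# table carrying the old prefix (core, newer-version and plugin tables) is
# renamed and the prefixed keys stored as data are updated as well.
set -e

# Read table names, one per line, from stdin and print the SQL to run.
# $1 = old prefix (e.g. wp_), $2 = new prefix (e.g. newprefix_).
gen_prefix_change_sql() {
    old=$1
    new=$2
    while IFS= read -r table; do
        case $table in
            "$old"*)
                rest=${table#"$old"}
                printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$table" "$new" "$rest"
                ;;
        esac
    done
    # Position just after the old prefix, for SUBSTRING(): wp_ -> 4.
    start=$((${#old} + 1))
    # In a LIKE pattern "_" matches any single character; the backslash makes
    # it literal, so keys such as wpseo_... are left alone.
    esc=$(printf '%s' "$old" | sed 's/_/\\_/g')
    cat <<EOF
UPDATE \`${new}options\` SET option_name = CONCAT('${new}', SUBSTRING(option_name, ${start})) WHERE option_name LIKE '${esc}%';
UPDATE \`${new}usermeta\` SET meta_key = CONCAT('${new}', SUBSTRING(meta_key, ${start})) WHERE meta_key LIKE '${esc}%';
-- Finally set \$table_prefix = '${new}'; in wp-config.php.
EOF
}

# Demo on a constructed table list (a real run would pipe in the output of
# SHOW TABLES); wpseo_data and other_table are included to show they are skipped.
printf '%s\n' wp_options wp_posts wp_termmeta wpseo_data other_table \
    | gen_prefix_change_sql wp_ newprefix_
```

The two UPDATE statements cover the well-known prefixed keys (wp_user_roles in options, wp_capabilities and wp_user_level in usermeta) in one pass, so the rows no longer have to be edited one by one.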
6.2 Changing database username and password
In order to change the database username or password, log into cPanel and click on the MySQL Databases menu in the Databases section:
Under Current users you will see all database users created in your account. Here you can Set new password or Rename the necessary database user by choosing the corresponding option:
To change the password, click on Set password. In the new window enter your new password twice and click Change password:
To change the database username, click Rename. In the new window specify the new username you wish to have (this will be the part after cPanelusername_) and click Proceed to save the changes:
Once the database username or password has been changed, you need to update your wp-config.php file with the corresponding details:
7. Setting password protection for important files and folders
To help prevent your WordPress site from being hacked, we recommend setting up password protection for system files and folders.
To create the password protection follow these steps:
7.1 Go to cPanel > Security > Password Protect Directories to access a list of your site’s folders:
7.2 Choose the directory you wish to protect and click on it:
7.3 Tick Password protect this directory and name your protected directory, then enter the username and password and click the Add or Modify the Authorized User button to save your changes:
NOTE: it is very important to protect the wp-config.php file and the wp-admin folder, since they are the most frequent targets of attacks.
8. Using secure FTP (SFTP) and Shell access (SSH)
Uploading files via FTP is a quick way to get a new site up and running or to add new files to your account. However, SFTP is more secure: plain FTP sends your password in clear text, whereas SFTP encrypts the whole connection, which helps prevent attackers from capturing it. You can find a more detailed guide on how to upload your files via FTP or SFTP.
If you do want to use FTP (or use your cPanel details for the FTP connection), it's a good idea to delete any FTP accounts that you're not using, to prevent them from being accessed without your consent. This is a great way to help keep your site and information more secure.
Another good idea is to remove the generator meta tag from WordPress. This tag shows the version of your WordPress site. You can open your website and check its source code by pressing CTRL + U on Windows or Option + Command + U on Mac. If the WordPress version is visible to attackers, it is easier for them to target the vulnerabilities of that specific version to break into your website.
In order to hide your WordPress version, navigate to your current theme at /wp-content/themes/yourtheme/ and insert the code below into its functions.php file:
/**
 * Hide WP version strings from script and style URLs.
 * @return string $src
 * @filter script_loader_src
 * @filter style_loader_src
 */
function fjarrett_remove_wp_version_strings( $src ) {
    global $wp_version;
    // parse_url() returns null when the URL has no query string; cast to
    // string so parse_str() always receives a string.
    parse_str( (string) parse_url( $src, PHP_URL_QUERY ), $query );
    if ( ! empty( $query['ver'] ) && $query['ver'] === $wp_version ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'fjarrett_remove_wp_version_strings' );
add_filter( 'style_loader_src', 'fjarrett_remove_wp_version_strings' );

/* Hide the WP version string from the generator meta tag */
function wpmudev_remove_version() {
    return '';
}
add_filter( 'the_generator', 'wpmudev_remove_version' );
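To verify that the change worked, the added shell function below (example code, not from the article or from WordPress) reads a page's HTML and reports the two places the version normally shows up: the generator meta tag and the ?ver= parameter on core assets under /wp-includes/. Typical use is curl -s https://example.com/ | check_version_leak; the demo page embedded in the block is constructed, and example.com is a placeholder domain.

```shell
#!/bin/sh
# Added example, not from the original article: check rendered HTML for the
# WordPress version leaks that the functions.php snippet is meant to remove.
set -e

# Read HTML on stdin. Print each leak found and return 1; return 0 when clean.
check_version_leak() {
    html=$(cat)
    leaks=0

    # 1. <meta name="generator" content="WordPress x.y.z" />
    gen=$(printf '%s\n' "$html" | grep -io '<meta[^>]*name="generator"[^>]*>') || true
    if [ -n "$gen" ]; then
        printf 'generator meta tag present: %s\n' "$gen"
        leaks=$((leaks + 1))
    fi

    # 2. Core assets still carrying the version, e.g.
    #    /wp-includes/js/jquery/jquery.min.js?ver=6.4.2
    #    (plugin and theme assets under /wp-content/ carry their own version numbers and are ignored)
    core=$(printf '%s\n' "$html" | grep -o '/wp-includes/[^"]*[?&]ver=[0-9][0-9.]*') || true
    if [ -n "$core" ]; then
        printf 'core asset URL with version: %s\n' "$core"
        leaks=$((leaks + $(printf '%s\n' "$core" | wc -l)))
    fi

    [ "$leaks" -eq 0 ]
}

# Constructed demo page: what a default installation typically renders.
sample_page() {
    cat <<'EOF'
<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js?ver=6.4.2"></script>
<link rel="stylesheet" href="https://example.com/wp-content/plugins/some-plugin/style.css?ver=1.2" />
</head></html>
EOF
}

sample_page | check_version_leak || echo "WordPress version is still exposed"
```

Run it against the live site before and after editing functions.php: the demo page reports both leaks, while a page with the snippet active should produce no output and a zero exit status.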
10. Limiting the number of failed connections
It is recommended to limit the number of login attempts to your WordPress Dashboard with the help of the Login LockDown plugin. It records the IP address of every failed login within a certain period of time. If more than a certain number of attempts are detected within a short period from the same IP range, the login function is disabled for all requests from that range. This helps prevent brute-force password guessing.
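The plugin does this inside WordPress; as an added example (not part of the original article or of the Login LockDown plugin), the shell function below applies the same detection rule to a web server access log, which is useful on the hosting side or when reviewing an incident. It groups failed wp-login.php POSTs by /24 range and minute, mirroring the plugin's "same IP range within a short period" logic. A failed WordPress login re-renders the form with HTTP 200, while a successful one redirects with HTTP 302, so the 200 responses are the failures. The log lines in the demo are constructed and use documentation-only addresses; the threshold of 5 per minute is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: report IP ranges that
# exceed a number of failed WordPress logins per minute, from an access log
# in the common/combined format (Apache, nginx, cPanel domlogs).
set -e

# Read access-log lines on stdin; print "range count failed logins at minute"
# for every /24 range with more than $1 (default 5) failed logins in one minute.
# Fields: $1 client IP, $4 "[day/Mon/year:HH:MM:SS", $6 "\"POST", $7 path, $9 status.
wp_login_bruteforce_report() {
    threshold=${1:-5}
    awk -v limit="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 {
            split($1, o, ".")
            range = o[1] "." o[2] "." o[3] ".0/24"
            minute = substr($4, 2, 17)          # e.g. 10/Oct/2023:13:55
            count[range SUBSEP minute]++
        }
        END {
            for (k in count) {
                if (count[k] > limit) {
                    split(k, parts, SUBSEP)
                    printf "%s %d failed logins at %s\n", parts[1], count[k], parts[2]
                }
            }
        }'
}

# Constructed sample log: six failures from 203.0.113.0/24 in one minute (one
# successful 302 login in between is not counted) and a single failure elsewhere.
sample_access_log() {
    cat <<'EOF'
203.0.113.10 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/8.0"
203.0.113.10 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/8.0"
203.0.113.11 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/8.0"
203.0.113.11 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/8.0"
203.0.113.12 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/8.0"
203.0.113.12 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/8.0"
203.0.113.12 - - [10/Oct/2023:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:08 +0000] "GET /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
EOF
}

sample_access_log | wp_login_bruteforce_report 5
```

On a cPanel server the same function can be fed with `tail -n 5000 ~/access-logs/example.com | wp_login_bruteforce_report 5` (path is an assumption); a range that shows up repeatedly is a candidate for a block at the firewall or CDN level rather than only in WordPress.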
11. Plugins for WordPress security
One of the most important steps in making your WordPress site well protected is to use security plugins:
Wordfence Security:
Wordfence Security is a free WordPress security plugin that scans your website for malicious code, backdoors or shells that attackers have installed, shows website analytics and traffic in real time, sets up automatic scanning and much more. You can find a description of each option here.
Acunetix WP Security plugin:
Acunetix WP Security checks your WordPress site for security vulnerabilities and suggests corrective actions concerning passwords, file permissions, database security, WordPress version hiding and admin protection.
All In One WordPress Security plugin:
All In One WordPress Security is a user-friendly plugin that brings the security of your WordPress site to a new level. It provides user account and login security, database and file system security, brute-force login attack prevention, website scanning and much more.
12. Account and external security
Here are the tips and general recommendations that will help you increase account and external security:
- Keep your local environment updated and clean of viruses.
- Protect your hosting (cPanel) account; here you can find the general tips on how to prevent it from being hacked.
- Use secure passwords and the SFTP connection type for FTP/file uploads.
- Change your cPanel password regularly. Use strong passwords (with upper- and lower-case letters Aa-Zz and special symbols), and we recommend changing the passwords for all your email accounts as well.
- Do not store passwords in places where they can be obtained easily (e.g. a passwords.txt file on the desktop is not very secure).
- Update all third-party scripts to the latest versions.
- Enable CloudFlare in cPanel. CloudFlare is a broad security solution designed to provide protection from many forms of malicious online activity, including comment spam, email harvesting, SQL injection, cross-site scripting, credential hacking, web software vulnerabilities and DDoS (distributed denial of service) attacks.
- Always have a backup copy of your entire website and its databases.
The tips provided above do not guarantee 100% security of your WordPress website; however, they drastically decrease the chances of getting hacked. We sincerely hope this article has helped you secure your online business and become a trouble-free and happy customer.
That’s it!
Source: NC