WordPress Security Issues: Best Practices Checklist [Complete Guide]
Do you worry about your WordPress website security issues?
Most WordPress users think that it is hard to secure website …
…and they need an external agency or developers to make their website secure..
Don’t worry …
It’s easier to secure your website than you think…
Today, I am going to tell you the best practices you can follow to make your website super safe that can’t be hacked.
If you are new to WordPress follow these links:
- How To Create A WordPress Website [Complete Tutorial]
- 15 Ways to Optimize Speed of Large WordPress Websites [Updated]
- WordPress website security issues
- Security WordPress Themes
So follow the step by step check-list to secure your WordPress site now …
1. Keep Updating WordPress, Themes & Plugins
Always update your core WordPress, plugins and themes whenever you see update notification in your dashboard.
Older version has vulnerability or depreciated functions.. that lets hackers to exploit the WordPress CMS.
Therefore, WordPress community always launch a new release of WordPress copy to fix the possible bugs. It’s simple but a smart starting, most of the hackers are unable to create vulnerability in updated version of WordPress.
2. Do Not Keep Multiple WordPress Websites On Same Server
Yes, that is true…
Running multiple website on same server can be dangerous.
but how ?
Let’s say, If you run 5 different website on a single server. One or two website can be very popular and other websites may be not .. you might regularly update website that are popular and forget to update others.
Hacker find vulnerability on websites that are not updated regularly and enter your server. They upload scripts like (mini PHPMyAdmin or database script) that take complete control of your server and they easily hack file and data on your server.
When hackers are able to find the vulnerability on one site, they can easily access all the other websites on the same server.
I know, It’s costly to purchase separate hosting for every website.
So, If you need to keep multiple websites on same server, I personally recommend you to update all websites on that server or purchase new hosting for every website.
This is very common mistake that most webmaster do which in-turn leads their website to be hacked. Follow this process and makes your website safe.
3. Install Reliable and Popular Plugins
Use reliable, popular plugin that are updated regularly to make your website secure. You can download plugin for free from wordpress.org repository or purchase premium plugin from trusted source.
Plugins are essential to enhance WordPress functionality and we can’t survive without using them. A weak plugin leads your site to be vulnerable to hackers.
A. How do we find plugin that is reliable and popular ?
Let me provide you a short rundown:
- Always check plugin rating, while you download plugin from WordPress official website.
- Read review of WordPress experts about a particular plugin that might be available on the web.
- Only install useful plugin and uninstall rest of the plugin that have no use.
- Check plugin popularity among other web-masters and blogs.
B. Famous Security Plugin To Find Vulnerability
These are some famous plugin that help you to check any vulnerability in plugin, theme or any other issue that you might not be aware about.
C. What type of security attacks these plugins can find.
- It scans all plugins for deprecated WordPress functions
- Scans plugins for unsafe functions like eval, base64_decode, system, exec etc.
- Checks plugins to find vulnerabilities listed in WPScan vulnerability database
- Top vulnerability types:
- Cross-site request forgery (CSRF)/cross-site scripting (XSS): 69 vulnerabilities
- Reflected cross-site scripting (XSS): 57 vulnerabilities
- Arbitrary file upload: 52 vulnerabilities
- Arbitrary file viewing: 34 vulnerabilities
- SQL injection: 25 vulnerabilities
D. If these plugins find any vulnerability with the files or any warning, either you can remove problematic plugin or install some other popular alternative.
4. Use Secure, Reliable WordPress Themes
As this is a general rule of thumb, free is always not free, It costs you in the way that you might not expect. I strongly suggest you to avoid free WordPress themes. It’s usually all about to enhance your security. Free themes from trusted source like wordpress.org is completely safe. You can try one of the very popular theme ColorWay from there and try to built your website. WordPress ColorWay theme is 100% safe.
There are few different things you should know about free themes that are not from trusted source, each of them has a disadvantage:
- They often contains hidden code that are entirely suspicious.
- Several free themes comes with malicious codes and encrypted links.
- Lots of free themes are not updated and use the old version that welcomes the hackers to exploit your website.
- Free themes contain affiliate links.
- Search engines like Google trigger the quick penalty to those sites that use free themes with security threats.
If you still urge to use free WordPress theme, then download theme from a known or trusted developers.
Just take a moment to think about the power of a premium WordPress themes, they maximize your security if developed by a prestigious theme company.
Theme Check :- It’s a very popular plugin to check vulnerabilities and deprecated function in WP themes. Remove all unnecessary plugins that are of no use later.
5. Avoid To Use Admin As Username
Most hackers focus on brute login attacks or dictionary attacks. Also they know most of the WordPress users have Admin as their usernames. Therefore it is easy to crack the login of any WordPress website.
The solution is simply use a username other than admin. This way, attackers can’t easily predict the username and therefore it is extremely hard for them to crack password.
Username Changer is a WordPress plugin that help you to change username.
6. Strong Passwords Makes A Strong Security
Don’t keep password simple as “123456” or any easy combination that anyone can predict. A strong password is a combination of letters, symbols and numbers.
Strong Password can be a combination of symbol, numbers, lowercase, uppercase. Use this website to generate strong password.
7. Use Secured WordPress Hosting
In recent years, a large number of WP websites have been hacked and it signals a higher percentage of insecure hosting companies in the market.
Every hosting companies have different security standards, therefore you shouldn’t rely on the cheapest one while selecting a web hosting company.
Compare following parameter and check yourself, which hosting will be best for you.
- SFTP – You might be familiar with FTP (file transfer protocol) that helps you to upload files from your computer to the server. But in comparison to FTP, SFTP (secure file transfer protocol) is a more secure way for uploading/transferring files on the server. So your service provide must provide this facility.
- SSL – SSL (Secure Sockets Layer) adds an encryption layer over the communication between clients (browsers) and server thereby making it hard to steal the data from an encrypted path. SSL is very useful for eCommerce websites that accept payments, credit cards, and keep information of users like name, address, login information etc.
- Backup – Check if hosting company provides regular automatic backups. If in case, your website get hacked due to any issue, you have a backup copy to restore everything.
Recommended host: DigitalOcean, Siteground and Liquid Web.
8. WordPress Security Keys: Adds Additional Layer Of Security
WordPress security keys are used to encrypt cookies.
If unfortunately someone steals your WordPress cookie, then with the help of security keys, it is damn-hard to crack the encrypted cookie.
Therefore, hackers will be unable to get the cookie data due to its complex encryption.
What exactly are these Encryption Keys?
Encryption/security key is a set of random strings used to encrypt the data in the form of cookies, passwords and information etc.
Security key makes your data more secure by encoding information in a way that only the person or browser with the key has ability to decode it.
WordPress security key is used to generate encrypted cookies and it comprises of four different keys:
Note: Security keys prevents from cookie-hijacking or session hijacking attack in which a hacker steals your browser cookies. Those cookies may contain sessions of the accounts in which you are already logged-in.
Enabling WordPress Security Keys
WordPress security keys are stored in wp-config.php file. You can access the wp-config.php file by login to your c-panel.
Now, all you need is to open wp-config file in edit code mode and search for the Authentification unique keys and salts. They are collectively defined in eight lines that will look like this:
define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here');
Now, we have to replace unique keys in order to enable these security keys.
Therefore, WordPress provides the keyword generator to generate unique sets of secret keys.
Visit the secret keyword generator and copy all of the random keys from here and replace them with default keys that I shown above in wp-config.php file.
Update the file with security keys and boom, We have made an extra security layer to protect WordPress cookies and password.
LOGGED_IN_KEY – The key is used to authenticate the user. Whenever a user is logged-in, the encrypted-logged-in key will be generated and can’t be modified by attackers.
SECURE_AUTH_KEY – This key works with auth cookie such that a user can change the data with encrypted version.
AUTH_KEY – The WordPress AUTH_KEY creates the encryption cookies for signing and verifying authentication requests.
NONCE_KEY – Nonce (number used once) key makes your cookie unique to hide old communication (between browser and server) from the hackers and thus prevents replay attack.
In replay attacks, an attacker steals cookie and will use in future for illegal issue, like making a similar purchase that was done in past but without making payment. This is where nonce key works.
B. What is Salt ?
A salt is itself a strong password use to combine with security keys. This adds extra secret value to the encoded/encrypted cookies and passwords.
There are 4 WordPress salts named as LOGGED_IN_SALT, SECURE_AUTH_SALT, AUTH_SALT, and NONCE_SALT.
All these salts work just like the security keys but with more confidential value.
Things You Should Know About Security Keys:
- You can change or update security keys at any time.
- Once you update these keys, all logged-in users forced to re-login again.
- Security keys must be confidential and you shouldn’t share them with anyone.
9. Integrate 2-Step Verification
2-step authentication or verification adds an additional email/mobile verification step to login in our WordPress website.
10. Limit login attempts : Block Multiple Login Attempts From Same IP
In case of Brute login attacks, robots try to use multiple login attempts to crack the password of WordPress websites.
Limit login attempt is the way to block these multiple logins from a single IP address.
Again a well-known plugin with the name – Limit Attempts allows to block multiple logins from the same IP address. Simultaneously you can create black or whitelist of IPs to block unwanted person.
11. Protect The Appearance of UserName
If you don’t hide username from the author archive’s page, you are giving access to your WordPress account to the hackers.
Suppose, if the username is johnparker, the link generated through the author archive page will look exactly as:
http://yoursite.com/author/johnparker Where username = johnparker
You can also find out WordPress username from the blog pages of the website. Just hover your mouse to the author name and the link will be generated in the bottom of the browser that displays user-name.
[PHP]In above image the URL may look like …./blog/author/admin/
where admin = username[PHP]
Finally the hacker would try to crack password with known username.
Make sure your display name should be different from username.
You can check this by navigating : WordPress dashboard > Users
Solution: In order to hide this author link, we can remove author archive pages via this plugin.
12. Disabling File Editing Through WordPress Dashboard
Many times, you have seen the theme editor feature in your WordPress dashboard under the Appearance tab. Perhaps, you have customized the code of your theme.
By default, you can easily edit themes and plugin code. In any way, If hackers get access to admin account then, they can inject malicious codes to theme or plugin codes.
To handle the issue, it’s good idea to disable file editing.
Whenever you need to change the theme or plugin code, you can do it through FTP access.
If you decided to disable file editing, just open the wp-config.php file and insert the constant mentioned below:
define( ‘DISALLOW_FILE_EDIT’, true );
And Well done, we have added another layer of security.
13. Protection Of Directory Browsing
To lookup your directory in the form of list is called directory browsing or directory listing
Have you any index.html file? If not, by default your server shows the index page. This page has all the important information that is helpful to create vulnerabilities by an attacker.
However, directory browsing is not the vulnerability issue but it can be used to gain the information that helps to search site’s weakness.
Possibly, the threats via this method can be made by exploiting your theme, plugin or server. It’s also necessary to hide your information.. so, just add a small code to the .htaccess file in order to disable directory browsing. Login to c-panel of hosting account and navigate to:
Files and Folders > Select Root directory > Edit .htaccess file. > paste below code in .htaccess file > save file.
Options All -Indexes
14. Secure Folders By Password Protection
You can add extra security layer for attackers to get access of website’s folder and make your access secret from others.
Step 1. Login to c-panel of your hosting account and navigate to:
Security > Password Protect Directories
Step 2. Now, you can observe a list of folders that can be accessible in the case when the hacker succeed in exploiting server level protection.
Simply select the directory for password protection and then click on it.
Step 3. Now you are able to set username and password under the Create User Tab.
Finally, save the changes to click Add or Modify The Authorized User button.
Step 4. In the next step you will be redirected to the Security Setting Page. Check the option – Password protect this directory and simultaneously enter the name that you want to display to the suspicious user who are trying to access your directories.
Step 5. This is the last one step, click save and again another hurdle has been created for the hackers.
15. Change The Database Prefix
At the time of installation WordPress has many default setting. As many of us are non coders or may be non-techy therefore we don’t care about at all.
Similarly, WordPress database has a default prefix starts with wp_.
The matter of fact is that hacker would also try to infiltrate your WordPress website. As most of the webmaster don’t like to change this prefixes.
Fortunately, a customized or changed prefix name makes it harder to inject. Because attackers practice SQL injection with default table prefix name and fortunately a customized database prefix will be less accessible.
Here’s the procedure to change table prefix wp_
Step 1:- Start from a backup
We are going to alter our WordPress database tables, so it is recommended to take a back up at first priority.
Just navigate to:
c-panel > Backups icon >Download a full website Backup > Select Home Directory under backup destination
Step 2:- Navigate to wp-config.php file.
c-panel > Files > File manager > Select root directory > Select wp-config.php file and search for:
$table_prefix = ‘wp_';
Now replace the value wp with your own customized word and remember you can use only numbers, letters and underscores. Let’s consider I have changed this code to something like that:
$table_prefix = ‘jk6vwu333_';
Step 3:- Change all the table names with sql query. Navigate to:
phpMyAdmin > Select your wordpress database (we already mentioned how to check for wordpress database) > Click on SQL tab and enter the given commands:
Rename table wp_commentmeta to jk6vwu333_commentmeta; Rename table wp_comments to jk6vwu333_comments; Rename table wp_links to jk6vwu333_links; Rename table wp_options to jk6vwu333_options; Rename table wp_postmeta to jk6vwu333_postmeta; Rename table wp_posts to jk6vwu333_posts; Rename table wp_terms to jk6vwu333_terms; Rename table wp_term_relationships to jk6vwu333_term_relationships; Rename table wp_term_taxonomy to jk6vwu333_term_taxonomy; Rename table wp_usermeta to jk6vwu333_usermeta; Rename table wp_users to jk6vwu333_users;
Step 4:- Edit the table wp_options, now we have changed this table name to jk6vwu333_options. Search the table name and click on it.
Step 5:- Look at the option_name column table and finally change the wp_user_roles to jk6vwu333_user_roles
You can save your records by clicking edit button.
Step 6:- change wp_usermeta to jk6vwu333_usermeta from the database table menu on the left side. Look for the meta key there. Search all the value with prefix wp_ and change it with your new or customized name.
wp_capabilities to jk6vwu333_capabilities wp_autosave_draft_ids to jk6vwu333_autosave_draft_ids
And finally after saving the changes, you’re done
Alternatively… You can use plugin
This plugin changes database default prefix (wp_) to anything you like. We recommend you to uninstall the plugin once your desire changes has done.
16. Remove Inactive Members
Hacker can also target your website by knowing other assigned members like admin or super-admin.
Removing the inactive users from our WP dashboard might reduce the attach risk to some extent.
Some WordPress members have the ability to modify content and possibly they don’t care about the strong password. So, this condition makes any website vulnerable to attack.
Also, if you have any inactive user, you can change their role to subscriber so to limit any changes in the content.
17. Secure Your .htaccess File
Attackers often like to attack .htaccess file to control your website configuration and I am considering it is essential to secure your .htaccess file from other users.
By default, the server generates 403 forbidden error whenever a user tries to access this file.
But here again, we put up some extra security layer to our .htaccess file.
All you need to add this code to your htaccess:
deny from all
18. Use Good Antivirus : Keep Computer Free From Virus
If you have secured your website from server level, still you should consider to clean your computer from insecure elements. Because these unsecured elements like viruses or trojans weaken the computer and browser security.
Therefore hackers can penetrate your website if you have an infected computer system.
The only solution is to use a high rating antivirus and firewall.
I recommend not to avoid this small step because computer and browsers are the main hosts that keeps website cookies and handles the connection between server and hosts.
19. Protecting wp-config.php
wp-config.php file is one of the file that needs more security from unauthorized access.
You can access this file in the root directory of WordPress.
A wp-config.php file contains the basic configuration of WordPress website like information of database connection, WordPress security keys and salts and more valuable information.
Any external access to this sensitive information may damage your site security.
In order to strengthen the security of this file, add the given snippet in .htaccess file:
<files wp-config.php> order allow,deny deny from all </files>
However, you can access this config.php file from FTP and cpanel.
20. Auto Update WordPress Core, Plugin and Themes
Don’t want to updated WP theme, plugin and core manually. You can do this by adding this piece of code to your wp-config.php file:
Enable all core updates, including minor and major:
define( 'WP_AUTO_UPDATE_CORE', true );
To automatically update WordPress plugins
add_filter( 'auto_update_plugin', '__return_true' );
To automatically update your theme, add this code to wp-config.php:
add_filter( 'auto_update_theme', '__return_true' );
Note that your WordPress theme has to support automatic updates in order for the above code to work.