Business owners love WordPress for its themes, editing tools, and overall functionality. Whether you want to create a learning management system (LMS) or a membership site, WordPress is the best solution to create your content.
That is, until an unforeseen hole in your security makes your site go haywire.
You know the feeling: spam comments flood your blog posts; major plugins are compromised; and malicious links are scattered throughout your site.
The result: No site. No Audience. No sales.
You’re likely familiar with the go-to solutions to maintaining a secure WordPress site – update your plugins and WordPress installations; backup your database; etc. – but for businesses whose sites are developed with PHP, there’s a must-have set of security protocols you must follow.
In this article, you’ll learn the best ways to maintain a secure WordPress site developed with PHP, WPMUDEV guide “The Ultimate Guide to WordPress Security.”
● Coding best practices
● Protecting the backend of your site
● Securing user information
● Monitoring uploads
● Choosing a secure WordPress host
We’ve explained each protocol – and how you can follow it – below.
Coding Best Practices
You were right to develop your WordPress site with PHP. The benefits are huge:
● It works well for both novices and professionals.
● It works across all platforms (Linux, Windows, etc.).
● It is WordPress-friendly.
However, it has its flaws, such as SQL injections and spoofed forms.
Fortunately, knowing a few coding best practices can help you secure your WordPress site.
Always use the latest version of PHP. As of today, the latest version of PHP is PHP 7. There are several reasons to update to PHP 7 – it offers better development features and is blazing fast – but the most important reason is its enhanced security.
Before PHP 7, PHP had not been updated for 12 years. Several hacks had been documented and features had become deprecated (a welcoming sign for hackers).
With the latest version of PHP, you can ensure you’re getting the best security for your code.
Hide your current version of PHP. If you’re not ready to update to the latest version of PHP, hackers can see that your site is running on an outdated version, making your site a likely target for an attack.
You can turn this setting off in your header by using expose_php.
Prevent a directory listing. The default file named phpinfo.php displays the contents of your directory. This can make your site vulnerable to hacks by revealing essential information about your plugins, theme, and servers.
By renaming the file, hackers will have a more difficult time finding the file.
Change the default error message. When a connection to your site fails, a default message appears for your visitors. The default message includes information such as your IP and file path, which hackers can use to hack your site.
If you change the message, this essential information will be hidden, thus, make it difficult to find for hackers.
Protecting the Backend of Your Site
The backend of your WordPress site includes all of the precious information that powers your site. Therefore, you want to ensure only the right people have access to it.
There are several ways you can restrict access to the backend.
Use SFTP when transferring files on the backend. SFTP uses a strong algorithm that encrypts the data within the files that are being transferred.
Hide your session data. Your session data includes sensitive information such as user logins and ecommerce shopping carts. If you use shared hosting, then other users on the shared server may be able to view your session data.
The best way to hide your session data from other users is to store new session paths below the root directory of your server.
Protect user roles. As an admin of your site, you have the freedom to determine which users can access which information on your site. If you have multiple PHP sites on a single server, you must be cautious of cross-site infections.
The best way to prevent cross-site infections is to create separate admins. Therefore, each admin will only be able to access his or her associated PHP site.
Make your directory read-only. Your site includes a web-accessible directory that includes information about your theme, plugins, and uploads. This is essential information that you do not want hackers to be able to change.
Therefore, we recommend you make your directory read-only.
Move sensitive information outside of your directory. Remember: Your site includes a web-accessible directory. Therefore, you want to be cautious of what information you include in the directory.
We recommend you use a PHP script to move sensitive information, such as configuration files, to a directory that is not web-accessible.
Securing User Information
You’ve likely stored user information, such as names and email addresses, on your WordPress site, especially if you run an LMS or membership site.
Without the right security protocols, that information can get in the wrong hands – not a good scenario for the credibility of your site.
Below are a few ways you can secure the information of your users.
Encrypt your passwords. Encrypted passwords will make it difficult for hackers to access your site through a login page. And we recommend you encourage your users to encrypt their passwords as well.
Secure user sessions. Hackers are notorious for using a hack called Session Hijacking: In Session Hijacking, hackers compromise the session token by stealing or predicting a valid session token to gain unauthorized access to the server.
You can prevent Session Hijacking by adding a special token to each URL on your site, which will create a complex session ID (much more difficult for hackers to steal or predict).
Destroy old sessions. WordPress uses browser cookies to keep user sessions active for two weeks. Say a hacker has a browser cookie: that means he or she will still have access to your site even after the password has been reset.
The best solution is to delete the cookies from users’ sessions and force a new session ID.
Verify new users. When new users request access to your site, whether it’s a course in your LMS or a blog post, we recommend you verify their identity before giving them access.
We recommend you download the New User Approve plugin: This will give you the power to approve or deny new user requests, as opposed to accepting all users by default.
Use a throttle. Without the right security protocol, hackers can try dozens of passwords, uninhibited, until they gain access to your WordPress site.
We recommend you use a throttle to limit the amount of unsuccessful password attempts. Popular plugins include WP Limit Login Attempts and Login LockDown.
Your WordPress site is full of different type of uploads: plugins that give your site essential functionality; images that bring life to your site; etc.
However, you want to make sure those beloved uploads aren’t harming your site.
Verify user uploads. There are rare instances where your users will need to upload files to your site. However, if they do, you should analyze the content of the upload for harmful injections.
Harmful injections can lead to serious damage to your site, including a complete takeover of your database.
Scan your site for viruses. Before you allow users to upload files, ensure you’ve download a virus scanner. This will help you pinpoint any viruses in the files.
Choosing a Secure Host
Choosing a secure host is one of the most important factors in ensuring that your WordPress site is secure.
Below are a few things you should look for when choosing a host for your site.
Ensure the host is reliable. WordPress is a big advocate for PHP 7. However, if your host does not share that advocacy, your site may have holes in its security.
Secure, PHP 7-friendly hosts include SiteGround, Anchor Hosting, and Kinsta.
Use a content delivery network (CDN). A CDN is a geographically distributed network of proxy servers and and data centers. Why are they so important for your WordPress site: a CDN pulls information from multiple servers, as opposed to just one single server.
This not only speeds up your site based on a user’s geography, but also improves its security by scattering files among several servers.
Get an SSL certificate. An SSL certificate authenticates the identity of a website and encrypts sensitive information. It’s a must that your host offers SSL certificates.
If you ever want to accept payments on your site, for example, allow users to purchase access to your course, the SSL will encrypt their payment information so it doesn’t get in the hands of hackers.
You’ve made the right choice developing your WordPress site with PHP: It’s the best supported programming language for WordPress and a secure option, when the right protocols are followed.
Follow the protocols we listed above, and you can enjoy a secure WordPress site for both yourself and your users.