The Key Elements of the WordPress Security Hardening Process
We at WP-Tonic are asked quite often if WordPress is more or less secure than many other open-source CMSs (content management systems).
Firstly, understand that, because of its overwhelming popularity and it's continually growing market share, WordPress is becoming one of the leading targets for the online hacker community.
There Is Nothing Worse Online Then Being Hacked!
We are going to look at a number of key areas that will make your WordPress website much more secure. We are not suggesting you become a WordPress security expert: that’s our job! However, there are some things that you clearly do need to understand connected to WordPress and security.
There is nothing worse, when you have spent a lot of time and money on your website, to find it has been hacked and you have to drop everything else and try to deal with this nasty, messy emergency situation. This type of situation only gets worse and even more urgent when you are selling digital, or physical products and services on your website.
We feel that the core settings of WordPress are still too loosely connected to security with the initial set-up. However, newer versions have improved regarding password strength which is a major step forward. Unfortunately, too often we still read statements like this online:
“I never thought anybody would hack my website! I thought it was just too small and unimportant. I also thought that my hosting provider would do all this security stuff for me!”
The process of making a WordPress website more secure is called “Hardening” in the security community. We are going to give you the plan of action we go through when dealing with WordPress security.
One point we would really like to make is that there is no single mythology or plugin that will magically make your website totally secure. And, just like physical security, there is a delicate balance between high security and a reduction in ease of use which every website owner has to consider when it comes to security.
The WordPress Hardening Process
So, let’s look at what you should do to optimize your WordPress hardening and what the major choices are so that you can make your website as secure as possible.
This is going to be a big list. However, the good news is that you don’t have to implement everything on this list in one go to be secure. The amount of work you do here will depend on what level of overall security you feel that you need. What we normally do for clients is break down the choices into three subgroups that have different levels of security options. Some options should be applied to all WordPress-powered websites and others are more suitable to sites that have a higher security risk signature!
As a reminder, you have got to have a strong backup system in place for your website and database before you even start looking at how to harden your websites. We at WP-Tonic use a number of different systems so that we have multiple backups of our client’s physical files and databases and we encourage you to do the same (we can help!)
The process that we would recommend to everybody who has an active powered WordPress website.
- Use the quality WordPress Hosting we recommend.
- Have an off-site backup system for your files and the website’s database. Make it a testable system.
- Have a strong admin password. Here are two apps we recommend to all our clients: LastPass and 1Password.
- Keep the core of WordPress and all your plugins and themes up to date.
- Don’t use plugins or themes from untrusted sources.
- Don’t keep inactive plugins or themes on your live website.
- Only run the plugins and themes that you really need on your live website.
- Have strong passwords, especially for any admin accounts.
- Disable XML-RPC Pingback: Here’s a plugin that will do this for you.
- Limit login attempts. Here’s a couple of really good WordPress plugins that will help you with limiting the number of brute force attacks your website will be exposed to Login Lockdown and Login Security Solution.
- Don’t connect to your website using FTP inside Starbucks or any other open public network.
- Use a quality WordPress security plugin and set it up correctly. We recommend a mixture of iThemes Security and Sucuri as a free solution or for our client, we install either iTheme Security Premium or Wordfence Premium. However, whatever WordPress security plugin you choose, make sure you really understand how to set it up. If you don’t understand how to set up the plugin you probably won’t get the full benefit of the plugin. Here’s a training video that I did recently that shows you clearly how to set both iTheme Security and Sucuri correctly.
We recommend advanced hardening for websites that have been hacked, that are taking payments online or have had a lot of time or money invested in building them.
- Limit login attempts. There are really good WordPress plugins that help you with limiting the number of brute force attacks you will be exposed to.
- Hide your login page URL. A WordPress plugin that helps you change your login URL or use this alternative plugin Hide Login.
- Removing the WordPress version number.
- Install a good quality firewall plugin we recommend BBQ Free & BBQ Pro.
- Use the HTTPS protocol for your site.
- Don’t connect to your website using FTP inside Starbucks or any other public network.
We normally recommend this to highly visible websites which are getting high monthly traffic numbers.
- Enable two-factor authentication (2FA) on all your accounts.
- Disable file editing, this is important.
- Change Roles and Capabilities. Here's a plugin we use ourselves (however we do use the pro version).
- Hide or make much more secure the wp-config.php.
- Authentication Keys. Here’s a link that explains how WP-keys will make your website more secure.
What we normally look at first for our clients is the existing website security and the website’s history of being hacked or any other past problems with their website security.
We also scan the client’s website and do a security audit. We then give our recommendations and a plan of action connected to the client’s website and any security problems we might have found.