The security of a WordPress based website should always be a top priority for every site owner that chose this platform, since there are literally millions of websites that are currently vulnerable to attack.
Most people believe that they just need to keep their WordPress version updated and all will be fine. This is definitely not the case. The bug fixes that appear with every single new version of WordPress are basically there because a hacker realized that there is some sort of vulnerability.
While no website can be completely protected, not just those running self-hosted WordPress, we can still make it very difficult for botnets and hackers to break into our site.
Below we will talk about some important things that you have to know about the security of your WordPress installation, plugins that you have to consider and advice about what you can do right now. But before that, we should learn what the hackers usually do so we can better understand how to protect ourselves.
The Most Common WordPress Hacking Methods Used Today
Did you ever hear someone talk about various hacking methods and you did not understand a thing because of the terms that were used? In that case you most likely heard the following:
We cannot really say that this is hacking since it is usually done by a novice hacker that just wants to have some fun. However, it is still quite common these days. The “hacker” will use special tools to send a large number of ping commands to the IP address where your site is hosted. If the server is not properly secured against this, it will freeze. When running on Windows, the server will end up with a blue screen fatal exception error.
If you do not use a private server, you should not worry too much about this. If you are using a private server, it is better to use a hosting provider for data and web file storage.
The DDoS attack is quite similar to nuking, but before the server crashes, hackers add Trojans or viruses. That usually leads to control of the site and the removal of index files. In most situations hackers do not mean harm and will not do too much damage. The same cannot be said of the rather new Permanent DDoS attack, which installs firmware into devices. In such a situation the devices are usually destroyed. Routers and network cards are the most commonly affected.
The best thing that you can do to protect yourself against such attacks is to use the services of a reputable web hosting provider. They usually have all the security that is necessary to prevent any type of DDoS attack. If you use private servers, you need to have a firewall installed and a router in place (the server should not receive internet traffic directly but through extra network cards). Also, make sure that you do not use Windows XP (Service Pack 2), Windows NT 4.0 SP6A or Windows 2000 SP4.
This is definitely the biggest WordPress security problem at the moment. Hackers will use or create special algorithm based tools in order to crack the site. In most cases a password cracker tool is used. The tool tries out many possibilities in order to find the exact password that a user has.
The problem with brute force attacks is that very good hackers have tools that will try every single combination possible, using every character imaginable. You cannot defend against such an attack without actively protecting your site: use a login attempts plugin or a CAPTCHA. More about the login attempts plugin below.
Only a more experienced hacker can perform this. He/she will analyze websites, plugins, hosting, themes and many other factors while looking for some sort of security flaw. In many situations such a flaw is found in a theme or a plugin. Be extremely careful about the plugins and themes that you decide to use!
Folders should not be indexed (listed) by the web server. You can modify the .htaccess file and add the following line to prevent folder indexing:
Options -Indexes
Keep in mind that you should not modify anything inside this file without knowing what you are doing. If there is text already present in the file, just add the line above. Do not modify anything else.
Most of the attacks that appear with WordPress installations are connected to the default admin account. It is quite rare to see an installation that does not have this account as the main one. Also, the hackers will use common password dictionaries. Take a look at this list of common passwords used in 2012. You do not want to use something like this.
If you are installing WordPress now, simply choose a different username. If you already have WordPress installed, you need to create a new account. Make sure that it has full administration privileges. Then, log into your new account and delete “admin”. Do not use your name or your company name. Just use something random like “GuineaPig” or anything else you can think of.
Keep in mind that a good hacker can still find out what your username is. In that case, your password has to be strong. It is a very good idea to have a password of at least 16 characters with upper case and lower case letters, numbers and special characters like $, # and ^. Any special character adds a lot of security, especially when it appears inside the password rather than at the end. An example of a very strong password that is still easy to remember (since that does count for all of us) would be:
MyStrongestP4$$WOrd0SOfar
As soon as a new WordPress version is available, make sure that you have it. There are usually minor bug fixes that are included. Security fixes are quite rare but you never know when one of them is included. If you have many different WordPress sites and it is really hard to keep them all updated, check out ManageWP since it is designed for corporate use.
The WordPress core files are not the only ones that you want to keep updated. If you take a look at past security problems, you will notice that one of the biggest was connected to the timthumb.php script, a thumbnail generator bundled with many themes. While most new themes no longer use it, there are still some that do. WordPress cannot tell you that a plugin or theme you install is vulnerable.
A good way to see if the considered theme or plugin is secure is to look for user reviews. Just use a regular search engine and search for something like “theme/plugin name security problems”. You will most likely find a problem if it exists. Also, make sure that you keep updating all themes and plugins to the latest versions.
Let us say that you just changed the plugin that you use for your index slider. In most cases, WordPress users just deactivate the former plugin and leave it there. As time passes, that deactivated plugin might become the way for a hacker to gain access to your hosting account, since its files are still on the server. Just delete everything that is not used so that you do not have to worry about future vulnerabilities that might appear in it.
The functions.php file can also be used against hackers. What you might not know is that WordPress will tell anyone that knows where to look which version is installed, thanks to a generator tag in the page header. Hackers use this to identify older, vulnerable installations. Just modify the “functions.php” file by adding the following 3 lines to stop broadcasting the platform version and the Windows Live Writer information, and to make it harder to locate the XML-RPC file:
remove_action( 'wp_head', 'wp_generator' );      // removes the <meta name="generator"> tag with the WordPress version
remove_action( 'wp_head', 'rsd_link' );          // removes the Really Simple Discovery link that points at xmlrpc.php
remove_action( 'wp_head', 'wlwmanifest_link' );  // removes the Windows Live Writer manifest link
There is also the possibility that you sometimes type your password incorrectly when you try to log into your WordPress account. When that happens, the login form shows an error that reveals whether the username or the password was wrong. A hacker can use that information, together with the misspelled passwords, to work out what the real password is. Once again, modify functions.php by adding the following:
function no_errors_please() {
    return 'Nope'; // generic message: reveals nothing about which part of the login failed
}
add_filter( 'login_errors', 'no_errors_please' );
Unless you want to use a plugin for backup purposes, you can always take advantage of the Tools section in the WordPress admin dashboard. Export the file with all the posts regularly so that you at least save all the text. Also, you can connect over FTP and regularly copy your entire site to your hard disk. Apart from the automated plugins, it is the best way to have a backup in the event that your site is hacked.
Most people use the WordPress admin dashboard editor to modify plugin and theme PHP files. Obviously this makes the installation vulnerable in the event that someone gains access to your account, since they can then edit PHP code on the server. The best way to handle the situation is to make your modifications with the WordPress editor and then, after you are done, disable this function. You can do so by modifying “wp-config.php”. Add the following line manually over a secured FTP connection:
define( 'DISALLOW_FILE_EDIT', true );
When you want to modify files again in the WordPress editor, just remove the line.
This plugin makes it extremely hard for the account to be hacked because the password alone is no longer enough to gain access to the admin dashboard. Every Google Account user most likely knows about the authenticator system that sends an SMS to your mobile phone when you want to check your email or use another Google service. The plugin works the same way and is very easy to use. You can find it here.
No matter what we do, sometimes hackers find a way through our security. With this in mind, it is important that we always have backups of all the data. This includes the SQL database, plugins, settings, themes, posts, pictures and so on. BackupBuddy makes it really easy to handle backups. The only problem is that it is not free. However, you might want to take a look at the pricing options here (Buy Now tab) since this is definitely one of the best.
Other free plugins do exist, like BackUpWordPress, XCloner, Online Backup for WordPress and WP Complete Backup, but we strongly recommend BackupBuddy as the stronger option.
This is quite a nifty WordPress security plugin that implements various fixes. Among the different options available, the plugin will check passwords, change the SQL table prefix, protect the login area from brute force attacks, rename the wp-content directory, check the security of .htaccess and a lot more. Take a look at this link to read all about Better WP Security.
This WordPress plugin has not been updated in the past 2 years but it is still quite effective in blocking brute force hacking attempts. It records the IP address of the person that tries to log in along with every failed attempt. When a specific number of failed attempts take place, the IP range is blocked. More about the plugin can be found here.
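The functions.php tweaks above (hiding the version and masking login errors) and the login lockdown behaviour just described can be combined into one must-use plugin. This is an added example, not code from the article or from the Login LockDown plugin; the hook names are real WordPress APIs, while the 5-attempt limit and 15-minute window are assumed values.

```php
<?php
/**
 * Plugin Name: Example hardening (added example, not the article's code)
 * Place in wp-content/mu-plugins/ so it loads before any theme or plugin.
 */

// 1. Stop broadcasting the WordPress version and editor discovery links.
remove_action( 'wp_head', 'wp_generator' );
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );
add_filter( 'the_generator', '__return_empty_string' ); // also strips the version from RSS feeds

// 2. Replace the detailed login error with one generic message.
add_filter( 'login_errors', function () {
    return 'Login failed.';
} );

// 3. Lock out an address after repeated failures (assumed limits).
define( 'HARDEN_MAX_ATTEMPTS', 5 );
define( 'HARDEN_LOCKOUT_SECS', 15 * MINUTE_IN_SECONDS );

function harden_client_key() {
    // Use REMOTE_ADDR only: trusting X-Forwarded-For lets a client pick its own address.
    return 'harden_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Count every failed login; the transient expires on its own after the window.
add_action( 'wp_login_failed', function () {
    $key   = harden_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, HARDEN_LOCKOUT_SECS );
} );

// Priority 30 runs after the core username/password check (priority 20),
// so a locked-out address is refused even when the password is correct.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( harden_client_key() ) >= HARDEN_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30, 1 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( harden_client_key() );
} );
```

Behind a reverse proxy or CDN every visitor shares the proxy's REMOTE_ADDR, so the counter must be keyed on the real client address supplied by that trusted proxy instead, or the lockout will block everyone at once.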
You can always find a good CAPTCHA login plugin for WordPress, so we do not need to recommend a specific one. Some are based on pictures while others are based on math or questions. Choose whichever you like to protect against the brute force attacks mentioned above.
Hopefully, this WordPress security guide will help you out a lot. If you follow the steps above and you consider the plugins mentioned, the security of your installation will be very high. Tell us what you think and share any other tips that you may have with fellow readers. We all need to help ourselves against hackers.
Thank you Derek Crowden, for this informative article on WordPress security.
I am happy that you liked it :)
Thanks for your security post
I use Bullet Proof Security plugin and login lockdown
I believe it is always a good idea to keep everything updated including plugins
Thanks a lot for giving great security advice for a WordPress based website.
Happy reading. I liked most the part about how to remove Live Writer traces from posts. Thanks