How To Secure WordPress Website

Introduction

Millions of websites are powered by WordPress software and there’s a reason for that. WordPress is the most developer-friendly content management system out there, so you can essentially do anything you want with it. Unfortunately, every day some scary report about a major site being hacked or a sensitive database being compromised hits the web … and freaks everyone out.

If you haven’t installed WordPress yet, check the following article.

On Debian based systems:

On RPM based systems:

This tutorial explains how to harden a WordPress website. In this article we will show you a checklist that lets you secure your WordPress site with as little effort as possible.

Checklist To Secure WordPress Website

1- Keep your WordPress site and plugins up-to-date

It is really important to make sure that your WordPress site, plugins and scripts are updated to the latest stable version. Most new WordPress and plugin versions contain security patches. Even if those vulnerabilities cannot be easily exploited most of the time, it is important to have them fixed.

1.1 – Update WordPress From the admin area

In WordPress you can easily update your application directly from the admin area. When a new version is available, you will see a notification in the WP admin area.

Before you proceed with the upgrade, we strongly advise you to make a backup of your WordPress.

When you are ready, click Please update now to proceed with the upgrade. On the next page you can choose whether to upgrade automatically or manually.

Click Upgrade Automatically.

If everything goes smoothly, your WordPress will be successfully upgraded.

1.2 – Upgrade WordPress: Manual upgrade

Follow the steps below to upgrade your WordPress website manually.

Step1: Backup the Database Tables and Files including .htaccess.

Step2: Deactivate all the Plugins you use from the plugin management page.

Step3: Overwrite Files 

There are two options to overwrite files:

Option1: Get the latest WordPress version from WordPress download page and upload it to the WordPress directory, overwriting all the files that exist there. This will preserve your images and themes.

Option2: Delete your old files on the server and upload the newer files from the version you have downloaded. This alternative ensures that the files on the server have definitely been replaced.

Step4: Run the upgrade script

Visit your blog’s Upgrade Page (http://yourdomainname.com/wp-admin/upgrade.php) and follow the instructions that are displayed.

Step5: Activate your plug-ins, one by one, at the Plugin Management Page.

Step6: Check if everything works as expected.

2 – Don’t Use “admin” as Your Username

Most attackers will assume that your admin username is “admin”. They then try to obtain your password by brute-forcing that username. If you change your username to something else, you take that easy target away immediately.

3 – Use strong passwords

Passwords protect every part of your online life. If you don’t treat them properly, you’re exposing yourself to a whole mess of trouble. If you aren’t using a password that’s at least ten characters, with numbers and letters, capitals and lowercase … you’re doing it wrong. Do it right. Especially this one.

4 – Protect your WordPress admin area

It is important to restrict the access to your WordPress admin area only to people that actually need access to it. If your site does not support registration or front-end content creation, your visitors should not be able to access your /wp-admin/ folder or the wp-login.php file. The best you can do is to get your home IP address and add these lines to the .htaccess file in your WordPress admin folder replacing xx.xxx.xxx.xxx with your IP address.

<Files wp-login.php>
order deny,allow
Deny from all
Allow from xx.xxx.xxx.xxx
</Files>

In case you want to allow access to multiple computers (like your office, home PC, laptop, etc.), simply add another Allow from xx.xxx.xxx.xxx statement on a new line.

If you want to be able to access your admin area from any IP address (for example, if you often rely on free Wi-Fi networks) restricting your admin area to a single IP address or to few IPs can be inconvenient.

5 – Protect your WordPress website from spam

In this part, we will show you how to protect your WordPress blog from spam.

5.1 –  Install a captcha plugin

You can install the WordPress ReCaptcha plugin on your website to activate a captcha for comments and user registrations.

Once activated, the plugin will prompt for the public and the private API keys. The displayed link will take you to the corresponding Google web site where you can get the API keys for free. Paste them in the corresponding fields and activate your ReCaptcha plugin for comments and user registrations.

5.2 – Install Akismet anti-spam plugin

Akismet checks your comments against the Akismet Web service to see if they look like spam or not and lets you review the spam it catches under your blog’s “Comments” admin screen.

In order to use Akismet, you should have a WordPress API key. To receive a WordPress API key, you should register at the official WordPress website. The key will be included in your welcome mail.

If you already have a registration at WordPress.org, you can see your API key by visiting the WP dashboard.

To enable Akismet for your website, follow the steps below:

Step1: Go to your WordPress admin area > Plugins > Installed and click Activate.

The Akismet plugin will be activated.

Step2: Click “enter your WordPress.com API key” (you can also click Akismet Configuration in the Plugins section).

Step3: Enter your WordPress API key.

Step4: Click Update options>>.

Step5: If you have entered a correct API key, it will be verified.

From now on your blog will be protected from spam by Akismet. You will be able to check the comments in your blog for spam, as well as manually mark comments as spam from the blog admin area > Comments.

You can also display on your blog’s front page how many spam posts have been stopped by Akismet. To show this information, you should add the Akismet widget to your sidebar.

6 – Use security plugins

As well as all of the measures above, there are tons of plugins you can use to tighten your site’s security and reduce the likelihood of being hacked.

Here are a handful of popular options:

7 – Make backup copies of your WordPress site

Having backups of your site is essential. Every webmaster should keep a few backups of their website in case something goes wrong. You can:

7.1 – Install BackupWordPress plugin


BackupWordPress is a complete WordPress backup plugin with automatic scheduling support. It allows you to create different schedules for your database and files. The only problem is that the free version does not allow you to store your WordPress backups to a cloud storage service.

If you want to store your backups on Dropbox, Google Drive, FTP, etc, then you will need to purchase a premium extension for it. The extensions are available for each service, and you can buy the one you need or the whole bundle.

7.2 – Backup WordPress Manually

WordPress is a web application based on PHP and MySQL. As such you need to backup all its files and its database to have a full copy of your site. The easiest way to copy your files is via FTP. Make sure that you save all the files and folders in the directory WordPress is installed in (public_html if it’s the main application for your site).

The WordPress database can be backed up as any other database. In case you have multiple MySQL databases and you wonder which one your site is using, open the wp-config.php file in the WordPress root folder and you’ll see the database name saved next to the DB_NAME option.
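The script below is an added example, not code from the original article, and covers both the backup that Step1 of the manual upgrade asks for and the manual backup described in this section: it archives the whole WordPress directory (dot-files such as .htaccess included) and reads DB_NAME, DB_USER and DB_HOST from wp-config.php to prepare the matching mysqldump command. The install and backup paths, and the miniature site it builds for the demonstration, are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): file + database backup of
# a WordPress install, taking the database settings from wp-config.php.
set -eu

# Print the value of define('NAME', 'value') from a wp-config.php file.
# Usage: wp_config_value /var/www/html/wp-config.php DB_NAME
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Archive the whole WordPress directory (the directory, not a glob, is
# archived, so .htaccess and other dot-files are included) and write the
# matching mysqldump command next to it. Prints the timestamp used.
# Usage: backup_wordpress /var/www/html /var/backups/wordpress
backup_wordpress() {
    wp_root=$1
    dest=$2
    cfg="$wp_root/wp-config.php"
    [ -f "$cfg" ] || { echo "no wp-config.php under $wp_root" >&2; return 1; }
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    tar -czf "$dest/files-$stamp.tar.gz" -C "$(dirname "$wp_root")" "$(basename "$wp_root")"
    db_name=$(wp_config_value "$cfg" DB_NAME)
    db_user=$(wp_config_value "$cfg" DB_USER)
    db_host=$(wp_config_value "$cfg" DB_HOST)
    # The password is deliberately left off the command line: "-p" makes
    # mysqldump prompt for it, so it never shows up in ps or shell history.
    printf 'mysqldump --single-transaction -h %s -u %s -p %s > %s\n' \
        "${db_host:-localhost}" "$db_user" "$db_name" "$dest/db-$stamp.sql" \
        > "$dest/dump-db-$stamp.sh"
    # Backups hold user data and the dump command names the DB user: owner-only.
    chmod 600 "$dest/files-$stamp.tar.gz" "$dest/dump-db-$stamp.sh"
    echo "$stamp"
}

# Demonstration on a constructed miniature site (not a real install).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/site/wp-content"
cat > "$demo_dir/site/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wp_demo' );
define( 'DB_USER', 'wp_demo_user' );
define( 'DB_PASSWORD', 'placeholder-not-a-real-password' );
define( 'DB_HOST', 'localhost' );
EOF
printf 'Deny from all\n' > "$demo_dir/site/.htaccess"
stamp=$(backup_wordpress "$demo_dir/site" "$demo_dir/backups")
tar -tzf "$demo_dir/backups/files-$stamp.tar.gz"
cat "$demo_dir/backups/dump-db-$stamp.sh"
```

Run the generated dump-db-*.sh on the server (it prompts for the database password) and keep both the archive and the .sql file somewhere off the web server, so that a compromise of the site cannot also destroy its backups.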

8 – Limit Login Attempts

Limit the number of login attempts possible both through normal login as well as using auth cookies.

By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.

Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.

There is a nifty little WordPress plugin called Limit Login Attempts that enables you to limit the number of failed login attempts and even ban an IP for a specified number of hours.

All options are customizable in this plugin. You can select how many failed login attempts you will allow, how long they’re locked out, and how many lockouts it will take to issue a temporary IP ban.
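Whether or not you use the plugin, the same pattern of repeated failed logins is visible in the web server's access log. The script below is an added example, not code from the original article or the plugin: it counts POST requests to wp-login.php per client address in a combined-format access log, treating only responses with status 200 as failures (a successful login answers with a 302 redirect, a failed one re-renders the form with 200), and reports addresses above a threshold. The log lines it analyses are constructed for the demonstration and use documentation-range addresses.

```shell
#!/bin/sh
# Added example (not from the original article): spot login brute-force
# bursts against wp-login.php in an Apache/nginx combined-format access log.

# Print "count ip" for every address with more than $2 failed login POSTs.
# Fields in the combined format: $1 client IP, $6 "METHOD, $7 path, $9 status.
# Usage: wp_login_bursts /var/log/apache2/access.log 5
wp_login_bursts() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] > limit) printf "%d %s\n", fails[ip], ip }
    ' "$1" | sort -rn
}

# Write a constructed sample log to $1: one address hammering the login
# form, one visitor who logs in successfully once, one fetching the home page.
make_sample_log() {
    : > "$1"
    i=0
    while [ $i -lt 12 ]; do
        printf '198.51.100.23 - - [10/Oct/2023:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"\n' "$i" >> "$1"
        i=$((i + 1))
    done
    printf '203.0.113.10 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n' >> "$1"
    printf '203.0.113.11 - - [10/Oct/2023:13:56:02 +0000] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/5.0"\n' >> "$1"
}

# Demonstration on the constructed log: expect one line, "12 198.51.100.23".
sample_log=$(mktemp)
make_sample_log "$sample_log"
wp_login_bursts "$sample_log" 5
rm -f "$sample_log"
```

Pointed at a real log and run from cron, the report gives you an independent check that the plugin's lockouts are actually triggering, and a list of addresses to feed into your firewall or hosting provider's blocklist.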

9 – Choose the right, secure web hosting

Your WordPress site is only as secure as your hosting account. If someone can exploit a vulnerability in an old PHP version, for example, or in another service on your hosting platform, it won’t matter that you have the latest WordPress version. This is why it is important to be hosted with a company that has security as a priority. Some of the features that you should look for are:

  • Support for the latest PHP and MySQL versions
  • Account isolation
  • Web Application Firewall
  • Intrusion detection system

10 –  Monitor your website

Maximize your uptime and optimize for performance with 24/7 network, server, and website monitoring by using free and open source monitoring tools like:

  • Nagios
  • Zabbix
  • Centreon
  • Pingdom
  • Uptime

Check out the following articles to install and use some of the above-mentioned monitoring tools.

11 – Ensure your computer is free of viruses and malware

If your computer is infected with a virus or malware, a potential attacker can gain access to your login details and make a valid login to your site, bypassing all the measures you’ve taken before. This is why it is very important to have an up-to-date antivirus program and to keep the overall security of all computers you use to access your WordPress site at a high level.