Tips to Secure WordPress

[CyberAlchemist]

Hey folks,

We all know that WordPress websites be easy get hacked or attacked from malware or virus and it requires more efforts to securing/recovering it. I've seen a lot of piecemeal guides on how to best solve this, but I wanted to start a thread dedicated to Securing WordPress site.

All guides are welcome! thanks!

 

[Localnode]

The basics:
- Make sure the computers you use are free of spyware, malware, and virus infections.
- Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities.
- Use long passwords for your WordPress login. Preferably hard to guess, with numbers.
- Keep your WordPress and plugins up-to-date.
- If you have an SSL certificate, connect to your WordPress admin login using HTTPS.
- When connecting to your server you should use SFTP encryption.

Restrict access to your WordPress admin area. Add this to your .htaccess file.
Replace the x's with your own IP. If you've changed the admin area, also reflect those changes.

# BEGIN RESTRICTION
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^xx.xxx.xxx.xxx$
RewriteRule ^(.*)$ - [R=403,L]
# END RESTRICTION

Consider two-factor authentication.

Security through obscurity:
Don't use the "admin" username.
Don't use the default database prefix.

Backups are important, too. If in the event your Wordpress is hacked - restoring from a backup so you don't lose all your data.

Then there's a plethora of security plugins. Such as iThemes Security and Wordfence just to name two.
I know iThemes has an option to autoban anyone attempting to login using the "admin" username. It also has 2FA built-in. Has a known blacklist of IP's. Has website malware scanning functionality. Lots of things, really.

The server on which Wordpress is installed also plays a large role. Obviously if the server Wordpress is on is outdated, or has known vulnerabilities it definitely wont help your installation of Wordpress.

From what I've seen, it's usually outdated Wordpress installations with very old plugins that get hacked.

 

[hoangvu]

Security through obscurity:
Don't use the "admin" username.
Don't use the default database prefix.

What are the reasons behind these?

Backups are important, too. If in the event your Wordpress is hacked - restoring from a backup so you don't lose all your data.

I'm wondering how if your backup included malware/virus or exploited? should we keep multiple backups?

 

[Localnode]

What are the reasons behind these?

Well the default username "admin" is standard. It's suggested you change it. That way brute force attempts on "admin" will always fail.
It also can be a great security measure to help prevent unauthorised access to your WordPress admin dashboard. It's widely known the default admin username is simply "admin". Changing it certainly helps your security.

As for the database prefix the WordPress database is also a prime target in many website attacks. Spammers and other bad guys target various database tables with automated scripts, SQL injection, and other malicious code. Needless to say it’s critical to protect your database and keep recent backups. One of the smartest ways to protect your site’s database is to change the default table prefix to something obscure and difficult to guess. Sort of like a password. Further [URLnf="http://www.wpwhitesecurity.com/wordpress-security/change-wordpress-database-prefix/"]reading[/URLnf].

Further [URLnf="https://en.wikipedia.org/wiki/Security_through_obscurity"]reading[/URLnf] on security through obscurity.

I'm wondering how if your backup included malware/virus or exploited? should we keep multiple backups?

Apologies, I do mean multiple backups.

 

[Ron Killian]

Localnode covered it quite well. I just wanted to say that getting rid of the "admin" is a must, as already said.

I use Wordfence and by far the biggest username bots try is "admin". That and your name or your domain name.

FYI, wordfence does have an autoban, for like "admin", but it's time set, I don't think it can be permanent. If I see some one or a bot more than a couple times I usually add the IP in my cpanel to block it. Course, I don't' know how much that helps as i think many change IP's or use proxies. Slows them down a little I guess

 

[Hawker]

None of these WP security tips will keep your WP from being hacked by a professional WP hacker. NONE of them!

Even Wordfence with all its settings and changes it makes like renaming WP-Admin page etc will stop them.

Brute force protection, file change detection, hiding the backend, strong passwords, disabling directory browsing, all of them are childsplay to a professional WP hacker!

It's WP's XML-RPC that leaves a massive hole in WP installations that make it so vulnerable.

You can blocks XML-RPC requests that contain multiple login attempts but that also stops some of your other WP functions from working properly such as any API's you use.

With Wordfence you can stop abuse of WP's Pingback method from XML-RPC by simply removing it.

While you can use the rest of XML-RPC methods.

But again, this stops other features from working.

So its either have those features and risk getting hacked. Or disable XML-RPC altogether, have a more secure site but don't have full functionality.