Here’s how to secure your WordPress website, also known as hardening WordPress.
Here’s where I’d perhaps insert a column or two about why you should harden WordPress. I don’t think anyone would argue that it’s essential to secure their website. To be meticulous, I’ll list a few reasons.
Why Should You Harden WordPress?
Because an unhardened WordPress website is a likely target: automated scanners probe every reachable site for outdated versions, weak logins and known plugin flaws, so sooner or later one of them gets in. You’ll no doubt agree this is a bad thing. The severity of damage can vary. Before I list a few reasons to harden WordPress below I’d like to mention that these reasons are universal. They apply to any website no matter what CMS (Content Management System) it’s based on, including Joomla, Drupal etc.
Website Data Loss
You may lose website data. This can include website files and/or your database. This can be devastating to the point of losing your entire website. How many hours or days or weeks or months or even years have you invested in your website?
Visitor or Customer Data Loss
To me, having customer data compromised is the worst case scenario. Your visitors have trusted you with their personal information and you’ve let them down. Granted, it may not be directly your fault. But at the end of it all, as a website operator or owner your customers’ data is your responsibility.
As a website owner you should do everything (reasonably) possible to protect your website and your website visitors. Hardening WordPress and making your website as secure as possible is an excellent way to do that.
How To Secure WordPress
1. Keep WordPress Updated
I’ve worked with hundreds of clients over the years and the vast majority don’t keep WordPress updated. Is this because it’s difficult to keep WordPress updated? Or perhaps a special skill set is required to keep WordPress updated? Definitely not! Updating WordPress is as easy as clicking a button in the WordPress admin area.
Why keep WordPress updated? The first reason is security. Like any software, WordPress has vulnerabilities from time to time, and once a fix is released the details are public, so attackers start scanning for sites still running the old version within days. Fortunately WordPress has a huge community working to fix problems as they arise, and since version 3.7 minor (security and maintenance) releases install themselves automatically unless you have turned that off. Major releases still need you to click the update button.
The second reason is that awesome new features are added all the time. If you don’t keep WordPress updated, you won’t be able to take advantage of them. WordPress evolving rapidly is a very good thing.
Windows is a perfect example, think how often there are patches and updates. Another good example are app updates on your device. There are constant updates. It’s the same with WordPress.
It’s extremely important to keep WordPress updated.
2. Keep Plugins Updated
Keeping your WordPress plugins updated goes hand-in-hand with the previous point, and matters at least as much: plugins are where most WordPress compromises start. Most of the considerations highlighted above apply to plugin updates. Updating plugins ASAP should be standard practice with a WordPress website. Also delete plugins you no longer use rather than just deactivating them: a deactivated plugin’s files are still on the server and can still be requested directly by an attacker.
3. Keep Themes Updated
Keeping your theme updated is the third in the trio of updates required. Theme updates are usually less frequent but no less important. It may be that you’re running a framework like Genesis from StudioPress. In this case there will be updates to the Genesis core and hardly ever to your child theme. Apply Genesis core updates when released.
4. Backup WordPress
This is an extremely important point and cannot be overstated. Let’s say your WordPress website was compromised. With an up-to-date backup you could be up and running again in hours: restore the files and the database and the site is back online. It would be awful, but you could recover relatively easily.
The flip side of this is out-of-date backups: a LOT of work and expense in time and probably money, and it may still be impossible to recreate the lost data. Think about customer orders, blog posts, articles and unique data on pages.
What about having no backups at all? That’s the same as having your website totally destroyed or wiped out. Starting from scratch as if you never had a website. Need I even elaborate?
Most web hosting companies have some form of backup tool, use it. Keep at least one copy somewhere other than the web server itself, because a backup stored only alongside the site is deleted or encrypted along with it, and try a restore occasionally so you know it actually works. If you want the ultimate in convenience try our Managed WordPress Hosting. Our WordPress hosting comes with automated daily backups included. And if disaster ever strikes it’s simply a matter of restoring the website with a click of a button.
5. Secure Usernames and Passwords
Absolutely avoid using easy to guess passwords. This includes iterations like password, p@ssword, p@ssw0rd, admin etc. A good password is long: a short sentence or phrase made of several unrelated words works well and is easy to remember.
Swapping letters for look-alike digits (o = 0, e = 3) or capitalizing the first letter of each word adds almost nothing. Cracking tools try those substitutions automatically, and a famous quote or song lyric is already in their dictionaries. Length and unpredictability are what make a password strong.
Use a different password for every site, and let a password manager generate and remember them so you don’t have to. If you can, also add two-factor authentication to the WordPress login (several plugins provide it); then a guessed or leaked password alone is not enough to get in. That goes a long way toward hardening WordPress and securing your website.
Let’s not forget your username for your WordPress admin area. DO NOT use admin or ANY derivative thereof for your WordPress admin area username. This includes Admin, @dmin, administrator, Administrator. The other favorites to avoid are user, User etc. Options abound for a secure username, give it a few moments and you’ll think of something good. Remember though you also need to be able to easily remember it. 🙂 Bear in mind this is only a small speed bump: WordPress reveals usernames through author archive URLs and the REST API, so the real protection is a strong password.
6. Limit Server Access
FTP is how you would usually access your website files, but plain FTP sends your username, password and the files themselves across the network unencrypted. Use SFTP (file transfer over SSH) instead, or FTPS if that is all your host offers, and never plain FTP from a public network. Some hosting companies may offer the ability to lock or unlock FTP access. At KryoHost we offer FTP locking and a lot more. We lock your FTP by default. This means it’s inaccessible and needs to be unlocked before it can be accessed.
You can unlock it for a time period e.g. 1 hour or 2 hours or a day or week etc. Another cool feature is the ability to unlock it for a specific IP address only. This means your FTP is unlocked only for the person connecting from that IP address. It’s set with the click of a button in your web hosting control panel.
7. Harden WordPress Core
There are four steps here, I recommend all of them and I’ll outline them below. The WordPress Codex includes an excellent resource on hardening WordPress.
7.1 Restricting Access to wp-admin
This would be something as simple as directory protection for the wp-admin folder, which is located at www.yourdomain.com/wp-admin. That’s the URL you visit to log in to your WordPress admin area. Adding a second layer of protection to this directory forces an additional username and password (HTTP Basic authentication, handled by the web server) before WordPress itself is even reached.
This may seem excessive but it’s not. Password-guessing bots never get as far as the WordPress login, and a vulnerability in an admin-only page can’t be reached without the extra credentials. Two caveats: the WordPress login form itself lives at wp-login.php in the site root, not inside wp-admin, so protect that file the same way or the brute-force protection is incomplete; and wp-admin/admin-ajax.php is used by many plugins for logged-out visitors, so exempt it or those features will break.
There are a few ways to secure the wp-admin directory. I’ll list them below, pick whichever you feel most comfortable with.
- Secure wp-admin with a plugin: The AskApache Password Protect plugin is a good choice.
- Use .HTACCESS to limit access to wp-admin.
- This can be done through your web hosting control panel e.g. cPanel or Plesk. Our web hosting control panel maXpanel is incredibly powerful but has an extremely user-friendly interface to accomplish this in 3 seconds flat. See the image below.
- You can also manually create a .htaccess file and drop it in your wp-admin directory. For in-depth information on .htaccess, view this article.
7.2 Secure the wp-includes folder
You don’t want anyone snooping inside your wp-includes folder, or more to the point, requesting its PHP files directly: they are meant to be loaded by WordPress, not called from a browser. To secure wp-includes, modify your root .htaccess file by adding the following code (the rewrite rules from the Codex hardening page, which return 403 Forbidden for direct requests to PHP files under wp-includes).
Make sure to include it OUTSIDE the # BEGIN WordPress / # END WordPress block in your .htaccess file. In this example it’s added above, as you can see the tag is at the bottom of the code snippet. If you put it inside that block WordPress will overwrite it the next time it rewrites its own rules (for instance when you save permalink settings). One caveat: the rule matching wp-includes/[^/]+\.php$ blocks ms-files.php, so leave that rule out on a Multisite install.
7.3 Secure the wp-config.php file
In your root .htaccess file insert the following code at the very top of the file. This will deny direct web requests for wp-config.php and secure it. WordPress itself still reads the file from disk as normal; the rule only stops a browser (or an attacker) from fetching it, which matters the day a server misconfiguration serves PHP files as plain text and would otherwise expose your database credentials.
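Here is what steps 7.2 and 7.3 look like when done by a script, as an added example that is not from the original post: the function below prepends the Codex wp-includes rules and a wp-config.php deny rule to the site’s root .htaccess, above the # BEGIN WordPress block so WordPress can’t overwrite them, and does nothing if the rules are already there. The marker comments and the .htaccess path are my own choices; the rewrite rules themselves are the Codex’s, and the wp-config.php rule is written for both Apache 2.2 and 2.4 syntax.

```shell
#!/bin/sh
# Added example (not from the original post). Installs the wp-includes and
# wp-config.php protection rules into a WordPress site's root .htaccess.
# The rules go ABOVE "# BEGIN WordPress" so WordPress never rewrites them,
# and a marker comment makes the install idempotent.
# Assumes Apache with mod_rewrite; the marker names are this example's own.

HARDEN_BEGIN='# BEGIN hardening'
WP_BEGIN='# BEGIN WordPress'

# Print the rule block. The wp-includes rewrite rules come from the Codex
# "Hardening WordPress" page; the "[^/]+\.php$" rule blocks ms-files.php and
# must be dropped on Multisite.
hardening_rules() {
  cat <<'EOF'
# BEGIN hardening
# Deny direct web requests for wp-config.php (Apache 2.4 and 2.2 syntax).
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
# Block the include-only files.
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^wp-admin/includes/ - [F,L]
  RewriteRule !^wp-includes/ - [S=3]
  RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
  RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
  RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# END hardening
EOF
}

# install_hardening <path/to/.htaccess>
# Prepends the rule block (creating the file if needed). Returns 0 without
# touching the file when the block is already present.
install_hardening() {
  htaccess=$1
  [ -f "$htaccess" ] || : > "$htaccess"
  grep -qF "$HARDEN_BEGIN" "$htaccess" && return 0
  tmp=$(mktemp) || return 1
  { hardening_rules; printf '\n'; cat "$htaccess"; } > "$tmp" || { rm -f "$tmp"; return 1; }
  cat "$tmp" > "$htaccess"   # cat, not mv, keeps the file's owner and mode
  rm -f "$tmp"
}

# check_placement <path/to/.htaccess>
# Returns 0 when the hardening block exists and sits before the WordPress
# block (or WordPress has not written one yet), 1 otherwise.
check_placement() {
  awk -v h="$HARDEN_BEGIN" -v w="$WP_BEGIN" '
    $0 == h { hl = NR }
    $0 == w { wl = NR }
    END { exit !(hl && (!wl || hl < wl)) }
  ' "$1"
}

# Usage on a live site:
#   install_hardening /var/www/html/.htaccess && check_placement /var/www/html/.htaccess
```

Run it once per site; a second run is a no-op, and check_placement is the thing to put in a monitoring job, because a plugin or a permalink save that rewrites .htaccess is exactly how these rules quietly disappear.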
7.4 Disable File Editing in WordPress Admin
Some people may not like this as it stops access to the “Editor” in the WordPress admin. Many people (myself included) like the convenience of being able to quickly edit CSS or a theme file without having to log in over FTP.
This is not best practice and can lead to you breaking your site: the WordPress editor saves straight to disk with no history or backup, and a single syntax error can take the whole site offline. It’s always best to edit files in a proper text editor (not Microsoft Word or any other word processor) and upload them. You can find many excellent free text editors, here are a few to consider.
Most are free and cross platform: Sublime Text, Atom, Brackets, Notepad++. There are many others but these are text editors I personally use and can highly recommend. (Sublime Text can be used free but extended use requires purchasing a license).
To disable file editing in WordPress admin add the following code to your wp-config.php file (it sets the DISALLOW_FILE_EDIT constant to true and must go above the “That’s all, stop editing!” line). This will disallow editing of themes, plugins and files from the WordPress admin. This is often how code is injected into a WordPress website to compromise it: an attacker who gets hold of an administrator login uses the editor to drop a backdoor into a theme or plugin file. This measure closes that avenue. Note that an administrator can still upload a malicious plugin or theme; DISALLOW_FILE_MODS blocks that as well, but it also disables installing updates from the dashboard, so only use it where updates are applied some other way.
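The same change done by a script, as an added example rather than code from the original post: the function below inserts the DISALLOW_FILE_EDIT define into wp-config.php immediately before the “That’s all, stop editing!” marker, replaces any earlier define of the same constant instead of adding a second one, and refuses to touch a file that has no marker line. The file path is an assumption; the marker text is the one WordPress ships in its default wp-config.php.

```shell
#!/bin/sh
# Added example (not from the original post). Switches the theme/plugin editor
# off by putting define( 'DISALLOW_FILE_EDIT', true ); into wp-config.php.
# The define must appear BEFORE the "That's all, stop editing!" line, because
# after it wp-settings.php is loaded and the constant is no longer consulted.
# Idempotent: an existing DISALLOW_FILE_EDIT define (true or false) is replaced.

# disable_file_edit <path/to/wp-config.php>
# Returns 1 (and leaves the file untouched) if the file or the marker line is missing.
disable_file_edit() {
  cfg=$1
  [ -f "$cfg" ] || return 1
  tmp=$(mktemp) || return 1
  awk -v q="'" '
    /define *\(.*DISALLOW_FILE_EDIT/ { next }          # drop any previous define
    /That.s all, stop editing/ && !done {
      print "define( " q "DISALLOW_FILE_EDIT" q ", true );"
      done = 1
    }
    { print }
    END { if (!done) exit 2 }                          # no marker: refuse to guess
  ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
  cat "$tmp" > "$cfg"   # cat, not mv, keeps owner and mode
  rm -f "$tmp"
}

# file_edit_disabled <path/to/wp-config.php>
# Returns 0 only when a true define exists and precedes the marker line.
file_edit_disabled() {
  awk '
    /define *\(.*DISALLOW_FILE_EDIT.*true/ { found = NR }
    /That.s all, stop editing/ && !marker { marker = NR }
    END { exit !(found && marker && found < marker) }
  ' "$1"
}

# Usage on a live site:
#   disable_file_edit /var/www/html/wp-config.php && file_edit_disabled /var/www/html/wp-config.php
```

After running it, log in and confirm the Editor entries have gone from the Appearance and Plugins menus; if they are still there, the define ended up after the marker or in a wp-config.php that is not the one being loaded.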
8. Security Addons to Secure WordPress
8.1 Limit Login Attempts Plugin
This is an essential plugin if you are not using the .htaccess directory protection mentioned above. And if you are it’s still a good idea. Limit Login Attempts is a free plugin you can download here.
What’s really useful about this plugin is the ability to check what usernames people (or bots) are using to try to access your website. Everything is logged and you can lock out a user or bot after a certain number of incorrect login attempts. There’s also an option for an administrator to be emailed when this happens.
Note: As of writing this, the plugin has not been updated in a while. I would normally not recommend using a plugin that hasn’t been updated in a while, but as this plugin does very basic work that is not easily affected by WordPress updates I recommend you install it. Whichever lockout tool you use, check that it also counts logins attempted through xmlrpc.php: that endpoint accepts credentials as well, and a single system.multicall request can carry hundreds of guesses. If nothing you use needs XML-RPC (Jetpack and the mobile apps do), block xmlrpc.php in .htaccess.
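A plugin is the convenient way to do this, but it helps to see what the plugin is actually looking for. The script below, an added example and not part of the original post, counts POST requests to wp-login.php and xmlrpc.php per client IP in an Apache/Nginx combined-format access log and prints the pairs that cross a threshold. The log lines are constructed for the example, and the field positions assume the combined log format; on a real server point it at your access log instead.

```shell
#!/bin/sh
# Added example (not from the original post). Finds login brute forcing in a
# combined-format (Apache/Nginx) access log by counting POSTs to wp-login.php
# and xmlrpc.php per client IP. Both endpoints accept credentials, and a
# lockout tool that watches only wp-login.php misses the second one.
# The sample log is constructed; the field positions assume the combined format.

# Constructed sample traffic: one IP hammering wp-login.php, one legitimate
# login, one IP hitting xmlrpc.php repeatedly.
sample_log() {
  i=0
  while [ "$i" -lt 12 ]; do
    printf '203.0.113.7 - - [10/Oct/2023:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"\n' "$i"
    i=$((i + 1))
  done
  printf '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"\n'
  printf '198.51.100.2 - - [10/Oct/2023:13:56:09 +0000] "POST /wp-login.php?redirect_to=%%2Fwp-admin%%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
  printf '198.51.100.2 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"\n'
  i=0
  while [ "$i" -lt 6 ]; do
    printf '192.0.2.44 - - [10/Oct/2023:13:57:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "curl/8.0"\n' "$i"
    i=$((i + 1))
  done
}

# brute_force_ips <threshold> [logfile...]   (reads stdin when no file is given)
# Prints "<count> <ip> <endpoint>" for every IP/endpoint pair with at least
# <threshold> POSTs, busiest first. Only POSTs count: a GET just loads the form.
brute_force_ips() {
  threshold=$1
  shift
  awk -v t="$threshold" '
    $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
      sub(/\?.*/, "", $7)            # drop ?redirect_to=... so variants group together
      n[$1 " " $7]++
    }
    END { for (k in n) if (n[k] >= t) print n[k], k }
  ' "$@" | sort -rn
}

# Usage on a live site (any IP listed is a lockout or firewall candidate):
#   brute_force_ips 20 /var/log/apache2/access.log
```

Keep in mind that a count alone does not separate a bot from a user who mistyped a password five times; the 200 versus 302 status (WordPress redirects after a successful login) and the user agent are the next things to look at, and an xmlrpc.php POST count is a lower bound, since one request can carry many attempts.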
8.2 Using a CDN to Help Secure WordPress
Using a service like CloudFlare puts a virtual barrier between your website and your visitors. CloudFlare, like other similar services, is a CDN or Content Delivery Network. This provides benefits like faster website loading for visitors across the planet. And the cherry on the cake is the security benefits that come included out of the box.
Protection includes DDoS mitigation, a web application firewall that filters common injection attacks such as SQL injection (on the paid plans), and spam and bot filtering. You can sign up for CloudFlare here and there is a free plan. One thing to get right: the CDN only protects traffic that passes through it, so restrict your web server to accept connections only from the CDN’s published IP ranges, otherwise an attacker who discovers the origin IP address can bypass it entirely. You can also check out Sucuri, which offers awesome WordPress specific security services, but more about Sucuri below.
8.3 SiteLock Cloud Based Website Security
We offer the easy-to-use SiteLock website malware and security tool. You can get more information on SiteLock here. There are some really useful features including file change monitoring and auto-cleaning of malware.
8.4 SSL Certificates
Securing WordPress or any website with an SSL/TLS certificate is, in my opinion, mandatory. The certificate lets the server prove its identity, and HTTPS then encrypts the data between the visitor’s browser and the server. This means that even if the traffic is intercepted it can’t be read, and your login password and session cookie no longer cross the network in clear text. Installing the certificate is only half the job: set the WordPress and site addresses to https://, redirect plain http:// requests to https://, and set FORCE_SSL_ADMIN in wp-config.php so the dashboard and login are never served over plain HTTP.
What If Your WordPress Website Gets Hacked?
First I recommend a solid backup service so that you can restore your website easily and quickly. I’ve mentioned our WordPress hosting above, take a look at it, there are really useful features over and above daily backups with 1-click restore.
If your website does get hacked or compromised in some way I recommend two companies, VaultPress and Sucuri. Both offer proactive and reactive services.
Sucuri offers a cleanup service and monitoring if your WordPress website should ever get hacked. And the best part, it’s extremely affordable for what’s offered. These guys know WordPress. Whoever does the cleanup, restoring a backup on its own is not a fix: find and close the way in (usually an outdated plugin or theme, or a stolen password), check that the backup itself isn’t already infected, then change every administrator password, the database password and the secret keys and salts in wp-config.php so that existing sessions and stolen credentials stop working.
Hardening WordPress and making sure your WordPress website is as secure as possible is not difficult. I recommend all the measures outlined above to ensure maximum security. But remember there is still a chance your WordPress website can be compromised.
Check out our WordPress Hosting, it takes care of many of the measures above for you, including daily backups. And should disaster strike, we can restore your website with a single click.