WordPress security issues, how to improve website security

WordPress security has been an important topic ever since the content management system was released back in 2003. As with any highly popular piece of software with a long and rich history, the CMS can sometimes become the target of WordPress hackers. Hostile actions could include a cross site scripting attack, sql injections, brute force attacks, and a number of other ways to gain unauthorized access. As hackers gain experience in finding new ways to exploit WordPress vulnerabilities, developers and security specialists get better at creating sites that are more difficult to breach. There are things developers and WordPress site owners can do if they don’t want hackers to gain access and bypass server security. In this article, we will discuss some actions a WordPress admin can perform to prevent a platform from becoming one of many hacked websites.

Proper permissions for wp-config.php and .htaccess on the server

644 -rw-r–r– /home/user/wp-config.php

644 -rw-r–r– /home/user/cgi-bin/.htaccess

to secured permissions:

600 -rw——- /home/user/wp-config.php

600 -rw—— /home/user/cgi-bin/.htaccess

Use an up-to-date and secure version of PHP

As of October the 6th, 2021, the most recent and recommended version of WordPress is 7.4. One can always check for supported and secure PHP versions by following the link: https://www.php.net/supported-versions.php . As with any piece of software, keeping everything up to date is an important factor for WP security.

Disable the editing of themes and plugins from WordPress admin panel level

If hackers gain access to an admin account, it will be very easy for them to input malicious code into themes and plugins. We are going to use DISALLOW_FILE_EDIT to disable file editing and improve website security. Here is how to do it:

1. The first step is to open wp-config.php using a text editor.
2. Within that file, find the line: /* That’s all, stop editing! Happy blogging. */ and place the following code above it: define( ‘DISALLOW_FILE_EDIT’, true );
3. Save changes end exit the file.
4. If you go to your WP dashboard and if you did everything correctly, the “Plugins > Editor” and “Appearance > Editor” links should no longer be visible

Keep your WordPress plugins updated

It’s a good idea to follow technological blogs and WP fan groups on social media, such as Facebook. Many WordPress users share notifications about critical errors in specific WordPress plugins. If you see an error concerning one that you use on your WordPress website, perform an update immediately. Furthermore, make sure to delete unused plugins to avoid unnecessary security vulnerabilities.

One website worth following to stay updated is https://www.wordfence.com/blog/.

Install WordPress themes and plugins only from trusted sources

The safest way is to use the official database/repository. For WordPress themes this is https://wordpress.org/themes/

whereas trusted WordPress plugins can be found here: https://wordpress.org/plugins/

The files in this repository have been verified, and likely subjected to malware scanning software before upload.

Change the wp_ prefix in the database during WordPress installation

By default, WordPress installation proceeds with the wp_ prefix, but it is worth to change it to an original one during the process. By doing so, we will make it more difficult for malware to gain access to our database and extract data.

Do not use the default “admin” login, use strong passwords

It is imperative to change the login to an original one. Strong passwords with multiple different symbols are also more difficult to crack.

Disable user registration if you do not need this function

To do this:

1. Go to the Settings page, General section

2. Uncheck the “Anyone can register” field in the Membership section.

3. Save changes.

Disable comments if they are unnecessary

There are several ways to do it, you can use code, the built-in options of WordPress, or a plugin.

To disable comments globally using WordPress itself, follow the steps below:

1. Go to Settings, the Discussion section

2. Uncheck the “Allow people to post comments on new articles” field

3. Save changes

You can also write your own code or use a plugin to achieve the same effect, but in this tutorial we only present the fastest option.

Configure robots.txt to block unauthorized access to WordPress files

This file, which is placed in the main folder of the domain, acts like a signpost for Google crawlers showing the pages they should visit and index, and the ones they should not. You can use the example presented in the grey box here: https://wpninja.pl/artykuly/zaawansowane-pozycjonowanie-wordpressa/#robots-txt (remembering to change http://www.example.com/ to your own domain)

or have a look at the official Google guidelines for robots.txt: https://developers.google.com/search/docs/advanced/robots/create-robots-txt

Protect yourself against user enumeration

User enumeration is a form of malicious activity that allows hackers to use brute force attacks in order to gain access to user accounts. Check out the discussion on StackExchange on how to reduce the risk: https://wordpress.stackexchange.com/questions/182236/completely-remove-the-author-url

Secure access to wp-admin / wp-login.php, two-factor authentication, limited login attempts

This action can be performed in many ways. The most popular one is to limit access to specific IP addresses or to display an additional window with authentication information. We can also set up a limit for log in attempts or use two factor authentication.

Two-factor authentication

To set up this functionality, first download the Google Authenticator plugin.

After installing, go to the Profile page and check the “Active” field in the Google Authenticator Settings:

Now it’s time to get the Google Authenticator app for Android:

After launching the authenticator, a request should appear to input a code or to scan a QR code. Go back to your plugin settings and either copy the code to your app or select “Show/Hide QR code” and scan it with your phone:

This will begin automatic configuration, you should accept all changes and then click “Update profile” on the “Your profile” subpage. From now on, each attempt at logging in will require two-factor authentication on the WordPress login page.

Log in attempt limitation

As mentioned before, one other method of preventing brute force attacks is to limit the number of times a user can attempt to log in. How to do it?

Probably the simplest solution is to use one of the many WordPress security plugins, such as the WP Limit Login Attempts by Arshid. You can download the security plugin here: https://pl.wordpress.org/plugins/wp-limit-login-attempts/

Make backup copies regularly

Even the best protection may not be enough to save your website from WordPress hackers. Therefore, make sure you always have a backup in case the worst happens. Check if your hosting provider makes regular backups every day. Alternatively, you can make use of the following security plugin: https://wordpress.org/plugins/updraftplus/

Hide information about the WordPress versions you use

The information about your version of WP can be of use to hackers, so there is really no need to share it freely. First, block access to your readme file by adding the following lines of code to your .htaccess file:

<files readme.html>
    order allow,deny
    deny from all
    </files>

Second, use a security plugin to deactivate this information. One such plugin is Sucuri, which should automatically hide this information once it is activated, but verify this by visiting “Settings” > “Hardening” tab just to be sure.

You can also remove version information by adding the following lines of code either to a site-specific plugin or a code snippets plugin:

function wpbeginner_remove_version() {
return '';
}
add_filter('the_generator', 'wpbeginner_remove_version');

Third, remove information on WP version in the CSS/JS files loaded on the website. Here is a link on how to do it, following the recommendations by user tjhole: https://gist.github.com/tjhole/7451994

Block the execution of PHP scripts in specific WP catalogues

Disable PHP file execution in unnecessary directories to improve your security. Following the solutions at wpbeginner.com, open a text editor and type in the following code:

<Files *.php>
deny from all
</Files>

Save this file as .htaccess and upload it to /wp-content/uploads/ folders on your website.

Disable access to the REST API of your WordPress (if you are not planning to use it)

You can do this by using the following plugin: https://pl.wordpress.org/plugins/disable-json-api/

Limit or disable access to XML-RPC (pingback, mobile apps)

If you are not using XML-RPC, disable it with:

function remove_xmlrpc_pingback_ping( $methods ) { unset($methods['pingback.ping']); unset($headers['X-Pingback']); return $methods; } add_filter('xmlrpc_enabled', '__return_false'); add_filter('xmlrpc_methods', 'remove_xmlrpc_pingback_ping' );

or with .htaccess:

<Files xmlrpc.php> Order deny,allow Deny from all </Files>

Check out this link if you need additional information: https://www.wpbeginner.com/plugins/how-to-disable-xml-rpc-in-wordpress/

Make sure your website has an SSL certificate

Theoretically, you could use a plugin to do it, but we recommend a more “manual” way suggested at https://thecamels.org/en/compendium-how-to-secure-your-wordpress/ . Check out the “How to properly enable SSL in WordPress” section, and follow the guidelines.

Conclusion

Security should be a top priority of any enterprise, big or small. We hope you find these suggestions useful in the fight against hackers and malicious software. Make sure to follow us for other tips and guidelines.