How to Improve the Security of a WordPress Website
- WordPress update
- Incorrect hosting configuration
- Obsolete plugin or theme
- Vulnerable plugin
- Vulnerable theme
- Strong password
- Regular cleanup
- Regular backups
- Backup plugins you can use
- Security plugins
- What to do if a site were hacked
- Additional tips and tools
WordPress is a great platform, but like any other content management system it is susceptible to hacker attacks, especially if you use an ordinary free WordPress theme. I’m not against free WordPress themes; there are very good free themes in the official wordpress.org directory. But most free themes are not exactly ‘free’: they contain hidden links and obfuscated code that the authors have placed there exclusively for their own benefit, for example links to their own resources for promotion. Security problems do not lie only in free themes taken from unverified sources, however. The WordPress system itself is a source of possible security problems.
WordPress update
When a version with two numbers comes out, for example the latest 4.9, it means that the system has new functionality. When a version with three numbers comes out, for example the latest 4.9.1, it means that the system has been improved and additional security measures implemented. Read, for example, what the developers wrote on wordpress.org about the latest version 4.9.1: the very first sentence is about WordPress security. So the authors have found (by themselves or with someone’s help) “vulnerabilities” in the system code, and this is very bad. A regular update of the system is therefore a way to improve the security of your site. Update only when a version with three numbers in its serial number comes out, and don’t rush to update until updates for your plugins come out: their authors need to make sure the plugins work correctly with the new version of the system. And always make a full backup before upgrading, preferably of the entire site via FTP.
Incorrect hosting configuration
The hosting provider plays a huge role in protecting your site, especially when it comes to components over which you have no control, such as an outdated and vulnerable version of PHP or a vulnerable module of the Apache web server. Most often this happens with cheap hosting providers who offer “all-inclusive and unlimited” hosting for a few cents a year. Remember, good and reliable hosting costs money.
Obsolete plugin or theme
If a vulnerability is found in a theme or plugin, a responsible developer tries to fix it as soon as possible, so continuing to work with the old version of the theme or plugin is not safe. It’s best to update them on the day the new versions are released. This applies first and foremost to large and popular products. However, updates don’t always go as smoothly as one would like. If you doubt an update, test it on a local computer or a test server before applying it to the live site. If you have problems updating, you can always contact the developer through WordPress support.
Vulnerable plugin
To date, there are almost 25,000 different plugins in the WordPress repository. Among them are vulnerable ones that can give an attacker full access to your site. It’s not possible to know in advance whether a plugin is safe: a vulnerability check can take from several hours to several weeks, so confidence here rests on the trust and reputation of the plugin developer. The probability of a vulnerability in a popular plugin from a well-known developer is much lower than in a completely new, dubious one. When choosing a plugin, pay attention to the number of downloads, the frequency of updates, the support, and the other plugins from the same author. If there are any doubts, look for an alternative. If you find a vulnerability in a particular plugin, first contact the developer via email, Skype, etc. If the developer doesn’t respond, inform firstname.lastname@example.org so that the plugin is excluded from the WordPress repository.
Vulnerable theme
Unlike plugins, all themes on wordpress.org undergo a thorough check before being published, so the probability of finding a vulnerable theme there is very small. But if you do find an unsafe theme, first contact the theme developer, and then email@example.com to have it removed from the repository. I would also remind you that WordPress themes should be downloaded only from official resources. Most problems arise with themes downloaded from third-party and questionable sources.
Strong password
There are a lot of resources that can help you create a correct and strong password if you don’t have enough time or ideas. Why do you need a strong password? The most common technique for hacking a site is automatic guessing of the administrator’s login and password. This technique is called brute force. Your login page is attacked by a script capable of about 1000 tries per minute of numerous login and password variants. It’s very similar to a DDoS attack, even a little simpler.
You may say: “My website? Who needs it anyway?” The answer is no one except you, but hackers still have to attack someone. Moreover, you’ll be attacked not by people but by robots. They need to hack any site or computer available in order to use it in a linked system to hack other, more important resources. This is exactly how a DDoS attack is done: first, sites and computers around the world are hacked; next, they are combined into a system that attacks an important Internet resource like a bank, a government website, a military department, etc. Your site can become a participant in such illegal activity.
At best, your hosting account will be blocked by the server administrator and you’ll receive a letter stating that your account is blocked due to the spread of a virus. Will you be able to find the virus on the site, among hundreds of folders and thousands of files? To recognize a file that doesn’t belong to the WordPress system, plugins, or themes? And it often happens that the virus is embedded in an existing file; a script like that is even more difficult to detect since it’s hidden in the system files. So, start the process of protecting your site by setting a complex password.
Regular cleanup
In the past few years during which I’ve been using WordPress, I’ve changed a few themes and used dozens of different plugins. Some of them worked for me without any problems right from the beginning. Some are always deactivated and others are activated periodically to scan the site (security, speed checks, caching, etc.). Some I have long stopped using and have deleted from the site folders. I don’t have extra themes, plugins, unneeded scripts or anything like that. If there’s something inside the website system folders, it’s only what I use. Everything else I delete. I don’t need unnecessary folders and files that take up space and can be used by a hacker to add malicious code. And I advise you to do the same.
Regular backups
This is the simplest solution. Once a month, using an FTP client, download the root folder of each of your sites. Store at least two versions one month apart: each month delete the old one and add a new one. If you have, say, up to ten sites, the download process will take about one day. The total size of an average personal website is up to 10GB. If tomorrow the site fails or is hacked, just delete everything and upload the old version from your computer. The database doesn’t usually need to be backed up. It’s unlikely to be hacked (although this happens). You can back up both the site and the database using WordPress plugins.
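As an added example (not code from this article or from any of the plugins it describes), here is a small must-use plugin that implements the brute-force throttling described above in the way the security plugins later in this article do: it counts failed logins per client address, refuses that address for a while once the limit is reached, and emails the administrator. The limits, the transient prefix `lt_` and the file name `wp-content/mu-plugins/login-throttle.php` are assumptions.

```php
<?php
/* Plugin Name: Login Throttle (added example; save under wp-content/mu-plugins/) */
defined( 'ABSPATH' ) || exit;

const LT_MAX_ATTEMPTS    = 5;    // failures allowed inside one window (assumed value)
const LT_WINDOW_SECONDS  = 600;  // window in which failures are counted
const LT_LOCKOUT_SECONDS = 900;  // how long the address is refused afterwards

// Counters are keyed on the client address. REMOTE_ADDR is set by the web
// server; behind a reverse proxy you would read the proxy's header instead.
function lt_key( $suffix = '' ) {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lt_' . md5( $ip ) . $suffix;
}

// WordPress fires wp_login_failed for every wrong username/password pair.
add_action( 'wp_login_failed', function ( $username ) {
    if ( get_transient( lt_key( '_lock' ) ) ) {
        return; // already locked out, nothing more to count
    }
    $count = (int) get_transient( lt_key() ) + 1;
    set_transient( lt_key(), $count, LT_WINDOW_SECONDS );
    if ( $count >= LT_MAX_ATTEMPTS ) {
        set_transient( lt_key( '_lock' ), time() + LT_LOCKOUT_SECONDS, LT_LOCKOUT_SECONDS );
        // Notify the administrator by email, as the security plugins do.
        wp_mail(
            get_option( 'admin_email' ),
            'Login lockout on ' . home_url(),
            sprintf( '%s was locked out after %d failed logins (last username tried: %s)',
                     $_SERVER['REMOTE_ADDR'] ?? '?', $count, sanitize_user( $username ) )
        );
    }
} );

// Refuse a locked address even if it has now guessed the right password.
// Priority 40 runs after the built-in username/password and cookie checks,
// so a WP_User they returned is replaced by the error.
add_filter( 'authenticate', function ( $user ) {
    $until = get_transient( lt_key( '_lock' ) );
    if ( $until ) {
        $minutes = max( 1, (int) ceil( ( $until - time() ) / 60 ) );
        return new WP_Error( 'lt_locked',
            sprintf( 'Too many failed logins. Try again in %d minutes.', $minutes ) );
    }
    return $user;
}, 40 );

// A successful login clears the failure counter for that address.
add_action( 'wp_login', function () { delete_transient( lt_key() ); } );
```

Transients live in the options table (or the object cache), so the counters survive across requests without any extra table; a caching proxy in front of the site would have to pass the real client address through for the keying to be meaningful.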
Backup plugins you can use
This is the highest-quality plugin for performing WordPress backups. It can create backup copies of the database, files, and content on a pre-specified schedule. The backups created can be saved in various formats to a directory on the hosting, as well as sent to a specified email address or to cloud data stores such as Microsoft Azure, RackSpaceCloud, Dropbox or Amazon. The main advantages of the plugin are its high functionality, stability and a relatively simple backup process.
This plugin provides the ability to make regular backups of either the database alone or the database along with the WordPress files. The plugin creates its settings page in the backups section of the WordPress control panel, with two backup schedules already created by default and the ability to add new ones. You can set the frequency of backups, choose what exactly will be saved, how many backups will be stored on the server and whether a notification of a successful backup should be sent to your email. The paid version allows you to save backups to several cloud services automatically.
This plugin allows you to save not only the site files to archive but also the SQL file with a WP database that can be restored later through phpMyAdmin. The additional server configuration settings are also exported. You can view the full list of all the features of the plugin on the developer’s page.
This plugin links your site to the remote VaultPress service. It’s worth noting that the service doesn’t have a free or trial version, so get ready to pay immediately. After payment, you will be given access to the administrative panel, where you can find a complete list of backups made for your site according to the chosen VaultPress plan. You’ll need to configure an FTP or SSH connection between the service and the site. The admin panel of your site will contain a simplified version of the VaultPress admin panel, so that you can work with the service without visiting their site.
Dropbox is a very popular file storage service. Using the plugin, you can manage the creation of backups: set their regularity, include and exclude different directories, etc. The plugin also has excellent protection: your Dropbox login data isn’t stored in the plugin because it uses OAuth authorization.
This plugin allows you to restore a site quickly from a created copy. You can schedule your backups in the admin panel and set their time and regularity. Through the admin panel, you can manage the created backups. This plugin is recommended to all those who have only a superficial knowledge of WordPress or who are simply looking for an automated tool for creating backups. The plugin doesn’t use any third-party services to store backups, and that is its small disadvantage.
This plugin allows you to schedule backups and store them in an Amazon S3 account or directly on your host. Files can be archived to save space in your account. Backups on the host can be removed through the admin panel. You can set regular email notifications with the statistics of the last backup. In general, it’s a handy tool for scheduling regular backups. The license costs about $20.
Security plugins
I also want to briefly introduce the WordPress plugins whose main task is to help you improve the security of your site.
iThemes Security (formerly Better WP Security)
With this security plugin, you can change a lot of settings and enable monitoring of almost the entire website security system:
- Protection from Brute Force
- Theft-proof passwords
- Detecting file changes
- Lockout of bad users
- Database backup
- Detecting redirects to 404 error page
- Email alerts
- Ban by IP
The plugin is paid: a personal license costs $80, and an unlimited developer license is $150.
- Tracks IP addresses, usernames, and passwords
- Automatic notification of the administrator by email
- Slows access for a visitor who enters an incorrect login and password
- Helps to make passwords more complex
- Requires users to change their passwords regularly
- Administrator can request all users to change passwords
The plugin protects the site from unauthorized, suspicious and malicious URL requests. There’s a way to do this without a plugin by adding the necessary functions to the system files; however, if you don’t know how to do this, try using this plugin.
A comparatively young plugin, but one actively gaining popularity among users. It has currently been downloaded more than three million times. It performs one action: it compares your themes and plugins with the copies in the official WordPress library, and if the files differ it sounds the alarm.
One of the most sophisticated and complex security plugins. It includes a lot of functionality, which would be long and tedious to list in full. Download it, activate it and see for yourself. My impression of the plugin: the console is very overloaded. For me, it’s better to use three different plugins instead of this one. But the name “bulletproof” matches the built-in functionality.
When you read the words “all-in-one” in the title, you understand that this plugin is from the same series as the “Bulletproof” one. There is everything to protect the site from hacking and other security problems.
- Vulnerability scanning
- Protection against Brute Force attacks
- Deletion of spam comments
The plugin scans the files of the active theme and, if it finds suspicious code, tells the administrator either by email or immediately by instant message. The main thing is to understand what kind of code it is and whether it really is a virus. It scans only the one active theme. Is that good or bad? Good, but not enough to sleep peacefully. An excellent feature is that this plugin works fine alongside several other security plugins.
An excellent plugin, especially the latest versions. When I first started using it, it wasn’t altogether perfect. Now the author has added many useful functions. For example:
- Scans the system and shows the presence of the site in the Blacklist of various resources.
- Shows the most vulnerable places on the site and provides an opportunity to fix them.
- Monitors a large list of actions and automatically notifies an administrator by email.
- There’s a free version with a lot of functionality, and a paid version with a connection to the powerful sucuri.net service.
I recommend this plugin.
What to do if a site were hacked
If attackers have reached your site, you’ll have a hard time. The main thing in this case is to remain calm. Attackers often leave traces behind, usually in the form of extraneous plugins, modified core code, etc. Below are some tips for removing the traces of an attacker:
- Change all access passwords to the hosting site, including the password to the database.
- Install WordPress from scratch by downloading the latest version.
- Change all secret keys in wp-config.php.
- Export the entire database and clean it up thoroughly.
- Change the passwords of all users.
- Look through the download directory for extra files.
- Carefully check each plugin against the WordPress repository and install the latest versions.
- Carefully review the themes used and install the latest versions too.
Tools like Google Search Console and Exploit Scanner will also help you find and fix the signs of hacking on your site. Once the site is working again, try to understand how the attacker made his way in. A good hosting provider will often help you with this by providing an access log.
Additional tips and tools
Here are some other tips and tools to improve the security of your site. They are suitable for both beginners and more experienced users and programmers.
- If possible, enable SSL (HTTPS) for the administrative panel.
- Use secure SFTP or SSH instead of ordinary FTP when you work with hosting files.
- Use a non-default prefix for the database tables.
- Prevent file editing via wp-config.php.
- Disable execution of *.php files in the wp-content directory.
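As an added example (not from the article), here is a wp-config.php fragment that applies three of the tips above: the non-default table prefix, HTTPS for the login page and admin panel, and disabling file editing from the dashboard. The prefix value is constructed; the constants are real WordPress settings.

```php
<?php
// wp-config.php fragment (added example). Place these lines above
//   /* That's all, stop editing! Happy publishing. */

// Non-default table prefix. Set this on a fresh install: changing it on a
// live site means renaming every table and fixing the rows in the options
// and usermeta tables that embed the prefix. The value is a constructed example.
$table_prefix = 'x7q_';

// Force HTTPS for wp-login.php and the entire admin area, so credentials and
// the authentication cookie never travel in the clear.
define( 'FORCE_SSL_ADMIN', true );

// Remove the theme and plugin file editor from the dashboard, so a stolen
// administrator session cannot write PHP to the site through the browser.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter still: also block plugin/theme installs and updates from the
// dashboard. Updates then have to be done over SFTP/SSH, as recommended above.
define( 'DISALLOW_FILE_MODS', true );
```

The last tip, blocking execution of *.php files under wp-content (typically the uploads directory), is a web-server rule rather than a wp-config.php setting: on Apache a `<FilesMatch "\.php$">` deny rule in that directory’s .htaccess, or the equivalent location block on nginx.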
If you still have questions about the WordPress security, I’m happy to answer them. And if you have other recommendations for security tools, feel free to leave a comment too.