WordPress Hardening Action Plan [Checklist]
Every year, hundreds of thousands of WordPress sites are hacked. Most of those hacks could have been prevented with some basic WordPress security. The attacks that were more sophisticated could have been stopped with advanced WordPress security. And, let's face it, some of them could not have been stopped.
People have hacked into the Pentagon, the CIA, NASA and countless other "secret" and "secure" government agencies around the world. If a hacker REALLY wants to get into your site, they will probably find a way. Luckily, situations like that are few and far between until you become a major authority in the world.
When it comes to WordPress, the truth is, your site just needs to be more secure than the average. There are so many insecure WordPress sites that if a hacker encounters any sort of difficulty getting into your website they'll simply move on to the next one rather than bother hacking yours.
How Can Hackers Get into Your WordPress Site?
To the layperson, "spam" and "malware" may be the easiest ways to describe a WordPress security breach.
As a developer, you understand that hackers get much more creative than that.
Because of the variety of ways in which they attack or infect a website and the location through which they're able to get inside, there are over a dozen types of WordPress threats you should be aware of.
• SQL Injection
• Cross-site Scripting - WordPress XSS
• Forgery
• Phishing
• Remote File Inclusion
• File Upload
• Path Traversal
• WordPress Malware Redirect
• Brute Force Attack
• Distributed Denial of Service - WordPress DDoS attack
Again, you don't need to make your site unhackable, you just need to make it harder to hack than the others. Remember the premise of the old joke: "I don't need to outrun the bear, I just need to outrun you." Same thing with hackers. You just need to be a little better prepared than the other websites.
On that note, let's start with some basic WordPress security tips for your site so that you can have some peace of mind.
1. Keep an eye on your site's performance
You should be checking your website's load speed at least once a week. A sudden slowdown on your website can be an indicator that it's infected with malware or has been hacked.
Most brick-and-mortar business owners rarely check their websites, which means they could be down for an extended period without knowing about it. So an uptime monitoring service can be important if you're in that boat.
Pingdom is a great tool that can help you with both, starting at $15 or less per month.
Install security plugins
Installing security plugins that monitor your site files is a smart move. There are two major ones that we use and recommend: WordFence and Sucuri.
WordFence does things like scanning site files for changes on a regular schedule, limiting login attempts with wrong usernames or passwords, and keeping track of IP addresses that are using your website in suspicious ways. Some hosts don't like you using WordFence because that plugin can be a server resource hog. There are free and premium versions of this plugin.
Sucuri is a primo security plugin that scans your websites directly for malware. They also have a firewall that will filter out suspicious traffic before it even reaches your website. If you are infected with malware they'll also clean it up for you. They have free and premium versions, but all the cool stuff comes with the paid version.
Scan your WordPress site on a regular basis
Check and scan WordPress for malware using the best professional tools. Use multiple malware checkers: online site-check tools as well as on-site malware scanners. Scan your site thoroughly, first identifying the malicious hacks on the site such as a WordPress malware redirect. This scan helps in discovering and identifying the infected files.
You can also scan your WordPress theme for malware and identify the malicious files. Review the WordPress front end, back end, source code, file system, themes, plugins, updates, configuration and settings to discover the source of the attack. You can use the Advanced WordPress scanner by WP Hacked Help.
Their deep-scanning WordPress malware scanner detects viruses and trojans hidden deep within the server, and their WordPress experts clean it up. It is important for you to know the security gaps and what exactly needs to be done to clean up your site.
Don't keep ZIP backups on your server
It is important that you back up your website and database regularly if you are regularly adding new content to your site. Some backup plugins save the backups inside the WordPress directory. Bad move.
Hacking scripts can easily access those ZIP files and insert malware into them. Then, if for any reason you need to restore your site, you'll be restoring a hacked version of your website.
That's why it's best to have the backups either emailed to you or stored in the cloud with Dropbox, Google Drive, Amazon S3 or another cloud service provider.
Delete the install.php and upgrade.php files
These two files allow special access to server resources and are only required for installation or upgrading your WordPress site. So you can delete them once your site is installed or updated.
These files may reappear after you update your WordPress core files, so you'll have to delete them after every update.
Lock down directory access
There are two directories within your WordPress folder hierarchy that never need to be accessed by the public: wp-admin and wp-includes. It is always a good idea to restrict access to these directories using your .htaccess file.
Protect your wp-config.php file
The wp-config.php file is one of the most important files in your WordPress installation. If it's not protected, it's relatively easy for a hacker to access it and see your database credentials. They can use those database credentials and the file itself to wreak all kinds of havoc on your website.
There are two main ways to protect it. The one you choose will depend on your hosting account. If your website is on an Apache server you can use the .htaccess file to protect your wp-config.php file.
The second option is only useful if you are using a dedicated host and you have access to folders above the root of your website. If you do, you can move the wp-config.php file out of the public folders to the folder above the root.
Block too many failed logins
Too many failed login attempts in a short amount of time are an indication that someone is trying to guess a username and password combination that will give them access to your site. This is called a WordPress brute force attack.
You can block people that have failed to log in a certain number of times using the Wordfence plugin or the Limit Login Attempts plugin.
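The plugins above implement the idea for you; to show what such a limiter actually does, here is an added example of a minimal must-use plugin (it is not code from the original page or from either plugin). It assumes the `hc_` function prefix, a threshold of 5 failures in 15 minutes, and that the client IP in `REMOTE_ADDR` is genuine, which holds only when no reverse proxy or CDN sits in front of the site.

```php
<?php
/**
 * Plugin Name: Failed-login limiter (added example, not from the original page)
 * Description: Counts failed logins per client IP in a transient and refuses
 *              further attempts from that IP once a threshold is reached.
 * Place this file in wp-content/mu-plugins/ and WordPress loads it automatically.
 */

// Assumed tunables: 5 failures within 15 minutes lock the IP out for 15 minutes.
define( 'HC_MAX_FAILURES', 5 );
define( 'HC_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS );

/**
 * Transient key for the calling IP. Behind a proxy or CDN, REMOTE_ADDR is the
 * proxy's address; use the header the proxy sets, and only after confirming
 * the proxy overwrites any copy a client sends.
 */
function hc_failure_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'hc_login_failures_' . md5( $ip );
}

/**
 * Record one failed attempt. The transient expires after the window, so a
 * locked-out IP that keeps trying also keeps extending its own lockout.
 */
function hc_record_failure( $username ) {
    $key   = hc_failure_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, HC_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'hc_record_failure' );

/** A successful login clears the counter for that IP. */
function hc_clear_failures( $user_login, $user ) {
    delete_transient( hc_failure_key() );
}
add_action( 'wp_login', 'hc_clear_failures', 10, 2 );

/**
 * Runs after core's username/password check (core hooks authenticate at
 * priority 20). While the IP is locked out, any result, even a valid WP_User,
 * is replaced by an error, so a correct guess on the sixth try does not get in.
 * XML-RPC logins pass through the same filter and are covered too.
 */
function hc_block_locked_out( $user, $username, $password ) {
    if ( (int) get_transient( hc_failure_key() ) >= HC_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            '<strong>Error:</strong> Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'hc_block_locked_out', 30, 3 );
```

Because the counter lives in a transient, it is shared by every PHP worker serving the site and survives between requests; on a site with a persistent object cache the transient is stored there instead of in the database, which keeps the check cheap.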
Move the login page to a different URL
Brute force attacks are often carried out using automated tools. These tools look for the WordPress login page in the usual places: YourDomain.com/wp-login.php or YourDomain.com/wp-admin. If there's no login page there they have no choice but to move on. That's why moving the login page to a different URL is so handy.
There's a handy plugin called Move Login (https://en-ca.wordpress.org/plugins/sf-move-login/) that will help you do just that. You can choose the slug for the login page to be anything you want. Now when the automated tools scan WordPress sites for login pages to brute force, your site will be invisible to them.
Hide WordPress version
Every WordPress core update includes security patches. When an update is released, information about the patches and the vulnerabilities they fix is published online. Hackers know that most people don't update their websites right away AND the hackers now know the exact vulnerabilities that exist in previous versions of WordPress. This is what we call "low-hanging fruit".
To make matters worse, every WordPress site publishes the version number of the WordPress core files in the source code. Using automated tools, hackers can scan your site, find the version number and attempt to hack in using the known WordPress security vulnerabilities.
That is why it's so important to update your WordPress core files as soon as updates become available. It's also a good reason to remove the WordPress version number from your source code.
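The version appears in two places in the HTML: the generator meta tag in the page head and the `?ver=` query string core appends to its own scripts and stylesheets. The following is an added example of a must-use plugin that removes both (not code from the original page); the `hc_` names are assumptions. It strips `ver=` only when the value equals the running WordPress version, so theme and plugin assets keep their own cache-busting versions.

```php
<?php
/**
 * Plugin Name: Hide WordPress version (added example, not from the original page)
 * Description: Removes the generator tag and the core version from asset URLs.
 * Place this file in wp-content/mu-plugins/ and WordPress loads it automatically.
 */

// Remove <meta name="generator" content="WordPress x.y" /> from <head>.
remove_action( 'wp_head', 'wp_generator' );

// Blank the generator string used by feeds and other the_generator() callers.
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Core enqueues its own scripts and styles with ?ver=<WordPress version>.
 * Drop that parameter, but leave any other ver= value alone: a plugin's own
 * version string is its cache-buster and does not reveal the core version.
 */
function hc_strip_core_version( $src ) {
    if ( ! is_string( $src ) ) {
        return $src;
    }
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'hc_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'hc_strip_core_version', 9999 );
```

This only changes what the HTML reveals. The readme.html file shipped at the site root also states the version and is not touched by a plugin; delete it or block it in the web server if you want that path closed as well.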
Remove/disguise login error messages
When you enter an incorrect username and password combination into a WordPress login page the error messages give you hints about what you got wrong.
For example, if you enter an incorrect username AND an incorrect password, the error message says "Error: The username or password you entered is incorrect".
However, if you enter the correct username but an incorrect password, the error message says "Error: The password you entered is incorrect".
That's bad for business. If you're a hacker, you now know that you have a valid username and you just need to crack the password. For that reason it's much better to show the first error message all the time: "Error: The username or password you entered is incorrect".
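Core signals the two cases with different error codes on the `authenticate` filter (`invalid_username` when the account does not exist, `incorrect_password` when it does, and `invalid_email` for the e-mail login path). The following added example (not code from the original page; the `hc_` names are assumptions) hooks in after core's check and collapses those three into the single generic message, while leaving unrelated errors such as empty fields or a lockout from a limiter untouched.

```php
<?php
/**
 * Plugin Name: Generic login errors (added example, not from the original page)
 * Description: Makes a failed login look the same whether or not the username exists.
 * Place this file in wp-content/mu-plugins/ and WordPress loads it automatically.
 */

// Core error codes whose message differs depending on whether the account exists.
function hc_leaky_error_codes() {
    return array( 'invalid_username', 'incorrect_password', 'invalid_email' );
}

// The one message shown for any wrong username/password combination.
function hc_generic_login_message() {
    return '<strong>Error:</strong> The username or password you entered is incorrect.';
}

/**
 * Runs after core's checks on the authenticate filter (core uses priority 20)
 * and swaps any of the leaky errors for the generic one. Other WP_Error codes
 * pass through unchanged, as does a successful WP_User result.
 */
function hc_generic_credential_error( $user, $username, $password ) {
    if ( is_wp_error( $user ) && in_array( $user->get_error_code(), hc_leaky_error_codes(), true ) ) {
        return new WP_Error( 'invalid_credentials', hc_generic_login_message() );
    }
    return $user;
}
add_filter( 'authenticate', 'hc_generic_credential_error', 30, 3 );
```

Since the filter acts on the error object rather than the rendered text, XML-RPC and other code paths that call `wp_authenticate()` return the same neutral error as the login form. The lost-password form is a separate path: it reports whether an account matches the submitted username or e-mail address, and this example does not change that behaviour.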
Conclusion
WordPress powers nearly 22% of all websites on the internet, which is huge and it means that the WordPress community will probably be around for a long time to come. It also means that WordPress is a huge target for hackers.
Unfortunately, most webmasters don't care or don't know that they should be securing their websites. Sooner or later they will be hacked and it will hurt their business. Even by just browsing through this document you are doing more than the vast majority of webmasters, so good work!
Now it's time to take this to the next level. I've created a step-by-step tutorial action plan to harden your website substantially more than most people are doing.
Original Source: https://www.academia.edu/40546316/10-Point_WordPress_Security_and_Hardening_Tutorial