The term “harden WordPress” describes the process of making a default WordPress installation considerably more secure and harder to break into.
In our last post, we talked about converting WordPress sites to static HTML, prompted by a client with a very small website that was suffering from hacks, breakage after PHP updates and huge maintenance bills.
We converted their website to HTML, but that is not an option for everyone, especially when the site needs WordPress for functionality such as blogging, or when it is a large site that needs constant updating. In cases like these, taking steps to harden your installation goes a long way towards securing your site and your clients' data.
Around 30,000 websites are hacked every day, leading to loss of sensitive data, business downtime, risk of fraud and reduced trust. WordPress, while generally a secure platform on its own, has thousands of third-party add-ons called plugins that let it do far more than it was designed to do.
A lot of WordPress security breaches happen through outdated or insecure versions of these plugins, as well as through the other routes we discuss in this post.
Ways in which WordPress gets hacked
Brute force attacks
In a brute force attack, the attacker locates the login page of the website and then uses software that tries thousands of username and password combinations per second. Below are some example passwords and how long each takes to guess.
Distributed Denial of Service (DDoS)
A DDoS attack tries to take a website offline by flooding it (through bots or compromised computers) with far more traffic than its server can normally handle.
Pharma hacks
In a pharma hack, listings for illicit drugs are injected into the website to boost the search ranking (SEO) of the drug-vending sites, since those sites are not allowed to advertise anywhere.
Backdoors
Backdoors are hidden pieces of code that let an attacker get into a website and compromise it at will. They are commonly planted in themes and plugins downloaded from illegal sources.
Cross-Site Scripting (XSS)
Cross-site scripting (XSS) occurs when malicious code is injected into a website so that visitors' browsers run it every time the page loads.
Now that we have covered the common ways web applications are hacked, let's go through the different ways to secure your installation.
How to harden WordPress for better security
Do not use “admin” as your admin username
A typical WordPress installation comes with the default username “admin”. It is advisable to change this when installing WordPress: for attacks that guess the username and password, a predictable username means you have already done 50% of the attacker's work for them.
Change the backend link from “wp-admin”
An easy and fast way to find out whether a website runs WordPress is to add “/wp-admin” to the end of the web address. This is a big security risk, and most automated hacking attempts can be prevented by hiding the login so that /wp-admin leads to a 404 page.
If you use an auto-installer, change the default database prefix
Some auto-installers such as Fantastico use the same default database table prefix for every new installation. Make sure you change it during installation.
Keep all scripts up to date
Hackers improve their craft every day, and since most software is complex, vulnerabilities are found all the time and then patched by the developers via updates (which is why you get so many update notifications). Keeping your WordPress installation, plugins and themes up to date is one of the best ways to harden WordPress.
Never download premium themes or plugins from “free” sites
This is one of the biggest causes of hacks, especially on sites built by cheap offshore developers. To speed up development, most WordPress sites are built on ready-made themes and plugins. Some websites offer “nulled” or “free” versions of these paid scripts and, sadly, most scripts obtained from such websites contain backdoors, meaning that once the script is activated the attacker can take full control of the website.
Force HTTPS for all connections
HTTPS encrypts all communication between your website and the visitor's computer, whereas HTTP sends everything as plain text (including passwords) that can easily be intercepted and read. Get an SSL certificate and force all connections to go through HTTPS.
Add a CAPTCHA to your login forms
“Are you a robot?” If you use the internet a lot, you have probably answered that question. Those challenges are called CAPTCHAs; they make any suspicious user solve a puzzle to prove they are human, which helps prevent automated bots from making repeated login attempts on your site.
Use strong passwords and change them regularly
There are databases on the internet listing passwords that have been compromised (if you save your passwords in the Chrome browser, it shows you this too). Strong passwords that you use nowhere else protect you from brute force attacks.
Add two-factor authentication to your login
Two-factor authentication (2FA) makes you confirm your login with a text message, an email or an authenticator app after you have entered the correct password.
Delete all unused files, themes and plugins
When building a WordPress site, you might try out some themes or plugins, find they aren't what you want and deactivate them. It is advisable to delete whatever you aren't using from your system rather than leaving it deactivated.
Deactivate all unused features
WordPress has hundreds of features out of the box that you will never use, and some of them are security risks! For instance, we mentioned changing your admin username at the start, but did you know that adding “/wp-json/wp/v2/users” to the end of any WordPress site's address displays its user details? If you aren't using them, disable features like XML-RPC and the REST API.
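As an added example (not code from this article or from WordPress itself), a must-use plugin that switches off XML-RPC and removes the users endpoint for anonymous visitors while keeping it for logged-in users; the file name and path are assumptions:

```php
<?php
/**
 * Plugin Name: Harden: disable XML-RPC and hide the users endpoint
 *
 * Example for this article, not WordPress core code. Save it as
 * wp-content/mu-plugins/harden-endpoints.php (path assumed) so it loads
 * on every request without needing activation.
 */

// 1. XML-RPC. Refuse every method call; the endpoint is a favourite of
//    automated login-guessing bots because one request can carry many tries.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Stop advertising the endpoint: drop the X-Pingback header and the RSD link.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 2. REST API. /wp-json/wp/v2/users lists registered accounts to anyone.
//    The block editor needs the route for logged-in users, so keep it for
//    them and remove it for anonymous visitors, who then get the standard
//    404 "rest_no_route" response instead of a user list.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
} );
```

After installing, confirm that /xmlrpc.php answers with “XML-RPC services are disabled on this site” and that /wp-json/wp/v2/users returns rest_no_route in a logged-out browser.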
Generate and save regular backups
When you first complete development of your website, make a backup. Whenever you make changes or updates, create additional backups. They come in handy.
Disable file editing from the backend
WordPress comes with a feature that lets you edit theme and plugin code in the admin area. To harden WordPress, it is advisable to disable this.
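One wp-config.php fragment covers three of the points above: the non-default table prefix, forcing HTTPS for logins and the admin area, and disabling the file editor. This is an added example, not the article's code; the prefix value is made up and the reverse-proxy header check assumes your host sets that header.

```php
<?php
// Additions to wp-config.php, placed above the line "That's all, stop editing!".
// Example for this article: the constant names are WordPress's own, the prefix
// value is made up, and the proxy header check assumes your host sets it.

// A prefix that differs from the auto-installer default ("wp_") means canned
// attack scripts that hard-code wp_users or wp_options do not match your tables.
$table_prefix = 'k7q2x_';

// When a load balancer or CDN terminates TLS, PHP sees plain HTTP. Tell WordPress
// the client used HTTPS, otherwise FORCE_SSL_ADMIN below loops on redirect.
// Only do this when the proxy is the sole path to the server, because the
// header is client-supplied and a direct client could set it.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// Refuse plain-HTTP logins and admin sessions. The site-wide HTTP to HTTPS
// redirect for visitors still belongs in the web server configuration.
define( 'FORCE_SSL_ADMIN', true );

// Remove the theme and plugin code editor from the admin area, so a stolen
// admin login cannot be used to write arbitrary PHP through the dashboard.
define( 'DISALLOW_FILE_EDIT', true );
```

Change the prefix before the first install; on an existing site the tables and the option names in wp_options and wp_usermeta must be renamed to match.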
Make sure file permissions in the file manager are correct
In the file manager, you will see numbers like 644 and 755 next to files and folders. These are file permissions, and they determine who can view or modify each file. Folders should be 755, files 644, and wp-config.php should have 600.
Hide your WordPress version
An attacker who knows which version your website runs can look up the vulnerabilities it has (if it is not up to date), so it is important to disable the feature that prints the WordPress version in the page HTML.
Configure security HTTP headers
Security headers can be added to limit attacks such as XSS and clickjacking. Add these security headers to every page in your installation to secure your website.
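The two points above, hiding the version and sending security headers, fit in one must-use plugin. Added example for this article, not WordPress core code; the file path is an assumption, and the header values are a conservative starting set rather than a list from the article.

```php
<?php
/**
 * Plugin Name: Harden: hide the WordPress version and send security headers
 * Example for this article (assumed path wp-content/mu-plugins/harden-headers.php).
 */

// --- Hide the version ---
// Removes <meta name="generator" content="WordPress x.y"> from the page head
// and the generator element from feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Core scripts and styles load as ...?ver=<core version>, which leaks the same
// information; strip the parameter only when it equals the core version so
// plugin and theme asset versions (used for cache busting) are untouched.
$harden_strip_ver = function ( $src ) {
    if ( is_string( $src ) && false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
};
add_filter( 'style_loader_src', $harden_strip_ver );
add_filter( 'script_loader_src', $harden_strip_ver );

// --- Security headers ---
// send_headers fires for front-end page requests only; put the same headers in
// the web server configuration so admin pages, REST responses and static files
// get them too.
add_action( 'send_headers', function () {
    header( 'X-Frame-Options: SAMEORIGIN' );                        // clickjacking
    header( 'X-Content-Type-Options: nosniff' );                     // MIME sniffing
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    header( 'Permissions-Policy: camera=(), microphone=(), geolocation=()' );
    // Defence in depth for XSS: a CSP limited to frame-ancestors is safe to
    // deploy as-is; script-src rules need testing against the active theme
    // and plugins before they are added.
    header( "Content-Security-Policy: frame-ancestors 'self'" );
    if ( is_ssl() ) {
        // Send HSTS only once every subdomain answers on HTTPS.
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
} );
```

Verify with your browser's developer tools: the response headers should list the entries above, and the page source should contain no generator tag and no ?ver= matching the core version.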
Add a firewall to your website
Most hacks are not carried out by humans but by automated software designed to search for insecure websites and exploit them. A web application firewall monitors incoming traffic and blocks these automated bots.
Use SFTP for file transfers
FTP (File Transfer Protocol) is used to transfer files to and from the web server. Secure FTP (SFTP), like HTTPS, encrypts the data in transit and should be used instead for better security.
There is more you can do to secure a WordPress website, but going through the points above alone would eliminate 90% of the causes of website hacking.