How to Secure a WordPress Website [ Security Guideline ]

Today we try to cover the WordPress security guideline. Hopefully, after reading this article you will learn how to secure a WordPress website. Below we give the table of content of this article for understanding the topic clearly.

How to secure a WordPress website

Table Of Content

• Why WordPress Security is Important.
• Is WordPress Safe?
• Issues Of WordPress Security.
• Hotlinking.
• How many steps you must take care of for your wordpress security.
• WordPress Security Guideline.
• Advance Security Guideline For WordPress.

Why WordPress Security is Important

Let’s discuss why every successful website built with WordPress makes security a priority. They apply to businesses of all sizes, reputations, and industries.

It protects your information & reputation

If attackers get personal information about you or your website visitors, there’s no end to what they can do with the information. Security breaches open you up to public information leaks, identity theft, ransomware, server crashes, and unfortunately, the list goes on. Needless to say, any of these events are far from ideal for the growth and reputation of your business and are usually a colossal waste of time, money, and energy.

Visitors Expectation

As your business grows, so will the number of problems you need to solve and your customers’ expectations of how you will address those problems. One of these issues is keeping your customers’ information secure. If you fail to provide this basic service from the start, you will undermine your customer’s trust in you.

Your customers need to trust that their information will be used and stored securely, whether it’s contact information, payment information (which requires PCI compliance), or our initial response to a survey. There’s a catch-22: If your security system works, your customers will never have to know. If they ever see your site’s security news, it’s probably bad news and most won’t come back.

Google bots like secure websites

Keeping your WordPress website secure is the cornerstone of maintaining a high-ranking website.

Why? Because a secure website is a searchable one. Website security directly affects search visibility on Google (and other search engines) and has for some time. Security is one of the easiest ways to increase your search rank.

Obviously, protecting your online assets should be a key concern. Every website needs to ensure the security of its visitors and users and we will go over the steps to do so. But at first time, you might be wondering: Actually WordPress safe?

Let’s look below.

Is WordPress Safe?

WordPress is a secure content management system. But, it can be vulnerable to attacks, like other CMS.

There’s no getting around it: websites that use WordPress are a popular target for cyberattacks. In its WordPress Security Report, a firewall service called Wordfence blocked 18.5 billion password attack requests on WordPress websites. That’s about 20 billion attacks on WordPress websites alone.

image source

This may be less surprising, knowing that 42.7% of all websites use WordPress. Still, nearly twenty billion attacks is still a lot, even considering WordPress’ market share. The bad news continues: 8 out of 10 WordPress security risks fall into the “medium” or “high” severity score according to the Common Vulnerability Scoring System.

image source

WordPress Security

Before you hard-delete your WP account, you should know that these numbers aren’t entirely WordPress’ fault. Or, at least, not the fault of the WordPress products themselves.

WordPress employs a large security team of world-class researchers and engineers to look for vulnerabilities in its systems and regularly releases security updates to its software. As far as WordPress Core goes, we are covered. The problem is how WordPress is made available to its users.

WordPress is open-source software, meaning the source code is available for anyone to modify and distribute. Since WordPress is open source, the software is infinitely customizable and optimizable. Thousands of plugins, themes, and developers are adept at modifying the backend code themselves. This flexibility is a defining feature of WordPress, That’s a huge part of what makes it so powerful and widely used.

The downside of all this freedom is that an improperly configured or maintained WordPress website is vulnerable to a myriad of security issues. WordPress gives its users a lot of power, and with great power comes great responsibility. A responsibility that many shirk. Hackers know this and target WordPress websites randomly.

You can rest easy, however, knowing the following: Perfect security just doesn’t exist, especially online. As WordPress says:

Security… is the reduction of risk, not the elimination of the risk. It’s about leveraging all the appropriate controls available to you, within reason, that allow you to improve your overall posture and reduce your chances of being hacked later.”

You can never guarantee complete immunity against online threats, but you can take steps to make them much less likely to happen. The fact that you’re reading this means you probably care about your security and are willing to go the extra mile to keep you and your visitors safe. To sum it all up, WordPress is safe, but only if its users take security seriously and follow best practices.

===========================

Issues Of WordPress Security

So, what can happen if someone puts all these numbers aside and does nothing to secure their WordPress site? As it turns out, a lot. The most common types of cyber attacks on WordPress websites are:

Brute-force login attempts

This one is the very easiest type of attack. A brute-force login occurs when attackers use automation to enter many username-password combinations very quickly, eventually guessing the correct credentials. Brute-force hacking is very dangerous, it can access any password-protected information, not only logins.

Cross-Site Scripting – (XSS)

XSS occurs when an attacker “injects” malicious code into the backend of a target website to extract information and destroy site functionality. This code can be introduced in the backend in a more complex way or submitted as a response to a user-facing form.

Database Injections

Also known as an SQL injection, it occurs when an attacker submits a string of malicious code to a website via some user input, such as a contact form. The website then stores the code in its database. Similar to XSS attacks, malicious code runs on websites to retrieve or compromise confidential information stored in databases.

Backdoors

A backdoor is a file containing code that allows an attacker to bypass the standard WordPress login and access your site at any time. Attackers place backdoors in other WordPress source files, making them difficult for inexperienced users to find. Even if removed, attackers can write variants of this backdoor and continue to use them to bypass your login.

Although WordPress limits the types of files users can upload to reduce the chance of backdoors, it’s still a problem to be aware of.

Denial-of-Service (DoS) Attacks

These attacks try to make resistance for authorized users from accessing their own websites. DoS attacks often overload a server with traffic and cause a crash. The effects are even worse in the case of a distributed denial-of-service attack (DDoS), a DoS attack carried out by many machines at once.

Phishing

When an attacker contacts a target by posing as a legitimate company or service, this is known as phishing. Phishing attempts usually prompt the target to give up personal information, download malware, or visit a dangerous website. If an attacker accesses your WordPress account, they can even coordinate phishing attacks on your customers while posing as you.

Hotlinking

Hotlinking occurs when another website shows embedded content (usually an image) hosted on your website without permission so that the content appears to be their own. More like plagiarism than outright attacks, hotlinking is generally illegal and causes serious problems for victims, since they have to pay when retrieving content from their server when it appears on another website.

To commit these crimes, hackers need to find holes in a site’s security. Common vulnerabilities are a hole for hackers, Normally, hackers look for when targeting WordPress websites include:.

Plugins

Third-party plugins are responsible for the majority of WordPress security breaches. Since plugins are developed by third parties and have access to the backend of your website, they are a common channel for hackers to disrupt your site’s functionality.

Outdated WordPress versions

WordPress sometimes releases new versions of its software to patch security vulnerabilities. As fixes come out, vulnerabilities become public knowledge, and problems with older versions of WordPress are often targeted by hackers.

The login page

By default, the backend login page of any WordPress website is the site’s root URL with “/wp-admin” or “/wp-login.php” appended to the end. Attackers can simply find this page and attempt a brute force entry easily.

Themes

Yes, even your WordPress theme can open your site up to cyber-attacks. Older themes may be incompatible with the latest version of WordPress, allowing easy access to your source files. Also, many third-party themes do not follow WordPress standards for code, leading to compatibility issues and similar vulnerabilities.

How many steps you must take care of for your wordpress security

1. Secure Your login method.
2. Active 2-step verification.
3. Use secure WordPress hosting.
4. Please update your WordPress version.
5. Update to the latest version of PHP.
6. Install one or more security plugins.
7. Use a secure WordPress theme.
8. Enable SSL/HTTPS
9. Install a firewall.
10. Back up your website.
11. Conduct regular WordPress security scans.
12. Filter special characters from user input.
13. Limit WordPress user permissions.
14. Use WordPress Monitoring.
15. Log user activity.
16. Change the default WordPress login URL.
17. Disable file editing in the WordPress dashboard.
18. Change the prefix of your database file.
19. Disable your xmlrpc.php file.
20. Consider deleting the default WordPress admin account.
21. Consider hiding your WordPress version.

Now that we’ve gotten past the scary part, let’s discuss what you can do to reduce the threat of cyber attacks on your WordPress website.

Website security, and by extension is important. WordPress website security is very important for its users, It’s can secure by following a set of best practices. Some of these apply to all websites in general (such as strong passwords and two-factor authentication, SSL, and firewalls), while others apply specifically to WordPress websites (such as using secure plugins and a secure WordPress theme).

To keep your site as secure as possible, we recommend that you adhere to these best practices as much as reasonably possible First, we’ll cover basic best practices. Then we’ll add additional steps if your site is particularly at risk or if you want to go further.

WordPress Security Guideline

1. Secure your login method

The most basic step in securing your website is keeping your accounts safe from malicious login attempts. To do this:

Use strong passwords

We used to think there would be flying cars in the near future, but as of this year, people are still using “abcdef/123456” as a password. Make sure all users with accounts in your WordPress backend are using strong passwords to log in You may want to use one of our recommended password managers to create strong passwords and track them for you.

Enable two-factor verification

Two-factor authentication verifies users’ sign-on with a second device. It’s one of the simplest, yet most effective tools to secure your login. Here’s how to add two-factor authentication to WordPress.

Avoid User Name ”Admin”:

Chances are, this is the first username attackers will plug in during a brute force login attempt. If you have already created a user with this name, create a new administrator account with a different username.

Limit login attempts

Placing a cap on the number of times a user enters incorrect credentials over a period of time will prevent hackers from forcing logins. Some hosting services and firewalls can take care of this for you, but you can install a plugin like Limit Login Attempts for the job.

Add a captcha

You’ve probably seen this security feature on many other websites. They add an extra layer of security to your login by verifying that you really are a live person. You can use plugins to add a captcha verification system on your site. We recommend Recaptcha by BestWebSoft — see our guide to enabling Google reCaptcha in WordPress.

Enable automatic logout

You should remember to log out of your WP account when finished, auto-logout prevents strangers from snooping into your account if you forget. To enable automatic logout on your WordPress account, try the Disable Logout plugin.

2. Use very secure WordPress hosting

When choosing a service that hosts your website, there are many factors to consider, but security should be a top priority. Consider services that have taken steps to protect your information and recover immediately in the event of an attack Check out our list of recommended WordPress hosting providers.

3. Update WordPress Version

Old versions of WordPress software are a very common target for hackers. Make sure you regularly check and install WordPress updates as soon as possible to eliminate vulnerabilities found in older versions.

To update WordPress to the latest version, the first backup your site and check if your plugins are compatible with the latest version of WordPress, then update the plugins accordingly. You can refer to our guide on how to update your WordPress plugins.

After updating your plugins, follow the update instructions on the WordPress website.

4. Update PHP Version.

Upgrading to the latest version of PHP is an important step you can take to keep your WordPress website secure. When the WordPress upgrade is ready, WordPress will notify you in your dashboard from their system. It will prompt you to go to your hosting account to upgrade to the latest PHP version. If you don’t have access to your web hosting account, contact your web developer to upgrade.

5. Install security plugins

We recommend installing one or more reputable security plugins on your website. These plugins do a lot of security-related manual work for you, including scanning your website for intrusion attempts, changing source files that could leave your site vulnerable, resetting and restoring WordPress sites, and preventing content theft like hotlinking. Some of the reputed plugins cover almost everything on this list. This step is not necessary if you use HubSpot’s content management system that provides malware scanning and threat detection within the platform.

Whatever plugins you decide to install, security-related or not, make sure they are well-established and valid. Read How to remove malware from your website.

6. Select a secure WordPress theme

Just as you shouldn’t install a sketchy plugin on your site, resist the urge to use just any WordPress theme that looks good. To prevent vulnerabilities created by a WordPress theme, choose one that complies with WordPress standards.

To check if your current theme meets WordPress requirements, copy your website URL (or the URL of any WordPress site or live demo of any theme) into the W3C’s verifier. If you find that your theme is not compatible, find a new theme in the official WordPress theme directory. All themes in this directory are securely compatible with WordPress software. Alternatively, check out HubSpot’s list of recommended WordPress themes, or search another trusted theme marketplace.

7. Use SSL/HTTPS

SSL (Secure Sockets Layer) is a technology that encrypts connections between your website and visitors’ web browsers, ensuring that traffic between your site and your visitors’ computers is safe from unwanted interception.

Your WordPress site needs to have SSL enabled. If you are a CMS Hub user, SSL is free and built into the platform so you are good to go. If you use WordPress, depending on your use case, you can do this manually or use a dedicated SSL plugin. Not only will this boost SEO, but it will also directly play into your website visitors’ first impression. Google Chrome will even warn users if the site they are visiting does not follow the SSL protocol, which directly reduces website traffic.

To see if your WordPress site follows the SSL protocol, visit your WordPress site’s homepage. If your website URL begins with “HTTPS://” then your connection is secured with the SSL. If the URL starts with “HTTP://”, you need to get an SSL certificate for your website immediately.

8. Install a firewall

A firewall sits between the network that hosts your WordPress website and all other networks & automatically prevents unauthorized traffic from entering your network or system from the outside. A firewall keeps malicious activity away from your site by excluding direct connections between your network and other networks.

We recommend installing a Web Application Firewall (WAF) plugin to keep your WordPress site secure. With CMS Hub, your site will come with WAF within the platform. As with everything else on this list, carefully research which type of firewall and which plugin works best for your needs before making your choice.

9. Make sure to back up your website

Being hacked is bad. Losing all your data is even worse. Make sure your website data is backed up by WordPress and your host in case of an attack (or any other event) that causes data loss. We also recommend automatic backups. Check out our list of the best WordPress backup plugins available.

10. WordPress Security Scan

This is a good idea for a security scan, it should be checked regularly or at least once a week. If you are busy then, observe at least once a month. WordPress platforms have multiple plugins that can scan your site without any charge for you. Here are seven WordPress scanner plugins we recommend.

Once you’ve taken these basic steps, you can move on to more advanced steps to secure your WordPress website.

Advance Security Guideline For WordPress

You must follow security guideline to Secure your WordPress website.

1. Filter special characters from user input

If any part of your website accepts a response from a visitor, be it a payment form, a contact form, or even a comment section on a blog post, this is a good opportunity for an XSS or database injection attack. Attackers can enter malicious code into any of these text fields and disrupt the backend of your website.

To avoid this type of problem, make sure you filter out all special characters from user input before it’s processed by your site and stored in a database. You can use a plugin to detect malicious code. Alternatively, you can use a WordPress form plugin to automatically filter these characters.

2. WordPress user permissions Limitations.

If you have multiple user accounts on your WordPress site, we recommend changing each user’s role to limit their access to only what they need. WordPress has six roles for each user to choose from. By limiting the number of users with administrator permissions, you reduce the opportunity for an attacker to force access to an administrator account and limit the damage that can be done if an attacker correctly guesses the user’s credentials. Check out our guide on how to change WordPress user permissions.

3. Monitoring WordPress Website

Having a monitoring system for your website will alert you to any suspicious activity that may occur on your site. Ideally, your other steps would have prevented such activity, but it’s better to find out sooner rather than later. You can use a WordPress monitoring plugin to receive alerts in case of violations.

4. User activity

Here’s another way to catch problems before they happen: Create a log of all the activity users take on your website and periodically check this log for suspicious activity. This way, you can see if another user is acting suspiciously (such as trying to change passwords, changing theme or plugin files, or installing or disabling plugins without permission). Logs are also useful for cleaning up after a hack, showing you what went wrong and when.

That’s not to say that all password changes or file changes are always signs of a hacker on your team. However, if you hire a lot of external contributors and allow them access, it’s always a good idea to keep an eye on things.

Many WordPress plugins generate activity logs and there are several dedicated logging plugins for WordPress such as WP Activity Log or Free Activity Log Plugin.

5. Change WP login URL

As I mentioned, it’s easy to find the default URL of the WordPress login page for any WordPress site. With plugins like WPS Hide Login, you can change your login URL.

6. Disable file editing from the WordPress dashboard

By default, WordPress allows administrators to edit the code of their files directly with the code editor. This gives attackers an easy way to modify your files if they gain access to your account. If a plugin doesn’t already disable this feature, you can do some light coding to disable it. Add the following code in the last of the wp-config.php file:

7. Change the prefix of your database file

The files that create your WordPress database start with “wp_” by default. Hackers use this setting to identify your database files by name and perform SQL injections.

A simple solution? Change the prefix to something different, such as “wpdb_” or “wptable_”. This can be set when setting up the WordPress CMS. You can rename these files if your site is already live with this setting In this case, we recommend using a plugin to manage this process since your database stores all your content, and a wrong configuration will break your website. Look for the ability to change table prefixes in the features of your preferred security plugin.

8. Disable your xmlrpc.php file

XML-RPC is a communication protocol that enables WordPress CMS to interact with the external web and mobile applications. Since the inclusion of the WordPress REST API, XML-RPC is used much less than before. However, it is still used by some to launch powerful attacks on WordPress sites.

This is because XML-RPC technology allows attackers to submit requests containing hundreds of commands, making it easy to brute force login attacks. XML-RPC is also less secure than REST because its requests contain authentication credentials that can be used.

If you are not using XML-RPC, you can disable the xmlrpc.php file. First, check if your site is using the file. Plug your URL into this XML-RPC validator to check if your site is currently using the protocol If not, the easiest way to disable this file is to disable a plugin such as XML-RPC-API Your WordPress security plugin may be able to do this for you.

9. Better to delete the WordPress admin account

We’ve discussed changing the username “admin” for the default WordPress admin account, but if you want to take things a step further, get rid of this default account entirely and create a new account with the same admin permissions. This is a good step to take if you think your real admin username and password have been discovered.

10. Consider hiding your WordPress version to maintain WordPress Security Guideline

Hiding your WordPress version prevents hackers from knowing your site is vulnerable. As previously covered, you should always update to the latest version of WordPress. But if you haven’t had a chance to do it yet, it’s important to hide potential vulnerabilities.