WordPress security issues, how to improve website security - createIT
    October 28, 2021
    Last update: November 22, 2023
    7 min read

    WordPress security has been an important topic ever since the content management system was released back in 2003. As with any highly popular piece of software with a long and rich history, the CMS can sometimes become the target of attackers. Hostile actions include cross-site scripting (XSS), SQL injection, brute-force attacks and a number of other ways to gain unauthorized access. As attackers gain experience in finding new ways to exploit WordPress vulnerabilities, developers and security specialists get better at building sites that are more difficult to breach. There is plenty that developers and WordPress site owners can do to keep attackers from gaining access and bypassing server security. In this article, we discuss actions a WordPress admin can take to prevent their platform from becoming one of the many hacked websites.

    Proper permissions for wp-config.php and .htaccess on the server

    Change the default permissions:

    644 -rw-r--r-- /home/user/wp-config.php
    644 -rw-r--r-- /home/user/cgi-bin/.htaccess

    to secured permissions:

    600 -rw------- /home/user/wp-config.php
    600 -rw------- /home/user/cgi-bin/.htaccess
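    The same change carried out and verified from a shell, as an added example that is not part of the original article. It creates a throwaway directory standing in for /home/user, so it runs anywhere without touching a live site; on a real server you would point harden_perms and check_perms at the actual paths.

```shell
#!/bin/sh
# Added example (not from the original article): tighten the permissions on
# wp-config.php and .htaccess and verify the result. The demo uses a temporary
# directory as a stand-in for /home/user, so nothing on the real site is touched.

set -eu

# Restrict FILE to owner read/write only (mode 600).
harden_perms() {
  chmod 600 "$1"
}

# Print the numeric permission bits of FILE (GNU and BSD stat differ).
octal_mode() {
  if stat -c '%a' "$1" >/dev/null 2>&1; then
    stat -c '%a' "$1"
  else
    stat -f '%Lp' "$1"
  fi
}

# Succeed only when FILE has exactly mode EXPECTED; otherwise report and fail.
check_perms() {
  actual=$(octal_mode "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  printf 'INSECURE: %s is mode %s, expected %s\n' "$1" "$actual" "$2" >&2
  return 1
}

# Walk through the article's before/after on constructed files and print the
# resulting mode of wp-config.php.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/cgi-bin"
  : > "$root/wp-config.php"
  : > "$root/cgi-bin/.htaccess"
  chmod 644 "$root/wp-config.php" "$root/cgi-bin/.htaccess"   # the loose default

  for f in "$root/wp-config.php" "$root/cgi-bin/.htaccess"; do
    harden_perms "$f"
    check_perms "$f" 600
  done
  result=$(octal_mode "$root/wp-config.php")
  rm -rf "$root"
  echo "$result"
}

demo
```

    Mode 600 assumes PHP runs as the file owner (the usual case with per-user PHP-FPM pools or suPHP). Where PHP runs as a separate web-server user, the file must stay readable to that user, which is why 640 with the web-server group is the common alternative; check_perms lets you assert whichever mode your hosting actually needs.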

    Use an up-to-date and secure version of PHP

    As of October 6th, 2021, the most recent version of PHP recommended for WordPress is 7.4. You can always check which PHP versions are supported and still receive security fixes at https://www.php.net/supported-versions.php. As with any piece of software, keeping everything up to date is an important factor in WP security.

    Disable the editing of themes and plugins from WordPress admin panel level

    If an attacker gains access to an admin account, it is very easy for them to inject malicious code into themes and plugins through the built-in file editor. We are going to use the DISALLOW_FILE_EDIT constant to disable file editing and improve website security. Here is how to do it:

    1. The first step is to open wp-config.php in a text editor.
    2. Within that file, find the line /* That's all, stop editing! Happy blogging. */ and place the following code above it: define( 'DISALLOW_FILE_EDIT', true );
    3. Save the changes and close the file.
    4. Go to your WP dashboard: if you did everything correctly, the “Plugins > Editor” and “Appearance > Editor” links should no longer be visible.
    WordPress dashboard with the Theme Editor option highlighted
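    The four steps above, scripted so they can be repeated across many installations, as an added example that is not part of the original article. It inserts the define directly above the “stop editing” marker, refuses to add it a second time, and fails without touching the file if the marker cannot be found. The demo runs on a constructed copy of wp-config.php; the real file is whatever path your installation uses.

```shell
#!/bin/sh
# Added example (not from the original article): add DISALLOW_FILE_EDIT to
# wp-config.php from a shell, placing it directly above the "stop editing"
# marker and refusing to add it twice. The demo works on a constructed copy.

set -eu

# Both the older ("Happy blogging.") and newer ("Happy publishing.") marker
# lines start with this prefix.
MARKER_PREFIX="/* That's all, stop editing!"
DEFINE="define( 'DISALLOW_FILE_EDIT', true );"

# Succeed if FILE already defines DISALLOW_FILE_EDIT as true.
has_file_edit_disabled() {
  grep -Eq "define\( *'DISALLOW_FILE_EDIT', *true *\);" "$1"
}

# Insert the define above the marker in FILE, exactly once. Fails without
# modifying FILE when the marker line cannot be found.
disable_file_edit() {
  cfg=$1
  if has_file_edit_disabled "$cfg"; then
    return 0
  fi
  tmp="$cfg.tmp"
  awk -v marker="$MARKER_PREFIX" -v def="$DEFINE" '
    index($0, marker) == 1 && !done { print def; done = 1 }
    { print }
  ' "$cfg" > "$tmp"
  if ! grep -Fq "$DEFINE" "$tmp"; then
    rm -f "$tmp"
    echo "marker not found in $cfg; add the define by hand" >&2
    return 1
  fi
  mv "$tmp" "$cfg"
}

# Line number of the first line of FILE containing NEEDLE.
line_of() {
  grep -Fn -- "$2" "$1" | head -n 1 | cut -d: -f1
}

# Run the edit twice on a constructed wp-config.php and print
# "<define line> <marker line> <number of defines>"; expected "5 6 1".
demo() {
  dir=$(mktemp -d)
  cfg="$dir/wp-config.php"
  cat > "$cfg" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
$table_prefix = 'wp_';

/* That's all, stop editing! Happy blogging. */

if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
EOF
  disable_file_edit "$cfg"
  disable_file_edit "$cfg"   # second run must change nothing
  def_ln=$(line_of "$cfg" "DISALLOW_FILE_EDIT")
  mark_ln=$(line_of "$cfg" "stop editing")
  count=$(grep -c "DISALLOW_FILE_EDIT" "$cfg")
  rm -rf "$dir"
  echo "$def_ln $mark_ln $count"
}

demo
```

    The idempotency check matters because PHP treats a second define() of the same constant as an error; a file that already carries define( 'DISALLOW_FILE_EDIT', false ) will not match the check and should be fixed by hand rather than by appending a conflicting line.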

    Keep your WordPress plugins updated

    It’s a good idea to follow technology blogs and WP fan groups on social media, such as Facebook. Many WordPress users share notifications about critical flaws in specific WordPress plugins. If you see a report concerning one that you use on your WordPress website, update it immediately. Furthermore, make sure to delete unused plugins to avoid unnecessary security vulnerabilities.

    One website worth following to stay updated is https://www.wordfence.com/blog/.

    Install WordPress themes and plugins only from trusted sources

    The safest way is to use the official database/repository. For WordPress themes this is https://wordpress.org/themes/

    A preview of a website with WordPress themes, blue header and theme examples below

    whereas trusted WordPress plugins can be found here: https://wordpress.org/plugins/

    WordPress Plugins site with a blue header and plugins below

    The files in this repository have been verified, and likely subjected to malware scanning software before upload.

    Change the wp_ prefix in the database during WordPress installation

    By default, the WordPress installer uses the wp_ table prefix, but it is worth changing it to a custom one during the process. By doing so, we make it more difficult for malware to access our database and extract data.

    WordPress dashboard

    Do not use the default “admin” login, use strong passwords

    It is imperative to change the username to a non-default one. Strong passwords with many different symbols are also more difficult to crack.

    Disable user registration if you do not need this function

    To do this:

    1. Go to the Settings page, General section

    2. Uncheck the “Anyone can register” field in the Membership section.

    3. Save changes.

    WordPress options panel

    Disable comments if they are unnecessary

    There are several ways to do it: you can use code, the built-in options of WordPress, or a plugin.

    To disable comments globally using WordPress itself, follow the steps below:

    1. Go to Settings, the Discussion section

    WordPress settings panel with Discussion highlighted

    2. Uncheck the “Allow people to post comments on new articles” field

    WordPress discussion settings

    3. Save changes

    You can also write your own code or use a plugin to achieve the same effect, but in this tutorial we only present the fastest option.

    Configure robots.txt to block unauthorized access to WordPress files

    This file, which is placed in the root folder of the domain, acts as a signpost for search-engine crawlers, showing the pages they should visit and index and the ones they should not. Bear in mind that it is only a request honoured by well-behaved crawlers, not an access control, so pair it with server-side rules such as the .htaccess entries further down. You can use the example presented in the grey box here: https://wpninja.pl/artykuly/zaawansowane-pozycjonowanie-wordpressa/#robots-txt (remembering to change http://www.example.com/ to your own domain)

    or have a look at the official Google guidelines for robots.txt: https://developers.google.com/search/docs/advanced/robots/create-robots-txt

    Google Search Central website with info on the robots.txt file

    Protect yourself against user enumeration

    User enumeration is a reconnaissance technique in which an attacker discovers valid usernames, for example through author archive URLs, so that brute-force attacks can be aimed at real accounts. Check out the discussion on StackExchange on how to reduce the risk: https://wordpress.stackexchange.com/questions/182236/completely-remove-the-author-url

    Secure access to wp-admin / wp-login.php, two-factor authentication, limited login attempts

    This can be done in many ways. The most popular are to restrict access to specific IP addresses or to put an additional authentication prompt (such as HTTP basic authentication) in front of the login page. We can also limit login attempts or use two-factor authentication.

    Two-factor authentication

    To set up this functionality, first download the Google Authenticator plugin.

    The subsite of the Google Authenticator WordPress Plugin with a description of the plugin

    After installing, go to the Profile page and check the “Active” field in the Google Authenticator Settings:

    Google Authenticator Settings with one option and a tickbox

    Now it’s time to get the Google Authenticator app for Android:

    Google Authenticator site on the Google Play Store with the icon of the app and some description

    After launching the authenticator, a request should appear to input a code or to scan a QR code. Go back to your plugin settings and either copy the code to your app or select “Show/Hide QR code” and scan it with your phone:

    Google Authenticator Settings with multiple options and tickboxes

    This begins the automatic configuration; accept all changes and then click “Update profile” on the “Your profile” subpage. From now on, each login attempt will require two-factor authentication on the WordPress login page.

    Log in attempt limitation

    As mentioned before, another method of preventing brute-force attacks is to limit the number of times a user can attempt to log in. How do you do it?

    Probably the simplest solution is to use one of the many WordPress security plugins, such as the WP Limit Login Attempts by Arshid. You can download the security plugin here: https://pl.wordpress.org/plugins/wp-limit-login-attempts/

    A website for the WP Limit Login Attempts WordPress plugin with the plugin's padlock icon and description
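    Whichever plugin enforces the limit, the web server's access log shows whether the protections are being tested. The script below, an added example that is not part of the original article, covers both the user-enumeration section above and this one: it counts author-archive and REST user-listing probes per client, and flags clients that POST to wp-login.php more than a threshold number of times. The log lines are constructed in the common Apache/Nginx combined format; the threshold of 5 is an assumption to tune for your site.

```shell
#!/bin/sh
# Added example (not from the original article): detect user-enumeration
# probes and wp-login.php brute-force bursts in a combined-format access log.
# The log lines are constructed; the threshold is an assumption to tune.

set -eu

LOGIN_THRESHOLD=5   # POSTs to wp-login.php from one IP before it is flagged

# Constructed sample in Apache/Nginx combined format. The 301 answers to
# /?author=N are the tell-tale: WordPress redirects them to /author/<username>/,
# which is exactly what an enumeration script harvests.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [28/Oct/2021:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.68.0"
203.0.113.7 - - [28/Oct/2021:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.68.0"
203.0.113.7 - - [28/Oct/2021:10:00:03 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "curl/7.68.0"
198.51.100.9 - - [28/Oct/2021:10:01:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2021:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "curl/7.68.0"
203.0.113.7 - - [28/Oct/2021:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "curl/7.68.0"
203.0.113.7 - - [28/Oct/2021:10:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "curl/7.68.0"
203.0.113.7 - - [28/Oct/2021:10:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "curl/7.68.0"
203.0.113.7 - - [28/Oct/2021:10:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "curl/7.68.0"
203.0.113.7 - - [28/Oct/2021:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "curl/7.68.0"
198.51.100.9 - - [28/Oct/2021:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
)

# Write the sample to a temporary file and print its path.
write_sample_log() {
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_LOG" > "$f"
  echo "$f"
}

# Print "IP count" for every client that requested author archives by numeric
# id or the REST users listing. Field 6 is the quoted method, field 7 the path.
enumeration_probes() {
  awk '$6 == "\"GET" && ($7 ~ /^\/[?]author=[0-9]+/ || $7 ~ /^\/wp-json\/wp\/v2\/users/) { n[$1]++ }
       END { for (ip in n) print ip, n[ip] }' "$1"
}

# Print "IP count" for clients with at least THRESHOLD POSTs to wp-login.php.
login_bursts() {
  awk -v t="$2" '$6 == "\"POST" && $7 == "/wp-login.php" { n[$1]++ }
                 END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' "$1"
}

logfile=$(write_sample_log)
echo "enumeration probes:"; enumeration_probes "$logfile"
echo "login bursts:";       login_bursts "$logfile" "$LOGIN_THRESHOLD"
rm -f "$logfile"
```

    Run against a real log, the single legitimate login from 198.51.100.9 stays below the threshold while the scripted client stands out on both counts; the same two awk programs work unchanged as a cron job feeding a block list or an alert.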

    Make backup copies regularly

    Even the best protection may not be enough to save your website from attackers. Therefore, make sure you always have a backup in case the worst happens. Check whether your hosting provider makes backups every day. Alternatively, you can make use of the following security plugin: https://wordpress.org/plugins/updraftplus/

    The website for the UpdraftPlus WordPress Backup Plugin with the plugin's icon and description

    Hide information about the WordPress versions you use

    Information about your WP version can be of use to attackers, so there is no need to share it freely. First, block access to the readme file by adding the following lines to your .htaccess file:

    <Files readme.html>
        Order allow,deny
        Deny from all
        # On Apache 2.4 without mod_access_compat use: Require all denied
    </Files>

    Second, use a security plugin to remove this information. One such plugin is Sucuri, which should hide it automatically once activated, but verify this under “Settings” > “Hardening” just to be sure.

    The website for the Sucuri Security plugin with its icon and description

    You can also remove version information by adding the following lines of code either to a site-specific plugin or a code snippets plugin:

    // Return an empty string for the generator tag so the WordPress version
    // is no longer printed in the page head and in feeds.
    function wpbeginner_remove_version() {
        return '';
    }
    add_filter( 'the_generator', 'wpbeginner_remove_version' );

    Third, remove the WP version from the CSS/JS files loaded on the website. Here is a link on how to do it, following the recommendations of GitHub user tjhole: https://gist.github.com/tjhole/7451994
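    After applying the second and third steps, it is worth confirming that the rendered page really stopped leaking. The script below, an added example that is not part of the original article, audits a saved copy of a page for the two client-visible leaks: the generator meta tag and the ?ver= query strings on stylesheet and script URLs. The HTML samples are constructed; blocking readme.html is a server-side rule and is not checked here.

```shell
#!/bin/sh
# Added example (not from the original article): audit a saved copy of a page
# for the two client-visible version leaks the article covers, the generator
# meta tag and the ?ver= query strings on CSS/JS. The HTML samples are
# constructed; readme.html blocking is server-side and is not checked here.

set -eu

# Count <meta name="generator"> tags in FILE (case-insensitive).
count_generator_tags() {
  awk '{ l = tolower($0); n += gsub(/<meta[^>]*name="generator"/, "", l) }
       END { print n + 0 }' "$1"
}

# Count ?ver= (or &ver=) query parameters on asset URLs in FILE.
count_ver_params() {
  awk '{ n += gsub(/[?&]ver=[0-9A-Za-z._-]+/, "") } END { print n + 0 }' "$1"
}

# Summarise FILE as "generator=<n> ver=<n>"; both should be 0 once hardened.
audit_version_leaks() {
  echo "generator=$(count_generator_tags "$1") ver=$(count_ver_params "$1")"
}

# Constructed before/after pages: the first leaks in both ways, the second has
# the generator tag filtered out and the ver parameters stripped.
write_samples() {
  dir=$(mktemp -d)
  cat > "$dir/leaky.html" <<'EOF'
<html><head>
<meta name="generator" content="WordPress 5.8.1" />
<link rel="stylesheet" href="https://example.com/wp-content/themes/site/style.css?ver=5.8.1" />
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.0"></script>
</head><body></body></html>
EOF
  cat > "$dir/hardened.html" <<'EOF'
<html><head>
<link rel="stylesheet" href="https://example.com/wp-content/themes/site/style.css" />
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js"></script>
</head><body></body></html>
EOF
  echo "$dir"
}

samples=$(write_samples)
audit_version_leaks "$samples/leaky.html"      # generator=1 ver=2
audit_version_leaks "$samples/hardened.html"   # generator=0 ver=0
rm -rf "$samples"
```

    Note that the ver parameter also carries library versions (jQuery in the sample), not only the WordPress release, which is why the gist linked above strips it from every enqueued asset rather than only from core files.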

    Block the execution of PHP scripts in specific WP directories

    Disable PHP file execution in directories that do not need it to improve your security. Following the solution at wpbeginner.com, open a text editor and type in the following code:

    <Files *.php>
        Deny from all
    </Files>

    Save this file as .htaccess and upload it to the /wp-content/uploads/ folder of your website.
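    Two things a practitioner wants alongside that rule: a way to install it without stacking duplicate copies in an existing .htaccess, and a check that no PHP file is already sitting in the uploads tree, since the rule only stops execution and does not remove anything. The script below is an added example, not part of the original article or of wpbeginner's solution; it runs on a constructed uploads directory, and you would point both functions at the real /wp-content/uploads/.

```shell
#!/bin/sh
# Added example (not from the original article): install the article's
# "no PHP in uploads" rule without duplicating it, and list any PHP files
# already sitting in the uploads tree (there should be none). The demo uses
# a constructed uploads directory; point both functions at the real one.

set -eu

HTACCESS_RULE='<Files *.php>
    Deny from all
</Files>'

# Append the deny rule to UPLOADS_DIR/.htaccess unless it is already there.
# Prints "installed" or "already-present".
install_uploads_htaccess() {
  f="$1/.htaccess"
  if [ -f "$f" ] && grep -Fq '<Files *.php>' "$f"; then
    echo "already-present"
    return 0
  fi
  printf '%s\n' "$HTACCESS_RULE" >> "$f"
  echo "installed"
}

# List PHP-like files under UPLOADS_DIR, relative to it. The article's rule
# matches only *.php, so the scan casts a wider net over extensions that some
# server configurations also hand to PHP.
php_under_uploads() {
  ( cd "$1" && find . -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) | sort )
}

# Constructed demo: one legitimate image and one PHP file that should not exist.
demo() {
  dir=$(mktemp -d)
  mkdir -p "$dir/2021/10"
  : > "$dir/2021/10/photo.jpg"
  : > "$dir/2021/10/unexpected.php"
  first=$(install_uploads_htaccess "$dir")
  second=$(install_uploads_htaccess "$dir")
  found=$(php_under_uploads "$dir")
  rm -rf "$dir"
  echo "$first $second $found"
}

demo   # installed already-present ./2021/10/unexpected.php
```

    Any path printed by php_under_uploads on a live site deserves investigation before it is deleted, because a PHP file under uploads almost always means something wrote it there through a plugin or a compromised account rather than through the normal media uploader.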

    Disable access to the REST API of your WordPress (if you are not planning to use it)

    You can do this by using the following plugin: https://pl.wordpress.org/plugins/disable-json-api/

    The website for the Disable REST API plugin with its description

    Limit or disable access to XML-RPC (pingback, mobile apps)

    If you are not using XML-RPC, disable it with the following code:

    // Turn off XML-RPC entirely.
    add_filter( 'xmlrpc_enabled', '__return_false' );

    // Belt and braces: drop the pingback method from the advertised method list...
    function remove_xmlrpc_pingback_ping( $methods ) {
        unset( $methods['pingback.ping'] );
        return $methods;
    }
    add_filter( 'xmlrpc_methods', 'remove_xmlrpc_pingback_ping' );

    // ...and stop advertising the endpoint through the X-Pingback response header
    // (the header is filtered separately; it is not part of the methods array).
    function remove_x_pingback_header( $headers ) {
        unset( $headers['X-Pingback'] );
        return $headers;
    }
    add_filter( 'wp_headers', 'remove_x_pingback_header' );

    or with .htaccess:

    <Files xmlrpc.php>
        Order deny,allow
        Deny from all
    </Files>

    Check out this link if you need additional information: https://www.wpbeginner.com/plugins/how-to-disable-xml-rpc-in-wordpress/

    Make sure your website has an SSL certificate

    Theoretically, you could use a plugin to do it, but we recommend the more “manual” way suggested at https://thecamels.org/en/compendium-how-to-secure-your-wordpress/. Check out the “How to properly enable SSL in WordPress” section and follow the guidelines.

    Conclusion

    Security should be a top priority of any enterprise, big or small. We hope you find these suggestions useful in the fight against hackers and malicious software. Make sure to follow us for other tips and guidelines.
