WordPress Security: The Ultimate Guide

Like most website owners, security was never top of my priorities. It was only when one of my websites was hacked that I realized how common it was for websites to be compromised by malicious parties.

As the most popular web publishing platform on the internet (by a large margin), WordPress is a popular target for hackers and spammers. WordPress is known for being one of the most user-friendly website platforms available online, but out of the box WordPress is terribly vulnerable to attacks.

According to WP White Security, more than 70% of WordPress installations are vulnerable to hacker attacks and the total number of hacked WordPress websites in 2012 was a whopping 170,000. This figure is growing every year.

You may be wondering why anyone would want to attack your website, particularly if you have a low traffic website; however the vast majority of hackers are not looking to steal your data or delete important files. What they want to do is use your server to send spam emails.

I experienced this myself last year. A friend of mine had built a small content website using WordPress and hosted it on my hosting plan. Unfortunately, my friend stopped updating the website, which meant that WordPress was outdated. This made it possible for hackers to upload a script that sent spam directly from my server.

Due to this, my server IP address was blacklisted by all major ISPs and email services; therefore newsletters that I was sending from a website I owned were not being delivered. Thankfully, I was able to remove my IP address from the blacklists using the blacklist checker from MXToolBox, though the whole experience cost me a lot of time and money.

MXToolBox
MXToolBox can check to see if your server has been blacklisted.

When it comes to website security, it pays to be proactive rather than reactive. Do not assume your website is secure because you have not been hacked in the past.

This article details what you need to do to make your WordPress website secure from threats. It has been divided into five main sections. Click one of the links below to skip ahead to the appropriate section:

I encourage you to bookmark this article for future reference as you will find it useful when you are securing other WordPress websites you develop :)

How Do Hackers Compromise Your Website?

It is important to understand how hackers gain entry into a WordPress website and have their wicked way. Although there are many different ways in which a hacker can break into a WordPress website, the main techniques can be grouped together into four categories. In an article last year, WP White Security reported the following statistics about hacked websites:

  • 41% were hacked through a security vulnerability on their hosting platform
  • 29% were hacked via a security issue in the WordPress Theme they were using
  • 22% were hacked via a security issue in the WordPress Plugins they were using
  • 8% were hacked because they had a weak password

As you can see, 41% of attacks are caused by security issues within your hosting platform. This covers a lot of techniques, such as using a URL parameter to perform an SQL injection. This technique allows the hacker to run their own SQL against your database, which can allow them to change data (e.g. your password), retrieve data, or delete data (i.e. delete all your posts and pages).

A whopping 51% of attacks were made through a WordPress plugin or theme. Hackers can do things such as insert obfuscated eval(base64_decode()) code, which allows them to run arbitrary PHP from your website (e.g. to send spam). They may also leave a backdoor somewhere on your website. This is a technique they use to regain access to your website in the future, even when you believe you have deleted all malicious files.

Last on the list is a weak password. Hackers continue to gain access in this way by using automated scripts that continually guess passwords until they gain entry; a technique that is known as brute force.

WordPress Security Best Practices

Hackers are not looking for a long battle to gain access to a website. They specifically go after WordPress websites that are vulnerable because of security holes. You can therefore effectively block 99.99% of attacks on your website by simply addressing these security issues.

In this section, I would like to walk through techniques that you can apply to your website in order to make it more secure. It should not take you more than 20 to 30 minutes to apply all of these techniques. All you have to do is modify a few key files such as .htaccess and wp-config.php. I will also speak about security best practices and recommend WordPress plugins that will help you make your website more secure.

Remember that prevention is better than the cure. If you follow the advice given in this section, a hacker will find it very difficult to gain access to your website in the first instance.

Host Your Website with a Good Hosting Company

With 41% of hacking attempts being caused by a security vulnerability on a hosting platform, it pays to host your website with a good quality hosting company. Look for a hosting company that places an emphasis on security. One that has:

  • Support for the latest versions of PHP and MySQL
  • Is optimized for running WordPress
  • Includes a WordPress optimized firewall
  • Has malware scanning and file intrusion detection
  • Trains their staff on important WordPress security issues

If you choose a shared hosting plan, make sure that your host provides account isolation. This ensures that one account cannot overload the server and cause problems for your website. Good hosting companies will also offer daily internal backups, but remember that you still need to backup externally regularly too (more on this later).

Pagely
Choose a hosting company that places an emphasis on security, such as Pagely and their trademarked PRESSARMOR WordPress security system.

Important Installation Settings

WordPress Security Keys were first introduced in WordPress versions 2.5, 2.6, and 2.7. The keys improve encryption of the information that is stored in a visitor’s cookies. They also make it harder to crack your password, as they add random elements to it. A salt phrase is added to make it even more secure.

The keys can be changed in wp-config.php. This is an important configuration file that can be found in the root of your WordPress installation. If you have not added security keys to your wp-config.php file already, the code will look like this:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

Eight keys and salts can be generated through the WordPress Salt Keys Generator. Once the code has been generated, you simply replace the code above with the unique generated phrases.

It will look something like this:


* Note that the above code is just an example. You should generate unique codes for your website.
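The article points to the WordPress.org generator for the eight phrases. As an added example (not WordPress' own code, and not from the original article), the script below produces the same eight define() lines locally from /dev/urandom, so the secrets never leave your machine, and checks that the generated block has eight distinct values with no placeholder text left in it:

```sh
#!/bin/sh
# Added example (not WordPress' own code): generate the eight wp-config.php
# keys and salts locally from /dev/urandom instead of pasting values from a
# web service. Paste the printed define() lines over the placeholders.

# One 64-character phrase drawn from characters that are safe inside a
# single-quoted PHP string (no quote or backslash in the set).
random_phrase() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' < /dev/urandom | head -c 64
}

# Print one define() line per key/salt name WordPress expects.
generate_salts() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        printf "define('%s', '%s');\n" "$name" "$(random_phrase)"
    done
}

# Sanity check on a generated block: eight define() lines, eight distinct
# values, and none of them still the placeholder text.
check_salts() {
    lines=$(printf '%s\n' "$1" | grep -c "^define('" | tr -d ' ')
    distinct=$(printf '%s\n' "$1" \
        | sed "s/^define('[A-Z_]*', '\(.*\)');$/\1/" | sort -u | wc -l | tr -d ' ')
    [ "$lines" -eq 8 ] && [ "$distinct" -eq 8 ] \
        && ! printf '%s\n' "$1" | grep -q 'put your unique phrase here'
}

salts=$(generate_salts)
check_salts "$salts" && printf '%s\n' "$salts"
```

Run it once per site and replace the eight placeholder lines in wp-config.php with its output; changing the keys later simply logs every user out, which is also a quick way to invalidate all sessions after a suspected compromise.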

WordPress applies a table prefix to all database tables. The default table prefix is wp_. For example, wp_posts, wp_terms etc. Changing the table prefix can help against SQL injection attacks, as hackers will need to guess the prefix before they can target your tables, which in turn makes it harder for them to gain control of your database.

You will find the table prefix in your wp-config.php file:

$table_prefix = 'wp_';

Simply change the table prefix to something obscure that no person or script could guess. For example:

$table_prefix = 'asdfadsfa894sdms_';

Changing the table prefix in your wp-config.php file will not automatically change the prefix of your WordPress tables if you have already installed WordPress. Therefore, if you are changing the table prefix on an existing website, you need to update your database too.

One of the quickest ways of doing this is to install the plugin iThemes Security. The plugin can automatically do all the necessary changes for you.

Alternatively, you can do this manually. This is a more time consuming way to change the table prefix, however it may be necessary for you to do this if you cannot do it automatically via a security plugin.

There are two methods available to you through PHPMyAdmin (the process will be almost identical with other database managers). The first method is to use an SQL query to rename each table. Below is an example of how this is done:

RENAME table `wp_links` TO `newprefix_links`;

Obviously, you would change the reference to newprefix in the above example to the prefix you have defined in wp-config.php.

You need to run the above query for each database table including all core tables and any additional tables added by plugins.

The other way to do it is to click on the name of a table and then click on the operations tab. This tab allows you to change important table settings such as the table name. This step needs to be completed for each table.

Rename Table Prefix
Table prefixes can be changed through the operations tab.

Next, you need to update the references to the table prefix in the usermeta and options tables. You can do this using the PHPMyAdmin interface, however it is much quicker to simply use an SQL query.

To update the usermeta table (formerly wp_usermeta), enter the following SQL query through the PHPMyAdmin SQL tab:

UPDATE `newprefix_usermeta` SET `meta_key` = REPLACE( `meta_key`, 'wp_', 'newprefix_' )

To update the options table (formerly wp_options), enter the following SQL query through the PHPMyAdmin SQL tab:

UPDATE `newprefix_options` SET `option_name` = 'newprefix_user_roles' WHERE `option_name` = 'wp_user_roles'

Again, in both examples above, be sure to change the references to newprefix to the prefix you have defined in wp-config.php.

To recap, to update your WordPress database tables with your new prefix, you need to:

  1. Rename each WordPress table
  2. Update the usermeta table
  3. Update the options table

I would still recommend changing the table prefix in your WordPress table using iThemes Security as it allows the above changes to be made at the click of a button. You will, however, find the guide for applying the changes useful if the plugin cannot apply the necessary changes automatically.
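For anyone doing the three steps by hand, the script below is an added example (not iThemes Security's or WordPress' own code) that builds the whole SQL script from a list of table names, so nothing is typed once per table. The table list is a constructed sample of what SHOW TABLES might return, with wp_wfconfig standing in for a plugin table; OLD_PREFIX and NEW_PREFIX are the script's own variables. It generalises the two UPDATE statements above by matching on the leading characters of the key, so a meta_key that merely contains "wp_" somewhere in the middle is left alone, and by rewriting every prefixed option name rather than only wp_user_roles.

```sh
#!/bin/sh
# Added example, not iThemes Security's or WordPress' own code: build the SQL
# for the three-step prefix change (rename every table, then fix the prefixed
# rows in usermeta and options) from a list of table names. Review the output,
# take a backup, then run it through the phpMyAdmin SQL tab or the mysql client.

OLD_PREFIX='wp_'
NEW_PREFIX='asdfadsfa894sdms_'   # must match $table_prefix in wp-config.php

# Constructed sample of what SHOW TABLES might return; wp_wfconfig stands in
# for a plugin table, which needs renaming too.
SAMPLE_TABLES='wp_commentmeta
wp_comments
wp_links
wp_options
wp_postmeta
wp_posts
wp_term_relationships
wp_term_taxonomy
wp_terms
wp_usermeta
wp_users
wp_wfconfig'

# Step 1: one RENAME TABLE per table that carries the old prefix.
rename_tables() {
    printf '%s\n' "$1" | while IFS= read -r table; do
        case "$table" in
            "$OLD_PREFIX"*)
                printf 'RENAME TABLE `%s` TO `%s%s`;\n' \
                    "$table" "$NEW_PREFIX" "${table#"$OLD_PREFIX"}" ;;
        esac
    done
}

# Steps 2 and 3: rows whose key or option name starts with the old prefix
# (wp_capabilities, wp_user_level, wp_user_roles, ...). Matching the leading
# characters with LEFT() rather than REPLACE() leaves keys that merely contain
# "wp_" somewhere in the middle untouched.
fix_meta_and_options() {
    start=$(( ${#OLD_PREFIX} + 1 ))
    cat <<EOF
UPDATE \`${NEW_PREFIX}usermeta\` SET \`meta_key\` = CONCAT('${NEW_PREFIX}', SUBSTRING(\`meta_key\`, ${start})) WHERE LEFT(\`meta_key\`, ${#OLD_PREFIX}) = '${OLD_PREFIX}';
UPDATE \`${NEW_PREFIX}options\` SET \`option_name\` = CONCAT('${NEW_PREFIX}', SUBSTRING(\`option_name\`, ${start})) WHERE LEFT(\`option_name\`, ${#OLD_PREFIX}) = '${OLD_PREFIX}';
EOF
}

# generate_prefix_sql TABLE_LIST: the complete script, renames first.
generate_prefix_sql() {
    rename_tables "$1"
    fix_meta_and_options
}

generate_prefix_sql "$SAMPLE_TABLES"
```

Feed it the real table list (the output of SHOW TABLES) and change $table_prefix in wp-config.php in the same maintenance window; RENAME TABLE is DDL and cannot be rolled back, which is why the backup comes first.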

Keep WordPress Updated

Every version of WordPress addresses security holes that have been identified in previous versions. Therefore, if you are using an older version of WordPress, your website is more susceptible to attacks. That is why it is important you always update WordPress to the latest version.

Major versions of WordPress contain many new features and are released twice a year. They are easily recognised as the version number increments by 0.1 with each release, e.g. 3.7, 3.8, 3.9, 4.0 etc. Following every major release, WordPress releases a few minor updates. The release numbers for minor releases increment by 0.01, e.g. 3.9.1, 3.9.2 etc.

Whereas major releases of WordPress introduce new features to the platform, minor releases address important security bugs and errors that have been found in a major release. It is therefore essential you apply these minor updates to your website.

WordPress introduced a new feature in WordPress 3.7 that updates WordPress automatically in the background. Many WordPress users wrongly believe that this feature applies to all WordPress updates, but by default WordPress will only automatically apply minor updates to your website.

It is possible to have both major and minor updates applied automatically. This will remove the need for you to ever update WordPress manually again. You can do this by adding this piece of code to your wp-config.php file:

# Enable all core updates, including minor and major:
define( 'WP_AUTO_UPDATE_CORE', true );

Safeguards are put in place to ensure your website does not break when your website is automatically updated, however there is always a risk that your website breaks after a major update. This is more likely if you use WordPress plugins that are not actively updated so you should be aware of this if you do apply major updates to your website automatically.

If you would prefer to handle all updates yourself because you are concerned your website will break with an automatic update (major or minor), you can disable all core WordPress automatic updates by adding this code to your wp-config.php:

# Disable all core updates:
define( 'WP_AUTO_UPDATE_CORE', false );

Plugin developers can further control automatic updates by using the add_filter function. They can do this by adding the following line to your wp-config.php file after the add_filter() reference:

require_once( ABSPATH . 'wp-settings.php' );

Check out “The definitive guide to disabling auto updates in WordPress 3.7” by Andrew Nacin for more information on disabling automatic updates.

WordPress Plugins and Themes

Security holes in themes and plugins represent more than half of all successful WordPress hacks. You therefore need to pay attention to the plugins you activate on your website.

  • Be ruthless when it comes to plugins. If you can do without the functionality a plugin offers, deactivate it and remove it.
  • Be wary of plugins that have not been updated within the last two years as they may have security holes in them that have not been addressed. If possible, only use plugins that are updated regularly.
  • All plugins are not created equal. Be conscious of the fact that a poorly coded plugin could make it easier for a hacker to gain access to your website.

It is important that your WordPress theme is up to date and well-coded, too. You can check the quality of the code in your theme using a plugin such as Theme-Check and check the code in plugins using Plugin-Check.

You should also be careful of downloading free WordPress themes from unknown sources as they may contain malicious code. If in doubt, stick to the free WordPress designs available at WordPress.org.

Hackers could insert malicious code into premium plugins and themes. It is highly unlikely that the original developer of a premium WordPress product would insert malware into it, though you do need to be careful when downloading a premium product from other sources.

Therefore, I implore you to do the right thing and support WordPress developers by buying plugins and themes from them directly. Downloading a premium plugin or theme from a torrent website hurts their business and there is a chance the uploader has inserted malware into the product, placing your website at risk of being attacked. You are safer downloading plugins from a source such as WPMU DEV. Not only are our plugins free from bugs, they also come with 24/7 support.

The WordPress updater can be configured to automatically update plugins and themes. To automatically update WordPress plugins, add the following code to your wp-config.php file:

add_filter( 'auto_update_plugin', '__return_true' );

To automatically update your theme, add this code to wp-config.php:

add_filter( 'auto_update_theme', '__return_true' );

Note that your WordPress theme has to support automatic updates in order for the above code to work.

Remember that updating plugins automatically may cause a website error and could happen when you are away from the computer. I recommend upgrading plugins and themes manually to ensure that if any problems occur during upgrade, you can deactivate the plugin and reactivate it when the developer has fixed the error.

The WordPress plugin and theme editor allows authorised users to modify your theme and your installed plugins. If a hacker was able to gain access to your WordPress admin area, they could crash your website in a matter of seconds by simply changing code, or removing code. To avoid this occurring, you can disable the plugin and theme editor by adding the following code to your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

You can also remove the option of updating and installing plugins and themes by adding the code below to your wp-config.php file. Applying this technique would stop an unauthorized party from being able to upload their own plugin to your website.

define( 'DISALLOW_FILE_MODS', true );

The above code will also deactivate the plugin and theme editor if it is added to your wp-config.php file.

Using Correct File Permissions

It is important that you configure your file permissions correctly. Setting a directory with permissions of 777 could allow a malicious party to upload a file or modify an existing file.

According to WordPress, you should use the following permissions on a WordPress website:

  • All directories should be 755 or 750
  • All files should be 644 or 640
  • wp-config.php should be 600

Check out the Changing File Permissions guide on WordPress.org for more information on how to change file permissions. If you are unsure as to whether you have set up your WordPress file permissions correctly, ask your host to check them for you.
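If you have shell access, the following is an added example (not WordPress.org's own script) of applying exactly the permissions listed above to a WordPress tree and then auditing it for anything outside that set. It assumes the files are owned by your account and read by the web server as a different user, which is why 755/644 rather than the tighter 750/640 is the default here; the sample tree it builds in a temp directory is constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not WordPress.org's own script: apply the recommended
# permissions to a WordPress tree and audit it for anything outside that set.

# harden_perms ROOT: directories 755, files 644, wp-config.php 600.
harden_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# audit_perms ROOT: print each path whose mode is outside the recommended set
# (755/750 for directories, 644/640 for files, 600 for wp-config.php) and
# return 1 if there were any. Uses find -perm so it needs no GNU stat.
audit_perms() {
    root="$1"
    bad=$(
        find "$root" -type d ! -perm 755 ! -perm 750
        find "$root" -type f ! -name wp-config.php ! -perm 644 ! -perm 640
        if [ -f "$root/wp-config.php" ]; then
            find "$root/wp-config.php" ! -perm 600
        fi
    )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed sample tree with two classic mistakes: a world-writable uploads
# directory and a world-readable, world-writable wp-config.php.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads"
    printf '<?php // constructed sample config\n' > "$dir/wp-config.php"
    printf '<?php // constructed sample file\n' > "$dir/wp-content/uploads/index.php"
    chmod 777 "$dir/wp-content/uploads"
    chmod 666 "$dir/wp-config.php"
    printf '%s\n' "$dir"
}

# Demo: audit, fix, audit again.
demo_root=$(make_sample_tree)
audit_perms "$demo_root" || echo "-- fixing --"
harden_perms "$demo_root"
audit_perms "$demo_root" && echo "all permissions within the recommended set"
```

On a shared host where PHP runs as your own user (suPHP, FastCGI with per-user pools) the tighter 750/640 set works too; run audit_perms from cron and you have a cheap alert for a plugin or backdoor that quietly loosens a directory to 777.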

Turn Off PHP Error Reporting

If a plugin or theme causes an error, the error message may display your server path. This information is useful to hackers, therefore it is better to disable error reporting altogether for a live website.

You can disable error reporting in WordPress by adding the following code to your wp-config.php file:

error_reporting(0);
@ini_set('display_errors', 0);

If the above code does not work, speak to your web hosting company and ask if they can disable error reporting on your behalf.

Protecting WordPress Using .htaccess

The .htaccess file is a powerful configuration file that changes the way your server operates. It is used to redirect URLs and configure pretty permalinks. The file can also be used to harden WordPress security.

The techniques below will strengthen your WordPress website significantly. Please note that the code has to be placed outside of the # BEGIN WordPress and # END WordPress tags, as anything between those tags can be overwritten by WordPress (e.g. during updates and permalink changes). Be sure to enable the option to show hidden files in your FTP client or file manager too; otherwise, the .htaccess file will not be visible in the file list.

The wp-config.php file is important as it contains your database connection settings, table prefix, security keys, and other sensitive information. You can protect the file by adding the following code snippet to your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>

You can also relocate the wp-config.php file above your installation folder; however there is some debate as to whether this is beneficial.

To restrict access to your WordPress admin area to a specific IP address, use the code below (be sure to change the IP address to your own). In order to do this, you need to create a separate .htaccess file and upload it to the /wp-admin/ directory. Be aware that in order to access your WordPress admin area via a different IP address, you will need to modify the .htaccess file.

order deny,allow
allow from 192.168.5.1
deny from all

Additional IP addresses can be allowed by adding additional lines. For example:

order deny,allow
allow from 192.168.5.1
allow from 123.456.7.8
deny from all

The wp-login.php file that is found in the root of your WordPress installation can also be restricted to a specific IP address. The wp-login page will ultimately redirect any logged in users to the /wp-admin/ directory, therefore if anyone did login through wp-login.php, they would be blocked at /wp-admin/. However, you may want to restrict access to wp-login.php too for added security.

An alternative to protecting your admin area by restricting it to certain IP addresses is to password protect the directory. I am not a fan of this technique as it can cause problems with Ajax in plugins and is apparently not foolproof.

If you find a person is consistently trying to access your WordPress admin area, you can block them from your website using the code below. Like the restrict by IP technique, additional IP addresses can be blocked using this technique by defining them in additional lines.

order allow,deny
deny from 456.123.8.9
allow from all

The /wp-includes/ directory contains a lot of important files that are required to run WordPress. There is no need for any visitor to view the contents of this directory. To protect the /wp-includes/ directory, add the following snippet to .htaccess:

# Block the include-only files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

To prevent people from browsing the content of your directories, add the following code snippet to your .htaccess file:

Options All -Indexes

To protect the .htaccess file itself, add this to the file:

<Files .htaccess>
order allow,deny
deny from all
</Files>

The /wp-content/ directory can be protected using .htaccess too. In order to do this, you need to create a separate .htaccess file and upload it to the /wp-content/ directory. Then add the following code to the file:

As you can see, the above technique will protect the /wp-content/ directory but allow XML, CSS, JavaScript, and images to be served. Be aware that this code has been known to break some WordPress themes as it does not allow PHP to be executed, particularly themes that use timthumb.php. If the code causes any problems with your website, it is best to remove the .htaccess file from the /wp-content/ directory.

Disable XML-RPC

Since WordPress 3.5, XML-RPC has been enabled by default. The feature allows you to remotely connect via blogging clients. It is also used for trackbacks and pingbacks. Unfortunately, hackers have been known to abuse the file for DDoS attacks.

You can use a plugin such as Disable XML-RPC Pingback or Disable XML-RPC to reduce the chance of your website being attacked.

Stronger Login Information

Weak passwords allow hackers to gain access to your website easily using a brute force automated script. You should therefore:

Many years ago, WordPress used the username admin as the default username for the primary administrator account. They now allow you to choose any username you wish during the installation process, however many people still choose the username admin.

The problem is that hackers know that admin was the default administrator username for a long time. This means that they only need to work out the password for the administrator account. Due to this, most brute force scripts attempt to gain access to your website using the username admin.

You should therefore change your administrator username if you are using admin or another basic username. This will make it much more difficult for a hacker to gain access.

You can do this by entering the following SQL query in PHPMyAdmin (or whatever database manager you are using). Be sure to change newusername to the new username.

UPDATE wp_users SET user_login = 'newusername' WHERE user_login = 'admin';

You could also run the above command directly through your admin area using the WordPress plugin WP-DBManager, but be sure to uninstall the plugin after using it as you do not want to give anyone the opportunity of accessing your database directly through the admin area.

Alternatively, use the plugin Admin renamer extended to change the username directly through your WordPress admin area.

Limit Login Attempts

Hackers use brute force attacks to try and gain access to your WordPress admin area; continually trying new random usernames and passwords. One of the best ways to protect your website against this kind of attack is to install Login LockDown or Login Security Solution. The plugins allow you to limit the number of login attempts from a given IP range.

Once a user has failed a defined number of times, they will be locked out of your website for a defined period of time. The default period of lockout can be increased to a more significant period of time if you wish. You can manually unban any legitimate users that have been locked out, so you need not worry about frustrating your staff.

The great thing about these plugins is that they record the IP address of anyone who fails a login attempt. You can use this information to block those people from your website indefinitely using the .htaccess technique I discussed earlier.
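The login-limiting plugins above see only what reaches WordPress; your web server's access log shows the same brute-force and XML-RPC abuse (the two sections above) without any plugin. The following is an added example, not code from Login LockDown or any other plugin named here, that counts suspicious POSTs per client IP in a constructed combined-format log and turns the offenders into "deny from" lines for the .htaccess technique shown earlier. The addresses are documentation-range placeholders. It relies on one detail of wp-login.php: a failed login redisplays the form with status 200, while a successful one answers 302, so only the 200s count as failures.

```sh
#!/bin/sh
# Added example, not code from Login LockDown or the other plugins named above:
# find brute-force and XML-RPC abuse in an Apache/Nginx combined-format access
# log by counting POSTs per client IP. Failed wp-login.php attempts redisplay
# the form with status 200 (a success answers 302), so only the 200s are
# counted there; every POST to xmlrpc.php is counted.

# Constructed sample log; the addresses are documentation-range placeholders.
SAMPLE_LOG='203.0.113.7 - - [10/Jun/2014:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3645 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2014:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3645 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2014:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3645 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2014:10:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3645 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2014:10:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3645 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2014:10:16:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.23 - - [10/Jun/2014:10:16:35 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.23 - - [10/Jun/2014:10:16:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.10 - - [10/Jun/2014:10:17:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3645 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jun/2014:10:17:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# flag_abusers LIMIT < access.log
# Prints "ip target count" for each IP with LIMIT or more suspicious POSTs.
# Combined-format fields: $1 client IP, $6 quoted method, $7 path, $9 status.
flag_abusers() {
    awk -v limit="$1" '
        { target = $7; sub(/\?.*/, "", target) }
        $6 == "\"POST" && target == "/wp-login.php" && $9 == 200 { hits[$1 " " target]++ }
        $6 == "\"POST" && target == "/xmlrpc.php"                { hits[$1 " " target]++ }
        END { for (k in hits) if (hits[k] >= limit) print k, hits[k] }
    ' | sort
}

# deny_lines < flagged-output
# Turns the flagged IPs into lines for the .htaccess blocking technique shown
# earlier (order allow,deny / deny from ... / allow from all).
deny_lines() {
    awk '{ print "deny from " $1 }' | sort -u
}

printf '%s\n' "$SAMPLE_LOG" | flag_abusers 3
printf '%s\n' "$SAMPLE_LOG" | flag_abusers 3 | deny_lines
```

Run it against the real log with a threshold that suits your traffic (for example `flag_abusers 20 < /var/log/apache2/access.log`); the legitimate user in the sample, who fetched the form once and logged in successfully, is never flagged.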

Login Lockdown
Limiting the number of failed login attempts that are allowed makes it difficult to use brute force scripts on your website.

Two-Step Authentication Solutions

A two-step login authentication process will make it even more difficult for hackers to access your website through a brute force attack. It forces everyone to use an authorisation code in order to login to your website. For example, you may have to provide a code that can only be accessed via your mobile phone.

Here are some useful authentication WordPress plugins that are available to you free of charge:

  • Google Authenticator – Requires you to enter a secret key or QR code that is provided to you via a Google Authenticator smartphone application
  • Clef – Allows you to login using a passwordless two-factor authentication system using your mobile phone
  • Clockwork SMS – Sends a SMS to your mobile phone with a key that you need to enter to login
  • Duo Two-Factor Authentication – Offers multiple ways to access your website such as a mobile phone application, a SMS, or a phone call
  • OpenID – Allows you to login using the OpenID protocol, which supports every major social media service
  • Authy Two Factor Authentication – Requires you to enter an API key from a smartphone application
  • Stealth Login Page – Login to your website using a secret login authorization code

You may find a two-step authorization login process frustrating, however it is one of the most effective ways of preventing unauthorized parties accessing your website.

Two Step Authorization Process
Introducing a two step authorization login process will strengthen your website security considerably.

Hide Your Login Page

Malicious parties can attack your login page because they know that a default installation of WordPress can be logged in at www.yourwebsite.com/wp-admin/ and at www.yourwebsite.com/wp-login.php. Moving the location of your login files makes it very difficult for hackers to perform a brute force attack.

There are good plugin solutions available that allow you to do this easily:

  • Rename wp-login.php – A multisite friendly plugin that allows you to change your login page. Once activated, the wp-admin directory and wp-login.php page will be inaccessible.
  • Hide Login+ – Allows you to change name of your login page, admin area, logout page, and forgotten password page.
  • Lockdown WP Admin – Another useful plugin that can conceal your admin area and login page.

If you forget the new location of your login page and admin area, you can reset everything by simply deactivating the plugin in question. You can do this by renaming the plugin folder contained within /wp-content/plugins/. Alternatively, you could delete the plugin and reinstall it once you have logged back in to your website.

Hide Login
It is difficult for a hacker to login to your website if they do not know where to login.

Remove the WordPress Version Number

By default, WordPress will place a meta tag in your website code that states the version of WordPress you are using:

<meta name="generator" content="WordPress 3.9.1">

Unfortunately, this information is useful to hackers, particularly if you are using an older version of WordPress that has a security hole.

WordPress developer Paul Underwood shared a useful code snippet that lets you easily remove the WordPress version number from your website. You can do this by adding the following code to the top of your theme functions.php file:

remove_action('wp_head', 'wp_generator');

Alternatively, you can remove the WordPress version number by installing the plugin Remove Version.

Use Common Sense

When it comes to making your website more secure, a bit of common sense goes a long way. You can reduce the chances of your website being compromised by taking precautionary measures.

  • Do not login to your website on unsecured networks
  • Make sure your computer does not have any viruses by installing antivirus software such as AVG, Avira, or Comodo
  • Install a firewall on your computer for extra protection, such as Comodo or Zone Alarm
  • Only upload files to your website using a Secure FTP (SFTP) client such as FileZilla
  • Do not access your website in an internet cafe PC as someone could track your login
  • Be careful that no one sees you entering your login details in public locations such as coffee shops and airports, in case someone is watching you enter your username and password
  • Be wary of allowing people to upload files to your website via a form as hackers can use it to upload a malicious script – Even if you only allow image uploads, sneaky files such as image.jpg.php have been known to slip through
  • Do not ever give admin access to people you do not know and trust
  • Do not ever make someone editor if you do not know them well
  • If you are ever concerned about logged in users (editors, authors) doing something malicious on your website, use a plugin such as Simple Login Log or Audit Trail to track their activity
  • Do not give people you do not know FTP access or access to your website hosting area unless absolutely necessary

Backup Often

The old idiom states that you should hope for the best, but prepare for the worst. This is particularly true with websites. Even if your website security has been hardened, there is no guarantee that your website will not be compromised by hackers. That is why it is important to backup your website frequently.

Most hosting companies provide daily backups of your website, however if the host’s data centre is damaged, be it through a power surge or flooding, your main website and internal backups could both be lost. That is why you need to backup your website externally too.

VaultPress
VaultPress offers one click backups and restores from only $5 per month per website.

There are automated WordPress backup services that make the process of backing up and restoring your website painless. This includes Automattic’s VaultPress, the backup and monitoring service CodeGuard, and the backup and migration service BlogVault.

If you prefer a plugin backup solution, check out BackupBuddy, Backup Creator, UpdraftPlus Backup and Restoration for WordPress, and WordPress Backup to Dropbox.

You should also check out our very own backup solution Snapshot. It can backup your database, your theme files, and your uploaded media. It is one of the few backup solutions that lets you select what tables are backed up.

Backups can be backed up via secure FTP or to Amazon S3 or Dropbox. Everything can be restored at the click of a button, which ensures that you can get your website back online as quickly as possible.

Snapshot Backup Solution
Snapshot is a great backup solution that has native support for BuddyPress and WordPress Multisite

Do not become complacent about backups. If your website has been hacked, your content could be modified or deleted completely, and an external backup could be the only thing that saves your website from being lost. Therefore, you need to have a disaster recovery plan in place.

 

Scanning Your Website

Many people wrongly believe that a hacked website is always visibly broken. It often is not, because the hacker’s goal is usually to keep using your server quietly, most commonly to send spam.

If you know your website has been compromised, you can contact your hosting company and start removing the files the hacker uploaded. If you are unaware that your server is relaying spam, however, the hacker can carry on using it for as long as nobody looks.

The most effective way of discovering malware and suspicious files is to scan your files regularly, and not just the theme: backdoors are just as often dropped into wp-content/uploads, a plugin directory, or a core file under wp-includes, so scan the whole install and, where you can, compare files against known-good copies. Many plugins and services can help with this.

  • Theme Authenticity Checker – The plugin will scan all installed WordPress themes for signs of malicious code. It will then highlight this code to you by showing you the path to the theme file, the line number, and a small snippet of the suspect code.
  • Ultimate Security Checker – A plugin that scans your website for hundreds of known threats and gives you a security grade on what it finds.
  • AntiVirus – A great plugin that scans your theme files and database for malicious code injections. Email notifications can be provided on a daily basis after each scan so that you are aware of anything suspicious.
  • WP Antivirus Site Protection – A server side scanner that can detect backdoors, rootkits, trojan horses, worms, PHP mailers, fraudulent tools, adware, spyware, and more. It can be run automatically on a daily basis.
  • Sucuri SiteCheck – The Sucuri scanner checks your website for malware, spam, and defacements, and tells you if your website is on any known blacklists. Note that it scans from the outside, so it only sees what a visitor’s browser is served; a backdoor that changes nothing on the page will not show up, which is why you need a server-side scanner as well.
  • CodeGuard – The CodeGuard service is used to backup your website on a daily basis. If they detect any changes on your website, they will email you with a notification of what was added, modified, or deleted.

Another great plugin to check out is WP Changes Tracker. It keeps a log of every change to WordPress core, your themes, and your plugins. It is not a malware scanner, but if you notice something different on your website, the change log lets you see exactly what was altered and when.

Scan Your Website
Scanning your website regularly will help you detect malicious activity on your website.
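To make the two kinds of scanning described in this section concrete, here is an added example written for this guide (it is not code from the article or from any of the scanners named above). baseline() and diff_baseline() record file hashes while the site is known clean and later list what was added, changed or deleted, which is the idea behind CodeGuard’s change notices and WP Changes Tracker; scan_php() reports the path, line number and a snippet for constructs that turn up in injected backdoors, which is the idea behind Theme Authenticity Checker. The pattern list, the sample site tree and the payload in demo() are all constructed for illustration, and a hit is a lead to inspect, not proof of compromise.

```python
"""Added example for this guide (not code from the article or from any scanner
it names): the two checks a file scanner does over a WordPress install.
baseline()/diff_baseline() record SHA-256 hashes while the site is known clean
and later list what was added, changed or deleted; scan_php() reports the path,
line number and a snippet for constructs that turn up in injected backdoors.
The pattern list, the sample site and the injected payload in demo() are
constructed for illustration, and a hit is a lead to inspect, not proof."""
import hashlib
import re
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar"}

# Constructed list of constructs that rarely appear in legitimate theme or
# plugin code but are staples of dropped backdoors and obfuscated injections.
SUSPICIOUS = [
    ("eval of decoded payload",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("request data passed to code execution",
     re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b")),
    ("variable function called on request data",
     re.compile(r"\$[A-Za-z_]\w*\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b")),
    ("preg_replace with /e modifier",
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]")),
    ("long base64 literal",
     re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_php(p: Path) -> bool:
    # Match on the suffix, not just "*.php": servers often execute .phtml/.php5 too.
    return p.is_file() and p.suffix.lower() in PHP_SUFFIXES


def baseline(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def diff_baseline(old: dict, new: dict) -> dict:
    """What changed between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def scan_php(root: Path) -> list:
    """(relative path, line number, label, snippet) for each suspicious line;
    the first matching pattern wins so one line yields one hit."""
    hits = []
    for p in sorted(root.rglob("*")):
        if not is_php(p):
            continue
        for n, line in enumerate(p.read_text(errors="replace").splitlines(), 1):
            for label, rx in SUSPICIOUS:
                if rx.search(line):
                    hits.append((p.relative_to(root).as_posix(), n, label, line.strip()[:80]))
                    break
    return hits


def php_in_uploads(root: Path) -> list:
    """Any PHP file under wp-content/uploads is suspect: that directory should
    hold media only."""
    uploads = root / "wp-content" / "uploads"
    if not uploads.is_dir():
        return []
    return sorted(p.relative_to(root).as_posix() for p in uploads.rglob("*") if is_php(p))


def demo() -> dict:
    """Constructed site: take a baseline, then do what an attacker typically does
    (append a loader to functions.php, drop a mailer in uploads, remove a file)
    and report what the checks find."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "twentyfourteen"
        uploads = root / "wp-content" / "uploads" / "2014" / "05"
        theme.mkdir(parents=True)
        uploads.mkdir(parents=True)
        (theme / "functions.php").write_text("<?php\nadd_action('init', 'theme_setup');\n")
        (theme / "header.php").write_text("<?php wp_head(); ?>\n")
        clean = baseline(root)
        with (theme / "functions.php").open("a") as f:   # constructed payload, not a real one
            f.write("eval(base64_decode('aWYoaXNzZXQoJF9QT1NUWydjJ10pKXtldmFsKCRfUE9TVFsnYyddKTt9'));\n")
        (uploads / "image.php").write_text(
            "<?php if(isset($_POST['m'])){ mail($_POST['t'], 's', $_POST['m']); } system($_GET['cmd']);\n")
        (theme / "header.php").unlink()
        return {"changes": diff_baseline(clean, baseline(root)),
                "hits": scan_php(root),
                "php_in_uploads": php_in_uploads(root)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Take the baseline right after a clean install or a verified restore, store it off the server, and run the comparison from cron; the change list is the part that tells you about a backdoor the pattern list has never heard of, while the pattern scan is what points you at the exact line when something does turn up.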

 

All-in-One Security Plugins

If you are not a technical person, you may prefer to protect your website with an all-in-one security plugin. These plugins harden your website at the click of a button by addressing common WordPress security issues. Some also add a firewall and scan your website daily for malicious files.

Let’s take a closer look at some great all-in-one security plugins.

BulletProof Security is a feature-packed security plugin that offers .htaccess-based hardening, file intrusion detection, login security, database backups, and daily monitoring. It also keeps a log of anything that is changed.

The plugin has many configuration options. If you don’t want to configure these options yourself, you can choose to harden your website with one click.

BulletProof Security
BulletProof Security can protect your website at the click of a button.

Acunetix WP Security is a security plugin that can check for vulnerabilities in passwords, theme files, and your admin area.

The plugin has many useful options, such as removing the WordPress version number, disabling PHP error reporting, removing update notifications, and more (hiding update notices is cosmetic, so make sure someone is still applying the updates). A live traffic tool is also included.

Acunetix WP Security
Acunetix WP Security addresses common WordPress security holes.

Sucuri Security will scan your website and detect PHP mailers, injections, malicious redirects, phishing attempts, and more.

The plugin also includes one click hardening options such as protecting your uploads directory, removing the WordPress version number, disabling theme and plugin editors, and restricting access to the /wp-content/ and /wp-includes/ directories.

Sucuri Security
In addition to scanning your website, Sucuri Security can also harden it and make it more secure.

Formerly known as Better WP Security, iThemes Security is the most downloaded WordPress security plugin on WordPress.org.

The plugin addresses common WordPress weaknesses by renaming the admin account, changing the ID of the first user from 1, suppressing detailed login error messages, and displaying a random WordPress version number to non-administrative users. Bear in mind that these are obscurity measures: they slow an attacker down but do not replace updates and strong passwords. It also features a monitoring system that detects bots and file changes.

iThemes Security
iThemes Security is one of the most effective ways of securing a WordPress website using a plugin.

Wordfence Security features two-factor authentication for logins via your mobile phone, a firewall to block common threats, and a password strength checker.

The plugin can scan your website for backdoors, malware, and phishing attempts. It will also monitor your disk space usage to help detect DDoS attacks.

Wordfence Security
Wordfence Security protects your website from malware, bots, phishing attempts, and much more.
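Several of the one-click hardening items these plugins offer (disabling the theme and plugin editors, hiding PHP errors, protecting the uploads directory) are plain file changes you can check and apply yourself. Here is an added example written for this guide, not code from the article or from Sucuri, iThemes, Acunetix or any other plugin named above: audit() reports which of those items are missing from an install and harden() applies the ones that are file edits. Paths assume the default WordPress layout, the sample site in demo() is constructed, and checks that need a live site (the generator tag, the admin username, login error messages) are out of scope.

```python
"""Added example for this guide (not code from the article or from Sucuri,
iThemes or any other plugin it names): a file-level audit of the hardening
items those plugins apply with one click, plus a harden() that applies the
ones that are plain file edits.  Paths assume the default WordPress layout and
the sample site in demo() is constructed.  Checks that need a live site (the
generator tag, the 'admin' user, login error messages) are out of scope."""
import os
import re
import stat
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar"}

# Apache rules for wp-content/uploads: nothing there should ever execute.
# The IfModule pair covers both the 2.4 (Require) and 2.2 (Order/Deny) syntax.
UPLOADS_HTACCESS = """# Uploads hold media, never code.
<FilesMatch "\\.(php|phtml|php[0-9]|phar)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
"""


def _defined(config: str, name: str, value: str) -> bool:
    """True if wp-config.php contains define('NAME', value)."""
    pattern = r"define\s*\(\s*['\"]%s['\"]\s*,\s*%s\s*\)" % (re.escape(name), value)
    return re.search(pattern, config) is not None


def audit(wp_root: Path) -> list:
    """Human-readable findings; an empty list means every check passed."""
    findings = []
    cfg = wp_root / "wp-config.php"
    if not cfg.is_file():
        return ["wp-config.php not found under %s" % wp_root]
    text = cfg.read_text(errors="replace")
    if not _defined(text, "DISALLOW_FILE_EDIT", "true"):
        findings.append("theme and plugin editors are enabled: define DISALLOW_FILE_EDIT as true")
    if _defined(text, "WP_DEBUG", "true") and not _defined(text, "WP_DEBUG_DISPLAY", "false"):
        findings.append("WP_DEBUG is on and errors are shown to visitors: set WP_DEBUG_DISPLAY to false")
    mode = stat.S_IMODE(cfg.stat().st_mode)
    if mode & stat.S_IROTH:
        findings.append("wp-config.php is world-readable (mode %o): chmod 640 or 600" % mode)
    uploads = wp_root / "wp-content" / "uploads"
    if uploads.is_dir():
        ht = uploads / ".htaccess"
        rules = ht.read_text(errors="replace") if ht.is_file() else ""
        if not (re.search(r"php", rules, re.I) and re.search(r"Require all denied|Deny from all", rules)):
            findings.append("PHP execution is not blocked in wp-content/uploads")
        for p in sorted(uploads.rglob("*")):
            if p.is_file() and p.suffix.lower() in PHP_SUFFIXES:
                findings.append("PHP file inside uploads: " + p.relative_to(wp_root).as_posix())
    return findings


def harden(wp_root: Path) -> None:
    """Apply the file-level fixes: disable the editors, tighten wp-config.php
    permissions, block PHP in uploads.  Safe to run more than once."""
    cfg = wp_root / "wp-config.php"
    text = cfg.read_text()
    if not _defined(text, "DISALLOW_FILE_EDIT", "true"):
        # The constant must be defined before wp-settings.php is loaded, so it
        # goes in front of the require_once line at the end of the default file
        # (assumption about the layout of wp-config.php).
        line = "define('DISALLOW_FILE_EDIT', true);\n"
        idx = text.find("require_once")
        text = text[:idx] + line + text[idx:] if idx >= 0 else text + line
        cfg.write_text(text)
    os.chmod(cfg, 0o640)
    uploads = wp_root / "wp-content" / "uploads"
    uploads.mkdir(parents=True, exist_ok=True)
    (uploads / ".htaccess").write_text(UPLOADS_HTACCESS)


def demo() -> tuple:
    """Constructed unhardened site: audit, harden, remove the dropped file the
    audit pointed at, audit again.  Returns (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "uploads" / "2014").mkdir(parents=True)
        shell = root / "wp-content" / "uploads" / "2014" / "image.php"
        shell.write_text("<?php system($_GET['c']);\n")   # constructed backdoor stand-in
        cfg = root / "wp-config.php"
        cfg.write_text("<?php\ndefine('DB_NAME', 'wp');\ndefine('WP_DEBUG', false);\n"
                       "require_once(ABSPATH . 'wp-settings.php');\n")
        os.chmod(cfg, 0o644)
        before = audit(root)
        harden(root)
        shell.unlink()          # the audit only reports; removal is the operator's call
        return before, audit(root)


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)   # []
```

The .htaccess rules only take effect if your host allows overrides for that directory, so after applying them request a harmless test .php file under uploads and confirm you get a 403 rather than executed output; on nginx the equivalent is a location block for /wp-content/uploads/ that denies .php files, since .htaccess is ignored there entirely.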

Final Thoughts

Securing your website is something you need to take seriously. If you take no security precautions, you run a high risk of being hacked. That could get your website blacklisted because it sent out spam; in the worst-case scenario, you could lose all of your data.

By taking just thirty minutes out of your day, you can make your WordPress website considerably more secure and less likely to be misused by a hacker.

If you fail to prepare, prepare to fail.

If your website is compromised, stay calm. Reset every password that touches the site (WordPress users, the database user, FTP/SFTP, and your hosting control panel) and change the authentication keys and salts in wp-config.php so that any stolen login cookies stop working; scan your website for malicious content; and contact your host for help putting everything back to normal. Where you have one, restoring a backup taken before the compromise is safer than trying to clean files by hand, and daily backups mean you can do that without losing much content.

If you want to learn more about securing your website, check out our WordPress Security Essentials series of articles.

  1. WordPress Security Essentials: Say Goodbye to Hackers
  2. WordPress Security Essentials: Four Points Of Vulnerability
  3. WordPress Security Essentials: Password and Username Safety
  4. WordPress Security Essentials: Building A Layered Defense
  5. WordPress Security Essentials: Obscurity Tactics and Backups

Be sure to check out the Hardening WordPress guide at WordPress.org, too. It has a lot of useful information on how you can improve the security of your website.

Do you know of any other great security tips for WordPress? If so, please share them in the comments below.

Image credits: Moyan Brenn


40 Responses

    Vaughan

    Great article Kevin, very well written.

    I would also mention, though, that you can be over-paranoid with security, and you must weigh up secureness against user inconvenience. Some security plugins can also create issues if they are not configured properly, so it’s always good to ask for advice before you make critical changes or change a particular setting. The implications might not be apparent straight away.

    Also, do not become complacent. With all the security tips mentioned above and plugins available, they can give you a false sense of security; even though you have configured them all correctly, you should still be vigilant and check your server access logs, amongst other things, because nothing is 100% secure.

      Kevin Muldoon

      I agree that you can be too paranoid with security. If you have a good reliable backup solution, scan your website files for malware regularly, and plug common WordPress security holes, then you can always restore your website in the event of a hack.

      Though it is dangerous to become complacent. I had an old website get hacked last year and I was completely unaware of it. The hackers were sending spam from the server, which meant that all of my websites were blacklisted.

      A few days ago I installed Sucuri on another small content website I own and I was getting email notifications every few seconds about brute force attacks. First, they tried the username admin. Then they moved on to kevin-muldoon. They didn’t get through my security, but over the course of one night I had over 400 notifications about failed login attempts (despite Login Lockdown being installed). It just goes to show how persistent they are.

      You are right about nothing being 100% secure. That is why backing up is so important. I have been using VaultPress since they launched and I am very happy with the service. Though I must admit that the offer of file scanning is tempting from CodeGuard as they only charge $5 per month (I’m currently on the $15 a month option with VaultPress).

    mark_gavalda

    A long and of course read-worthy article, Kevin, congrats! From our experience 90% of the break-ins happen because of outdated/misconfigured web server software (operating system included) and because the vast majority of WordPress users still use very old builds like 3.5 and most of the time even older ones! These two problems can be solved at the hosting level pretty easily (keeping server software always up to date and force-updating users’ WP installs). So it is indeed important to select a reliable and professional hosting company.

    One thing I’d like you to elaborate is “Includes a WordPress optimized firewall” as I’m not sure what you mean by that? Thanks!

    Magellan456

    What an in-depth tutorial. Great work that I shall put into action on my websites. I’d like to have your advice, though.

    I found that security is a topic that needs a lot of time, awareness and deployment. I’m not a web developer and I create blogs to write and share about topics that I love. I’m thinking about going with WP Engine specifically to leave this part to a host that takes care of it. From what you know, and maybe you don’t know, would this be enough, or would I still have to put a lot of effort and time into configuring my website security?

    Thanks again for this in-depth tutorial.

    Sylvain

      Kevin Muldoon

      I’d personally avoid WP Engine as there have been many complaints from customers about them tampering with websites without the owners’ permission. For example, they have been known to delete drafts without even notifying the website owner.

      That is unforgivable to me. No hosting company has a right to edit content on your website without your approval.

          Kevin Muldoon

          I’m probably not the best person to ask as I don’t use a dedicated WordPress host. I’m currently hosted by KnownHost. Most WordPress hosting companies charge four times what I pay, but I prefer the hands-on approach to things, so I do not need to pay a premium for security etc.

          I did try Synthesis and I was disappointed that they did not allow me to upload a database and then took several hours to respond to a ticket about it.

          I’ve heard good things about Pressable and Pagely, but to be honest it is not something I have researched thoroughly myself. Sorry I cannot help more :)

    Ian

    Thanks Kevin, a great in-depth article.

    I’m very happy with the free version of Wordfence Security plugin.

    I have it on a number of sites. It’s great at automatically scanning the site for any files that don’t match the developer’s version, blocking multiple login failures, mass password-guessing attacks, etc.

    I also like getting the email alerts for whatever you want, like warnings, alerts etc., or if the WordPress install has upgrades waiting, etc.

    Cheers, Ian

      Shawn

      Something that wasn’t mentioned (directly) in the article but should be noted is that there are often security vulnerabilities within the security plugins themselves. Wordfence Security is a perfect example, as you can see from their own changelog:
      https://wordpress.org/plugins/wordfence/changelog/
      Note specifically the changes under 5.1.4, 3.8.3 and more. No indication within the changelog of how long the specific security issues existed, so it could have been vulnerable for months or even years.

      iThemes Security isn’t immune to these issues, either, as 3.4.3 suffered from a popular XSS vulnerability.

      The point I’m making is that while it’s important to install updates and have a web-based security solution, you can not trust that the security application alone will protect you. In fact, it’s possible, even likely in some cases, that it will increase the attack surface. Web-based security applications like Wordfence and iThemes aren’t even the only ones at risk, as just in the last month Avast, AVG and MSE each had security vulnerabilities patched in them as well.

      Diligence and awareness of what should be on your site are far more important.

    amused

    Hi everyone,

    with regards to adding the WP code to the .htaccess file specifically to create a multisite, I usually delete everything in the .htaccess file and paste the given WP code, therefore NOT including the # BEGIN WordPress and # END WordPress tags.

    Many say the tags are optional and unnecessary.

    But this is the first time I have heard that,
    “anything between those tags can be updated by WordPress (e.g. during updates and permalink changes).”

    This sort of implies to me that these comment tags SHOULD indeed be used.

    – 1 – Am i correct in assuming this ?

    also, just playing devil’s advocate,

    – 2 – If using the comment tags in .htaccess causes WP to trigger or change the code inside them for updates etc., are there any adverse effects or issues that can result from this ?

    Any kind assistance in this would be greatly appreciated.

    Kind regards,

    RC.

      Kevin Muldoon

      Who says the tags are optional and unnecessary? Can you share the article where you read this please.

      Whoever told you is incorrect.

      * WordPress.org stresses, on a few different pages in the WordPress codex, that you should not place code between those tags.

      * If you delete the contents of your .htaccess file and re-save your permalink structure, WordPress adds the BEGIN and END tags back.

      * If you simply remove the BEGIN and END tags from .htaccess, WordPress will add them back the next time it updates the .htaccess file (e.g. updating permalinks or updating WordPress).

      * If you add additional code between the BEGIN and END tags, WordPress will remove the code during its next update and replace it with its own.

      I just tested all of the above and can verify it is true. I encourage you to do the same. It will only take you a minute.

      Just to clarify, removing those tags will not stop your website from working. However, it will cause problems when WordPress does update the next time.

      Take this code for example:

      # BEGIN WordPress

      RewriteEngine On
      RewriteBase /wordpress/
      RewriteRule ^index\.php$ - [L]
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /wordpress/index.php [L]

      # END WordPress

      I can remove the BEGIN and END tags and my website will function normally. However, when I re-save my permalinks my .htaccess file is changed to this:

      RewriteEngine On
      RewriteBase /wordpress/
      RewriteRule ^index\.php$ - [L]
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /wordpress/index.php [L]

      # BEGIN WordPress

      RewriteEngine On
      RewriteBase /wordpress/
      RewriteRule ^index\.php$ - [L]
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /wordpress/index.php [L]

      # END WordPress

      As you can see, WordPress adds the original code again because it does not see any BEGIN and END tags. However, if those tags were there, it would have replaced the content inside of those tags, instead of adding the content after the existing .htaccess code.

      Long story short, WordPress can and will update anything between the BEGIN and END tags.

      For the record, while I cannot say that I will never make a mistake (I am, of course, human), I do always verify everything in my articles. Whether that be testing a free plugin or trying out code to ensure it works.

      Hope that comment isn’t interpreted as being rude. That is not my intention. I am just sick of other WordPress bloggers giving others bad advice without actually validating the information themselves.

      If someone makes a claim about something not working, they should back it up with hard evidence or link to the source that influenced their view. Particularly when their claim goes against something in the WordPress codex :)

      Kevin

        amused

        thanks a lot for your kind assistance and advice Kevin !!!

        I absolutely did not and will not interpret your comments as being rude.
        I appreciate and value your input, hence the reason for asking my question.

        I consider myself very green with WP code. I do, however, try to use common sense and logic as best as possible to make up for my illiteracy. This is how I was able to piece together varying advice I was not fully confident with and question the need and true importance of the tags.

        You obviously seem very thorough and this is exactly what I look for when fishing for advice and answers. The tone of your writing seems a bit upset that misinformation may have been distributed and this meticulous attitude is again valuable and beneficial for anyone that is not fluent in code like myself. If a seasoned coder like yourself can feel “sick” of bad information, try to imagine non seasoned newbies, front end designers, etc. who have to fish from forums to blogs to sites to wikis etc. etc.

        Trust me when I say you most likely know the people that told me the tags are optional. Maybe they knew it would be added back automatically, maybe not. That does not bother me. Everyone can learn something from anyone. I made a promise even before coming here to ask for your advice, that I would return with the feedback I got to assist all who can benefit from it. In other words, I will do the bull work and be as meticulous as yourself in making sure I get the facts and that they are backed up with hard evidence. I opened my FTP client (Transmit) and checked after reading your reply and you are correct, the tags were automatically added back indeed.

        So likewise, I hope my comment is not interpreted as being rude when I say that I will NOT share names or the source of my initial advice. I am NOT that type of person.

        The point is that your valuable knowledge and advice would be shared and greatly appreciated !!!

        I sincerely look forward to other EXCELLENT posts here from you as I follow wpmudev literally every day without fail.

        Respectfully,

        RC.

          Kevin Muldoon

          Hi Randall,

          haha Yeah I am a bit over the top about things like that. I don’t get annoyed with people raising the issue, but I do get annoyed with myself if the code I share does not work as I do my utmost to ensure that things work.

          I appreciate you checking the issue via FTP. The good thing about doing that test is that you will remember that information forever now. Learning by doing is always best.

          I respect your opinion of not sharing the article source, but I don’t think you would be hurting the author of the article in any way by sharing it. It’s certainly not a witch hunt. I just think that people should cite sources when they make claims. Can you imagine what my article would have been like if I had kept saying “They say this” and “They say that”, instead of actually linking to someone who says this? I would lose my reputation very quickly.

          I am glad you enjoyed the article. When I am referring to plugins, I usually test them to see if they are working. There are occasions when I don’t do this; such as a popular plugin that is always updated and I know works well. Or a premium plugin that I have not been able to get a copy to test.

          At the end of the day, I don’t see myself as an expert. I just see myself as an experienced WordPress user. So when it comes to any issue, I always like testing it myself. I think it can actually be dangerous to start thinking you know everything about a subject in this game as things change quickly, therefore you should be open to criticism, open to change, and be ready to check what you think you know.

          Hope you enjoy my next articles :):)

          Kevin

      Shawn

      “Required” – no, but they are important.

      They’re only comments (anything in the .htaccess that starts with a hash (#) is a comment), but they’re important for adding a semantic structure to an otherwise free-form file. Automating against the .htaccess file without these begin/end comments is a major PITA.

      Say, for example, that you later decide you want to add specific folder or file redirects and then later add a caching platform. These both (usually) require distinct changes to the .htaccess in a specific order. Without the ability for the caching plugin to see the begin/end WordPress comments, it may add its own features either too early or too late, resulting in ineffectiveness or even inoperability.

      Finally, these comments can cause no harm, so removing them provides no benefit. Keep ’em!

    roy_emory

    Great article. One sentence states “You can check the quality of the code in your theme using a plugin such as Theme-Check and check the code in plugins using Plugin-Check.”

    I see that Plugin-Check is 2 years old without any updates and requires Theme-Check. Not sure that it works anymore. And there are some reported issues with Theme-Check.

    bego_mario_garde

    Security affects all of us. This article covers a lot of good advice to keep your website safe. Thanks for that.

    One thing I don’t understand though is, why so many authors keep telling people to “Remove the WordPress Version Number”. (To make it worse, you even recommend a plugin to hide the version number.)

    In fact, it has been proven wrong and I may recommend you read this blog post by Gennady Kovshenin: http://codeseekah.com/2012/02/20/the-wordpress-meta-generator-tag-paranoia/

    You write: “Unfortunately, this information is useful to hackers, particularly if you are using an older version of WordPress that has a security hole.” – No, sir. Don’t hide the fact you use an outdated version of WordPress. Update instead!

        ismail_hassan

        Glad to hear that this plugin has no security holes till now. Thanks for your research. I’d test its taste, too.
        I just want to take a look at the line that you said at the main blog:
        “Be wary of plugins that have not been updated within the last two years as they may have security holes in them that have not been addressed. If possible, only use plugins that are updated regularly.”
        So, it means, even if a plugin hasn’t been updated in over 2 or more years, it doesn’t mean we’ll throw it away automatically; we’d test it and pick it if it’s safe, like this one...? Am I right?

          Kevin Muldoon

          In general, it is better to use plugins that are updated regularly, as this reduces the chance of using a plugin that has a security hole.

          However, it is not a problem with plugin-check or theme-check as it is an admin plugin that provides a report. These are not plugins that you leave activated 24 hours a day. They work in the same way as the P3 profiler plugin (a great plugin that tells you how much CPU time each plugin is using and how much page loading time a plugin adds).

          That is to say – for theme-check and plugin-check, you install the plugin, you activate it, you test your website, you get the report, and then you uninstall it.

          The plugin will not be activated for more than ten minutes. Therefore, despite not being updated in two years, it poses very little risk.

          Be aware, however, that it is different for plugins that are activated 24 hours a day. They would pose more of a risk.

          On the other side, you should also remember that there is no guarantee that a regularly updated plugin is always secure. It is possible for a ten-year-old WordPress plugin to be more secure than a plugin that was updated a few days ago. When it comes to the quality of coding in WordPress plugins, not all plugins are created equal.

          In general, plugins that are updated regularly will be less likely to have a security hole as the developer has been able to address any issues that come up.

    ricardo_coutinho

    Giving your blog a test every once in a while is not going to hurt you. I personally use Websecurify Suite – the scanner – which is cost-effective (Acunetix/Netsparker cost at least 1K).

    Another thing you should try is to block access to /wp-admin from outside. In other words, no one from the internet should be able to just log in to your blog. Whitelist your IP addresses and you will be good to go.

    ali_raza2

    Today hackers changed the index.php of all my sites. How can I protect the index.php of my sites? They replaced all the code in index.php with their messages, so I just changed the code of index.php back to the default and now the sites are OK, but please tell me about the security of index.php in WordPress.
    Thanks

    onlinejungle

    Hi Kevin,
    Great article, thanks for your hard work.

    I’m going to research/test some of the all-in-one plugins you mentioned, there are just so many and then there are the ‘malware scanning’ plugins too!

    I am no expert but I think I’d be tempted to make edits manually to .htaccess/wp-config/functions etc. rather than use a plugin. Surely this reduces the ‘plugin’ security risk and the load on the site?

    Recently one of my clients fell foul of the ‘Rev Slider’ vulnerability that affected so many sites worldwide.

    Sure, the plugin on my client’s site hadn’t been updated for a while, but between the time the plugin was exploited and when the developers made the appropriate updates to fix it, the theme creators of my client’s theme (which had Rev Slider packaged within it, on ThemeForest) brought out an update; it was doomed!!!

    I suppose my point is that no matter the plugin/theme, whether free or paid, it’s got potential to be hacked, especially if lots of people are using it making it a worth while exercise for the hackers.

    My advice is to protect as best you can, and make weekly/monthly backups with enough in the repository to fall back at least a few months, just in case an exploit goes unnoticed for a month or so!!!!

Comments are closed.