In June, I attended WordCamp Vienna, a huge conference that focuses on everything WordPress – not just an excuse for a holiday! It’s a fantastic conference for everyone from the casual WordPress user to core developers. I learnt lots of new things, some of which I hope to share through our blog and on LinkedIn.
One of the first talks I went to was by the wonderful Maurizio Pelizzone, an Italian WordPress Developer who whizzed through ten tips in ten minutes for hardening WordPress. After working through what Maurizio said and tweaking some of the code so it works better for us, below is what we found.
Disclaimer! Some bits require adding code to the .htaccess, wp-config.php and functions.php files of WordPress. If you don’t know how to do this, ask your web developer (or — shameless plug — call me at Pivotal Web Solutions).
Why harden WordPress?
All systems are vulnerable, no matter what. And because WordPress powers over 25% of all websites on the web (July 2016), it is by far the biggest platform to attack. There are five main threats that could put your website in danger:
- Human errors. These are things we forget to do (because we’re human after all!). Forgetting to remove the default admin username, not setting a strong password and not updating to the latest version of WordPress are some of the most common.
- Exploitation. Attackers find an unpatched vulnerability in a plugin or theme and gain access to your site that way.
- Social engineering. This is when hackers collect personal information from your website and use it against you.
- Brute force attack. A trial-and-error method used by bots that try username and password combinations until one lets them into your website.
- Write & execute permissions. When file permissions are left too open, they leave a back door for attackers.
Before you even launch a WordPress site make sure you have a good host that will protect your server from attacks. Once you have done that, harden your WordPress website using the ten tips below.
Ten Tips for hardening WordPress against attacks
Before we even start the technical bits, ALWAYS keep your site updated. WordPress is constantly releasing security patches, so having the latest version is a necessity.
1. Test your backup
You should be taking regular backups of your website. Make sure you test these occasionally before disaster strikes. This means you will be able to recover quickly if anyone does access your website. There are many plugins available to help you with your backup (for example, UpdraftPlus and VaultPress) or you can do this manually.
2. Prevent user enumeration
Deter hackers by removing username information. User enumeration abuses the author archive pages WordPress creates for every user (visit http://mysite.co.uk/?author=1 on your WordPress site and see where it redirects you). Even if you display a nickname, it doesn’t take long to find the actual username in the page source.
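As an added example (not code from the original post or from any plugin it mentions), the following functions.php snippet closes the two places a username leaks without the dashboard: the author archive redirect described above, and the REST API users endpoint, which lists the usernames of everyone who has published a post. The `pws_` prefix is a hypothetical choice; the hook and filter names are WordPress core ones.

```php
<?php
// Added hardening example for functions.php (or a small must-use plugin).
// Prefix "pws_" is hypothetical; the hooks are WordPress core hooks.

// 1. /?author=1 (and /author/name/) normally redirects to the author archive,
//    whose URL contains the login name. Send such requests to the home page.
//    Priority 1 so this runs before WordPress's own redirect_canonical().
function pws_block_author_enumeration() {
    if (is_admin()) {
        return; // the dashboard legitimately filters post lists by author
    }
    $author_param = isset($_GET['author']) ? (string) $_GET['author'] : '';
    if (is_author() || preg_match('/^\d+$/', $author_param)) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}
add_action('template_redirect', 'pws_block_author_enumeration', 1);

// 2. /wp-json/wp/v2/users exposes usernames to anonymous clients.
//    Remove the users routes for anyone who is not logged in.
function pws_hide_rest_users($endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users']);
        unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
}
add_filter('rest_endpoints', 'pws_hide_rest_users');
```

To check it worked, request /?author=1 and /wp-json/wp/v2/users in a private browser window: the first should land on the home page and the second should return a 404 rather than a list of users.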
3. User permissions
Limit the number of users and the permissions they have to an absolute minimum. This means if hackers do manage to get into your Dashboard, they will not have full access to your site.
4. Hide your login
Move your login to a custom login page so the /wp-login.php and /wp-admin pages are unavailable. The Custom Login URL plugin works well for redirecting the pages.
5. Don’t show errors & unnecessary info
Remove login errors, WordPress version and readme files to limit the amount of information provided to hackers.
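As an added example (not code from the original post), this functions.php snippet handles the leaks named above that can be fixed in code: the login error message, which by default reveals whether it was the username or the password that was wrong, and the version number WordPress prints in the page head, feeds and asset URLs. The `pws_` prefix is a hypothetical choice. The readme.html and license.txt files in the web root cannot be removed from PHP; delete them from the server (and again after each core update, which restores them).

```php
<?php
// Added hardening example for functions.php. Prefix "pws_" is hypothetical.

// 1. One generic login error for every failure, so an attacker cannot tell a
//    valid username from an invalid one.
add_filter('login_errors', function ($message) {
    return 'Login failed. Please check your details and try again.';
});

// 2. Remove the WordPress version from <head> and from RSS/Atom feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 3. Drop the ?ver=4.5.3 hint from script and style URLs. Caveat: this also
//    removes cache busting for your theme's own assets, so purge caches after
//    changing CSS or JS.
function pws_strip_version_query($src) {
    return $src ? remove_query_arg('ver', $src) : $src;
}
add_filter('style_loader_src', 'pws_strip_version_query');
add_filter('script_loader_src', 'pws_strip_version_query');
```

Check by viewing the page source for `generator` and `?ver=`, and by entering a wrong password on the login page: the message should be the same for a real and a made-up username.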
6. Deny PHP execution
If hackers get access to your website, they can hide PHP files in folders that should never contain them. For example, backdoor scripts are very often hidden in the /wp-content/uploads/ folder. By disabling PHP execution in this folder you will improve your security. To do this, you need to create a brand new .htaccess file in the /wp-content/uploads/ folder.
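As an added example (not code from the original post), the helper below writes the .htaccess file described above into the uploads folder, with rules for both Apache 2.4 (`Require`) and older 2.2 (`Deny`). Run it once, for example with WP-CLI's `wp eval-file`, or call it from a plugin activation hook. The function names are hypothetical; `wp_upload_dir()` is WordPress core. It only works where Apache honours .htaccess files (AllowOverride); nginx needs an equivalent `location` block in the server config instead.

```php
<?php
// Added example: create /wp-content/uploads/.htaccess that blocks PHP execution.
// Function names are hypothetical; wp_upload_dir() is a WordPress core helper.

function pws_uploads_htaccess_rules() {
    return <<<'HTACCESS'
# Deny execution of any PHP-like script stored in the uploads folder
<FilesMatch "\.(?i:php|phtml|phar|php[0-9])$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
HTACCESS;
}

// Writes the rules, appending to an existing .htaccess rather than replacing it.
// Returns true when the directory is protected (already or now), false on failure.
function pws_write_uploads_htaccess($dir = null) {
    if ($dir === null) {
        $upload = wp_upload_dir();
        $dir    = $upload['basedir'];
    }
    $file     = rtrim($dir, '/') . '/.htaccess';
    $existing = file_exists($file) ? file_get_contents($file) : '';

    if (strpos($existing, 'Require all denied') !== false) {
        return true; // already hardened, leave the file alone
    }
    $contents = $existing . "\n" . pws_uploads_htaccess_rules() . "\n";
    return file_put_contents($file, $contents, LOCK_EX) !== false;
}
```

Verify it rather than trusting it: place a file containing `<?php echo 'executed';` in the uploads folder, request it in a browser, confirm you get a 403 (not the word "executed"), then delete the file.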
7. Remove inactive plugins
Remove any useless or inactive plugins. If you have the knowledge, you could integrate plugin functionality inside your child theme. In terms of plugins, less is more. The more plugins you have, the more you are relying on a third-party source to remove any vulnerabilities or problems that would give hackers a backdoor into your website.
If you work on a website that has only a few users, you can easily disallow plugin and theme updates and installations from the dashboard to limit any problems.
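As an added example (not from the original post), these are the two wp-config.php constants WordPress provides for exactly that; they go above the "That's all, stop editing!" line. The difference between them matters, so both are shown with their effect.

```php
<?php
// Added example: wp-config.php constants that lock down file changes from the dashboard.

// Hides the built-in code editors (Appearance > Editor, Plugins > Editor), so a
// hijacked admin account cannot drop PHP into a theme or plugin from the browser.
define('DISALLOW_FILE_EDIT', true);

// Also blocks installing, updating and deleting plugins and themes from the
// dashboard (it implies DISALLOW_FILE_EDIT). Set this only if updates are applied
// another way, e.g. by WP-CLI or a deployment process, otherwise the site will
// silently stop receiving plugin and theme updates.
define('DISALLOW_FILE_MODS', true);
```

After saving, the Plugins > Add New and Appearance > Editor menu entries should disappear for every user, including administrators.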
8. Use a secure password
Everyone says this, but there really isn’t any excuse! Don’t be lazy, use a very strong password. You could use a password manager such as KeePass to keep them safe, or use a method that is logical to you to remember them. For example:
Phrase + numbers + symbol e.g.:
- My son likes playing with his red ball = mSlPwHrB
- Addicted to WordPress = @ddic3d.2.WordPr3ss
9. Custom directory structure
WordPress comes in a standard structure (obviously) which you rarely see on the front-end of your website. The standard file structure is:
However, by applying your own custom structure, you not only make it look tidier, but automated attacks that rely on the default paths will fail. For example:
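As an added example (not from the original post; the author's own structure is not shown here), these are the constants WordPress reads to relocate its content, plugin and uploads directories. The directory names `assets`, `assets/modules` and `assets/files` are made up for illustration. Move the folders on disk first, then set the constants in wp-config.php, and check that any plugin assuming the default `/wp-content/` paths still works.

```php
<?php
// Added example: wp-config.php constants for a custom directory layout.
// Directory names below are made up; adjust to your own structure.

// Replaces /wp-content/ (the URL must be the public address of the same folder).
define('WP_CONTENT_DIR', dirname(__FILE__) . '/assets');
define('WP_CONTENT_URL', 'https://www.example.com/assets');

// Replaces /wp-content/plugins/.
define('WP_PLUGIN_DIR', WP_CONTENT_DIR . '/modules');
define('WP_PLUGIN_URL', WP_CONTENT_URL . '/modules');

// Replaces /wp-content/uploads/. Note: UPLOADS is relative to ABSPATH (the
// WordPress root), not to WP_CONTENT_DIR.
define('UPLOADS', 'assets/files');
```

WordPress also looks for wp-config.php one directory above the web root when it is not found next to wp-settings.php, which keeps the database credentials out of the public folder entirely.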
10. Set a black hole trap
A WordPress black hole adds a hidden link to your website and a rule to your robots.txt file that forbids bots from following that link. Bad bots that ignore the robots.txt rules will fall into the trap and be denied access to the rest of your website. You can also choose to receive information about the blocked bots via email. I’d recommend using the Blackhole for Bad Bots plugin for this, but if you fancy a challenge, or don’t want to add an extra plugin, you can follow these instructions on Perishable Press.
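As an added example (not code from the original post, the Blackhole for Bad Bots plugin, or the Perishable Press article), here is a minimal version of the trap in functions.php: the robots.txt rule, the hidden link, and the record-and-block logic with the email notification mentioned above. It assumes the path `/blackhole/` is otherwise unused, that WordPress serves robots.txt itself (the `robots_txt` filter has no effect if a physical robots.txt file exists), and that `REMOTE_ADDR` is the real client address (behind a proxy or CDN it will not be). The option name `pws_blackhole_ips` and the `pws_` prefix are hypothetical.

```php
<?php
// Added example: a minimal black-hole bot trap. Option name and prefix are hypothetical.

// 1. Tell well-behaved crawlers never to visit the trap.
add_filter('robots_txt', function ($output, $public) {
    return $output . "Disallow: /blackhole/\n";
}, 10, 2);

// 2. A link humans never see; only a crawler that ignores robots.txt follows it.
add_action('wp_footer', function () {
    echo '<a href="' . esc_url(home_url('/blackhole/')) . '" rel="nofollow"'
       . ' style="display:none" aria-hidden="true">Do not follow this link</a>';
});

// 3. Record any client that requests the trap, then deny it everything.
add_action('init', function () {
    if (current_user_can('manage_options')) {
        return; // never lock out an administrator who clicks the link while testing
    }
    $ip   = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $path = parse_url(isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '', PHP_URL_PATH);
    $trap = parse_url(home_url('/blackhole/'), PHP_URL_PATH); // honours subdirectory installs
    $banned = get_option('pws_blackhole_ips', array());

    if ($ip !== '' && $path === $trap && !in_array($ip, $banned, true)) {
        $banned[] = $ip;
        update_option('pws_blackhole_ips', $banned);
        wp_mail(get_option('admin_email'), 'Black hole triggered',
                "Blocked bot IP: $ip\nUser-Agent: " . (isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : ''));
    }
    if ($ip !== '' && in_array($ip, $banned, true)) {
        status_header(403);
        nocache_headers();
        exit('Access denied.');
    }
}, 0);
```

The banned list lives in a WordPress option so it survives restarts; review it from time to time (for example with `wp option get pws_blackhole_ips`) and clear it if a shared office or mobile-carrier address ends up in it.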
So there you have it. By using these methods, you can harden your WordPress site against attacks. If you don’t know how to edit your .htaccess, wp-config or functions.php files that are mentioned above, ask a web developer. Changes to these files can bring your website down if not implemented correctly. If you have any questions about it, or you know of other ways to harden WordPress please share in the comments.
For more chatter about WordPress, follow me on Twitter @KarysPivotal. Thanks!