SECURING WORDPRESS THE RIGHT WAY
Securing WordPress is not a one-action thing that you can switch on and then relax. It wouldn't be an issue if it were that easy, right? The complexity of securing WP comes mainly from the possible entry points an attacker can use to gain access to the website or its data. We can sum them up as the following four:
- Hosting
- WordPress core
- Themes and plugins
- User login/access credentials
It will always come down to one of these four.
The only difference is how the hacker will attempt to get in. Before diving in, we need to understand how hackers think and how they go about their hacking gig.
First thing: you are not protecting yourself against high-level hackers. These don't target just anything, and when they do, only God and a top-dollar security firm can stop them from getting in.
WordPress hackers are more of lazy asses and opportunists. They will attempt a hack when they feel that an exploit/vulnerability is easy to execute, and when there is a way to automate the process. Otherwise it becomes a very tedious process, and even for hackers, time is money. They would rather spend their time monetizing masses of hacked websites than hand-pick websites and gamble on breaking in.
If we know where the enemy will come through, and how they intend to get in, all we have left is making sure that these entry points are protected.
Hosting
Probably the least cared-about entry point, and probably the easiest to exploit.
WordPress hosting services put security as the main feature on their sales pitch.
Unfortunately, there is an enormous difference between the sweet talk and what is done in the real world.
When a website gets hacked, hosting services usually blame the site owner for not securing it enough. And they even try to sell you their hack cleaning and fixing service.
What if you did your fair share to secure your WP and still get hacked?
Well, they will still blame you for that too.
Shared hosting is the most vulnerable
A shared hosting service provider will always favor performance over security.
You will most likely find oldish setups, archaic server architecture, and poorly protected and isolated individual plans.
The nasty thing about shared hosting is that hackers can discover other hosted websites within the same server.
If one of them is compromised, chances are that most of the other websites hosted on the same server might fall too, leading to a large-scale hack through cross-site contamination.
90% of websites I fix are hosted on shared hosting plans. And more often than not, all websites within the same plan get contaminated too.
Unmanaged VPS plans can be at risk too
New users of unmanaged VPS plans (like DigitalOcean or Vultr) tend to forget that their node or instance needs to be secured manually.
They probably assume it's done out of the box, which is not the case.
Unmanaged VPS services are a good deal from the price/performance standpoint, but it's still a bare server that needs to be set up and fully secured.
Following tutorials without knowing Linux security fundamentals might put your VPS in jeopardy, and the worst part is, you may not realize it until it's too late.
Fortunately, there are tools like Runcloud that help you manage a VPS without worrying about security. They sit on top of your VPS's operating system and take care of issuing all the technical commands and security fixes for you.
Managed services are the least risky
They are still vulnerable to being hacked, depending on their architecture (shared or isolated VPS).
When using managed WordPress hosting, security is usually the service provider's problem.
So it will be the service provider's duty to keep your website safe, and to fix your website if the worst happens.
The ideal hosting service
- Prevents external access to files and the database
- Isolates (jails) each website from everything else hosted on the same server
- Offers a security guarantee; opt for one when available
How to stay safe
Protect your WordPress files from unauthorized access by setting the right permissions on your WP files (644) and folders (755).
Make sure that access to phpMyAdmin is only possible from within your hosting dashboard.
Avoid at all costs any hosting service that puts an IP address or domain name in the define('DB_HOST', ''); line of your wp-config.php file.
The value 'localhost' usually means the database is only accessible from inside the web server.
Rely on your cPanel (or equivalent) file manager.
If you need FTP access, activate it, use it, and make sure to deactivate it and delete your FTP credentials once done.
Ideally, use Dropbox to handle your file access (only possible if you use an unmanaged VPS).
If you use a VPS and did the setup on your own, either dig deeper and learn how to secure Linux servers, or hire someone to do it in your stead. It's usually a one-time gig.
Always check reviews about the security of your hosting service. Spending a few hours searching for information will save you from disappointment, and might spare you from getting hacked.
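As an added example (not code from the original post), the shell script below automates the two hosting checks just described: it lists every file that is not 644 and every directory that is not 755 under a WordPress root, and it reads the DB_HOST value out of wp-config.php and flags anything that is not a local host. The root path is passed in by the caller; the WP_ROOT variable, the function names and the allowance for a 600 wp-config.php are my own assumptions, not anything from the post or from WordPress.

```bash
#!/bin/sh
# Added example (not from the original post): hosting-level checks for a
# WordPress install. Requires GNU find (-printf) and standard sed.

# List every file that is not 644 and every directory that is not 755 under
# the given root. wp-config.php is also accepted at 600, since many hosts lock
# that one file down further (assumption). Returns 0 if nothing is listed,
# 1 otherwise.
audit_wp_tree() {
    root="$1"
    bad=$( {
        find "$root" -type f ! -perm 644 ! \( -name wp-config.php -perm 600 \) -printf 'file %m %p\n'
        find "$root" -type d ! -perm 755 -printf 'dir  %m %p\n'
    } 2>/dev/null )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    echo "ok: every file is 644 and every directory is 755 under $root"
    return 0
}

# Pull the DB_HOST value out of wp-config.php and classify it. 'localhost',
# 127.0.0.1 and the localhost:/path/to/socket form all mean the database is
# only reachable from the web server itself; anything else is reachable over
# the network. Returns 0 for local, 1 for remote, 2 if no define() line exists.
check_db_host() {
    cfg="$1"
    host=$(sed -n "s/^[[:space:]]*define([[:space:]]*['\"]DB_HOST['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg" | head -n 1)
    case "$host" in
        "")
            echo "warn: no define('DB_HOST', ...) line found in $cfg"
            return 2 ;;
        localhost|localhost:*|127.0.0.1|127.0.0.1:*)
            echo "ok: DB_HOST='$host' keeps the database local to the web server"
            return 0 ;;
        *)
            echo "RISK: DB_HOST='$host' is a remote host; the database is exposed to the network"
            return 1 ;;
    esac
}

# Stand-alone use:  WP_ROOT=/var/www/html sh wp-hosting-audit.sh
if [ -n "${WP_ROOT:-}" ]; then
    audit_wp_tree "$WP_ROOT"
    check_db_host "$WP_ROOT/wp-config.php"
fi
```

Run it after every plugin install or migration, not just once: uploads and installers routinely leave 777 directories behind, and a host migration is exactly when a DB_HOST value changes.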
Make sure to check my full WordPress hosting guides to get a more accurate idea on the subject.
WordPress core
The primary target for most hackers, but luckily, the easiest to lock down.
Like any piece of software, WordPress is prone to vulnerabilities.
0-day exploits, that is, vulnerabilities and exploits not publicly reported, have significantly increased in recent years.
Hackers use these kinds of vulnerabilities to hit hard before the WordPress maintainers can react.
A good example is the REST API vulnerability (late January 2017) in the then-new WordPress 4.7 that got 1.5M websites defaced (random posts/pages injected) in less than 10 days.
How to stay safe
One way: keep your WordPress ALWAYS updated.
WordPress releases periodic updates, and security is a prominent component of each one.
Make sure you have the auto-update feature enabled on your website, even if there is a risk of it breaking your website.
You'd better have your website broken by an update than get hacked.
An additional step
Keeping an eye on WordPress news can help your website's security too.
Major vulnerabilities are often addressed through temporary patches while waiting for official fixes. Take what happened with the REST API exploit:
- First reported: 11th January 2017
- First publicized: 12th January 2017
- Official fix released: 26th January 2017
That leaves regular users a 15-day window of vulnerability, during which hackers can easily exploit it. The following places can help you keep up with the news:
Themes and plugins
WordPress core is not the only thing that you need to keep continually updated. Themes and plugins have the exact same need, with a bit more attention. As opposed to WordPress core, you get to pick your theme and plugins. This freedom can help you be more secure or make you extremely vulnerable.
What you need to check
Two main things:
- How often the asset is updated (read the changelog)
- How secure it is (do a quick search on that)
It takes a few minutes, an hour tops, and tells you with more confidence whether the asset you want to use is secure or not.
The free assets risk
If you check Quora's WordPress-related topic, you'll find questions mostly about free themes and plugins and alternatives to premium assets.
When you're dealing with WordPress, using free themes and plugins needs to be handled with caution, because chances are high you'll get your web property compromised.
The first issue is the upgradability.
Free assets often end up abandoned when the main author/developer doesn't want to keep the asset updated anymore, and there is no one willing to take their place.
So, the likelihood of ending up with a slowly or never updated theme or plugin is quite high. Plus there is the risk that a malicious developer takes over and uses the plugin to compromise the websites where it's used.
The second issue is risking uploading compromised assets without you knowing it.
When someone hears that a premium theme or plugin is available for free or a fraction of its real price, they jump on it without thinking about the consequences.
There is no such thing as a free premium theme or plugin, or someone “sharing” their license with others.
All you'll find are nulled assets. Hackers buy the legit version, put a backdoor in it, and offer it for free for people to download.
Nulled assets will lead you to get hacked in one way or another. In fact, the highest hack rate with themes and plugins happens to be with nulled materials.
If you still want to live the free way, stick to legit sources. Make sure to:
- Strictly limit your options to the free themes and plugins found in the official WordPress repositories. You can't miss them: they are the only source you can use to install themes and plugins from within the WordPress dashboard.
- Check if the asset was recently updated, and preferably only pick it if it's frequently refreshed.
How to stay safe
Keep one main theme (and its child theme, if in use) and completely delete the rest.
Delete any inactive plugins. There is no need to keep anything else installed if it’s not meant to be used. Remember, installing and activating a plugin is quick enough to be done only when needed.
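One way to turn the two rules above into a routine check, as an added example that is not from the post: wp-cli's `wp plugin list --format=csv` prints one line per plugin with the columns name,status,update,version, and the function below reads that CSV and prints the wp-cli commands that would delete every inactive plugin and update every plugin with a pending update. It prints a plan rather than running anything, so you can review it first. The function name and the embedded CSV are mine; the CSV is constructed sample data in the shape wp-cli emits, not a real site's inventory.

```bash
#!/bin/sh
# Added example (not from the original post): plan plugin cleanup from wp-cli output.
# Input: the CSV from `wp plugin list --format=csv` (columns: name,status,update,version).
# `wp theme list --format=csv` has the same columns; there, keep the active theme
# and its parent and treat the remaining inactive themes the same way.

# Print the wp-cli commands that would remove inactive plugins and update the
# active ones that have a pending update. Nothing is executed here.
plan_plugin_cleanup() {
    awk -F, '
        NR == 1 { next }                                   # header line
        $2 == "inactive"  { print "wp plugin delete " $1 "    # inactive, v" $4; next }
        $3 == "available" { print "wp plugin update " $1 "    # v" $4 " has an update pending"; next }
    '
}

# Constructed sample (not a real site) in the exact shape wp-cli emits.
SAMPLE_PLUGIN_CSV='name,status,update,version
akismet,active,none,4.0.3
hello,inactive,none,1.6
contact-form-7,active,available,4.9
old-gallery,inactive,available,2.1.3'

# Stand-alone use on the sample; on a live site:
#   wp plugin list --format=csv | plan_plugin_cleanup
printf '%s\n' "$SAMPLE_PLUGIN_CSV" | plan_plugin_cleanup
```

Inactive plugins win over pending updates in the plan: an inactive plugin is removed rather than updated, because code that is not running still gets served and still gets exploited if it is vulnerable.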
Favor paid assets. Besides better features and higher coding standards, premium themes and plugins have a steady flow of updates and upgrades, and they are the fastest to adapt and fix vulnerabilities when needed.
Avoid at all costs problematic assets. There are plugins with a tarnished hacking history that caused major outbreaks in the past, like Slider Revolution or NextGEN Gallery. Always look up an asset's security breach history to make sure you are not using a hacking magnet.
Avoid at all costs nulled themes and plugins. The only way to get a paid asset is by going to the author website, or by going to known marketplaces, like:
The average price is:
- $50 to $70 and up for themes
- $10/$15 and up for plugins
- $250 per year or lifetime access
Premium assets always come with:
- A key or API code (for registration and activation)
- An extensive documentation and tutorials
- A direct access to support platforms
- At least 6 months worth of support, updates, and upgrades
Anything claiming to be a premium asset without fitting the above-mentioned practices is probably a scam, a stolen asset sold without its author's consent, and a highly risky trade in every way.
You might also end up getting your credit card information stolen and downloading an infected asset, whether it was free or paid.
Pay for genuine assets. There is always a refund grace period, so you can basically test it out and reconsider if it's not something you really want to use.
User login/access credentials
A hacker gains access to your WordPress login/password by guessing it or stealing it, or finds the database URL/login/password by getting access to your wp-config.php file.
Brute force is your worst enemy
The most used technique is called brute force. Hackers keep trying sets of logins/passwords until they get in.
It's a fully automated process that usually takes days or weeks to complete. It costs the hacker only one click and a long wait to find your login credentials if you're not careful.
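Brute force leaves an obvious trace in the web server's access log: one client address posting to wp-login.php (or to xmlrpc.php, which accepts the same credentials) over and over. The shell function below, an added example that is not from the post, counts POST requests to those two endpoints per client IP in a combined-format access log and prints every IP/endpoint pair at or above a threshold, busiest first. The function name, the threshold and the log lines are mine; the log lines are constructed sample data using documentation IP ranges, not a real log.

```bash
#!/bin/sh
# Added example (not from the original post): spot login brute force in a
# combined-format access log (the Apache/nginx default). Whitespace fields:
# $1 client IP, $6 "METHOD, $7 request path, $9 status code.

# Count POST requests to wp-login.php and xmlrpc.php per client IP and print
# "count ip path" for every pair that reaches the threshold (default 20),
# highest count first. Query strings are stripped so that
# /wp-login.php?redirect_to=... is counted together with /wp-login.php.
detect_login_floods() {
    threshold="${1:-20}"
    awk -v t="$threshold" '
        $6 == "\"POST" {
            split($7, part, "?"); path = part[1]
            if (path == "/wp-login.php" || path == "/xmlrpc.php") hits[$1 " " path]++
        }
        END { for (k in hits) if (hits[k] >= t) print hits[k], k }
    ' | sort -rn
}

# Constructed sample log (203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges): 203.0.113.7 hammers the login form and XML-RPC, 198.51.100.2 is one
# normal admin login.
SAMPLE_ACCESS_LOG='203.0.113.7 - - [10/Feb/2017:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2017:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2017:03:14:02 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3241 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2017:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2017:03:14:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2017:03:14:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2017:03:14:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Feb/2017:08:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2891 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Feb/2017:08:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Feb/2017:08:01:26 +0000] "GET /wp-admin/ HTTP/1.1" 200 51234 "-" "Mozilla/5.0"'

# Stand-alone use on the sample with a low threshold; on a live server:
#   detect_login_floods 20 < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_ACCESS_LOG" | detect_login_floods 3
```

Pick the threshold from your own traffic: a real administrator mistypes a password a handful of times, not dozens, and a legitimate site that does not use XML-RPC should see no POSTs to xmlrpc.php at all.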
Other methods to get your credentials
There are countless ways to steal your login information, including:
- Arbitrary file download targeting wp-config.php files (Slider Revolution, NextGEN Gallery)
- Unprotected file permissions
- FTP access
- Hosting platform access
- Password theft (virus or malware on computers, bogus VPN access)
And many other ways.
I’ve been freelancing for years. And as part of my activity, I maintain WP websites on demand.
When I get a request, I ask for the admin credentials to the website, the hosting platform and anything related to the task so I can fix, install and set up, or maintain something WordPress-related.
To date, I've never been informed at any point that the access I received would be destroyed or changed once I'm done.
This means that most people don't have a credential safety protocol when a 3rd party gets involved.
Consequently, the credentials stay active even after the 3rd party's intervention is done, making it possible to access the site without the owner's consent or notification.
I've seen this relaxed credential-sharing policy turn quite bad when a malicious service provider takes advantage of it.
Spying or stealing information, adding remarketing pixels, holding websites hostage, having people's credentials circulating in hacking-related closed groups: none of this is something anyone wants to go through.
How to stay safe
Enable brute force protection wherever possible by changing the regular login/admin URL, and by disabling XML-RPC and the REST API if neither is used.
Use 2-factor authentication, via email, cell phone, or any other way to verify that you are the one accessing your website.
Make service providers sign a non-disclosure contract, and make it clear that once the job is done, all credentials shared will be either destroyed or changed.
WordPress security protocol & gear
As you have learned so far, WordPress security has many facets.
To date, no single do-it-all tool can handle them all at once.
My advised security protocol is a stronghold against known and expectable hacks.
I make sure to update it periodically to cover any new threat and add any new security protocol if relevant.
Make sure to implement basic security fixes for any WordPress installation such as:
- Always keep WP core, theme, and plugins up to date
- Keep an eye on your server’s security
- Set the files permissions correctly
Have a reliable backup system
No matter how we protect our websites, there is always a new threat that might overcome all our security protocols.
While there are countless plugins and services doing that for WordPress, I have always found All-in-One WP Migration to deliver solid performance at a cost-effective price.
While the core plugin is free for migration, getting the scheduled backups and the cloud storage pairing requires a one-time $79 payment for unlimited websites, per cloud storage service.
The available cloud storage options are as follows:
- Dropbox ($79)
- Google Drive ($79)
- Amazon S3 ($79)
- OneDrive ($79)
- Box ($79)
- Mega (coming soon)
- Amazon Glacier (coming soon)
I’ve been using it for a couple of years now, and I’m pretty happy with it.
Part of the protection job is to cut the threat before it becomes one.
Cloudflare is a free DNS manager that comes with some threat monitoring and protection features.
It helps lighten the load from known threat sources. The setup is fairly easy too.
Go to Cloudflare
Wordfence is a very important part of my security protocol because it’s the only plugin that covers multiple aspects of WordPress security at once.
The free version offers:
- A feature-rich firewall
- Live traffic monitoring
- Blocks brute force attacks (disables the XMLRPC, limits login attempts, and bans obstructive IPs)
- A great scanning tool with the ability to compare, repair and delete compromised files
They do have a paid version, starting from $99 per year. It has more advanced features, like:
- Real-time threat defense, which means, when a 0-day exploit is found, it’s quickly fixed and deployed to premium users
- Country blocking feature
- Remote scans
Amongst other features.
Wordfence can be a pain on some occasions, though. Its firewall might consider your patterns of behavior suspicious and kick you out of your own website.
Recovering from that is usually quite easy, with an email link to confirm you are the admin of the website. But on some occasions, it might involve manually removing Wordfence using FTP or your hosting file manager, installing an additional plugin called "Wordfence Assistant", and using it to clear Wordfence's banned IPs so you can use your website once again.
Go to Wordfence
Block Bad Queries
BBQ gives hassle-free protection against malicious URL requests and script injection attempts.
Consider it as an extension to the Wordfence firewall.
The free version works under the hood and doesn't have any controls or customization options, while the paid version has an admin panel with customization options, blocking stats, the ability to set redirections, and other protective features.
Get BBQ (free version) Get BBQ Pro ($15)
Blackhole is a subtle plugin that lets you dismiss any unusual crawling activity from bad bots.
The same rule applies: the free version works under the hood, while the paid version gives you more control over the plugin's settings.
Get Blackhole (free version) Get Blackhole Pro ($25)
The Ultimate Tweaker
UT is a lightweight plugin to obfuscate information and secure some aspects of your WordPress site, like:
- Removing the generator tags for WordPress, WooCommerce, Visual Composer, and the RSD tag
- Adding nosniff and XSS protection headers
- Preventing your website from being embedded inside an iframe
- Disabling text selection and right-click
Minimizing the information you share will make it harder for hackers to attempt anything nasty against your site.
Get the Ultimate Tweaker ($21)
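The headers the Ultimate Tweaker adds can be verified from outside without any plugin. The function below is an added example, not code from the post or from the plugin's authors: it reads a raw HTTP response header block, such as the output of `curl -sI https://example.com/`, and reports whether X-Content-Type-Options: nosniff, clickjacking protection (X-Frame-Options, or a Content-Security-Policy carrying frame-ancestors) and X-XSS-Protection are present, and whether the response leaks an X-Powered-By header or the REST API discovery Link header. The function name and both header blocks are mine; the header blocks are constructed samples, not captured from a real site.

```bash
#!/bin/sh
# Added example (not from the original post): check a site's response headers
# for the hardening described above. Reads a raw header block from stdin, e.g.
#   curl -sI https://example.com/ | check_security_headers
# Exit status is the number of problems found (0 = clean).

check_security_headers() {
    awk '
        # Index every "Name: value" line by lower-cased name; drop the CR of CRLF lines.
        /^[A-Za-z-]+:/ {
            name = tolower($1); sub(/:$/, "", name)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val); sub(/\r$/, "", val)
            h[name] = val
        }
        END {
            problems = 0
            if (tolower(h["x-content-type-options"]) == "nosniff")
                print "ok      X-Content-Type-Options: nosniff"
            else { print "MISSING X-Content-Type-Options: nosniff"; problems++ }

            if (("x-frame-options" in h) || h["content-security-policy"] ~ /frame-ancestors/)
                print "ok      clickjacking protection (X-Frame-Options or CSP frame-ancestors)"
            else { print "MISSING X-Frame-Options (or CSP frame-ancestors): page can be framed"; problems++ }

            if ("x-xss-protection" in h)
                print "ok      X-XSS-Protection"
            else { print "MISSING X-XSS-Protection"; problems++ }

            if ("x-powered-by" in h) { print "LEAK    X-Powered-By: " h["x-powered-by"]; problems++ }
            if (h["link"] ~ /api\.w\.org/) { print "LEAK    Link header advertises the REST API: " h["link"]; problems++ }
            exit problems
        }
    '
}

# Constructed sample: a stock PHP/WordPress response with none of the hardening.
SAMPLE_DEFAULT_HEADERS='HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/7.0.15
Link: <https://example.com/wp-json/>; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8'

# Constructed sample: the same site after the headers above were added.
SAMPLE_HARDENED_HEADERS='HTTP/1.1 200 OK
Server: Apache
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=UTF-8'

# Stand-alone use: run both samples and show the problem count.
rc=0; printf '%s\n' "$SAMPLE_DEFAULT_HEADERS" | check_security_headers || rc=$?
echo "--- problems found: $rc ---"
rc=0; printf '%s\n' "$SAMPLE_HARDENED_HEADERS" | check_security_headers || rc=$?
echo "--- problems found: $rc ---"
```

The X-XSS-Protection check is kept because the plugin sets that header, but current browsers ignore it; a Content-Security-Policy is what actually limits script injection today, and the check accepts a CSP frame-ancestors directive as the modern equivalent of X-Frame-Options.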
Swift Security Bundle or Hide My WP
Both are equally good at taking the obfuscation process a step further by completely hiding from anyone meaning harm that your site is a WP website!
They do have security features comparable to Wordfence's, but I find the Wordfence ones more reliable and effective.
Get Swift Security Bundle ($36) Get Hide My WP ($22)
Disable REST API switches off access to WordPress' REST/JSON API (can be skipped if using Wordfence).
WPS Hide Login changes the default login URL. It's handy when you are the only one with direct access to your website (can be skipped if using Swift Security or Hide My WP).
miniOrange 2-Factor Authentication implements 2-step secured login using Google Authenticator.
Some plugins require technical skills to set them properly. If you don’t think you have the required knowledge to do so, either:
- Get a managed hosting service
- Hire cheap labor to take care of it periodically for you
- Or get my security pack
Additional resources to check:
Never take your website's security lightly or assume that you are hack-proof without being geared accordingly. Invest heavily in security: it can be a maintenance contract, rigorous updates and upgrades as they go live, buying plugins to strengthen your setup, or investing in better, standalone servers. Better safe than sorry! Especially if your website works and earns you a nice and steady income.