WordPress is open source, which means its core files are out in the open: people know its default directory structure, what is written in each file, and so on. This article explains how to improve WordPress security.
Contents – Improve WordPress Security
- File & Directory
- Extra Measures
“What’s good can be better”: WordPress security is good, but it can be improved. Some tweaks can be made and some precautions taken to improve the overall security of your WordPress site. You should also consider running your website with a good hosting provider. Today we will talk about the tweaks and precautions that strengthen your WordPress site’s security.
Basics – Improve WordPress Security
While developers work on software they look at a thousand things before releasing it, and still there is room for improvement. Development is not just making something but also maintaining and improving it. Like all other open source software, WordPress is regularly maintained: improvements keep coming and security patches are released whenever a problem is found. So check for updates regularly and keep WordPress updated, which includes the core, plugins and themes.
To update WordPress, click Updates in the dashboard and update the outdated plugins, themes and WordPress core.
If you are installing plugins or themes, or updating anything, for the first time, WordPress may ask you for your FTP credentials. If you don’t want to provide FTP or SSH credentials, add the required line to your wp-config.php file before the line /* That's all, stop editing */.
Use SSL / TLS
TLS is a cryptographic protocol that creates an encrypted link between a web server and a web browser. There was a time when you did not need to use SSL / TLS unless your website handled credit cards or similarly sensitive data. Then the age of information and data arrived, and now TLS is essential for every website that needs privacy and data integrity.
SSL is Secure Sockets Layer, the deprecated predecessor of TLS. SSL has not been updated since SSL 3.0 in 1996 and most modern web browsers no longer support it.
Now you may wonder: if SSL is deprecated, then why do all the Certificate Authorities sell “SSL”?
“Since they are so closely related the two terms are often used interchangeably and confused. Some people still use SSL to refer to TLS, others use the term ‘SSL/TLS encryption’ because SSL still has so much name recognition.” (CloudFlare)
You can buy an SSL / TLS certificate, but in this article we will focus on the free SSL / TLS certificates provided by Let’s Encrypt. Please follow these steps:
- At first, go to sslforfree.com, a website that provides SSL / TLS certificates from Let’s Encrypt.
- You can choose any of the verification methods, but here I will show manual verification using DNS. So select Manual Verification (DNS) and follow along.
- Add the shown TXT record(s) in your domain’s DNS management page.
- Now click Verify _acme-challenge to check whether the records are set successfully. If you can see the records in the newly opened tab then it’s done; if not, you will see something like “No TXT records found”. In that case make sure you set the name, value and TTL (time to live) exactly as shown on the verification page.
- Finally click Download SSL Certificate and copy the texts shown into three separate files. You can also create an account and the website will notify you before your certificate expires.
Now that you have SSL, please follow these steps to install it,
- Go to your cPanel and click on SSL / TLS under Security.
- After that, click Manage SSL right below Install SSL Certificate.
- Now select the domain and paste the certificate, private key and CA bundle that you got from sslforfree.com a while ago.
- Finally save to activate the SSL.
After you have activated SSL, go to Settings and make sure your WordPress Address and Site Address use HTTPS. If you can’t change the URL(s) from the settings page, open your wp-config.php file and add the lines that define the site URLs before it says “That's all, stop editing, happy publishing!”. Don’t forget to change iamlizu.com with your own domain name.
If you use a trailing slash at the end of the URL, make sure to use it here too. A URL with a trailing slash and one without are two different URLs.
“Google treats each URL above separately (and equally) regardless of whether it’s a file or a directory, or it contains a trailing slash or it doesn’t contain a trailing slash.” (Google Webmaster Central Blog)
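The wp-config.php constants discussed in this and the Basics section, as an added example that is not the article’s own code. FS_METHOD, WP_HOME, WP_SITEURL and FORCE_SSL_ADMIN are real WordPress constants; the domain is the article’s iamlizu.com and the comments spell out when each setting is safe.

```php
<?php
// Added example: lines to paste into wp-config.php, above the
// /* That's all, stop editing! */ line. Replace iamlizu.com with your domain
// and keep the scheme and trailing-slash choice identical in both URLs.

// WordPress asks for FTP/SSH credentials when the PHP process is not the
// owner of the WordPress files. 'direct' tells it to write as the PHP user
// anyway. That only works, and is only appropriate, when the web server
// user owns the files; on a host where a separate account owns them, leave
// this out and keep the credential prompt.
define( 'FS_METHOD', 'direct' );

// Pin both site URLs to HTTPS. Once defined here the two fields under
// Settings become read-only, so nobody can switch them back to http://.
define( 'WP_HOME',    'https://iamlizu.com' );
define( 'WP_SITEURL', 'https://iamlizu.com' );

// Require HTTPS for wp-login.php and the whole admin area, so the login
// cookie is never sent over plain HTTP even if a redirect rule is missing.
define( 'FORCE_SSL_ADMIN', true );
```

If your certificate is terminated by a proxy or CDN in front of the server (the CloudFlare case mentioned above), FORCE_SSL_ADMIN can loop unless WordPress is told the original request was HTTPS; WordPress documents checking the X-Forwarded-Proto header for that situation, and the loop is a sign that check is missing.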
Always Use HTTPS
HTTPS is the secure version of HTTP (Hypertext Transfer Protocol). Once you install an SSL / TLS certificate your website can be browsed over HTTPS, but it is still accessible over plain HTTP. To close that gap, add redirect rules to your web server configuration so that every HTTP request is sent to HTTPS.
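An HTTP-to-HTTPS redirect for the .htaccess file at the WordPress root, as an added example (not the article’s own lines). It assumes Apache with mod_rewrite, which WordPress permalinks already need, and mod_headers for the optional HSTS line.

```apache
# Added example: force HTTPS from the .htaccess at the WordPress root.
# Put it ABOVE the "# BEGIN WordPress" block, which WordPress regenerates;
# anything inside that block is overwritten.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Only act on requests that did not arrive over TLS ...
    RewriteCond %{HTTPS} !=on
    # ... and send them permanently to the same host and path over HTTPS.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

# Optional, once every page works over HTTPS: tell browsers to stay on HTTPS
# (HSTS). Sent only on TLS responses (env=HTTPS). Start with a short max-age;
# a long value on a site that later breaks its certificate locks visitors out
# until it expires.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=300" env=HTTPS
</IfModule>
```

Behind a CDN or proxy that terminates TLS, %{HTTPS} is off for every request and this rule loops; in that setup test for the X-Forwarded-Proto header instead, or let the proxy do the redirect.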
Fix Mixed Content
Mixed content means your website is serving content over both HTTP and HTTPS at the same time. This is one of the common problems WordPress administrators face when a website is switched to HTTPS. Reasons for mixed content errors include, but are not limited to, images with hard-coded HTTP URLs and plugins using absolute paths.
First, replace external links with HTTPS, then add code to your theme’s functions.php that rewrites your site’s core links (media, CSS, scripts and other internal links) to HTTPS.
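The functions.php hooks described above, as an added example that is not the article’s or the theme’s own code. It uses WordPress core filters (wp_get_attachment_url, script_loader_src, style_loader_src, the_content) and the core helper set_url_scheme; the iamlizu_ function names are my own.

```php
<?php
// Added example for a theme's functions.php: rewrite the site's own URLs to
// https://. External URLs are left untouched on purpose, so that third-party
// resources are fixed by hand as the text says, rather than silently pointed
// at an https:// address that may not exist.

// Rewrite one URL to https:// only if its host is this site's host.
function iamlizu_force_https_url( $url ) {
    $home_host = wp_parse_url( home_url(), PHP_URL_HOST );
    $url_host  = wp_parse_url( $url, PHP_URL_HOST );
    if ( $url_host && strcasecmp( $url_host, $home_host ) === 0 ) {
        return set_url_scheme( $url, 'https' );
    }
    return $url;
}
// Media library URLs (images in posts, featured images).
add_filter( 'wp_get_attachment_url', 'iamlizu_force_https_url' );
// Enqueued scripts and stylesheets.
add_filter( 'script_loader_src', 'iamlizu_force_https_url' );
add_filter( 'style_loader_src', 'iamlizu_force_https_url' );

// Hard-coded http:// links to this site inside post content (for example
// images inserted before the switch). Again, only this site's host.
function iamlizu_force_https_content( $content ) {
    $host = wp_parse_url( home_url(), PHP_URL_HOST );
    return str_ireplace( 'http://' . $host, 'https://' . $host, $content );
}
add_filter( 'the_content', 'iamlizu_force_https_content' );
```

Rewriting on output is a stop-gap: the stored post content still says http://, so a search-and-replace in the database (or the Site Address change above plus a re-save of affected posts) is the permanent fix, after which these filters do no work.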
Tip: when you link an image or script, or embed something, make sure to use HTTPS.
File & Directory
In Unix and Linux there are three kinds of permissions: read, write and execute. And there are three user classes: owner, group and others, where every user is a member of at least one group.
Let’s say you are a user on your computer, system or server and you own some files, your website directory (folder) perhaps. Whether the people in your group, or anyone else, can read, write or execute a file depends on the permissions set on it. If permissions are set wrongly then several problems can occur, including but not limited to inaccessible files or directories and leaks of important files or directories. The ideal permission for directories running WordPress is 755 and for files it is 644.
File permission 755: the file or directory owner can read, write and execute; group members and others can read and execute only, they can’t write to the file or directory.
File permission 644: the file or directory owner can read and write but not execute; group members and others can read only, no writing or execution is permitted.
It is advised to set 600 on wp-config.php so that nobody but the file owner can read and write the file, with no execute permission for anyone.
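A stand-alone check for the values recommended above, as an added example that is not from the article. It is a plain PHP script that loads no WordPress code; the script name, the path argument and the expected modes (755 for directories, 644 for files, 600 for wp-config.php) are taken from the text.

```php
<?php
// Added example: walk a WordPress directory and report every file or
// directory whose mode differs from the recommended one.
// Usage (from a shell): php check-perms.php /path/to/wordpress

function expected_mode( SplFileInfo $f ) {
    if ( $f->isDir() ) {
        return 0755;
    }
    if ( $f->getFilename() === 'wp-config.php' ) {
        return 0600;
    }
    return 0644;
}

// Returns a list of "mode path (expected mode)" strings, one per mismatch.
function find_bad_permissions( $root ) {
    $bad = array();
    $it  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $it as $f ) {
        $mode = $f->getPerms() & 0777;   // drop the file-type bits
        $want = expected_mode( $f );
        if ( $mode !== $want ) {
            // World-writable entries (e.g. 777) are the dangerous case; every
            // other deviation is listed too so you can see what the host set.
            $bad[] = sprintf( '%04o %s (expected %04o)', $mode, $f->getPathname(), $want );
        }
    }
    return $bad;
}

if ( PHP_SAPI === 'cli' ) {
    $root = $argv[1] ?? getcwd();
    $bad  = find_bad_permissions( $root );
    echo $bad ? implode( PHP_EOL, $bad ) . PHP_EOL : "All permissions match.\n";
    exit( $bad ? 1 : 0 );
}
```

Some hosts run PHP as the file owner and need wp-content/uploads (and a cache directory) writable by that user only, which 755/644 already allow; a 777 entry in the report is the one to fix first, because it lets any other account on the machine write there.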
Let’s see how to change file or folder permissions in cPanel, please follow the steps:
- At first please login to your cPanel,
- After that please open File Manager,
- Now select the files or folders you want action to be performed on and select Change Permissions,
- Here change the file or folder permissions as needed,
- Finally click Change permissions to save the changes.
Disable PHP File Executions
“PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.” (PHP: What is PHP?)
WordPress is written in PHP; you may have noticed that the WordPress configuration file, wp-config.php, is a PHP file. Now the question arises: how can disabling PHP file execution help improve WordPress security?
A hacker can try to execute a malicious PHP file and harm you in ways you cannot imagine. Fortunately, you can block PHP file execution in a folder or directory. Add the blocking rules to the .htaccess file in that folder, or create a new .htaccess file with those lines if there isn’t an existing one.
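An .htaccess for the folder that most needs this rule, as an added example (not the article’s own lines). The choice of wp-content/uploads is my assumption: it is the directory that accepts files from users, so a PHP file that lands there through a weak upload form or plugin bug must never run. It also repeats the Options -Indexes line from the Disable Directory Listing section, since both belong in the same file.

```apache
# Added example: wp-content/uploads/.htaccess
# Refuse to serve any PHP-like file from this tree, whatever uploaded it.
# (?i) makes the match case-insensitive, so .PHP and .Php are covered too.
<FilesMatch "(?i)\.(php|php[0-9]|phtml|phar|pht)$">
    # Apache 2.4
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# No index pages for the uploads tree.
Options -Indexes
```

If the host does not allow Options in .htaccess (AllowOverride without Options), the whole directory answers with a 500 error; remove the last line in that case, the FilesMatch block still works. Test by placing a harmless file such as test.php in uploads and confirming the browser gets a 403 rather than running it.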
Disable Directory Listing
Leaving the WordPress directory open to be viewed by anyone is like storing secret stuff in a locker but telling people what you have stored. Let’s say a file in WordPress core is somehow vulnerable; if a hacker discovers that you have that file, this is an advantage for the hacker. Here you will see two easy ways to solve this problem.
You may have seen an index.php file in WordPress folders with no content but a single comment: silence is golden. You may have wondered why an index file is there while it basically shows nothing; well, now you know. So you can copy that index.php and paste it into a folder to disable the directory listing, or you can create the file yourself with the same comment.
Now when someone visits that directory WordPress will load the index file which is empty and they will see nothing but an empty screen.
However, copying this file into all the folders is time consuming and you will have to repeat it every time you create a folder, for whatever reason. If your hosting server is running Apache then you can do this with the help of the .htaccess file, which is usually included in your site configuration; most hosting companies allow it. Add Options -Indexes at the end of your .htaccess file to disable directory listing in all directories within your WordPress installation directory.
Change Database Table Prefix
The database is where the website’s information is stored. Software is programmed to store its data in tables. The database table prefix is the string added at the start of every table’s name. WordPress uses wp_ as the default table prefix. This makes it easier for hackers to guess the name of any table, because the part after the prefix is always the same. For example, the users table will be wp_users, the posts table will be wp_posts, and so on. If you change the table prefix to something else it will give the hacker a hard time figuring out the names. Please follow the steps below to change the table prefix of your WordPress database:
- At first, open your wp-config.php file and search for the table prefix setting.
- Then replace wp_ with your new custom prefix.
- Finally save and close the file, don’t forget to upload if you are using FTP instead of any File Manager.
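The steps above edit wp-config.php only (the setting there is the $table_prefix variable). On a site that already has data, that alone is not enough: WordPress will look for tables under the new prefix and find none, and two kinds of rows carry the prefix inside their key (the user_roles option and every user’s capabilities and user_level meta), so they must be renamed as well or every account loses its role. The following stand-alone script, an added example that is not from the article, prints the SQL for all of that; the table list is the WordPress core set and the new prefix k8s7x_ is a constructed sample.

```php
<?php
// Added example: print the SQL needed to move an existing WordPress
// database from one table prefix to another. Run it, review the output,
// back up the database, then execute the statements in phpMyAdmin.

function prefix_change_sql( $old, $new, array $tables ) {
    // Prefixes may only contain letters, digits and underscores.
    foreach ( array( $old, $new ) as $p ) {
        if ( ! preg_match( '/^[A-Za-z0-9_]+$/', $p ) ) {
            throw new InvalidArgumentException( "bad prefix: $p" );
        }
    }
    $sql = array();
    foreach ( $tables as $t ) {
        $sql[] = "RENAME TABLE `{$old}{$t}` TO `{$new}{$t}`;";
    }

    // Rows whose KEY embeds the prefix. '_' is a single-character wildcard
    // in LIKE, so it is escaped; SUBSTRING keeps whatever followed the old
    // prefix instead of blindly replacing every 'wp_' in the string.
    $old_like = str_replace( '_', '\_', $old ) . '%';
    $cut      = strlen( $old ) + 1;
    $sql[] = "UPDATE `{$new}options` SET option_name = CONCAT('{$new}', SUBSTRING(option_name, {$cut})) WHERE option_name LIKE '{$old_like}';";
    $sql[] = "UPDATE `{$new}usermeta` SET meta_key = CONCAT('{$new}', SUBSTRING(meta_key, {$cut})) WHERE meta_key LIKE '{$old_like}';";
    return $sql;
}

// WordPress core tables (plugins may add more; list them here as well).
$core_tables = array(
    'commentmeta', 'comments', 'links', 'options', 'postmeta', 'posts',
    'termmeta', 'terms', 'term_relationships', 'term_taxonomy', 'usermeta', 'users',
);

if ( PHP_SAPI === 'cli' ) {
    // Sample run: default prefix to a constructed one. Afterwards set
    // $table_prefix = 'k8s7x_'; in wp-config.php.
    echo implode( PHP_EOL, prefix_change_sql( 'wp_', 'k8s7x_', $core_tables ) ), PHP_EOL;
}
```

Run the prefix change and the wp-config.php edit together, with the site in maintenance mode, because between the two steps the site cannot find its tables.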
Limit Login Attempts
You can limit the login attempts to your WordPress administration area, which helps prevent brute force attacks. Let’s say you allow a user a maximum of three tries in a short window; if the user fails three times, the user is banned for a period of time. This makes sure a hacker cannot keep trying to log in continuously.
“a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly.” (Wikipedia)
I would suggest Limit Login Attempts Reloaded which is a great plugin with more than 1 million active installs. Please follow these steps,
- At first, click Add New under Plugins in the dashboard,
- Now type Limit Login Attempts Reloaded in the search box,
- Then click the install button to install the plugin,
- After that, click the activate button and you have successfully added the plugin to your WordPress site.
Plugins extend the functionality of WordPress. You can follow the steps above to install any plugin on your WordPress site. You can also upload plugin files from the Add New plugin page using the Upload button, or upload them directly to your web host. However, it is suggested to install plugins using the WordPress dashboard.
- Now go to the plugin’s setting page by clicking Limit Login Attempts under WordPress settings,
- Change the lockout settings and save.
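What a lockout setting like the one above actually does, shown as a minimal limiter of my own for a theme’s functions.php or a small plugin; this is an added example, not the article’s text and not the Limit Login Attempts Reloaded plugin’s code. It uses the core wp_login_failed and wp_login actions, the authenticate filter and transients; the iamlizu_ names, the three-attempt limit and the time windows are my choices.

```php
<?php
// Added example: after IAMLIZU_MAX_ATTEMPTS failed logins from one address
// within IAMLIZU_WINDOW seconds, the address is locked out for
// IAMLIZU_LOCKOUT seconds. Transients need no extra database table.
const IAMLIZU_MAX_ATTEMPTS = 3;
const IAMLIZU_WINDOW       = 15 * MINUTE_IN_SECONDS;
const IAMLIZU_LOCKOUT      = 30 * MINUTE_IN_SECONDS;

// Key the counter on the client address. REMOTE_ADDR is what Apache saw;
// do not switch to X-Forwarded-For unless a proxy you control always sets
// it, otherwise a client can reset its own counter by changing the header.
function iamlizu_attempt_key() {
    return 'iamlizu_login_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Count a failed login; start the lockout once the limit is reached.
function iamlizu_record_failure( $username ) {
    $key      = iamlizu_attempt_key();
    $attempts = (int) get_transient( $key ) + 1;
    if ( $attempts >= IAMLIZU_MAX_ATTEMPTS ) {
        set_transient( $key . '_locked', time(), IAMLIZU_LOCKOUT );
        delete_transient( $key );
        return;
    }
    set_transient( $key, $attempts, IAMLIZU_WINDOW );
}
add_action( 'wp_login_failed', 'iamlizu_record_failure' );

// While locked out, refuse before the password is even checked. Priority 30
// runs after core's username/password check (20), so a correct password
// during the lockout is refused as well.
function iamlizu_block_locked( $user, $username, $password ) {
    if ( get_transient( iamlizu_attempt_key() . '_locked' ) ) {
        return new WP_Error( 'locked_out', 'Too many failed logins. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'iamlizu_block_locked', 30, 3 );

// A successful login clears the counter.
function iamlizu_clear_attempts() {
    delete_transient( iamlizu_attempt_key() );
}
add_action( 'wp_login', 'iamlizu_clear_attempts' );
```

Because the authenticate filter is shared, this also covers logins made through xmlrpc.php. Its limit is the one every per-address limiter has: an attacker rotating through many addresses gets IAMLIZU_MAX_ATTEMPTS tries from each, which is why strong passwords and the IP allow-list below still matter.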
Allow Login From Trusted IP(s)
Allowing only selected IPs to access the login page is an important step to improve WordPress security: only people with a trusted IP can reach it. This can be done easily by applying some rules in .htaccess. Add the allow rules to the .htaccess file at the root of the WordPress installation directory, replacing xxx.xxx.xxx.xxx with the IP you trust; to allow multiple IPs, add another line of allow from <your_ip>.
Caution! Do this only if you have a dedicated IP, an IP that belongs to you alone and does not change when you connect or reconnect to the network. Make sure you add all your IPs, otherwise you won’t be able to access the login page.
User enumeration is one of the vulnerabilities any web application with user authentication can have. In simple words, it is a process of guessing the usernames of a web app in order to apply brute force, a popular and commonly used technique where a hacker tries every possible password for an account. If the user accounts are easily discoverable, that is an advantage for a hacker. There are a bunch of ways a hacker can collect the usernames of your website.
Let’s see the steps to prevent user enumeration and improve WordPress security.
Username vs Display Name
Your username is your login name, the name you use to log in to your website’s admin panel or dashboard. The display name is the name shown on the site. You may never have thought about it, but setting a display name different from the username can help you. Let’s say your username is admin and your display name is John Doe; then it will be a bit harder for the bad guys to apply brute force. You can change your display name from your user profile under Users, don’t forget to save the changes.
Change default username
During the WordPress installation process, the administrator username is set to admin by default. If your admin username is still this, you need to change it, because a hacker will obviously try that account first. It adds an extra layer of security if that username doesn’t exist at all. You may have noticed that changing a username is not allowed in WordPress; you have to change it in the database directly. Please follow these steps to change the username:
- At first, go to https://yourdomain.tld/phpmyadmin to access phpMyAdmin, don’t forget to replace yourdomain.tld with your website URL.
- Then click on your database name and click the wp_users table to access the user table.
- Now click the edit icon to the left of the username you want to change.
- After that, change the value of the user_login field to your desired username.
- Finally click on Go to save the changes.
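The same change done from PHP instead of phpMyAdmin, as an added example that is not from the article, for a one-off run such as wp eval-file rename-admin.php with WP-CLI. It also updates user_nicename, which the phpMyAdmin steps leave alone: that column is the slug in author URLs (/author/admin/), so without changing it the old login name stays visible to the author scans discussed next. The iamlizu_ function name and the sample values admin and site_editor_7 are mine.

```php
<?php
// Added example: rename a WordPress login name and its author slug.
// Run inside WordPress (e.g. WP-CLI), never from a public URL.
function iamlizu_rename_user( $old_login, $new_login ) {
    global $wpdb;

    // Reject anything WordPress itself would not accept as a login.
    if ( ! validate_username( $new_login ) || username_exists( $new_login ) ) {
        return new WP_Error( 'bad_login', 'New username invalid or already taken.' );
    }
    $user = get_user_by( 'login', $old_login );
    if ( ! $user ) {
        return new WP_Error( 'no_user', "No user named $old_login." );
    }

    $updated = $wpdb->update(
        $wpdb->users,
        array(
            'user_login'    => $new_login,
            'user_nicename' => sanitize_title( $new_login ), // author-archive slug
        ),
        array( 'ID' => $user->ID ),
        array( '%s', '%s' ),
        array( '%d' )
    );
    if ( false === $updated ) {
        return new WP_Error( 'db_error', $wpdb->last_error );
    }
    clean_user_cache( $user->ID ); // drop the cached copy of the old row
    return $user->ID;
}

// Sample invocation for the one-off run (constructed values).
$result = iamlizu_rename_user( 'admin', 'site_editor_7' );
echo is_wp_error( $result ) ? $result->get_error_message() : "Renamed user #$result", PHP_EOL;
```

The display name is untouched here on purpose; the previous section covers choosing one that differs from the login.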
Tip: when you install WordPress or create users, avoid common usernames like admin, author etc. These are the usernames a hacker will always try to brute force.
Block Author Scans
Author scanning is another technique hackers use to collect usernames. By default you can look up usernames by user ID in WordPress: if you go to https://yourdomain.tld/?author=1, where ‘1’ is the user ID of a user, you will be redirected to that user’s page. Please follow these steps to block author scans:
- At first, open your .htaccess file from the WordPress installation directory.
- After that, add the blocking rules to the end of the file,
- Finally save and close the file.
Don’t give a user permissions that the user doesn’t require. For example, don’t give an author administrator privileges. If you are the site admin, use a regular user account while you are not performing administrative tasks; it also helps when investigating issues, such as checking whether a regular user can see a restricted page or not.
Limit REST API access
In simple words, an API is used for communication between two applications. By default, WordPress REST API endpoints are open to everyone, and hackers use this to their advantage to collect the users of a WordPress site. It is suggested to limit API access to logged-in users to strengthen security. For example, if you go to https://yourdomain.tld/wp-json/wp/v2/users/ you will see all the users of your site. To stop others from viewing this, please follow these steps:
- At first, open your theme’s functions.php and add the restriction code at the end,
- Now please save and close the file.
Hide Login Errors
Another easy way to check whether a user exists in a system is to try logging in with that username and a random password. If WordPress has that user account it says “Wrong Password” or something similar, which also helps a hacker collect usernames. But if you change the login error to something very generic that is shown for every error that occurs while a user tries to log in, then it will be impossible for a hacker to collect usernames from login errors. Please follow these steps:
- First, open your theme’s functions.php and add the error-message code at the end of the file,
- Save and close the file.
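One functions.php block for the three enumeration channels covered in this part of the article (author scans, the REST users endpoint, and login errors), as an added example that is not the article’s code. The author-scan part is a PHP alternative to the .htaccess rule the text uses; the other two use the core filters rest_authentication_errors and login_errors. The iamlizu_ function names and the messages are mine.

```php
<?php
// Added example for a theme's functions.php.

// 1. ?author=N probing: for anonymous visitors, stop the canonical redirect
//    to /author/<slug>/. Priority 1 runs before redirect_canonical (10).
function iamlizu_block_author_scan() {
    if ( ! is_admin() && isset( $_GET['author'] ) && ! is_user_logged_in() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}
add_action( 'template_redirect', 'iamlizu_block_author_scan', 1 );

// 2. REST API: /wp-json/wp/v2/users (and every other route) only for
//    logged-in users. A result already decided by another check (true, or
//    a WP_Error such as a bad nonce) is passed through untouched.
function iamlizu_rest_require_login( $result ) {
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'REST API restricted to logged-in users.',
            array( 'status' => 401 )
        );
    }
    return $result;
}
add_filter( 'rest_authentication_errors', 'iamlizu_rest_require_login' );

// 3. Login form: one message for an unknown user and for a wrong password,
//    so the response no longer says which of the two it was.
function iamlizu_generic_login_error( $error ) {
    return 'Login failed. Please check your username and password.';
}
add_filter( 'login_errors', 'iamlizu_generic_login_error' );
```

Two things to verify after adding this: front-end features that call the REST API anonymously (contact-form plugins, for example) now get a 401, so narrow the second hook to the users route if something breaks; and pretty author URLs such as /author/<slug>/ still work for anyone who already knows the slug, which is why the slug (user_nicename) should not equal the login name.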
Password Protect WP-Admin
Besides using strong passwords for your user accounts, you should also consider adding password protection to the wp-admin area. This adds an extra layer of security to your dashboard and to WordPress as a whole: everyone trying to access wp-admin is asked for a second username and password. Please follow these steps to add password protection:
- At first, go to the wp-admin directory.
- After that, create a .htpasswd file where the credentials to access the URL will be saved. Use the htpasswd generator by Andreas Gerhke and save the generated string in that file.
- Now upload the file somewhere outside the public_html directory of your web host. An ideal location is /home/Your_Username/.htpasswds/admin, where “Your_Username” is your own username, e.g. bob.
- Then add the authentication lines at the end of your .htaccess file in the WordPress installation directory.
- Don’t forget to replace your_username with your actual username.
- Finally save and close the file. Now if you go to the login URL, it will ask you for the extra username and password that you just added.
Now try to access the wp-admin of your website; you will see a pop-up similar to this. Enter the username and password you generated the .htpasswd string with.
To add a new user, first generate the encrypted user-pass string using that .htpasswd generator and add the string at the end of your .htpasswd file.
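The .htaccess directives the steps above refer to, as an added example (not the article’s own lines), in Apache 2.4 syntax. The AuthUserFile path is the location the text suggests, with Your_Username to be replaced; the exception for admin-ajax.php and admin-post.php is the caveat most people hit after switching this on.

```apache
# Added example, part 1: in the .htaccess at the WordPress root, protect the
# login script itself (it lives outside wp-admin/).
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /home/Your_Username/.htpasswds/admin
    Require valid-user
</Files>

# Added example, part 2: in wp-admin/.htaccess, the same four directives
# without the <Files> wrapper protect the whole dashboard directory:
#   AuthType Basic
#   AuthName "Restricted area"
#   AuthUserFile /home/Your_Username/.htpasswds/admin
#   Require valid-user
# plus this exception. admin-ajax.php is called from the public site by many
# themes and plugins (comment forms, search, sliders) and admin-post.php by
# front-end form handlers; without the exception those features break for
# every visitor, who now gets a password prompt instead of a response.
<FilesMatch "^(admin-ajax|admin-post)\.php$">
    Require all granted
</FilesMatch>
```

On Apache 2.2 the same effect needs Satisfy Any together with Order allow,deny / Allow from all inside the FilesMatch block. Basic authentication sends the password with every request, so this only adds protection on a site that is HTTPS-only, as set up earlier in this article.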
Restrict File Editing
Let’s imagine a situation where a hacker somehow got access to your WordPress administration area. Now the hacker can do a lot of things by altering files using the WordPress editors, the Theme Editor and the Plugin Editor. Disabling file editing from the WordPress admin area is another step to improve WordPress security. This way no file editing can be done using the Theme Editor or Plugin Editor, as those won’t exist.
To disable file editing, open your wp-config.php file and add define( 'DISALLOW_FILE_EDIT', true ); before /* That's all, stop editing... */.
Please avoid using WordPress plugins for managing files through the WordPress administration area, i.e. file-manager type plugins.
Extra Measures – Improve WordPress Security
Remove WordPress Version
WordPress adds the running version to the HTML source of your website. Let’s say you are running WordPress 5.2.2; if you view your page source you will see <meta name="generator" content="WordPress 5.2.2" />. This exposes your WordPress version. If you are using the latest version of WordPress you don’t have to worry about it, but if for some reason you are using an older version then you should remove it, because that old version can have vulnerabilities which are an advantage for hackers. Add the version-removal lines at the end of your functions.php, the file inside your theme’s folder.
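The functions.php lines described above, as an added example that is not the article’s code. It removes the version from the three places WordPress core prints it: the generator meta tag, the feed generator element, and the ?ver= query string on core scripts and styles. The wp_generator action, the_generator filter and the loader_src filters are core; the iamlizu_ function name is mine.

```php
<?php
// Added example for a theme's functions.php.

// The <meta name="generator"> tag in the page head ...
remove_action( 'wp_head', 'wp_generator' );
// ... and the <generator> element in RSS/Atom feeds, which prints it too.
add_filter( 'the_generator', '__return_empty_string' );

// Enqueued core assets carry ?ver=<WordPress version> unless the handle
// sets its own version. Drop only the core version, so plugin and theme
// assets keep their own cache-busting value.
function iamlizu_strip_core_ver( $src ) {
    if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'iamlizu_strip_core_ver' );
add_filter( 'style_loader_src', 'iamlizu_strip_core_ver' );
```

Two places this does not cover: readme.html in the installation root states the version (delete it or block it in .htaccess), and the fingerprint of core files themselves still identifies a release to anyone who compares hashes. Hiding the number buys a little time; the update advice at the top of the article is what removes the vulnerabilities.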
Limit XML-RPC Access
XML-RPC once was essential for WordPress users, especially site owners. Back then the Internet was far slower than what we have now and XML-RPC helped post to WordPress remotely using the WordPress mobile app. It is still in use at the time of writing. Unfortunately XML-RPC also enables a hacker to perform brute force and DDoS attacks, so it is better to limit access to xmlrpc.php to improve WordPress security.
What we will do is allow only specific IP(s) and website(s) to access xmlrpc.php. Add the allow rules to your .htaccess file, adding new lines of allow from ... as needed.
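One root .htaccess fragment covering both this section and Allow Login From Trusted IP(s), as an added example that is not the article’s own lines. The addresses are placeholders from the documentation range, not real ones. Apache 2.4 syntax is shown; the article’s own allow from lines are the Apache 2.2 form (Order deny,allow / Deny from all / Allow from ...).

```apache
# Added example: in the .htaccess at the WordPress root.

# wp-login.php only from the listed addresses. Several Require ip lines in
# one section mean "any of these". Everyone else gets a 403.
<Files wp-login.php>
    # placeholder: your static IP
    Require ip 203.0.113.10
    # placeholder: a whole office range
    Require ip 203.0.113.0/24
</Files>

# xmlrpc.php only from the service that really needs it, e.g. the server of
# a remote-publishing app. With no such client, "Require all denied" is the
# simplest rule, and every brute-force or pingback request to it stops here.
<Files xmlrpc.php>
    # placeholder: the remote service's address
    Require ip 198.51.100.7
</Files>
```

Check the result with curl from an address outside the list (expect 403) and from inside it (expect 200). If the site sits behind a CDN or proxy, Apache sees the proxy’s address rather than the visitor’s and these rules will lock everyone out or nobody; in that case the allow-list belongs at the proxy, or mod_remoteip must be configured first.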
Apply Content Security Policy
Content Security Policy (CSP) is a set of rules that controls resource loading. For example, let’s say your site loads JS from jsdelivr and from your own web server. By setting CSP rules you can make sure that no other JS files are loaded unless they come from your web server or jsdelivr. However, you need to be careful and set CSP properly, because an improper CSP can lead to missing resources, functional problems on your site and so on. There is no generic CSP rule; the sources your site loads from are unlikely to be the same as mine or anyone else’s. You can set CSP rules in your .htaccess file. You can follow the MDN Web Docs on CSP and the Content Security Policy Reference to set CSP rules for your website.
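A starting policy for the jsdelivr-plus-own-server case in the text, as an added example that is not from the article. The source list is a constructed sample (cdn.jsdelivr.net is jsDelivr’s CDN hostname; everything else is an assumption about a typical theme), and it is deliberately shipped in Report-Only mode first, which is how you find out what your own site loads before anything is blocked.

```apache
# Added example: in the .htaccess at the WordPress root.
<IfModule mod_headers.c>
    # Report-Only: the browser logs violations to its console and blocks
    # nothing. Browse the site and the dashboard with the console open and
    # add every legitimate source that shows up before enforcing.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests"

    # When the console is clean, switch to the enforcing header with the
    # same value:
    #   Header always set Content-Security-Policy "...same value as above..."
</IfModule>
```

Expect WordPress core, the block editor and many plugins to emit inline scripts, so a strict script-src usually has to be relaxed with 'unsafe-inline' (or per-request nonces, which WordPress does not add for you) before it can be enforced; the upgrade-insecure-requests directive also quietly fixes remaining mixed-content links from the earlier section.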
Check Site Health
This feature was added in a very recent version of WordPress. As the name suggests, Site Health shows a status page and an info page. The status page shows issues. The info page shows, among other things, server details, site information, plugin information and database information. It is accessible from the Tools menu of your WordPress admin area. Be sure to keep an eye on the page and solve the issue(s) it reports to improve WordPress security.
The world is updating every day, and so is technology. Make sure you are on track too! Keep your website updated and use updated plugins. Install plugins wisely; they affect your site’s overall performance.
All the techniques above are to prevent your site from being hacked, not to clean an already hacked site. You can use Sucuri to scan your site for malware.
Please note that this article is focused on the Apache web server since most shared hosting uses it to date. To help average users I focused on the shared hosting area.
Disclaimer: This content – Improve WordPress Security / WordPress Security Tips 2020 and everything used in this content are copyrighted materials of S M Mahmudul Hasan, please credit properly if you are using material — image, paragraph etc. You may find the featured image used in this article on Fiverr used in a gig, I am the gig owner.