WordPress security breach is a cause of concern for many website owners. Security issues in 2016 could doom your business. Attacks by anonymous users and SQL Injection techniques can break up your site. E-business sites can have a dramatic loss of revenue and brand image, if proper best practices are not followed.
For the past 8 years, WordPress security vulnerabilities did not cross my mind. Initially, my blogs had very less traffic and so not much care was taken of loopholes in PHP code and plugins. But for the last 2 years, with increasing usage of WordPress and other CMS platforms, safekeeping of site credentials against hackers became a business of utmost importance.
Table of Contents
How Somebody Gains Access to Your WordPress Site?
The following are some of the methods, by which attackers try to hack your site. (Source: http://matthewpavkov.com/wordpress-plugins/wordpress-attacks.html)
- Directory Traversal (http://en.wikipedia.org/wiki/Directory_traversal)
- SQL Injection (http://en.wikipedia.org/wiki/SQL_injection)
- WordPress-Specific SQL Injection (http://en.wikipedia.org/wiki/SQL_injection)
- Executable File Upload
- Filed Truncation (http://www.secgeeks.com/sql_server_truncation_attacks.html)
- Remote File Execution (http://en.wikipedia.org/wiki/Remote_file_inclusion)
For example, in SQL injection hacking method, it exploits a security vulnerability occurring in the database layer of an application. By using certain queries or commands, control or access of the database may be obtained.
By default, all references in the database are blocked, unless otherwise whitelisted. This can happen, when you try to use a specific WordPress functionality or plugin which requires the access to a particular resource on your site.
Suggested Reading : Slow WordPress Dashboard – Fix
WordPress Security Best Practices in 2016
In this post, I’m going to discuss about 7 bulletproof tips, which protect your site from unauthorized usage and stealing passwords. Using these WordPress security best practices of 2016, you can have a peace of mind regarding authentication breach and concentrate on content. Bugs arise in WordPress installation from time to time, which can cause severe harm to your server and site. Too much of encryption and firewall optimization can hinder the performance of your sites.
7 WordPress Security Best Practices – Checklist
- Login Credentials
- WordFence Security Plugin
- Limit Login Attempts
- .htaccess & robots.txt
- Block xmlrpc.php
WordPress Security Basics
The default username and password for your WordPress login page are “admin” and “admin”. Most of the owners, tend to use the same username or password or both, even after the installation. Hackers use this “lazy” and “naïve” habit to get access to your site dashboard.
The first best practice to keep your WordPress site secure is to change the username and password to different and strong ones. Some of the common usernames, which hackers try to scan are “admin”, “<sitename>”, “123456” etc. So once you change the username to a complex name or set of characters, it becomes the first degree of defense against DDoS attack.
Also, in the current version of WordPress of 4.5.3, the CMS itself gives the provision of generating a strong and difficult password for each, which is not easy to hack. If you are using Chrome, then you can safely sync these credentials, which also makes it easier for you to login to your WordPress without remembering them. You have both guarantee and one-click usage with this technique.
Wordfence Security Plugin
The second best practice against attackers trying to login to your Dashboard, is to use a plugin called Wordfence Security. I’ve tested this plugin against 6 to 8 sites and didn’t find any performance or login issues. The FREE version comes with some limitations, but is enough for normal safekeeping.
The following are the features of this plugin.
- Live Traffic
- Performance Setup
- Blocked IPs
- Password Audit
- Cellphone Sign-in
- Country Blocking
- Scan Schedule
- Whois Lookup
- Advanced Blocking
This plugin will scan your site for different vulnerabilities like HeartBleed etc. It also checks the theme and plugin file signatures. It will also check the WordPress files against originals in the repository.
It will also scan for weak passwords and comments.
It will produce a neat summary of the result.
A detailed activity of the scan with number of files per second is also displayed. If there are any issues with your site DNS servers or theme files, that is also mentioned.
You can also set rate limiting rules. This is a feature to battle the performance of your server. In case an hacker or DDoS attacks happen, there will be huge surge in bandwidth. In that case these rules will come into play and will block or throttle the requests. You can also set options for what to scan and send a summary to your email.
Most of the other options are for premium users.
Limit Login Attempts
The third best practice is to use another WordPress security plugin, useful for preventing hackers doing brute-force attacks. By default, WordPress mechanism allows anyone (registered or not registered) with unlimited login attempts either using the login page or by sending special cookies.
This allows for decryption of passwords (or hashes) using brute-force cracked methods with relative ease.
You can leave the default settings for the plugin or you can change them under Settings > Limit Login Attempts under the WordPress Dashboard. The defense against threats comes with the usage of the “Lockout” options.
The features of this covenant plugin are
- Limit the number of retry attempts during logging in (for each IP). This can be changed to our necessity.
- Limit the number of attempts to login using auth cookies, which can be done in the same way.
- Information to the user about the remaining number of retries or lockout time.
- Optional logging, with email notification to the admin.
- Handles server behind reverse proxy. For eg, if you are using CDN or Cloudflare, this can detect the server.
- You can also whitelist the IPs using a filter.
So for example, if an intruder tries with a brute-force attack of 6 retries, then you can block him for a specific time period like 2000 minutes. In the same way, if he returns back to try again with more number of attempts, you can then increase the time of lockout.
This is very useful from preventing unauthorized users knowing your WordPress site credentials.
The fourth best practice is to use another free WordPress plugin package useful in myriad number of ways to customize your site. There are lot of features available with “amateur” WordPress.com installation, which can also be had in self-hosted WordPress installation using this plugin.
After installing the plugin, you need to connect to your WordPress.com account. For this you need to create a free account.
After that, you can see the “Performance and Security” tab in the content area.
There is an option called “Protect” which has a switch to toggle on/off. By default, it’s off. To provide better security to your WordPress site, you have to turn it on. This will prevent brute force attacks.
The fifth best practice is to use a proxy service that accelerates and secures your WordPress site. There is a free priced service, which gives some basic features. Using this cloud based service, you can protect your website against hackers, brute-force attacks, save bandwidth and reduce average page load times.
Once you add your site to the free account, you have some options to defend your site from attacks.
Under this tab, you can encrypt communication with your site, using SSL. You can also enforce web security policy for your website using HSTS (HTTP Strict Transport Security) method. This is very useful in case of downgrade attacks.
This is where you can set the security level for your site. There are several settings for this option like –
Low, medium, high, I’m Under Attack. So based upon the intensity of security level you give, Cloudflare will automatically determine which visitors will receive a challenge page, if they are doing any unauthorized connections to your site.
Here you can do several things like Email address obfuscation, server-side excludes, hotlink protection. You can automatically hide specific content from suspicious visitors. You can also protect your images from off-site linking.
.htaccess & robots.txt
This is the sixth best practice to secure your WordPress site in 2016. This is a special type of file that resides in the root directory of your WordPress installation. You can access it in several ways. You can directly open it using cPanel or FileZilla. You can also use a plugin like Yoast to access it. Whatever may be the way, by just adding some code, you can deny access to certain type of files.
You can also deny IPs which are repeatedly trying to gain access to your site. You just have to put a line of code of something like this –
deny from 18.104.22.168
This will simply deny that IP from accessing your site. You can also put a range.
You can also restrict access to certain files, by putting this code in your .htaccess file.
# the following prevents display of the hideimg file <files hideimg.jpg> order allow,deny deny from all </files>
The above code will deny access to the hideimg.jpg file.
You can also use the robots.txt file, to deny access to bots, crawlers from accessing important folders on your site like /wp-admin , /wp-content and files like /wp-login.php. etc. So if you see there is a surge in CPU resource usage or bandwidth, than you can better do this. But this also has a negative side. Sometimes, search engine crawlers like Google bots also will not be able to crawl your site, if you initiate this setting.
So you have to modify they code, to allow for Google and Bing bots to crawl the restricted folders.
This is the seventh best practice to prevent security weakness in your site. Since I’m using Wordfence plugin, I sometimes turn on the LiveTraffic button. Here I can see if there any bots trying to access my site. Here I’m astonished to find that, many hackers are using the xmlrpc.php file to gain access to our WordPress site.
Xmlrpc.php is an API provided by WordPress, so that plugin and other third-party developers can use it to integrate with our site. But this is wrongly used by some bad users. JetPack is one developer which uses it to integrate the functionalities of their plugin and modules.
So blocking has its own pros and cons. So if you really want to completely block access to it, keeping in mind the loss of functionality of certain plugins, you can add the following code in your .htaccess file at the top.
# START XML RPC BLOCKING <Files xmlrpc.php> Order Deny,Allow Deny from all </Files> # FINISH XML RPC BLOCKING
Now-a-days, many malicious users are trying to hack your site using brute-force attacks. They are trying with username credentials like “admin”, “<sitename>”, “www” etc. So if you cleverly use a username which doesn’t include the standard names, 50% of the protection can be done there itself.
If you can use a plugin like “Limit Login Attempts”, you can also prevent unauthorized users from making attempts to guess your username and password. The simple way is to block those users for an indefinite period of time.
Using a security plugin like Wordfence also has several advantages. It will list out the bots and other malware uses trying to gain access to your site. It will also list the IPs which are trying to do a brute-force attack. This is so easy because Wordfence is an intelligent algorithm method, by which it decides, which IP is trying to attack and blocks the IP. There are also other several settings in the plugin (free version), using which you can scan for vulnerabilities.
The above 7 wordpress security fixes can be helpful for beginners. You should audit your site from time and check your email, if anybody has logged into your site. This setting can be had using the options of Wordfence plugin. Using a firewall may be detrimental to performance sometimes and can cause false-positives, but at the same time gives you security hardening.
If you like my post, please discuss wordpress security in your social forums and comment in the section below.