WordPress is the most widely spread CMS system. It has numerous options for customization and great diversity of themes and plugins both free and premium. More than 74 million websites run on WordPress, making it the most popular Content Management System (CMS). Installing a WordPress website is rather easy, but not many users know how to properly secure their installation.
In this article we will discuss how to secure your wordpress installation without the use of plugins.
- 1 The reasons for your website being hacked fall in three main categories:
- 2 Steps for hardening your wordpress website security:
- 2.1 I. Using the correct file permissions
- 2.2 II. Editing wp-config.php
- 2.3 III. Hardening your wordpress security through the .htaccess file
- 2.3.1 1. Securing your wp-config.php file
- 2.3.2 2. Restricting access to your wordpress admin area to a specific IP
- 2.3.3 3. Blocking users by IP address
- 2.3.4 4. Blocking bad user agents and IP addresses
- 2.3.5 5. Securing your wp-includes directory
- 2.3.6 6. Disabling browser listing
- 2.3.7 7. Protecting the .htaccess file
- 3 IV. Always do a backup
- 4 V. Update your wordpress installation
The reasons for your website being hacked fall in three main categories:
- Insecure web server
- Poorly coded themes and plugins
- Bad login credentials
Insecure web server
The choice of a hosting provider is very important. Almost half of the hacking attempts are being caused by outdated and improperly configured web servers. It’s crucial to pick a reliable hosting provider that cares about security. You can choose from general hosting providers like Hostgator or you can go with more specialized ones for WordPress like Wpengine or Siteground. The web host is the foundation on which you are going to build your website and you want those foundations to be sturdy. You can choose from different hosting solutions like Shared hosting, VPS (Virtual private server) or Dedicated server. If you don’t know what is the difference between them you can check here.
Most entry level users prefer shared hosting because it’s more affordable (starting from 5$ a month) and goes with provided support. Even if your web host is properly configured and secured, being a shared web server makes it more vulnerable to security threats because your website is being hosted with many others. The corruption of one website may lead to the hacking of many others.
Users that have more advanced knowledge and are in need for more resources go with VPS or even with Dedicated servers. If properly configured, they can provide better security. On the down side they are more costly, especially the managed versions in which you get support and a control panel for controlling your websites.
Your choice of a web hosting provider has to be based on your needs for resources, security and support.
Poorly coded themes and plugins
The choice of a good theme is also very important. Always pick the theme that best suits your needs. This way you won’t be going to need to install additional plugins, making your website more secure and light. The use of many plugins leads to more possibilities for your website being hacked – the less the better. Apart from that, always download your themes from reputable developers known for their good coding skills! This way you can be sure that your website is properly protected.
If you have a bad theme or a bad plugin which makes your website vulnerable to hackers, no matter how well your webserver or website is being secured, you are going to be hacked.
Most of the times your website will be injected with a script that turns your website and server into a Spammy Email Sender, thus possibly leading to your webserver being blacklisted. This is very frustrating because all the Emails send from a blacklisted server go to the spam folder.
Bad login credentials
You’ll be surprised how many people use passwords like: password, 123456789, 987654321 etc. Always pick passwords that consist of upper and lowercase letters and digits and avoid dictionary words.
When you choose your username never go for the default admin-a person or an automated attack will always first go for the admin username.
Steps for hardening your wordpress website security:
I. Using the correct file permissions
Using your ftp client you have to make sure your wordpress folders are set to 755 or 750 and your files to 644 or 640. Your wp-config.php file needs to have 600 permissions. Giving a folder or a file a higher value can lead to potential security threat.
II. Editing wp-config.php
In order for you to install a wordpress website you need to edit the wp-config.php file. This file is very important for the security of your website. It holds information about your wordpress user and database. With it you can also secure your wordpress website.
The first step is to generate your salt keys. Salt keys improve the encryption of the information that is stored in the user’s cookies and also make your passwords harder to crack so don’t be lazy and just do it.
Follow this link and generate your salt keys https://api.wordpress.org/secret-key/1.1/salt/
The default table prefix for wordpress is wp_. You should change it to something different. This way no one can guess it easily.
This will work only on a newly installed wordpress website. If you want to change the table prefix on an existing wordpress website you have to access your database through phpMyAdmin.
Once you get there, you’ll have to run this SQL script.
Next you need to update your usermeta and options tables:
Don’t forget to check whether you’ve changed your database prefix in wp-config.php. Otherwise wordpress will attempt to make another installation.
Deactivating wordpress plugin and theme editor
It’s a good idea to deactivate your inbuilt wordpress editor. If someone manages to get into your dashboard, you don’t want him to be able to change files.
Add this code in your wp-config.php
If you are a security freak you can also disable the ability for a user to update and upload plugins and themes through the wordpress dashboard. In order to do this add:
III. Hardening your wordpress security through the .htaccess file
By using the .htaccess you can change the way your webserver operates. Through it you can configure your pretty permalinks. It is also the main tool for hardening your wordpress security. Most of the wordpress security plugins use the .htaccess file to do their job.
If you can’t find the .htaccess file through your ftp client you have to make sure that the option for seeing hidden files is enabled.
When editing your .htaccess file it’s a good idea to make a backup first. Also, don’t forget to add the code snippets OUTSIDE the WordPress #BEGIN and #END tags. Otherwise your code can be changed by WordPress itself.
1. Securing your wp-config.php file
As stated above your wordpress wp-config.php file is very important. So securing it is a good idea. In order to achieve this add the following code:
2. Restricting access to your wordpress admin area to a specific IP
This is an excellent way to secure your wordpress website. By doing this you can control from where and by whom your wordpress admin area can be accessed. You can add as many IP addresses as you like. In order to do this you have to create a new .htaccess file and put it into the wp-admin folder. Edit the .htaccess file and insert this code. If you insert this code in your main .htaccess file in the root directory of your website your users won’t be able to access your website.
3. Blocking users by IP address
If you want to prevent a certain user from accessing your website you can block him by using his IP address:
4. Blocking bad user agents and IP addresses
You want to block these users form accessing your website. They are proved to be spammy and malicious. Put this code into your .htaccess file.
Those Blacklists are created by Jeff Starr – you can check his work on https://perishablepress.com/
5. Securing your wp-includes directory
The wp-includes folder contains some important files and It is a good idea to secure them:
6. Disabling browser listing
You don’t want malicious users to be able to see your folders and files structure. Because of that you have to disable it. You can achieve this by using the following code in your .htaccess file:
7. Protecting the .htaccess file
The last thing we need to do is to protect our .htaccess file:
Another way for you to add extra security to your website is to hide your login page. By doing this you secure your website from Brute force attacks. You can do it with the help of some wordpress plugins. This article can give you additional information on this topic.
IV. Always do a backup
No matter how secured you wordpress website is, you have to remember that bad things can happen. By using these techniques you minimize the chance for your website to be compromised to a large degree. However, there is always a chance for something to go wrong. So the best advice I can give you is to always make a full backup of your website and database. This way in case your website gets compromised you can bring it back to normal. Don’t rely solely on your Hosting company for doing your backups. There are some great plugins out there like UpdraftPlus Backup that allow you to back up your website to Google Dropbox, Google Drive , Amazon Cloud Drive etc. You can also backup it by using FTP to anywhere you want.
V. Update your wordpress installation
Don’t forget to always keep your installation to the last available version. This way your website will be more secured. It’s a good idea to make a backup before you update your wordpress website, especially if it’s a major update.
Following these steps will harden your wordpress website by making it more resilient to hacking attempts. Always use unique usernames and passwords, be mindful from where you access your website (it’s a bad idea to access it through unprotected public networks) and always make a full backup of your website.
If you have some insights on this topic feel free to share them in the comments field below.