Securing your WP site is not always a job left to expert system administrators. With a few new tools, combined with a friendly host, you can do it yourself and have a secure site without any outside assistance. Today I'm going to show you how to do just that with the fewest plugins possible. Following my own advice of "the fewer plugins the better", in today's article I'm going to use just one!
On your Hosting
The first step towards a secure site comes directly from your hosting account. If your site is not yet served over HTTPS with a valid certificate, now is the time. Installing a certificate is easy enough, and everyone should be able to do it from cPanel- or Plesk-based services without outside intervention.
Before enabling HTTPS inside WordPress we need a certificate installed for our domain. On cPanel this is a single button, and newer cPanel installations come with automated Let's Encrypt certificates, so as soon as your account is created a certificate is already issued for your domain.
If you're using Plesk, you can create a Let's Encrypt certificate from the main menu. Include the "www" hostname (and the mail hostname, if you use Plesk for mail) so that the certificate covers every name visitors and mail clients connect to; a certificate that covers only the bare domain produces browser warnings on www. Once the whole site is served over HTTPS, browsers refuse to run insecure (mixed) active content on it, and logins, session cookies and form data are no longer sent in the clear. This is the most recommended first step to secure your site.
Changing Permissions on Important Files
The second most important security rule is to limit file access to read-only on the following files in the WordPress root folder: wp-config.php (which holds your database credentials and the authentication salts), wp-settings.php and index.php.
This can easily be done in cPanel, Plesk and the vast majority of control panels by changing the permissions as follows:
The only one with any access to those specific files should be the owner, and even the owner needs only read access (0400, or 0440 if the web server reads them through the owner's group). Group and "other" should have no permissions at all, because those files are read by WordPress alone. This closes one classic way in: on a shared host, any group- or world-writable file can be modified by another account or process on the same server. One caveat: if PHP runs as the file owner (the usual cPanel and Plesk setup), a compromised plugin running inside WordPress can still change the mode back, so treat this as one layer of defence rather than the whole of it.
If by any chance your site gets hacked or picks up a malicious worm, this is what it is going to look like.
A bad file permission or an outdated theme can do serious harm to your WordPress installation by allowing malicious code to be injected into your site. This is a classic example. Notice the @include surrounded by /*f2e34*/? That code is a "worm" that was injected into a WP site through writable files. Code like this can create a backdoor that lets anyone access your site, inject advertising, steal information and do any other kind of mischief. This is why manually changing the permissions on those important files is so essential.
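The two checks above (owner-only, read-only permissions on the critical files, and spotting the hex-comment-wrapped @include the screenshot shows) can be scripted. The following is an added example written for this article, not code from the plugin or from WordPress: it audits and hardens the three files and scans every .php file for the injection shape described. The sample site it builds is constructed in a temporary directory, the injected line is a made-up imitation of the pattern (the real path in such injections is usually written with octal escapes so that a simple grep misses it), and the 0400 target mode assumes PHP runs as the file owner, as it does on typical cPanel and Plesk accounts.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# The three files the article singles out in the WordPress root.
CRITICAL_FILES = ("wp-config.php", "wp-settings.php", "index.php")
# Owner read only, the article's rule. Assumes PHP runs as the account owner
# (typical cPanel/Plesk); use 0440 instead if the web server reads via the group.
TARGET_MODE = 0o400
# Any bit other than owner-read counts as a violation.
FORBIDDEN_BITS = stat.S_IRWXG | stat.S_IRWXO | stat.S_IWUSR | stat.S_IXUSR

# Shape of the injection described in the article: an @include wrapped in a
# hex-looking comment such as /*f2e34*/. Case-insensitive, path up to 200 bytes.
INJECTED_INCLUDE = re.compile(rb"/\*[0-9a-f]{4,}\*/\s*@include\s*[^;]{1,200};", re.I)


def audit_permissions(root):
    """Return {filename: octal mode} for critical files that are not owner-read-only."""
    root = Path(root)
    bad = {}
    for name in CRITICAL_FILES:
        path = root / name
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & FORBIDDEN_BITS:
            bad[name] = oct(mode)
    return bad


def harden_permissions(root):
    """chmod the critical files to TARGET_MODE; return the names that were changed."""
    root = Path(root)
    changed = []
    for name in CRITICAL_FILES:
        path = root / name
        if path.is_file() and stat.S_IMODE(path.stat().st_mode) != TARGET_MODE:
            os.chmod(path, TARGET_MODE)
            changed.append(name)
    return changed


def find_injected_includes(root):
    """Scan every .php file under root; return [(relative posix path, matched snippet)]."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.php")):
        for m in INJECTED_INCLUDE.finditer(path.read_bytes()):
            hits.append((path.relative_to(root).as_posix(), m.group(0).decode("latin-1")))
    return hits


def build_fixture():
    """Constructed sample site (not a real compromise) in a fresh temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    theme = root / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    # Constructed imitation of the injected line; the octal-escaped path is made up.
    injected = (b'<?php\n/*f2e34*/ @include "\\057tmp\\057.cache.ico"; /*f2e34*/\n'
                b"// ... rest of the legitimate file ...\n")
    files = {
        root / "wp-config.php": (b"<?php\ndefine('DB_NAME', 'example');\n", 0o644),
        root / "wp-settings.php": (b"<?php\n// clean file\n", 0o400),
        root / "index.php": (injected, 0o666),
        theme / "functions.php": (injected, 0o644),
    }
    for path, (content, mode) in files.items():
        path.write_bytes(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    site = build_fixture()
    print("permission violations:", audit_permissions(site))
    for rel, snippet in find_injected_includes(site):
        print(f"suspicious include in {rel}: {snippet}")
    print("hardened:", harden_permissions(site))
    print("after hardening:", audit_permissions(site))
```

Point `audit_permissions` and `find_injected_includes` at a real document root to use them on your own site; `harden_permissions` only touches the three named files, so a hit inside wp-content still has to be cleaned by hand, and a hit is a prompt to inspect the file, not proof of compromise on its own.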
On your WordPress
Now let's tweak our WordPress site to improve security even more.
Now that we have our SSL certificate we should change the site's addresses to https (both the WordPress Address and the Site Address under Settings > General).
Once our site has moved to https we can go ahead and install a security plugin. For this tutorial I selected one of the best, All In One WP Security & Firewall. It is a simple plugin that does not bury you in extra rules and does not add noticeable latency to your site.
The first thing we are going to do is limit logins to wp-admin by enabling Login Lockdown.
With this option turned on, an IP address gets a maximum of 5 failed login attempts before WordPress locks that specific IP out. You're free to tune these values to fit your needs, but these have proven the most secure so far.
The next tweak disables the server signature (so the web server's version is no longer advertised in response headers and error pages) and limits file uploads; protecting wp-config.php is something we already did at the hosting level.
A good technique to block login attempts is simply to move the login page somewhere else. This effectively removes the wp-login link from WordPress, so any automated login attempt gets a "page disabled" response. Put whatever slug you want and the plugin will disable the standard login page. Just be sure to write down what you chose before saving the settings, or you will lock yourself out! Keep in mind that a renamed login page is obscurity, not a lock: the new address still needs Login Lockdown and a strong password behind it.
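To make the Login Lockdown rule concrete, here is an added example (my own illustration, not the plugin's code) that replays web-server access-log lines for wp-login.php through a 5-failures-then-lock policy. It relies on a WordPress behaviour you can use for detection without the plugin: a successful POST to wp-login.php is answered with a 302 redirect to wp-admin, while a failed one re-renders the form with status 200. The 5-attempt limit is the article's setting; the 5-minute retry window, the 60-minute lockout and the log excerpt itself are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy values. 5 attempts is the article's Login Lockdown setting; the retry
# window and lockout length are assumptions made for this example.
MAX_ATTEMPTS = 5
RETRY_WINDOW = timedelta(minutes=5)
LOCKOUT_LENGTH = timedelta(minutes=60)

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


class LoginLockdown:
    """Per-IP failure counter with a sliding window and a timed lockout."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=RETRY_WINDOW, lockout=LOCKOUT_LENGTH):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> moment the lockout ends

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # lockout has expired, forget it
            del self.locked_until[ip]
            return False
        return True

    def attempt(self, ip, now, success):
        """Record one login attempt; return 'blocked', 'ok', 'locked' or 'failed'."""
        if self.is_locked(ip, now):
            return "blocked"                # refused before the password is even checked
        if success:
            self.failures.pop(ip, None)     # a good login resets the counter
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return "locked"                 # this failure tripped the lockdown
        return "failed"


def replay(log_lines, policy=None):
    """Replay POSTs to wp-login.php through the policy; return [(ip, verdict)].

    302 = WordPress redirected to wp-admin (login succeeded);
    200 = the login form was re-rendered (login failed).
    """
    policy = policy or LoginLockdown()
    results = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method != "POST" or not path.startswith("/wp-login.php"):
            continue                        # GETs of the form are not attempts
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        results.append((ip, policy.attempt(ip, when, success=(status == "302"))))
    return results


# Constructed access-log excerpt (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"',
    '198.51.100.4 - - [01/Mar/2024:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Mar/2024:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Mar/2024:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"',
    '198.51.100.4 - - [01/Mar/2024:10:00:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Mar/2024:10:00:31 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Mar/2024:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Mar/2024:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Mar/2024:11:00:35 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, verdict in replay(SAMPLE_LOG):
        print(f"{ip:<14} {verdict}")
```

Note the eighth line: the attacker's POST gets a 302 from the server, but the policy still reports it as blocked, because the decision is made on the IP's history, not on that one request. If you run this against your own logs and an IP keeps getting 200s in bursts, that is exactly the traffic Login Lockdown is there to stop.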
Now on to comment spam:
Enabling both options is almost essential to protect your site from spambots and all the intrusive advertising that gets in the way of a good blog experience.
Securing your DB is also good practice. Lots of automated attacks assume the default wp_ table prefix when they try to read or modify the database. Changing the prefix to something else adds an extra step for an automated attacker, though it will not stop a targeted one: once an attacker can run any query, the real prefix is easy to discover.
The objective with this plugin is to reach at least 100 points on its security strength meter. Don't forget to check that Login Lockdown, File Permissions and Basic Firewall are all enabled.
Further Security Advice
It is always suggested to use at least one letter, one number and one symbol, with a length of no fewer than 8 characters. If you refuse to improve your password strength, no security measure will be good enough. It is also recommended never to give your control panel access to anyone who offers to help, unless you really know that person or they are part of the hosting company you use. With a borrowed control panel login an attacker can do a lot of harm, and any advice given here will be rendered useless. Always store your WP and control panel passwords in a safe place.
Use complex passwords generated and stored by a password manager such as LastPass. This saves you time and improves your security because you no longer need to remember each password; it also removes the temptation to use addresses, your kids' names or your house number as passwords, which could prove to be the single most fatal flaw you make.
Always use a very complex database password of no fewer than 10 characters, composed of numbers, letters and symbols.
Always update your plugins and themes. Do not accept any theme that has gone a year without updates.
Older themes and plugins are the number one cause of successful attacks and malware injections. And last but not least, never use cracked or nulled themes, as those are the first candidates to have malware inserted. Nobody benefits from a hacked theme more than the person who nulled it, and most of them will go to great lengths to hide their shady practices and advertising links inside the theme. You'll have a nightmare on your hands, and most search engines may flag your site as malicious and severely penalize your ranking. If you care about your business and your customers, always buy legitimate themes for your sites.
The most basic security advice is to always use common sense.
Having a secure WP site is pretty straightforward and fairly easy if you follow these steps, and you'll be reducing the risk of infection and attacks by more than 90%. The vast majority of attacks come from having basic security disabled, from not having a certificate installed, or from simply allowing anyone to hammer your standard wp-login page. And last but not least, lots of attacks come from using outdated or nulled themes. Reduce the risks by implementing these steps and you'll have a pretty fun time working with WordPress without having to worry too much about its security.