WordPress security is taken very seriously by its development team. Security patches and upgrades are frequently released to help ensure WordPress keeps pace with an increasingly challenging online environment. As part of these efforts, WordPress runs a responsible disclosure program for vulnerabilities, so these issues are not left unaddressed.
Apart from the efforts of the WordPress development team, individual users should also take steps to minimize their security risks—often referred to as “hardening WordPress.” Several quick wins can secure your WordPress website, and we covered these easy-to-implement steps in a recent post, How to Keep WordPress Secure: The Basics.
Beyond the basic steps, there are also more advanced security techniques that can be employed to further secure your WordPress website, as well as important security dos and don’ts when managing a WordPress website.
Let’s dive in and take a look at a few of them.
SFTP – Connecting to Your Server
First, it’s crucial to ensure that when you connect to your web server, you do this using SFTP, which is similar to FTP except that your password and other data are encrypted as they travel between you and your server. FileZilla is an excellent file transfer application that supports several file transfer protocols, including SFTP. You can find out how to install and transfer files to your Linode using FileZilla here.
Brute Force Attack Prevention
Brute force attacks occur when an attacker repeatedly and systematically submits different usernames and passwords to try to gain access to a website. It’s important to note that brute force attacks are not unique to WordPress. Every web app is susceptible.
The first defense against these kinds of attacks is to make sure your password is secure. The ultimate aim of a brute force attack is to gain entry to your website. Choosing a hard-to-crack password was discussed in our previous article on securing WordPress, so we won’t go into more detail here. Suffice it to say, make sure your password is a good one. It’s also well worth enabling two-step authentication within your WordPress instance.
Next, use a plugin to limit the number of sequential login attempts to your site. A popular plugin is Limit Login Attempts Reloaded, which has more than 1 million downloads. It limits the number of login attempts that are possible through the normal login as well as XMLRPC, WooCommerce, and custom login pages.
Another option is to change the wp-admin login location. By default, all WordPress websites have their login pages located at /wp-admin (e.g., www.examplesite.com/wp-admin). Bots that carry out brute force attacks often immediately target this page. The WPS Hide Login plugin can help with this.
Before installing new and untested plugins, it’s always worth taking a backup of your site. Although most of the popular plugins won’t harm your website, there is always the possibility of an incompatibility. A backup gives you peace of mind that any damage done by an errant plugin can be reversed quickly and easily.
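To see what repeated login attempts look like from the server side, the following added example (not part of the original post) scans web server access log lines for bursts of POST requests to the login endpoints. It assumes the Apache combined log format, /wp-login.php and /xmlrpc.php as the endpoints, and an illustrative threshold of 5 attempts in 5 minutes; the log lines are constructed using documentation IP ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the start of an Apache combined-format access log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # assumed login endpoints


def find_bruteforce(lines, max_attempts=5, window=timedelta(minutes=5)):
    """Return {ip: peak POST count} for IPs exceeding max_attempts within window."""
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or not a credential submission
        if m["path"].split("?", 1)[0] not in LOGIN_PATHS:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) > max_attempts:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged


def _line(ip, hhmmss, path):
    return f'{ip} - - [12/Mar/2024:{hhmmss} +0000] "POST {path} HTTP/1.1" 200 1234'


# Constructed sample log, not real traffic.
SAMPLE_LOG = (
    [_line("203.0.113.7", f"10:00:{s:02d}", "/wp-login.php") for s in range(0, 40, 5)]  # 8 in 40 s
    + [_line("203.0.113.9", f"10:01:{s:02d}", "/xmlrpc.php") for s in range(0, 60, 10)]  # 6 in 1 min
    + [_line("192.0.2.10", f"10:{m:02d}:00", "/wp-login.php") for m in range(0, 60, 10)]  # 6 over 1 h
    + ['198.51.100.4 - - [12/Mar/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 900']
)

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs within 5 minutes")
```

The slow sender (192.0.2.10) and the single GET are not flagged, which is the same distinction a login-limiting plugin has to make.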
WordPress Admin HTTP Authentication
You can further lock down your WP Admin by adding basic HTTP Authentication. This process will require a user to enter a username and password before even reaching the WP Login page, which can help stop brute force bots in their tracks.
To do this, you’ll need to create a .htpasswd file. Try using a great free resource from Hosting Canada to do this. You’ll need to enter the username you’d like to use along with a password, select an encryption method from the dropdown box, and click ‘Generate Password’. A long text string gets generated. Copy and paste this into a new text file. Save this file simply as ‘.htpasswd’.
Next, log in to your server and head to your WordPress wp-admin folder. Open this up and in wp-admin create a new folder called ‘htpasswd’. Then upload your .htpasswd file that we created earlier into this folder. You must transfer your files using ‘ASCII’ mode only and not the ‘BINARY’ mode.
The final stage is to create a new file that contains the following:
    AuthName "Admins Only"
    AuthUserFile /home/public_html/wp-admin/htpasswd/.htpasswd
    AuthType basic
    Require user yourusername

    # Keep admin-ajax.php reachable without the HTTP Authentication prompt
    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>

You will need to update the AuthUserFile location with the full filesystem path of your .htpasswd file, and replace yourusername with the username you used for the .htpasswd file. Save this file as .htaccess and upload it to your wp-admin folder on your server, and that’s it. Next time you log in to your site at www.examplesite.com/wp-admin, you’ll be prompted for your username and password before the WordPress Admin login screen is shown.
Useful Tip: If you don’t know the full path of your .htpasswd file, a handy trick is to use a small PHP script:

    <?php echo "Absolute path: ", getcwd(); ?>

Create a file called testpath.php that contains this script, upload it to the htpasswd folder, and then visit its URL (e.g. www.example.com/wp-admin/htpasswd/testpath.php) to get the full file path to your .htpasswd file. Delete testpath.php once you have the path, since it reveals your server’s directory layout to anyone who requests it.
There are specific scripts included in your WordPress install that aren’t intended to be accessed directly. They do, however, offer hackers a possible route into your site. Because of this, it can be worth locking them down. You can block access to these files with mod_rewrite rules in the .htaccess file. To do this, add the following code to your .htaccess file (typically located in the document root of your WordPress site) outside the # BEGIN WordPress and # END WordPress tags; otherwise, WordPress may overwrite it:
    # Block the include-only files.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

    # BEGIN WordPress
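To check which requests this rule set actually refuses, and what the [S=3] flag does, here is an added example (not part of the original post) that models the five RewriteRule lines in Python and runs them over constructed request paths. It is a simplified model of mod_rewrite that handles only the F and S flags used above; the function names are hypothetical.

```python
import re

# The five RewriteRules from the block above, in order: (pattern, negated, flag).
# In .htaccess context with "RewriteBase /", patterns see the path without
# its leading slash, and a match anywhere in the path counts (like re.search).
RULES = [
    (r"^wp-admin/includes/", False, "F"),
    (r"^wp-includes/", True, "S=3"),  # "!pattern" fires when the path does NOT match
    (r"^wp-includes/[^/]+\.php$", False, "F"),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, "F"),
    (r"^wp-includes/theme-compat/", False, "F"),
]


def decide(url_path):
    """Return 403 if the rule set forbids url_path, else 200 (simplified model)."""
    path = url_path.lstrip("/")
    i = 0
    while i < len(RULES):
        pattern, negated, flag = RULES[i]
        matched = re.search(pattern, path) is not None
        if matched != negated:  # the rule fires
            if flag == "F":
                return 403  # [F] answers with 403 Forbidden
            if flag.startswith("S="):
                i += int(flag[2:])  # [S=n] skips the next n rules
        i += 1
    return 200


# Constructed request paths covering each rule and the skip branch.
SAMPLE_PATHS = [
    "/wp-admin/includes/file.php",
    "/wp-includes/version.php",
    "/wp-includes/js/tinymce/langs/wp-langs.php",
    "/wp-includes/theme-compat/header.php",
    "/wp-includes/js/jquery/jquery.js",
    "/wp-login.php",
]


def audit(paths=SAMPLE_PATHS):
    """Map each path to the status code the rule set would produce."""
    return {p: decide(p) for p in paths}


if __name__ == "__main__":
    for path, status in audit().items():
        print(status, path)
```

Requests outside wp-includes/ take the [S=3] shortcut past the last three rules, so ordinary pages and static assets are never evaluated against them.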
Disable File Editing
Many aspects of securing a WordPress website revolve around making life harder for a potential hacker. In the same way a burglar will look for a house on an unlit street with no alarm or security lights, a hacker prefers to target a website that lacks basic security features rather than one where the metaphorical windows and doors have been firmly bolted shut.
By default, WordPress allows admins to edit PHP files such as themes and plugins from within the Dashboard. Because this feature allows code execution, it’s an obvious target for a hacker. For most web developers, changes to code are made with a text editor like Sublime rather than from within the Dashboard. It makes sense to ‘bolt’ this particular WordPress window and, in doing so, remove another potential point of access for a hacker.
To do this, place this line of code in the wp-config.php file. This line removes the ‘edit_themes’, ‘edit_plugins’, and ‘edit_files’ capabilities of all users:
While this won’t prevent a hacker from uploading malicious files to your site, it will help stop some attacks in their tracks.
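The setting WordPress documents for removing these capabilities is the DISALLOW_FILE_EDIT constant, set with define('DISALLOW_FILE_EDIT', true); in wp-config.php. The following added example (not part of the original post) checks the text of a wp-config.php for an active, truthy definition; the sample file contents are constructed and the comment stripping is deliberately simplified.

```python
import re

# Matches define('DISALLOW_FILE_EDIT', <value>); and captures <value>.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*([^)]+?)\s*\)\s*;"""
)


def strip_php_comments(source):
    """Remove /* */ blocks and //, # line comments.

    Simplified: does not account for comment markers inside string literals.
    """
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.DOTALL)
    return re.sub(r"(?m)(//|#).*$", "", source)


def file_editing_disabled(wp_config_source):
    """True only if an uncommented, truthy DISALLOW_FILE_EDIT define is present."""
    code = strip_php_comments(wp_config_source)
    match = DEFINE_RE.search(code)  # the first define wins in PHP
    if not match:
        return False
    return match.group(1).strip().lower() in ("true", "1")


# Constructed wp-config.php fragments.
HARDENED = "<?php\ndefine( 'DISALLOW_FILE_EDIT', true );\n"
COMMENTED_OUT = "<?php\n// define('DISALLOW_FILE_EDIT', true);\n"
SET_TO_FALSE = "<?php\ndefine('DISALLOW_FILE_EDIT', false);\n"
MISSING = "<?php\ndefine('WP_DEBUG', false);\n"

if __name__ == "__main__":
    samples = {"hardened": HARDENED, "commented out": COMMENTED_OUT,
               "set to false": SET_TO_FALSE, "missing": MISSING}
    for name, text in samples.items():
        state = "disabled" if file_editing_disabled(text) else "ENABLED"
        print(f"{name}: Dashboard file editing {state}")
```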
Use a Firewall
A firewall is an excellent way of helping prevent an attacker from reaching your WordPress website. There are a couple of options:
A Firewall Plugin
Several good firewall plugins work by restricting access at the Apache server level before WordPress processes the request. Good examples are All In One WP Security & Firewall and WordFence. Both filter incoming requests to keep malicious traffic from reaching your WordPress install.
Plugins like WordFence filter traffic at the server level. An alternative approach is to intercept traffic on its way to your server, screen it, and then forward the request to your server, using a product like Cloudflare. This approach is popular because all you need to do is alter your DNS records to send traffic via an intermediary, with no changes to your server required.
WordPress security remains a popular topic. If all of this seems like hard work, then consider using a Managed WordPress host like Pressidium, which can do a lot of the heavy lifting for you. And finally, take regular backups of your website so you can sleep well at night with the knowledge that you can always restore your site.