Ultimate WordPress Security Guide – Have a 100% Secured Website

This article is written for everyone who is dealing with WordPress security for the first time, or rather for everyone who wants to find out what it means and what it takes to protect a WordPress site. It gives you basic guidance on what you need to think about when it comes to the security of your site. So let’s go.

Contents:
- Introduction
- Security of your computer
- Computer network security
- Hosting security (server)
- Protecting WordPress site
- Backup
- WordPress updates, plugins and themes
- WordPress Security Plugins
- Additional plugins for even higher levels of protection
- What else to think about (advanced settings)

Introduction

The security of a WP site is a very complex thing, and it is important to approach it as seriously as possible. It is not only a matter of whether the site itself is protected or not; there are other factors that affect the security of the site:

- Security of your computer – This refers primarily to the health of your operating system. Is it infected with viruses or malware? Do you use secure passwords?
- Security of the computer network from which you access the blog or site – What happens within your home or work network affects the security of the site.
- Security of your hosting account – It is very important that you host your site on a secure server. If your hosting provider does not take the security of the server seriously, compromising any site on that server can endanger your site.
- Protecting the WordPress website – It is critical that your site itself is well protected. We will pay special attention to this in this article.

All of the above is important. A single “leak” is enough to compromise your security, so it is crucial that you take this very seriously.
Security of your computer

As we said above, for your site to be safe it is very important that your personal computer is also well protected and completely clean. And here is why.

Let’s be real: most of us use our business computers for some personal things, for example watching movies, using social networks, and many other things. The more you use your computer for these other purposes, the greater the risk that sooner or later you will be infected by some computer virus or something even worse. And when that finally happens, all of your credentials and business correspondence, like all your other data (personal and business), are in the hands of those who can easily abuse your computer, and therefore your website. They do this through computer viruses or Trojans, and more and more often through malware that you sometimes install on your computer yourself. Just hope that nobody installs a keylogger that records everything you type on the keyboard, or ransomware (a “crypto-locker”) that “locks” all of your data and uploads it to the Internet. If this happens, they then ask you for sums of money to get it back.

To prevent this, I advise you to:

- Use your work computer only for work.
- Make sure your computer is clean, i.e. that there are no viruses, malware or any other malicious scripts and code. Scan it with your antivirus and anti-malware software. Many antivirus products work very well nowadays, but they are far from providing complete protection; even today, the ideal antivirus does not exist.
- Do not install any suspicious programs or tools, especially not cracked ones. Use only trusted and verified tools. Uninstall everything you do not use!
- Update your operating system, web browser, antivirus, anti-malware, programs, etc.
- It is desirable, but not necessary, to use Linux instead of Windows. Nowadays Linux operating systems provide a modern and great-looking graphical interface like the one you already have on Windows.
Also, they are completely safe from viruses and malware. There is almost no possibility of compromising Linux in the way that happens very often on Windows.

Computer network security

It is not enough just to keep your computer safe. It is very important that you access the website, as well as the rest of the Internet, from a secure computer network.

It would be a good idea for your computer, that is, the place from which you access your site and the hosting server, to have a separate, fixed public IP address. If your IP address is unique and never changes, you can use it to deny all other IP addresses access to your site’s administration. This is a good and recommended method of protection.

If this is not the case, then at least try to isolate your computer from the rest of your computer network, because virtually every computer on the network can affect your security. You can achieve this with the help of a firewall (software or hardware). If you go to the Internet with a shared IP address, i.e. an address also used by other users on your network, then you should know that all actions, as well as the status of any computer on the network, directly affect you, and vice versa.

Hosting security (server)

Are you hosting the website on a server of your own or on shared hosting? Are there other websites next to your site on that same server? Do you trust your hosting provider? Do you think they are professionals, and is the server well protected?

I ask all these questions for a very simple reason. Even if you have the best possible protection on the website, if the server on which you host it is unprotected, then that high-quality protection of the website is worth nothing. I have had experiences on some shared servers, where some of my clients kept their websites, of sites being hacked literally from other accounts. How does it work? Very simple.
A hacker “breaks” into any one of the sites on your server and then, by launching a special script, that one hack takes over all the other sites. So, it is very important where and how you host. It is best when each site is on a separate VPS, but this option requires a lot more knowledge and money.

Protecting WordPress site

And here is the main topic of this article: the protection of the WordPress site itself. So, what do you need to think about when it comes to site security? In short, how do you protect a WordPress site?

Checking the current status and health of the site

Before we get into what you have to do to protect the site, let’s first check whether it is already compromised. To check this, you need to scan the entire file system of your site. How do you do it?

There are plugins for WordPress that allow you to scan the entire file system. One of them is Wordfence with its Scan feature, which lets you scan with one click and get a report on whether there are malicious scripts and files on the site. Another plugin worth mentioning is Sucuri Security, whose Malware Scan option works in the same way as Wordfence, though it offers somewhat more transparent reports.

If you have access to your server and a server-side antivirus and anti-malware scanner is installed on it, you can also use that to check whether there are malicious scripts and files on your site. The most common case is that your hosting package (if it uses cPanel) has ClamAV installed, or even better Maldet. The latter has no graphical interface and is run from the terminal. If you are not sure whether you have these options, contact your hosting provider and ask them to install them and check your hosting package. In most cases, your provider will help you set up terminal access.

If you do not have direct access to your server (other than FTP), then it may be best to back up your entire account, download it, unpack it on your local machine, and scan it with your antivirus / anti-malware software.
In most cases, these programs recognize malicious web scripts.

If you know the WordPress structure inside and out and have a file manager installed within the hosting package, you can also manually check all the key locations within your CMS installation. Look for files that have been modified and whose date on the server differs from the other WP files, then compare them with the original files. If everything is okay, continue reading; if it is not, try to remove everything malicious that you have found on your site. If you are not sure how to do this, we advise you to hire an expert, because cleaning hacked sites is not at all a simple matter.

How much would it cost if an expert needs to fix this issue? It depends on how big the problem is and how big your database is. A general rule of thumb is: if the expert can find and remove all malicious code from the website within one day, it will cost around $700-$2000. If you have a somewhat larger database and plugins that have not been updated for a long time, this can be a serious problem and it will cost over $2000. It all depends on the condition of your hosting and database. I like to compare it to a car: if you don’t maintain your car, the longer you ignore an issue, the more it will cost you. And this is a very important, if not the most important, part of your website.

Backup

If you know that your website is 100% clean and fully functional, then it is a good time to make a backup of the entire site. I will not talk here in detail about how to back up, because that is not the subject of this article, but you should know that from time to time it is more than desirable to create and save a backup of the whole site. There are pretty good WordPress plugins that automate this process, but my recommendation is to back up through the administrative hosting panel.
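The manual check described above (looking for modified files and comparing them with the originals) and the backup step can be tied together with a small script. The following POSIX shell script is an added example, not code from the article or from any of the plugins it mentions: it records a SHA-256 manifest of the site’s files while they are known to be clean, so the manifest can be stored with the backup, and later reports files that were modified, added or removed. It also lists files changed in the last N days and any PHP files under wp-content/uploads, where only media belongs. The function names and the mini site tree in the demo are constructed for this example; it assumes sha256sum (or shasum) is installed and that file paths contain no whitespace.

```shell
#!/bin/sh
# Added example, not code from the article: build a checksum manifest of a
# WordPress tree at a known-clean moment and later report what changed.
# Assumes POSIX sh, find, awk, sort and sha256sum (shasum as fallback).

# Print "hash  path" for one file with whichever sha256 tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# make_manifest DIR: one "hash  ./relative/path" line per regular file.
# (Paths are assumed not to contain whitespace, which holds for a WP install.)
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do sha256_of "$f"; done )
}

# verify_manifest MANIFEST DIR: print MODIFIED/ADDED/REMOVED lines; return 1 if any.
verify_manifest() {
    current=$(mktemp)
    make_manifest "$2" > "$current"
    findings=$(awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }
                           { new[$2] = $1 }
        END {
            for (p in old) if (!(p in new)) print "REMOVED " p
            for (p in new) if (!(p in old)) print "ADDED " p
            for (p in new) if ((p in old) && old[p] != new[p]) print "MODIFIED " p
        }' "$1" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# recently_modified DIR DAYS: files whose mtime changed in the last DAYS days,
# i.e. the "date on the server differs from other WP files" check.
recently_modified() {
    find "$1" -type f -mtime "-$2"
}

# php_in_uploads DIR: PHP files under wp-content/uploads, where only media belongs.
php_in_uploads() {
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f -name '*.php'
}

# Demo on a constructed mini site tree (not a real installation).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site/wp-admin" "$tmp/site/wp-content/uploads"
    printf '<?php // index\n' > "$tmp/site/index.php"
    printf '<?php // admin\n' > "$tmp/site/wp-admin/admin.php"
    make_manifest "$tmp/site" > "$tmp/manifest"                     # taken while clean
    printf '// constructed: line appended after the manifest\n' >> "$tmp/site/index.php"
    printf '<?php // constructed: does not belong here\n' > "$tmp/site/wp-content/uploads/x.php"
    if verify_manifest "$tmp/manifest" "$tmp/site"; then
        echo "clean: no differences from the manifest"
    else
        echo "changes found (listed above)"
    fi
    echo "PHP files in uploads:"; php_in_uploads "$tmp/site"
    rm -rf "$tmp"
}
demo
```

Keep the manifest outside the web root, or with the backup, since a manifest an intruder can rewrite proves nothing. Core or plugin files that changed without you running an update, and PHP under uploads, are the findings to investigate first; the plugin scanners mentioned above do essentially the same comparison against the original WordPress and plugin sources.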
Here is a quick walkthrough of how you can do that:

Some hosting providers also provide the ability to automate the backup process (daily, weekly, or monthly), and this may be the best approach.

WordPress updates, plugins and themes

It is vital that you always have the latest version of WordPress, as well as of all the plugins and themes you use on the site. Outdated plugins and CMS versions are the most common cause of hacked sites. WordPress is actually a pretty secure CMS, but only when it is updated. There is no perfect program, so WordPress also has some flaws. Nevertheless, what matters, and what provides you with security, is the fact that it is updated and improved very often. Security is always in the foreground for the developer community that develops WordPress.

Updating WordPress and the plugins and themes you use is very easy. All you need to do is start the update, and the CMS does everything else on its own. But make sure that you first make a backup of the whole site before updating, because it is possible that a plugin or theme will have a compatibility issue with the new version of the CMS. If this happens, simply restore only the old version of that plugin; do not touch everything else.

Something very important about plugins and WP themes: do not use cracked versions! They are very dangerous, because you cannot know what is in them. And you cannot even update them, which means they are not safe on that side either. And finally, delete from the site all the add-ons or themes you do not use! There is no need to keep them on the website, because they are just a potential danger.

WordPress Security Plugins

Although WordPress is a fairly safe solution, it is more than advisable to enhance its security further, and this is achieved by installing and configuring security plugins.
Before we move on to the story itself, it is important to realize that when we talk about the degree of WordPress protection, we actually mean three different things: protection, monitoring, and scanning of content.

- Protection – An additional level of protection within the CMS. It is generally achieved in two different ways. The first is to turn certain options on or off relative to the standard WordPress installation. The other is by hardening the .htaccess files that are the foundation of today’s web servers.
- Monitoring – Monitoring is, in fact, a system for watching all processes that have to do with the functioning and operation of the website. It primarily comes down to who accesses which pages, i.e. files, and when, and then what changes are made to the complete CMS.
- Scanning content – We have already written about this, but let’s just sum up that story again. Scanning content involves “deep scanning” of all the files your site is made of, and then comparing them with the source files, i.e. the original version of the CMS and the plugins you use.

There are a number of different security plugins, but I will mention here only four that I think best combine the three above-mentioned protection levels: Sucuri Security, Wordfence, iThemes Security and BulletProof Security. All four of these plugins are pretty good, but before you go on, you should also keep in mind this:

- None of these plugins provides perfect protection, because perfect protection does not exist!
- These plugins are compatible with each other, but only if you use their different and separate functions individually. So, you cannot install them all, tick on all the possible options and still expect that everything will work normally. Because it will not!
- None of these plugins has all the options that the other plugins have, especially not for free.

What I have described here is valid for the day the article was published.
Security plugins are constantly changing, and it is quite possible that much will change along the way ahead of us.

You get incomparably better functionality only if you buy a premium version of these plugins. It is recommended that, in addition to one of these plugins, you also install additional plugins that complement specific functionality and offer an additional level of protection (you can read more about this at the bottom of the article).

I tested each of these plugins, and for that reason I can say that they are of very high quality and provide a good level of protection, even in the free version. But of course, I will not tell you to use this one or that one. This decision must be yours alone. Instead, I will try to reduce their functionality to a shorter form, and then, if you are interested in reading more about them, open an article that discusses security plugins in much more detail than I do here. Here is my summary:

- Sucuri Security – Sucuri is probably the highest-quality plugin of those mentioned here, but in the premium version. The free version provides a pretty good scanning module, as well as certain options for “curing” the site. It has a very logical user interface and is very easy to use. However, the best Sucuri options are locked for free users.
- iThemes Security – One of the most popular free plugins, which until recently provided a high level of protection completely free. Since it has been installed and used by an extremely large number of WordPress users, the latest releases have partly limited the available options. Its advantage is certainly a logical interface, but its flaw is a slightly worse scan module.
- Wordfence – Wordfence is a great plugin whose main advantage is the monitoring of the site itself. This plugin, of course, has all of the above-mentioned basic elements, but let’s say it is not that great in the part that relates to the hardening of .htaccess files.
It is relatively light and uses few system resources (provided you exclude some of the unnecessary options).
- BulletProof Security – Probably the smallest plugin in terms of system resources. It is great when it comes to hardening .htaccess files, though with a little more effort than the other plugins. What it lacks is certainly the set of additional settings, i.e. options that the other plugins have even in the free version.

In any case, it is EXTREMELY important that whichever of the listed plugins you install is set up correctly after installation. It is usually not difficult. In most cases, you will be offered “wizards” for the setup. After that, take a look at what the installed plugin is all about and search on Google if some of the options are unclear to you.

Additional plugins for even higher levels of protection

One of the biggest problems of all modern CMSs is spam comments. Fortunately, Akismet tackles this problem quite well. Akismet is actually a standard part of almost all WordPress installations. To activate it, you need to register to get a free and fully functional API key, which you then enter into the Akismet settings, and the system is immediately fully functional.

- Custom Login URL – It is good practice to hide wp-login, i.e. change the standard login address. This partially hides the identity of your CMS and also hinders brute-force attacks on the login. This plugin is very simple and in any case recommended.
- Duo Two-Factor Authentication – The Duo system provides two-step authentication. After typing the username and password, you need to authenticate additionally (via mobile phone or email). This prevents unauthorized use of your administration panel, even if someone has your login information. This degree of protection, that is, the Duo system, is used by many large companies: Cisco, Citrix, Microsoft, etc.
What else to think about – Advanced settings

The above-mentioned security plugins provide an additional level of protection, which includes turning certain options within WordPress on or off. However, as we wrote above, none of these plugins has all of these options. This is because they are considered lower-priority security settings. But that does not mean that these options are irrelevant. On the contrary! That is why we decided to list some of them here (to help you decide which of these plugins to use, or to look for an additional level of protection):

- Strong Passwords – Enforces the use of strong passwords when registering new users.
- User Blacklist – Allows banning certain users, as well as using an Internet blacklist database.
- 404 Detection – Detects access to non-existent files. This is important because bots usually probe and search for weak spots.
- Away mode – Locks the administration during a certain period of the day. For example, ban access to the administration from 0h to 6 am.
- Database Backups – Automatically backs up the entire database and sends it by email.
- File Change Detection – Scans files and finds modified ones.
- Directory Browsing – Bans browsing of the “internal” directories that make up the structure of WordPress.
- Long URL Strings – Prohibits the use of long URL strings, because these are usually used to insert malicious code into the database.
- Disable PHP in Uploads – Prohibits execution of PHP files from the uploads folder, because it should contain only the images you upload through the content section.
- Disable File Editor – Turns off the WordPress file editor. File editors are mostly used by malicious bots, which in turn change the structure of PHP files within your site.
- Disable XML-RPC – This feature is also used by malicious bots to take control of your site. If you do not use it, it is best to turn it off completely.
- Country Blocking – Hacker attacks usually come from certain countries. It is therefore recommended that you exclude access from countries from which you do not expect any visits.
- Rate Limiting Rules – A filter that takes certain actions (such as blocking or throttling) in case of unusual activity, e.g. a high frequency of 404s.
- Idle Session Logout – Logging in leaves a cookie that can be misused to take control of the site or your account. It is therefore advisable to use the automatic logout option from the administrative panel in case of inactivity.

Here are just a few “hardcore” tips that will interest only WordPress developers, but it is important to know them:

Permissions on folders and files

Another method of preventing hacker intrusion is to make sure the permissions on folders and files are set properly. Most hosting companies allow changing permissions. If this is not the case with your hosting, then regular FTP programs give the user the possibility to modify permissions. It is good practice to set permissions 644 on files and 755 on folders. This gives plugins and themes the access they need. If a certain permission causes a problem, it can be changed.

Change the table prefix

By default, the WordPress tables in the database use the prefix wp_. This is another piece of information that hackers know perfectly well. Tables in the database can be hidden, but only if the prefix is changed from the default to a unique one. This change can be made within the wp-config.php file, and is best done before installing WordPress. Changing already existing tables can be quite complicated.

Moving the wp-config.php file

Since WordPress version 2.6, users have had the ability to move the wp-config.php file. Moving the file can prevent hackers from finding it and making unwanted changes. The file can only be moved to the parent folder of the WordPress installation.
For example, if the file is installed in:

public_html/wordpress/wp-config.php

it can be moved to:

public_html/wp-config.php

WordPress is programmed to search only the parent directory. If the configuration file is moved to another location, an error will occur.

Locking through .htaccess

This method can be a bit difficult to set up, but it is very effective in suppressing hacker attacks. The goal is to specify the IP address or range of IP addresses that can access the site administration. To accomplish this, create a .htaccess file in the wp-admin directory. This file should contain the following:

```apache
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from all
# IP address to whitelist
Allow from xxx.xxx.xxx.xxx
```

You can define as many IP addresses as you want and, of course, easily change them. There is one downside to this method. If multiple computers from several different locations access the admin site, many IP addresses need to be listed. For users who need admin access from multiple locations, this can be a problem.

SSL encryption

WordPress users can enable SSL encryption for logins and for the administration part of their site. This is achieved by changing the wp-config.php file. The following lines should be added to the file:

```php
// Front-end login (FORCE_SSL_LOGIN has been deprecated since WordPress 4.0;
// FORCE_SSL_ADMIN below covers logins as well)
define('FORCE_SSL_LOGIN', true);
// Login to the admin part
define('FORCE_SSL_ADMIN', true);
```

If a user wants to use this option, it is necessary to make sure that the server on which the site is located supports SSL before enabling it.

As you can see, protecting WordPress sites is a very serious thing that is not easy to approach. My recommendation is to address the security of WordPress seriously. You never know where and when a hacker attack or some other type of abuse of your site could happen. That is why it is better to prevent everything possible; then you can sleep peacefully.
Because it is better to prevent the problem than to treat it.
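As a final added example (not the article’s own code), the following POSIX shell script automates two of the advanced settings above: it applies the 644/755 scheme from the “Permissions on folders and files” section and reports any entries that still deviate, and it generates the wp-admin/.htaccess allow-list from the “Locking through .htaccess” section. The allow-list uses the Apache 2.4 `Require ip` form rather than the Order/Deny/Allow directives shown above, which are Apache 2.2 syntax and need mod_access_compat on 2.4. Two choices of this example that the article does not make: admin-ajax.php is exempted, because themes and plugins call it for anonymous visitors, so locking it to your IP breaks front-end features; and the function names and the addresses in the demo (documentation-range samples) are constructed.

```shell
#!/bin/sh
# Added example (not from the article): enforce 644/755 on a WordPress tree,
# list entries that still deviate, and generate wp-admin/.htaccess with an
# IP allow-list in Apache 2.4 syntax. Assumes POSIX sh, find and chmod.

# fix_wp_perms DIR: 755 on every directory, 644 on every regular file.
fix_wp_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# list_bad_perms DIR: "file PATH" / "dir PATH" for entries not matching the scheme.
list_bad_perms() {
    find "$1" -type f ! -perm 644 -exec printf 'file %s\n' {} \;
    find "$1" -type d ! -perm 755 -exec printf 'dir %s\n' {} \;
}

# count_bad_perms DIR: number of deviating entries (0 means the scheme holds).
count_bad_perms() {
    list_bad_perms "$1" | wc -l | tr -d ' '
}

# write_admin_allowlist DIR IP...: restrict wp-admin to the given addresses or
# CIDR ranges. admin-ajax.php stays open because front-end code calls it.
write_admin_allowlist() {
    dir=$1; shift
    out="$dir/wp-admin/.htaccess"
    {
        printf '# Generated allow-list for the WordPress admin area (Apache 2.4)\n'
        printf '<Files "admin-ajax.php">\n    Require all granted\n</Files>\n'
        printf '<RequireAny>\n'
        for ip in "$@"; do printf '    Require ip %s\n' "$ip"; done
        printf '</RequireAny>\n'
    } > "$out"
    chmod 644 "$out"
}

# Demo on a constructed tree with sample (documentation-range) addresses.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site/wp-admin" "$tmp/site/wp-content/uploads"
    printf '<?php\n' > "$tmp/site/wp-config.php"
    chmod 666 "$tmp/site/wp-config.php"          # constructed: too permissive
    chmod 777 "$tmp/site/wp-content/uploads"     # constructed: world-writable
    echo "before: $(count_bad_perms "$tmp/site") deviating entries"
    fix_wp_perms "$tmp/site"
    echo "after:  $(count_bad_perms "$tmp/site") deviating entries"
    write_admin_allowlist "$tmp/site" 203.0.113.10 198.51.100.0/24
    cat "$tmp/site/wp-admin/.htaccess"
    rm -rf "$tmp"
}
demo
```

If the site sits behind a CDN or reverse proxy, the address Apache sees is the proxy’s, so `Require ip` only works once mod_remoteip is configured to take the client address from the proxy’s header; otherwise the allow-list either locks everyone out or lets everyone through. Run the permission check after every plugin or theme update as well, since installers sometimes leave directories writable for everyone.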