Because it is so popular, WordPress is probably the most targeted web application for hackers to attack. This post is intended to provide some basic steps that you can take to protect your site. Let’s step through all the things you should do or be aware of.
By default, WordPress has ‘standard’ folder and file naming, making it really easy to spot that your site is using WordPress. Hide My WP changes these. Unfortunately, not all plugins follow the ‘WordPress rules’ when naming things, and so Hide My WP might break parts of your site, and for this it has some pre-built compatibility modes that you can import. The more plugins that you have, the more likely it will be that you will need to use one of these compatibility modes. Fortunately, plugin writers frequently update their plugins, and I have seen quite a few that have been re-written to avoid this issue. You can only purchase Hide My WP from CodeCanyon, but the cost, at US$22 is very reasonable.
After you have purchased, downloaded and installed Hide My WP, in your admin screen left menu, go to Settings => Hide My WP => Start. You will want to enter your purchase code here, and then select one of the Import Options. The one I found best for me was the ‘Medium Privacy – More Compatibility (Recommended)’ setting. Save that page, and then go to the next tab; General Settings. The very first option is to do with your Error 404 page. This subject merits its own blog post, so read about the Error 404 page here. PLEASE set this option, as it is most important.
The next important option to focus on here is the ‘Hide Login Page’ option. Most brute force attacks on WordPress sites start with the login page, and attackers know it is called wp-login.php. With this option, a login request must also carry a parameter, or else a 404 error is thrown, hopefully convincing the attacking program that this is not a WordPress site. If you are going to use this option, you should really rename the parameter name and value, but be sure to make a secure note of what you set them to! Frankly, I think this option is of limited value. The plugin itself even suggests an alternative plugin to rename the login page, called Theme My Login. I use one called Rename wp-login.php, but this is no longer maintained. You might also want to set the minify setting here, unless you have a plugin for this purpose, and also the email options.
On the Permalinks & URLs tab, make sure that you are happy with the renaming of the folders – you can give them any valid name as long as it is still meaningful to search engines! There are a lot more options, but I have left most where they are for now, including the minify option (set at Safe minify) and the Anti-Spam system (enabled). The final tab is the PHP IDS (Intrusion Detection System). Again, for now, leave the options as they are, with the Enable IDS on to monitor and set to frontend. If you want to explore the options further, I suggest reading the documentation.
WordPress Security and Firewall
There are two main (popular) plugins available:
- All In One WP Security & Firewall, which has over 600,000 downloads to date, and is entirely free.
- Wordfence Security, which has over 4,200,000 downloads to date. It has a free and a ‘premium’ version.
I am going to focus on Wordfence Security Premium. If you buy the annual license, it will cost US$39 per year. But you can buy as many license API Keys as you want, and each lasts a year. So, to get 3 years’ coverage, it adds only US$40 for the additional 2 years, or an average of just over US$26 per annum. The license API Key is valid from when you first use it, so you can start the clock ticking whenever you want. Other than the daily scan (and the alert emails it generates) and the regular email newsletter, the two features I use most are the IP Blocking and the Advanced Blocking. At the moment I get IP numbers to block from two sources: spam contact emails (using the contact form on the site; I get very few of those as there is spam filtering on it anyway) and Intrusion Detection Alerts (I discussed these in the previous section on Hide My WP). Did you know that worldwide, Wordfence typically blocks nearly 20,000 login hacking attempts per minute? They have a live map on their homepage where you can see this. Most options you can leave at the default setting, unless you notice a problem. The Wordfence documentation can be found here.
Another hacking method is to send a URL request with a ‘bad query’ attached. A really simple solution exists for this, and it is free: install the Block Bad Queries plugin. No settings are needed.
Every person I know hates doing these, because, for 99% of the time, you never need them. And then it all goes wrong. The hours, days and weeks it takes to recover, if indeed you can, are very painful. There are quite a few options, but it boils down to either doing it manually (you WILL forget) or an automated option. I will look at automated options. Some are partial services and some full. The partial services tend to only back parts of your site up and often any recovery has to be done manually. Full service options do full backups and have a recovery system or service. Take it from someone who has had to recover websites, this latter type is the only type to use.
If you have a big site and cost is not an issue, then there is no doubt that VaultPress is the best choice. The best free plugin is probably WP-DB-Backup, but it only backs up your database. Most of the other ‘free’ plugins are limited in their free form and require you to pay for the ‘pro’ or ‘premium’ versions. Despite its slightly harder-to-follow options, my preference is for Updraft Plus Premium, which, at the time I purchased it, cost US$5 per month for the first year and US$3 per month thereafter, but now costs 17% more. Notice that the license applies to sites that you own. You cannot, for example, take the developer version, which has a license to install it on unlimited domains, and install it on a site you develop for someone else.
If you have a site that does not need a publicly accessible login page, where any member can be emailed the login page url, you may wish to rename the login page. I discussed this above when looking at Hide My WP. It is of no use if you have a shop where users have accounts, or for general social use, such as a forum. Renaming the login page still has its uses, as leaving it at the WordPress default is making it easier for a hacker, which is why I use Rename wp-login.php, but sadly the author is no longer supporting it, so I shall have to look further afield for an alternative. I could not find a direct replacement on the WordPress.org plugin repository or on CodeCanyon.
An alternative is to use login widgets, as these do not need to access the login page. It is a great shame that the WordPress core developers have not really focused on user login and user profiles in an attempt to standardize the use of them. There are many plugins available to handle this, and the decent ones all seem to be paid for premium plugins, mostly on CodeCanyon. Sadly, so far none of them support the Google authenticator plugins (see the next section for more detail on this).
The standard login page in WordPress used to throw errors back at the hacker as they tried to log in, giving them a clue as to what was wrong: the username or the password. This is now disabled in WordPress by default. The only error it now throws is that the username and password combination was wrong, or that one or both were missing. No need to edit your functions.php file to fix what was a security hole in WordPress; they fixed it!
Two Factor Authentication
Two factor authentication has been available in Joomla! core for nearly a year. It is possible in WordPress, but highly problematic, as it is not a core feature, nor is it likely to be any time soon, as requests to add it to the core have been firmly rejected. Install the Google Authenticator and the Per User prompt plugins and use them for administrator accounts. What this extra security feature does is allow a user to set a second access key on their account. The first key is their normal password; the second is a time-limited code, which the user needs a smartphone to generate. Even if a hacker has the user name and password, they cannot access the account without the user’s smartphone, and as the codes change every thirty seconds, it makes hacking much harder to do.
But, until the WordPress core developers make 2FA a core feature (where either the user can opt in to 2FA, or the site admin can force its use), it will never be of much practical use. A shame really, but there it is.
When a user registers or asks for a password reset, by default WordPress sends the new password to the user by unencrypted email. How stupid is that? Better to have the user set their own password, with a plugin to force a strong password (one that is hard to hack), and where the password reset request is subject to checks.
Encryption, https and SSL
If you aren’t a novice to the workings of the virtual world, SSL would most definitely ring a bell. It deals with encryption, and that’s how it protects your website against hacking attacks. Only authorized personnel have the key to decrypt the traffic, and that’s how unauthorized parties are kept at bay. Now, that was about the external tools that can be leveraged to keep hackers at arm’s length from your website. But you do not always have to rely on plugins. There are several modifications you can make to the core architecture of your website in order to lend it a more robust structure.
Keeping directory listing, wp-config and .htaccess safe
By default, a visitor can see the directory listing of any of your folders by simply guessing the folder name and adding it to your site URL. One way to stop this is to add an empty file called index.html to every folder, but that is time consuming and you might miss a folder. Also, your wp-config file has confidential data in it and your .htaccess has user control commands in it. So why not secure all three? Edit your site’s .htaccess file and add these 3 blocks of code (make sure that you haven’t already got them, as there is no need to duplicate them):
Restrict access to wp-config:
# refuse every direct HTTP request for wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Restrict access to .htaccess:
# refuse every direct HTTP request for the .htaccess file itself
<Files .htaccess>
order allow,deny
deny from all
</Files>
Prevent viewing of folders:
# directory browsing: stop Apache generating an index for folders without an index file
Options All -Indexes
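Since the post asks you to check that the three blocks are not already present before adding them, here is an added example (not code from the post) that audits an .htaccess file and reports which of the three protections are missing. The function names and the sample .htaccess are mine: the sample is constructed to contain the usual WordPress rewrite block and only the wp-config.php protection. It goes slightly beyond the post in that it also recognises the Apache 2.4 `Require all denied` form as equivalent to `deny from all`.

```python
import re

# Constructed sample .htaccess: the standard WordPress rewrite block plus
# only the wp-config.php protection, so the audit has something to report.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

<Files wp-config.php>
order allow,deny
deny from all
</Files>
"""

# <Files name> ... </Files> containers; the name may be quoted. Regex-style
# containers such as <Files ~ "..."> are deliberately not matched: they are
# reported as missing so that a human reviews them.
FILES_BLOCK = re.compile(r'<Files\s+"?([^\s">~]+)"?\s*>(.*?)</Files>',
                         re.IGNORECASE | re.DOTALL)
# Apache 2.2 "deny from all" or its Apache 2.4 equivalent "Require all denied".
DENY_LINE = re.compile(r"^(deny\s+from\s+all|require\s+all\s+denied)$", re.IGNORECASE)
# An Options line that removes Indexes, e.g. "Options All -Indexes" or "Options -Indexes".
OPTIONS_NO_INDEXES = re.compile(r"^options\b.*\s-indexes\b", re.IGNORECASE)


def _directives(text: str):
    """Yield non-empty directive lines, skipping Apache comment lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def audit_htaccess(text: str) -> dict:
    """Report which of the three protections from the post are present."""
    status = {"wp-config.php": False, ".htaccess": False, "directory_listing": False}
    for name, body in FILES_BLOCK.findall(text):
        key = name.lower()
        if key in status and any(DENY_LINE.match(line) for line in _directives(body)):
            status[key] = True
    if any(OPTIONS_NO_INDEXES.match(line) for line in _directives(text)):
        status["directory_listing"] = True
    return status


def missing_protections(text: str) -> list:
    """Names of the protections that still need to be added."""
    return [name for name, present in audit_htaccess(text).items() if not present]


if __name__ == "__main__":
    # Run against a real file with: open(".htaccess").read()
    for name in missing_protections(SAMPLE_HTACCESS):
        print("missing:", name)
```

The audit only confirms that the directives are written down; it does not prove the server honours them (for example, `AllowOverride` may be switched off for the site), so after editing, request `/wp-config.php` and a plugin folder in a browser and confirm you get an error page rather than the file or a listing.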
- Don’t be a hoarder. Delete unused plugins and themes.
- Don’t use old plugins or themes that are ‘out-of-date’. If a plugin writer stops supporting a plugin on the free WordPress.org plugin repository, it is not unusual for it to be taken over and issued under a new name by another author, or it will suddenly disappear altogether.
- Don’t use plugins or themes (or any other software) that should be paid for but have been hacked or torrented. It is illegal and most likely to contain malicious code.
More later … I am going to stop here. I have just purchased UserPro from CodeCanyon, so I will give that a thorough test and see if it answers the many questions in this article.