Some systems are genuinely hard to break into, but most websites get hacked for a simpler reason: they are vulnerable because basic security measures were never taken.
In this post, we will discuss how to harden your WordPress website.
Related: A Beginner’s Guide To Hardening WordPress Security
Before you start
We’ve organized the list by ease of execution, so you can start at the top and work your way down. Start by installing MalCare and using its Site Hardening option. That is a big step in the right direction, and afterwards you can come back here for the remaining measures.
Pro-Tip: We recommend that you always back up your site before making any changes, even those that are security related. Better safe than sorry!
5 EASY ways to increase your WordPress security
Let’s start this list with the low-hanging fruit. If you make these basic adjustments, we’ll all feel good about our progress in securing WordPress.
Related: How To Make A Website Secure: Tips You Can’t Ignore
1. Set strong passwords
Passwords are the lowest-hanging of all the low-hanging fruit. That is exactly why they are so often neglected, and why they sit at the top of the list of things to do to secure a WordPress site.
Passwords are hard to remember, and the best practices are tedious: no reused passwords, no simple passwords, a mix of letters, numbers and symbols. The list is daunting, especially once you count how many services you use.
Attackers do not guess by hand. Brute-force tools work through dictionaries of common passwords and lists of credentials leaked from other sites, so a password that is short, common or reused will fall quickly. The practical answer is a password manager such as LastPass: let it generate a long random string of letters, numbers and symbols for each account, and let it remember them for you.
2. Require the use of strong passwords
Staying with passwords, the next item on your to-do list is enforcement.
If several people use your website, you must make sure each of them uses a strong password and changes it regularly. On a small team this can be done by hand; on a larger team it is better to have software enforce it for you.
WordPress warns you by default when you choose a weak password.
However, a user can override the warning by ticking the “Confirm use of weak password” checkbox, and a single weak administrator password leaves the whole site open to attack.
Plugins like Expire Passwords can force users to rotate their passwords by setting a maximum number of days before a password expires. Unfortunately, many of these plugins were last updated a very long time ago, so we would not suggest relying on them.
3. Implement permissions with least privilege
A WordPress site has six predefined roles: Super Admin, Administrator, Editor, Author, Contributor and Subscriber. Each role is a collection of permissions that allow it to perform particular tasks; these permissions are called capabilities. The full list of roles and capabilities is in the WordPress documentation.
Note: On a single site, Administrator is the most powerful role; on a multisite network, it is Super Admin.
For a single site you only need a small number of administrators. The rule of thumb is: as few administrators as possible, and every other user in the least powerful role that still lets them do their job. The reason is simple: every administrator account is a set of credentials that, if stolen, hands an attacker full control of the site.
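Roles are nothing more than bundles of capabilities, and you can define your own. The following is an added example, not code from this post or from MalCare: it registers a role one notch below Editor, strips the capability that lets an account post raw HTML and scripts, and adds a dashboard warning when more administrators exist than you intended. The role name content_manager, the function names and the ceiling of two administrators are assumptions; put the code in a small site-specific plugin.

```php
<?php
/**
 * Added example: a least-privilege role and an administrator head-count check.
 * Not part of this post or of MalCare. Ship it as a small site-specific plugin.
 * The role slug 'content_manager' and the limit of 2 administrators are assumptions.
 */

// A role that can do everything an Editor can, minus the capability that lets a
// compromised account inject arbitrary HTML/JavaScript into posts and pages.
function hardening_register_content_manager_role() {
    $editor = get_role( 'editor' );
    if ( ! $editor ) {
        return;
    }
    $caps = $editor->capabilities;      // Editor's capability map, e.g. [ 'edit_posts' => true, ... ]
    unset( $caps['unfiltered_html'] );  // on single sites Editors may post raw <script> by default
    add_role( 'content_manager', 'Content Manager', $caps ); // no-op if the role already exists
}
register_activation_hook( __FILE__, 'hardening_register_content_manager_role' );

// Roles are bundles of capabilities: always check the capability, never the role name.
function hardening_user_may_publish_but_not_install( $user_id ) {
    return user_can( $user_id, 'publish_posts' ) && ! user_can( $user_id, 'install_plugins' );
}

// List the accounts that hold the all-powerful role so you can prune them.
function hardening_list_administrators() {
    $admins = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'ID', 'user_login' ),
    ) );
    return wp_list_pluck( $admins, 'user_login', 'ID' ); // [ ID => login, ... ]
}

// Warn in the dashboard when more administrators exist than agreed.
function hardening_admin_count_notice() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $admins = hardening_list_administrators();
    if ( count( $admins ) > 2 ) { // assumption: two administrators is the agreed ceiling
        printf(
            '<div class="notice notice-warning"><p>%d administrator accounts found (%s). Demote the ones that do not need full control.</p></div>',
            count( $admins ),
            esc_html( implode( ', ', $admins ) )
        );
    }
}
add_action( 'admin_notices', 'hardening_admin_count_notice' );
```

Move day-to-day content staff into the new role from Users > All Users; anyone left as Administrator should be able to justify why they need to install plugins and manage users.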
4. Install SSL
SSL (more precisely its successor, TLS) encrypts the connection between the visitor’s browser and your server, so that data travelling in either direction cannot be read or tampered with on the way.
Apart from being a basic safety measure, Google expects websites to use it. Chrome marks any page served over plain HTTP as “Not Secure” in the address bar instead of showing the padlock that indicates HTTPS, and Google uses HTTPS as a ranking signal.
Installing a certificate used to be fiddly, but those days are over; most hosts will issue one for you. We have a complete guide to installing SSL and another on making sure every page is served over HTTPS.
Related: Why SSL Is Important For Website Security
5. Set up a WordPress security plugin
All the items in our list up to this point are hands-on changes you make to your website yourself. Rest assured they are easy steps that do not require much configuration or plugin setup.
The rest of this list is more involved. Many of the remaining measures are covered by MalCare’s Site Hardening feature.
You will save a lot of time by installing the plugin and applying those measures from its dashboard.
6 MEDIUM measures to harden WordPress
Each of the WordPress hardening measures in this section requires a plugin. We do not recommend installing plugins casually: plugins frequently contain vulnerabilities and are a common entry point for infections. Choose a well-maintained plugin for each of the following measures, and remove any you stop using.
1. 2-factor authentication
The login page is one of the most common ways attackers get into websites. They use brute-force attacks, in which bots try username and password combinations against the login form at high speed. Attackers also know that many people reuse the same username and password across the Internet, so credentials leaked in a breach of another site are simply replayed against yours (credential stuffing).
To protect yourself, set up two-factor authentication for every user, whether they are a super administrator, administrator, editor, author, contributor or subscriber.
Many services, Gmail for instance, offer two-step verification. The user provides their password and then a second code generated in real time, typically a one-time password from an authenticator app or sent to the registered phone number. Even an attacker who has guessed or stolen the password cannot log in to your WordPress dashboard without that second factor.
2. Limit login attempts
There is a reason why websites, especially banks, give users only a few attempts to enter their username and password correctly: after that you must use “forgot password” or you are locked out for a while. The login screen then shows a warning telling the user that further attempts are blocked.
That is important to stop brute-force attacks: an attacker who can only try a handful of passwords before being locked out cannot work through a dictionary.
WordPress allows an unlimited number of login attempts by default. Limiting attempts on your site raises security and makes sure attackers cannot try thousands of combinations. You can use three methods to limit login attempts on your website.
➢ Install a dedicated plugin such as Limit Login Attempts Reloaded, which locks out an IP address after a configurable number of failed attempts.
➢ Use a security plugin. If MalCare is already on your site, you automatically have protection against repeated failed logins.
➢ Add the code manually to your theme’s functions.php or, better, to a small site-specific plugin so it survives theme changes. You hook a WordPress action to count failed logins and a filter with a callback that rejects further attempts. This approach is technically demanding and risky: a mistake can lock everyone out, including you. If you are not comfortable with code, do not attempt it.
You can find the code for the third option and a more thorough explanation in our article on limiting login attempts.
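To make the third option concrete, here is an added example of such a limiter, written for this page and not taken from the post, from MalCare or from any plugin. It counts failed logins per IP address and username with transients, then rejects further attempts through the authenticate filter. The limits (5 attempts, a 15-minute lockout) and the function names are assumptions.

```php
<?php
// Added example, not taken from this post or from MalCare: a minimal login limiter built on
// WordPress hooks. Drop it into a site-specific plugin (or functions.php). The limits
// (5 attempts, 15-minute lockout) and the function names are assumptions.

define( 'HARDENING_MAX_ATTEMPTS', 5 );
define( 'HARDENING_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

// REMOTE_ADDR is what the web server saw. Do not trust X-Forwarded-For here unless you are
// behind a proxy you control; a client can set that header to anything and dodge the limit.
function hardening_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Key the counter on IP *and* username: one office behind NAT is not locked out by a single
// colleague's typo, while one IP hammering many usernames is still limited per name.
function hardening_attempt_key( $username ) {
    return 'hardening_login_' . md5( hardening_client_ip() . '|' . strtolower( (string) $username ) );
}

// Count every failed attempt. The transient expires after the lockout period, which gives a
// sliding window: attempts made during a lockout extend it.
function hardening_record_failed_login( $username ) {
    $key      = hardening_attempt_key( $username );
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, HARDENING_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'hardening_record_failed_login' );

// Reject the login once the limit is hit, even if the password is right this time.
// Priority 30 runs after core's username/password check (priority 20), so our WP_Error
// cannot be overwritten by a later successful password match.
function hardening_enforce_lockout( $user, $username, $password ) {
    if ( '' === (string) $username ) {
        return $user; // cookie-based authentication, nothing to count
    }
    $attempts = (int) get_transient( hardening_attempt_key( $username ) );
    if ( $attempts >= HARDENING_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed login attempts. Try again in %d minutes.',
                HARDENING_LOCKOUT_SECONDS / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'hardening_enforce_lockout', 30, 3 );

// A successful login clears the counter for that IP/username pair.
function hardening_clear_attempts( $user_login ) {
    delete_transient( hardening_attempt_key( $user_login ) );
}
add_action( 'wp_login', 'hardening_clear_attempts' );
```

Test it by entering a wrong password five times and then the correct one: the sixth attempt must fail with the lockout message. Because wp_login_failed fires inside wp_authenticate(), the counter also covers XML-RPC logins, a favourite brute-force channel; if you do not use XML-RPC, disable it anyway.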
3. Keep an audit log
While this isn’t a WordPress hardening measure as such, it is an essential security measure.
Install a plugin like WP Security Audit Log that records what happens on your website. That way you know what your users are doing and when, you can monitor what is happening on your site, and you can hold users accountable for their actions.
The plugin tracks logins and logouts, content and settings changes, file creations, modifications and deletions, plugin and theme updates, and so on. If you do get hacked, the activity log is how you find out what was changed and which account did it.
It can also notify you immediately when critical changes are made, and lets you log out or block any user with one click.
4. Automatic logout of inactive users
This is a feature mostly seen on banking sites and apps, which log you out after a period of inactivity. It protects an account when someone walks away from a logged-in browser, or when a session cookie is stolen: a session that is terminated quickly is worth much less to an attacker.
You can set this up with a plugin that offers an idle-session logout feature.
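If you would rather see how such a plugin works than install one, here is an added example written for this page (not code from the post or from MalCare). It logs a user out after a period of inactivity, tells them why on the login screen, and shortens the lifetime of the login cookie itself, without which the idle timer would be pointless. The 15-minute idle limit, the cookie lifetimes and the function names are assumptions.

```php
<?php
// Added example, not from the post or from MalCare: log out WordPress users after a period
// of inactivity and shorten the login cookie lifetime. The 15-minute idle limit and the
// cookie lifetimes are assumptions; tune them to your team. Put it in a site-specific plugin.

define( 'HARDENING_IDLE_LIMIT', 15 * MINUTE_IN_SECONDS );

function hardening_enforce_idle_logout() {
    // Skip anonymous visitors and background requests that must not be redirected.
    if ( ! is_user_logged_in() || wp_doing_ajax() || wp_doing_cron() ) {
        return;
    }
    $user_id = get_current_user_id();
    $last    = (int) get_user_meta( $user_id, 'hardening_last_seen', true );
    $now     = time();

    if ( $last && ( $now - $last ) > HARDENING_IDLE_LIMIT ) {
        wp_logout(); // clears the auth cookies and the current user
        wp_safe_redirect( add_query_arg( 'idle', '1', wp_login_url() ) );
        exit;
    }
    // Write the timestamp at most once a minute to avoid a DB write on every request.
    if ( ( $now - $last ) > MINUTE_IN_SECONDS ) {
        update_user_meta( $user_id, 'hardening_last_seen', $now );
    }
}
add_action( 'init', 'hardening_enforce_idle_logout' );

// Reset the idle clock on login, otherwise a stale timestamp from a previous session
// would log the user straight out again.
function hardening_reset_idle_clock( $user_login, $user ) {
    update_user_meta( $user->ID, 'hardening_last_seen', time() );
}
add_action( 'wp_login', 'hardening_reset_idle_clock', 10, 2 );

// Explain the logout on the login screen instead of leaving the user puzzled.
function hardening_idle_login_message( $message ) {
    if ( isset( $_GET['idle'] ) ) {
        $message .= '<p class="message">You were signed out after '
            . ( HARDENING_IDLE_LIMIT / MINUTE_IN_SECONDS ) . ' minutes of inactivity.</p>';
    }
    return $message;
}
add_filter( 'login_message', 'hardening_idle_login_message' );

// Idle logout only helps if the cookie itself does not live for days: the default is 2 days,
// or 14 days with "Remember Me". Cap it at 8 hours, or 1 day when "Remember Me" is ticked.
function hardening_cookie_lifetime( $expiration, $user_id, $remember ) {
    return $remember ? DAY_IN_SECONDS : 8 * HOUR_IN_SECONDS;
}
add_filter( 'auth_cookie_expiration', 'hardening_cookie_lifetime', 10, 3 );
```

The check runs on init so it covers the dashboard, the front end and REST requests alike; a stolen cookie stops working as soon as the legitimate user has been idle for the limit, or after eight hours at the latest.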
5. Set up alerts for suspicious WordPress logins
Attackers constantly find new ways around security features, so we need to stay vigilant. Set up alerts on your site so you learn about suspicious activity as soon as it happens.
For this you need a security plugin like MalCare, which scans your website regularly and warns you when it detects malware or suspicious changes.
6. Set up a web application firewall
A web application firewall (WAF) sits in front of your site and inspects incoming requests, blocking attackers before their requests reach WordPress. One of the ways it does that is by tracking the IP address, the numerical identifier of every device on the Internet, that each request comes from.
If an IP address is known for malicious activity, requests from it are flagged and blocked. A good WAF also blocks requests whose content matches known attack patterns, such as SQL injection or attempts to upload PHP files.
Setting up the firewall through a security plugin is the easiest way to get this protection. It is a strong layer, but it complements the other measures in this list rather than replacing them.
7 COMPLEX WordPress Hardening Methods
Now we come to the more complicated methods of hardening WordPress. The following measures require some programming or system-administration experience; mistakes can take the site down.
Proceed with some caution, and if you haven’t already, back up your site before you start.
1. Block PHP execution in untrusted folders
This is a bit technical, but let’s keep it as simple as possible.
PHP is the scripting language WordPress is written in. A PHP file is a program the web server executes when it is requested. Your WordPress installation consists of files and folders, but only some of those folders legitimately need to run PHP. Once attackers have a foothold on your site, a favourite trick is to drop a PHP file of their own, a backdoor, into a folder the web server can write to, typically wp-content/uploads, and then call it directly by URL.
To stop that, you can block the web server from executing PHP files in folders where no PHP should ever run. Even if the attacker manages to upload a backdoor, they can no longer trigger it.
To do this, perform the following steps:
Tampering with WordPress’s files and database tables is risky and can take down your website. It requires technical knowledge; if you are not sure what you are doing, get help from a professional.
1. Access your website’s files through cPanel > File Manager or, if you do not have cPanel, connect with an FTP/SFTP client like FileZilla using your FTP credentials.
2. Go to public_html (or wherever WordPress is installed). You will see three folders: wp-includes, wp-admin and wp-content.
3. Open wp-content/uploads and look for a .htaccess file inside that folder (it is a hidden file, so enable “show hidden files”). If there is none, create one with a text editor such as Notepad and save it as .htaccess. Do not put this rule in the .htaccess in public_html: there it would block WordPress itself.
4. Paste the following into that .htaccess file. It covers both the Apache 2.4 and the older Apache 2.2 syntax:
<Files "*.php">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
5. Repeat for wp-includes if you wish: WordPress loads the files there from its own code, not through the browser, so direct requests to them can be refused too. Test the site afterwards, including uploads and the dashboard.
This does not change file permissions; it tells Apache to refuse any HTTP request for a .php file in those directories, so an uploaded backdoor cannot be executed by calling it. It only works on Apache (or LiteSpeed) hosts that honour .htaccess; on nginx the equivalent rule must go in the server configuration. If all this is too technical for you, security plugins like MalCare can automate it.
2. Disable the file editor
If attackers get hold of an administrator account, they control your site. From the dashboard they can edit the code of your theme and plugins via the “Editor” option, which amounts to running arbitrary PHP on your server. Through this editor they plant backdoors, inject SEO spam (including the Japanese SEO spam variant), deface the website, redirect or spam your users, and so on.
The editors live under Appearance > Editor and Plugins > Plugin Editor.
To disable them, you need to edit your wp-config.php file. Use the file manager or FTP, as above, to reach the website’s files.
This step requires editing PHP and risks breaking your website if done wrong. If you don’t know what you’re doing, don’t attempt it even though it looks easy; use the “disable file editor” feature in MalCare instead.
If you want to proceed manually, here are the steps.
1. In your file manager, locate wp-config.php, right-click it and choose “Edit”.
2. Scroll down and find the line (older versions say “Happy blogging”):
/* That's all, stop editing! Happy publishing. */
3. Paste the following line above it:
define( 'DISALLOW_FILE_EDIT', true );
4. Save the changes and close the editor.
5. Return to your dashboard: the editor menu items are gone.
Note: If you do not have cPanel, download wp-config.php over (S)FTP, open it in any text editor, add the line, and upload the file back to the same location, overwriting the old one.
3. Change the security keys and salts
When you log in, WordPress sets authentication cookies so you do not have to re-enter your password on every page. Those cookies do not contain your password; they are tokens signed with the secret keys and salts defined in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their matching salts). Your password itself is stored in the database only as a salted hash.
Because the cookies are signed with secrets the attacker does not know, a stolen database dump or a guessed cookie format is useless for forging a session.
If attackers do get hold of your keys and salts, for example by reading wp-config.php through another vulnerability, they can forge valid cookies for any account, including administrators, without knowing a single password.
Changing the keys and salts therefore invalidates every existing session, yours included, and throws out anyone who was riding on a stolen or forged cookie. Generate a fresh set at https://api.wordpress.org/secret-key/1.1/salt/ and replace the eight define() lines in your wp-config.php with the generated ones, using the same file-manager or FTP method described above.
Again, this is a code change, so we only advise owners who are technically comfortable to do it by hand; a security plugin that does the job for you is the safer option.
4. Prohibit plugin installations
Before installing a plugin, a user should thoroughly check its compatibility and reputation. Users rarely do, and a careless install can cause all sorts of problems on your site, so it is often best to remove the possibility altogether.
You can disable plugin and theme installations and updates in two ways:
➢ Add a line to wp-config.php
Following the same method as in the previous section, add the line:
define( 'DISALLOW_FILE_MODS', true );
Note: This also disables automatic updates, including security updates, so you must remove or comment out the line whenever you want to update themes and plugins or install new ones, and remember to put it back afterwards.
➢ Use a security plugin
The easiest way to switch this setting on and off is a plugin. With MalCare, enabling or disabling it is a single click.
This is a drastic measure, but it is worthwhile if many users work on your website or you want to stop them installing plugins unnecessarily.
5. Protect your wp-config.php file
wp-config.php is one of the most critical files in your WordPress installation and a favourite target for attackers. It holds your database credentials and the security keys, and it is what makes a WordPress site work at all.
The previous sections already used wp-config.php to disable the file editor, rotate the security keys and block plugin installation. Two further measures protect the file itself.
➢ Hide wp-config.php
The first option is to move wp-config.php one directory up, out of the web root; WordPress looks there automatically when the file is missing from its own folder. This is not a security measure in the strict sense, it only makes the file harder for malware to find. It does not make the file impenetrable, so set your expectations accordingly.
Note: Developers disagree on whether moving the file is worthwhile. It may be ineffective in some cases, such as the vulnerability in Contact Form 7, because code that already runs inside WordPress can read the database constants wherever the file lives. Still, we like to make getting hacked as hard as possible.
➢ Deny access to wp-config.php
Denying access over HTTP is a more concrete measure, and if you do it you need not move the file. Open the .htaccess in your WordPress root and add the following at the very top:
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
Normally a request for wp-config.php just executes the file and returns an empty page, but if the PHP handler is ever misconfigured the file would be served as plain text, credentials included. This rule makes sure it is never served at all. There are a few more things you can do to protect wp-config.php; our dedicated article lists all of them so you can do them in one sitting.
6. Separate databases
If you run more than one website with separate WordPress installations, give each its own database and its own database user that has privileges only on that database. Then, if attackers get into one site, the others remain out of reach, at least in theory, since much depends on the other sites’ own security.
This is best done at installation time, but it can also be done later and is worth the effort. It requires some familiarity with MySQL and its user and privilege configuration.
7. Secure wp-admin
To take login security up a level, which you should, force logins and the dashboard to be transmitted only over SSL. First make sure SSL is installed and any mixed-content problems are fixed.
Then open the wp-config.php file you know well by now and add this line above the “stop editing” marker:
define( 'FORCE_SSL_ADMIN', true );
This looks trivial, but there is a reason it sits in the Complex section. Plugins sometimes misbehave over SSL, and SSL can be terminated in unusual places: when a load balancer or proxy terminates TLS and talks plain HTTP to your server, WordPress cannot tell that the request was secure, and FORCE_SSL_ADMIN sends it into an endless redirect loop unless you tell WordPress about the proxy.
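The following added example (not code from the post or from MalCare) gathers the wp-config.php constants from this section in one place and adds the proxy fix that makes FORCE_SSL_ADMIN safe behind a TLS-terminating load balancer. The proxy address 10.0.0.5 is an assumption; use the address of your own proxy, and never trust the forwarded header from arbitrary clients.

```php
<?php
// Added example, not from the post or from MalCare: the wp-config.php hardening constants from
// this section, plus the proxy handling that keeps FORCE_SSL_ADMIN from looping behind a
// TLS-terminating load balancer. The proxy address 10.0.0.5 is an assumption.
// Place all of this ABOVE the line "/* That's all, stop editing! Happy publishing. */".

// Only believe X-Forwarded-Proto when the request really came from your proxy. If any client
// could set it, it could claim "https" to skip the redirect; if you ignore it entirely while
// the proxy speaks plain HTTP to the server, FORCE_SSL_ADMIN redirects forever.
$hardening_trusted_proxies = array( '10.0.0.5' );
if ( isset( $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_X_FORWARDED_PROTO'] )
    && in_array( $_SERVER['REMOTE_ADDR'], $hardening_trusted_proxies, true )
    && 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
    $_SERVER['HTTPS'] = 'on'; // is_ssl() reads this, so WordPress now knows the request was secure
}

define( 'FORCE_SSL_ADMIN', true );     // wp-admin and wp-login.php only over HTTPS
define( 'DISALLOW_FILE_EDIT', true );  // removes the theme and plugin code editors
define( 'DISALLOW_FILE_MODS', true );  // also blocks installs and updates; comment out when updating
```

If your site is served directly over HTTPS without a proxy, leave the forwarded-header block out; the three constants alone are enough.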
➢ Using a WordPress security plugin
To do much of what we recommended above quickly, install MalCare.
Good WordPress security plugins combine the hardening measures you need with a web application firewall, bot protection and a malware scanner, so you spend less time on the technical details.
Not every plugin offers the same convenience, though. There are many to choose from; we recommend MalCare because it gets the job done in a few clicks.
Once the plugin is installed, your website is already protected. Here is how:
- It scans your website regularly and checks for suspicious activity.
- A proactive firewall blocks malicious traffic before it reaches your website.
- You get real-time alerts when malware is present on your website.
- 1-click malware cleanup.
Beyond those features, there are several levels of website hardening you can apply. These are optional, since not every site owner wants all of them; decide what to apply based on your needs.
Related: How To Secure Your WordPress Website Against Malware Infection
The three levels of website hardening you can apply are:
Basic
Block PHP execution in untrusted folders and disable the file editor. As mentioned earlier, these are steps every site should take.
Under normal circumstances you never touch WordPress files and folders directly; you operate the site through the wp-admin dashboard, and you never need the theme and plugin file editors. Disabling them closes doors that attackers would otherwise use.
Advanced
Block the installation of plugins and themes, so nobody can add new ones to the site. This is drastic and is appropriate if you suspect a hack or if too many people work on the website. When you need to install something, switch it off from the MalCare dashboard and back on afterwards.
Paranoia
WordPress sites are often run by a team, each member with their own login, which gives attackers more credentials to guess or steal. This level changes the security keys and salts and resets the passwords of all users, logging everyone out.
It is wise to rotate all keys and passwords periodically and essential to do so after an incident; with a large team this automates and speeds up the job. It is a crucial step to make sure you are not hacked again right after recovering from an attack.
You also get these security features for your website:
- Limited login attempts
- CAPTCHA-based login
- Alerts on unauthorized access
- An activity log showing file changes and updates on your website
- Inspection of every request to protect you from attacks such as brute force
It also blocks common WordPress threats such as SQL injection attacks and SEO spam, and stops your website being used in DDoS attacks.
A full-fledged WordPress security plugin is more than the sum of its parts: each measure on its own is only a partial defence, but together they form a strong barrier against malicious activity. Install MalCare now and rest assured you have done what you can to protect your website.
➢ For extra credit
While the following tips do not fall into the category of WordPress hardening, they are still best practices for security-conscious website administrators. We recommend implementing these measures once you’ve worked through the list above.
➢ Back up your website
The decidedly unglamorous entry on this list: backups. We know, because we build a best-in-class backup plugin for WordPress.
A bad scenario illustrates the value of a good backup best. Imagine you have invested months or years in building your website. It has customers, engaging content, advertising revenue and a good reputation. And poof, one day it is gone: a malware infection, a failing server at your host, any one of a million reasons. What would you give for a backup in that moment?
Backups are vital. It is just common sense.
➢ Keep your computer free of malware
Sometimes the obvious things get us. Whatever computer you manage your site from, and even the WiFi you use, affects the security of your website. There is no point hardening WordPress if a keylogger on your laptop has already handed your credentials to an attacker.
➢ Always keep everything up to date
Besides WordPress itself, keep your themes and plugins up to date. Vulnerabilities are found daily and plugin developers release patches for them; an unpatched plugin is one of the most common ways into a WordPress site.
If you do not use a plugin or theme, remove it rather than just deactivating it. You can always reinstall it later if you need it again.
On a side note, this is a strong argument for paid plugins: a paid plugin is usually actively maintained and has a support channel for your questions. An actively maintained plugin is an investment in security.
➢ Use SFTP
If you still use FTP to transfer files to your server, switch to SFTP. SFTP works the same way for moving files, but it runs over SSH: the data is encrypted in transit so it cannot be read on the way, and SSH authenticates both the client and the server, so you cannot be tricked into sending your credentials to an impostor. Plain FTP sends your username and password in clear text.
SFTP has become the new standard and is replacing FTP. The setup is almost identical, so there is no good reason to stick with the old protocol.
➢ Use a trusted web host
Most security articles, this one included, focus on what you can do as a website administrator. You can do a lot, and most breaches do start in the software installed on the site. That does not mean the server itself is invulnerable.
You can only do so much if your web host does not do its part to protect its servers. Servers are vulnerable to attacks too, and not only digital ones: are the servers in a physically secure location? Could an intruder get into the room and walk out with the data? These are essential considerations over which a website administrator has little influence.
So what can you do? Choose a trusted web host. A good host is transparent about its practices and lists the specific measures it takes to protect its servers. There are better places to cut corners; a cheap web host can be a very costly decision in the long run.
Conclusion
Malware removal is a tedious and difficult process in which missteps are costly. It should only be done by experts, and that is expensive. By that point you have already lost data, traffic, reputation and more.
So yes, take a preventive approach to security: install a good WordPress security plugin, then come back to this article and apply the hardening measures, and finally check your site for the common WordPress hardening mistakes.
If you want to make your website security more robust, you need to think about hardening. Hardening your website means adding layers of protection to reduce its attack surface. With website hardening, the Fix Hacked Site team can apply vulnerability-agnostic patches to any website.