Important Security Update
No business is too small to be hacked. Having your WordPress site hacked is one of the most stressful experiences for any website owner. Securing your WordPress site should be at the very top of your priority list. While you cannot completely eliminate all security risks, you can certainly reduce them greatly.
In this post, I've shared some easily-executable tips that will greatly improve your WordPress site security.
Never Set File/Folder Permission to 777
Each file / folder on your server has 3 basic permission types:
- Read - can be viewed.
- Write - can be updated.
- Execute - can be run/executed.
Each file / folder on your server has three user groups:
1. User (owner)
2. Group (a collection of user accounts)
3. Others (everyone else).
You can assign permissions to each user group to control what they can actually do to your files/folders:
User Permissions - determine the actions the owner of the file can perform on the file/folder.
Group Permissions - determine the actions a user who belongs to the file's group (but is not the file's owner) can perform on the file/folder.
Other (world) Permissions - determine the actions all other users can perform on the file/folder.
The greatest amount of access you can grant to the files / folders on your web site is "777" where the user, group and others (public) have access to read, write and execute files.
If you set file/folder permission to 777 for whatever reason and then forget to change it back, it's like extending an invitation to the hackers to take control of your site.
Never set file/folder permission to 777.
The general rule of thumb for setting file/folder permissions is:
- 755 for Folders
- 644 for Files
If you want to change a file or folder permission, connect to your site over FTP, right-click the selected file or folder and click on "File Attributes". This brings up a "Change File Attributes" editor where you can update the permission.
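Clicking through every file in an FTP client does not scale, so as an added example (my own code, not part of the original post) here is a small Python script that audits a WordPress directory tree for the loose permissions described above and resets offenders to the 755/644 rule of thumb. It flags anything that grants group or others more than the recommended mode (a 777 folder or 666 file) but leaves tighter modes such as 600 alone. The sample tree it builds under a temp directory, and the file names in it, are constructed for the demo.

```python
import os
import stat
import tempfile

# The rule of thumb from the post: 755 for folders, 644 for files.
DIR_MODE = 0o755
FILE_MODE = 0o644


def mode_of(path):
    """Permission bits of `path` as an integer (e.g. 0o644), not following symlinks."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_permissions(root):
    """Walk `root` and return a sorted list of (relative_path, current_mode, recommended_mode)
    for every file or folder that grants group/others more than the recommended mode.
    A 777 folder or 666 file is flagged; a tighter mode such as 600 is not, because the
    concern here is excess access for other accounts on the server, not owner access."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(os.path.join(dirpath, d), DIR_MODE) for d in dirnames]
        entries += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
        for path, recommended in entries:
            if os.path.islink(path):
                continue  # never change permissions through a symlink
            current = mode_of(path)
            # Keep only the group/others bits (0o077) that the recommended mode does not grant.
            if current & 0o077 & ~recommended:
                findings.append((os.path.relpath(path, root), current, recommended))
    return sorted(findings)


def fix_permissions(root):
    """Reset every flagged path to its recommended mode; returns how many were changed."""
    flagged = audit_permissions(root)
    for rel, _current, recommended in flagged:
        os.chmod(os.path.join(root, rel), recommended)
    return len(flagged)


def build_sample_tree():
    """Constructed sample for the demo: a throwaway WordPress-like tree containing
    one 777 folder (wp-content/uploads) and one 666 file (wp-config.php)."""
    root = tempfile.mkdtemp(prefix="wp-perm-demo-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(uploads, 0o777)
    for name, mode in (("wp-config.php", 0o666), ("index.php", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel, current, recommended in audit_permissions(demo_root):
        print(f"{rel}: {current:o} -> recommended {recommended:o}")
    print(f"fixed {fix_permissions(demo_root)} path(s)")
```

Run it once in audit mode against your real document root before letting it chmod anything; some hosts (and some caching or upload plugins) legitimately need a writable directory, and those cases should be handled individually rather than blanket-reset.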
Disable File Edit from WordPress Dashboard
WordPress, by default, gives you the ability to edit theme and plugin files directly from within the WordPress control panel. However, if hackers gain access to your WordPress admin, they can use the file edit feature to add malicious code and cause a lot of damage to your site.
They can use it to add any code they want, without requiring FTP access.
So unless you regularly edit plugin and theme files directly from within WordPress dashboard, disable this option.
To disable file edit from WP dashboard, just add this to your wp-config.php:
// Hide the theme and plugin editors; put this above the /* That's all, stop editing! */ line
define('DISALLOW_FILE_EDIT', true);
Limit Login Attempts
Brute force attacks are one of the most common forms of attack. A computer program systematically tries various usernames and passwords over and over again until the right combination is found. It can easily crack commonly used usernames like ‘admin’ and passwords like ‘123456’.
The good news is...you can take simple steps to protect your site from such attacks.
There are plugins (e.g. Login Lockdown, Limit Login Attempts) that can limit login attempts, record the IP address and timestamp of every failed login attempt, and automatically block logins if more than a certain number of attempts are detected within a short period of time from the same IP range.
But instead of using a security plugin that is specific to login lockdown, we strongly recommend the use of a comprehensive security plugin like Wordfence Security that can not just lock down your login page but do a lot more to protect your website. More on Wordfence later in this post.
Stop Brute Force Attack - Hide your WordPress Login Page
To prevent a brute force attack, the 3 key pieces of information that you need to protect are:
1. Your WordPress login URL
2. Your WordPress admin username
3. Your WordPress admin password
To reach your WordPress admin dashboard, all a hacker has to do is append /wp-login.php or /wp-admin to the URL of your site. That's why, if you do not change the default login URL (wp-admin / wp-login.php), you leave your site more exposed to brute force attacks.
Hide your WordPress login page; it'll make it a lot more difficult for hackers to identify the entry point to your WordPress site.
You can use plugins like Lockdown WP Admin or Hide Login+ to hide your WordPress login, but instead of using security plugins that handle just one aspect of your WordPress security, use a more comprehensive plugin (e.g. iThemes Security) to manage your website security. You can configure iThemes Security to hide your WordPress login page.
We use both the Wordfence Security and iThemes Security plugins to protect our WordPress websites. While they do have some overlapping security features, they also offer some unique site protection features that allow us to better protect our sites. If you decide to use both, do not enable the same protection feature in both, as it can cause conflicts between the plugins.
If you would rather have someone set this all up for you, we also offer a full-fledged security package called "WordPress Advanced Security & Performance (WASAP)" where we customize and fine tune different security options offered by these plugins to make sure that 95% of all commonly known vulnerabilities, risks and security holes are completely patched and locked down on your site.
Don't wait until it's too late!
Secure your wp-config.php file
The wp-config.php file contains your database credentials. So this is a file that you must protect.
You can add the following lines of code towards the top of your .htaccess file to secure your wp-config.php file:
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
If you use a security plugin like iThemes Security, you can configure it to prevent access to wp-config.php, .htaccess and a bunch of other key system files without having to manually add code to your .htaccess file.
Protect your uploads folder
The /wp-content/uploads folder in WordPress is writable by default so that users can upload files. The problem is that hackers can exploit this by uploading malicious PHP scripts that allow them to take control and wreak havoc on your site. The good news is that even if they are able to upload malicious scripts to the uploads folder, you can prevent them from executing them.
You can add the following lines of code to the .htaccess file under the /wp-content/uploads folder to prevent hackers from executing PHP scripts there. If you don't have a .htaccess file under /wp-content/uploads, create one and add the following lines of code to it:
# Deny direct requests for PHP scripts inside uploads. The leading dot must be escaped
# so it matches a literal "."; "php." also catches variants such as .php5 and .php7.
<FilesMatch "\.(php|php.)$">
Order Allow,Deny
Deny from all
</FilesMatch>
Instead of doing this manually, it's better to use a plugin like iThemes Security to do this. It comes with easy configuration options that'll allow you to protect your uploads folder. This way you'll not have to update or create .htaccess manually.
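Blocking execution is the mitigation; you also want to know whether anything PHP-like has already landed in the uploads folder. As an added example (my own code, not part of the post or of any plugin it mentions), this Python script walks an uploads directory and reports files that carry a PHP extension anywhere in their name or contain a PHP open tag in their first 64 KB, which a genuine image or document never should. The extension list is an assumption that matches typical hosts; the sample files it builds in a temp directory are constructed for the demo.

```python
import os
import re
import tempfile

# Extensions that a typical PHP handler configuration will execute. Assumption: this
# list matches common hosts; check the AddHandler/AddType lines your host actually uses.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar"}
# PHP open tags; a genuine image or document has no reason to contain one.
PHP_TAG_RE = re.compile(rb"<\?php\b|<\?=")


def scan_uploads(uploads_dir, max_bytes=64 * 1024):
    """Return a sorted list of (relative_path, reason) for files under `uploads_dir`
    that look like PHP scripts: a PHP extension anywhere in the name (every dotted
    part is checked, not only the last) or a PHP open tag within the first
    `max_bytes` of content."""
    findings = []
    for dirpath, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            rel = os.path.relpath(path, uploads_dir)
            extensions = name.lower().split(".")[1:]
            if any(ext in PHP_EXTENSIONS for ext in extensions):
                findings.append((rel, "php-extension"))
                continue
            with open(path, "rb") as fh:
                head = fh.read(max_bytes)
            if PHP_TAG_RE.search(head):
                findings.append((rel, "php-open-tag"))
    return sorted(findings)


def build_sample_uploads():
    """Constructed sample: a throwaway uploads folder with one clean JPEG header,
    one 'image' that actually carries PHP code, and one plainly named PHP file."""
    root = tempfile.mkdtemp(prefix="wp-uploads-demo-")
    month = os.path.join(root, "2023", "10")
    os.makedirs(month)
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,  # JPEG SOI/APP0 marker, no code
        "cute.jpg": b"\xff\xd8\xff\xe0" + b"<?php echo 'constructed'; ?>",
        "stray.php": b"<?php echo 'constructed'; ?>",
    }
    for name, content in samples.items():
        with open(os.path.join(month, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reason in scan_uploads(build_sample_uploads()):
        print(f"{reason:15} {rel}")
```

Anything this reports under a real uploads folder deserves a look before you rely on the .htaccess rule alone: the rule stops Apache from running the file, but the file itself is still evidence that something is writing where it should not.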
Two Factor Authentication
Two factor authentication adds another step to the login process. If you enable it for admin login, you'll have to enter your username and password first as usual but before you’re logged in, you'll have to complete a second step of confirming your identity (say using your cellphone).
Use "Two Factor Authentication" to add another layer of security to your WordPress admin login process.
The Wordfence security plugin supports Two Factor Authentication. They call it "Cellphone Sign-in" because it involves verification via SMS.
Do NOT use outdated Plugins / Themes
Outdated themes & plugins pose a big threat to site security.
No matter how good you feel about your site security, if a 3rd party plugin or theme that you use has a vulnerability, that's enough for a hacker to inject malicious code and once they have done that, they can take full control of your site and wreak havoc.
By using plugins or themes that are not maintained, or if you use an outdated version of WordPress, you’re just making it easier for the hackers to gain access to your site. Even deactivated themes and plugins can leave your site vulnerable.
Do not use outdated versions of plugins/themes as they are vulnerable to attacks. Always upgrade to the latest stable version of WordPress, plugins & themes.
If a plugin hasn’t been updated for a long time, find a replacement that’s actively maintained.
Remove plugins that you don’t need. If you eliminate what you don’t need, you’ll not only reduce the risk of a potential vulnerability, but it’ll also speed up your site considerably.
Do not use free themes. Since free themes tend to not be updated as frequently as the paid ones, they are more likely to open up your site to security vulnerabilities.
You can use Wordfence security plugin to scan WordPress core files, themes and plugins, and alert you about any existing threats or concerns. In the event your site gets hacked or is infected with malicious code, spam, malware etc., then security plugins like Wordfence will also help clean your site.
Use Strong Password
Passwords are a key component of any WordPress security strategy. Use a strong password to make it more difficult for attackers to gain access to your site. Do not use the same password in multiple places. Make your password hard to guess. Anything you can do to increase your site security, just do it. Don't wait.
Also, change your password regularly. It's one thing we all tend to put off but don't. In fact put it on your calendar so you won't forget about it.
WordPress Admin User Name
Do not use “admin” as your WordPress admin username. It's an easy target for hackers.
Just create another user in your WordPress admin panel and assign it the Administrator role. Use a username that's hard for a hacker to guess. Log in using this new admin account to make sure it works. Then delete the original admin user (with username "admin").
Here's a good article on the steps to change admin username.
Table Prefix
Do not use default table prefix of “wp_” when you install WordPress. It’ll make your site more vulnerable to SQL injections.
Use a prefix that’s impossible to guess. It's one of the best ways to protect your wordpress database. It's a lot more work to change table prefix of an already established site but it's doable. If you want to do it, then be sure to take a full database backup first, and also if you're not familiar with database commands to update/alter table names, then do not do it yourself. If you mess things up, it'll be a lot of work to recover your site. Hire someone who is well familiar with the process to do it.
Take Regular Backups
If your website gets hacked or your database gets erased or corrupted or you accidentally delete files, you might end up losing all your work. While your hosting provider might offer backup services, take your own backups instead of just relying on your webhost. With a backup of your WordPress database and files, you can quickly restore things back to normal.
Popular plugins for WordPress website backup include UpdraftPlus, BackupBuddy and Duplicator.
The Duplicator plugin has a free version that can be used for backups but does not allow scheduled backups (which are important when you run a membership site) and does not support automatic upload to S3, Dropbox etc. Both Duplicator Pro (the paid version) and BackupBuddy allow you to schedule your backups and store them in Dropbox, Amazon S3, Rackspace Cloud, FTP etc.
Security Plugins
There are a lot of great security plugins like Wordfence, iThemes Security, SiteLock, Sucuri etc. that can lock things down and greatly help with WordPress site security. We use iThemes Security or Wordfence to secure our sites.
All these security plugins are highly customizable and provide several options to lock down your site. You can fine tune the config settings to patch up and lock down 95% of all commonly known vulnerabilities, risks and security holes.
Also, in your security plugin, look for one-click hardening options such as protecting your uploads folder, disabling the theme and plugin editors, and restricting access to the /wp-content/ and /wp-includes/ directories.
If you’re overwhelmed with all this and would like to hire someone to help out with fully securing your web site, the good news is that we also offer a full-fledged security package ourselves where we'll take care of everything for you. It's certainly a HUGE time and money saver.
So if you're worried about your website security, need help to beef it up, but don't want the hassle of figuring it out yourself, check out our WordPress Advanced Security And Performance (WASAP) package, where we'll take care of all your WordPress and DAP security needs for you. It'll be a HUGE time and money saver for you.
Malware Detection & Removal
If your website gets hacked, don't panic. It's not the end of the world. Yes, you'll likely lose time and money, and you might lose some data as well, but take comfort in the fact that you'll recover from it. You're not alone in this. All is not lost. This happens to thousands of people every day on every kind of platform.
Site security is all about reducing risk. You cannot eliminate it 100%, but you can take steps to reduce the possibility of your website getting hacked, and if it does, have a plan in place to recover it quickly.
This is why it's so very important to take regular backup of your site (files and database). This way, if your site gets hacked, you can easily restore it to a clean version.
In the event that your site gets hacked, here are some simple steps to get it back up and running:
1. Contact your Hosting Provider
Contact your hosting provider right away. If it's a shared webhosting platform, it might have also affected other websites that are sharing the same server. Your webhosting provider can confirm if your site has been hacked or if it's just a server or software issue.
2. Take a backup
Unfortunately most people do not realize the importance of regular site backups until their website gets hacked.
Don't make that mistake. Imagine having to setup everything from scratch! You don't want to be in that boat!
But say that you're in that boat. Your site gets hacked and you don't have a backup. Before you do anything else, first take a full backup of your site. Yes, you'll end up with a backup of the infected site, but at least you'll have a backup rather than no backup! In most cases, you can use a security plugin or tool (like Wordfence Security, Sucuri, Sitelock etc) to detect malware and clean the infected files. It might not be easy to find and clean all the infected files but in most cases (depends on the extent of damage done by the hackers), you'll be able to do it. And even if you can't do it yourself, you can always hire a WordPress security specialist to help you out.
If you still have access to your WordPress admin (after your site has been hacked), you can use a backup plugin (like UpdraftPlus) to take a backup. If not, you'll have to do it manually (using FTP). You can ask your web hosting support to help with the backup. This is another reason why it's so important to host your membership site on a web hosting platform that offers great tech support, and it's one of the reasons we love and use LiquidWeb for hosting our websites.
3. Change Password
Log in to your WordPress admin dashboard and change your WordPress admin password. If you're not able to log in to your WordPress admin, you can use phpMyAdmin in your web host's cPanel to update your password.
Here's a good article on how you can use phpMyAdmin to update your WordPress admin password.
4. Run Malware Scan
There are great FREE tools and plugins which will allow you to check the integrity of all WordPress files and database.
- Wordfence Security
Wordfence is a WordPress security plugin that can verify and repair your WordPress core, theme and plugin files.
It can scan your website core files, theme files, and plugin files, against known threats. It also provides a log of changes to your website and offers many options for hardening your website and making it more secure.
You can also get Wordfence to scan files outside of your WordPress folder.
And the great thing about Wordfence is that it provides enterprise-class WordPress security for FREE. You can download their WordPress plugin for free. They also offer a premium (paid) version with access to premium support and support for Country Blocking, Scheduled Scans, Password Auditing etc.
- Sucuri Security
Sucuri offers a free WordPress Security plugin. You can use it to audit all your website activities such as file changes, file uploads etc and it can also check if your core WordPress files are intact. You can use it (in addition to Wordfence Security) to detect malware.
If your website was hacked and you've already done a scan and cleanup using Wordfence, chances are the free version of the Sucuri plugin won't report anything new, but it's good to run the scan anyway to double-check that no new files are detected.
Sucuri also offers remote malware scanning with its free Sucuri SiteCheck scanner. Enter a URL (e.g. yoursite.com) and the Sucuri SiteCheck scanner will check the website for known malware, blacklisting status, website errors, and out-of-date software.
If you want to use Sucuri to completely secure your website, supplement the free Sucuri plugin with their paid services for Website Firewall, Malware Removal etc.
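The "log of changes" and "verify core files" features above both come down to comparing file hashes against a known-good snapshot. As an added example (my own code, not part of the post and not how Wordfence or Sucuri implement it), here is a Python script that takes a SHA-256 baseline of a WordPress tree and later reports files that were added, removed or modified. Unlike a plugin that checks core files against the official release hashes, this compares against your own snapshot, so it also covers themes, plugins and uploads, but the baseline must be retaken after every legitimate update. The file names and contents in the demo scenario are constructed.

```python
import hashlib
import json
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under `root`."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests


def save_baseline(root, baseline_path):
    """Write the current hashes of `root` to a JSON file. Keep that file OFF the web
    server: anyone able to plant files on the site could also rewrite a baseline
    stored next to them."""
    baseline = hash_tree(root)
    with open(baseline_path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)
    return baseline


def compare_to_baseline(root, baseline_path):
    """Return {'added': [...], 'removed': [...], 'modified': [...]} relative to the saved baseline."""
    with open(baseline_path) as fh:
        baseline = json.load(fh)
    current = hash_tree(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def run_demo():
    """Constructed scenario: baseline a small WordPress-like tree, then simulate one
    edited core file, one new file dropped into uploads and one deleted plugin file."""
    root = tempfile.mkdtemp(prefix="wp-integrity-demo-")
    files = {
        "wp-includes/version.php": "<?php $wp_version = 'constructed';\n",
        "wp-content/plugins/demo/demo.php": "<?php // constructed plugin\n",
        "index.php": "<?php // constructed front controller\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    # The baseline lives in a separate directory, outside the tree being watched.
    baseline_path = os.path.join(tempfile.mkdtemp(prefix="wp-baseline-"), "baseline.json")
    save_baseline(root, baseline_path)

    # Simulated tampering after the baseline was taken
    with open(os.path.join(root, "wp-includes", "version.php"), "a") as fh:
        fh.write("// constructed: appended line\n")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(root, "wp-content", "uploads", "stray.php"), "w") as fh:
        fh.write("<?php // constructed\n")
    os.remove(os.path.join(root, "wp-content", "plugins", "demo", "demo.php"))
    return compare_to_baseline(root, baseline_path)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run save_baseline right after a clean install or a verified update, store the JSON with your backups, and run compare_to_baseline from a cron job or before each release; a non-empty "added" or "modified" list for wp-includes or wp-admin is a strong signal that something other than WordPress has been writing to your site.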
Get WordPress Advanced Security Package!
If you're worried about your website security, need help to beef it up and don't want the hassle of figuring it out yourself, then our WordPress Advanced Security & Performance package is just for YOU!
Go ahead and purchase our WordPress Advanced Security And Performance (WASAP) Package and you won't regret it.
We'll install the right security plugins and customize and fine tune the various configuration options in these plugins to make sure that 95% of all commonly known vulnerabilities, risks and security holes are completely patched and locked down!
Questions/Concerns?
Join my Free, Private Facebook group for Membership-Site users. I'll be happy to answer any questions or concerns you may have about your WordPress or DAP site security.