WordPress: 10 tips to secure your website
Keep hackers out of the world's most popular content management system
A lot of people use WordPress to manage their website, therefore it's no surprise people ask me to have a look at their site's security. As ethical hacker, I encounter WordPress in different shapes, sizes and states. Some of them are really badly protected against hacks. Prevent your site from being hacked using these 10 practical tips.
1) Update WordPress (and plugins + themes)
The majority of WordPress hacks is the result from a lackluster update policy. Hackers use automated bots to find outdated software versions containing known security problems. Once they have found your website to be vulnerable, hacking it is often a piece of cake.
These days updating WordPress can be done automatically, so you won't have to do it yourself. Check out the instructions on how to update WordPress.
2) Plugins and Themes
The bad security reputation WordPress has earned is mostly due to the platform's extensible parts, specifically plugins and themes. These are the primary attack vectors exploited by cyber criminals to hack and abuse your WordPress website. Their security vulnerabilities are usually the result of mistakes and oversights during development.
Be very reluctant and cautious to install plugins on your WordPress website. You should check who's the developer of the plugin or theme, determine if they have a good reputation when it comes to writing safe code. Plugins and themes with lots of downloads are often actively being maintained, a good indicator for security. Update all plugins and themes and keep an eye on the security track record using a website like wpvulndb.com.
3) Use encryption (TLS/SSL)
WordPress websites without TLS/SSL encryption pose a security risk because whenever you login to administer the website, your password is sent in clear text. This means that anybody that is listening to your network traffic can easily get your password. With a valid password hackers can simply login, you don't want to make it that easy for them, right?
Use TLS/SSL to encrypt all communication between the webserver and your browser. That means nobody can decipher what you type into the password field by looking at the network traffic. TLS/SSL certificates that you need to enable HTTPS encryption are very cheap these days, ask your hosting provider to get one on your site.
4) Use strong passwords
No matter if you follow all the other tips to secure your website, weak passwords are another common source for WordPress security breaches. Because most WordPress installations have an "admin" user, hackers can use password dictionaries to automatically guess your password.
Think of a strong password as of something that nobody has used before. This usually means longer, with more different characters, not comprising known words or phrases. You can use a password generator to get something really hard to guess (and easy to forget...). Prevent using the same password on multiple sites and consider enabling two step authentication for maximum access control.
5) Use a trusted computer and network
Just like you should not flaunt your cash and gadgets in shady streets, you should be careful where (and when) you login to your website. A computer with spyware, malware or a virus can record key strokes (and your password) and send it to criminals. Or even in a non-digital way: an adversary can literally look over your shoulder (in the bus, train or coffee shop) while you enter your password.
Be careful where and when you work on your website. Don't work on a shared or public computer when you don't need to. If you work using a public WiFi hotspot you must use encryption to prevent anyone from sneaking along. You can do this using TLS/SSL or by using a VPN (like buffered.com). Make sure your computer, tablet or smartphone is updated.
6) Disable WordPress REST API
The WordPress REST API provides access to all data that is available on your website in machine readable JSON format. Posts, pages, categories, tags, comments, media, users, settings and more can be easily accessed. For instance, try adding this part to your website address: /wp-json/wp/v2/users to get a list of all the valid usernames of your website, do you want to share that with hackers?
Disable the REST-API to prevent content scraping (plagiarism) and to prevent leaking user data. User data is personal and should no be shared publicly if you value privacy and security - think GDPR. You can disable the REST API using a plugins like Disable REST API or REST API Toolbox. Check out the detailed blog post by Jeff Star for more about securing the WP REST API.
7) Disable XML-RPC access
The XML-RPC is a feature of WordPress that enables remote control of your website using XML (RPC stands for "remote procedure call"). This mechanism allows you to manage your website without logging into WP-Admin, for instance using external services or apps. Unfortunately, the XML-RPC feature is a security weakness since it basically is a backdoor that hackers can try to break using brute force or special commands.
Prevent xml-rpc.php problems by disabling this WordPress feature entirely. You can do this using the Disable XML-RPC plugin or by manually configuring the webserver using a htaccess file.
8) Hide or protect the login page (wp-admin)
Everybody knows that to login to WordPress, you simply add '/wp-admin' to your website address. Any hacker can easily get started with brute forcing your website because of this. It's much harder to break a lock if you cannot find it.
Consider hiding or replacing the wp-admin page. Experts call this "security through obscurity", relying on secrecy for security. You can use a plugin for this, or configure the webserver to limit access to wp-admin by IP address filtering. Check out this blog post for ways to hide and protect the wp-admin page. Be warned though, relying on secrecy alone is not enough - you should implement the other tips, too.
9) Reliable hosting
Even if you implement all these security tips to secure your WordPress website, it might not be enough if your hosting is insecure. Hosting is the service that allows your website to be made available on the internet. This is done using special computers called servers. Just like the website itself, the web server publishing it must be secure, too. Think of a hosting as a ship, if it sinks it will take all passengers (websites) with it...
Invest in reliable hosting by selecting a hosting company with a good reputation. Pick one that fits your company well, consider hosting using a dedicated (managed) VPS. Be aware that cheap hosting options are often cheap because the server is shared with (many) other (possibly insecure) websites. Read along to understand the security concerns in shared hosting.
10) Backup and checkup
Although your website may be up and running smoothly now, things may change for the worse in the future. Security is never an absolute thing, it's always possible you'll run into bad weather. Prepare yourself for trouble and don't let security problems go unnoticed.
Check your own website regularly - or hire somebody to do this for you. With a plugin like WP Security Audit Log you can spot attacks and suspicious behaviour early on. Make backups of your website, so you're ready to recover from cyber disaster. Accidents happens to the best of us, make a backup of your website to prevent loosing your work completely. Check this blog post to learn about different ways to backup your WordPress website.
The security of your website is just like the security of your office or house. When you leave it, you close the windows and lock the doors, right? Don't neglect the security of your website, it's just as important as its design and content.
If you implement these security tips, your website will be much harder to hack by cyber criminals. Do it yourself or ask somebody to help you.