
Hardening WordPress

Security is a journey, not a destination. Achieving perfect security is a lofty goal that is often impractical or unattainable. Find out how to implement the right security measures to harden your WordPress install.

Fundamentally, security is not about building a perfectly secure system. Such a thing is probably impractical to reach and certainly impossible to maintain. Security is risk reduction, not risk elimination: it means applying every appropriate control available to you, within reason, so that your overall posture improves, you become a less attractive target, and the odds of getting hacked go down.

Hardening WordPress – WordPress.org Documentation

Pick a good, secure, reputable, known hosting provider.

Securing WordPress begins at the beginning: the host. Something reliable and known beats Joe’s House O’ Hosting, even when Joe says his hosting is $0.99/year.

I tend to rely on consensus feedback in these situations, and I look no further than a quick Google search for what developers and hosting experts on Reddit are saying. Of course, that meant working out everything from what “non-EIG” hosting means, to what managed hosting actually buys you, to whether it matters that you or your client is US-based. Personally, I am enjoying working with A2Hosting [non-affiliate link], and that choice was based on a Reddit recommendation.

I opted for a non-managed hosting plan so that I have database and terminal access. Yes, my server is still shared; however, I’ve found that I can do most of what I need for this site through cPanel.

In my professional experience, working with multiple clients (well over 100 websites), it makes more sense to handle hosting at a much larger scale, so we switched from dedicated hosting to AWS soon after I joined the company.

I have learned how to deploy, migrate and launch sites on Plesk and AWS Lightsail. I also took it a step further by setting up a CDN and load balancing for some of our larger sites. We’ve seen a massive jump in speed and security by using industry-standard tools.

Keep it up-to-date

Very recently, the company I work for had a security breach on 3 of our 100+ websites because of a plugin we use. No client or user data was taken, as they are small informational sites; however, all 3 sites had downtime.

The plugin was the cause, and updating the plugin was the cure. Keeping everything as up to date as possible, from PHP to WordPress core to plugins, is the simplest way to avoid security issues: the bulk of WordPress compromises go through an already-patched hole in a plugin or theme that nobody applied the update for.

Updating plugins can break your site, so be wary. Test, test, test, ideally on a staging copy before touching production. And to quote Code-Jedi: “Backup early and often!”

If everyone is an ADMIN then no one is. 

Not everyone needs admin-level access to your site. Even the administrator should not be called admin: it is strongly recommended that WordPress administrators do not use the default username “admin”, “administrator” or the site’s domain name, because those are the first usernames every brute-force bot tries, which hands the attacker half of the credential for free.

If you have started your site already, you can change your username by creating a new user with a different name, granting it the Administrator role, logging in as that user and then deleting the old one. When WordPress asks what to do with the old user’s content, attribute it to the new user so nothing is lost.

Or you can hop into phpMyAdmin and change the user_login value directly in the wp_users table. The author slug (user_nicename) is a separate column, and it is the value that /author/ URLs reveal, so change it as well if it still says admin.

Change your password every few months, and implement MFA/2FA if at all possible (you’ll need a plugin for MFA/2FA). A second factor keeps protecting you after a password has leaked, which rotation alone cannot do.

As for any other users, make sure to use WordPress’ built-in roles of Editor, Author, Contributor and Subscriber, and give each person the lowest role that still lets them do their job.

You shall not pass! 

Password hygiene is seriously the magic spell that stops most attacks at the gate: long, unique passwords for every account (a password manager makes this painless), no reuse between the WordPress login, the hosting panel and the database, and a limit on failed login attempts so that guessing stays slow.

Update those keys

In WordPress, the wp-config.php file stores the information WordPress needs to connect its circuit, so to speak: the name, host, username and password of the MySQL database that holds all of your user info, blog posts and other important content. That alone is reason enough to make sure the file is never served to visitors.

The same file holds the eight secret keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their _SALT counterparts). WordPress mixes them into the hashes that sign login cookies and nonces, so unique, unguessable values make it much harder for someone to forge a session and gain access to your account.

Go to https://api.wordpress.org/secret-key/1.1/ (or https://api.wordpress.org/secret-key/1.1/salt/, which returns all eight keys and salts) and copy the results into the AUTH_KEY … NONCE_SALT section of your wp-config.php.

I do this about once a month, but once every 90 days is acceptable too. There’s a plugin for that! Be aware that rotating the keys logs every user out, since every existing cookie stops validating the moment the new values are saved.
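For the rotation routine above, here is an added example (not the post author’s code and not part of WordPress) that does the job locally: it generates the eight values from /dev/urandom instead of fetching them from api.wordpress.org and splices them into an existing wp-config.php. The file path and the character set used for the values are assumptions; the function names are made up for this example.

```shell
#!/bin/sh
# Added example for this post (not WordPress's own code): rotate the eight
# authentication keys and salts in a wp-config.php locally, without calling
# api.wordpress.org. Handy on a host with no outbound access, and it turns
# the "rotate every 90 days" routine into something you can cron.

SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print 64 random characters from /dev/urandom. The character set (an
# assumption, not a WordPress rule) leaves out the single quote and the
# backslash so the value can sit inside a PHP single-quoted string unescaped.
random_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=,.:;<>?~' </dev/urandom | head -c 64
}

# defined_salts <wp-config.php>
# Print how many of the eight keys are defined in the file with a
# 64-character value (0 for a fresh copy of wp-config-sample.php).
defined_salts() {
    n=0
    for k in $SALT_KEYS; do
        if grep -q "^define('$k', '.\{64\}');\$" "$1"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# rotate_salts <wp-config.php>
# Replace every existing define('AUTH_KEY', ...) style line with a fresh
# value, append any of the eight the file never defined, and copy every
# other line through untouched. Returns 1 if the file does not exist.
rotate_salts() {
    wpcfg="$1"
    [ -f "$wpcfg" ] || return 1
    tmp="$wpcfg.tmp.$$"
    seen=""
    {
        while IFS= read -r line || [ -n "$line" ]; do
            replaced=0
            for k in $SALT_KEYS; do
                case "$line" in
                    "define("*"'$k'"*)
                        printf "define('%s', '%s');\n" "$k" "$(random_salt)"
                        seen="$seen $k"
                        replaced=1
                        break
                        ;;
                esac
            done
            [ "$replaced" -eq 1 ] || printf '%s\n' "$line"
        done < "$wpcfg"
        # Keys missing from the file are appended so they live in wp-config.php
        # rather than being generated on the fly and kept in the options table.
        for k in $SALT_KEYS; do
            case " $seen " in
                *" $k "*) ;;
                *) printf "define('%s', '%s');\n" "$k" "$(random_salt)" ;;
            esac
        done
    } > "$tmp"
    mv "$tmp" "$wpcfg"
}

# Usage (path is an assumption):
#   rotate_salts /var/www/html/wp-config.php && echo "rotated; every session is now invalid"
```

Run it as the user that owns wp-config.php so the rewritten file keeps its permissions, and do it at a quiet hour: every logged-in editor is kicked out the moment the file is saved.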

.htaccess

An .htaccess file lets you set access limits on files and directories on an Apache host: restrict something to a specific IP address so that only people at that location can reach it, deny a file to everyone, or a great many other things. It only takes effect where the host allows overrides, and nginx ignores it entirely, so check which web server you are actually on. There’s a lot to learn here, so I definitely recommend taking some time to read the basics.
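As an added example (not from the post’s author or from WordPress), here is a small .htaccess for an Apache 2.4 document root that applies the IP restriction described above to the login form and closes a few other doors that come up again under Security Plugins. The address 203.0.113.10 is a placeholder for your own office or VPN IP.

```apache
# Added example .htaccess for a WordPress document root (Apache 2.4 syntax).
# 203.0.113.10 is a placeholder; substitute your own address.

# 1. Only your own address may reach the login form. Everyone else gets a
#    403, which stops credential stuffing against wp-login.php cold.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>

# 2. Never serve the file that holds the database password and the salts.
<Files "wp-config.php">
    Require all denied
</Files>

# 3. xmlrpc.php: unless a mobile app or Jetpack needs it, close it. One
#    XML-RPC request can carry hundreds of login attempts via system.multicall.
<Files "xmlrpc.php">
    Require all denied
</Files>

# 4. User enumeration: /?author=1 redirects to /author/<slug>/, handing out
#    valid login names one ID at a time. Refuse the query instead.
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
RewriteRule .* - [F,L]

# 5. The REST API lists authors at /wp-json/wp/v2/users. Refuse it for
#    visitors carrying no login cookie so the block editor keeps working.
RewriteCond %{REQUEST_URI} ^/wp-json/wp/v2/users [NC]
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_ [NC]
RewriteRule .* - [F,L]
```

Two caveats. If your home IP changes, rule 1 locks you out, so keep a way to edit the file from the hosting panel, or widen it to a CIDR range. Rule 5 checks only for a cookie name, not a valid session; someone who sets that cookie by hand gets past the rewrite, but WordPress still treats the request as anonymous, so the most they see is what the endpoint already shows the public. A security plugin that filters rest_endpoints does this more cleanly.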

Change your Database Prefix

Anything left at its default in WordPress is something an automated attack can assume. Definitely do not use the standard wp_ database prefix: a canned SQL injection payload that hardcodes wp_users fails against a site that uses something else. This is obscurity rather than a real fix (an attacker who has found an injection can still read your table names out of information_schema), so treat it as one more speed bump and not a substitute for patching. Here’s a quick and dirty how-to on changing your database prefix.

Change the default install folder

When you install WordPress, put it in a subdirectory with a non-obvious name rather than at the document root. No really, anything is better than the default location. Like the prefix change, this mostly trims automated noise: the path is still visible in your page source through every link to wp-content and wp-includes, so it will not hide WordPress from anyone who looks.

Block the bots

To block bad bots that you don’t want crawling your site, .htaccess can refuse requests by user agent, for example with the following. Bear in mind that the user agent is whatever the client chooses to send, so this stops only the lazy ones; a determined scraper just changes the string.

RewriteEngine On
# "agent1" is a placeholder for whichever agent you want to refuse. A space
# inside a name must be escaped (or the whole pattern quoted), otherwise
# Apache splits the directive at the space and refuses to start.
RewriteCond %{HTTP_USER_AGENT} (agent1|Wget|Catall\ Spider) [NC]
RewriteRule .* - [F,L]

Security Plugins

Bad bots, spoofed user agents and user enumeration (guessing valid usernames through /?author=1 or the REST API’s users endpoint) are exposures on any WordPress site. This means you have to use a plugin or two.

  • WP Customizer [non-affiliate link] – Super lightweight. Fantastically well coded. Just the best of the best when it comes to incorporating what you need for a secure WordPress install.
    Plus, a lot of the individual components of code are available on their blog. This includes speed optimization as well as disabling xmlrpc.php, the XML-RPC endpoint that WordPress is fairly well known for being attacked through!
  • Apocalypse Meow: Testing this one currently, and it’s been working well for me. It is lightweight and intuitive.
  • All in One Security: Doesn’t have a paid version! This is a huge win for those clients that need to be cost-effective. It’s also well reviewed overall and it works! I’ve had the most success with this security plugin on the majority of the sites I’ve worked on.
  • iThemes Security: Lightweight, only creates 3 tables, and simple. It also includes backups. The free version is on the WordPress plugin page, and current info on paid versions can be found here [non-affiliate link].
  • Wordfence Security: Nope, don’t do it. It’s added so much junk to the database and generally slows down my sites. I truly hate this plugin, and would recommend staying far, far away.

There’s more, and I am sure I will continue to update this.
