DEV Community

WPLake

Posted on • Originally published at wplake.org on

5 Pro Tips to secure WordPress from hacking


Follow these 5 Pro Tips to secure your WordPress installation like a pro. Once they are in place, you will have a level of protection that is enough for most websites.

Some people get lazy when security comes up and skip even the basics (at least until they get hacked). Others go overboard and lock down everything that can be locked, making the site worse to use. Let's find the golden middle: protect WordPress from the most common threats without becoming paranoid. Following these tips will also spare you heavy and expensive security plugins.

Basics for beginners

First, a few words about the very basic things related to security. This part is for beginners; feel free to skip it if you are confident in the basics.

As a beginner, you should know that most WordPress sites are compromised not through a vulnerability in the code, but through careless use of the software: weak or shared passwords and untrusted themes and plugins.

Passwords

A. Don’t use weak passwords

Every password should be 16+ random characters, including special characters, and generated by a password manager rather than invented. Attackers have lists of commonly used passwords and phrases and try those first, so a password built from names or dictionary words gives them easy access to your admin panel. Never, ever use names or words in a password.

B. Don’t share passwords with third party faces

Not even with developers. If you need work done by them, create a separate account for each of them, and remove the account (or at least change its password) once their tasks are done.

C. Keep password in a safe place

Writing it on paper is a bad idea. Storing it in an online service may also be a bad idea. The best option is an offline password manager; there are plenty of programs that store passwords securely in an encrypted database. For example, I use KeePassXC.

D. Don’t share passwords via insecure channels

If you need to share a password (for example, you are a developer and have created an account for your client), do it via a secure channel, or have the recipient change the password right after receiving it. Slack or messenger chats are not suited for this: the password stays in the chat history indefinitely.

Unverified themes and plugins

This is the most common beginner mistake. People see how many ways there are to customize a website and start installing every plugin and trying every theme they can find, usually preferring free or "nulled" (pirated, modified) copies. Nulled plugins and themes very often contain backdoors, malware or unpatched vulnerabilities; that is the price of "free" access to paid software.

For free plugins, download them ONLY from the official WordPress repository (or via the Plugins item in your WordPress admin menu, which uses the same source). Also check the number of active installations (should be more than 100) and the last-updated date (should be less than a year ago). For paid Pro plugins, make sure you buy from the vendor's official website and that there are independent reviews confirming the plugin's quality (not on the vendor's website, but on other resources).

5 Pro Tips to secure WordPress

1. Change your login url and add a captcha

Brute-forcing login credentials is the most common attack on WordPress sites. Bots send hundreds of requests to your login page, and even if your password is strong, this creates extra load on the site. Moreover, if you are a developer, you cannot guarantee that the owner or their editors will not use weak passwords. This step adds an extra layer in front of the admin accounts.

I use the WPS Hide Login plugin to change the login URL. It is easy to set up and it does not change the admin URL for logged-in users: it only hides 'wp-admin' and 'wp-login.php' from unauthenticated visitors. Editors and admins must visit the new URL to log in, and can then use the ordinary 'wp-admin' to reach the admin panel. Keep in mind that a hidden URL is obscurity, not authentication: it cuts down bot noise, but it is no substitute for strong passwords.

I use the Simple Google Captcha plugin to add a captcha to the login page. It works well with the first plugin and attaches the captcha via WordPress hooks, so it works with any custom login URL. The plugin only adds the reCAPTCHA code; it does not register a Google account for you. You must sign up for Google reCAPTCHA and obtain a site key and secret key to use the plugin.

2. Disable REST API for unauthorized users

The REST API makes it trivial to list usernames: an anonymous request to /wp-json/wp/v2/users returns every account that has published posts, including its login-derived slug. Attackers still need the password, but let's make their job harder. Besides, the usernames of your editors are private information in their own right; why share them with the whole world? Completely disabling the REST API is not an option, though: WordPress itself uses it (the Gutenberg editor, for example) and so do many plugins, so switching it off breaks the site.

The golden middle is to disable the REST API for unauthenticated requests only. That causes no trouble for logged-in editors and admins, but stops usernames leaking to third parties. (The REST API is not the only leak: the ?author=N archive redirect exposes the same slugs, which is one more reason not to treat a username as a secret.)

I use the Disable REST API plugin for this. By default it is configured to block unauthenticated requests only, so you can simply activate it without any extra steps. Do check the front end afterwards: some plugins (contact forms, for instance) submit through REST routes that anonymous visitors must be able to reach, and the plugin's settings page lets you allow specific routes for unauthenticated users.
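The same restriction without a plugin, as an added example that is not code from the original post or from the Disable REST API plugin. It uses the WordPress rest_pre_dispatch filter to refuse anonymous requests before any route runs, while keeping an allowlist of routes that front-end features need; the allowlist entries and the mu-plugin path are assumptions for illustration, not something the post prescribes:

```php
<?php
/**
 * Added example: refuse REST API requests from anonymous visitors.
 * Save as wp-content/mu-plugins/restrict-rest-api.php (assumed path;
 * a must-use plugin survives theme switches, unlike functions.php).
 */

// Route prefixes that stay reachable without logging in. These entries are
// assumptions for illustration: list the routes your own front end needs.
const MYSITE_PUBLIC_REST_PREFIXES = [
    '/contact-form-7/v1/', // a front-end form plugin submitting via REST
    '/oembed/1.0/',        // lets other sites embed your posts
];

add_filter('rest_pre_dispatch', function ($result, $server, $request) {
    // Another filter has already short-circuited this request: leave it alone.
    if ($result !== null) {
        return $result;
    }

    // By the time rest_pre_dispatch runs, WordPress has already validated the
    // REST nonce (cookie auth) or an application password, so a cookie sent
    // without a valid nonce does not count as logged in. Editors working in
    // the admin and the block editor pass through untouched.
    if (is_user_logged_in()) {
        return null;
    }

    $route = $request->get_route();
    foreach (MYSITE_PUBLIC_REST_PREFIXES as $prefix) {
        if (strncmp($route, $prefix, strlen($prefix)) === 0) {
            return null; // allowlisted route, normal dispatch continues
        }
    }

    // Everything else, /wp/v2/users included, is refused before it executes.
    return new WP_Error(
        'rest_login_required',
        'You must be logged in to use the REST API on this site.',
        ['status' => 401]
    );
}, 10, 3);
```

Check it with an anonymous request: curl -i https://YOUR_DOMAIN/wp-json/wp/v2/users should now answer 401 with the rest_login_required code, while the block editor and admin screens keep working because they send the REST nonce and are therefore logged in by the time the filter runs.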

3. Disable directory browsing

Directory browsing is a web server feature that shows the list of files in a requested folder in the browser when the folder has no index file. Attackers find targets faster when they know the exact file structure and versions of your plugins and themes, and a directory listing hands that to them.

WordPress ships an index.php stub in all its basic folders, like /wp-content/, /wp-content/plugins/ and /wp-content/themes/, but cannot guarantee that every plugin or theme developer does the same. So you need to make sure that your web server itself does not allow directory browsing.

Try visiting YOUR_DOMAIN/wp-includes/ in your browser. If you get a 'Forbidden' (403) or 'Not Found' (404) error, your server already refuses listings and you can skip this item. If you see a list of files, you must take extra steps to disable directory browsing.

To do this on Apache, we need to add a rule to the .htaccess file. I don't recommend editing this file by hand via FTP (as many others suggest): WordPress regenerates its own block of the file, and caching and other plugins rewrite it too, so a hand edit can be lost after some time. Instead, we can make the change permanent with the following snippet, which hooks into the rules WordPress writes. Add it to your theme's functions.php (or, better, to a must-use plugin in wp-content/mu-plugins/, so it survives a theme switch):

add_filter('mod_rewrite_rules', function ($rules) {
  // Append the directive after the rewrite rules WordPress generates,
  // so it lands inside the block WordPress maintains in .htaccess
  return $rules . "\n" .
    "# Disable directory browsing\n" .
    "Options -Indexes\n";
});

Then visit the Settings > Permalinks page in your admin panel; this forces WordPress to rewrite the .htaccess file immediately. After that, visit YOUR_DOMAIN/wp-includes/ again and make sure it now returns a 403 or 404 error instead of a listing (which is what we want). If the whole site starts returning a 500 error instead, your host's Apache configuration does not permit Options in .htaccess (AllowOverride); remove the rule and ask the provider to disable directory indexes for you. On nginx this step is usually unnecessary, since listings are off unless autoindex is explicitly enabled.

4. Deny access to the git folder

Skip this step if your site is on plain shared hosting or was uploaded manually without Git.

Many developers use Git, which is a wonderful tool. Deploying with Git on production is fine as well, but then you must block browser access to the .git folder. Otherwise, starting from the .git/HEAD file, an attacker can walk the object store, rebuild the whole commit history and obtain the source code of your website, including anything that was ever committed, such as configuration files with credentials.

So you need to block all requests to /.git/*. Ask your system administrator or hosting provider, or, if you have the skills and your server runs NGINX, add the following to the NGINX config of your website. It denies every dot-file and dot-folder (.git, .env, .htaccess and so on), but keeps /.well-known/ reachable, because Let's Encrypt and other ACME certificate checks use it:

# deny access to all dot-files and dot-folders (.git, .env, .htaccess, ...),
# except /.well-known/, which ACME (Let's Encrypt) validation needs
location ~ /\.(?!well-known/) {
  deny all;
}

Then test the configuration and reload NGINX (nginx -t && systemctl reload nginx, or your distribution's equivalent), and check in your browser that YOUR_DOMAIN/.git/HEAD now returns 403.

5. Deny access to the xmlrpc.php file

XML-RPC is an old remote-access feature of WordPress that is rarely needed nowadays and is kept mostly for compatibility with older software (Jetpack and some legacy mobile and desktop clients still rely on it, so check before you block it). It allows interaction with your website without opening it in a browser. The bad part is that attackers can brute-force passwords through it: even if you have changed the login URL and added a captcha in the steps above, xmlrpc.php still accepts a username and password, and its system.multicall method lets a single HTTP request test hundreds of credentials at once. Its pingback.ping method has also been abused to make sites take part in DDoS attacks on others.

To deny access to the file, ask your system administrator or hosting provider, or, if you have the skills and your server runs NGINX, add the following to the NGINX config of your website:

# WordPress xmlrpc.php: exact match, refuse every request to it
location = /xmlrpc.php {
  deny all;
}

Again, test the configuration and reload NGINX (nginx -t && systemctl reload nginx). A request to YOUR_DOMAIN/xmlrpc.php should now return 403 Forbidden; before the change, WordPress answered it with "XML-RPC server accepts POST requests only."
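Steps 3, 4 and 5 together for sites on Apache, where the NGINX snippets above do not apply. This is an added example, not the post's own code: it extends the mod_rewrite_rules filter from step 3 so that WordPress writes all three rules into its block of .htaccess. It assumes Apache 2.4 syntax, a must-use plugin path of your choosing, and a host whose AllowOverride permits the Options, Limit/AuthConfig and FileInfo overrides (if it does not, Apache returns 500, and you should ask the provider to apply the rules in the main server configuration instead):

```php
<?php
/**
 * Added example: append the hardening rules from tips 3, 4 and 5 to the
 * WordPress block in .htaccess (Apache 2.4 syntax). Save it as
 * wp-content/mu-plugins/harden-htaccess.php (assumed path), then open
 * Settings > Permalinks once so WordPress regenerates .htaccess.
 */
add_filter('mod_rewrite_rules', function ($rules) {
    // Nowdoc: the directives are written to .htaccess exactly as shown.
    $extra = <<<'HTACCESS'

# Tip 3: never list folder contents, even where a plugin forgot index.php
Options -Indexes

# Tip 4: dot-files and dot-folders (.git, .env, ...) are not web content.
# /.well-known/ stays reachable because ACME (Let's Encrypt) checks use it.
RedirectMatch 404 /\.(?!well-known/)

# Tip 5: xmlrpc.php is a second door for password guessing; close it.
<Files "xmlrpc.php">
    Require all denied
</Files>
HTACCESS;

    // $rules is the rewrite block WordPress generated; keep it first.
    return $rules . $extra . "\n";
});
```

After regenerating, YOUR_DOMAIN/wp-includes/, YOUR_DOMAIN/.git/HEAD and YOUR_DOMAIN/xmlrpc.php should all return an error page instead of content. If you cannot touch the web server at all, WordPress's own xmlrpc_enabled filter (add_filter('xmlrpc_enabled', '__return_false')) refuses XML-RPC logins, but xmlrpc.php still answers unauthenticated methods such as pingback.ping, so the server-level block is the stronger option.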

Conclusions

We've reviewed the 5 most important steps to protect your installation from hacking. In fact, steps 3–5 can be done once by a system administrator (or hosting provider) at the server level and will then cover every website on the account. Once they are done, you can be sure you have a good level of protection without buying security plugins, which are often heavy and slow a website down.

If you are a WordPress developer, also read what a good WordPress developer must know.
