Tips to secure your WordPress website against vulnerabilities

You might have landed on this article searching for "How to secure a WordPress website against exploits?", "How to protect my WordPress site against hacks and malware?" or "Tips for securing your WordPress website against all exploits."

This is the right article: it covers the techniques, tools and plugins that help you secure your WordPress website.

According to W3Techs, WordPress powers more than 58% of all websites that use a CMS, which works out to 24.9% of all websites in the world.

With this growth in usage, and with WordPress's reputation for being easy to set up and easy to use, more and more WordPress themes and plugins are being installed.

But that ease comes with a catch: a site left in its default settings is easy for attackers to compromise.

Hence the need to understand security and to secure your WordPress-powered website, because nobody likes getting their website hacked.

A Google search for the phrase "prevent WordPress hack" returns 8 million or more results, which shows how urgently developers and novice users alike want to know the techniques and tools that keep their WordPress website from being hacked.

Here is a list of the tips, tools and techniques that we, as WordPress theme developers, could think of.

This article may well start a discussion, and more input and additions can be made over time.

We will start with the simplest techniques and then move on to the more complex ones:

Simpler tips for security:

1. Hosting: Your host plays a crucial part in keeping your WordPress website secure. Many times it is a bad host that gets you hacked. With a good host in place, many things are sorted out quickly and much of the frustration is avoided: backups are easy, and brute-force attacks, spam and SQL injection are often detected and blocked at the host level. Hence we will talk about the hosts we recommend most and their tools.

a. Shared Hosting: Most people just want to get their website started and don't want to spend a lot on their first go, so they pick shared hosting as their platform. There are thousands of companies that provide shared hosting and we can't possibly list all of them here, so we include only the 4 shared hosts we have personally tried and can recommend. There may well be better or similar services; do let us know:

i. Bluehost: Bluehost has long been listed by WordPress.org on its hosting page: https://wordpress.org/hosting/ It is a good starting point for a shared-hosted WordPress website, since it offers both premium WordPress hosting for later and simple shared hosting with 1-click install. Since it is shared hosting that costs you 3 to 4 USD per month, you can't complain much about the lack of features or services. It does, however, come with an automated backup tool in cPanel known as Backup Wizard, which you can use. Backups ensure that you are safe: if your website ever gets hacked, you can restore from the backup.

ii. A Small Orange: We are hosted on this host ourselves, and most of the features Bluehost has are present here too. What we like most, and what makes it even better than the host above, is the support. Support tickets are answered within 5-6 hours and we always get to chat with someone on live chat within a few minutes. Support is what makes this host stand out from the rest, because there is a lot of help they can provide for free; all you need to do is ask. Examples: NGINX server cache installation, backups and how to use them, etc.

iii. SiteGround: Another popular WordPress shared host; they also provide good tools for backing up your website. cPanel and the other standard features are present. Chat is proactive and support tickets are answered promptly.

iv. GoDaddy: GoDaddy is the largest domain registrar, so many prefer it for their hosting as well. Over time GoDaddy has also made several changes to make it reliable hosting for WordPress. It has also started offering standard cPanel WordPress hosting, which gives you backups and other easy-to-use tools.

b. Managed WordPress hosting: For those who have a bit of budget and want their host to manage security for them. Of the many out there, these 2 hosting companies we found reliable, cheaper than the rest, and often helping you secure your website as well as letting you know which plugins are good and which aren't. They also take nightly backups, which means peace of mind: if a hack ever happens, which is rare since they manage it, they can restore the backup quickly:

i. WP Engine: WP Engine gives you the list of plugins they recommend for most sites, so vulnerable plugins are kept at bay.

ii. Flywheel: Flywheel tells you not to install any security plugin, as they handle security themselves, which means you don't need to do anything once you set up with them; they take care of the rest.

2. Backups: Backups can be taken with the cPanel file manager or via FTP (for the files) and by downloading the database with phpMyAdmin, through cPanel or your host's database access. There are hundreds of tutorials out there on how to back up your WordPress website manually. However, you should consider reading the Codex backup procedures, as they are safe and well written: http://codex.wordpress.org/WordPress_Backups. There are several plugins as well. We will cover them briefly, as the ones we mention here work fine and have good reviews from others:

a. BackUpWordPress https://wordpress.org/plugins/backupwordpress/
b. BackUpBuddy (a paid version of this plugin is also available)
c. VaultPress
d. Dropbox Backup and Restore
e. Amazon S3 Backup and Restore
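As an added example (not from the original post), here is a small POSIX shell script that performs the manual backup described above: it reads the database credentials from wp-config.php, dumps the database with mysqldump, and archives wp-content together with wp-config.php. It assumes tar, gzip and mysqldump are available on the host and that the constants in wp-config.php are written as plain define('KEY', 'value') lines; the function names are our own.

```shell
#!/bin/sh
# Added example (not from the original post): back up a WordPress site by
# dumping its database and archiving its files, using the credentials that
# wp-config.php already holds. Assumes tar, gzip and mysqldump on the host.

# Print the value of define('KEY', 'value') from wp-config.php (empty if absent).
# Values that themselves contain quote characters are not handled.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$1['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"][[:space:]]*).*/\1/p" "$2" | head -n 1
}

# Backup base name: site directory name plus a UTC timestamp.
backup_name() {
    printf '%s-%s' "$(basename "$1")" "$(date -u +%Y%m%d-%H%M%S)"
}

# Write <name>-db.sql.gz and <name>-files.tar.gz into $2 for the site at $1.
wp_backup() {
    site="$1"; dest="$2"; cfg="$site/wp-config.php"
    [ -f "$cfg" ] || { echo "no wp-config.php in $site" >&2; return 1; }
    mkdir -p "$dest"
    name=$(backup_name "$site")
    db=$(wp_config_value DB_NAME "$cfg")
    user=$(wp_config_value DB_USER "$cfg")
    host=$(wp_config_value DB_HOST "$cfg")
    # A DB_HOST written as host:port is not split here (assumption: plain host).
    # The password goes through the environment so it never shows in `ps` output.
    MYSQL_PWD=$(wp_config_value DB_PASSWORD "$cfg") \
        mysqldump --single-transaction -h "$host" -u "$user" "$db" \
        > "$dest/$name-db.sql" || return 1
    gzip -f "$dest/$name-db.sql"
    # wp-content holds themes, plugins and uploads; wp-config.php holds the salts.
    tar -czf "$dest/$name-files.tar.gz" -C "$site" wp-content wp-config.php || return 1
    # The archives contain credentials and user data: owner-readable only.
    chmod 600 "$dest/$name-db.sql.gz" "$dest/$name-files.tar.gz"
    echo "$dest/$name"
}
```

Run it as `wp_backup /path/to/wordpress /path/to/backups` from a cron job or by hand, and copy the resulting archives off the server.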

3. Update your WordPress version: Most of the time it is the use of an older version of WordPress that puts your site at risk of getting hacked. WordPress fixes many security flaws found in its previous versions, including those reported by fellow contributors, and releases these fixes from time to time. Hence using the latest version of WordPress should reduce the risk of being hacked or attacked by malware.

4. Update WordPress plugins and themes: In the same way, theme and plugin authors release updates. Most of the time these are feature updates, but from time to time these authors also fix security flaws, so it is good practice to keep your plugins and themes updated as well.

5. Change the default username and password: Keeping the default username "admin" and a password that is a simple series of numbers is fine as long as you are on a local server or a test site. For business websites it is important that you change the default username and password. With the latest WordPress versions you can choose a secure username and WordPress generates a secure password for you; on older versions you can change your password from your profile. To change the username, use phpMyAdmin if you are comfortable changing it there, or else use one of the plugins below:
a. Admin renamer extended
b. Username Changer

6. Two-step authentication against brute-force attacks: Two-step authentication is essential if your site receives a lot of brute-force attacks, has high traffic, or holds sensitive information. It secures your WordPress login area and makes brute-force attacks much harder. Plugins that can be used for two-step authentication are:
a. Clef
b. Duo
c. Authy
d. Google Authenticator
e. Rublon

These simple steps should give a user peace of mind, at least in terms of having timely backups and giving the website a bare minimum of security.

The next steps we are going to discuss are more complex and secure your WordPress website even further.

Complex Steps:

1. Steps listed in Hardening WordPress on the Codex: http://codex.wordpress.org/Hardening_WordPress
Most of these steps are for developers, or for people who have used WordPress for quite a while, understand how wp-config.php works, have used a file manager or FTP, and can make changes to .htaccess, wp-config.php and the like.

These steps are certainly a starting point for securing your website. Beyond that, some of the security plugins we discuss next put a safety net over your WordPress website, so you should check the following ones as well:

2. Plugins that help with malware detection and with detecting changed files:

a. Sucuri Site Scan: Sucuri Site Scan has quite a few tabs. The first tab holds general settings about when to be notified of events such as logins, brute-force attacks, registration of new users, failed login attempts, plugin installation, etc. If your website has many users, and many administrators or editors who might install plugins, these features are useful and essential. The second tab is the malware scan, which tells you about any malware or malicious code present in any plugin or theme directory. It also checks for error files and for modified files, if any. Reduce the scan frequency if your site traffic is low and you are on shared hosting, since the scan also takes up a lot of hosting RAM. The third part is security hardening: removing the WordPress version (lower versions are more prone to hacks; attackers check the version and know which vulnerabilities exist in each one), securing and hardening the uploads directory where media is stored, restricting wp-content access, hardening readme.html, removing and replacing the default admin account, and changing the default database prefix. Sucuri firewall protection we haven't tested, but it shows up as the CloudProxy firewall, which it claims should help you secure your site against DDoS, brute-force attacks and SQL injection. If you have used this feature, do let us know, as we have no evidence of this firewall really helping.
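The hardening items just listed (and the ones in the Codex hardening guide referenced earlier) can also be checked without a plugin. As an added example, not from the original post, from Sucuri or from the Codex, the following POSIX shell function audits a WordPress install directory for the readme.html file, the default wp_ table prefix, a missing DISALLOW_FILE_EDIT setting in wp-config.php, and PHP files or a missing .htaccess in the uploads directory; the function name and the FINDING output format are our own.

```shell
#!/bin/sh
# Added example (not from the original post): an offline check for the
# hardening items above, run against a WordPress install directory. Prints one
# FINDING line per issue and returns the number of findings (0 = clean).
# Assumes a POSIX shell and a stock WordPress layout under the given directory.
wp_audit() {
    site="$1"; cfg="$site/wp-config.php"; up="$site/wp-content/uploads"
    findings=0

    # readme.html in the web root states the installed WordPress version.
    if [ -f "$site/readme.html" ]; then
        echo "FINDING: readme.html is present and discloses the WordPress version"
        findings=$((findings + 1))
    fi

    # The default wp_ prefix lets automated attacks assume the table names.
    if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg" 2>/dev/null; then
        echo "FINDING: database table prefix is the default wp_"
        findings=$((findings + 1))
    fi

    # Without DISALLOW_FILE_EDIT the dashboard editor can write PHP into themes
    # and plugins, so a stolen admin login turns into code execution.
    if ! grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" "$cfg" 2>/dev/null; then
        echo "FINDING: DISALLOW_FILE_EDIT is not set to true in wp-config.php"
        findings=$((findings + 1))
    fi

    # Uploads must never execute PHP: expect an .htaccess there that mentions php
    # (a presence check only; it does not parse the rule).
    if [ -d "$up" ] && ! grep -qi "php" "$up/.htaccess" 2>/dev/null; then
        echo "FINDING: wp-content/uploads has no .htaccess blocking PHP execution"
        findings=$((findings + 1))
    fi

    # PHP files inside uploads are never legitimate and are worth investigating.
    n=$(find "$up" -type f -name '*.php' 2>/dev/null | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "FINDING: $n PHP file(s) inside wp-content/uploads"
        findings=$((findings + 1))
    fi

    return "$findings"
}
```

Run `wp_audit /path/to/wordpress` after each change and again after plugin or theme updates, since updates can put readme.html back.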

b. AntiVirus: Another plugin we have found useful is AntiVirus. It scans WordPress theme files and the database for security issues and exploits. The only con of this security plugin is that it uses wp-cron: if you set up a daily scan, your shared hosting isn't that powerful, and your website is large in terms of pages, posts and database, then this plugin might eat up a lot of resources as it scans through the files and database tables.

c. Anti-Malware and Brute-Force Security by ELI: Anti-Malware and Brute-Force Security, as the name suggests, does a great job in this regard. If you sign up for the plugin at gotmls.net you get all the updates for known threats. It also scans .htaccess for any injected scripts, checks for TimThumb exploits and warns you, checks for any backdoor scripts and advises you not to use them, and checks your login for vulnerabilities. In this way the plugin does the job of an anti-malware tool. It checks all the original WordPress files as well. You may use it to check for any problems in your existing website and fix them.

d. Theme Authenticity Checker: In most cases we have plugins scanned and the general WordPress dashboard secured (login, WordPress files, etc.), but WordPress themes and their security are also important, because a theme can contain unnecessary scripts or obfuscated malicious code that can easily be exploited. This plugin is a nice tool for getting your theme scanned and checked. Once you know which files are unwanted or which code is problematic, you can refer it to the original theme author for removal or for a change to safer code; or, if there are too many vulnerabilities, switch to a safer theme. For theme checks it does better than AntiVirus in most cases.

3. Security plugins that secure it further:

a. All in One WP Security and Firewall: This one takes care of the following, which covers most of the security measures you can take on your website:
i. User Login Security
ii. User Account Security
iii. User Registration Security
iv. System File Security
v. Firewall Setup
vi. Blacklist Feature
vii. Database Security
viii. Backups
ix. Firewall and Brute Force

b. Wordfence Security

c. Better WP Security (now iThemes Security)

d. BulletProof Security

4. Others kept out of this list but possibly useful:

a. Acunetix WP Security: Recently a lot of negative reviews have cropped up for this plugin on WordPress.org, so we can't recommend it.

b. 6Scan Security: Many clients have complained about their site going blank after installing this plugin, so we can't recommend it.

c. Exploit Scanner

d. Quttera Web Malware Scanner