WordPress Security(Part 01)

Sajid Javed
5 min read · Mar 10, 2022

WordPress started as a blogging tool, but it has evolved into a powerful website builder and robust content management system.

WordPress is free, open-source, and self-hosted, which is why it is considered the best tool for making websites, blogs, and web applications, and why it currently powers more than 43% of the top 10 million websites on the Internet. WordPress' usability, extensibility, and mature development community make it a popular and secure choice for websites of all sizes.

But that market share also makes WordPress the favourite target of hackers: if an attacker finds a loophole in any plugin or theme, every website using that same plugin or theme can be hacked.

Most of the time it is plugins, themes, or misconfiguration that make a website vulnerable; the WordPress core itself is very secure. Since its inception in 2003, WordPress has continuously released new versions to keep the core safe from common security threats.

WordPress has a strong security team of approximately 50 experts, including lead developers and security researchers, who ensure the security of the WordPress core.

That was the overview of WordPress; now let's narrow it down to the main purpose of this article, which is how to make WordPress secure and resistant to attack.

File Permissions: File permissions define who can read, write, and execute the files that make up your WordPress site. If these permissions are set incorrectly, unauthorized users and hackers could edit the files, insert spam content, and inject malware.

These are the file permissions recommended by the WordPress community.

  1. All directories should have permission 755
  2. All files should have permission 644
  3. wp-config.php should have permission 440

wp-config.php is the configuration file, located at the root of your website. Inside this file you can find all your configuration, such as the database credentials. The security of this file is vital for your project.

You can read this post to know more about WordPress file permissions.
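The following script, added here as an example and not taken from the post, applies the three recommended modes to a WordPress tree and audits the tree for deviations; the directory layout it builds is constructed for the demonstration, and it assumes a POSIX shell with `find` and `chmod`.

```shell
#!/bin/sh
# Apply the recommended modes: 755 for directories, 644 for files,
# 440 for wp-config.php. Note that 440 only works if the PHP process
# runs as the file's owner or group; otherwise WordPress cannot read it.
apply_wp_perms() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 440 "$root/wp-config.php"
  fi
}

# Print every path whose mode deviates from the recommendation.
# Output is empty when the tree is compliant, so the function doubles
# as a check you can run from cron or a deployment pipeline.
audit_wp_perms() {
  root="$1"
  find "$root" -type d ! -perm 755
  find "$root" -type f ! -name wp-config.php ! -perm 644
  find "$root" -maxdepth 1 -name wp-config.php ! -perm 440
}

# Constructed sample tree with the sloppy modes a fresh upload often
# leaves behind (world-writable plugin directory and file, readable config).
make_sample_site() {
  site="$1"
  mkdir -p "$site/wp-admin" "$site/wp-content/plugins/demo"
  : > "$site/wp-config.php"
  : > "$site/wp-admin/index.php"
  : > "$site/wp-content/plugins/demo/demo.php"
  chmod 777 "$site/wp-content/plugins/demo"
  chmod 666 "$site/wp-content/plugins/demo/demo.php"
  chmod 644 "$site/wp-config.php"
}

# Usage on a real site (paths are placeholders):
#   audit_wp_perms /var/www/html   # list offenders
#   apply_wp_perms /var/www/html   # fix them
```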

Protect WP-Admin Directory: This is the directory where the WordPress admin panel is stored. The admin panel is the main place for managing and controlling the whole website: it's where you create and manage content, add functionality in the form of plugins, change styling in the form of themes, and much more.

If all of this is possible from the admin panel, then the panel needs to be kept very secure.

One layer of security is to protect the directory from unauthorized users and make it unavailable to the public.

You can read this post to learn how to protect this specific directory with a password.

Whitelist IP addresses: This is another layer of security for your WordPress site. You should whitelist only those IP addresses from which you log in to your WordPress admin panel.

The IP address(es) you whitelist will be the only ones authorized to log in to your WordPress admin panel.

Usually .htaccess, which is an Apache server configuration file, is used for whitelisting and blacklisting IP addresses.

You can read this post to know more about IP Whitelisting and Blacklisting.
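The password protection and the IP whitelist from the two sections above can live in one wp-admin/.htaccess. The generator below is an added example, not the post's own code; it assumes Apache 2.4 authorization syntax, a password file already created with `htpasswd -c` outside the web root, and the IP addresses and paths in the usage comment are placeholders.

```shell
#!/bin/sh
# make_wp_admin_htaccess <absolute-path-to-.htpasswd> <ip-or-cidr>...
# Emits a wp-admin/.htaccess that requires BOTH a valid Basic-auth user
# AND a source address from the whitelist (RequireAll), while keeping
# admin-ajax.php reachable, because logged-out visitors' front-end
# features call it and would otherwise get a password prompt.
make_wp_admin_htaccess() {
  passwd_file="$1"; shift
  if [ "$#" -eq 0 ]; then
    echo "at least one IP address or CIDR range is required" >&2
    return 1
  fi
  printf '%s\n' \
    '# Generated by make_wp_admin_htaccess (example, not WordPress core)' \
    'AuthType Basic' \
    'AuthName "WordPress administration"' \
    "AuthUserFile \"$passwd_file\"" \
    '<RequireAll>' \
    '    Require valid-user'
  # All addresses go on ONE "Require ip" line: separate lines inside
  # RequireAll would demand that the client match every address at once.
  printf '    Require ip %s\n' "$*"
  printf '%s\n' \
    '</RequireAll>' \
    '' \
    '# Public endpoint used by themes/plugins for logged-out visitors' \
    '<Files admin-ajax.php>' \
    '    Require all granted' \
    '</Files>'
}

# Usage (placeholder values):
#   htpasswd -c /etc/apache2/wp-admin.htpasswd admin
#   make_wp_admin_htaccess /etc/apache2/wp-admin.htpasswd \
#       203.0.113.5 198.51.100.0/24 > /var/www/html/wp-admin/.htaccess
```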

Google reCAPTCHA: WordPress login, registration, and other forms are often a prime target for hackers, spammers, and brute-force attacks.

The attacker's motivation is often to gain unauthorized access to your WordPress admin area to distribute malware, or in other cases to crash the entire network of websites hosted with a specific web hosting company in order to collect a ransom.

One way to avoid these attacks is to use Google reCAPTCHA, which effectively blocks spambots and protects your site from being hacked.

Personally, I use reCaptcha by BestWebSoft which works for me as expected.

Change Database Table Prefix: The database is where WordPress stores every single piece of information. Your posts, pages, comments, settings, and everything else are stored in the database.

For this reason, the database is a favorite target for spammers and hackers.

You should change the default prefix, wp_, to something else, so that no one with bad intentions can easily guess the names of your tables.

WordPress asks for a prefix during installation; if you didn't change it then, read this post to change it.

Hide Login URL: Sometimes a hacker tries random passwords to find your valid password and access the WordPress admin panel. This attack is called brute force, and it is mostly performed with automated tools.

It is better to change the default login URL so that nobody can access it.

This can be done manually as well as through a plugin, but I recommend the manual way, because if you install a plugin for everything, your website will become very slow.

The commonly used plugin for changing the default login URL is WP Hide Login.

Here is a post if you want to know how to do it in practice.

Limit Login Attempts: You should block a user for some time if they continuously enter an incorrect username or password.

This is another way of protecting your website from brute force attacks.

You can easily limit login attempts by using a plugin called Limit Login Attempts Reloaded. The usage of this plugin is explained in this post.

Limit Login Access Based on Geolocation: If the business for which you designed the website is limited to a specific geographical area, then I recommend blocking access to your website from all other countries where the business does not operate.

If you don't want to block access to the whole website, then block only the login page.

There are many ways to impose this restriction; again, the easy way is to use a plugin, which I don't recommend if you're a developer.

Non-technical people usually use a plugin named rc-geo-access for this kind of security.

There are also many other ways, but here I will talk about cPanel and Cloudflare.

cPanel has an option named ModSecurity. You can use it to limit access to your website. For more details, read this thread.

If you're using Cloudflare, then you can achieve this through the Cloudflare firewall as well. Here is a detailed article from Cloudflare.

The last two options, cPanel and Cloudflare, are the best way, because with them the user's request never reaches the website: the server blocks it as soon as it is received.

Don't use Nulled Themes and Plugins: Nulled themes and plugins are pirated copies of premium WordPress products.

Hackers and spammers distribute them with bad intentions: the person who distributes these pirated copies can easily access your website.

Not only this, there are many other disadvantages, about which you can read here.

The recommended way is always to buy themes and plugins from the original author.

2nd part of this course

Written with 🧡 by Sajid Javed in 🇦🇪

Sajid Javed

Certified software engineer with 8+ years of diversified experience across diverse industries.