WP Hardening – Best Practices for securing a WordPress website
WordPress is the most popular content management system with a market share of 30% of all the websites followed by Joomla at 3% (Source: W3Tech Surveys). The reason for such a widespread use of WordPress is because of its easy customization and simple admin user interface. But when it comes to security WordPress has mediocre quality as it has been an easy target for the hackers over the years. The security concern can still be taken care of by addition of few reinforcements. So in this article we will focus on best practices/approaches for securing a WordPress site.
While the WordPress core is very secure and is audited regularly there is a lot required to harden a WordPress site. At Lemon, we have always given equal importance to both risk elimination and risk reduction.
There are many good practices for securing your WP site but we have listed below the best and most basic approaches to begin with.
WordPress is an open source CMS which is regularly maintained and updated. It is important to frequently update the WordPress core, plugins and themes to the latest releases which generally consist of security patches. You can get step by step guide for updating WordPress here.
Keep in mind to download plugins and themes only from trusted and secure sources. It is a good practice to remove unwanted or unused plugins from your site as it considerably reduces chances of an attack.
File Permissions and Editing
WordPress has an inbuilt editor to edit theme and plugin files from your WordPress admin area. This could prove hazardous if fallen in wrong hands, so turning this feature off is highly recommended. This could be easily achieved by adding or editing below line of code in wp-config.php file.
// Disallow file edit
define( ‘DISALLOW_FILE_EDIT’, true );
A good approach is to configure directories with 755 or 750 instead of 777 and 640 for wp-config.php. Remove those files from your WordPress folder which reveals critical information about your site such as credentials for database, WordPress versions etc.
A stich in time saves nine, frequently backing up your WordPress site files and database would be a good analogy for this saying. Backups allow you to quickly restore your site incase if any unwanted situation arises. Always make sure to take full site (Files + Database) backups and store it to a remote location too (which is not your hosting account).
There are many free and paid backup plugins which can be installed. Depending on how frequently you update your website backups should be taken daily or at least once a week.
Once you are done setting up your backups, the next and most important practice is to install a security plugin which can audit and monitor your site thereby tracking every minute activity happening on your website. Wordfence, iThemes Security and Sucuri Security are the most popular and widely installed security plugins to name a few. These plugins helps in achieving the below:
- Malware Scanning
- Enforcing usage of strong password
- Securing admin credentials – never use ‘admin’ as your WordPress admin username
- Google recaptcha to protect from spammer
- Prevent brute force attacks
- Limits Login attempts
Keep in mind that the free versions of above mentioned plugins will come with only a few functionalities, so buying the paid version will be more effective and is highly recommended.
An attacker can easily request your wp-admin folder and login page to try few hacking tricks or implement a DDoS attack. You can prevent this by adding another layer of security which can block those request. To achieve this you can install a plugin called WP BASIC Auth.
Prevent XSS Attacks
Cross Site Scripting (XXS) is one the most common way intruders try to run malicious script on your website. Even though there aren’t many WordPress security articles over the net which highlight this issue but we will show you how to prevent XSS attacks as this is a major requirement in passing security audits of almost every renowned IT audit firms.
To prevent XSS attacks we can use a simple but effective Prevent XSS Vulnerability plugin which helps us in encoding and removing special characters in parameters of your URLs. However this alone will not help you will also need to make sure that all your forms input are sanitized before it is stored in your database.
That’s all. We hope that this article benefits you to the fullest in securing your website. Remember to stick to these best practices for maximum security of your website if you are planning to build a website or even if you own one.
In case you need any additional assistance or have queries regarding your website security please call us on +971 6 562 9519.