WordPress is one of the most popular content management systems in the world. It runs 18.9% of the entire Internet websites and has been installed more than 76.5 million times. Unfortunately, popularity has its cons as well. According to a hack report by Securi, a company which specializes in website security, WordPress is the most hacked CMS in the world. But there is no need to panic! It’s fairly easy to improve WordPress security if you follow best practice guidelines and implement a few tricks provided in this WordPress tutorial.
Table of Contents
- What you’ll need
- Step 1 – Keeping Your WordPress Updated
- Step 2 – Using Less Common Login Credentials
- Step 3 – Enabling 2 Step Authentication
- Step 4 – Disabling PHP Error Reporting
- Step 5 – Not using nulled WordPress Themes
- Step 6 – Scanning WordPress for malware
- Step 7 – Migrating WordPress Website to a More Secure Hosting
- Step 8 – Backing up as frequently as possible
- Step 9 – Turning off File Editing
- Step 10 – Removing Unused Themes and Plugins
- Step 11 – Using .htaccess for Better Security
- Step 12 – Changing default WordPress database prefix to prevent SQL injections
What you’ll need
Before you begin this guide you’ll need the following:
- Access to WordPress Administrator area
- Access to your hosting account (optional)
Step 1 – Keeping Your WordPress Updated
It’s the first and the most important tip. If you want to have a clean and malware free website, it’s a must to keep WordPress up-to-date. Although it may look like elementary advice, only 22% of all WordPress installations run the latest version.
WordPress implemented automatic update feature in 3.7 version, however, it works for minor, small security updates only. Thus, major core updates should be done manually.
In case you don’t know how to update WordPress, see this tutorial.
Step 2 – Using Less Common Login Credentials
Are you using admin as WordPress administrator username? If your answer is yes, you are making hacker’s attempts to break into your dashboard much easier. It’s strongly recommended to change admin username to something else (see this guide if you’re not sure how to do this) or create a new Administrator account with a different username and delete the old one. Follow these steps if you prefer the second way:
- Access WordPress Dashboard
- Navigate to Users section and press on Add New.
- Create a new user and assign Administrator role for him.
- Re-login to WordPress with your new username.
- Head back to Users section and remove Admin user.
Good password plays a huge role when it comes to WordPress security. It’s much harder to brute force a password which consists of numbers, uppercase and lowercase letters and special characters. Tools like LastPass and 1Password can help create and manage complex passwords.
Step 3 – Enabling 2 Step Authentication
Two-step verification adds additional layer of security to your login page. As the name suggests, it adds another step you have to complete in order to login. Most likely you are already using it to access email, online bank or any other account which contains sensitive information. Why not use it on WordPress?
Although it may sound complicated, it’s super easy to enable 2 step verification on WordPress blog. All you need is to install 2 factor authentication app and configure your WordPress. You can find detailed guide how to enable two factor authentication on WordPress here.
Step 4 – Disabling PHP Error Reporting
PHP error reporting might be helpful if you’re developing your website and want to make sure everything is working properly. However, showing errors for everybody else is a serious security flaw.
You should fix this as soon as possible. Don’t be afraid, you don’t have to be a coder to disable PHP error reporting for WordPress. Many hosting providers have an option to disable error reporting inside control panel. If there is none, simply add the following lines to your wp-config.php file. You can use FTP client or File Manager to edit wp-config.php file.
That is it. Error reporting is now turned off.
Step 5 – Not using nulled WordPress Themes
Remember – “The only free cheese is in the mousetrap”. We can say the same about nulled WordPress themes and plugins.
There are thousands of nulled plugins and themes floating around the Internet. Users can download them from various Warez or torrent sites for free. What they don’t know is that most of them are infected with malware or black hat SEO links.
Stop using nulled plugins and themes. It is not only unethical but extremely harmful to your WordPress security. You will end up paying more for developer to clean up your website.
Step 6 – Scanning WordPress for malware
Hackers often use loopholes in themes or plugins in order to infect WordPress with malware. Therefore, it is crucial to scan your blog frequently. There are many well-coded plugins for this purpose. WordFence stands out from the crowd. It offers manual and automatic scan options together with numerous different settings. You can even restore modified / infected files with just a few mouse clicks. It’s free and open source. These facts should be enough for you to install this plugin right now.
Other popular WordPress security plugins:
- BulletProof Security – unlike the WordFence, which we have described earlier, BulletProof will not scan your files, but it will provide you with firewall, database security and more. One of the best things about it is that it will be configured and installed in just a few clicks.
- Sucuri Security – this plugin will protect you from DOS attacks, it will keep a blacklist, scan your website for malware and it will manage your firewall. If it detects something, it will notify you via email. Google, Norton, McAfee – all of these blacklist engines are included in this plugin.
Feel free to try them all. You can find a comprehensive guide how to install WordPress plugins here.
Step 7 – Migrating WordPress Website to a More Secure Hosting
It may sound like a strange advice, but statistics show that more than 40% of WordPress websites were hacked due to security loopholes in hosting accounts. This number alone should force you to reconsider your current hosting choice and migrate WordPress to a more secure hosting. Some key facts to take in mind when looking for a new hosting:
- If it is shared hosting, make sure your account is isolated from other users and there is zero risk that one website will infect all others on the server.
- It has automatic backups feature.
- It must have server side firewall and virus scan tool.
Step 8 – Backing up as frequently as possible
Even the biggest websites get hacked every day despite the fact that their owners spend thousands to harden WordPress security.
If you are following the best practices and fulfill other tips from this article, it’s still crucial to backup your WordPress website regularly.
There are quite a few ways to create backup. For example, you can manually download WordPress files and export database or use your hosting provider’s backup tool. Yet another way is to use WordPress plugins. The most popular WordPress backup plugins:
You can even automate the backup process and store WordPress backups in Dropbox.
Step 9 – Turning off File Editing
As you may know, WordPress has inbuilt file editor which allows editing PHP files. While this feature is very useful, it can do a lot of harm as well. If attacker gains access to your administrator dashboard, the first thing he will look for is File Editor. Some WordPress users prefer to completely disable this feature. It can be turned off by editing wp-config.php file and including the following line of code:
define( 'DISALLOW_FILE_EDIT', true );
That’s all you need to do in order to disable file editing in WordPress.
IMPORTANT In case you want to re-enable this feature, use FTP client or your hosting provider’s File Manager and remove this code from wp-config.php file.
Step 10 – Removing Unused Themes and Plugins
Do a cleanup of your WordPress site and remove all unused plugins and themes. Hackers often scan for disabled and outdated themes and plugins (even official WordPress plugins) and use them to gain access to your Dashboard or upload malicious files to your server. By deleting plugins and themes you stopped using (and probably forgot to update) a long time ago you lower the risk and make WordPress site a bit more secure.
Step 11 – Using .htaccess for Better Security
.htaccess file is required for WordPress links to work correctly. Without correct rules in .htaccess file you would get a lot of 404 errors.
Not many users know that .htaccess can be used to improve WordPress security. For example, with .htaccess you can block access or disable PHP execution on specific folders. Bellow examples show how you can use .htaccess to harden WordPress security.
Disallowing access to WordPress Administrator area
The code below will allow accessing WordPress administrator area from specific IPs only.
AuthName "WordPress Admin Access Control"
deny from all
allow from xx.xx.xx.xxx
allow from xx.xx.xx.xxx
Note that you need to change
XX.XX.XX.XXX to your IP address. You can use this website to check your current IP. If you use more than one connection to manage your WordPress site, make sure to include all other IPs as well (feel free to add as many allow lines as you need). It is not recommended to use this code if you have a dynamic IP address.
Disabling PHP Execution In Specific Folders
Attackers like to upload backdoor scripts to WordPress upload folder. By default this folder is used to upload media files only. Thus, it should not contain any PHP files. You can easily disable PHP execution by creating new .htaccess file in /wp-content/uploads/ with these rules:
deny from all
Protecting wp-config.php File
wp-config.php file contains core WordPress settings and MySQL database details. Thus it’s the most important WordPress file. That’s why it’s the primary target of every WordPress hacker. However, you can easily protect this file using .htaccess rules:
deny from all
Step 12 – Changing default WordPress database prefix to prevent SQL injections
WordPress database holds and stores all the crucial information required for your site to function. As a result, it becomes a juicy target for hackers and spammers who execute automated code to perform SQL injections. When installing WordPress, most people don’t even bother to change the default database prefix wp_. According to WordFence 1 in 5 WordPress hacking cases occur due to SQL injections. Since **wp** is the default setting, hackers will choose to target this value first. In this step, we will briefly overview how you can secure your WordPress site against such attacks.
Changing table prefix for an existing WordPress site
IMPORTANT! Safety comes first. Make sure to backup your WordPress MySQL database before proceeding.
Part 1 – Changing prefix in wp-config.php
You may add numbers, letters, or underscores. After that, save your changes and proceed to the next step. In this tutorial, we will use
wp_1secure1_ as the new table prefix.
While you are in your wp-config.php file, find your database name as well, so that you would know which database you need to edit. Look for
Part 2 – Updating all database tables
Now, you will need to update all entries in your WordPress database. This can be done by using phpMyAdmin.
Find the database that you located in part 1 and access it.
A default WordPress installation has 12 tables and each one has to be updated. However, it can be done faster by using the SQL section of phpMyadmin.
Changing each table manually would take an excessive amount of time, therefore we will use SQL queries to speed things up. Use the following syntax to update all tables in your database.
RENAME table `wp_commentmeta` TO `wp_1secure1_commentmeta`;
RENAME table `wp_comments` TO `wp_1secure1_comments`;
RENAME table `wp_links` TO `wp_1secure1_links`;
RENAME table `wp_options` TO `wp_1secure1_options`;
RENAME table `wp_postmeta` TO `wp_1secure1_postmeta`;
RENAME table `wp_posts` TO `wp_1secure1_posts`;
RENAME table `wp_terms` TO `wp_1secure1_terms`;
RENAME table `wp_termmeta` TO `wp_1secure1_termmeta`;
RENAME table `wp_term_relationships` TO `wp_1secure1_term_relationships`;
RENAME table `wp_term_taxonomy` TO `wp_1secure1_term_taxonomy`;
RENAME table `wp_usermeta` TO `wp_1secure1_usermeta`;
RENAME table `wp_users` TO `wp_1secure1_users`;
Some WordPress themes or plug-ins can create additional tables in the database. In case you have more than 12 tables in your MySQL database, add the remainder of them manually to the SQL query list and execute it.
Part 3 – Checking options and usermeta tables
Depending on the number of plug-ins you have installed, some values in your database will have to be updated manually. That can be done by running separate SQL queries on options and usermeta tables.
For the options table you should use:
SELECT * FROM `wp_1secure1_options` WHERE `option_name` LIKE '%wp_%'
For the usermeta table you should use:
SELECT * FROM `wp_1secure1_usermeta` WHERE `meta_key` LIKE '%wp_%'
When you get the SQL query results, simply update all values from wp_ to your newly configured prefix and you are done. In usermeta table you will need to edit the meta_key field, while on options, the option_name value will need to be changed.
Securing new WordPress installations
If you are planning on installing new WordPress sites, there will be no need to perform this process again. You will simply be able to change your WordPress table prefix during the installation:
Congratulations! You have successfully increased your WordPress database protection against SQL injections.
Although WordPress is the most hacked CMS in the world, it’s not hard to improve its security. In this tutorial we provided 10 tips you should follow in order to harden WordPress.