Imagine with me for a moment that you’re a hacker looking for ways to hijack reputable websites and use them to funnel unsuspecting traffic to a nefarious phishing scam.
How would you target websites for maximum impact? One option would be to locate and target a single vulnerability that affects hundreds or thousands of sites. If such a thing could be found and exploited you could create digital carnage in very short order.
Are you starting to see why hardening WordPress is so important?
As the most popular content management system on the web, WordPress is a prime target for hackers everywhere. But there’s something you can do about it.
Why Do Bad Hacks Happen to Good Websites?
Thankfully, the WordPress core software is quite secure. Hacks are rarely able to get under your website’s skin by going straight after the core. When exploits in the core are identified they’re promptly patched.
Rather than go after the core – which they know is a tough nut to crack – hackers generally target things like lazily chosen passwords, poorly-coded plugins, lax file permissions, and sites that haven’t been updated in far too long and are therefore vulnerable to patched exploits.
Since hackers tend to go after the low-hanging fruit, it really isn’t that complicated to harden WordPress and keep it secure. As a matter of fact, you can keep your site at the far upper end of the security bell curve by taking eight simple steps.
Let me walk you through them.
Step 1: Update Everything
Every once in a while, a WordPress update will be released and accompanied by an ominous disclaimer: “This is a critical security release.” While such a disclaimer makes things crystal clear, it’s important to install every WordPress update as quickly as possible – even those that don’t tout their own importance.
This doesn’t just apply to the core either. Installing plugin and theme updates promptly is just as important as installing core updates as quickly as possible.
Many updates to themes, plugins, and the WordPress core are released to address significant security vulnerabilities. So the number one thing you must do to keep WordPress secure is to keep everything updated.
Step 2: Use a Unique Username and Secure Password
What’s worse than using “admin” as your admin username? How about pairing it with a boneheaded password like “password.”
The WordPress login page is a common target for automated, brute-force, login-attempting bots. They’ll just hang out at /wp-login.php trying combination after combination of common usernames and passwords hoping you’ve been lazy enough to leave the front door unlocked.
The solution is to use a unique username and password. While I personally tend to go for nonsense usernames like “s3r7as,” any unique username will be a vast improvement over “admin.” Your password, on the other hand, really should be random nonsense.
Considering that WordPress has a built-in random secure password generator, there’s really no excuse for using an easy-to-guess password. So if your password isn’t secure go to Users > Your Profile now and close this security loophole.
Step 3: Disable Trackbacks and Pingbacks
If you don’t use trackbacks and pingbacks on your WordPress site, disable them. You can do this with a plugin, as we’ll see in a moment, or you can go to Settings > Discussion and uncheck the boxes next to Attempt to notify any blogs linked to from the article and Allow link notifications from other blogs (pingbacks and trackbacks) on new articles.
Changing these settings will still allow trackbacks and pingbacks to be turned on for individual posts and pages. So a better option is to use a plugin that will completely lock down pingbacks and trackbacks once and for all. I’ll show you how in just a moment.
There are at least two good reasons why you should consider disabling trackbacks and pingbacks: they can lead to comment spam and they can be used in a coordinated DDoS and brute force attack. If you do use them, then at least take the time to do what you can to protect your site against trackback spam and brute force attacks. However, most of us are better off just disabling them entirely.
Step 4: Hide PHP Errors
PHP has built-in debugging capabilities and you can display the error messages generated by PHP on the front-end of your site by adding
define( 'WP_DEBUG', true); to your site’s wp-config.php file. It’s a really useful tool for theme and plugin developers. However, you should never display PHP errors on a public facing site.
In some cases, displaying PHP errors can provide information that a sophisticated hacker can use to compromise your site. The simple solution is to set
WP_DEBUG to false. You can either add that bit code to your site’s wp-config.php file manually or use a plugin to do the job.
Step 5: Use a Unique Database Table Prefix
If a hacker identifies a security vulnerability that allows them to write information to your site database, the last piece of information they need to carry out the exploit is your database prefix. By default, WordPress uses wp_ to prefix all database tables. So an easy way to lock up your WordPress database a little more tightly is to change the prefix to something hackers are less likely to guess.
While you can change your database prefix manually, it is a bit complex, and if you get it wrong you’ll have a mess to clean up. Instead of doing that, just change your database prefix with a plugin in a matter of seconds.
Step 6: Prevent PHP Execution
Some themes and plugins include features that allow users to upload files to your web server. These files are then used in a variety of ways, such as to display a user profile photo. However, this feature can be exploited to upload PHP files bearing a site-hijacking or defacing payload. Then, when WordPress accesses those files, the code is executed and your site is damaged or compromised.
So, what is the solution? Should you stop letting users upload photos or files? Of course not. Just prevent the execution of PHP code in every directory that doesn’t require that permission.
You can prevent PHP execution on a directory-by-directory basis. If your site is hosted on an Apache server, as is the case for most WordPress websites, then you can add an .htaccess file to each directory with the instructions
<Files *.php>deny from all</Files> to lock down PHP execution in that particular directory.
On the other hand, if you aren’t sure which directories to lock down or just don’t want to have to lock down each directory manually, you can lock them all down in one fell swoop with a plugin.
Step 7: Prevent Information Disclosure
Have you ever stumbled onto a webpage that looked like a list of directories? What you’re seeing is something called a directory listing and browsing those files is referred to as directory browsing. Directory browsing is problematic because it allows someone to gather a great deal of information about your website, including some really sensitive information, such as your sites wp-config.php file.
WordPress is designed to prevent this sort of thing right out of the box. However, you’ll rest easier if you do all you can to avoid this sort of disclosure. What you need to do to prevent this sort of thing is to disable directory browsing and then specifically deny access to critical files such as .htaccess, wp-config.php, and sensitive files in your site’s wp-content directory.
Once again, this is something you can do manually. However, it’s a pretty complex task to tackle, and there’s no reason to do it manually since you can do it quite easily with a plugin.
Step 8: Regularly Scan Your Site for New Vulnerabilities
By the time you complete steps 1 through 7 you will have hardened WordPress quite effectively. However, the key is to maintain website security over time, and the only way to do that is to scan your site periodically looking for new security vulnerabilities.
Your security scan procedure needs to watch for every one of the factors covered in steps 1 through 7: insecure credentials, website components that need to be updated, and common WordPress security vulnerabilities. While you certainly can keep an eye on your site manually, the ideal arrangement is to set up automated scans that will alert you when anything is amiss.
If you’re anything like me and would rather set this step on autopilot, there’s a plugin for that.
Harden WordPress and Keep Your Site Secure with Defender
You can implement every one of these hardening steps manually. Or you can knock every single one out in a matter of seconds with Defender. It’s almost embarrassingly easy to do:
- Install and activate the WPMU DEV Dashboard and log into your WPMU DEV account within the plugin.
- Go to WPMU DEV > Plugins and then locate, install, and activate Defender.
- Go to Defender > Hardener and walk through the suggested hardening steps. As you do, you’ll hit every one of the steps recommended in this article.
In a matter of minutes you’ll harden WordPress and boost your website security into the far upper reaches of the security bell curve. Next, the trick is to stay there.
Put Your WordPress Security Scanning on Autopilot
The key to maintaining WordPress security over time is to get a security checkup on a regular basis. Thankfully, Defender makes this easy.
Go to Defender > Automated Scans and select daily, weekly, or monthly scans. Busy sites should opt for daily or weekly scans. Low-traffic and low-profile sites can opt for weekly or monthly scans.
While you’re setting up automated security scans, go to Defender > Settings to make sure that Defender will be sending emails to the right email address and according to your preferences. Then sit back and watch while Defender does his thing. When he finds a vulnerability that needs to be addressed, he’ll let you know so you can go fix things up.
Defender’s Got Your Back
While we’re already covered the basics of hardening WordPress and maintaining security over time, Defender offers four additional features you’ll want to know about.
First, you can use Defender to periodically reset all security keys. Doing so will log everyone out of your site and force them to log back in. This means that any saved credentials will no longer be valid. It may seem like a hassle, but it reduces the risk that an unauthorized user will stumble upon your site using a logged-in browser and wreak havoc.
Second, Defender will gladly keep a comprehensive log of user activity on your site.
To get things rolling, go to Defender > Dashboard and select the option to enable audit logging. Then, go to Defender > Audit Logging to see a record of actions such as failed login attempts. You can use this information to figure out how hackers and bots are targeting your site and take steps to neutralize their efforts.
Third, make sure your site stays off of Google’s blacklist — and find out right away if your site ever gets flagged — by enabling blacklist monitoring. Just go to Defender > Dashboard and click Activate Blacklist Monitoring.
Fourth, once you install the WPMU DEV Dashboard and Defender, your site will be automatically added to the hub. If you manage multiple sites, logging into the hub will provide a snapshot off issues you need to address. Set up Defender, and the relevant icon will be colored red when a security issue needs to be addressed.
Use Defender, or Use the Other Guys, Just Keep Your Site Secure
Here’s the deal, whether you use our products or someone else’s, we want you to secure your website. The web is a better place for all of us when hackers and scam artists are kept at bay. So, if you aren’t sold on using Defender to secure your site, you should still set up and configure a high-quality security plugin such as WordFence, Sucuri Security, iThemes Security, or JetPack Premium.
While WordFence and Sucuri are quality products, they just don’t compare well to the suite of products and services you get when you sign up for WPMU DEV. However, Jetpack Premium and iThemes both offer a wide range of products and services that overlap to a certain degree with what we do here. Just in case you’re weighing the decision to pick WPMU DEV, Jetpack, or iThemes for your website, here’s a handy comparison of the security features offered by each of these options.
As you can see, iThemes Security gives Defender a run for its money, and it would be understandable to go with either Jetpack or iThemes if you plan to use their entire suite of offerings. However, if you’re open to suggestions, let me make two:
- Our development roadmap for Defender is ambitious, to say the least. While iThemes Security may have the edge in terms of the raw number of features it has right now, we plan to close that gap rapidly.
- Make sure that your selected security provider can provide everything you need to address all five of the core factors every web developer must address: performance, monitoring, security, backups, and SEO. Life is easier when all of your core website need can all be met by one integrated solution.
We’re proud of the product that Defender is today and excited about the plans we have to make it even better. However, WPMU DEV is a lot more than just Defender. We also offer award-winning 24/7 support, an innovative drag-and-drop theme builder in Upfront, some of the finest performance plugins available today in Smush and Hummingbird, dozens of additional best-in-class plugins, a learning resource that can turn you into a WordPress developer in the Academy, and a lot more.
If your WordPress websites don’t mean very much to you, and you don’t mind the hassle of dealing with the fallout of a hacked site, then by all means, do absolutely nothing.
However, if you do value the effort you’ve put into building your WordPress website(s), then failing to harden WordPress and keep it secure over the long run is an unacceptable oversight.
Hardening WordPress with Defender is quite literally a two-to-three minute process that will leave your site more secure that it has ever been before. And thanks to automated security scans, once you secure it your site, keeping it secure will be a walk in the park.