You have surely already read articles on how to secure a WordPress website. Very often, though, the authors only touch on the good practices that should frame the building of a WordPress site. Here I propose a sequence of concrete steps to secure your WordPress website.
Be careful: it is not enough to apply one point in isolation; it is the combination of all of them that improves your security. Some points have no effect at all if the others are not also done.
1. Updates, yes, but not just any way
Updates are an essential and indispensable element of good WordPress security. Since WordPress 3.7, minor (security) releases of the core are applied automatically, but plugins and themes are not. There is, however, a big but: by default, automatic updates are driven by WP-Cron, which only runs when somebody requests a page of your site. If nobody visits, nothing is updated.
This is an important nuance, because an attacker can take advantage of the delay between the publication of a security release and the moment your site actually applies it. From experience, an attack can be carried out in under a minute, which is more than enough.
Reminder: automatic updates only concern minor and security releases. For example, if your site uses WordPress 4.7.4, it will be updated automatically to 4.7.5, but not to 4.8 or 5.0. WordPress offers very long support for security updates on older branches, which is a big advantage of the platform.
To overcome this problem, the solution is to add a cron job on your server that triggers the WordPress task scheduler (WP-Cron) on a fixed schedule instead of on page views. For this, you need two steps:
1 - disable the page-view-triggered WP-Cron in the WordPress configuration file (wp-config.php):
// add this line to wp-config.php, above the "That's all, stop editing!" comment
define( 'DISABLE_WP_CRON', true );
2 - add the task to the scheduler on your server; here is the case of a Linux server with crontab (replace example.com with your site's address):
*/30 * * * * curl -s https://example.com/wp-cron.php?doing_wp_cron > /dev/null 2>&1
Explanation of the line above: every 30 minutes your server requests wp-cron.php, which runs the pending WordPress scheduled tasks. Why 30 minutes? The default WordPress schedules are hourly, twice daily and daily, so 30 minutes is fine enough to stay on time without hammering the site. Some plugins register more frequent schedules; if that is your case, adjust the interval in your crontab. Be careful, however: the more cron jobs you run on your server, the more likely you are to lose overall performance on the machine.
A small bonus for those who manage a server: I advise you to create a bash script, called every 30 minutes, that lists all your WordPress sites, for example (the addresses are placeholders to replace with your own):
#!/bin/bash
# filename: all_wordpress_cron.sh
# trigger WP-Cron on these websites:
curl -s https://site-one.example/wp-cron.php?doing_wp_cron > /dev/null 2>&1
curl -s https://site-two.example/wp-cron.php?doing_wp_cron > /dev/null 2>&1
curl -s https://site-three.example/wp-cron.php?doing_wp_cron > /dev/null 2>&1
Make the script executable (chmod +x /home/all_wordpress_cron.sh). Your crontab then only contains the call to the script and no longer one line per site:
*/30 * * * * /home/all_wordpress_cron.sh > /dev/null 2>&1
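Sending everything to /dev/null means you never learn that a site stopped answering. Here is an added example, not the article's own script, of the same multi-site runner written so that each call is checked and the exit status tells cron how many sites failed. The site addresses, the script path and the log path are placeholders.

```sh
#!/bin/sh
# Added example (not the article's script): trigger WP-Cron on a list of sites and
# report failures instead of discarding everything with > /dev/null.
# The site addresses are placeholders.

# Request wp-cron.php on one site. Prints "status url"; succeeds only on HTTP 200.
ping_wp_cron() {
    url="$1/wp-cron.php?doing_wp_cron"
    # -s quiet, -o discard the body, -w print only the status code,
    # --max-time so one hung site cannot block the whole cron run
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 30 "$url") || code=000
    printf '%s %s\n' "$code" "$url"
    [ "$code" = "200" ]
}

# Run over every site given; the exit status is the number of sites that failed,
# so cron mails you (or the log shows) when something is wrong.
run_all() {
    failed=0
    for site in "$@"; do
        ping_wp_cron "$site" || failed=$((failed + 1))
    done
    return "$failed"
}

# crontab entry (placeholder path):
#   */30 * * * * /home/all_wordpress_cron.sh >> /var/log/wp-cron.log 2>&1
# Only run the list when this file is executed directly, so it can also be sourced.
if [ "${0##*/}" = "all_wordpress_cron.sh" ]; then
    run_all https://site-one.example https://site-two.example https://site-three.example
fi
```

A 30-second timeout per site matters more than it looks: a single site whose database is down would otherwise hold the whole run until curl gives up, and every other site would miss its slot.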
The core, yes, but not only:
Since WordPress 3.7 you can, in addition to the automatic security updates of the core, turn on automatic updates for the following elements:
- plugins
- themes
- translation files (these are already updated automatically by default)
To add these automatic updates, simply add these two lines to the functions.php file of your theme or, better, of your child theme (or to a must-use plugin in wp-content/mu-plugins, which survives a change of theme):
// enable automatic updates for all plugins
add_filter( 'auto_update_plugin', '__return_true' );
// enable automatic updates for all themes
add_filter( 'auto_update_theme', '__return_true' );
Be careful, however: if you have plugins whose code you modified, an automatic update will overwrite your changes, so you must not enable it for those. The same goes for a theme you edited without making a child theme.
For the case where some plugins are modified, here is an example that lets you list exactly which plugins you want to see updated automatically (do not combine it with the __return_true line above):
function auto_update_specific_plugins( $update, $item ) {
    // list of slugs (directory names) of the plugins to update automatically
    $plugins = array(
        'akismet',
        'buddypress',
    );
    if ( in_array( $item->slug, $plugins, true ) ) {
        return true;  // allow the update of the plugins above
    } else {
        return false; // refuse the update of all other plugins
    }
}
add_filter( 'auto_update_plugin', 'auto_update_specific_plugins', 10, 2 );
The slug is neither more nor less than the name of the plugin's directory under wp-content/plugins. With this you have an autonomous system for updating your WordPress from A to Z, and you can go on vacation without worries (still read the e-mails WordPress sends after each automatic update, because an update can fail or break something).
2. Backups
The other element we always find when we talk about computer security, in addition to updates, is of course backups. You have several possible solutions, depending on your skills but also on your access to the server. Generally, your host already offers an automatic backup service; just check the frequency of the backups, how long they are kept, and whether you can access them easily and quickly.
Choose the frequency of your backups depending on the changes you make on your site or that your users make, for example by leaving comments. For a blog, a weekly backup is more than enough. For an e-commerce site, a daily backup will surely be necessary, or even an hourly one during busy periods (sales, Christmas, etc.).
You can also use backup plugins. There are many in the WordPress world, so I chose to present two of them briefly, which I use for some customers.
First: BackUpWordPress
Compared to others, the advantage of this plugin is that it does not only back up your database; it also lets you back up your entire website, files included.
You can define the number of backups to keep and, depending on the space your host allocates to you, exclude folders and files from the backup. We use it for clients hosted on servers that we do not control.
I still advise you to always download your backups and store them elsewhere in a secure way: a backup that only lives on the server it protects disappears with it. This is one of the bases of good backup management. Another strong point is that it allows you to schedule the frequency of your backups very finely.
The second: iThemes Security
It is mainly a security plugin for WordPress; nevertheless it embeds a simplified backup management in its free version. This simplified version gives you a daily backup of your database, which you can choose to store directly on the server or to receive by e-mail.
Personally, when we use iThemes Security to back up the database, we ask to receive it by e-mail, because iThemes has had several configuration problems in the past and has had to release security updates to fix flaws that allowed an ordinary user to access the backup files. Remember that a database dump contains password hashes and your users' data, so the mailbox that receives it must be protected accordingly.
You will understand that it all depends largely on the criticality of your website, and especially on whether or not you control its hosting. Besides, I hope that if you manage the server in its entirety, you already have an effective backup policy, including regular restore tests.
3. Security keys
WordPress incorporates a set of secret keys and salts that underpin several cryptographic elements of the site. In particular they are used for all the user and administrator authentication mechanics, by signing the authentication cookies. They are therefore a very important element of the security of your WordPress site and must absolutely be changed after your website has been hacked.
By modifying the secret keys and salts, you automatically invalidate every active session of the site's users. This is very practical after an attack, to be certain of having disconnected an attacker who was using an administrator account, for example. Also reset the passwords: new keys log the attacker out, but do not stop them from logging back in with a password they already know.
These keys are found in the WordPress configuration file wp-config.php at the root of your site. Here is the block as it appears in the sample configuration (never keep the placeholder values, and never copy keys from an example):
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
To be sure of generating new strong keys, I advise you to use the WordPress API at the following address; it is as simple as a copy/paste: https://api.wordpress.org/secret-key/1.1/salt/
I even invite you to change your keys when you move from testing to putting your website online, and to do the same thing if you change server.
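When you manage several sites, rotating the keys by hand after an incident is slow and error-prone. The following added example, which is not from the article, regenerates the eight constants in place from /dev/urandom and checks that none of them is still a placeholder. The path to wp-config.php is whatever you pass in; the 32-character minimum is an assumption of this script, not a WordPress rule.

```sh
# Added example (not from the article): rotate the eight secret keys and salts in
# wp-config.php with fresh random values, which logs every active session out.
# Usage: rotate_salts /path/to/wp-config.php

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# One 64-character key from /dev/urandom, restricted to characters that are safe
# both inside a single-quoted PHP string and inside the sed replacement below
# (so no quote, backslash, pipe or ampersand).
gen_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^*()_+=<>?:;,.' < /dev/urandom | head -c 64
}

# Rewrite the define() line of each constant in place; a .bak copy is kept.
rotate_salts() {
    config="$1"
    cp "$config" "$config.bak"
    for name in $WP_KEYS; do
        key=$(gen_key)
        sed -i.tmp "s|^define( *'$name'.*|define( '$name', '$key' );|" "$config"
        rm -f "$config.tmp"
    done
}

# Succeed only if every constant is present, at least 32 characters long (this
# script's own threshold) and not the sample-file placeholder. Run it before and
# after rotating.
check_salts() {
    config="$1"
    for name in $WP_KEYS; do
        value=$(sed -n "s|^define( *'$name', *'\(.*\)' *);.*|\1|p" "$config")
        if [ -z "$value" ] || [ "${#value}" -lt 32 ] || [ "$value" = "put your unique phrase here" ]; then
            echo "weak or missing key: $name" >&2
            return 1
        fi
    done
    return 0
}
```

Delete the .bak copy once you have confirmed the site still works: it holds the old keys, which is exactly what an attacker who kept a cookie would want.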
4. Change the prefix of the database tables
When you install WordPress, it asks for your database credentials, the name of the database to use for the site, and the prefix you want for your tables. By default it offers "wp_", which is a poor choice and a parameter you should change. For example, instead of "wp_" you can use "2tHdat_" or "ntbl_". The purpose of the manoeuvre is that, in case of an SQL injection attack, the attacker cannot easily extract your data if they do not know the table prefix.
Be careful, however: depending on the flaw present, this measure can be completely useless (an attacker who can run arbitrary queries simply reads the table names from information_schema), but it is good practice and I confirm that it can sometimes save you from the worst, for example seeing all your quote requests or all your users' credentials fly away. It is possible that some badly developed plugins and themes will cause you trouble, because they hard-code the default WordPress prefix in their queries instead of using $wpdb->prefix.
One day, hopefully, this prefix will be random from the installation procedure onwards.
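On an existing site, changing the prefix is more than renaming tables: the roles option and each user's capability and level rows embed the prefix in their key, and forgetting them locks every account out. The added example below, not from the article, prints the complete SQL for a migration from the table list you feed it; the prefixes wp_ and ntbl_ in the usage line are the article's own examples, and you must also set $table_prefix to the new value in wp-config.php.

```sh
# Added example (not from the article): print the SQL that moves an existing site
# from one table prefix to another. Table names come from stdin, one per line, as
# listed by SHOW TABLES, so nothing about your schema is hard-coded.
# Usage: gen_prefix_rename_sql wp_ ntbl_ < tables.txt > rename.sql

gen_prefix_rename_sql() {
    old="$1"
    new="$2"
    # Rename every table that carries the old prefix; leave foreign tables alone.
    while IFS= read -r table; do
        case "$table" in
            "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$table" "$new" "${table#"$old"}" ;;
        esac
    done
    # Two kinds of rows embed the prefix in their key, not only in the table name:
    # the roles option and the per-user capability/level meta. Forgetting them
    # locks every user, administrators included, out of the site.
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    # In LIKE, "_" matches any single character, so escape it in the old prefix.
    like=$(printf '%s' "$old" | sed 's/_/\\_/g')
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$((${#old} + 1))" "$like"
}
```

Run the generated file inside a transaction after a backup, then update $table_prefix and clear any object cache; the UPDATE statements reference the new table names, so they must run after the RENAMEs, which is the order the script emits.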
5. Apache specificity
If you use Apache as a web server, you are directly concerned by this security point. WordPress versions below 4.7.5 contain a flaw that lets an attacker choose the sender address (From/Return-Path) of the password-reset e-mail, because WordPress builds it from the Host header of the request; if the message then bounces or is auto-replied to, the reset link ends up with the attacker instead of staying with the user.
This vulnerability was published on May 3, 2017 by Dawid Golunski. It is specific to Apache because, to work, it requires several conditions to be met together:
1. Apache is the web server.
2. Typing the server's IP address in a browser lands directly on the WordPress site, i.e. it is the default virtual host (very often the case for a big site with a dedicated server, or for a badly configured server).
3. The Apache directive "UseCanonicalName" is not set to On in your virtual host declaration, so Apache passes the client-supplied Host header through as SERVER_NAME
( https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname )
If you meet these criteria, you were in danger, and if you still have not updated to WordPress 4.7.5 you still are. On the server side, set ServerName explicitly and UseCanonicalName On in each virtual host, and make the default virtual host a dummy site rather than your WordPress. I mention it among the good security practices because you never know: a similar problem could appear again one day. Note that the Nginx web server is not concerned by this attack.
6. Change the access address of the administration
If you use one or several WordPress sites regularly, you know that to access the administration you simply add "wp-admin" (or "wp-login.php") to the site URL. Of course, if you know it, attackers know it too, and it is easy for them to run a series of attacks against it, including brute force (we come back to this point just after).
To modify this access address, I advise you to use a plugin such as iThemes Security, and to respect the following rule: do not use simple words that an attacker could guess, like admin or administration. I strongly urge you to use a random string that you keep in your bookmarks, for example aYJJRrcb or KqKgUoyJtLPDaouAyvidmVtXAHOS.
So your address to connect to the administration will no longer end in /wp-admin but in something like /aYJJRrcb or /KqKgUoyJtLPDaouAyvidmVtXAHOS.
The ideal way to create these strings is to use a password generator. Keep in mind that this is obscurity, not authentication: it cuts the noise from automated scanners, but it does not replace a strong password and a second factor.
7. Two-factor authentication
What is two-factor authentication? It is a mechanism that, in addition to your password, asks you for a code sent to you by SMS or generated by an application on your phone. Without a valid code, you cannot log in.
This mechanism has become almost indispensable nowadays to stop attackers who manage to guess or steal your password, and it is currently the best way to quickly and easily raise the security of access to the WordPress administration. I advise you to use an application such as Google Authenticator (TOTP) as the second factor, the same principle as the Battle.net authenticator for those who know it, rather than SMS.
The second factor via SMS has shown serious weaknesses (SIM swapping, interception), is not considered robust, and is strongly discouraged.
To set it up, you have several options. The simplest is one of the many plugins that provide Google Authenticator (TOTP) support. Most security plugins offer this option, although you will often need the premium version.
In addition to installing a plugin on your WordPress site, you must install the authenticator application on your smartphone and enrol each administrator account; keep the recovery codes somewhere safe, otherwise a lost phone locks you out of your own site.
8. Protection against Brute force
A brute force attack consists of trying, at scale, the different login + password possibilities to connect to a user account. This technique is used on websites, but also on all other computer systems: your mailboxes, your computer sessions, macOS, etc.
There are several kinds of brute force; here are the main ones that concern you as the owner of a WordPress site:
1. The attacker knows your login and will "just" try different passwords by testing all possible combinations (if your password is strong, it will take them years).
2. The attacker knows your login but uses a list of commonly used passwords or pre-established lists (there are many on the internet), and there your favourite password may not last years.
3. The attacker does not know your username and has to guess it. Be careful, however: if they find your e-mail address, there is a good chance it is your login, and WordPress itself reveals usernames through the author archive pages and the REST API users endpoint.
You will understand that to slow down the attacker you have to do four things:
- Use strong random passwords.
- Do not use a simple, well-known login such as admin, administrator or the name of the site.
- Set up two-factor authentication.
- Change the address of your administration.
To come back to point 3: if you use a robust second factor, the attacker will most likely abandon the attack because bypassing the second factor is too complex for them. To give you an idea, we see between 500 and 1,000 fraudulent login attempts per week on the sites we manage, with spikes above 2,000 per day, especially when new versions of WordPress are released.
To go further, I advise you to add anti-brute-force protection that bans IP addresses generating too many login errors and locks an account for a given time (often 20 minutes) after too many attempts. All the good WordPress security plugins have this feature; for a change, I suggest you look at Sucuri Scanner, which is a very good plugin too. If you manage the server, fail2ban reading the web server log does the same job before the request even reaches PHP.
These plugins also let you set up something vital to slow down attackers: do not display the detail of the login error message, and so do not reveal whether it is the password that is wrong or the username that does not exist.
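If you do manage the server, the attempts are visible in the access log before any plugin sees them. The added example below, not from the article, counts failed logins per client IP from a combined-format access log and lists the ones above a threshold; the log lines are constructed for the demonstration, and the inclusion of xmlrpc.php (the other endpoint that is hammered for password guessing) goes beyond what the article mentions.

```sh
# Added example (not from the article): spot brute-force attempts in a web server
# access log (combined format) and list the client IPs over a threshold.
# On WordPress a failed login is a POST to wp-login.php answered with 200 (the form
# is shown again) while a successful one is a 302 to wp-admin; xmlrpc.php is the
# other endpoint attackers hammer. The log lines below are constructed.

# flag_bruteforce THRESHOLD < access.log   -> "count ip" per offender, worst first
flag_bruteforce() {
    awk -v threshold="$1" '
        # $1 client IP, $6 "METHOD, $7 path, $9 HTTP status
        $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= threshold) print fails[ip], ip }
    ' | sort -rn
}

# Constructed sample: one scripted attacker, one legitimate user who mistyped once.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/May/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4011 "-" "python-requests/2.13"
203.0.113.7 - - [10/May/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4011 "-" "python-requests/2.13"
203.0.113.7 - - [10/May/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4011 "-" "python-requests/2.13"
203.0.113.7 - - [10/May/2017:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.13"
198.51.100.2 - - [10/May/2017:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4011 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.2 - - [10/May/2017:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.2 - - [10/May/2017:10:01:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9210 "-" "Mozilla/5.0"
EOF
}

# The ban itself belongs to fail2ban or the firewall; e.g. feed the list to it:
#   sample_log | flag_bruteforce 3 | while read -r count ip; do echo "ban $ip"; done
```

Pick the threshold per time window rather than per whole log in production (rotate or filter by date first), otherwise a legitimate user who forgets their password a few times a month eventually crosses it.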
9. Track the modification of the files
Once your website is online, you will rarely need to modify your theme or other program files. So it is good practice to set up monitoring of file modifications on your website. On WordPress you have several options; using a plugin is a smart way, because it will not alert you when a change is due to a voluntary update of WordPress, a plugin or your theme.
For this you have in particular Sucuri Scanner, iThemes Security and others. An advantage of Sucuri Scanner is that it also alerts you when a page or post is edited; if you manage the site directly, that can let you detect an intrusion.
Alternatively, if you manage the server hosting your website, you can use a control script such as the one I proposed some time ago. The disadvantage of these solutions is that, after an automatic WordPress update, they report every file that was updated and thus generate many false positives; the answer is to refresh the baseline right after each legitimate update.
The goal is to detect any change made by an attacker who has modified one or more of your files to add malicious code. They may also have added new files on your server to serve malicious code, carry out phishing, or keep long-term access to your website (what we call backdoors).
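As an added example, and not the control script the article refers to, here is a minimal baseline-and-compare pair built on sha256sum that distinguishes the three cases that matter (a file modified, a file added, a file deleted). The cache directory excluded here and the uploads directory kept on purpose are this script's own choices.

```sh
# Added example (not the article's own script): a hash baseline of the WordPress
# tree, and a check that reports modified, added and deleted files. Needs
# sha256sum (GNU coreutils). Refresh the baseline right after each legitimate
# update so that updates do not show up as false positives.

# make_baseline SITE_DIR BASELINE_FILE
make_baseline() {
    # Paths are relative to the site root so the baseline can move with the site.
    # The cache directory churns constantly; uploads is kept on purpose, because
    # that is where dropped PHP backdoors usually land.
    ( cd "$1" && find . -type f ! -path './wp-content/cache/*' -print0 \
        | LC_ALL=C sort -z | xargs -0 -r sha256sum ) > "$2"
}

# check_baseline SITE_DIR BASELINE_FILE -> prints one line per change, returns 1 if any
check_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    # sha256sum lines are "<64 hex chars><two spaces><path>"
    changes=$(awk -v base_file="$2" '
        FILENAME == base_file { base[substr($0, 67)] = substr($0, 1, 64); next }
        {
            path = substr($0, 67); hash = substr($0, 1, 64)
            if (!(path in base))          print "ADDED    " path
            else if (base[path] != hash)  print "MODIFIED " path
            delete base[path]
        }
        END { for (path in base) print "DELETED  " path }
    ' "$2" "$current" | sort -k2)
    rm -f "$current"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}
```

Store the baseline outside the web root and outside the site user's write access: an attacker who can edit your files can otherwise edit the baseline to match.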
10. Set up an SSL certificate
An SSL/TLS certificate lets you encrypt the data, making it unreadable, while it travels over the Internet between your website and the person viewing your page. It has been a security standard for years; we see it almost systematically when paying online, and if you do not see the padlock during a payment, leave the site!
The goal here is to increase the security of your users by preventing an eavesdropper from seeing what they view or send, for example their passwords if they have an account on your site. It also lets your users be certain that the page they receive was sent by your site and that nobody changed it on the way. Modern browsers like Chrome or Firefox warn more and more insistently when a site does not use HTTPS, and this is only the beginning.
For you as site manager, the advantage is double. The most important is that you do not risk having your password stolen when you log in from a cybercafé (which is still a bad idea, by the way) or when someone is spying on your network: the data being encrypted, an eavesdropper cannot read it and therefore cannot use or steal it. Once the certificate is in place, force HTTPS everywhere (redirect HTTP to HTTPS and set the WordPress site URLs to https://), otherwise the login form can still be submitted in clear.
The second, lighter advantage is that Google slightly improves your ranking in its results, even if we have not really noticed a significant gap between a site with or without HTTPS. Finally, you can obtain free certificates through Let's Encrypt.
11. Themes and plugins
You probably know that your WordPress site uses a theme (or several) and plugins to work; these elements are very often the cause of a website being hacked. Why? Because for the person or team who wrote the plugin or theme, security is unfortunately still too often an afterthought, while it should have the same level of importance as the features.
You will probably have plugins or themes that contain security flaws; that in itself is not incurable, and in the WordPress ecosystem security updates are very often released quickly. On the other hand, you must be careful to apply them on your side as soon as they are available.
But there is one point that is rarely addressed when you read security articles about WordPress: abandoned themes and plugins. You often try one plugin, then another, deactivate them, and probably do the same with themes. In fact, there are often at least two themes installed on a WordPress site.
The risk? Even deactivated, a plugin or theme remains directly accessible on the server, especially if the developer did not follow the recommendations and good practices, and if it contains a flaw, that flaw can be exploited. So if you no longer use a plugin or theme, remove it completely, because it is a real and serious risk for your website.
Another important point: install only plugins from the official WordPress directory or from a recognised marketplace with a good reputation such as CodeCanyon. Note that in both cases there is no guarantee of the quality of the themes and plugins, nor of their security.
12. The right of access to files
If you host your website on a Linux server, you may know that each file and folder has access rights assigned to it. Example of rights on a file and a folder:
-rw-r--r-- 1 usersite groupsite 5035 Sep 29  2017 wp-activate.php
drwxr-xr-x 9 usersite groupsite 4096 Sep  5  2017 wp-admin
The first line corresponds to a file and the second to a directory (the "d" at the beginning of the line). The rights of the file are: read and write for the owner, read only for everyone else. For the directory they are different: the owner can read, write and traverse it (execute), while the others can only read and traverse it.
In numeric form, the rights of the file are 644 and those of the directory 755. These values mean the rights are correctly configured to give your website a good security base. There is also a great article on the subject in the official WordPress documentation.
But why should you check or modify these rights? Because your website is often not the only one on a server, and if you allow everyone to write to your files, an attacker who compromises another site on the same server can modify your files from there.
For some very specific files, such as the configuration file wp-config.php, it is recommended to give rights 600, that is, only the owner can read and write it and nobody else can even read it. As a reminder, this file contains your secret keys and, above all, your database credentials.
Another important point: these settings are only worth something if there is one system user per website on your server. If every site runs as www-data, your server is misconfigured, because each site can access the files of all the others. Changing this will be the subject of another article.
To help you, here are two commands that will change the permissions on all your folders and files:
cd /path/to/site/www/
# update the rights of the directories
find . -type d -exec chmod 755 {} \;
# update the rights of the files
find . -type f -exec chmod 644 {} \;
Do not forget to change the rights of wp-config.php after running these two commands (chmod 600 wp-config.php). If you are not familiar with these commands, be careful: they can cause problems with updates, plugins and cache plugins. I can reassure you that this only causes problems on misconfigured servers, but unfortunately those are not lacking today.
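Applying the rights once is only half the job; what you want afterwards is a way to spot anything that drifted. The added example below, not from the article, wraps the two commands and the wp-config.php exception in a function and pairs it with an audit that lists every path deviating from 755/644/600. The extra check for PHP files under uploads is this script's addition; WordPress never writes PHP there, attackers often do.

```sh
# Added example (not from the article): apply the 755/644 scheme, lock wp-config.php
# down to 600, then audit the tree for anything that still deviates and for PHP
# files under uploads, where WordPress never writes PHP but attackers often do.
# Run as the site's own user: harden_perms /path/to/site/www

harden_perms() {
    site="$1"
    # "{} +" batches many paths per chmod call, much faster than "\;" on large trees
    find "$site" -type d -exec chmod 755 {} +
    find "$site" -type f -exec chmod 644 {} +
    if [ -f "$site/wp-config.php" ]; then
        chmod 600 "$site/wp-config.php"
    fi
}

# audit_perms SITE_DIR -> prints offending paths, returns 1 if there are any
audit_perms() {
    site="$1"
    offenders=$(
        find "$site" -type d ! -perm 755
        find "$site" -type f ! -name wp-config.php ! -perm 644
        find "$site" -type f -name wp-config.php ! -perm 600
        [ -d "$site/wp-content/uploads" ] && find "$site/wp-content/uploads" -type f -name '*.php'
        true
    )
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders"
    return 1
}
```

Run audit_perms from cron and mail yourself the output; a non-empty report after a day on which you did not deploy anything is worth a look, and the uploads line in particular should be treated as an incident rather than a permissions problem.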
13. Security plugin
To help you put in place all the points discussed in this article, I strongly advise you to install a security plugin. They all have their advantages and disadvantages, and the most serious ones have almost all been mentioned above. Here is my selection of WordPress security plugins to try:
- iThemes Security (has a Pro version)
- Wordfence Security (has a premium version)
- Sucuri Security (has a premium version)
- Quttera
You can also use the following plugin to check the code of the themes installed on your WordPress:
- Theme Check
Conclusion
You will have understood it just by reading these 13 steps: securing WordPress is not as simple as setting up backups and updating it. There are many more steps to carry out, and to keep paying attention to throughout the life of your WordPress site.
But you can also see that it is not impossible to secure; however, 100% absolute security does not exist and never will, whether for a website or anything else in the world.
Did you like this article? Do not hesitate to share it! In any case, do not hesitate to write to me for any comments and reactions!