How to secure your Wordpress website

WordPress is one of the best open-source tools for hosting a website, a portfolio or an e-commerce store; with its huge range of features and plugins it is often the best choice for development. It offers a fairly stable foundation on which to build your website and, in some cases, web applications. It is one of the most widely used open-source applications of all time. But, as we all know, we hear about WordPress hacks and attacks almost every season. So here are a few ways in which we keep our clients' websites clean, clear and secure from the inside.

How to Secure Your WordPress Site

Secure your login procedures.

First and most basic: use a strong password. A strong password has the following characteristics.
Don't use sequential numbers or letters
Don't use public dates or personal information as your password
Always use a combination of letters, digits and special characters
Always combine unrelated words
Don't reuse passwords

Use two-factor authentication if possible. You can enable it in WordPress with a two-factor authentication plugin, for example one that uses the Google Authenticator method, such as Google Authenticator – Two Factor Authentication (2FA). This adds a second layer of authentication: every login request has to be approved on a physical device that you have with you.

Install Web Application Firewall

Install a Web Application Firewall such as Wordfence, which handles most of the security basics for you even on the free tier; the premium tier adds more. Configure Wordfence to limit login attempts, block brute-force attacks, run regular malware scans, send vulnerability alerts and enforce two-factor authentication.

Wordfence is a good choice since its free version catches most problems and it is one of the most widely used application firewalls. Search for Wordfence in the WordPress plugin directory to install it. After installing, run a scan of the whole website to see whether there are any existing vulnerabilities inside your site.

Disable REST API

WordPress has a REST API built in by default, which can be used to connect external applications or mobile applications to the system. This is a very effective feature if you want to pull or push data to and from WordPress. These APIs also connect web apps to the system: for example, if your web application is an e-commerce store and you want to connect a mobile app to it using your WordPress instance as the backend, you can easily integrate them using WooCommerce and the REST API. You can find these APIs at http://<yourwebsite.com>/wp-json; to check, replace <yourwebsite.com> with your own domain and you will see the API structure of your instance. If your website is a stand-alone site and no external application consumes the API, consider disabling the REST feature, since it is an area of exposure for WordPress. To disable the REST API you can use the Disable REST API plugin, which will do it for you without breaking your WordPress website.

For the more curious: the vulnerability exploited through the WordPress REST API is known as the WordPress content injection hack. Using it, attackers can push their own content to your website, which is then used for defacement campaigns and SEO spam.

Disable XML RPC

XML-RPC, which expands to XML Remote Procedure Call, allows other applications to make remote procedure calls to your site directly over the web. This is not an essential feature for regular websites and can be disabled. XML-RPC can be disabled in either of the following two ways.

This method is easier and recommended for all WordPress users. All you need to do is install and activate the Disable XML-RPC plugin. For more details, see our step by step guide on how to install a WordPress plugin. The plugin works out of the box and there are no settings for you to configure. Simply activating the plugin will deactivate XML-RPC on your WordPress website.

You can also use the following alternative method to disable WordPress XML-RPC through the .htaccess file. Use the following code to block xmlrpc.php for everyone who accesses the website.

# Block WordPress xmlrpc.php requests
# (Apache 2.2 access-control syntax; on Apache 2.4 it requires mod_access_compat)
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

For cases where a particular IP address must keep access, use the following code in the .htaccess file instead. In this example 123.123.123.123 is the IP address of the application that is allowed to reach XML-RPC on your WordPress instance; everyone else is still blocked.

# Block WordPress xmlrpc.php requests except from one allowed address
# (Apache 2.2 access-control syntax; on Apache 2.4 it requires mod_access_compat)
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>

Use secure WordPress hosting

Most people prefer a shared hosting account for WordPress. Shared hosting is cost effective, but it has drawbacks: you cannot customise your hosting at the OS level, which matters in some cases. For hosting a WordPress website with performance or security in mind I would prefer a VPS, an Amazon EC2 instance or an Amazon Lightsail server. AWS servers are a good place to host your website since they offer a higher security level, reporting facilities and management systems. If you want to add more security to your WordPress instance you can keep your database in Amazon RDS and keep your website files and static assets in S3 storage, which will also improve your website's performance. You can also put CloudFront in front of your website for a further performance gain.

Also be sure to keep the file permissions correct in your WordPress hosting storage, starting with the PHP file in the WordPress root. The suggested permission for it is 444, which grants read access to everyone: the owning user, the group and all others. The table below gives the preferred permissions for WordPress files and folders.

File or folder                       Permissions
wp-content                           755
wp-includes                          755
All .php files                       644
All folders                          755
wp-config.php (public_html folder)   400 or 440
index.php (public_html folder)       444 or 644
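The table above can be applied and audited with a short script. This is an added example, not code from the article; it assumes a standard WordPress layout under the path you pass in and that the web server does not run as the file owner (so wp-config.php gets 440; use 400 if it does).

```shell
#!/bin/sh
# Added example, not from the article: apply the permission table above to a
# WordPress document root and audit it afterwards. Assumes the web server does
# not run as the file owner, so wp-config.php gets 440 (use 400 if it does).
set -u

wp_apply_permissions() {
    root=${1%/}
    # Every directory (wp-content, wp-includes, ...): 755
    find "$root" -type d -exec chmod 755 {} +
    # Every regular file, .php files included: 644
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds the database credentials: owner and group read only
    chmod 440 "$root/wp-config.php"
    # index.php in the document root: read-only for everyone
    chmod 444 "$root/index.php"
}

# Lists every path whose mode deviates from the table and returns 1 if any.
wp_audit_permissions() {
    root=${1%/}
    offenders=$( {
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -path "$root/wp-config.php" \
            ! -path "$root/index.php" ! -perm 644
        find "$root/wp-config.php" ! \( -perm 400 -o -perm 440 \)
        find "$root/index.php" ! \( -perm 444 -o -perm 644 \)
    } )
    if [ -n "$offenders" ]; then
        echo "permissions deviate from the table:" >&2
        echo "$offenders" >&2
        return 1
    fi
    return 0
}
```

Run `wp_audit_permissions /path/to/wordpress` from a cron job to catch drift, and `wp_apply_permissions` once after deployment.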

Update your version of WordPress

Always keep your WordPress installation updated to the latest version, so that you have the latest security patches from the WordPress core team.

Update to the latest version of PHP

Make sure you have the latest version of PHP installed on your servers. This can be difficult on shared hosting. On a VPS you can upgrade it manually from the terminal on your server.

Use a secure WordPress theme

Don't use nulled themes or cracked plugins; they can be the entry point for a hack of your website. Some legitimate themes can also be an entry point: a number of free themes, and even some paid ones, have this problem.

Enable SSL/HTTPS

Be sure to enable SSL/TLS on your website. You can either purchase a certificate or get one for free from Let's Encrypt.

Back up your website.

Create a backup of your website using a plugin such as Duplicator. This is for the case where your website gets hacked: you will then have a clean copy to restore. I would prefer Duplicator since restoring the site is easy with its installer.php feature.

Limit WordPress user permissions.

When you grant permissions to team members, always give each user the specific role they need rather than giving everyone admin access. Your WordPress instance has roles such as editor, administrator and subscriber; use them intelligently.

Change the default WordPress Admin URL.

WordPress gives every site the same login URL, found at http://yourwebsite.com/wp-admin. Attackers know this is where to aim their brute-force attempts. Changing the login URL to a custom one removes that known target; several plugins in the WordPress plugin directory do this for you.

Disable file editing in the WordPress config file

You can disable the built-in theme and plugin file editor by adding define( 'DISALLOW_FILE_EDIT', true ); to wp-config.php, above the line that reads /* That's all, stop editing! */.

Disable PHP file execution in the uploads folder

Some WordPress compromises start with a file uploaded through the WordPress upload functionality, which may even be reachable from public forms. Disabling PHP execution in the uploads folder blocks a large share of these attacks.
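One way to do this on Apache, as an added example that is not from the article: write a .htaccess into wp-content/uploads using the same Apache 2.2 order/deny syntax as the xmlrpc.php rule above, then verify it is in place and list any PHP files already sitting in the folder. The uploads path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the article: stop Apache from serving/executing PHP
# placed under wp-content/uploads, and check for PHP already present there.
set -u

# Writes the deny rule (Apache 2.2 syntax; Apache 2.4 needs mod_access_compat).
wp_harden_uploads() {
    uploads=${1%/}
    cat > "$uploads/.htaccess" <<'EOF'
# Deny direct requests for PHP-like files under wp-content/uploads
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    order deny,allow
    deny from all
</FilesMatch>
EOF
}

# Returns 0 only if the uploads directory carries the deny rule.
wp_uploads_hardened() {
    f="${1%/}/.htaccess"
    [ -f "$f" ] && grep -q '<FilesMatch' "$f" && grep -q 'deny from all' "$f"
}

# Lists PHP-like files already in uploads; a legitimate site should have none,
# so anything printed deserves a look (and a scan with your WAF plugin).
wp_list_php_in_uploads() {
    find "${1%/}" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) -print
}
```

The .htaccess only takes effect when the server's AllowOverride setting permits it; nginx ignores .htaccess files entirely and needs an equivalent location rule in its own configuration.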

Change your database file prefix.

When you set up your WordPress instance, change the database table prefix from the default.

Delete the default WordPress admin account.

When you set up WordPress you get a default admin account whose username is admin and whose password is set during installation. Use a different username and password for your website. This helps prevent brute-force attacks, because most WordPress sites keep admin as the username, so attackers only have to brute-force the password to gain access.

Hide your WordPress version.

Hiding your WordPress version will prevent a share of attacks, because some vulnerabilities only apply to certain versions of WordPress. Hiding the version stops attackers from singling out your site for a version-specific exploit.