A complete overview of securing Wordpress

As a Linux system engineer who works in the webhosting business, I’ve had my fair share of WordPress websites that got attacked, hacked, defaced and so on. While WordPress is a very dependable system, it has it’s flaws - just like anything else. The biggest issue lies in the fact that it is one of the most used systems on the internet, which leads to it being a prime target for hacking.

The rise of cryptocurrency and miners that can be executed on the server, or on the machines of your visitors, doesn’t help here either and has given a rise to the amount of WordPress hacks. And in even more recent years, cryptolockers have arisen that will either hold your website/data hostage or will threaten to sell your personal data. And getting hacked more often that not leads to phising mails being sent on your server, which absolutely tanks your mail deliverability rate. Cheaper hosts will most likely pull your website sdown.

So how would you go about and start securing your WordPress website? It in fact is not so hard, but WordPress websites require a constant maintenance.

TL;DR: Since this blogpost has become very long, I decided to add this summary: it requires constant maintenance and if you focus on building websites, you might not want to focus on maintaining the website.

That, on it’s own, is not a problem if you find someone else to maintain these websites - it needs to happen. In this age, your websites will get hacked quickly if you do not take action.

If you’ve got questions, or just want to see what is possible, feel free to mail me on [email protected].

Maintain your websites.

WordPress has become so big, that there are a ton of bots around that will do nothing else than scouring the internet for vulnerable WordPress-websites. If you don’t update your websites, you will get hacked sooner or later - and the amount of time before you get hacked is a few days, max, in these times.

If you are unable (or if you just want to focus on your core-business) to maintain the websites yourself, search someone to do it for you (for example, this is something that I can do for you - contact me ;)). There are several companies that are able to provide your this service - but, make sure that they cover these things:

  • Do they make backups of your site? How do they store these?
  • Do they make backups of those backups? Are they stored in a redundant way.
  • Do they have WordPress experts that are able to restore your website, if it gets hacked?
  • What do they offer and what is included?

Many service providers just use “WP-Infinite” or “Main-WP” for this, which are great tools, but the tools alone aren’t enough. When things go wrong, you want to ensure that you can fall back on people with the knowledge to help you.

I’m working on a service to maintain your WordPress, so if you are interested, feel free to contact me on [email protected].

A good webhost

Everything starts with a good webhost that understands how WordPress works - don’t fall in the trap of specialized WordPress hosting, since WordPress runs on anything and specialized WordPress-packages are (in almost all cases) nothing more than an attempt to get more money from you.

A good webhost, however, should be able to answer at least these questions (or you should be able to ask them these, or find an answer on the website):

  • First of all, how can I contact the webhost when I experience an issue? Is it by mail, ticket or phone?
  • Is there a way to contact them in the middle of the night, should things go wrong?
  • Do they monitor your website, will they react on their own when a website goes down, or do you have to message them?
  • Do they take backups of your website, and far back do these go?

Cheap webhosters will likely only be reachable by ticket/mail and won’t have an option to contact them in the middle of the night should something go wrong - and when you or your clients websites go down, you don’t want to have to wait for hours before a reponse! The webhoster I currently work for, Nucleus, is reachable 24/24 7/7 and we do monitor websites for our customers and will react if one goes down - even at 4 AM.

Backups are very important, but I’ll talk about them later on.

To keep it short: go for a decent webhost that knows what they are doing. One that installs updates on a regular basis and offers a few PHP-versions, including the latests ones.

The basis of security: passwords

That's a lot of locks.

This is the first one, and the one step where it often goes wrong. Yes, this is still the place where most WordPress websites get hacked: the password.

Don’t re-use passwords and use strong ones. You can best use a password manager and use a strong password for your password manager (that you use only for your password manager). Then use your password manager to create passwords for every website, so you have a unique (and strong) password for every website you manage. The better password managers have integration with Have I Been Pwned to check if your password has been breached in data leaks.

I recommend Bitwarden for this, as I have been using this for many years and I’m a happy customer of them!

The main reason why you shouldn't re-use passwords is that there have been a ton of data breaches in the past, even with reputeable websites like Adobe, TicketCounter and many others among them. If you want to check if you are affected, you can visit the website [Have I Been Pwned](https://haveibeenpawned.com) to check. If you find your mail affected and you are using the password somewhere else - change it immediately! Bots are being used to check these dumped credentials and this more often than not is how hackers get in your website.

It’s 2021, don’t use “Welcome123” as your password anymore.

TFA / Two Factor Authentication

Two factor authentication, nobody likes it, but it is often an effective way to keep hackers outside of your websites. Even when they have your password, you can still keep them out using a TFA app like Microsoft Authenicator, Google Authenticator, Authy or something else. Even sending an email out is better than nothing (unless, ofcourse, you used the same password for your email account…).

While WordPress doesn’t have support for TFA out of the box, there are many plugins that offer just this. An example of this is WordFence Login Security or Two Factor Authentication.

This might be an annoyance while logging in, but it sure beats having to restore a hacked WordPress website.

Take your own backups…

You should always take your own backups and never only rely on the backups that your webhost provides. When things go wrong, it might take your webhost a long while before they can provide your backup. Or what if you need a backup after their office hours, during the night?

In those cases, you’ll be glad that you have made your own backups. This can be done easily - there are a ton of plugins for this, but you can also use some scripts for this or use specialized backup-tools for this.

For my websites, I perform a regular database-dump which gets backed-up every hour - this is likely overkill for most websites, but I like to play it safe.

For basic WordPress website backups, you can look into plugins like UpdraftPlus or BackWPup.

… and store them in a safe way.

Making backups is one, but store them in a safe way. Never, ever, ever put your database backup in a public location - and if you do, don’t name it dump.sql. You might laugh at this one, but I have seen this happening more than enough.

Store your backups in a non-public location (for example, if your website is located in /var/www/website.com/public_html, you can place your backups safely in /var/www/website.com/backups - but not in /var/www/website.com/public_html/backups). If you do store it in a public location, people might find it and download your backup files. Security through obscurity is a very bad idea here!

WordPress file permissions

Everybody hates it, but you should never, never, never chmod everything 777. That would be a very dumb idea. Explaining this requires me to teach you something about how Linux-permissions work.

You should see the number 777 as parts: the first 7 is about the owner, the second one is about the group that owns the file and the last one is for everybody else on the system. 7 means all rights, 5 means that you can execute it but not write to it and 4 means that you can read it.
If you put 777, that means that every user on the system can change that file - if someone on the server gets hacked, that user can change the files of your website! If your webhost hasn’t chrooted (limited) the users to their own folder, they can change your files! This is a HUGE security risk.

This also means that when the web-user is running and gets a malicious request, it can pass this through and that user would be able to change your files due to the permissions!

When you really need a folder to be writeable by anyone, prefer to use 775 or 755 as this is way more safer and will stop hackers that have gotten access to another user.

A list of the correct file permissions can be found on this page.

Changing the location of your login page and securing it

WordPress has a simple structure, and in the login log of many websites, you’ll see posts to wp-login.php - even if the website doesn’t run WordPress!

Due to the popularity of WordPress, bots constantly try to login onto it and this is both annoying and a security risk. But, there are multiple ways to stop this: you can rename the wp-login.php page (using plugins), you can limit login-attemps or the best option (if available) is to deny access to anything except your IP.

I’ll explain how to do this here for each option I listed.

Rename wp-login.php

Don’t actually rename the file, because that will break your website - WordPress is hardwired to use this and to respond to wp-admin. But, using some .htaccess magic, you can change this. I recommend using a plugin for this, though.

The plugin that I have been using for this is called WPS Hide Login, which will rename both wp-login as well as wp-admin. This will then stop almost all auto-login bots on the login page, since they will no longer be able to post to it.

Limit the amount of login-attempts

Another way that you can secure your WordPress-installation, is by limiting the amount of logins and ban the IP’s that have failed too many times. This will still generate load on the server, but it will stop a lot of bots.

The plugin that I have been using for this is called WPS Limit Login.

Restrict access to the wp-login file

When your website isn’t dynamic and your users can’t login, you can opt to restrict access to the wp-login file. If your site has a login-side which is accessible to your users, you can instead opt to limit access to wp-admin instead. This only works if you have a static IP - don’t do this if you have a dynamic IP (if you are not sure, you have a dynamic one).

How you can do this, depends on the webserver that you are using. Here is the way to do it for every server I often use, replace the with your address:

Apache

On Apache servers, you can limit this by adding this to your vhost-config:

<FilesMatch "^(wp-login\.php)|(xmlrpc\.php)|(admin-ajax\.php)$">
  Require ip <IP ADDRESS>
  Require ip <IP ADDRESS>
</FilesMatch>

nginx

For nginx servers, you can limit this by adding this to your Nginx-config:

location = /wp-login.php {
        allow   <IP ADDRESS>;
        allow   <IP ADDRESS>;
        deny    all;
}

Security patches and updates.

Something we often hear is that updates break websites, or that the customer didn’t pay for the website to get updated. Or that updating the website requires manual work.

While that might be true, putting the work into restoring a website is often a lot more expensive compared to simply updating them and working through the upgrade issues. Often, the upgrade issues are quite small and require a little work, but restoring a website brings with it downtime and a lot of manual work for people who know how to restore these sites - and those people (including me), are costly. Certainly more costly compared to simply updating.

WordPress nowadays updates your sites automatically as much as possible - it will install minor versions automatically, but for bigger version bumps, it still requires you to manually set this in motion. Update your websites as much as possible, and when your webhost hasn’t updated PHP in a while, move to another webhost.

There is never a reason not to support the latest (supported) version of PHP. If a webhost can’t provide a recent version of PHP, which should be a core component for most webhosts, imagine what else they aren’t doing.

But I have a lot of websites, I can’t login to them all the time.

True - but there are tools for this, like for example WP Infinite or MainWP. This gives you a central control panel from where you can manage and update all your WordPress websites.

If you don’t want to install this, the next tip will send you an e-mail when an update is available.

WordFence or Sucuri

While the previous tips have been mostly geared towards not getting your sites hacked and securing them, this tip is more about fixing things when it does go wrong. WordFence and Sucuri do multiple things, but the main thing they do is that they keep an eye on your WordPress website.

They do this by scanning the files that your WordPress installation is comprised out of and by checking them against the expected normal WordPress files. If something is missing, or if code has been added, they will catch this and alert you. If files are added that don’t belong there, these are flagged and you get notified of this.

Next to that, they also offer a ton of other features geared towards securing your WordPress website. If you run a WordPress website, install either WordFence or Sucuri. Both of these will inform you when things are found, including updates that are yet to be installed.

Now, this post has gotten quite lengthy already and I’ve got quite a few more things to tell - expect some more blogposts in the future about this.

Yours truly,

Kevin

Posted on Monday, 22 March 2021