WordPress is one of the most popular Content Management Systems on the internet. It has attracted billions of users and is used by millions of websites. Because it is such a high-profile system, it is also the target of many attacks and hacking attempts. It is therefore critical that every website owner using WordPress takes the required steps to secure their system and avoids insecure practices. In this article we review some of the security best practices for your WordPress website. We take security very seriously here at Cloud22 and hope that this information will help you better understand what is required of us and our users to keep WordPress safe and secure for all.
Table of Contents
- Use a Web Application Firewall (WAF)
- Implement Scheduled Updates
- Implement Scheduled Security Scans
- Use a Separate Database For Multiple Installs
- Use Unique Names For MySQL Databases
- Move Your wp-config.php File
- Disable XML-RPC
- Hide Your WordPress Version
- Enable SSL Certificates
- Enable 2 Factor Authentication (2FA)
- Use a Content Delivery Network (CDN)
- Only Use Themes and Plugins From Trusted Sources
- Change Your WordPress Login URL
- Limit Login Attempts
- Select a Unique Username for Admin Credentials
- Use a Unique Password and Password Manager
Use a Web Application Firewall (WAF)
A web application firewall is a specific type of firewall that inspects HTTP requests on their way to a server. This type of software looks for known malicious request patterns that target specific applications such as WordPress or Drupal. By comparing each request against signatures of known attacks such as SQL injection or cross-site scripting (XSS), it can block malicious traffic before it reaches the application.
We utilize a WAF on our networks 24/7 to constantly monitor incoming requests for bad behavior.
Implement Scheduled Updates
New security vulnerabilities are discovered every day. Because of this, software developers are constantly forced to update their code to protect against new ways of attacking websites and other systems. This is why updates often show little noticeable difference afterwards. While it may seem redundant and unnecessary to constantly update your software, it is critical to maintaining a secure WordPress installation. Keeping your WordPress core, themes, and plugins up to date protects your website against known vulnerabilities for which fixes have been released.
Because updating your WordPress core, themes, and plugins is so critical, we provide managed update services that ensure your WordPress website is running the most up-to-date and secure software possible. Our managed updates focus on WordPress core, themes, and plugins; on the back-end we also keep the server software up to date, including PHP and MySQL.
Implement Scheduled Security Scans
Computer users are typically advised to run a virus scan on their computers on a regular basis. These scans search the file system for known viruses that may be infecting the machine, and running them regularly can catch an infection before it causes damage. The same kind of scan should also be applied to your WordPress installation to protect your website from known vulnerabilities and malware.
Here at Cloud22 we offer our security scans on a daily basis that cover three main areas:
Malware Scan
This type of scan looks for code that has been injected into your WordPress file system for malicious purposes. Our scans compare the code found in files within your WordPress file system against known malicious applications and notify support technicians if any match is found.
Vulnerabilities Scan
This type of scan looks for vulnerabilities within WordPress or the server configuration. These vulnerabilities are usually not intentional but the result of poor maintenance or inexperienced web development. Examples include outdated plugins, disabled PHP extensions, or even unused themes. If a vulnerability is detected, a technician is notified and the risk is assessed with further review.
3rd Party Monitoring Services Scan
In some rare cases your website may be flagged by a third-party monitoring service that is focused on protecting its users. This can happen if your website exhibits the same characteristics as a known hack. In other rare instances a website may be flagged by one of these services incorrectly. Either way, it is important to know if your website is being blacklisted by any of these services, because it may prevent their users from accessing your web pages. We check the following third-party services to verify that your website is not blacklisted or flagged by them.
Use a Separate Database For Multiple Installs
By editing a few lines in the wp-config.php file you can easily run multiple WordPress installations in the same database. While this practice may make management easier, it is highly advised against. Having multiple WordPress installations in the same database opens each installation up to unforeseen vulnerabilities, because every plugin and theme installed on one site has database access to every other site’s content. To maintain strict security, each installation on your account should use a separate database with its own user credentials.
All of our site creation modules are designed to create unique MySQL databases and unique MySQL user credentials for each WordPress installation. This mitigates the risk of sharing credentials across multiple installations. Each WordPress installation is isolated from each other at the database level.
Use Unique Names For MySQL Databases
Not only is it important to create a separate MySQL database for each WordPress install, it is equally important to make sure that each database has a unique name. For example, you should not use generic names such as ‘wordpress’ or ‘blog’ for your database. Instead, use a unique name for each database that WordPress uses; to be extra safe, you can even use a random string of letters and numbers as the database name. Either way, the point is to choose a name that would not be easily guessed by an attacker trying to gain access to your MySQL database.
Here at Cloud22 all of our site creation modules select a unique name for each MySQL database that is almost impossible to guess.
Move Your wp-config.php File
The wp-config.php file contains highly sensitive information that, if exposed, could make your WordPress site more vulnerable to attacks. It holds the username and password for the MySQL database that the WordPress installation uses, as well as the security keys used to protect things like your password and other important information within the database. Because this file contains such critical information, it should be kept somewhere attackers would have a difficult time accessing. Moving the wp-config.php file to a location that is not reachable from the web mitigates the risk of this file being exposed.
In extremely rare situations the web server may malfunction in a way that stops PHP from running. If this occurs, any PHP file in the public sections of the web server will be served as plain text to users on the internet. You can mitigate the risk of exposing wp-config.php by moving it to a location on the server that is not web accessible. If you move this file one directory up from its default location, WordPress will look for it there automatically. We advise users to contact their hosting provider before making this change to verify that no problems will occur. If you need assistance moving your wp-config.php file, please contact support and we will make the change for you.
Disable XML-RPC
XML-RPC is an API that allows external devices to connect to your WordPress installation in order to manage your site’s content. If you use the WordPress mobile app on your phone, it is this API that the app connects to. Other third-party applications use the same API to manage WordPress, and it is also used for trackbacks and pingbacks. Because the API serves these purposes, you may not want to disable it, especially if you are using the WordPress mobile app.
However, if you are not using this API, you can disable it using a Disable XML-RPC plugin. Keeping the API enabled is not an inherent security vulnerability, but it does leave one more access point through which attackers can gain entry if they have your login credentials. The API is also designed to publish large quantities of content in a single request, which makes it an attractive vector for brute-force attacks. If you are not using this API, disabling it is easy and may provide extra peace of mind. If you need assistance disabling this API on your Cloud22 site, please contact support.
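As an added example that is not part of the original article (nor the Disable XML-RPC plugin’s own code), the same result can be reached with WordPress’s built-in filters in a must-use plugin. The file path, and the choice to drop the unauthenticated pingback methods as well, are assumptions made for this example.

```php
<?php
/*
 * Added example, not from the article or the Disable XML-RPC plugin:
 * switch off XML-RPC with WordPress's own hooks.
 * Assumed location: wp-content/mu-plugins/disable-xmlrpc.php (must-use
 * plugins load automatically). The WordPress mobile app and any other
 * XML-RPC client stop working once this is active.
 */

// 1. Refuse every XML-RPC call that requires credentials. The XML-RPC
//    server consults this filter in its login step, so this closes the
//    brute-force surface (wp.getUsersBlogs, system.multicall with logins, ...).
add_filter('xmlrpc_enabled', '__return_false');

// 2. 'xmlrpc_enabled' only guards methods that log in. pingback.ping and
//    system.multicall do not, so remove them from the method table too.
add_filter('xmlrpc_methods', function (array $methods) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
});

// 3. Stop advertising the endpoint: drop the X-Pingback response header and
//    the RSD <link> in the page head, both of which point clients at xmlrpc.php.
add_filter('wp_headers', function (array $headers) {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');

// 4. Defence in depth: xmlrpc.php defines XMLRPC_REQUEST before loading
//    WordPress, so any request that still reaches it gets a 403 at 'init'.
//    Blocking xmlrpc.php at the web server or WAF as well avoids invoking
//    PHP for these requests at all.
add_action('init', function () {
    if (defined('XMLRPC_REQUEST') && XMLRPC_REQUEST) {
        status_header(403);
        exit('XML-RPC is disabled on this site.');
    }
});
```

Check the result by requesting xmlrpc.php after enabling the file: a disabled endpoint answers with HTTP 403 instead of the usual "XML-RPC server accepts POST requests only" text.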
Hide Your WordPress Version
“Security through obscurity” is a practice used by many security professionals which involves hiding information from the general public that could be used to attack an existing system. For example, unless there is a specific reason, the general public has no need to know which version of WordPress your website runs on. Even though you should always keep WordPress up to date, there may be instances where you have allowed an update to lapse, leaving a known vulnerability exposed. It is therefore important to hide your WordPress version number from public view. You can easily do this by adding the following PHP code to your theme’s functions.php file. To make this change as safely as possible we advise downloading the file first, editing it in a text editor, and then re-uploading it with FTP. If you need assistance making this change to your Cloud22 website, please contact support.
// Replace the output of the generator tag (the <meta name="generator"> element
// in the HTML head and the generator element in feeds) with an empty string,
// so the page source no longer states the WordPress version.
// Note: the version can still appear in readme.html and in the ?ver= query
// strings of bundled scripts and styles; this filter does not touch those.
function wp_version_remove_version() {
    return '';
}
add_filter('the_generator', 'wp_version_remove_version');
Enable SSL Certificates
Secure Sockets Layer (SSL) enables an encrypted connection between your web server and your users’ computers. This gives your users the best privacy possible through the HTTPS protocol. SSL protects the general public from things like “man in the middle” attacks and other methods of web traffic interception. Because of this, SSL has been broadly accepted as an industry standard and is used on the vast majority of websites.
Using SSL also helps protect your WordPress installation itself, because it encrypts the traffic between your WordPress back-end and your computer. This means you can log in to your WordPress admin area from any network without fear of exposing your login credentials to watchful eyes. You can log in to WordPress at your favorite coffee shop or while staying at a hotel without worrying that your credentials are at risk of being copied or stolen.
We offer SSL certificates with every account through Let’s Encrypt™ SSL. To enable yours, login to your cPanel and click the Let’s Encrypt™ icon underneath the security section. If you need assistance please contact our support staff.
Enable 2 Factor Authentication (2FA)
Two-factor authentication (2FA) is when a system requires a second set of credentials, beyond a username and password, to log the user in. Traditionally this comes in the form of an SMS text message sent to the user’s mobile device containing a unique pass-code that is entered into the system to authenticate the user. Other systems use authentication tokens from a mobile app or USB key, and some simply use an alternative email address. Either way, the purpose of 2FA is to add a second layer of identity verification that would normally not be available to an attacker who has obtained a username and password.
We provide 2FA for our Account Center and encourage users to also implement 2FA on their WordPress install using a third-party plugin from a trusted vendor. We can provide recommendations that will work for your specific WordPress installation if needed.
Use a Content Delivery Network (CDN)
Many popular content delivery networks (CDNs) offer two main security features: a web application firewall (WAF) and protection against distributed denial-of-service (DDoS) attacks. At the beginning of this article we discussed WAFs and why they are important. If you are a Cloud22 customer, we already have this feature enabled for you by default. If you are using a different hosting company, you can easily enable a WAF by using a CDN such as Cloudflare.
The second popular security feature many CDNs offer is protection against DDoS attacks. These attacks attempt to knock a victim’s website offline by overloading the web server with millions of requests in a very short time. If the attacker is successful, the web server becomes overloaded and has no option but to shut down entirely or slow its response time to valid users significantly. To protect against this style of attack, website owners should use a CDN such as Cloudflare, which offers DDoS protection within its free offering. Cloud22 customers can sign up for Cloudflare through their cPanel interface. We encourage our customers to take advantage of Cloudflare’s free service to protect against DDoS attacks and provide speedy delivery of their WordPress content.
Only Use Themes and Plugins From Trusted Sources
Because WordPress is open source, anyone can view and edit the source code. The same applies to WordPress themes and plugins. This level of transparency and openness allows for unparalleled innovation and quick development. However, it also makes it easy to embed malicious code inside a WordPress theme or plugin. Because of this, it is important to select WordPress themes and plugins only from trusted sources that have a reputation for good products or strict Quality Assurance (QA) guidelines. The best place to download WordPress themes and plugins is WordPress.org. The volunteer team of developers at WordPress.org applies a strict review process to all themes and plugins in the repository. This process enforces QA guidelines as well as security best practices to ensure that malicious code is not inserted into any theme or plugin. Other third-party sources may also be safe, but it’s best to select themes and plugins that have a strong reputation within the WordPress community and among other users. It’s important to read unbiased user reviews for themes and plugins.
If you need recommendations on a specific theme or plugin for your Cloud22 website please contact support and we can guide you to the best possible option.
Change Your WordPress Login URL
If you want to keep criminals from breaking into your home, the first thing you should do is make sure your front door has a secure lock. But a more effective measure might be to also hide your front door entirely! If attackers cannot find an access point to a system, it becomes almost impossible to break in. WordPress is the same: if we can successfully hide your WordPress login page, attackers will have a much more difficult time breaking in. The default URL for the WordPress login page is example.com/wp-login.php. We can change the location of this page using a plugin such as WPS Hide Login.
If you need assistance changing the location of your WordPress login page on your Cloud22 website please contact support.
Limit Login Attempts
Brute-force hacking is when an attacker tries many different combinations of username and password over and over again until one of them works. Many attackers write their own software that automates this process and allows them to make thousands of attempts in a very short period of time. One way to defend your WordPress site against this type of attack is to limit the number of attempts allowed at the login page. With Login LockDown you can easily limit the number of login attempts made against WordPress.
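To show what such a limiter does under the hood, here is an added example that is not code from the article or from the Login LockDown plugin: a minimal login-attempt limiter built on WordPress hooks and transients. The file path, the limits (5 failures per 15 minutes), and the assumption that REMOTE_ADDR is the visitor’s real address are all assumptions made for this example.

```php
<?php
/*
 * Added example, not from the article or the Login LockDown plugin:
 * a minimal login-attempt limiter using WordPress hooks and transients.
 * Assumptions (constructed for this example): saved as
 * wp-content/mu-plugins/limit-logins.php; 5 failures per 15 minutes; and the
 * site is reached directly, so REMOTE_ADDR is the visitor's address. Behind
 * Cloudflare or another proxy REMOTE_ADDR is the proxy itself, so the key
 * must be taken from the proxy's forwarded-for header instead, or one
 * lock-out would apply to every visitor at once.
 */

const C22_MAX_FAILURES   = 5;    // failed attempts allowed in the window
const C22_WINDOW_SECONDS = 900;  // 15 minutes: counting window and lock-out

// One counter per client, stored as a transient named after the address.
function c22_fail_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'c22_login_fail_' . md5($ip);
}

function c22_is_locked_out(): bool {
    return (int) get_transient(c22_fail_key()) >= C22_MAX_FAILURES;
}

// Count every failed attempt (unknown user or wrong password alike) and
// restart the window. Failures during a lock-out extend it.
add_action('wp_login_failed', function ($username) {
    $key   = c22_fail_key();
    $fails = (int) get_transient($key) + 1;
    set_transient($key, $fails, C22_WINDOW_SECONDS);
    if ($fails === C22_MAX_FAILURES) {
        // Leave a trace in the PHP error log when a lock-out begins.
        error_log(sprintf('WordPress login lock-out: %s after %d failures (last username "%s")',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $fails, $username));
    }
});

// Priority 30 runs after core's username/email/password checks (priority 20),
// so a locked-out client is refused even if it finally guesses correctly.
add_filter('authenticate', function ($user, $username, $password) {
    if (c22_is_locked_out()) {
        return new WP_Error('too_many_attempts',
            __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function () {
    delete_transient(c22_fail_key());
}, 10, 0);
```

Because the error returned during a lock-out also fires wp_login_failed, continued guessing keeps the window open rather than letting it expire; the error_log line gives the hosting team something to alert on.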
Select a Unique Username for Admin Credentials
The default username for new WordPress installations is admin. Many users do not change this default because it is easy to remember and corresponds to the administrative privileges the default account is assigned. However, usernames that are easy to remember are also easy to guess. Because of this, it is important that all users with administrative privileges have unique usernames that are not known to the general public. You can select a unique username when installing WordPress for the first time, or replace the default admin username by creating a new account with administrator privileges, logging in to that account, and deleting the admin user. Make sure that the new account really has administrator privileges and that no plugins or external services rely on the admin account to function. Otherwise, deleting the admin user after a new administrator account has been created is perfectly harmless and protects against attackers who try to guess the login credentials to your WordPress admin area.
Here at Cloud22 we offer the ability to select your own unique username during the site creation process. We have purposely avoided recommending a default username during this process to encourage users to develop their own unique username.
Use a Unique Password and Password Manager
When you manage your own website you will most likely have to set up multiple login credentials for different services or control panels. Here at Cloud22, for example, customers have separate login credentials for their domain registrar, the Cloud22 Account Center, cPanel, their WordPress admin, and any email accounts. To make managing these logins easier, it is tempting to use the same password for every account. This is a very insecure practice and leaves multiple accounts vulnerable to attack: if an attacker discovers your password for one account, they can access all of the others as well.
To mitigate this risk we advise using a unique password for each account associated with your WordPress web hosting, and using a password manager so that you do not have to remember each of them. With a password manager you store all of your account information in a secure third-party service that integrates with your web browser and mobile device. When you need to log in to one of your accounts there is no need to remember the password, because the password manager can insert it into the login screen for you. This way you only need to remember one “master password”, which unlocks your library of other passwords and only from a verified device such as your laptop, desktop, or mobile device. This allows you to have a completely unique password for every account you use on the internet, so that an attacker who obtains one password cannot use it to reach any other account.
We advise using the following password managers for your Cloud22 accounts and other password needs.
Most WordPress websites will never experience security issues or get hacked. However, failing to take the necessary steps to mitigate this risk leaves your website vulnerable in ways that may be detrimental to the objectives of your organization. Adhering to the best practices outlined in this article can dramatically improve the security of your WordPress website. For more information on how we can help secure and improve your WordPress experience, please contact us today.
Andy Kuiper says:
Great Guide – thanks for sharing Joe 🙂
Joe says:
Thanks! I am glad you found this useful. Please share it with your friends!
Nardeban says:
Changing default DB prefix from wp_* to something else is important