
Fortress WordPress: Too Hard for Hackers

WordPress runs 74.6 million websites, yet WordPress security is often handed off to plugins; this article is about making your WordPress security as close to impenetrable as it gets.


The basics block the vast majority of attackers, but a few are persistent. With the sheer number of websites running WordPress, any vulnerability or security flaw is likely to affect thousands, if not millions, of sites across the world. That is why a security plugin alone, no matter how robust, isn't enough against the onslaught; you need a few special tricks up your sleeve. This article isn't about installing and using plugins. It's about the tricks that make your WordPress security hard to get through.

It’s not security. It’s war.

1. Start with Securing Your Workstation

Start right at the beginning: not with WordPress, but with your workstation. Close the security holes on every PC (and every server) you use to work on WordPress. Update your browser to its most recent release and set it to patch automatically. Rinse and repeat with your anti-virus software and operating system. Scan for and remove malware regularly.
This ensures that your WordPress security isn't undermined by a vulnerability on your own machine. Think how sad it would be to put serious effort into the code below and a really strong password, only to be K.O.-ed by a keylogger that captures that password as you type it.

2. Get the Best Host you Can Find

All your efforts to deck out your site with the best security plugins and hacks go right down the drain if your hosting provider isn't up to scratch. According to 2013 figures, 41% of hacked WordPress sites had been compromised through a vulnerability on the hosting platform, not through WordPress itself.

That's an alarming share of sites hacked through no fault of their own.
So pull up your socks and do something about your hosting plan, pronto. Managed WordPress hosts like WP Engine and SiteGround are about as close to hacker-proof as a hosting plan gets.

If that's already raising a red flag screaming 'Cost' in your head, shared hosting will do; look for a plan that includes account isolation, so that a compromised site on the same server cannot reach yours. Bluehost is a popular choice, and Web Hosting Hub offers great value and has won several awards to prove it.

3. Update your WordPress, Themes, and Plugins.

The word 'update' is nightmare fuel for many developers, because WordPress updates have a proclivity for breaking a lovingly assembled site. Then again, not updating makes you a sitting duck for any attacker who reads the Security and Maintenance Release notes, since every entry there describes a fixed hole that unpatched sites still have. Have fun walking that tightrope.

Here's another alarming factoid: in the same 2013 figures, 29% of hacked WordPress sites were compromised through a theme vulnerability, and a further 22% through a plugin flaw. You've got to hand it to the attackers: they have moved beyond brute-forcing everything.
Stay one step ahead by updating. Install the most recent version of WordPress and of all your themes and plugins as soon as it is released. Core installs minor and security releases on its own (the default since WordPress 3.7); themes and plugins require more meticulous effort, because by default you update them manually (WordPress 5.5 added a per-plugin auto-update toggle in the admin screens).

If you'd rather not maintain the site by hand, you can turn on automatic plugin and theme updates with two filters. They do not belong in wp-config.php: that file is loaded before WordPress loads its plugin API, so add_filter() is undefined there and the call would be a fatal error. Put them in your theme's functions.php or, better, in a small file under wp-content/mu-plugins/:

  For plugins: add_filter( 'auto_update_plugin', '__return_true' );
  For themes:  add_filter( 'auto_update_theme', '__return_true' );
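As an added example (not code from the original article), here is the must-use-plugin form of that setting, extended so that one or two plugins or themes can be pinned to a version you have tested while everything else updates on its own. Save it as wp-content/mu-plugins/auto-updates.php; the file name, the function name and the two pinned slugs are placeholders of my choosing, and the code needs PHP 7 or later.

```php
<?php
/**
 * Plugin Name: Selective automatic updates
 *
 * Added example, not the article's own code. Lives in wp-content/mu-plugins/,
 * which WordPress loads on every request after the plugin API is available
 * (unlike wp-config.php). The slugs below are placeholders.
 */

// Items to keep on the version you tested, by slug. Everything else updates.
define( 'MY_PINNED_PLUGINS', array( 'my-custom-plugin' ) );
define( 'MY_PINNED_THEMES', array( 'my-child-theme' ) );

/**
 * Decide whether one update offer should be applied.
 *
 * @param bool   $update WordPress's own decision (false unless the item opted in).
 * @param object $item   The update offer. Plugins expose the slug as $item->slug,
 *                       themes as $item->theme.
 * @param array  $pinned Slugs that must never auto-update.
 * @return bool
 */
function my_should_auto_update( $update, $item, array $pinned ) {
    $slug = $item->slug ?? $item->theme ?? '';
    if ( in_array( $slug, $pinned, true ) ) {
        return false; // pinned: wait for a manual, tested update
    }
    return true;      // everything else: apply as soon as the offer appears
}

add_filter( 'auto_update_plugin', function ( $update, $item ) {
    return my_should_auto_update( $update, $item, MY_PINNED_PLUGINS );
}, 10, 2 );

add_filter( 'auto_update_theme', function ( $update, $item ) {
    return my_should_auto_update( $update, $item, MY_PINNED_THEMES );
}, 10, 2 );
```

Keep the pinned list to the extensions you have customised or that have broken on update before; a pinned item still needs a human to update it, so every entry is a security update you now owe. Background updates run from WP-Cron, so a low-traffic site needs a real cron job calling wp-cron.php for them to happen at all.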

4. Hide Indexes or Use .htaccess to Protect Vital Files

There's being warm and inviting, and then there's being just plain stupid. Protect what's yours and don't let anyone list your wp-content/plugins/ directory unless they have authenticated first. Leave directory listings enabled and you may as well write up the list of your plugins and their versions and hand it to the attackers like a gift coupon.

If your web server uses .htaccess files, it takes a little code-tweaking to hide your important files. Add as many or as few of the rules below as you like, placed outside the block delimited by the # BEGIN WordPress and # END WordPress comments, because WordPress rewrites whatever sits between those two markers. The rules come from the WordPress Codex.

Start by hiding wp-config.php, the file that holds your database credentials, by adding this to your .htaccess file:

  <Files wp-config.php>
    order allow,deny
    deny from all
  </Files>

You can also restrict wp-admin and wp-login.php to yourself, or lock specific addresses out.
To allow access to wp-login.php only from a list of IP addresses (203.0.113.10 stands in for your own address; substitute it):

  <Files wp-login.php>
    order deny,allow
    deny from all
    # allow access from my IP address
    allow from 203.0.113.10
  </Files>

To blacklist specific IP addresses from wp-login.php while everyone else keeps access (198.51.100.7 is a placeholder for the address you want to block):

  <Files wp-login.php>
    order allow,deny
    deny from 198.51.100.7
    allow from all
  </Files>

You can also make your directories non-browsable with this one line:

  Options All -Indexes
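The Order/Allow/Deny directives above are Apache 2.2 syntax; on Apache 2.4 they keep working only while mod_access_compat is loaded. As an added example (not the article's own rules), here is the same set of protections in the 2.4 Require syntax, for the site-root .htaccess outside the BEGIN/END WordPress block. The addresses are placeholders from the documentation ranges, and the final block is my addition for the upload directory.

```apache
# Added example, not from the original article. Apache 2.4 "Require" syntax.
# Addresses are placeholders; substitute your own.

# No directory listings (needs AllowOverride Options, or put it in the vhost)
Options -Indexes

# Configuration files are never served to a client
<Files wp-config.php>
    Require all denied
</Files>
<Files ".htaccess">
    Require all denied
</Files>

# Allow-list: the login form answers only to these addresses; everyone else
# receives 403 before PHP runs, so the request never reaches WordPress.
<Files wp-login.php>
    Require ip 203.0.113.10 198.51.100.0/24
</Files>

# Deny-list alternative: let everyone in except a few known-bad addresses.
# "Require not" is only valid inside RequireAll next to a granting rule.
# Uncomment this block and remove the one above to use it instead.
#<Files wp-login.php>
#    <RequireAll>
#        Require all granted
#        Require not ip 192.0.2.66
#    </RequireAll>
#</Files>

# Separate file, wp-content/uploads/.htaccess: the upload directory must
# never execute PHP, so a script smuggled in as an "image" cannot be run.
#<FilesMatch "\.ph(p[0-9]?|tml|ar)$">
#    Require all denied
#</FilesMatch>
```

The allow-list only works if you log in from a fixed address; if you roam, use the deny-list and lean on the login limiting and two-step authentication from section 10 instead. Note that the rules restrict wp-login.php rather than the whole wp-admin directory: front-end features of many themes and plugins call wp-admin/admin-ajax.php for anonymous visitors, and walling off the directory breaks them.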

5. Remove PHP Error Reports

A plugin or theme that misbehaves raises a PHP error message. Those messages are great for troubleshooting. Not so great when they get you hacked.
Each message is another little treat for attackers: a single warning prints the absolute filesystem path of the file that failed, and usually the name and version of the plugin it belongs to. You're handing them a map of your server to do with as they please, and that's not going to end well.
The downside of getting hacked outweighs any troubleshooting benefit, in my opinion, so disable on-screen errors altogether by adding this line to wp-config.php (and keep WP_DEBUG off on a live site, because WordPress turns error display back on when WP_DEBUG is true):

  @ini_set('display_errors', 0);
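The one-liner above is undone by a WP_DEBUG left switched on, because wp_debug_mode() runs after wp-config.php and, with WP_DEBUG true and WP_DEBUG_DISPLAY at its default of true, calls ini_set('display_errors', 1) itself. As an added example (not the article's own code), here is the weak state next to two corrected ones for wp-config.php; the log path is a placeholder.

```php
<?php
// Added example for wp-config.php, not the article's own code.
// These lines go above the require of wp-settings.php.

// Weak: the troubleshooting state left in place on a live site. With
// WP_DEBUG true and WP_DEBUG_DISPLAY unset, wp_debug_mode() re-enables
// display_errors after this file has run, so the ini_set below is overridden.
//
//   define( 'WP_DEBUG', true );
//   @ini_set( 'display_errors', 0 );

// Corrected, production: no diagnostics to the browser at all. WordPress
// leaves display_errors alone when WP_DEBUG is false, so the ini_set stands
// and also covers errors raised before WordPress installs its own handling.
define( 'WP_DEBUG', false );
@ini_set( 'display_errors', 0 );

// Corrected, while troubleshooting: keep WP_DEBUG on but send output to a
// log file outside the web root (a path is accepted since WordPress 5.1;
// a bare true writes wp-content/debug.log, which the web server will serve
// to anyone who asks for it). The path below is a placeholder.
//
//   define( 'WP_DEBUG', true );
//   define( 'WP_DEBUG_DISPLAY', false );
//   define( 'WP_DEBUG_LOG', '/var/log/wordpress/debug.log' );
//   @ini_set( 'display_errors', 0 );
```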

6. Hide the Authors, Hide the Login Page

It may be harsh, but anyone who leaves the WordPress defaults untouched is practically asking for trouble.
With the defaults intact, finding the authors and their usernames is a cakewalk. Append ?author=1 to your site's URL and, on a site with pretty permalinks (the usual setup), WordPress answers with a redirect to /author/<username>/, which puts the login name of user ID 1 in the Location header. Since user 1 is usually the administrator, that is half of the admin credential served on a plate, plus an invitation to brute-force the other half.
So what's the trick? Send author archives back to the homepage by adding this code to your theme's functions.php file (the hook is template_redirect; the priority of 1 matters, because WordPress's own canonical redirect runs on the same hook at priority 10 and would leak the username first):

  add_action( 'template_redirect', 'author_redirect', 1 );
  function author_redirect() {
    if ( is_author() ) {
      wp_redirect( home_url() );
      exit;
    }
  }

So when someone tries ?author=1 hoping to see admin details, they get the homepage instead, and you can laugh at their pain.
You can also relocate and rename your login page for an extra bit of security. Several security plugins let you change the login page from the traditional www.yourdomain.com/wp-admin or www.yourdomain.com/wp-login.php; Lockdown WP Admin and Stealth Login do it in a trifle.
Obscuring and redirecting are not infallible, but then, what is? In any case, it's better than nothing.
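The author archive is not the only place the login names leak, so as an added example (not the article's own code) here is a must-use plugin that covers the archive redirect above for anonymous visitors and two further channels that confirm usernames: the REST API's user listing and the wording of the login error. File location, function and message text are my choices.

```php
<?php
/**
 * Plugin Name: Block username enumeration
 *
 * Added example, not the article's own code. Lives in wp-content/mu-plugins/.
 * Closes three ways an anonymous visitor turns a user ID into a login name.
 */

// 1. Author archives, whether requested as ?author=1 or /author/<name>/.
//    Priority 1 runs before redirect_canonical (priority 10 on the same
//    hook), which would otherwise 301 ?author=1 to /author/<name>/ and leak
//    the name in the Location header. Logged-in users keep the archives.
add_action( 'template_redirect', function () {
    if ( is_author() && ! is_user_logged_in() ) {
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
}, 1 );

// 2. The REST API (WordPress 4.7 and later) lists every user who has a
//    published post at /wp-json/wp/v2/users; its 'slug' field is the
//    user_nicename, which defaults to the login name. Drop the routes for
//    anonymous requests only, so the editor's author selector keeps working.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// 3. The login form's default error text differs for an unknown username
//    and for a wrong password, which confirms which names exist. Replace
//    it with one message for every failure.
add_filter( 'login_errors', function ( $error ) {
    return 'Login failed. Check your username and password.';
} );
```

The last filter also generalises the errors of the password-reset form on the same page, which is a feature: that form otherwise confirms which e-mail addresses have accounts. None of this helps if the administrator's login name is also printed as the display name on every post, so check the Display name setting in the user profile as well.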

7. Back It All Up

This is your safety net, and it only helps if it is in place before you need it.
Create a schedule and back up your WordPress site at least as often as you update or change it. Backups are your disaster-mitigation strategy: if you get hacked, break something, or simply lock yourself out, you restore the latest good copy. Keep copies off the web server (a backup that sits next to the site is compromised along with it) and test a restore now and then, so you know the copies are usable.
Automatic backups on a strict schedule are easy with services and plugins like VaultPress, BackupBuddy and UpdraftPlus, which also come with built-in restore options.

8. Don’t Look Like a Defenseless Newbie

Impressions and appearances matter on the web as much as they do in the real world.
Attackers treat certain tells as marks of an unattended site: 1. default posts and comments, 2. a 'Powered by WordPress' footer, 3. leftover installation and upgrade scripts. Such sites are picked first, so remove all the default posts, tags, and comments.

Proud though you may be to be 'Powered by WordPress', that footer is bad news: crackers put the phrase into a search engine to find sites to crack. Remove it.
Hide which version of WordPress you run, to make fingerprinting harder. Older themes hard-code the meta generator tag (a <meta name="generator" content="WordPress ..."> line) in wp-content/themes/(your theme)/header.php; if it's there, remove it. Current themes don't print it themselves: wp_head() does, and the same version string also goes into the RSS feed. One route is to edit core: open wp-includes/general-template.php and find the function the_generator (around line 1858 at the time of writing; it moves between releases). It looks like this:

  function the_generator( $type ) {
    echo apply_filters( 'the_generator', get_the_generator( $type ), $type ) . "\n";
  }

Put a hash in front of the echo and you're done:

  function the_generator( $type ) {
    #echo apply_filters( 'the_generator', get_the_generator( $type ), $type ) . "\n";
  }

Bear in mind that every core update overwrites general-template.php, so this edit has to be redone after each one; the sturdier fix is to return an empty string from the the_generator filter that the function already runs its output through, from functions.php or a plugin, which survives updates.

You'll also have to delete /wp-admin/install.php and /wp-admin/upgrade.php after every WordPress update, because each update puts them back. Don't worry; on an installed site those scripts do nothing useful (install.php refuses to run once the database is set up), so removing them costs nothing.
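As an added example (not the article's own code), here is the plugin form of the same fingerprint removal, which survives core updates because it touches no core file. It silences the generator output in the head and in feeds, and strips the core version number that WordPress appends as ?ver= to its own scripts and stylesheets. File location and function name are my choices.

```php
<?php
/**
 * Plugin Name: Remove version fingerprints
 *
 * Added example, not the article's own code. Lives in wp-content/mu-plugins/
 * and replaces the edit to wp-includes/general-template.php.
 */

// The <head> tag and the <generator> element of RSS/Atom feeds both go
// through the_generator(), which passes its output through this filter;
// returning an empty string silences every variant.
add_filter( 'the_generator', '__return_empty_string' );

// Remove the <head> hook as well, so nothing at all is printed there.
remove_action( 'wp_head', 'wp_generator' );

/**
 * Strip ?ver=<core version> from a script or style URL. Scripts and styles
 * that set their own version keep it; only the core version is a fingerprint.
 *
 * @param string $src The URL WordPress is about to print.
 * @return string
 */
function my_strip_core_version( $src ) {
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( $query ) {
        parse_str( $query, $params );
        if ( isset( $params['ver'] ) && $params['ver'] === get_bloginfo( 'version' ) ) {
            $src = remove_query_arg( 'ver', $src );
        }
    }
    return $src;
}
add_filter( 'script_loader_src', 'my_strip_core_version', 15 );
add_filter( 'style_loader_src', 'my_strip_core_version', 15 );
```

readme.html in the site root also states the version in plain text; delete it, or deny it in .htaccess the same way as wp-config.php. Hiding the version is only a speed bump: scanners can still identify a release from the hashes of public files under wp-includes/, so none of this substitutes for updating.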

You can push the cat-and-mouse game further by renaming default files and directories. The Settings > Miscellaneous screen that older versions had was removed in WordPress 3.5; today you move wp-content by defining WP_CONTENT_DIR and WP_CONTENT_URL in wp-config.php, and you can point your theme's comment form at a renamed copy of wp-comments-post.php (the evil laugh is optional). Remember to update the template URL in your theme and every reference to wp-comments-post.php, or the site stops working.

9. Cut Plugins: Freebies, Premiums, and Pirated

Security, site speed, performance, and functionality are four important factors of a good, functioning site. Every single one of them is affected by plugins, directly and otherwise. This is why you need to select your plugins with care.

There’s no optimum number to how many plugins you ought to have on your site. Try to get those which come packed with a large array of features so you don’t have to install separate plugins for those functions too. Having as few plugins as possible gives hackers less ‘ins’ to use a plugin vulnerability to mess up your site. The plugins you are no longer using should be deleted. Deactivating them is not enough.

There are free and premium plugins for everything. Those looking to save a quick buck often try to get smart by downloading premium plugins for free from sources that can only be described as the digital equivalent of a dank, seedy back alley. Make no mistake, that WILL come back to bite.
You cannot, in any instance, trust these dodgy sources. They take perfectly legitimate plugins, stuff them with malware, and let the gullible masses do the rest. You are essentially giving the attackers a direct line to your site's backend, all to save a few bucks.
Bottom line: pirated plugins? Just say no.

10. Get Your Security Plugins Straight

They can and will make a world of difference. Here’s a checklist of what you absolutely must-have:

  • Two-Step Authentication: A great way to stop anyone brute-forcing their way in. Plugins like Google Authenticator and Duo Two-Factor Authentication add a second factor to the login: a time-based one-time code from an authenticator app, or a push prompt or SMS code, on top of the usual password. A guessed or leaked password alone is then not enough.
  • Limit Login Attempts: Given enough time and an endless supply of attempts, an attacker WILL eventually brute-force your password. Prevent that by limiting the number of login attempts allowed from any one IP address within a given period. Plugins like Login LockDown are built specifically for this; others like iThemes Security and Sucuri include login limiting among their features. User Locker goes a step further and locks the account after repeated invalid attempts; bear in mind that an attacker can abuse that to lock you out, so pair it with an IP allow-list or a recovery path.
  • Additional plugins: Chap Secure Login protects the password in transit with a CHAP-style challenge-response hash (SHA-256) instead of sending it in the clear; that only matters if the login page is not already served over HTTPS, which is the proper fix. BBQ (Block Bad Queries) blocks request URIs containing eval( or base64 and other suspiciously long request strings. Scan your theme for malware with Theme Authenticity Checker and run regular site scans with trusted scanners like Sucuri, CodeGuard, or AntiVirus.
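To show what the login-limiting plugins above actually do, here is an added example (not the article's own code, nor that of any plugin it names) of a per-address lockout as a must-use plugin: after five failures from one address, further logins from it are refused for fifteen minutes, and each new attempt restarts the clock. Names, thresholds and the message text are my choices.

```php
<?php
/**
 * Plugin Name: Login throttle
 *
 * Added example, not the article's own code. Lives in wp-content/mu-plugins/.
 * After MY_LT_MAX_FAILURES failed logins from one address, logins from it
 * are refused until MY_LT_LOCKOUT seconds pass without another attempt.
 */

define( 'MY_LT_MAX_FAILURES', 5 );
define( 'MY_LT_LOCKOUT', 15 * 60 ); // seconds

/**
 * The address to throttle on. Only the TCP peer address is used: a
 * client-supplied X-Forwarded-For header is attacker-controlled and would
 * let the attacker choose which "address" gets locked out. If a reverse
 * proxy you operate sits in front, have the web server rewrite REMOTE_ADDR
 * (mod_remoteip on Apache) rather than trusting the header here.
 */
function my_lt_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function my_lt_key( $ip ) {
    return 'my_lt_' . md5( $ip ); // transient names have a length limit
}

function my_lt_failures( $ip ) {
    $n = get_transient( my_lt_key( $ip ) );
    return false === $n ? 0 : (int) $n;
}

// Count every failure. wp_login_failed fires for unknown usernames and wrong
// passwords alike, and for xmlrpc.php as well as wp-login.php, because both
// go through wp_authenticate(). Re-setting the transient restarts the
// lockout clock, so hammering a locked address only prolongs the lockout.
add_action( 'wp_login_failed', function ( $username ) {
    $ip = my_lt_client_ip();
    set_transient( my_lt_key( $ip ), my_lt_failures( $ip ) + 1, MY_LT_LOCKOUT );
} );

// Refuse the login while the address is locked, even with the right password.
// Priority 30 runs after WordPress's own username/password and e-mail checks
// (priority 20), so this result overrides theirs and a WP_User is never
// returned to wp_signon() for a locked address.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( my_lt_failures( my_lt_client_ip() ) >= MY_LT_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_failures',
            'Too many failed login attempts from your address. Try again later.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( my_lt_key( my_lt_client_ip() ) );
}, 10, 2 );
```

Per-address limiting stops a single machine, not a botnet spreading a few attempts across thousands of addresses; that is what the two-step authentication above is for, and why the two belong together. Transients live in the options table (or the object cache, if you have one), so the counters survive across PHP processes but are cleared by anything that flushes the cache.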

In the End

Keep in mind that WordPress security isn’t about throwing a bunch of plugins and code in your site. It’s a constant, ongoing effort to keep your site safe.

The best and worst thing about WordPress is its vast knowledge-base and open-source code, not to mention millions of users that can be affected if a single flaw comes to light. While that’s every hacker’s dream-come-true, information about security is also thankfully abundant to keep them at bay and even help you stay one step ahead.

Adapt your security strategy as WordPress grows and evolves.



Published at DZone with permission of Andrey Prikaznov, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.
