WordPress is one of the most widely used content management systems in the world, and it is open source. The flip side of open source is that anyone, attackers included, can read the code and hunt for vulnerabilities to exploit. WordPress sites have therefore been a frequent target, and a hacked site can damage both your reputation and your business. At Themify we hear about WordPress security problems from members often enough that we decided to write this article.
WordPress itself constantly badgers you about new updates; don't ignore them. Updates are how known vulnerabilities get patched, and once a fix is public the hole it closes is public too, so it is vital to keep the WordPress core, your themes and your plugins all current.
WordPress shows update notifications as soon as you log in, Themify shows them in the Themify admin panel, and other plugins and themes should do something similar. Keep your files updated. (Note that if you set DISALLOW_FILE_MODS as described further down, the admin panel can no longer install or update anything, and the update notices disappear with it, so you will need another route, such as WP-CLI or a deployment process, to stay current.)
Remove Inactive / Old Themes and Plugins
Themes and plugins that are installed but inactive are still sitting on disk, and their PHP files can still be requested directly from the web. Because inactive code tends not to get updated, it is a likely place for an old, publicly known security hole that an attacker can reach even though you never use the code.
Your best bet is to delete any themes and plugins you are not using (deactivating is not enough) and stick with what you need.
Disable the Theme / Plugin Editor
An intruder who guesses an admin login and password can use the built-in editor to open your theme or plugin files and insert their own code. For example, they can turn a template file into a PHP uploader and use it to upload more files or change file permissions without your knowledge.
Disabling the built-in Theme and Plugin editor ensures that such an intruder cannot modify theme or plugin code from the admin panel. Note that the editor is only one route: an admin account can also upload a plugin zip containing arbitrary PHP, which is why the second constant below, DISALLOW_FILE_MODS, is worth setting too. It blocks plugin and theme installation, updates and deletion from the admin panel entirely, so be sure you have another way to apply updates (see the section on updates above).
In the directory you installed WordPress into, you will find a file called wp-config.php. Add the following lines to it, above the line that reads "That's all, stop editing!":
/* disable the theme editor and plugin editor */
define( 'DISALLOW_FILE_EDIT', true );
/* also block plugin/theme installs, updates and deletion from the admin panel */
define( 'DISALLOW_FILE_MODS', true );
Once these are in place, the Theme Editor and Plugin Editor entries disappear from the admin menu and you should no longer be able to edit files from inside the WordPress admin panel.
Protect Your .htaccess File
Your .htaccess file is a per-directory configuration file read by the Apache web server (nginx ignores it entirely, so the tricks in this section only apply to Apache-compatible hosts). It lets you tell the server which requests to refuse, for example by filename, file type or client IP address, and can also disable directory listings and rewrite URLs. It is a hidden file that sits in the root directory of your website, and you will need to show hidden files in order to see it.
Once you are able to edit it, add this to the file:
# protect .htaccess file
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
This ensures that no one from the outside can download your .htaccess file and read the rules in it (including any IP allowlists you add below). A stock Apache configuration already refuses to serve files beginning with .ht, so this rule is a belt-and-braces measure for hosts that have changed the default. Note also that the order/allow/deny form is Apache 2.2 syntax; on Apache 2.4 it only works if the mod_access_compat module is loaded, and the native equivalent is Require all denied.
Disable Directory Listing
While you’re inside of .htaccess, you might as well disable the ability to get directory listings from your WordPress install.
A directory listing is the index page Apache generates for a folder that has no index.html or index.php: it shows every file in the folder. That is a gift to an attacker, who can use it to read off plugin versions, find backup copies and stray uploads, and pick out files with known vulnerabilities to request directly.
The directive that turns listings off belongs in the root .htaccess (the one for your entire install), so that it applies to every folder below it.
With listings disabled, nobody can enumerate the contents of your folders, which makes vulnerable files that much harder to find.
Protect the ‘wp-config.php’ File
Another fun thing to add to your .htaccess file, since you’ve been inside of it for the previous two!
Your wp-config.php file contains some of the most sensitive information on the site: the database name, username and password, and the authentication keys and salts WordPress uses to sign login cookies. Anyone who reads it can log into your database directly and forge sessions.
Normally a request for a .php file is executed by PHP rather than served as text, so its contents are not exposed. The rule below is defence in depth for the day that stops being true (a broken PHP handler on the host, for instance), and it also blocks the file from being fetched via any URL at all. Add this to your .htaccess file:
# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
As with the previous rule, this refuses any outside request for wp-config.php; PHP still reads the file from disk, so WordPress keeps working. Be aware that the rule matches that exact filename only: backup copies such as wp-config.php.bak or wp-config.php~ are plain text to the web server and would be served as-is, so never leave them in the web root.
Prevent ‘wp-login.php’ From Being Accessed by Unknown IPs
If you haven't guessed yet, this is another trick done by editing the .htaccess file. The file wp-login.php is the gatekeeper to your WordPress admin panel. By default it can be reached from anywhere, which is convenient, but it also means that anyone on the Internet can run an automated password-guessing attack against it.
Using .htaccess, a list of IPs can be created that are allowed access, commonly referred to as a ‘whitelist,’ to prevent non-known IPs from attempting password guesses.
Inside the root folder’s .htaccess, add this code:
<files wp-login.php>
order deny,allow
deny from all
# a single static address
allow from xxx.xxx.xxx.xxx
# an address range, e.g. the block your ISP assigns you
# (a /24 covers 256 addresses, a /16 covers 65,536)
allow from xxx.xxx.xxx.0/24
allow from xxx.xxx.0.0/16
</files>
Fill in your actual addresses in place of the x placeholders. If you have a static IP, allow just that one (and update the rule should it change); if your address changes, allow the range your provider draws from, keeping the mask as narrow as you can. Plenty of websites will tell you your current public IP, and they are a quick search away. Two caveats: every request from an address that is not listed gets a 403, including your own if you forget to update the rule, so keep a way to edit the file over SFTP; and wp-login.php is not the only place credentials are accepted. xmlrpc.php also authenticates username/password pairs, so either disable XML-RPC or apply the same allowlist to it.
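The four .htaccess rules above (protect .htaccess, disable listings, protect wp-config.php, restrict wp-login.php) all go in the same root .htaccess, and the post shows them in Apache 2.2 syntax. Here is the complete file as an added example in Apache 2.4 syntax, which is what current hosts run; it is not code from the original post. It also supplies the directory-listing directive the post omits and folds in the .exe rule from the section further down. The IP addresses are RFC 5737 documentation ranges standing in for your own.

```apache
# Root .htaccess for a WordPress install, Apache 2.4 syntax (mod_authz_core).
# Added example. Needs AllowOverride All (or at least AuthConfig, Options and
# FileInfo) for this directory in the host's Apache configuration.

# Never serve .htaccess / .htpasswd to browsers. Stock httpd.conf already does
# this; repeated here for hosts that changed the default.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Disable directory listings for this folder and everything below it.
# (Returns a 500 error instead if the host does not allow Options overrides.)
Options -Indexes

# Block every web request for wp-config.php; PHP still reads it from disk.
<Files "wp-config.php">
    Require all denied
</Files>

# Only the listed addresses may reach the login page; everyone else gets 403.
# Placeholders: 198.51.100.7 is a single static address, 203.0.113.0/24 a range.
<Files "wp-login.php">
    <RequireAny>
        Require ip 198.51.100.7
        Require ip 203.0.113.0/24
    </RequireAny>
</Files>

# xmlrpc.php also accepts username/password logins, so give it the same list.
<Files "xmlrpc.php">
    <RequireAny>
        Require ip 198.51.100.7
        Require ip 203.0.113.0/24
    </RequireAny>
</Files>

# Refuse to serve Windows executables at all (the .exe rule from the section below).
<FilesMatch "\.exe$">
    Require all denied
</FilesMatch>
```

After saving, check from a browser or with curl that /wp-config.php, /.htaccess and a folder without an index file all return 403 (the folder may return 404 on some hosts), and that /wp-login.php returns 403 from an address outside the list. Keep SFTP access handy while testing: a typo in this file takes the whole site down with a 500 until it is fixed.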
Prevent ‘wp-admin’ From Being Accessed by Unknown IPs
The protection on wp-login.php can be doubled by applying the same IP allowlist to the wp-admin folder. Create a separate .htaccess file inside the wp-admin directory (not the root one, where it would lock down the whole site) and add this code to prevent unknown IPs from reaching anything under wp-admin:
# wp-admin/.htaccess
order deny,allow
deny from all
# static IP
allow from xxx.xxx.xxx.xxx
# address range
allow from xxx.xxx.xxx.0/24
allow from xxx.xxx.0.0/16
Do not wrap these lines in a <Limit GET> block: that would restrict GET requests only and leave POST and every other method wide open. One file under wp-admin, admin-ajax.php, is also called by the public front end of many themes and plugins (for logged-out visitors too), so blanket-blocking the folder can break features for ordinary visitors; see the example below for how to exempt it.
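The same wp-admin restriction in Apache 2.4 syntax, with the admin-ajax.php exemption that keeps front-end features working. This is an added example, not code from the original post; the addresses are RFC 5737 documentation placeholders for your own.

```apache
# wp-admin/.htaccess, Apache 2.4 syntax. Added example.
# No <Limit> block, so this covers GET, POST and every other method.

# Only allowlisted addresses may reach anything in this folder.
# Placeholders: 198.51.100.7 (static address), 203.0.113.0/24 (range).
Require ip 198.51.100.7
Require ip 203.0.113.0/24

# ...except admin-ajax.php, which themes and plugins call from the public
# front end for anonymous visitors. With the default AuthMerging Off, the
# Require inside this <Files> section replaces the folder-level one above.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Test it by loading /wp-admin/ from an address outside the list (expect 403) and then fetching /wp-admin/admin-ajax.php from the same address (expect a 400 "0" response from WordPress rather than 403, which shows the request reached PHP).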
Deny Executable Files Like .exe Extension
Executable files are trouble: a visitor who downloads and runs an .exe that somehow landed on your server can end up with a worm or virus on their computer, and a site that hands out malware gets blocked by browsers and search engines. You can refuse to serve them using .htaccess.
Add this to your .htaccess file:
# deny all .exe files
<files "*.exe">
order deny,allow
deny from all
</files>
Like the earlier rules, this makes the web server refuse any request for a file ending in .exe, so even if one is uploaded it cannot be downloaded by visitors. It does not stop the upload itself, and it does nothing about the bigger server-side risk, a PHP file dropped into wp-content/uploads, which a similar rule for *.php in that folder would cover.
Add a Firewall
Much like the .htaccess allowlist that lets only known IPs reach wp-login.php, a firewall can restrict who is allowed to connect to the services you use to manage the server, such as SFTP, SSH and FTP. Plain FTP sends your password unencrypted, so prefer SFTP where the host offers it. Setting firewall rules is usually something you have to ask your hosting provider to do.
Additional Plugin Recommendations
Website security is typically the last thing on the minds of website owners, but priorities should be raised on website security to keep WordPress sites safe and secure. The above list is a solid start, and hopefully useful.
- Securing Your WordPress Website (Smashing Magazine)
- WordPress Security: How to Secure WordPress Thoroughly (Onextrapixel)
- Unleashing .htaccess for WordPress (Onextrapixel)