Your friends and colleagues tell you about them, and the web has plenty of them too: horror stories, all involving security problems with WordPress sites. Maybe they’ve got you worried about your own site. Most likely these stories have scared you away from using WordPress for your blog, website, corporation or enterprise.
The simple truth is, any site is only as secure as its weakest security measure, and we could all implement additional measures for securing our WordPress installs, and websites in general. Naturally, this article will focus on WordPress. I’m going to share with you five things you can do today to step up the security of your WordPress-powered sites.
Secure Your Admin Area
Even if you use strong, random usernames and passwords for accessing the WordPress administration dashboard, adding further layers of authentication is still a good idea. They drastically lower the chance of a brute-force attack succeeding.
Here are three options for building stronger security into the WordPress admin dashboard.
Option 1: Password Protect the WordPress Login Page
On an Apache web server, you can use htpasswd, which is a simple method of password-protecting website files. (IIS, Nginx and other web servers have their own forms of password protection.)
For WordPress, you could password-protect the wp-login.php file, for example. Doing this requires administrators of your site to type in an additional username and password before they can even reach the WordPress login page.
Read this great tutorial on how to password protect your WordPress admin area.
Option 2: Set Up Two-Step Verification
Two-step verification requires two separate authentication steps before letting you into your WordPress admin area. If your username and password are ever compromised without your knowledge, this additional layer helps keep your site secure: it gives you time to reset your login information before your admin area is breached, and it also tells you when someone attempts to log in.
Here’s how it works:
- You sign into WordPress as you normally do.
- Right after entering your login information, you’ll receive a unique, one-time password on your mobile phone that expires after a certain amount of time.
- If the unique password is incorrect or if the password has expired, access to your WordPress admin area will be denied, even if the login credentials used are valid.
Duo Two-Factor Authentication is another plugin to consider. It can be set up to send an SMS to your mobile phone or to place a voice call that reads out your one-time password.
Option 3: IP Address Whitelisting
With this option, only authorized (whitelisted) IP addresses can access the WordPress admin area.
One drawback of IP address whitelisting is that if you work from many places (coffee shops, coworking spaces, etc.) or travel frequently, this measure can be a hassle, since you’d have to whitelist the IP address you are using before you can reach your admin area. Of course, there are workarounds, such as using a VPN so that you have a static IP address regardless of which network you connect from.
Whitelisting IP addresses can be done through your site’s .htaccess file. You can use the following directive to deny access to WordPress’s wp-login.php page if the request does not originate from your IP address (replace your.ip.address below with the IP address you normally use):

```apache
<Files wp-login.php>
  Order deny,allow
  Deny from all
  Allow from your.ip.address
</Files>
```

Note that Order, Deny and Allow are the Apache 2.2 access-control directives; on Apache 2.4 they only work while mod_access_compat is loaded, and the native equivalent is Require ip.
If you want to whitelist multiple IP addresses, just add additional Allow from lines. Here’s an example where the directive whitelists three different IP addresses:

```apache
<Files wp-login.php>
  Order deny,allow
  Deny from all
  Allow from 255.255.255.0
  Allow from 192.168.0.1
  Allow from 188.8.131.52
</Files>
```
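As an added example (not part of the original article), here is a Python check you can run over your Apache access log to see whether the measures above are holding up: it flags IPs that post to wp-login.php again and again without ever being redirected (WordPress answers a failed login with 200 and a successful one with 302), and lists the IPs that reached the login page from outside your whitelist. The log lines and the 192.168.0.0/24 whitelist used in the test are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Apache "combined" log line; only the fields the checks below need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """(ip, timestamp, method, path, status) for a combined-log line, else None."""
    m = LOG_RE.match(line)
    return m and (m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                  m["method"], m["path"].split("?")[0], int(m["status"]))

def login_requests(lines):
    """Parsed records for every request that reached wp-login.php."""
    return [r for r in map(parse_line, lines) if r and r[3].endswith("/wp-login.php")]

def wp_login_failures(lines, threshold=5, window_seconds=60):
    """IPs with at least `threshold` failed logins inside any `window_seconds` span.
    WordPress redisplays the form with 200 on a failed login and answers 302 on success."""
    attempts = defaultdict(list)
    for ip, ts, method, _, status in login_requests(lines):
        if method == "POST" and status == 200:
            attempts[ip].append(ts)
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

def outside_allowlist(lines, allowlist):
    """IPs that reached wp-login.php but are not allowlisted (what the .htaccess rule would deny)."""
    nets = [ip_network(a, strict=False) for a in allowlist]
    return {r[0] for r in login_requests(lines) if not any(ip_address(r[0]) in n for n in nets)}

# Constructed sample (not from a real server): one host hammering the form, one normal login.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2024:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 5213 "-" "-"'
    for s in (1, 4, 9, 15, 22, 30)
] + [
    '192.168.0.20 - - [10/Mar/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.9 - - [10/Mar/2024:10:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5213 "-" "-"',
]
```

Feed it your real access log with `wp_login_failures(open("access.log"))` and the addresses from your own .htaccess as the allowlist; anything it flags is a candidate for the deny list or for a password reset.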
Maintain a Good Password Policy
WordPress sites involve several services with their own user authentication: your MySQL database, the graphical tools you use to manage your WordPress-related assets and hosting (such as phpMyAdmin and cPanel), the WordPress admin dashboard, and so on. It’s best to use strong, randomly generated passwords for every service that could be exploited to affect your WordPress site.
Make it your practice never to reuse the same username and password across services. Then, if one set of credentials is compromised, the breach is contained to a single service.
Using a password manager such as LastPass (or one from this list of Best Password Managers) can help you keep track of your passwords. Because a password manager remembers them for you, you are free to choose complex, more secure passwords that you don’t have to memorize.
Remove Website Files That You Don’t Need
Nothing beats a regular website maintenance routine. Removing unused and outdated website files improves WordPress security by reducing potential attack vectors.
Many people either forget or don’t bother to remove unused or outdated files, or don’t think these files can be harmful, so they never take the time to maintain them. Sooner or later these files can cause security problems such as cross-site contamination, where attackers exploit vulnerabilities in old files you’ve forgotten about. Candidates for removal include:
- Deactivated and unused plugins and themes – reinstall them later if needed.
- Old WordPress installs and unused website files – staging or development sites for your WordPress projects? These should be removed from public-facing servers and archived somewhere safe.
- Pages and Posts in the Trash folder – also if you have items saved in your Drafts folder and won’t be using them soon, delete them too.
- Comments in the Spam or Trash folder – anything in your Pending folder should be approved or permanently deleted.
- Any backups that you have on your server – if you’re automatically backing up your website files and databases to your web hosting account or web server, remove them from there and store them in a location that isn’t publicly accessible.
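As an added example (not the article’s own code), a Python audit that walks a WordPress document root and reports the leftovers from the list above that can be found on disk: plugin directories not in the site’s active_plugins option, backup archives and database dumps sitting under the web root, and nested copies of WordPress (an old or staging install). The sample tree it builds in a temporary directory is constructed for the demonstration, and the active plugin list is assumed to come from the site’s active_plugins option.

```python
import os
import tempfile
from pathlib import Path

# File types that should never sit in a public web root.
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".zip", ".tar", ".tar.gz", ".tgz", ".bak", ".old")

def plugin_slug(entry):
    """WordPress records active plugins as 'dir/main.php', or 'main.php' for single-file plugins."""
    return entry.split("/", 1)[0]

def audit_wordpress_tree(root, active_plugins):
    """Leftovers from the cleanup list, relative to root; active_plugins is the site's active_plugins option."""
    root = Path(root)
    findings = {"inactive_plugins": [], "backups": [], "nested_installs": []}
    active = {plugin_slug(p) for p in active_plugins}
    plugins_dir = root / "wp-content" / "plugins"
    if plugins_dir.is_dir():
        for p in plugins_dir.iterdir():
            if p.name != "index.php" and p.name not in active:
                findings["inactive_plugins"].append(p.name)
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        if rel != Path(".") and "wp-login.php" in filenames:
            findings["nested_installs"].append(str(rel))   # a second WordPress copy (old/staging)
            dirnames[:] = []                               # do not descend into it
            continue
        for f in filenames:
            if f.lower().endswith(BACKUP_SUFFIXES):
                findings["backups"].append(str(rel / f))
    return {k: sorted(v) for k, v in findings.items()}

def build_sample_site(base):
    """Constructed WordPress-like tree (not a real install) that exercises each check."""
    for f in ["wp-login.php", "wp-config.php", "wp-content/plugins/index.php",
              "wp-content/plugins/akismet/akismet.php", "wp-content/plugins/hello.php",
              "wp-content/plugins/old-slider/old-slider.php",
              "wp-content/uploads/2024/03/photo.jpg", "backup-2024-03-10.sql.gz",
              "wp-content/backups/site.zip", "staging/wp-login.php", "staging/wp-config.php"]:
        path = Path(base) / f
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("")

def run_demo():
    """Audit the constructed tree in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return audit_wordpress_tree(tmp, ["akismet/akismet.php", "hello.php"])

if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

On a real site, point audit_wordpress_tree at the document root and pass the list that `wp option get active_plugins` prints; review each finding before deleting, since the audit only reports what it sees on disk.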
Protect Your WordPress Site Against DDoS Attacks
Distributed denial-of-service (DDoS) attacks are attacks that attempt to take your website down. Many people don’t think they can be the target of a DDoS attack, but it can happen to anyone.
With regular reports and studies showing that DDoS attack frequency, duration and size are growing drastically, now is the time to take steps to defend your site against downtime and subsequent revenue loss caused by denial-of-service.
If you’re concerned about DDoS attacks, here are some services you can look into:
Use a Web Application Firewall
It doesn’t matter how big or small your WordPress site is, it needs a web application firewall. A web application firewall blocks attacks that attempt to exploit common security vulnerabilities.
Even keeping your WordPress install, theme and plugins up to date with the latest security patches still leaves you exposed to zero-day attacks. In the context of WordPress, zero-day attacks come from things like unpatched security issues that are unknown to the developers of your theme or plugins, or that the developers know about but have not yet had time to fix and release a patch for. A web application firewall can significantly reduce your zero-day exposure by blocking commonly known exploit techniques such as SQL injection and XSS (cross-site scripting).
If you run your own Apache web server (or VPS), ModSecurity is a free and open-source web application firewall module you can install.
If you have some money to spend, look into CloudProxy, a suite of website protection software. It comes with a web application firewall that supports many types of publishing platforms, including WordPress.
On a shared web host with limited ability to configure your web server? Check out the Block Bad Queries WordPress plugin. Although technically it isn’t a web application firewall, it does a good job of stopping malicious requests. Block Bad Queries adds directives to your .htaccess file that screen your incoming website traffic for bad requests.