By: Amanda Garceau

Date: March 16, 2017

WordPress is one of the most widely used content management systems (CMS). Its ease of use makes it a natural fit for companies and individuals who want a CMS that allows easy content updates and gives developers and designers the flexibility to build on it.

That same popularity and ease of use also make it a ripe target for attacks: a widely deployed platform with a predictable layout is cheap to scan for at scale. Fortunately, there are many steps you can take to make your site considerably harder to compromise. Below is an outline of options for hardening your WordPress website.

Hosting

One of the initial steps in setting up a website is to acquire server space to host your website. Hosting plays an important role in setting a good foundation for your website and making sure that everything is optimized properly from the ground up.

The options are endless and vary greatly in price. There are several different types of server:

Shared Server
Most of the cheaper options involve a shared server, which means your website is hosted on the same machine as hundreds or thousands of other customers. Typically, shared servers offer unlimited space and bandwidth, but they do not make the same promises about CPU power and memory. A shared server also widens your exposure: you have no guarantee that the other sites on that server haven't been compromised, and your site's security then depends on how well the host isolates one customer's account from another's.

Virtual Private Server (VPS)
This is a good middle ground for those who want to save on cost but don't want to be on a shared server. With a VPS, the provider guarantees you a minimum allocation of resources (meaning far fewer customers share the same physical machine). Costs for this type of server vary with the level of resources needed. This option also gives you more control over your server, including the operating system and web server configuration.

Dedicated Server
A dedicated server is great for large-scale or resource intensive websites. Costs for this type of server are high, but it guarantees that you are the only user on the server and that your website is not impacted by other potentially compromised sites sharing the same space. This option allows for the most control of the server.

Managed WordPress
Due to the popularity of WordPress, many hosting providers have started offering hosting on servers that have been optimized specifically for WordPress. These servers are ideal for running WordPress code and ensuring that certain areas of the server are locked down. Some popular managed WordPress solutions include WP Engine, Pagely, Flywheel, DreamPress, and Media Temple.

Security Configuration

Once you’ve selected a hosting provider, it’s time to set up your website and layer in security measures to harden your website even further. The following is a list of must-have security measures to implement on any WordPress website.

Securing WordPress Admin
It's a good idea to use HTTPS on the front end of your site (it now has an impact on your Google search rankings), but it's even more important to protect the admin panel, since that is where passwords and session cookies travel. SSL certificates are now free (or very cheap), which lets you add the following line to wp-config.php to force wp-admin and wp-login.php onto HTTPS. Make sure the certificate is actually installed and working before adding it, or the forced redirect will lock you out of the admin panel:

define( 'FORCE_SSL_ADMIN', true );

There are many ways to secure the login screen itself, they all have their advantages and ideally would all be implemented. However, because some of them can get annoying to deal with on an everyday basis, weigh your options carefully.

  • 2-Step Authentication: this is one of the stricter ways of locking the admin down. It requires a second factor (such as a confirmation code delivered by text message or generated by an authenticator app) in addition to the password, so a guessed, phished or leaked password alone is not enough to log in.
  • Restrict Admin to Specific IPs: this option restricts access to the admin panel to an allow-list of IP addresses belonging to the users who need access. It is most practical when editors connect from fixed addresses, such as an office network or a VPN.
  • Restrict Admin to Specific Times of Day: this option limits the times of day at which anyone can access the admin panel, which narrows the window in which a stolen credential is useful.
  • Update admin URL: by default, the admin can be accessed at the /wp-admin and /wp-login.php URLs. These are well known to attackers and are among the first things automated scanners try. Changing the login URL (which requires a plugin; core does not support it) to something unique and hard to guess keeps most automated noise away, but it is obscurity rather than a real barrier, so treat it as a supplement to the other controls, not a replacement.
  • Enforce Strong Passwords: enabling this option forces your site administrators to select strong passwords, making it much harder for an attacker to guess them. Also, remember that it is never a good idea to share passwords (even with co-workers). If multiple people need to edit the site, set up an individual user for each, with the lowest role that lets them do their job.
  • Limit Login Attempts: WordPress does not limit the number of login attempts out of the box, so you need a plugin or your own code to do it. The options are configurable (number of attempts before lockout, lockout time, etc.). Enabling this helps prevent brute-force attacks. Make sure the limit also covers xmlrpc.php, which accepts the same credentials and is a common brute-force target.
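Here is what two of the items above (restricting the admin to specific IPs and limiting login attempts) look like when done in code rather than through a plugin. This is an added example, not code from the original article: a must-use plugin that denies wp-login.php and the dashboard to anyone outside an allow-list and locks an IP out after repeated failed logins. The allow-list ranges, the attempt and lockout numbers, and the lh_ prefix are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Login Hardening (example)
 * Description: Restricts wp-login.php and the dashboard to an IP allow-list
 *              and locks an IP out after repeated failed logins.
 *
 * Added example, not code from the original article. Save it as
 * wp-content/mu-plugins/login-hardening.php so it loads before normal
 * plugins and cannot be deactivated from the admin panel.
 */

// Assumed allow-list for the example: an office range and one VPN address.
const LH_ALLOWED_NETWORKS = [ '203.0.113.0/24', '198.51.100.7/32' ];
const LH_MAX_ATTEMPTS     = 5;       // failures before an IP is locked out
const LH_LOCKOUT_SECONDS  = 15 * 60; // how long the lockout (and the counter) lasts

// Only trust REMOTE_ADDR. X-Forwarded-For is client-supplied unless your own
// proxy overwrites it, so using it here would let attackers pick their "IP".
function lh_client_ip(): string {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// True if an IPv4 address falls inside a CIDR block such as 203.0.113.0/24.
function lh_ip_in_cidr( string $ip, string $cidr ): bool {
    list( $subnet, $bits ) = array_pad( explode( '/', $cidr, 2 ), 2, '32' );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( $ip_long === false || $subnet_long === false ) {
        return false;
    }
    $bits = (int) $bits;
    $mask = ( $bits === 0 ) ? 0 : ( ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

function lh_ip_allowed( string $ip ): bool {
    foreach ( LH_ALLOWED_NETWORKS as $cidr ) {
        if ( lh_ip_in_cidr( $ip, $cidr ) ) {
            return true;
        }
    }
    return false;
}

// Deny the login screen and the dashboard to everyone else. admin-ajax.php is
// deliberately excluded because public pages call it too.
function lh_restrict_admin_by_ip() {
    $is_login = ( isset( $GLOBALS['pagenow'] ) ? $GLOBALS['pagenow'] : '' ) === 'wp-login.php';
    $is_dash  = is_admin() && ! wp_doing_ajax();
    if ( ( $is_login || $is_dash ) && ! lh_ip_allowed( lh_client_ip() ) ) {
        wp_die( 'Access denied.', 'Forbidden', [ 'response' => 403 ] );
    }
}
add_action( 'init', 'lh_restrict_admin_by_ip' );

function lh_attempts_key( string $ip ): string {
    return 'lh_fail_' . md5( $ip );
}

// Runs late in the 'authenticate' chain so it overrides core's password check:
// while an IP is locked out, even the correct password is refused. The same
// filter runs for XML-RPC logins, so xmlrpc.php brute force is throttled too.
function lh_check_lockout( $user, $username, $password ) {
    $fails = (int) get_transient( lh_attempts_key( lh_client_ip() ) );
    if ( $fails >= LH_MAX_ATTEMPTS ) {
        return new WP_Error( 'lh_locked_out', 'Too many failed logins. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'lh_check_lockout', 99, 3 );

// Count failures per IP in a transient that expires after the lockout window.
// Failures during a lockout keep extending it, so guessing cannot simply
// resume the moment the original window ends.
function lh_record_failure( $username ) {
    $key = lh_attempts_key( lh_client_ip() );
    set_transient( $key, (int) get_transient( $key ) + 1, LH_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'lh_record_failure' );

// A successful login clears the counter for that IP.
function lh_clear_failures( $user_login ) {
    delete_transient( lh_attempts_key( lh_client_ip() ) );
}
add_action( 'wp_login', 'lh_clear_failures' );
```

Two design points worth noting. The lockout check is hooked at a high priority because a WP_Error returned early in the authenticate chain is discarded by core's own username/password handler if the password turns out to be right; only a late filter can refuse a correct password during a lockout. And the counter is keyed on REMOTE_ADDR, so if your site sits behind a reverse proxy you must make the proxy set the real client address (or all visitors will share one counter and one lockout).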

Securing File Editing Capabilities

First, it is critical to have proper backups of your website files and data, stored somewhere other than the web server itself. All of the code should be maintained in a repository (such as Git), and database backups should be scheduled at a regular interval. While setting up the site, ensure that proper file permissions are set at the server level and that .htaccess rules are in place.

By default, WordPress allows theme and plugin files to be edited from inside the admin panel, which means any compromised administrator account can be turned directly into code running on your server. It is important to be aware of this, and in most cases it makes sense to disable the ability. The following line added to wp-config.php removes the file editors from the admin:

define( 'DISALLOW_FILE_EDIT', true );

Or, if you want to disallow file editing and also disallow installing and upgrading plugins, themes and core from within the admin, add this line instead:

define( 'DISALLOW_FILE_MODS', true );

While blocking plugin and theme upgrades from the admin might suit your situation, security releases still need to be applied promptly. WordPress installs minor core releases (security and maintenance updates) automatically by default; the following line extends that to major releases as well, which is helpful if you don't pay frequent attention to upgrade notices, are unsure how to upgrade your site, or occasionally miss an upgrade and end up running an old, vulnerable version. Note that DISALLOW_FILE_MODS switches off the automatic updater entirely, so it cannot be combined with this setting; if you use DISALLOW_FILE_MODS, you have taken on the job of applying every update yourself. Add the following to wp-config.php to allow automatic major updates:

define( 'WP_AUTO_UPDATE_CORE', true );

However, automatic upgrades may not fit your code deployment process. As mentioned above, it's best to maintain all code and upgrades in a repository, which allows deployment into the various environments for testing before the code is pushed live. If you go that route, make sure the process is fast enough that a security release doesn't sit untested for days.
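The constants from this section and the FORCE_SSL_ADMIN setting above interact in ways the one-liners don't show, so here is an annotated wp-config.php excerpt that puts them together, with the weak form beside the corrected one. It is an added example, not the article's own configuration; the X-Forwarded-Proto handling assumes a TLS-terminating reverse proxy in front of PHP that sets that header itself.

```php
<?php
// wp-config.php excerpt (added example, not from the original article).
// Place these lines above the "That's all, stop editing!" comment.

// --- Weak: FORCE_SSL_ADMIN on its own behind a TLS-terminating proxy ---
// The proxy speaks plain HTTP to PHP, so is_ssl() is false, the admin
// redirects to https://, the proxy forwards it as http:// again, and the
// browser loops. The line is correct only when PHP itself terminates TLS.
// define( 'FORCE_SSL_ADMIN', true );

// --- Corrected: tell WordPress the original request was HTTPS first ---
// Assumption: the proxy strips any client-supplied X-Forwarded-Proto and sets
// its own. If it doesn't, a client can spoof the header and bypass the check.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https' ) {
    $_SERVER['HTTPS'] = 'on';
}
define( 'FORCE_SSL_ADMIN', true );

// Remove the theme and plugin file editors from the admin, but leave the
// updater working.
define( 'DISALLOW_FILE_EDIT', true );

// --- Weak: DISALLOW_FILE_MODS silently disables ALL automatic updates ---
// WP_Automatic_Updater::is_disabled() returns true when this is set, so the
// WP_AUTO_UPDATE_CORE line below would have no effect. Use it only if you
// deploy every core, plugin and theme update yourself from the repository.
// define( 'DISALLOW_FILE_MODS', true );

// Automatic core updates. Accepted values:
//   'minor' - security and maintenance releases only (the default since 3.7)
//   true    - major releases as well
//   false   - no automatic core updates at all
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
```

Plugin and theme auto-updates are controlled separately, through the auto_update_plugin and auto_update_theme filters, which have to be registered from a plugin or mu-plugin rather than from wp-config.php (the filter API is not loaded yet when wp-config.php runs).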

Other Security Methods

  • Make sure your site is always up-to-date: this includes WordPress Core, Plugins, and themes.
  • Update initial admin user: when setting your site up, it requires you to create the first admin user. Make sure the username is not something common (like 'admin') and that the user ID is not 1 (there are plugins, or SQL commands, that will change a user's ID). Treat this as a minor obstacle only: WordPress still exposes usernames through author archive URLs (?author=N) and the REST API, so it does not replace strong passwords and login limits.
  • Remove WordPress version number: by default a generator meta tag in the head of most WordPress pages lists the version number, which lets attackers see at a glance whether you are running a version with known vulnerabilities. Removing the tag is easy, but remember the version also leaks through the ?ver= query strings on core scripts and styles and through readme.html in the web root, so remove or block those as well.
  • Rename your database prefix: the default prefix is 'wp_', which is well known to attackers and assumed by many canned SQL injection payloads. Changing the prefix to something unique (and difficult to guess) yields the best results. This is something you'd want to set up as you are installing WordPress; if you must change it after setup, there are plugins that will help, since the prefix is also embedded in option names and user meta keys, not just table names.
  • Use plugins and themes from trusted developers: make sure that the plugins and themes you select are from trusted sources, have good reviews and are updated frequently. Make sure to keep these up-to-date when new versions are released. You can use tools that will check your current plugins and themes for vulnerabilities.
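The version-number and admin-user items above are the two places where WordPress leaks information to an anonymous visitor, and both can be tightened from a single must-use plugin. The following is an added example, not code from the original article; it removes the generator tag and the core ?ver= parameter, refuses ?author=N enumeration from logged-out visitors, and hides the REST API user listing from them. The idh_ prefix and file name are assumptions.

```php
<?php
/**
 * Plugin Name: Information Disclosure Hardening (example)
 * Description: Hides the WordPress version and blocks username enumeration.
 *
 * Added example, not code from the original article. Save it as
 * wp-content/mu-plugins/info-disclosure-hardening.php.
 */

// 1. Remove <meta name="generator" content="WordPress x.y.z"> from page heads
//    and the matching <generator> element from RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. Core appends ?ver=<core version> to its own scripts and styles, which
//    leaks the version even without the meta tag. Strip it only when it is
//    the core version, so plugins' own cache-busting parameters keep working.
function idh_strip_core_version( $src ) {
    $core_version = get_bloginfo( 'version' );
    if ( is_string( $src ) && strpos( $src, 'ver=' . $core_version ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'idh_strip_core_version' );
add_filter( 'style_loader_src', 'idh_strip_core_version' );

// 3. /?author=N redirects to /author/<username>/ for whatever ID N is, so
//    renaming the admin or changing its ID does not hide the username.
//    Refuse numeric author queries from anonymous visitors; logged-in users
//    and the dashboard are left alone.
function idh_block_author_enumeration() {
    if ( is_admin() || is_user_logged_in() ) {
        return;
    }
    $author = isset( $_GET['author'] ) ? (string) $_GET['author'] : '';
    if ( $author !== '' && ctype_digit( $author ) ) {
        wp_die( 'Forbidden', 'Forbidden', [ 'response' => 403 ] );
    }
}
add_action( 'init', 'idh_block_author_enumeration' );

// 4. The REST API lists every user with published posts at
//    /wp-json/wp/v2/users. Remove the user routes for anonymous requests;
//    logged-in clients (the admin itself included) are unaffected.
function idh_hide_users_endpoint( array $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'idh_hide_users_endpoint' );
```

One leak this cannot close from PHP is readme.html in the web root, which states the installed version in plain text; delete it on deployment or deny it in the web server configuration. Also verify the result from outside rather than trusting the code: fetch the home page and a feed and grep for the version string, and request /?author=1 and /wp-json/wp/v2/users as an anonymous client.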

While security measures are not always top of mind when it comes to creating a new website, they do need to be taken into consideration and accounted for. Many of the options outlined above can be configured fairly quickly, and in the end taking that time to set things up properly will pay off.