How to secure WordPress

How to secure WordPress and keep your site from being hacked

WordPress is probably the most popular open source software on the internet, and many of our clients have it installed on their website.  Initially WordPress was designed as a blogging platform, but it has since grown into a full featured CMS and even as a E-commerce platform through its plugins.  Because of this, wordpress has actually become one of the most exploited opensource software as well.  On average, we see around 2 exploited wordpress websites per week.  A lot of these exploits happen because users just install the blog and do not do any maintenance on it.  In this article, we will discuss how to secure WordPress after you have installed it.

  1. Install Wordfence.  Wordfence is a free security plugin which provide a lot of features to secure your wordpress installation.  One of the main feature is that it scans the wordpress directory and files in it for known exploits.  It also scan plugins and themes which is very important.  This plugin can be installed inside your wordpress administrator panel.  Go to Plugin -> Add New and search for “Wordfence” for easy installation.
    They have some features which are only available for paid customers.  If you can afford it, do support them and subscribe to the paid version.
  2. Create another user with limited access and use that to make your blog post instead of the default admin user.  It will also be wise if the admin users a username not so easy go guess.  For example, use sl22l as the admin username, and create another user buser which you will only use to make blog posts.
  3. Only install plugins which are absolutely needed.  With so many free plugins, it will seem fun to install as many of them as you see fit.  However, the most plugin you install, the slower your site will be, and most importantly, there are more attack vector for exploits.  Even if all the plugins you installed are from reputable sources, the time it take to regularly applying for updates is probably not worth it.
  4. Password protect the wp-admin directory.  This will add another layout of protection for the admin panel.  To do this, go into cPanel, and then “Password Protect Directories”.  In there, navigate to wp-admin directory and apply password protection to it.
    Now, in the wordpress directory root, add the following line to the .htaccess file:

    ErrorDocument 401 default

    Next in the .htaccess file in the wp-admin directory, add the following lines:

    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>

    Note:  We have found some installation of wordpress have other files in their wp-admin/ folder which are included site wide.  In these cases you will need to allow these files using <Files> in the .htaccess as well.

  5. Use Cloudflare.  Cloudflare can protect your website against DDos attacks and common attacks for your blog.  The good thing with using Cloudflare is that it actually speed up your website and provide caching for your static files automaticlly.

  6. Keep your wordpress and plugins up to date.  You can check for updates when you log into wordpress admin.  Wordfence will send you notification of updates, and you should try to apply them ASAP. 

  7. Enable Two-Step Authentication.  You can enable Two-Step authentication by installing plugins such as “Google Authenticator“.
  8. Do not download paid theme and plugins from website offering them for free.  Exploits are usually hidden in these downloads.  Only download themes and plugins within your wordpress admin control panel, or from the official website of the theme and plugin developers.  If you like a theme or plugin, support the developer by paying for them.
  9. Disable signup and comments if you do not need them.

There are many more things you can do to protect your blog, but if you do everything mentioned above, I will say you have dramatically reduced the changes of your blog getting exploited.