A malvertising campaign reported in July 2019 caused compromised WordPress sites to display unwanted popup ads and redirect visitors to malicious destinations. This campaign exploited known vulnerabilities in plugins that were installed on thousands of sites.
Unfortunately, this type of widespread attack is not singular. In fact, over 90,000 attacks are made on WordPress sites every minute.
The good news is that there are plenty of steps you can take to protect your site. In this post, we’ll discuss how you can choose a secure theme to create a site that’s well-designed and protected. Then we’ll walk through additional steps you can take to improve the security of your site as you build it out.
Selecting a Secure WordPress Theme
When selecting and installing a theme for your WordPress site, you might consider design and functionality first. Does it have multi-column layouts? Is it compatible with page builders? Does it have a flexible header? But even if you find a theme that checks all these boxes, you’ll need to make sure it’s secure.
A secure theme is consistently updated so that it’s compatible with your version of WordPress and your plugins. An outdated theme may have compatibility issues with the latest version of the WordPress software, for example, which can be easily exploited by hackers. You’ll also want to make sure the theme has no known security vulnerabilities and follows WordPress’s code standards.
If you’re not familiar with these standards, then you may not be able to evaluate if a theme is properly coded. In that case, you can use a tool like W3C validator to check if the code is standards-compliant. Just enter the URL of a theme’s live demo or a site using that theme into the search bar.
To find a secure theme, start at the official theme directory on WordPress.org. It requires themes to pass a strict review process to be included in the directory. If you don’t find a free theme that meets the needs of your site, then you can find premium themes at reputable third-party marketplaces like WooCommerce and Elegant Themes.
How to Secure Your WordPress Site
- Pick a secure host.
- Switch from HTTP to HTTPs.
- Use secure login credentials.
- Set up two-factor authentication.
- Customize your login URL.
- Block IP addresses of malicious visitors.
- Monitor user activity.
- Automatically log out idle users.
- Regularly update your plugins.
- Manually back up your site.
Step 1: Pick a Secure Host
41% of hacked WordPress sites are attacked through a security vulnerability on their hosting platform, according to research from WP White Security.
That’s why choosing a secure host is one of the most important decisions you’ll make when creating a WordPress site. While all hosts implement basic security controls, you’ll want to select one that offers advanced security configurations.
WP Engine, for example, offers free SSL certificates, automatic backups and WordPress updates, malware scans, two-factor authentication, a web application firewall, and more.
Step 2: Switch From HTTP To HTTPS
Have you ever noticed that some sites have a padlock icon next to their URLs in the address bar?
That means that the site uses Hypertext Transfer Protocol Secure (HTTPS), an encryption method that secures the connection between your browser and the site’s servers.
Today’s online consumers expect sites to use HTTPS to protect their login, contact, payment, and other personal information from eavesdroppers. Eavesdroppers may be hackers, government agencies, or other users looking to view, steal, or modify information exchanged between browsers and sites.
To encourage website owners to make the switch from HTTP to HTTPS, Google made HTTPS a ranking factor in 2014 and Chrome web browsers began marking all HTTP websites as “Not Secure” in July 2018.
If you set up an HTTP site with your hosting provider, then you may be looking to migrate it to HTTPS to secure your site against eavesdroppers, foster trust with your customers, and improve your rankings. To do so, you’ll need to purchase and install an SSL certificate on your server, edit your wp-config.php file, and update your URLs in the General Settings of your dashboard. There are a variety of WordPress plugins that can help you with this process, including Really Simple SSL and Insecure Content Fixer.
Step 3: Use Secure Login Credentials
Broken authentication is the second most critical security risk to web applications, according to the OWASP Top 10. Attackers can exploit authentication weaknesses to compromise passwords, keys, or session tokens to assume users’ identities temporarily or permanently.
To help protect your WordPress site against authentication-related attacks, pick a password that you haven’t used elsewhere on the web. Also, because password-cracking software allows hackers to try random combinations of characters to gain access to your site by brute force, try to make the password as long and complex as possible. Avoid basing it on personal information that might be publicly available, like your child's name or alma mater.
Changing the default username — “admin” for a WordPress administrator — can also help prevent an attacker from gaining unauthorized access to your site.
Step 4: Set Up Two-Factor Authentication
Imagine a hacker cracks your admin password only to realize they need access to your cell phone to actually get into your site.
That's the kind of defense that two-factor authentication (2FA) provides. With current two-step implementations, every time you enter the correct login credentials to your admin account, a one-time access code is sent to your cell phone. You’ll have to enter that code into your browser to access your WordPress site.
While implementing 2FA will require you to spend a little more time logging in to your site on a new device, it's worth it to protect your identity, data, and visitors from hackers. If your host doesn’t offer 2FA, then you can use a plugin like Duo to add it to your WordPress site in just a few minutes.
Step 5: Customize Your Login URL
Another way to prevent automated brute force attacks is to change the login URL of your WordPress site.
By default, your login URL will be: http://yoursite.com/wp-login.php. That means that a hacker could look at your page’s source code and see lines like /wp-content/themes/style.css and /wp-content/plugins/ to figure out that you host your site on WordPress. Once they know that, they’ll know your login URL is /wp-login.php. They might also guess that you’re using the default username “admin.” In that case, all they’ll need to do is guess your password to gain access to your site.
To customize your login URL, you can use a plugin like WPS Hide Login. With this tool, you can easily change the url of the login form page to anything you want. This will help prevent hackers from logging into the admin panel of your site.
Step 6: Block IP Addresses of Malicious Visitors
Implementing the security practices above will help stop hackers from forcing their way into your site, but it won't stop them from trying. In addition to these authentication protocols, you can use blacklisting to further protect your site.
Blacklisting is the practice of banning the IP addresses of users that repeatedly try to log in to your admin account. This will prevent hackers from trying random combinations of popular usernames and passwords to guess your login credentials.
You can block individual IP addresses manually by editing your .htaccess file. Just copy and paste the following code snippet at the bottom of your .htaccess file, replacing the string of numbers with the IP address you want to block.
Allow from all
Deny from 111.222.333.444
To block more than one IP address, just add a “Deny from” line with the correct IP address.
If many hacking attempts are made on your site, then you may need an automated solution. In that case, you can use a Web Application Firewall (WAF) like Sucuri, Malcare or BBQ: Block Bad Queries. Basically, WAFs examine all your website traffic for unusual activity and automatically block suspicious IP addresses.
Whichever method you choose, blacklisting IP addresses can enable you to block hackers and spammers without inconveniencing your legitimate visitors.
Step 7: Monitor User Activity
As a WordPress site owner, you have the ability to control what users can and cannot do within your site. Depending on the roles and permissions you assign, users may be able to change your settings, install plugins, add new posts, and moderate comments.
If you share control over your site in this way, then you’ll want to monitor user activity. That way, if an error or suspicious activity occurs, then you can easily figure out what went wrong and who did it. This will not only ensure you resolve the issue more quickly, it will also enable you to educate any users who accidentally make a mistake and catch any untrustworthy users.
Say a user with the editor role approves a comment that doesn’t fit your comment guidelines. Then you can view your audit log to figure out which editor made the mistake and re-educate them on best practices for moderating the comments section. Or say you hire a freelance developer who changes your affiliate links or otherwise tampers with your site. Then you can detect this unusual activity in the audit log and address it as quickly as possible.
With the free Activity Log plugin, you can track user activity right in your WordPress dashboard.
Step 8: Automatically Log Out Idle Users
Idle users pose a serious security risk. When a user stays inactive for too long after logging in, hackers can hijack their session using cookies and gain unauthorized access to your site.
You can prevent this by using the Inactive Logout plugin to automatically log out users that are inactive for a certain period of time. You can set this time limit as two minutes or two hours, depending on your preference.
You may be worried that implementing this security protocol will frustrate trustworthy users who are simply switching between multiple browser tabs, going to the restroom, or otherwise remaining idle for the duration that you set. To protect the user experience as well as your site, you can configure the plugin to display a 10-second countdown before logging the user out. You can also display a custom pop-up message to explain that the user will be logged out if they remain inactive, as shown below.
Step 9: Regularly Update Your Plugins
According to data from Wordfence, plugins are the most common way that attackers compromise WordPress sites.
To limit this risk, it is critical that you only install plugins that have been updated in the past six months, keep them up to date, and delete them if they are abandoned. Plugins that haven’t been updated in the last two years are generally referred to as “abandoned.”
Installing the latest version of your plugins makes it harder for hackers to find and exploit vulnerabilities to gain access to your site. And with WordPress’s built-in update system, the process is simple.
When there is a new update available, you’ll see a notification in your WordPress dashboard. You can then update these plugins with a click of a button without leaving your dashboard.
Step 10: Manually Back Up Your Site
While many hosting providers offer automatic backups, WordPress recommends that you perform your own backups every few months.
While it’s a good idea in case the backups stored on your host’s server becomes corrupted or damaged, the primary reason to keep your own set of backups is that it will allow you to restore your site more quickly. Say your site is compromised and you haven’t created a backup of your site. Then you’ll need to request a copy of your site from your host’s backups, which takes time.
Being able to back up and restore your own site files will help ensure a speedy recovery if you ever need one. You can follow this step-by-step guide to learn how to manually backup your WordPress site using cPanel.
Protecting Your WordPress Site
There’s no way to secure your site against every threat. However, by following the steps above, you can greatly reduce the risk of your site getting hacked. This will provide you and your visitors with peace of mind.
Originally published Jan 24, 2020 1:29:27 PM, updated March 17 2021