A few words before we start...
In 2017, website security is still a big problem, partly because many webmasters and developers lack security knowledge, and partly because people are unwilling to spend 30 extra minutes to make browsing safe for the visitors of their pages.
We all know that search engines such as Google fight bad web pages (pages that serve malware or similar threats) every day. If your website is not well protected it can easily be attacked and end up on Google's blacklist, which causes a major drop in visitors to your blog or online business, just because you did not fully protect your website. I created this ultimate step-by-step guide to help you protect your WordPress installation. So, let's start!
Two more words about WordPress security
WordPress is a beautiful web application with a strong core that has evolved a lot over the last 6 years, thanks to a strong community of expert developers and security researchers.
Because WordPress is so popular, every update the WP community releases fixes a number of security issues. So how is it possible that WordPress is still not safe?
The WordPress core is reasonably safe when kept up to date, but it is used together with many external plugins written by other developers, and those plugins are often not updated to the latest version, which keeps your WordPress installation vulnerable. To prevent an attacker from uploading any kind of malicious code to our pages, we need to follow the steps below.
Update your WordPress to the latest version!
Keeping WordPress updated is probably the most important and easiest thing you can do to stay safe. As I said before, updates fix many security issues, and each update replaces the core files of your installation with fresh copies, which helps make sure you have a clean installation, at least as far as the WordPress core files are concerned. (Since WordPress 3.7, minor security releases are installed automatically by default; leave that enabled.)
You can easily update WordPress from the Updates screen in your Dashboard, where WP lists all available updates. Make sure to always update all plugins and themes to the latest available version too, since that is what fixes the vulnerabilities in those plugins! Remove plugins and themes you no longer use instead of leaving them inactive: their PHP files are still reachable on disk and can still be exploited.
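To check that the core files really are clean after an update, here is an added example (not code from the original post, from WordPress or from any plugin) that compares an install against a checksum manifest, the same idea as Sucuri's integrity check or `wp core verify-checksums`. The real manifest is fetched from api.wordpress.org (URL in the docstring); the manifest, the install tree and the file names in the demo are constructed so the script runs offline.

```python
"""Verify WordPress core files against a checksum manifest (added example).

The upstream manifest is served by
https://api.wordpress.org/core/checksums/1.0/?version=<ver>&locale=<locale>
as JSON: {"checksums": {"wp-load.php": "<md5>", ...}}.  Both the manifest
and the install tree below are constructed inline so the script runs offline.
"""
import hashlib
import os
import shutil
import tempfile

# Site-specific paths that are not in the upstream manifest and must not be
# reported as unexpected (plugins, themes and uploads live under wp-content).
IGNORED_FILES = {"wp-config.php", ".htaccess"}
IGNORED_PREFIXES = ("wp-content/",)


def md5_of(path):
    """MD5 is what the WordPress.org manifest uses; this is an integrity
    check against a trusted list, not a password hash, so MD5 is fine here."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_core(root, manifest):
    """Compare the tree under root with manifest {relative path: md5}.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]}.
    An unexpected file outside wp-content (a new .php in wp-includes, say)
    is the classic sign of a dropped backdoor.
    """
    modified, missing, unexpected = [], [], []
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif md5_of(full) != expected:
            modified.append(rel)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel in manifest or rel in IGNORED_FILES or rel.startswith(IGNORED_PREFIXES):
                continue
            unexpected.append(rel)
    return {"modified": modified, "missing": missing, "unexpected": sorted(unexpected)}


def build_demo_site():
    """Constructed install: one clean file, one tampered file, one file
    missing from disk, one unexpected file, plus ignored site-specific files.
    Returns (root, manifest)."""
    clean = {
        "wp-load.php": b"<?php // clean core file\n",
        "wp-includes/version.php": b"<?php $wp_version = '4.7.5';\n",
        "wp-admin/about.php": b"<?php // about page\n",
    }
    manifest = {rel: hashlib.md5(body).hexdigest() for rel, body in clean.items()}
    root = tempfile.mkdtemp(prefix="wp-demo-")
    on_disk = dict(clean)
    # Tampered: extra code appended to a core file.
    on_disk["wp-includes/version.php"] += b"// injected line (constructed)\n"
    # Missing: wp-admin/about.php is never written to disk.
    del on_disk["wp-admin/about.php"]
    # Unexpected: a file the manifest does not know about (constructed name).
    on_disk["wp-includes/wp-cache-helper.php"] = b"<?php // not part of core\n"
    # Legitimately site-specific, must be ignored.
    on_disk["wp-config.php"] = b"<?php define('DB_NAME', 'example');\n"
    on_disk["wp-content/uploads/2017/05/photo.jpg"] = b"\xff\xd8\xff"
    for rel, body in on_disk.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(body)
    return root, manifest


def demo():
    """Build the constructed site, verify it and clean up."""
    root, manifest = build_demo_site()
    try:
        return verify_core(root, manifest)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

On a real server you would load the JSON manifest for your exact version and locale and call verify_core() on the document root; anything in "modified" or "unexpected" deserves a look before you trust the install.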
Avoid weak passwords and excessive user permissions
One of the most common WordPress hacking attempts is an attacker trying to get into your admin area with stolen or guessed passwords, ideally the administrator's. With those credentials the attacker can manage your whole WordPress installation: upload any file as a plugin through the plugin upload screen, or modify .php files through the theme editor. So how do we avoid this? How do we make sure users are not using weak passwords?
The first thing to do is to give the admin account a strong password, ideally a unique one you do not use on other websites. Secondly, change the admin username: do not leave it as "admin", which is the first name every attacker tries. WordPress does not let you rename a user from the dashboard, so create a new administrator with a different username, log in as that user, and delete the old "admin" account (attributing its posts to the new one). Now that the main user has a strong password, double-check the role you give each user who registers on your website and set it to "Subscriber", so they have no power to modify anything. Later in this guide we will see how to slow down and block password-guessing attempts against these accounts, so keep reading :-)
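As an added example of the weak-password check discussed above (not code from the original post or from any plugin), the following policy logic flags passwords that appear in an attacker's wordlist even after the usual mutations (capitalisation, leet-speak, digits or symbols bolted on the end), and passwords built from words an attacker would try first for this site. The wordlist and the site words are constructed; a real deployment would load a large list and, if hooked into WordPress, run it on the registration and password-change forms. It cannot test passwords already stored in the database, because WordPress only keeps their hashes.

```python
"""Weak-password check (added example, not part of the original post).

COMMON_PASSWORDS is a tiny constructed sample of a "password.txt" wordlist;
a real deployment would load a large list such as the ones attackers use.
"""
import re

COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "admin", "letmein",
    "welcome", "wordpress", "iloveyou", "monkey", "dragon", "football",
}

# Characters people substitute for letters to "strengthen" a word:
# @->a $->s 0->o 1->i 3->e 4->a 5->s !->i
LEET = str.maketrans("@$01345!", "asoieasi")

MIN_LENGTH = 12


def _strip_edges(s):
    """Drop leading/trailing non-letters: 'p@ssw0rd123!' -> 'p@ssw0rd'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def candidates(password):
    """All normalised forms of a password that should be looked up."""
    low = password.lower()
    forms = {low, low.translate(LEET)}
    forms |= {_strip_edges(f) for f in list(forms)}
    forms |= {f.translate(LEET) for f in list(forms)}
    forms.discard("")
    return forms


def weak_reasons(password, site_words=()):
    """Return a list of reasons the password is weak; empty means acceptable.

    site_words are things an attacker tries first for this site: the site
    name, the username, the domain.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    forms = candidates(password)
    if forms & COMMON_PASSWORDS:
        reasons.append("based on a common password")
    for word in site_words:
        w = word.lower()
        if any(w in f for f in forms):
            reasons.append("contains site-related word '%s'" % word)
    return reasons


if __name__ == "__main__":
    # Constructed sample passwords; "myblog" stands in for the site name.
    for pw in ("P@ssw0rd123!", "MyBlog!2017", "correct horse battery staple"):
        print(repr(pw), weak_reasons(pw, site_words=("myblog",)) or "ok")
```

Length and a blocklist lookup catch far more real-world weak passwords than composition rules (one uppercase, one digit...), which is why the check above does not require specific character classes.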
Backup, Backup, and Backup
If an attacker manages to infect your website, say with malware, the best thing to do is to go back to a fresh backup of your website: first to avoid Google's blacklist, and second so that your visitors do not start downloading malware to their computers. So it is important to have a WordPress backup solution that can bring the website back to life if the attacker bypasses our security. Two caveats: keep a copy of the backups off the web server (an attacker who controls the site can delete or poison backups stored next to it), and remember that restoring a backup does not close the hole the attacker came through, so update everything and change all passwords after the restore. Some hosts already include backup solutions, and as we will see, hosting plays an important part in website security. So let's see which hosting plays a fundamental role in the security of our WP installation.
[Image: How the SUCURI FIREWALL works - Best WP Security Plugin 2017 (source: sucuri.net)]
As the image shows, the SUCURI FIREWALL works as a real wall in front of your WordPress installation: traffic passes through the Sucuri network first, where attacks, malicious requests and DDoS traffic are filtered out before they reach your server.
Choose the right WordPress hosting: one that takes security seriously
When you choose a host, check the price, but also the support they offer and how serious they are about security. You can have an amazingly fast host, but if it has a security problem the speed will not help at all and the money will be wasted.
I personally really love the guys at SiteGround, who offer fantastic support via chat and ticketing and are super serious about security, using the latest technologies, and since 2017 they have a strong security partner, SUCURI. If you don't know SUCURI, they are the security experts who found the WordPress REST API vulnerability last January 2017!
Shared hosting or a dedicated solution? Which is safer?
Even if you think shared hosting is safer because the host has an incentive to protect the many websites on one machine, it is not. The reason is simple: the websites are hosted in different "folders" on the same server, so when you choose shared hosting you save money, but you are at a higher risk of cross-site contamination, where an attacker who compromises a neighbouring website uses it to attack yours as well. This is only prevented if the host properly isolates each account, for example by running every site as its own system user.
Using a dedicated solution, even if you need to set up everything yourself (not always, as with SiteGround), protects your website from cross-site contamination because your website is the only one on that machine/server. Another well-known WordPress host I can suggest is WP Engine.
Now that we know which kind of hosting we need, let's protect our WordPress with the best security plugins. Here is the list!
[Image: Best WordPress secure hosting? Probably yes..]
Best WordPress Security Plugins 2017
There are so many security plugins out there, but I only suggest a few that I really think do the job without eating up server resources. What I look for in a security plugin is something that logs and limits failed login attempts, scans for malware and helps me add some firewall rules. So here are the best WordPress security plugins of 2017.
- Sucuri Security Plugin
This plugin is amazing and free. Created by the well-known Sucuri security team, it really takes your WordPress security to the next level: it adds security rules, gives tips on protecting folders and files, runs their malware scan and, for premium (paid) users, adds a firewall (WAF). When you install and activate this plugin you need to generate a free API key, which enables further functions such as audit logging, core integrity checking and other features.
The feature I really love in the Sucuri Security plugin is the Hardening tab, where Sucuri suggests important actions to "harden" your WordPress installation, such as "Information leakage (readme.html)", "remote upload permission" and more. Thanks to Sucuri you lock down the main areas attackers look at first.
The WAF firewall: do I really need to activate it?
The firewall lets you set different rules to prevent many kinds of attack against your WordPress installation. So do you really need it? I would say that if you have some money and you care about having a clean website, yes.
How does the WAF work? It blocks malicious traffic before it reaches your website: your DNS points at Sucuri, so every request is first inspected and cleaned by Sucuri's network, which uses a large signature database to keep the traffic reaching your site clean. One caveat: the filtering only helps if the origin server accepts traffic only from Sucuri's firewall addresses; otherwise an attacker who finds your server's real IP can simply go around the WAF. Because you are paying $199 a year they also offer malware cleanup and blacklist removal if your website was already attacked. I think it is a good deal, considering a freelance security expert will cost you around $200 an hour... so do the math :-)
Don't allow File Editing
One of the most common attacks is for the attacker to upload a .php file which, once it runs, overwrites your application files with malicious code. One example of this kind of attack is explained in my other post (Remove Malware from Wordpress). During my last malware cleanup I learned to disable file editing, to stop such a script from running and writing to files if it gets past the upload firewall rules.
You can easily disallow file editing by adding this line to your wp-config.php:
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
This removes the editor from the Appearance and Plugins menus of your WordPress Dashboard (the related DISALLOW_FILE_MODS constant goes further and also blocks installing and updating plugins and themes from the dashboard). Keep in mind that this only closes the dashboard editor: a PHP file an attacker has already uploaded can still write to whatever the web server user can write to. So I also suggest tightening the file permissions of your WP install: 755 for directories, 644 for files, 600 (or 640 if the web server runs as another user in your group) for wp-config.php, and never 777. Do not use 544, which would stop WordPress itself from writing uploads and updates.
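The following added example (not code from the original post, from WordPress or from any plugin) audits a WordPress directory for the three permission mistakes above: world-writable paths, a wp-config.php that other users on the host can read (it contains the database password), and PHP files inside wp-content/uploads, which is where an uploaded shell usually lands. The tree it checks is constructed in a temporary directory with deliberately wrong modes; point audit_tree() at a real document root to use it.

```python
"""Audit a WordPress tree for the permission problems that let an uploaded
script take over the site (added example, not part of the original post).
The tree below is constructed; run audit_tree() on a real document root."""
import os
import shutil
import stat
import tempfile

PHP_SUFFIXES = (".php", ".phtml", ".php5", ".php7", ".phar")
UPLOADS = "wp-content/uploads"


def audit_tree(root):
    """Return sorted (relative path, problem) tuples for entries under root."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue  # mode bits of a symlink are meaningless
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if rel == "wp-config.php" and mode & stat.S_IROTH:
                findings.append((rel, "readable by other users on the host"))
            if rel.startswith(UPLOADS + "/") and name.lower().endswith(PHP_SUFFIXES):
                findings.append((rel, "PHP file inside uploads"))
    return sorted(findings)


# Constructed tree: (path, is_dir, mode).  755/644 are the usual WordPress
# defaults; the three deliberate mistakes are marked.  Parents come first.
DEMO_TREE = [
    ("wp-admin", True, 0o755),
    ("wp-includes", True, 0o755),
    ("wp-content", True, 0o755),
    ("wp-content/uploads", True, 0o777),                       # mistake: world-writable
    ("wp-content/uploads/2017", True, 0o755),
    ("wp-content/uploads/2017/05", True, 0o755),
    ("index.php", False, 0o644),
    ("wp-includes/functions.php", False, 0o644),
    ("wp-config.php", False, 0o644),                           # mistake: others can read it
    ("wp-content/uploads/2017/05/photo.jpg", False, 0o644),
    ("wp-content/uploads/2017/05/shell.php", False, 0o644),    # mistake: PHP in uploads
]


def build_demo_tree():
    """Create the constructed tree in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="wp-perm-")
    for rel, is_dir, mode in DEMO_TREE:
        full = os.path.join(root, rel)
        if is_dir:
            os.mkdir(full)
        else:
            with open(full, "wb") as f:
                f.write(b"<?php // constructed\n" if rel.endswith(".php") else b"\xff\xd8\xff")
        os.chmod(full, mode)  # set explicitly so the host umask does not matter
    return root


def demo():
    """Build the constructed tree, audit it and clean up."""
    root = build_demo_tree()
    try:
        return audit_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, problem in demo():
        print("%-45s %s" % (rel, problem))
```

The PHP-in-uploads check is the one to run regularly: a web server that executes PHP from the uploads directory turns any file-upload bug in a plugin into remote code execution, which is why Sucuri's hardening tab offers to block PHP there.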
Wordfence: securing your WordPress website
[Image: Wordfence plugin - best security scan]
Wordfence is probably the most popular security plugin for WordPress, with a strong community, a free version and a paid version that adds some extra features. The plugin is very powerful: it offers a website scan, and it keeps you updated with email alerts when suspicious login attempts are made or when core or plugin files are modified. This helps you monitor your website and keep it clean.
Wordfence Security plugin firewall: is it good?
I also use the Wordfence firewall, which is free; it still adds some rules to keep attackers away but will not offer the full protection of the Sucuri one, but hey... it's free! (Unlike Sucuri's, it runs inside PHP on your own server, so it only sees requests that have already reached you.)
Change the WordPress admin and login page
Most attackers use automated tools to find WordPress admin and login pages; one of these is WPScan, which can also enumerate usernames (for example through the author archive URLs /?author=1, /?author=2 and so on), so a renamed admin account is only a small obstacle. Once they find the login page they brute-force the username and password, guessing credentials from a password.txt wordlist of the most popular passwords in the world. This is a brute-force (password-guessing) attack rather than a DDoS, although a heavy one can slow the site down as a side effect. So one of the tricks to prevent it is to limit access to this page or to change its URL.
There are 3 ways to avoid this kind of attack:
- Add an IP restriction to your admin page (allow only certain IPs to reach wp-login.php and wp-admin, for example with an .htaccess rule or your host's firewall).
- Change the admin URL to something unique and difficult to find out (this is obscurity, not a fix, so combine it with the other two).
- Add the Login LockDown plugin (it locks out an IP after a number of failed logins).
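As an added example (not code from the original post or from the Login LockDown plugin), this script replays a web-server access log and applies the lockout rule described above: five failed wp-login.php POSTs from one IP within five minutes. The log lines are constructed (documentation addresses, invented timestamps); the 200-versus-302 status heuristic is an assumption that holds for stock WordPress, which re-renders the login form on failure and redirects to the dashboard on success.

```python
"""Detect wp-login.php brute forcing in access logs and compute lockouts
(added example, not part of the original post).

Heuristic: stock WordPress answers a failed POST to wp-login.php with 200
(it re-renders the form) and a successful one with a 302 redirect.
SAMPLE_LOG is constructed; addresses are from the documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" format, up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2017:13:55:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2841
203.0.113.7 - - [10/May/2017:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3520
203.0.113.7 - - [10/May/2017:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3520
203.0.113.7 - - [10/May/2017:13:55:47 +0000] "POST /wp-login.php HTTP/1.1" 200 3520
203.0.113.7 - - [10/May/2017:13:55:52 +0000] "POST /wp-login.php HTTP/1.1" 200 3520
203.0.113.7 - - [10/May/2017:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3520
203.0.113.7 - - [10/May/2017:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3520
198.51.100.20 - - [10/May/2017:13:57:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3520
198.51.100.20 - - [10/May/2017:13:57:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.20 - - [10/May/2017:13:57:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 41230
"""


def parse_line(line):
    """Return a dict for a recognised log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def failed_logins(lines):
    """Yield (ip, timestamp) for each failed wp-login.php POST, in log order."""
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].split("?")[0] == "/wp-login.php"
                and rec["status"] == 200):
            yield rec["ip"], rec["ts"]


def failures_by_ip(lines):
    """Total failed logins per client address."""
    counts = defaultdict(int)
    for ip, _ in failed_logins(lines):
        counts[ip] += 1
    return dict(counts)


def find_lockouts(lines, max_failures=5, window=timedelta(minutes=5)):
    """Return [(ip, when)] for every time an IP reaches max_failures failed
    logins inside a sliding window: the rule a login-lockdown plugin applies
    live, here replayed from the log."""
    recent = defaultdict(deque)
    lockouts = []
    for ip, ts in failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # forget attempts older than the window
        if len(q) >= max_failures:
            lockouts.append((ip, ts))
            q.clear()  # start counting again for a possible next lockout
    return lockouts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(failures_by_ip(lines))
    for ip, when in find_lockouts(lines):
        print("lock out", ip, "at", when.strftime("%H:%M:%S"))
```

The legitimate user at 198.51.100.20 mistypes once and then logs in (302), so it never reaches the threshold, while 203.0.113.7 is locked out at its fifth failure. If you run this against your own logs, a single IP with hundreds of 200 responses to POST /wp-login.php is the signature of exactly the wordlist attack described above.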
Avoid session hijacking!
Another attack your WordPress website can be vulnerable to is session hijacking: basically, an attacker reuses the login session of a user who is no longer really browsing the website. Have you ever logged into your website, switched browser tab to look something up, come back much later and wondered why you are still able to modify pages? That is because each logged-in user has a session, tied to a unique secret authentication cookie, and WordPress keeps it valid for 2 days by default (14 days with "Remember Me"). An attacker who captures that cookie, for example by sniffing a login over plain HTTP on a public Wi-Fi network, can use it to enter your website as that user. To limit the damage: serve the site over HTTPS so the cookie is never sent in clear, and use the Idle User Logout plugin to set an automatic logout after a period of inactivity for each user. Since WordPress 4.1 you can also end all other sessions of your account from your profile page ("Log Out Everywhere Else").
Captcha or security questions will help protect your WordPress
As I said before, once the attacker knows the login page he will try to brute-force it, guessing usernames and passwords to gain access. We can slow the process down by adding a Captcha or security questions that only humans know how to answer. This keeps away WPScan and other scanners, and most likely the attacker will move on to an easier target :-) There are WP security question plugins that do this job perfectly. Remember that wp-login.php is not the only way in: WordPress also accepts logins through xmlrpc.php (used by the mobile apps and Jetpack), which a Captcha on the login form does not cover, so disable XML-RPC if you do not use it, or make sure your lockout plugin counts those attempts too.
[Image: Typical warning message for a site that contains malware]
Now it's too late... How can I fix a hacked website?
Are you reading this WordPress security ultimate guide too late? Has your website been hacked, with malware spreading everywhere? Don't worry, there is always a solution!
As I said earlier in this article, you can fix the problem manually, identifying the source of the attack and the kind of malicious code injected into your files, or use the SUCURI service, which for a few dollars will do the job for you. But of course getting your hands dirty will help you understand the attack and prevent a future one. So good luck!
Which security plugins are you using?