Hardening and protecting WordPress websites

All applications and solutions, including WordPress, ship with default names and settings that are commonly known to users. These defaults offer a basic starting block and give users the flexibility to implement and build solutions as per their requirements. They can, however, be exploited if not tightened or hardened. Risks need to be reduced and managed; taking preemptive steps to harden security goes a long way in closing easy backdoors for those looking to exploit a website. Potential risks include service disruption, stolen user information, phishing, malware distribution to users and subscribers, website redirection, account takeover, and domain blocklisting, to name a few.

Common avenues that compromise a website and possible interventions

The leading reasons for compromised websites have included:

  • Hosting-related security vulnerabilities
  • Theme weaknesses being exploited
  • Plugins being exploited
  • Human Error: Weak passwords, outdated software, and applications using insecure connections

1. Addressing hosting-related challenges

  • While selecting a hosting provider for the website, review the secure performance history and interventions by the provider.
  • Review security and hardening practices at the hosting level. The most common hosting security features include: firewall and distributed denial-of-service (DDoS) protection, virus protection at the host level, SSL security certificates, and masking of domain owner details.
  • While large hosting providers are of high interest for hackers, they tend to invest in security improvement and tightening as their experience grows. This may or may not be possible for smaller hosting providers.
  • Build a clear understanding of how and what the hosting provider protects; the remaining unprotected portions will be website owner or admin’s responsibility.
    • A secure hosting provider who does not manage a webserver, usually protects the availability, privacy, and authenticity of infrastructure resources (the physical or virtual server on which a website is hosted). The security of the webserver and its applications remains the responsibility of the web admin.

2. Addressing theme-related challenges

  • Themes are available within WordPress as free, paid, or custom (imported from a third party) themes.
    • Professional themes available for free or for a price are regularly updated to address known security and performance issues. Only minor updates may automatically apply and it is the site owner’s responsibility to check and test major updates before implementing them on a live site. There are plugins that track theme updates and send a notification with information about new versions or updates being published.
    • Custom themes that are sourced from unknown or non-verifiable developer sources present the risk of security vulnerabilities that could expose the WordPress site to malware and hacking possibilities. These risks could be due to poor code and/or malicious code insertions. Patching security weakness and similar follow-up services may not always be an option, adding to the risk of custom themes.
  • The ability to install themes and plugins can be disabled on WordPress through the admin module. This hardening approach may work for sites that use themes and plugins without frequent updates.

3. Addressing plugin-related challenges

  • The WordPress Admin page has detailed information on listed plugins. This should be checked before installation; WordPress regularly updates and flags issues with plugins when they are discovered. The advisory remains until the plugin passes WordPress acceptance. Use WordPress plugins where possible rather than third-party custom plugins.
  • Plugins that need write access to WordPress files and directories should be code checked. To check for known issues with plugins, go to https://wordpress.org/support/welcome/, chat with other WordPress users on the forums, or reach out to the plugin supplier.
  • Once a plugin is installed, it’s good practice to run a malware and vulnerabilities scan.
    • Some online malware scanners check for malware through software algorithms that crawl the URL entered to identify known malware and suspected malicious code. There are plugins that do this as a routine task, too.
    • Similarly, if site performance degrades inexplicably, running the malware scanner is a good idea.
  • Disable and delete all unused plugins.
  • Some plugins may need and allow PHP or other code to execute from entries in a database, which creates a risk if the website is compromised. A workaround used in conjunction with locking or disallowing file editing is to use a custom page template to call the function.

4. Other actions that can be taken to harden and protect your WordPress website

Keep everything updated

  • Usually, updates are triggered by known issues, incompatibilities, and vulnerabilities. Installing updates and patches helps harden the website. Keep WordPress and its supporting applications, like the database, PHP, and others, updated.
  • Major updates to WordPress and supporting applications may need testing before roll out. This will ensure that the website and the customizations, if any, all work as intended. If the update is found to be incompatible with other parts of the website, one approach is to assess the vulnerability that is addressed through the new patch or update and its impact on your website instance. If there is an impact, you need to decide whether to invest in upgrading or changing the incompatible portions of the website. Meanwhile, consider disabling or removing compromised sections of the website.
Keep strong access approaches

Websites can be accessed by website admins, registered users or subscribers, and casual site visitors. The following approaches help reduce vulnerabilities both for those accessing the website and for the website itself.

  • Strong Password Strategy – WordPress has a built-in random secure password generator capability. Admin Module > My Sites > Users > UserProfile > Security.
    • Consider setting up Two-Step Authentication as an added security approach. Once enabled, logging in to WordPress will require entry of a unique passcode generated by an app on the user’s mobile device or sent via text message in addition to the username and password. This adds another layer of security while logging in.
    • This strong password approach should be used across different interfaces including host/admin, database, File Transfer Protocol (FTP) accounts, and primary site email addresses of domain/web admins.
  • Add more challenge interfaces: Implement CAPTCHAs that users must complete before they can post, discuss, comment, offer feedback, and respond on the website. This will ensure that bots do not create mass entries and malicious feeds in your discussion threads.
  • Consider setting up auto-logout for idle users in WordPress. This will need a plugin to help monitor and logout inactive users.
  • Use Secure File Transfer Protocol (SFTP) instead of FTP to upload and manipulate files on the webserver. This keeps your user information encrypted while performing transfers.
Change defaults

Take backups and maintain restorable files before making changes.

  • Default admin: The default administrator name on WordPress is "admin." If this isn't changed, it becomes an open door for those looking for vulnerabilities. Bots can keep trying password combinations (brute-force attack) to attempt a break-in. Similarly, the default URL for admin login is website.com/wp-admin. Changing this will ensure that those looking to execute password combination attempts towards the default link do not get access to the admin login page.

    Additionally, the maximum number of failed login attempts can be changed from the default to a restricted number, after which the offending IP address or user is barred from accessing the website.

  • Default naming conventions (the WordPress table prefix): By default, the WordPress database uses WP_ as the prefix for its data tables. Experience has shown that a number of known WordPress-specific SQL-injection attacks have assumed the table prefix is WP_. Changing this to another random prefix will break any SQL injection attack that relies on this assumption. The prefix is changed through the wp-config.php file ($table_prefix), and the existing database table names are renamed through phpMyAdmin.
  • Default file permissions:

    1. Lock down write and delete file permissions where possible. This is an effective approach, especially when hosted in shared environments where the web server user or selected user(s) have write access. These restrictions can be loosened when write access is needed. Create separate folders with limited restrictions to allow upload of files by users if needed.

    2. Database hardening:

    • Assign a unique user ID to manage each blog. Have an individual database for each blog, instead of the default user and a single database for all blogs. This can be set while setting up the WordPress installation and works as a containment strategy. If a WordPress blog installation is compromised, this stops intruders from gaining access to and altering other blogs.
    • Secure the database (if you are the database admin). Disable features that are not used by your configuration. For example, if accepting remote TCP connections is not needed, disable it. Most operations, including posting blogs, uploading files, and posting comments, need only data read and data write privileges on the database. Removing database administration privileges from the application user ensures that changes to the database structure are not possible for unauthorized users. This works as a containment approach if the installation is compromised. The caveat, however, is that some major updates and supporting applications (including themes and plugins) may require access to make structural changes in the database (including the addition of new tables or changes to the schema). The workaround is to temporarily grant the required privileges before installing or updating the plugin, theme, or application, and to revoke them afterwards.

Hardening through .htaccess and wp-config.php files

.htaccess and wp-config.php are important files in a WordPress installation and must be secure and protected.

  • .htaccess is a distributed configuration file used by Apache (the web server software) to apply configuration on a per-directory basis. Through additional instructions in .htaccess, WordPress tells Apache how files in its root directory and subdirectories must be handled. For example, the .htaccess file is modified to be able to handle Pretty Permalinks.
  • Disable PHP file and script execution in directories that do not need this facility. For example, upload folders where a user can upload a file don't need to allow PHP file and script execution. These settings are placed in an .htaccess file kept in the folder being hardened. The Apache server will read the instructions in that .htaccess file and disallow any PHP file execution in the upload folder.
  • wp-config.php could be saved in a directory above the root directory that WordPress installs into. Ensure that file read/write permissions are in place for the admin and read permissions are in place for the web server.
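The permission lockdown and the upload-folder .htaccess steps above, as an added POSIX sh helper that is not part of the original article: it sets the file modes, writes a PHP-execution block into wp-content/uploads, and audits the tree so the check can be repeated. The Apache 2.4 directive syntax, the function names and the example path are assumptions; it assumes the account running it owns the WordPress files and that AllowOverride permits these directives.

```shell
# Added example (not from the article): harden and audit a WordPress tree.
# Assumes Apache 2.4 and that the script runs as the file owner.

# Directives dropped into wp-content/uploads/.htaccess: Apache refuses to
# serve anything that looks like a PHP script, so nothing uploaded there
# can be executed as PHP.
WP_UPLOADS_HTACCESS='# Added by hardening helper: no PHP execution in uploads
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>'

wp_harden_fs() {
    root="$1"
    [ -d "$root" ] || return 1

    # Directories 755, files 644: only the owner (the admin account) can
    # write or delete; the web server user and everyone else can only read.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +

    # wp-config.php carries DB credentials and salts: owner read/write,
    # group read for the web server process, nothing for others.
    [ -f "$root/wp-config.php" ] && chmod 640 "$root/wp-config.php"

    # Uploads is the one place untrusted files land; keep it free of
    # executable PHP. (If the web server runs as a different user than the
    # owner, grant that user's group write on this directory only.)
    uploads="$root/wp-content/uploads"
    mkdir -p "$uploads"
    printf '%s\n' "$WP_UPLOADS_HTACCESS" > "$uploads/.htaccess"
    chmod 644 "$uploads/.htaccess"
}

# Audit a tree against the same rules. Prints the number of findings
# (0 means clean) so it can run from cron or a deploy pipeline.
wp_audit_fs() {
    root="$1"
    uploads="$root/wp-content/uploads"
    n=0
    # Anything writable by group or others can be altered by a neighbour on
    # shared hosting or by a compromised web server process.
    n=$((n + $(find "$root" \( -perm -002 -o -perm -020 \) | wc -l)))
    # wp-config.php must not be world-readable.
    n=$((n + $(find "$root" -maxdepth 1 -name wp-config.php -perm -004 | wc -l)))
    # PHP scripts inside uploads are a classic webshell drop point; hardening
    # never deletes them, it reports them for investigation.
    n=$((n + $(find "$uploads" -name '*.php' 2>/dev/null | wc -l)))
    # The .htaccess guard must be present and intact.
    grep -qs 'Require all denied' "$uploads/.htaccess" || n=$((n + 1))
    echo "$n"
}

# Usage: sh harden.sh /var/www/html   (placeholder path)
if [ $# -eq 1 ]; then
    wp_harden_fs "$1"
    echo "findings after hardening: $(wp_audit_fs "$1")"
fi
```

A non-zero audit count after hardening points at leftover PHP in uploads or at permissions something else re-opened, both worth a look before the site goes back into service.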

Maintain audit logs and backup/restore capabilities

  • An audit log helps track all activities and changes to the WordPress site. This can include user activity like logins, logouts, updates, posts, and application update activities.
  • The activity log can be referred to for any suspicious activity or changes made. There are backup plugins that allow restoration to a specific point in an audit log. Notifications can be set for critical website changes initiated.

General good practices

  • Compromised computers: If a compromised computer is used for admin-related work on the web server, confidential information can be captured through keyloggers, viruses, spyware, or malware.
  • Compromised local network: If an admin or user is on a compromised local network while accessing the web server for admin-related work, confidential information could be extracted.
  • Monitor actively: Monitor logs to track changes to files and applications. Third-party applications like OSSEC help trace suspicious activity through logs and file change alerts. Plugins are available to monitor, track, analyze, and notify about suspicious activity.

Some popular WordPress security and hardening plugins

1. Jetpack

Jetpack is a plugin platform that consists of multiple plugin options including security, performance, marketing, and design tools. The security component of the plugin provides site security features including malware scanning, spam protection, brute-force protection, and downtime and uptime monitoring. The security plugin includes capabilities for:

  • Automatic malware and other code threat scans with the option to restore the website from malware in one click.
  • Block spam comments and form responses with anti-spam features powered by Akismet.
  • Brute-force attack protection to protect the WordPress login pages from attacks.
  • Monitoring the site uptime and downtime and getting instant email alerts about any change.
  • Secure login with optional two-factor authentication (2FA) for extra protection.
  • Auto-update individual plugins for easy site maintenance and management.

Jetpack details: https://wordpress.org/plugins/jetpack/

  • Version: 9.5
  • Active installations: 5 million +
  • Works on WordPress version: 5.6 or higher
  • Tested up to WordPress version: 5.7
  • Works on PHP version: 5.6 or higher
  • Languages supported: 43

2. Wordfence

Wordfence Security includes an endpoint firewall and malware scanner to protect WordPress sites. Wordfence maintains a threat defense feed that supplies the newest firewall rules, malware signatures, and malicious IP addresses to manage website safety, in addition to 2FA.

Wordfence's security scanner features:

  • Protects the site at the endpoint, enabling deep integration with WordPress.
  • Integrated malware scanner blocks requests that include malicious code or content.
    • Malware scanner checks core files, themes, and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects, and code injections.
    • Compares site core files, themes, and plugins with what is in the WordPress repository, checking their integrity and reporting any changes.
  • Protection from brute-force attacks by limiting login attempts.
  • Web Application Firewall identifies and blocks malicious traffic.
  • Repairs files that have changed by overwriting them with the original version.
  • Checks site for known security vulnerabilities and alerts to any issues. Also alerts to potential security issues when a plugin has been closed or abandoned.
  • Checks the safety of your content by scanning file contents, posts, and comments for dangerous URLs and suspicious content.
  • Offers 2FA for secure remote system authentication available via any time-based one-time password (TOTP) authenticator app or service.
    • Login page CAPTCHAs stop bots from logging in
    • Disable or add 2FA to XML-RPC.
    • Block logins for administrators using known compromised passwords.
  • [Premium]
    • Real-time firewall rule and malware signature updates via the Threat Defense Feed (free version is delayed by 30 days).
    • The Real-time IP blocklist blocks all requests from the most malicious IPs, protecting your site while reducing the load on it.
    • Checks to see if your site or IP have been blocklisted for malicious activity, generating spam, or another security issue.

Wordfence details: https://wordpress.org/plugins/wordfence/

  • Version: 7.5.2
  • Active installations: 4 million+
  • Works on WordPress version: 3.9 or higher
  • Tested up to WordPress version: 5.7
  • Works on PHP version: 5.3 or higher
  • Languages supported: 5

3. Tips and Tricks HQ

Tips and Tricks HQ offers features to secure user registration, login, and accounts, file systems, and firewalls. It also offers spam protection, blocklist referencing, front-end text protection, database security, security scanning, and more. Some other features include:

  • Reduced security risk by checking for vulnerabilities, and implementing and enforcing the latest recommended WordPress security practices and techniques.
  • Offers a security points grading system to measure how well the site is being protected based on the security features activated.
  • Security and firewall rules are categorized into three levels, basic, intermediate, and advanced, so that the firewall rules can be applied progressively and checked without impacting the website’s functionality.
  • User-based security features:
    • Detect if user accounts have identical login and display names.
    • Enforce strong passwords using the password strength tool.
    • Prevent user enumeration. This prevents users or bots from discovering user info via author permalinks.
    • Get notified via email whenever a user gets locked out from too many failed login attempts to protect against brute-force attacks. View a list of all locked out users and unlock individual or bulk IP addresses as needed.
    • Monitor the account activity of all user accounts on your system by keeping track of the username, IP address, login date and time, and logout date and time.
    • See a list of all users who are currently logged in to your site.
    • Specify one or more IP addresses in a special whitelist. Only the whitelisted IP addresses will have access to your WP login page.
    • Add Google reCAPTCHA or plain math CAPTCHA to WordPress login forms and system logins.
    • Add Honeypot to the WordPress’s user registration form to reduce registration attempts by robots.
  • The file change detection scanner alerts about any files that have been changed in the WordPress system. These can be investigated to check if that was a legitimate change or if bad code was injected.
  • Spam monitoring includes:
    • Monitoring the active IP addresses that persistently produce the most spam and blocking them.
    • Preventing comments from being submitted if they don't originate from your domain.
    • Implementing CAPTCHAs on comment forms to add an additional layer of security against comment spam.
    • Automatically and permanently blocking IP addresses that have exceeded a certain number of comments labelled as spam.

All-in-one WP security and firewall details: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

  • Version: 4.4.8
  • Active installations: Nearly 1 million
  • Works on WordPress version: 5.0 or higher
  • Tested up to WordPress version: 5.7
  • Languages supported: 13

4. Sucuri

Sucuri Security offers an auditing, malware scanning, and security hardening WordPress plugin. The plugin is a security suite offering users a set of security features for WordPress. Some of the key features include:

  • Security activity auditing - Monitor all security-related events including changes that occur within the application and its environment, including who's logging in and what changes are being made.
  • File integrity monitoring - Compare known good file versions with the current files. This covers all the directories at the root of the install, including plugins, themes, and core files.
  • Remote malware scanning: Security scanner – Use the SiteCheck feature to scan for malware.
  • Blocklist monitoring – Monitor blocklist engines to prevent known malicious IP addresses and users from accessing a site, and remove legitimate user sites from that list if any are inadvertently added.
  • Effective security hardening – Configuration learnings from cleaned websites are used to harden security.
  • Post-hack security actions – Use these to help with recovery in the event of a hack.
  • Security notifications.
  • Website Firewall (premium) – Includes protection against:
    • DoS and distributed DoS (DDoS) attacks
    • Exploitation of software vulnerabilities
    • Zero-day disclosure patches
    • Brute-force attacks against your access control mechanisms
    • Performance optimization
    • Advanced access control features
    • Failover and redundancy

Sucuri Website Firewall filters out bad traffic before it reaches the website.

Sucuri security details: https://wordpress.org/plugins/sucuri-scanner/

  • Version: 1.8.26
  • Active installations: 800 thousand+
  • Works on WordPress version: 3.6 or higher
  • Tested up to WordPress version: 5.7
  • Languages supported: 10

5. MalCare Security

MalCare Security offers a free malware detection and removal plugin with a one-click malware removal option. It also offers a cloud-based firewall for website protection. Geo-blocking at a country level helps to mitigate hack attacks originating from certain geographies. MalCare comes integrated with a website management module that ensures security and site management from a single dashboard. The tool checks performance and notifies when a website goes down; it also keeps an eye on site loading speed. MalCare allows white label solutions to help developers support customers with their own branding.

MalCare features:

1. Cloud-based malware scanner

  • Daily scan
  • On-demand site scans
  • Scan non-WP files

2. Instant malware removal

  • View details on hacked files
  • Instant automatic malware removal
  • Removal of unknown and new malware

3. Intelligent malware protection

  • Web application firewall
  • IP allow listing
  • CAPTCHA-based login protection
  • Logs for traffic and logins
  • Geo-blocking
  • Alerts for suspicious logins

4. Website hardening

  • Block PHP execution in untrusted folders
  • Disable file editing
  • Block plugin or theme installation
  • Change security keys
  • Reset all passwords

5. Support

  • Email, chat, and social media

6. Complete website management

  • Centralized dashboard
  • Plugins and themes management and update
  • Management of users, teams, and clients
  • Generate and schedule reports
  • White-labeling solution
  • Monitoring uptime and site speed
  • Blocklist alarms
  • Slack integration

MalCare security services details: https://wordpress.org/plugins/malcare-security/

  • Version: 4.57
  • Active installations: 100 thousand+
  • Works on WordPress version: 4.0 or higher
  • Tested up to WordPress version: 5.7
  • Supports PHP version: 5.4.0 or higher

Summary

Making WordPress secure is an ongoing and continuous exercise. Closing the known loopholes through hardening strategies and actions makes break-ins and website corruption harder. We looked at hardening at various levels, including the physical level of host servers and networks, and the application level, with stronger access criteria including passwords, secure protocols, and masking or changing default details. The use of tools and plugins helps automate and monitor some of the areas that can be tracked for analysis. We looked at some popular security plugins that help secure and harden a WordPress website.