How To Secure Your WordPress Site


Essential WordPress security measures

There are several essential steps you should take to enhance the security of a WordPress site:

Strong WordPress Passwords

Use strong, unique passwords for all of your WordPress accounts, and consider using a password manager to generate and store them. You can also limit the number of login attempts allowed by using a plugin like Login Lockdown. Against a strong password, an attacker's remaining option is a brute force attack; stopping brute force attacks is covered below.

If your site has been compromised (or you even suspect that it has been compromised), you must also change the security keys in the wp-config.php file that are used to encrypt cookies. Simply changing passwords is not enough, because an attacker may still have a valid cookie and be able to access your site.

For more information about how to configure security keys in the wp-config.php file, please see the linked article.

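Rotating the keys by hand is error-prone, so here is an added example (not part of this article or of WordPress itself) that replaces all eight keys and salts in wp-config.php with fresh random values. It assumes the keys are written as single-line define() statements, as WordPress ships them, and that the file path passed to rotate_file() is writable.

```python
import re
import secrets
import string
from pathlib import Path

# The eight security keys and salts WordPress reads from wp-config.php.
WP_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Printable ASCII without whitespace, quotes or backslash, so a value can be
# placed inside a single-quoted PHP string literal without escaping.
_ALPHABET = "".join(c for c in string.printable[:94] if c not in "'\"\\")

def new_secret(length=64):
    # secrets (CSPRNG), not random, since these values protect login cookies.
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))

def _define_re(name):
    # Matches define('NAME', 'value'); with either quote style and any spacing.
    return re.compile(r"define\(\s*['\"]" + name + r"['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)\s*;")

def extract_keys(config_text):
    # {name: current value} for every key defined in the config text.
    found = {}
    for name in WP_KEYS:
        m = _define_re(name).search(config_text)
        if m:
            found[name] = m.group(1)
    return found

def rotate_keys(config_text):
    # Give every key a fresh value, and append any define() that is missing so
    # that all eight are set explicitly in the file.
    for name in WP_KEYS:
        line = "define('%s', '%s');" % (name, new_secret())
        config_text, n = _define_re(name).subn(lambda _m, new=line: new, config_text, count=1)
        if n == 0:
            config_text += "\n" + line + "\n"
    return config_text

def rotate_file(path):
    # Rewrite wp-config.php in place, keeping a copy of the original beside it.
    original = Path(path).read_text(encoding="utf-8")
    Path(path + ".bak").write_text(original, encoding="utf-8")
    Path(path).write_text(rotate_keys(original), encoding="utf-8")
```

Rotating the keys invalidates every existing login cookie, which is exactly the point after a compromise; users simply log in again.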
Unique WordPress Username

Do not use the default admin username for the administrator. Instead, create a user with a different username, assign the administrative role to it, and then delete the default admin administrator.

Update WordPress, Plugins and Themes

WordPress is updated regularly to address known vulnerabilities. Running old versions of WordPress makes it easy for hackers to gain access to your site. Run updates regularly to make sure WordPress and all related plugins are up to date. For more information about how to update WordPress, please see the linked article.

Delete Unused WordPress Plugins and Themes

Even though unused plugins and themes are disabled, that code is still visible on the Internet and can be a target for hackers. Be sure to delete any unused themes or plugins in order to reduce the opportunity for hackers to gain access to your site.

Working on WordPress files and database

  • Use the tools in Control Panel ---> WordPress ProDesk to tighten your site's file permissions.
  • Hide your wp-config.php
    This is another file that is highly vulnerable to attacks, and by default it is located at your_host/wordpress/wp-config.php. You can move it to the root directory, i.e. your_host/wp-config.php, because WordPress automatically checks the root directory for this file if it doesn't find it at the default location.
  • Disable File Editing
    The WordPress Dashboard by default allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will use if able to log in, since it allows code execution. WordPress has a constant to disable editing from the Dashboard. Placing this line in wp-config.php is equivalent to removing the 'edit_themes', 'edit_plugins', and 'edit_files' capabilities of all users:
    define('DISALLOW_FILE_EDIT', true);
  • Change the table prefix
    Many published WordPress-specific SQL injection attacks assume that the table prefix is wp_, the default. Changing it can block at least some SQL injection attacks (see the linked article for details). This does not prevent an attacker from uploading malicious files to your site, but it might stop some attacks.

Regular Backups

Make regular backups of your WordPress site. Backups will not prevent a site from being compromised, but they do help get a site back online quickly in case of compromise.

Enable HTTPS

HTTPS encrypts data transmitted between your site and its visitors, making it more difficult for hackers to intercept sensitive information. You can enable HTTPS on your site by installing an SSL certificate.

Defending against WordPress brute force attacks

A brute force attack is a simplistic type of attack in which a user or script tries to gain access to a site by repeatedly guessing different username and password combinations. Unfortunately, many people have username and password combinations that are easily guessed, so brute force attacks are often effective.

If your WordPress site experiences a brute force attack, you may notice that the site responds slowly, or not at all. Additionally, you may be unable to log in. This is because the flood of login attempts during a brute force attack causes numerous PHP and MySQL calls. These calls increase server load and adversely affect website performance.
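Because every guess is logged by IIS, the flood described above can be spotted in the site's W3C log before it becomes a performance problem. The following added example (not part of this article) parses a constructed log sample and flags client IPs with repeated failed logins; it treats a POST to wp-login.php that returns 200 as a failed attempt, since WordPress redirects (302) on success. The field list in the sample is the IIS default plus cs(Referer); the parser reads whatever #Fields line your log has.

```python
from datetime import datetime
# Constructed sample in IIS W3C extended log format (not a real server log): one genuine
# user (a mistyped password, then a 302 on success), then eight failed scripted POSTs.
SAMPLE_LOG = (
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken\n"
    "2024-05-01 10:00:09 10.0.0.5 POST /wp-login.php - 443 - 203.0.113.7 Mozilla/5.0 "
    "https://example.com/wp-login.php 200 0 0 110\n"
    "2024-05-01 10:00:20 10.0.0.5 POST /wp-login.php - 443 - 203.0.113.7 Mozilla/5.0 "
    "https://example.com/wp-login.php 302 0 0 120\n"
) + "".join("2024-05-01 10:01:%02d 10.0.0.5 POST /wp-login.php - 443 - 198.51.100.9 "
            "python-requests/2.31 - 200 0 0 205\n" % (2 * i) for i in range(8))

def parse_w3c(text):
    # Column names come from the #Fields directive, so the log's field order does not matter.
    fields, entries = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and len(line.split()) == len(fields):
            entries.append(dict(zip(fields, line.split())))
    return entries

def failed_logins(entries):
    # Failed login: POST to wp-login.php answered 200 (form re-rendered); success answers 302.
    hits = []
    for e in entries:
        if (e["cs-method"] == "POST" and e["cs-uri-stem"].lower() == "/wp-login.php"
                and e["sc-status"] == "200"):
            when = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
            hits.append((when, e["c-ip"]))
    return hits

def find_bruteforce(entries, threshold=5, window_seconds=60):
    # {client ip: most failures inside any sliding window} for ips at or over threshold.
    by_ip = {}
    for when, ip in failed_logins(entries):
        by_ip.setdefault(ip, []).append(when)
    suspects = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            suspects[ip] = best
    return suspects
```

Feed the output to the IP blocking or Login Lockdown measures described in this article; the threshold and window are the knobs to tune against your own traffic.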

There are several measures you can take to defend against brute force attacks on your site:

Method #1: Block IP addresses from accessing the WordPress login page

With this configuration, you can allow one (or several) IP addresses to access the WordPress login page, and block everything else.

If you enable IP address blocking and also use Cloudflare, make sure you test site logins thoroughly. On some server configurations, the combination of Cloudflare and IP address blocking may prevent logins from working correctly.

Simply create a web.config file within the wp-admin directory and enter the following, replacing the IP address with your own:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <ipSecurity allowUnlisted="false">
                <add ipAddress="8.8.8.8" allowed="true" />
            </ipSecurity>
        </security>
    </system.webServer>
</configuration>
  • To grant access to multiple IP addresses, add one <add ipAddress="..." allowed="true" /> element per address inside ipSecurity.
  • To determine your current IP address, you can visit http://ipfinder.us.
  • ipSecurity requires the IP and Domain Restrictions feature to be installed on the server. Note that a web.config in wp-admin only restricts that directory; wp-login.php lives in the site root, so to restrict it as well, apply the same ipSecurity section to that file from the root web.config (IIS lets you scope a configuration section to a single file with a location element).

Another way to counter brute force attacks is to deny login and comment POST requests that do not carry a Referer header from your own domain. A browser submitting your login form sends one; most attack scripts do not, although the header is trivial to forge, so treat this as a speed bump rather than a barrier.
In the root web.config under your WordPress root path, add the rewrite rule:

<rule name="block_comments_without_referer" patternSyntax="ECMAScript" stopProcessing="true">
  <match url="(.*)" ignoreCase="true" />
  <conditions logicalGrouping="MatchAll">
    <add input="{URL}" pattern="^/(wp-comments-post|wp-login)\.php" negate="false" />
    <add input="{HTTP_REFERER}" pattern=".*example\.com.*" negate="true" />
    <!-- REQUEST_METHOD is the IIS server variable holding the HTTP verb -->
    <add input="{REQUEST_METHOD}" pattern="POST" />
  </conditions>
  <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="No comments without referrer!" />
</rule>
  • Change example.com to your domain.
  • If you're using Multisite with mapped domains, you'll want to change example.com to (example.com|example.net|example4.com) and so on.
Note that xmlrpc.php has its downsides. It can introduce vulnerabilities to your WordPress site and has now been superseded by the WordPress REST API, which does a much better job of opening up WordPress to other applications. Before blocking it, confirm that nothing you rely on (for example the WordPress mobile apps or Jetpack) still uses it.
Disable xmlrpc.php with IIS request filtering:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <requestFiltering>
                <denyUrlSequences>
                    <add sequence="xmlrpc.php" />
                </denyUrlSequences>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>
Or using URL Rewrite:
<rule name="Block xmlrpc" stopProcessing="true">
  <match url="(.*)" ignoreCase="true" />
  <conditions logicalGrouping="MatchAll">
    <add input="{URL}" pattern="/xmlrpc.php" ignoreCase="true" negate="false" />
    <add input="{REQUEST_METHOD}" pattern="POST" ignoreCase="true" negate="false" />
  </conditions>
  <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>

A complete web.config template for WordPress that combines the front-controller rewrite, the no-referrer login block and the xmlrpc.php filter:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="WordPress" patternSyntax="Wildcard">
          <match url="*" />
          <conditions>
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
          </conditions>
          <action type="Rewrite" url="index.php" />
        </rule>
        <rule name="block_login" stopProcessing="true">
          <match url="(.*)" ignoreCase="true" />
          <conditions logicalGrouping="MatchAll">
            <add input="{URL}" pattern="^/(wp-comments-post|wp-login)\.php" negate="false" />
            <!-- empty Referer header -->
            <add input="{HTTP_REFERER}" pattern="^$" />
            <!-- REQUEST_METHOD is the IIS server variable holding the HTTP verb -->
            <add input="{REQUEST_METHOD}" pattern="POST" />
          </conditions>
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence="xmlrpc.php" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
    <staticContent>
      <mimeMap fileExtension="webp" mimeType="image/webp" />
    </staticContent>
  </system.webServer>
</configuration>

Method #2: Change the WordPress login URL

The default WordPress login page is wp-login.php, and a basic WordPress installation does not allow you to change this location. However, the Rename wp-login.php plugin allows you to change the WordPress login URL. Doing so can reduce the impact of brute force attacks, which are usually scripts that are programmed to hit the wp-login.php page over and over again with login attempts.

When you change the WordPress login URL, anyone who tries to access the wp-login.php page or wp-admin directory receives a “404 Not Found” error message.

To change the WordPress login URL, follow these steps:

  1. Log in to your WordPress site.
  2. Click Plugins, and then click Add New.
  3. In the Search text box, type rename wp-login, and then click Search Plugins.
  4. The Rename wp-login.php plugin appears in the list of search results.
  5. Under Rename wp-login.php, click Install Now, and then click OK to start the installation.
  6. After the plugin installation finishes, click Activate Plugin. The Permalink Settings page appears.
  7. Under Common Settings, select a permalink structure for your site.
  8. Under Login, in the Rename wp-login.php text box, type a URL for the login page, or accept the default value of login.
  9. Click Save Changes. The new WordPress login URL appears near the top of the Permalink Settings page.
  10. Test your WordPress site to make sure that it still functions correctly, and that you can access the login page using the new URL. Additionally, if you try to access wp-login.php or wp-admin, you should receive a “404 Not Found” error message.
  11. Set a custom error page for “404 Not Found” in the root web.config to protect your server:
      <httpErrors errorMode="Custom">
        <!-- subStatusCode="-1" (the default) would cover every 404.x sub-status -->
        <error statusCode="404"
               subStatusCode="2"
               prefixLanguageFilePath=""
               path="404.htm"
               responseMode="File" />
      </httpErrors>
You cannot use the default permalink structure with the Rename wp-login.php plugin.

Method #3: Enable Cloudflare for your site

Cloudflare is a content delivery network (CDN) that can block malicious requests before they reach your site. For example, Cloudflare-enabled sites were significantly protected during a large-scale WordPress brute force attack that occurred in April 2013.

Cloudflare works by routing traffic to your website through its own network. As a result, Cloudflare is able to block certain types of malicious requests. Cloudflare also increases website performance by leveraging its worldwide server network to deliver content to users more efficiently.

For general information about Cloudflare, please see the linked articles. You can enable Cloudflare for your site from your hosting control panel ---> CDN ---> click the "Enable" button.

If you enable Cloudflare and also use the IP address blocking method described in this article, make sure you test site logins thoroughly. On some server configurations, the combination of Cloudflare and IP address blocking may prevent logins from working correctly.