Don’t Get Hacked: Steps To Secure WordPress

A couple weeks ago, I was in California and met someone whose site was hacked, and he was completely unaware. I took on the clean-up of his site and set out to make sure that in the future his site was safe from falling prey again.

That process has really sobered me up, and made me realize just how vulnerable some of my sites have been.

The reality is that the best defense is actually having a defense: if you put your head in the sand, you’re gonna get a swift kick in the ass.

The Downside Of Popularity

20% of sites are on WordPress.

Just like driving a really common car, like a Honda Civic, using the most popular website platform comes with a lot of exposure. The more people use it, the more lucrative it becomes for attackers to learn how to break into it, because one working technique applies to a huge number of sites. Since about 20% of sites now run WordPress, it is a much bigger target for hacking.

Steps To Secure Your WordPress Site

On average, 20,000 hacked sites are identified every day.

According to Sophos Labs, they identify 30,000 newly hacked sites a day! That’s a shocking number, but even it is incomplete, since it only counts sites caught serving malware and not the more subtle compromises that involve redirects or injected link spam.

Here’s what I learned from the experience I mentioned above, along with the helpful comments and contributions of several SEO experts, about what you can do proactively to keep it from happening to you.

Protect Your Login Page

One of the most common ways hackers gain access to a site is by brute-force guessing of usernames and passwords. There are a few options that can be used alone or combined to reduce the risk of your password being guessed.

Block Access to wp-login.php

The best way to protect your WordPress login page from brute force attacks is to block unauthorized users from even getting to the page in the first place. This will require some editing of your .htaccess file if you’re using Apache and your config file if using Nginx. Most hosts will allow this and if yours doesn’t, it may be worth considering a change.

The first and most secure method we will address is to limit access to your wp-admin directory by IP address. This method should only be used if you know what IP addresses you will be accessing the site from and those addresses won’t change on a regular basis. Typically this isn’t a problem, but it is one to keep in mind since you will block yourself from access if you’re not careful. Use the code below as an example for blocking access based on IP. The code also includes a section that unblocks certain files that may be needed by some of your plugins. If you’re using an Apache server, put this code in a .htaccess file within your wp-admin directory.

# .htaccess in wp-admin/ - replace x.x.x.x and y.y.y.y with your own IP addresses.
# This is Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for these
# directives, or the equivalent "Require ip x.x.x.x y.y.y.y" form.
# Note that wp-login.php lives in the site root, so this file protects the
# dashboard only; the login form itself needs its own rule in the root .htaccess.
Order deny,allow
Allow from x.x.x.x
Allow from y.y.y.y
Deny from all

# Some plugins call wp-admin/admin-ajax.php from the public site, so leave it open.
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

If you’re on Nginx, use the following code and replace x.x.x.x and y.y.y.y with your own IP addresses:

# Replace x.x.x.x and y.y.y.y with your own addresses. Everyone else gets a 403,
# which this error_page line turns into a redirect to the custom page.
error_page  403  http://example.com/forbidden.html;

location /wp-admin {
    deny    192.168.1.1;   # optional: reject one specific address outright
    allow   x.x.x.x;
    allow   y.y.y.y;
    deny    all;
}

# Some plugins call admin-ajax.php from the public site, so it stays reachable.
location /wp-admin/admin-ajax.php {
    allow all;
}

# Caveat: a regex location such as "location ~ \.php$" (the usual PHP handler)
# takes precedence over these prefix locations, so on many setups the rules
# above never run for /wp-admin/*.php. Put the allow/deny directives in a regex
# location for ^/wp-admin/ that also carries your fastcgi_* directives, listed
# before the generic PHP handler, or repeat them inside that handler.

Another method that will block access without the concern of being blocked if your IP changes would be to password protect your login page at the server level. This results in one more level of logging in, but is only a very minor inconvenience. You will want to start with generating a .htpasswd file and uploading it to your server; preferably not in a publicly accessible directory. Once you’ve generated that file and uploaded it to your server, and you’re using Apache, go ahead and add the following code to the .htaccess file in your wp-admin directory (or create the file if it doesn’t already exist). Make sure to update the path in the AuthUserFile line to match the location of the .htpasswd file you created.

# Protect wp-login.php with HTTP basic auth. wp-login.php lives in the site
# root, so this block must go in the root .htaccess; a copy inside
# wp-admin/.htaccess would never match the file. Update the AuthUserFile path.
<Files wp-login.php>
AuthUserFile /path/to/your/.htpasswd
AuthName "Login Required"
AuthType Basic
Require valid-user
</Files>

If you’re using Nginx, you can use the following code in your configuration:

# Prompt for HTTP basic auth before WordPress ever sees the login request.
# Use an absolute path for the password file; a relative one is resolved
# against the nginx prefix directory, not the site root.
location /wp-login.php {
    auth_basic "Administrator Login";
    auth_basic_user_file /path/to/your/.htpasswd;
}
# Same precedence caveat as for /wp-admin: a "location ~ \.php$" handler wins
# over this prefix location. Use "location = /wp-login.php" (exact match) and
# repeat your fastcgi_* directives inside it so PHP still runs.

If your host allows it, you can pair this basic authentication with fail2ban (it reads Apache or Nginx logs) and create rules so that an abusive IP address is added to your server’s firewall rules and blocked for a specified period of time.
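As an added example (not part of the original post), here is the rule a fail2ban jail applies to the access log, written out in Python so you can see what it does: count 401 responses on wp-login.php per client IP inside a sliding findtime window and flag any address that reaches maxretry. The log lines are constructed for the example and use documentation-range addresses; in a real deployment fail2ban hands the flagged IPs to the firewall via its banaction, this script only reproduces the decision.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" access log line, e.g.
# 203.0.113.7 - - [12/Mar/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, path without query string, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").split("?", 1)[0], int(m.group("status"))


def find_abusive_ips(lines, maxretry=5, findtime=600, path="/wp-login.php", status=401):
    """Mimic a fail2ban jail: an IP that produces `maxretry` rejected requests to `path`
    within any `findtime`-second window is flagged, together with the time the rule tripped.
    Lines are expected in log order (oldest first)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of its failures inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, req_path, code = parsed
        if req_path != path or code != status or ip in flagged:
            continue
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:   # drop failures that fell out of the window
            hits.popleft()
        if len(hits) >= maxretry:
            flagged[ip] = ts
    return flagged


def _line(ip, ts, status, path="/wp-login.php"):
    # Builds a constructed sample log line (documentation-range addresses only).
    return f'{ip} - - [{ts}] "POST {path} HTTP/1.1" {status} 381 "-" "Mozilla/5.0"'


SAMPLE_LOG = [
    _line("203.0.113.7", "12/Mar/2015:10:00:01 +0000", 401),
    _line("203.0.113.7", "12/Mar/2015:10:00:04 +0000", 401),
    _line("198.51.100.5", "12/Mar/2015:10:00:09 +0000", 401),  # a legitimate typo
    _line("203.0.113.7", "12/Mar/2015:10:00:11 +0000", 401),
    _line("203.0.113.7", "12/Mar/2015:10:00:15 +0000", 401),
    _line("198.51.100.5", "12/Mar/2015:10:00:30 +0000", 200),  # then a successful login
    _line("192.0.2.44", "12/Mar/2015:10:00:40 +0000", 401, path="/wp-admin/"),  # other path, ignored
    _line("203.0.113.7", "12/Mar/2015:10:00:52 +0000", 401),  # fifth failure within 51 s
    # A slow guesser: six failures spaced 20 minutes apart never fill a 600 s window.
    _line("203.0.113.9", "12/Mar/2015:10:05:00 +0000", 401),
    _line("203.0.113.9", "12/Mar/2015:10:25:00 +0000", 401),
    _line("203.0.113.9", "12/Mar/2015:10:45:00 +0000", 401),
    _line("203.0.113.9", "12/Mar/2015:11:05:00 +0000", 401),
    _line("203.0.113.9", "12/Mar/2015:11:25:00 +0000", 401),
    _line("203.0.113.9", "12/Mar/2015:11:45:00 +0000", 401),
]

if __name__ == "__main__":
    for ip, when in find_abusive_ips(SAMPLE_LOG).items():
        print(f"ban {ip} (rule tripped at {when:%H:%M:%S})")
```

The slow guesser in the sample shows the trade-off every jail has: a short findtime catches noisy bursts but misses a patient attacker, while a long findtime with a low maxretry risks locking out a real user who mistypes twice in an hour.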

Plugin Options

Wordfence – This plugin serves as an additional firewall layer on your WordPress installation. There is an array of login security options available such as enforcing strong passwords and locking users out based on failed logins or the username they are attempting to use. For example, since you should never have “admin” as a username, you can add this to a list of usernames that will result in immediately blocking an IP address. This is frequently one of the first guesses hackers make in a brute force attempt and quickly shutting them out based on that simple rule is a good deterrent. Another handy feature is that you can suppress login errors to avoid tipping a hacker off as to whether or not a username is valid.

Login Lockdown – This is a plugin that can be added into WordPress which will block access to the site after a given number of failed login attempts.

So what’s wrong with your password?

Your password is lame

When we make passwords, we either make something that’s really easy to type, a common pattern, or things that remind us of the word password or the account that we’ve created the password for, or whatever. Or we think about things that make us happy, and we create our password based on things that make us happy. And while this makes typing and remembering your password more fun, it also makes it a lot easier to guess your password.

Lorrie Faith Cranor

One solution is to use a longer passphrase:

To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

xkcd, “Password Strength”

Here are some more common sense steps to further secure your password.

  1. Remove employee access to an application when an employee leaves.
  2. DO NOT write passwords down on paper.
  3. Don’t keep passwords in an unsecured spreadsheet or file folder.
  4. Use a pronounceable password, combining vowels and consonants to make something that flows off your tongue like “vadasabi”.
  5. Don’t use monkey, justin or love because they are among the most common words in the hacked password lists floating around the internet.
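As an added example (not from the original post), the information-theory point made concrete: a small password check that rejects anything on a common-password list even after the usual disguises (capitalisation, trailing digits, leet-speak), and estimates entropy in bits for a character password versus a word-based passphrase. The word list is a constructed stand-in for a real leaked-password list, and the 50-bit threshold is an assumed policy value.

```python
import math
import re

# Constructed stand-in for a leaked-password list. A real check loads a
# published list (tens of thousands of entries) instead of this handful.
COMMON_WORDS = {"password", "monkey", "justin", "love", "123456", "qwerty", "letmein"}

# Cosmetic substitutions people make to dodge naive checks.
LEET = (("0", "o"), ("1", "i"), ("3", "e"), ("4", "a"), ("5", "s"), ("@", "a"), ("$", "s"))


def normalize(candidate):
    """Fold case, strip trailing digits/punctuation and undo leet-speak,
    so 'M0nkey99!' is recognised as 'monkey'."""
    s = re.sub(r"[\d!@#$%^&*.]+$", "", candidate.lower())
    for leet, plain in LEET:
        s = s.replace(leet, plain)
    return s


def is_common(candidate, common=COMMON_WORDS):
    return candidate.lower() in common or normalize(candidate) in common


def charset_size(candidate):
    """Size of the alphabet the string visibly draws from."""
    size = 0
    if re.search(r"[a-z]", candidate):
        size += 26
    if re.search(r"[A-Z]", candidate):
        size += 26
    if re.search(r"\d", candidate):
        size += 10
    if re.search(r"[^A-Za-z0-9]", candidate):
        size += 33   # printable ASCII punctuation and space
    return size


def password_bits(candidate):
    """Entropy if every character were picked uniformly from that alphabet.
    This is an upper bound: it overstates dictionary words and keyboard patterns."""
    if not candidate:
        return 0.0
    return len(candidate) * math.log2(charset_size(candidate))


def passphrase_bits(word_count, dictionary_size=7776):
    """Entropy of word_count words drawn uniformly from a word list
    (7776 = the Diceware list); the honest figure for a word-based passphrase."""
    return word_count * math.log2(dictionary_size)


def assess(candidate, min_bits=50):
    """Policy verdict: reject anything on the common list, warn below min_bits."""
    if is_common(candidate):
        return "reject: on the common-password list"
    bits = password_bits(candidate)
    if bits < min_bits:
        return f"weak: about {bits:.0f} bits, below the {min_bits}-bit minimum"
    return f"ok: about {bits:.0f} bits"


if __name__ == "__main__":
    for pw in ("monkey", "M0nkey99!", "vadasabi", "Xk9mQ2pL"):
        print(f"{pw:12} {assess(pw)}")
    print(f"4 random Diceware words: about {passphrase_bits(4):.0f} bits")
```

Run against the list above, “vadasabi” (item 4) comes out at about 38 bits, an eight-character mix of upper, lower and digits at about 48, and four words picked at random from a 7776-word list at about 52: that is the whole case for the longer passphrase, and it is why the check applies a minimum in bits rather than counting character classes.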

More Plugins = Less Security

It’s really tempting to ask “is there a plugin for this?” Unfortunately, that mentality can quickly lead to trouble. Take for example the huge fiasco that happened because of “Rev Slider”. This plugin was bundled with a slew of very popular themes but had a security vulnerability that ended up getting over 100,000 sites hacked!

Over 100,000 sites were hacked due to a single plugin.

What was this plugin actually supposed to do? Build a freakin’ slideshow.

That’s not the only plugin to cause problems. WP Super Cache and W3TC both had major security issues that left the sites running them open to attack. Fortunately, those were patched quickly, but not every plugin gets the attention and maintenance it needs.

Here’s what you should do to limit your plugin vulnerability:

  • Eliminate unused plugins and themes. There is no reason to leave your site open to problems from code you’re not even using.
  • Don’t use a plugin when you can do it yourself. According to Brian LaFrance: “A good way to approach choosing a plugin vs. writing code for functionality is that a plugin should be used if functionality needs to remain identical even if a theme/design changes. If functionality is set up to fit in with a specific theme, that should be something built into the theme and not through using a plugin.”
  • Update RELIGIOUSLY. Monthly is not enough. The more stale your plugins, the more vulnerable you are to exploits targeted at older versions.

Extra Steps To Improve WordPress Security

Set up Google Alerts for spammy keywords related to gambling and medicine - Conrad O'Connell

Conrad O’Connell reminds us that you’re not always going to prevent forest fires, but seeing the smoke early can really make a difference.
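As an added example (not from the original post), the same smoke detection done in-house: a small scanner that reads your own pages’ HTML and reports gambling and pharma terms and outbound links that sit inside hidden elements, which is how injected link spam usually shows up long before a Google Alert fires. The sample HTML and the .invalid domains are constructed for the example; in practice you would run scan_html over fetched copies of your own pages on a schedule and alert on anything suspicious returns.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Terms the Google Alerts tip targets; extend the tuple for your own niche.
SPAM_TERMS = ("casino", "poker", "viagra", "cialis", "payday loan")

# Tags that never get a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "source", "wbr"}


def looks_hidden(attrs):
    """True if the element is concealed by the tricks link spammers favour."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return ("hidden" in attrs
            or "display:none" in style
            or "visibility:hidden" in style
            or "text-indent:-" in style
            or "left:-" in style)


class SpamScanner(HTMLParser):
    """Collects outbound links and spam terms, noting whether each sits in a hidden element."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.hidden_stack = []   # one bool per currently open element
        self.findings = []

    def _in_hidden(self):
        return any(self.hidden_stack)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag not in VOID_TAGS:
            self.hidden_stack.append(looks_hidden(attrs))
        if tag == "a" and attrs.get("href"):
            host = urlparse(attrs["href"]).hostname
            if host and host != self.own_host:   # relative and same-site links are fine
                self.findings.append({"kind": "link", "value": attrs["href"],
                                      "hidden": self._in_hidden()})

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.hidden_stack:
            self.hidden_stack.pop()

    def handle_data(self, data):
        text = data.lower()
        for term in SPAM_TERMS:
            if term in text:
                self.findings.append({"kind": "term", "value": term,
                                      "hidden": self._in_hidden()})


def scan_html(html, own_host):
    """Return every outbound link and spam term found in the document."""
    scanner = SpamScanner(own_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def suspicious(findings):
    """Anything hidden, plus any spam term, deserves a look; visible outbound links are normal."""
    return [f for f in findings if f["hidden"] or f["kind"] == "term"]


# Constructed sample page: a normal bakery post with a hidden spam block injected at the end.
SAMPLE_HTML = """<html><body>
<h1>Our Bakery Blog</h1>
<p>Read our <a href="https://example.com/recipes">recipes</a> and follow
us on <a href="https://twitter.com/examplebakery">Twitter</a>.<br>
Fresh bread daily.</p>
<div style="display: none">
  Best online casino bonus <a href="http://spam-casino.invalid/bonus">play now</a>
  cheap viagra <a href="http://pharma.invalid/buy">order</a>
</div>
</body></html>
"""

if __name__ == "__main__":
    for f in suspicious(scan_html(SAMPLE_HTML, "example.com")):
        print(f"{f['kind']:5} hidden={f['hidden']!s:5} {f['value']}")
```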

Research the potential vulnerabilities of plugins BEFORE you install them

Doc Sheldon reminds us that a search in time saves nine. Know what you’re adding to your site before you download that nifty-sounding plugin.

Use Cloudflare for a CDN and consider using SSL

Brian Alaway thinks you should consider SSL as well as a secure CDN.

Have a backup plan and store that backup somewhere else.

Brian LaFrance reminds you to hedge your bets. He recommends using https://wordpress.org/plugins/backwpup/ and having the backups dumped into Dropbox and Amazon S3.

What Say You? Have Some WordPress Security Tips?

If you have some worthwhile security advice, please add it in the comments. I’ll go ahead and add it to the post in an image too.

8 Comments

Conrad O'Connell

Thanks for the shoutout, Jeremy.

It’s a little trick that I never hope to see go off, but if all else fails, then it can cover my rear-end. My one tip on the password end is to use a good password manager like 1Password or LastPass to store all of those super-secure passwords.

Matt

A lot of the problem lies within where a lot of businesses and small solo marketers get their advice for running a WordPress site — other marketers.

The idea of launching your site is often sold as this 5 minute, one-click set and forget concept. It’s not. Anyone who thinks that such a critical cog in your revenue wheel can be handled on the cheap never to be invested in again is doing it wrong. If you plan on running e-comm or any transactions — please seek professional help.

That said, a few other pointers to add to this list:
1. Find a host that is reliable and responsive. (pro tip: the same rule applies, stay clear of $5/year hosting)
2. Backups. Though this doesn’t prevent hacks, it surely helps recover from them. (even backups can be tainted depending on the hack, so be careful.)
3. Just because a site has 50 plugins installed does not mean it’s any more vulnerable than a site with only 5 — PLEASE do background research on the organization you’re downloading a plugin or theme from. Make sure they are a valid company, seek their social presence, see if they have a premium option that could get you better features and support.
4. Use a service like Sucuri which will monitor your site for hacks and cleanse them if you run into an issue.
5. Seek professional help. Again, I feel like a lot of us think that because it’s the web and open source we salivate at the thought of massive margins. Even if you’re puttering along at a few hundred a month in revenue from your WordPress site, you should invest 10-15% of that with a professional WordPress consultant to keep tabs on your web presence. Be it quarterly security checks, review of the latest plugins, trends in themes, etc.

Hire someone to at least look over your site and make sure everything is in order. Do a background check on them too 🙂

Brian LaFrance

Hey Matt. Thanks for the comment. I definitely agree on hosting, backups, and seeking help.

As far as plugins go, the more you have, the more potential there is for a problem. Even the most popular, best researched plugins can have holes in them. It’s like having a house…are you more secure with 5 doors or 50 doors to the outside? A plugin developer could abandon a project and you likely wouldn’t know it until it’s too late. There won’t be any update alerts if there are no updates but that doesn’t mean there isn’t potentially an exploit that comes up later. Even the best WP devs have been caught off guard with various security holes over the years. It happens and one of the best defenses is to not go crazy with plugins…which will also typically help with site performance.

On Sucuri, I’ve been using them for monitoring the past couple years on some things and I agree that it’s a good option for that. On the cleanup side, they’ve had a bad track record lately from what I’ve seen and heard with various sites. More sites that I have seen cleaned come out broken after they do their cleanup than come out clean and fully functioning. That’s probably a side effect of some automation that just isn’t as smooth as cleaning manually. There are other, solid options for monitoring which are free and sometimes easier to work with, such as Wordfence. Ultimately, that’s more a matter of personal preference though. As long as you’re keeping tabs on the site with one of the major plugins, you’re better off than having no protection.

Alan Bleiweiss

Glad to see WordFence included in this post. I have used it to block IP ranges that I found were trying to hack my own sites. It’s invaluable to have this tool, to run scans, and to check the live stream access from time to time.

Patrick

May have missed it, but in addition to limiting login attempts and blocking admin, you should also use 2 factor. Setting up an authenticator is not difficult.

Brian LaFrance

Yup. 2 factor authentication is a good option as well. Sometimes it can be difficult to get buy in for it though depending on who the owner/author on the site is or how big the site is. If there are dozens of writers or they’re not tech savvy, someone is bound to run into issues getting set up. 🙂

Brian

I’ve had a lot of success with security through obscurity: once I changed all of my table_prefixes, my sites stopped getting hacked.

I had a lot of issues with sites hosted on GoDaddy.

Nate Somsen

Jeremy, wow! You hit me with a lot of useful information, many of which I had never considered.

I loved the passwords infographic; I somehow felt that the 65% of people using the same password everywhere would have been higher, like in the 80 percent range.

You had mentioned the plugin Rev Slider; I have seen that on several WordPress websites. What happened there, how did it get hacked?

Once again, amazing article, I’m impressed! I better go beef up the security on some of the WordPress sites I work with now…
