Between the years of 2017 and 2021 I was part of two “Securing WordPress” initiatives, both of which were triggered shortly after our team was notified by WordPress of a brute-force login attempt on our wp-admin page. In our defense, the web designers hired by my employers did not have experience with web security, and thus only used the basic security features built into WordPress.
In an effort to educate young IT pros and myself about WordPress security (since breaches due to misconfigured WordPress instances are quite common). I researched and listed some WordPress security best practices:
Best Practices
1. Secure your login.
- Use strong passwords: Make sure that all your WordPress administrators are using strong passwords. You might want to use one of the recommended password managers to generate strong passwords and keep track of them.
- Enable two-factor authentication: Two-factor authentication (2FA) is a very effective tool in preventing unauthorized access to an account, and although WordPress does not have a native 2FA feature there are plugins that make adding this feature to your wp-admin page fairly simple (Which you can find here).
- Change the default “admin” username: The username “admin” is one of if not the most used username for administrative accounts, so chances are it will be the first username attackers will try to breach during a brute force attack. If you’ve already created a user with this name we strongly recommend you create an administrator account with a different username.
- Limit login attempts: Limiting the number of failed login attempts an account can have will prevent hackers from running effective brute-force attacks (Limit Login Attempts plugin).
2. Use a secure WordPress host.
If you plan on using a cloud service provider to host your WordPress site consider a host that will protect your information and allow you to recover your site if an attack occurs. See this list of recommended WordPress hosting providers.
3. Keep your WordPress UpToDate.
Outdated versions of WordPress are common targets for hackers. Make sure you regularly check for and install WordPress updates to eliminate vulnerabilities found in older versions.
4. Update PHP.
Running the latest version of PHP is a key component to maintaining a secure WordPress site. Most cloud hosts and even your WordPress instance will notify you once an upgrade is available.
5. Use a secure WordPress theme.
There are thousands of themes that are compatible with WordPress so make sure to choose one that meets WordPress standards. To verify that your current theme meets requirements, copy your website URL (or the URL of the themes live demo) into the W3C’s validator. If you find your theme isn’t compliant, search for a new theme in the official WordPress theme directory.
6. Use security plugins.
Security plugins are designed to enhance WordPress security and are a life saver if your WordPress is self hosted.
If used adequately they can do much of the security-related manual work for you, including :
- Monitoring and logging your site for unauthorized changes.
- Alerting you of unauthorized login attempts.
- Scanning for source files that might leave your site susceptible.
- Allow admins to reset or restore the site.
- Prevent content theft.
Whichever plugin you install, make sure it comes from a well-established and legitimate source. HubSpot has a great list of security plugins which I have linked here.
Advance Best Practices
1. Filter user input.
If any part of your website accepts input from visitors, it can server as a potential gateway for an XSS or SQL injection attack. To avoid this problem, make sure you filter out special characters from user input before it is processed, better yet you can use a plugin to detect malicious code.
2. Change the default WordPress login URL.
By default the WordPress admin login page is <yourdomain>.com/wp-admin. This makes it easy for hackers to find. Plugins like WPS Hide Login change this login page URL for you.
3. Disable your xmlrpc.php file.
XML-RPC (later replaced by REST APIs) is a communication protocol that allows WordPress to interact with external systems (servers,mobiles,etc). If you are not using XML-RPC you can disable the file with a plugin like Disable XML-RPC-API.
4. Hide your WordPress version.
Hiding the WordPress version your site is running will make it harder for hackers to know what vulnerabilities work on your site. Here’s a tutorial on how to hide your WordPress version.
5. Use .htaccess to restrict access based on IP
If you or your cloud host are using Apache web server you can take advantage of the .htacces file which allows administrators to restrict access to any page on your site based on IP. Unlike step2 which changes the wp-admin URL, modifying the .htaccess file will prohibit users from reaching the page unless they are connecting from a whitelisted IP.