Learning how to protect WordPress is a task that can be quite simple but is often overlooked by many website owners. According to an article published by “techjury”, the statistics on attacks on the web are quite disturbing. For example:
- There are over 30,000 websites attacked every day.
- Of these, around 43% of the targeted sites are those of small and medium-sized enterprises (SME).
- In the second quarter of 2019, ransomware increased by 363%.
- And every 39 seconds a website is infected.
With everything that is happening on the web, it’s important to protect your website. If you want to know why hackers attack websites, I’ve published an article on the subject.
It goes without saying that the Internet can be intimidating. For anyone looking to increase their safety while surfing the web, here is a guide on how to stay safe on the Internet.
WordPress Main Vulnerabilities
Before I share my tips on how to protect your WordPress, I’ll explain what the main vulnerabilities are. After all, I believe it’s easier to protect yourself when you understand where the loopholes are coming from.
Here are the main causes that could make your WordPress vulnerable. I’ll explain how to protect yourself from each of them later.
Old Versions of PHP
It is an often overlooked attack vector. PHP is the programming language WordPress and all its extensions are written in, so the website cannot function without it.
Basically, PHP is software like any other, so it is constantly evolving.
It is especially necessary to be wary of versions which have reached their end of life (table of EOL versions) and are no longer supported by the community. Hackers often end up finding vulnerabilities in these versions. Since they are no longer maintained, every site still running them may be vulnerable.
Some web hosts, like us, offer “hardened” versions of PHP. A “hardened” version means that the web host makes sure the PHP build it runs is safe: even “EOL” versions have been “patched” to keep them secure.
Unused Themes or Extensions
The themes and plugins present in a WordPress site will always represent a possible vulnerability, even if they are not activated. Any file in a web hosting account can be accessed from the web if you know its exact location.
I’ll give you an example. Let’s say I have an old theme in my WordPress with a known vulnerability in the footer. Even if it’s disabled, a hacker could access it as follows:
With this URL, a hacker could easily exploit the flaw in my theme.
Files not Linked to the Website Still in the Hosting Account?
Websites are constantly evolving. In many cases, a website’s hosting plan has previously been used for other purposes or has hosted an older version of the site.
I frequently see web hosting accounts with a directory named “old” or “old-site”. When browsing through the directory, I realize that it contains an older version of the website that is no longer updated. These types of folders or archives on the web are a real gold mine for hackers.
If hackers successfully enter the old version of the site, they will be able to find and infect all the other sites located in the same web hosting account.
The “wp-login.php” File
This is the file used to access the website dashboard. It is also the most frequently attacked file by hackers.
On our Canadian hosting servers, I’ve noticed an average of 30 connection attempts on this file at any given time. Hackers try to guess your password with dictionary attacks. In some cases, they can try several thousand passwords per hour.
Consequently, it’s also a common cause of a slow website.
The “xmlrpc” Protocol
This protocol can be used to remotely control your website. There are several mobile and PC applications that use this protocol to connect to a WordPress site.
While this protocol is available for legitimate software to remotely control your site, it’s also available to hackers.
With this protocol, hackers can test over 1000 passwords in a single HTTP request. This means they can test more passwords in less time while slipping under the radar far more easily.
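The two behaviours just described leave a clear trace in the web server’s access log: bursts of POST requests to wp-login.php, and repeated POSTs to xmlrpc.php that each carry many guesses. The detector below is an added example, not code from the article or from any hosting panel; it assumes the Apache “combined” log layout and runs over constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log layout: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"].split("?")[0]

def detect_login_attacks(lines, login_threshold=10, xmlrpc_threshold=3, window_s=60):
    """Return sorted (ip, target, burst) for IPs hammering wp-login.php or xmlrpc.php."""
    hits = defaultdict(list)                      # (ip, target) -> POST timestamps
    for line in lines:
        parsed = parse_line(line)
        if not parsed or parsed[2] != "POST":
            continue
        ip, ts, _, path = parsed
        target = path.rsplit("/", 1)[-1]
        if target in ("wp-login.php", "xmlrpc.php"):
            hits[(ip, target)].append(ts)
    alerts = []
    for (ip, target), stamps in hits.items():
        stamps.sort()
        start = best = 0                          # densest burst inside window_s
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        # xmlrpc.php gets a far lower bar: one system.multicall request can carry
        # hundreds of credential guesses, so a few POSTs per minute is already odd.
        if best >= (login_threshold if target == "wp-login.php" else xmlrpc_threshold):
            alerts.append((ip, target, best))
    return sorted(alerts)

# Constructed sample log (RFC 5737 test addresses): one IP guessing passwords on
# wp-login.php, one abusing xmlrpc.php, and a legitimate editor who logs in once.
SAMPLE_LOG = (
    [f'203.0.113.7 - - [10/Mar/2024:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4123'
     for s in range(0, 48, 4)]
    + [f'198.51.100.9 - - [10/Mar/2024:10:01:{s:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 987'
       for s in (5, 20, 35)]
    + ['192.0.2.44 - - [10/Mar/2024:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 302 -']
)
```

Calling `detect_login_attacks(SAMPLE_LOG)` flags the two attacking addresses and leaves the editor’s single login alone; on a real server, read the access log into a list of lines and pass it in the same way.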
Themes, Extensions, and Updates
WordPress and its extensions are “open source”. This means that the code can be seen by everyone. I really like this concept because it allows the code to evolve faster. On the other hand, when a vulnerability is discovered, it is also public and available to everyone.
Hackers are using several botnets to regularly scan websites. Their only goal is to find a vulnerable file that was never updated.
First Part of Protecting WordPress
Now that I have shown you the main causes of an infected website, I’ll show you how to protect it.
Before proceeding, always make sure you have a full backup of your site before applying a change. I cannot stress this enough! You never know what could happen when you start optimizing or securing a website. Some plugins may not like the changes you’re making, and it could break your site.
Old Versions of PHP
You have two options when you have an old PHP version running behind your website.
The first option is to do business with a web host that offers “hardened” PHP versions. All our Canadian web hosting servers offer the “hardened” PHP version. This option should only be used if you cannot change the current version with a newer one.
The second option is to update your PHP version. The process of changing the version varies from one control panel to another. If a version is not available in your control panel, you’ll have to contact your web host, or move your site to us!
Here are the steps to follow with the most popular control panels:
Change the PHP Version in cPanel
- From the cPanel, go to the “MultiPHP Manager” menu.
- Place a checkmark in the box at the right of the table row corresponding to your WordPress site. The table is located at the bottom of the page.
- In the “PHP version” drop-down menu, select the desired version.
- Press the “Apply” button.
Change the PHP Version in cPanel with CloudLinux
- From the cPanel, go to the “Select a PHP version” menu.
- In the “Current PHP version” drop-down menu, select the desired version.
- Click on the “Set as current” link.
Change the PHP Version in Plesk
- From Plesk control panel, go to the “PHP Settings” menu.
- In the “PHP support (PHP version)” drop-down menu, select the desired version.
- Press “OK” at the bottom of the page.
Clean up Unused Themes and Plugins
As mentioned above, every unused theme and plugin can still be an open door for a hacker.
Here’s how to remove those that you don’t need.
Removing a WordPress Plugin
- Enter your website dashboard.
- Go to the “Plugins” menu.
- Under each deactivated extension, you will have a “Delete” link.
- Press the “Delete” link to remove the plugins.
- Repeat for the other inactive plugins.
Removing a WordPress Theme
- Enter your website dashboard.
- Head to the “Appearance -> Themes” menu.
- Select an inactive theme.
- Press the “delete” link located in the lower right corner of the theme window.
A Plugin to Secure your Website
So far, I’ve shown you techniques for securing a website that don’t require plugins. Now, to close the remaining vulnerabilities, you will need to install a plugin on your site.
The plugin I’m asking you to install is “iThemes Security”. I have been using this plugin for over 5 years already and it hasn’t let me down yet.
To get started, you need to install the plugin from the WordPress plugins menu.
Once the plugin is installed and activated, you’ll have a new menu on your sidebar under the name “Security”. Upon opening the menu for the first time, the plugin will show a “Security check”. I advise you to skip this step by pressing “close” in the lower left corner.
Protecting the “wp-login.php” File
Here’s the best way of protecting the “wp-login.php” file. You will simply need to change the dashboard login link. Here are the steps to follow:
- Enter the “Security” menu.
- In the upper right corner, you have an “Advanced” link. It will allow you to go to the advanced settings.
- Select the “Hide Backend” option by pressing the “Configure Settings” button.
- Activate the protection by pressing “Enable the hide backend feature”.
- In the “Login Slug” box, enter the word that will be used to replace “wp-login.php” or “wp-admin”.
- Press “Save Setting” to save your changes.
Following this modification, to access your WordPress dashboard, you will have to use a link like this one:
Disabling the “xmlrpc” Protocol
During my entire web hosting experience in Canada, I have only twice encountered a website that used this protocol. For all other sites, it should be closed to prevent attacks from hackers. Here is how to proceed:
- Enter the “Security” menu.
- If you haven’t already, press the “Enable” button on the “WordPress Tweaks” option.
- Now enter the “WordPress Tweaks” by pressing the “Configure Setting” button.
- Next to “XML-RPC”, change the option in the drop-down box to “Disable XML-RPC (recommended)”.
- For the “Multiple Authentication Attempts per XML-RPC Request” option, change the drop-down menu to “Restricted Access (recommended)”.
- Press the “Save Setting” button in the lower left corner.
Protecting Themes, Plugins, and Updates
The best way to protect yourself is to always make sure that all your plugins, themes and WordPress are up to date.
The “iThemes Security” plugin can also add an extra layer of protection to our extensions and themes. Here’s how to proceed:
- Enter the “Security” menu.
- If not done already, press the “Enable” button on the “System Tweaks” option.
- Now enter “System Tweaks” by pressing the “Configure Setting” button.
- Check the boxes for the following three options:
  - PHP in Uploads
  - PHP in Plugins
  - PHP in Themes
- Press the “Save Setting” button in the lower left corner.
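Two of the weaknesses covered in this article can be checked directly in the hosting account’s files: the forgotten “old” or “old-site” copies described earlier, and PHP files sitting in wp-content/uploads, which the “PHP in Uploads” setting exists to stop from executing. The audit below is an added example, not code from the article or the iThemes Security plugin; the directory tree it builds is constructed sample data, and the version numbers in it are sample values.

```python
import os
import re
import tempfile

VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")   # as written in wp-includes/version.php
PHP_EXTS = (".php", ".phtml", ".php5", ".php7", ".phar")   # extensions web servers may execute

def find_wordpress_installs(root):
    """Return {install_dir: wp_version} for every WordPress copy found under root."""
    installs = {}
    for dirpath, dirnames, _ in os.walk(root):
        version_file = os.path.join(dirpath, "wp-includes", "version.php")
        if "wp-includes" in dirnames and os.path.isfile(version_file):
            with open(version_file, encoding="utf-8") as fh:
                m = VERSION_RE.search(fh.read())
            installs[os.path.relpath(dirpath, root)] = m.group(1) if m else "unknown"
    return installs

def find_php_in_uploads(install_dir):
    """Return PHP-like files under wp-content/uploads; a healthy site has none."""
    uploads = os.path.join(install_dir, "wp-content", "uploads")
    found = []
    for dirpath, _, filenames in os.walk(uploads):
        for name in filenames:
            if name.lower().endswith(PHP_EXTS):
                found.append(os.path.relpath(os.path.join(dirpath, name), install_dir))
    return sorted(found)

def audit(root, live_install="."):
    """Findings: WordPress copies other than the live one, and PHP inside its uploads."""
    installs = find_wordpress_installs(root)
    stale = sorted(d for d in installs if d != live_install)
    php_in_uploads = find_php_in_uploads(os.path.join(root, live_install))
    return {"installs": installs, "stale_copies": stale, "php_in_uploads": php_in_uploads}

def build_sample_account():
    """Constructed hosting account: live site at the root, a forgotten copy in old-site/."""
    root = tempfile.mkdtemp()
    def put(rel, text=""):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    put("wp-includes/version.php", "<?php\n$wp_version = '6.4.3';\n")        # sample version
    put("wp-content/uploads/2024/03/photo.jpg")
    put("wp-content/uploads/2024/03/cache.php", "<?php // should never be here\n")
    put("old-site/wp-includes/version.php", "<?php\n$wp_version = '4.9.8';\n")  # sample version
    put("old-site/wp-content/uploads/logo.png")
    return root
```

Running `audit(build_sample_account())` reports the old-site copy with its outdated version and the stray PHP file in the live uploads folder; on a real account, pass the document root and the relative path of the live site instead.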
Finally, we have finished protecting WordPress!
The steps we have taken in this article are the minimum that I recommend to all the WordPress website owners.
I am aware that some people may be intimidated after reading this article. But be advised that it’s easier to protect your site than to clean it up after it got infected.
If, even after reading this article, you’re afraid of breaking your site while securing it, you can always give us a shout; we are always here to help out.