Advanced WordPress Security Best Practices
- Filter special characters from user input.
There is a possibility of an XSS attack or database injection if a part of your website receives a response from visitors. This could be a payment form or contact form or a comment section on a post. An attacker could insert malicious code in any of these fields to disrupt your website’s backend.
- Limit WordPress user permissions
Multiple user accounts are common on WordPress sites. To limit access to what they need, we recommend that each user be assigned a different role. WordPress offers six roles for each user.
Limiting administrator permissions to users will reduce the likelihood of attackers brute-forcing into admin accounts. This will also limit the damage that could be done if attackers correctly guess user credentials.
- WordPress monitoring
You should have a website monitoring system. You will be notified of suspicious activity on your website. Although you can prevent such activity with your existing measures, it is better to know sooner than later. A WordPress monitoring plugin can be used to receive an alert in the event of a breach.
- Log user activity.
Another way to avoid problems is to keep a log of all activities on your website. You can then check the log for suspicious activity periodically. You’ll be able to see if someone is doing something suspicious (e.g. changing passwords, altering plugin files or installing plugins without permission). Logs can also be useful in cleaning up after hacking, providing details about what went wrong and when.
However, this doesn’t mean that every file modification or password change is a sign of hacker activity within your organization. It’s a good idea, however, to monitor external contributors you employ and give them access rights.
Many WordPress plugins can create activity logs. There are many logging plugins available for WordPress like WP Activity Log and the free Activity Log plugin.
- Modify the default WordPress login URL.
We’ve already mentioned that the default URL for WordPress’ login page is easy to find. There are ways to change it to increase your security. You can use plugins such as iThemes and other hide login plugins change the URL of your login page.
- You can disable file editing from the WordPress dashboard.
WordPress allows administrators to edit the code in their files with the code editor. If an attacker gains access to your account, this gives them an easy way to modify your files. This feature can be disabled by a plugin if it has not been disabled. You can disable it yourself by doing some light programming. The code below should be added to the end of wp-config.php.
- Change your database file prefix.
Your WordPress database’s file names begin with “wp_” default. It’s true: Hackers have the ability to use this setting to locate your database files and perform SQL injections.
Simply change the prefix to something such as “wpdb_”, or “wptable_”. This setting can be set up even during installation of the WordPress CMS. We recommend being very careful if this is not done during the initial configuration, especially if you have already gone on a plug-in install spree. One wrong step and all of the sudden the screen goes white and you get the dreaded email saying your site may be experiencing issues. Not that I have ever seen that email of course.
- Disable xmlrpc.php.
XML-RPC allows the WordPress CMS to communicate with other web and mobile applications using a communication protocol called XML. It is still used by some to launch devastating attacks against WordPress sites.
Because attackers can submit hundreds of commands to XML-RPC technology, it makes it easier for them to execute brute force login attacks. XML-RPC has a lower security than REST, as it contains authentication credentials that can easily be exploited.
You can disable the xmlrpc.php if you don’t use XML-RPC. Check first whether the file is being used by your site. To check if your site is using the protocol, enter your URL into the XML-RPC validator. You can disable XML-RPC with WordPress security plugins such as Wordfence.
- You might want to delete the default WordPress admin account.
While we have discussed the possibility of changing the username of the default WordPress admin account (“admin”), it is worth considering deleting the default account and automatically blocking any IP address that attempts to gain access to your WordPress website with a security plugin. This is standard practice with every site that we build and support.
- Consider hiding your WordPress version.
Hackers won’t be able to find out your WordPress version if you hide it. You must always upgrade to the most current version of WordPress, as we have already explained. It is important to conceal any potential vulnerabilities if you have not yet done so.
How to Respond if You Are Hacked
You’ve taken all the steps above and are now ready to go in the event of an emergency. Or something went wrong. Whatever the reason, here are some things you can do.
- Try to remain calm.
Even those who worked hard to secure their sites, security breaches can still happen, remember security is a risk reduction, not an elimination. Know who you’re going to call ahead of time if you yourself are not a WordPress expert. If not, do you have a developer on standby? Do you have an agency that maintains your website and actively monitor for issues? If you’re not a WordPress expert and the answer to those two questions is no, then do your research now because more than likely if you just call your hosting provider, you’re sense of urgency and theirs is likely light years apart. No offense to hosting providers, there are some great ones out there, but they have no intimate knowledge of your site and well, like I said, try to remain calm.
- Your website should be in maintenance mode.
Next, if you are able to access the administrative console, you need to restrict access to the site. This keeps visitors away from the site and protects them against attack. You should not reopen your website until you feel that the intrusion has been fully remediated and the situation is under control.
- Start creating an incident log.
Next, gather all the facts that you can use in an incident report. These facts can be used as clues to help you solve the problem. Pay attention to:
- When you discovered the problem.
- What made you believe that you were being attacked?
- Your current theme, active plug-ins, and hosting provider.
- Any recent modifications you made to your WordPress website before the incident.
- A log of all actions taken during the investigation and resolution of the problem.
As more information becomes available, be sure to update this document.
- Reset permissions and access.
To prevent website modifications, change all passwords on your WordPress site. Next, force-logout all users who are still logged into your WordPress site.
It is highly recommended that account holders update their passwords on work and personal devices as well as personal accounts. You don’t know what the attackers could access beyond your WordPress website. It’s not easy, but it can reduce the damage caused by the attack.
- Find the problem.
You may be able to search for the problem using a security plugin in some cases. You may need to hire someone to diagnose the problem and repair your site depending on how severe the attack was. No matter what your method of attack, you should run a security scan of your site and all local files. This will allow you to remove any malicious code or files that the attackers may have left behind and restore any files that are missing.
- Check out related websites, especially on shared hosting.
Are you linked to any other platforms through your website? You should also take steps to secure any accounts linked to your website from other platforms.
- Backup, themes, and plugins can be reinstalled.
Double-check that your plugins and themes are safe before you re-install them. You can restore any backups you may have made before the incident.
- Change your site passwords again.
WordPress security is a delicate matter. Although you have already reset your passwords and fixed the problem, it is possible that the credentials were compromised. It is impossible to be too cautious. Consider changing them again.
- Notify you customers.
Once you have validated that the issue is clear and your website is back online, you should notify your customers of the breach, especially if customer personal information was potentially accessed and taken. This is not an easy thing to communicate as a business owner, but your customers trust your business. If your information had been leaked from such a breach, would you want to know? As you can imagine, you will probably get varying reactions, but you should be prepared for some less than positive responses. The sooner you notify your customers, the better.
These best practices have been defined for a reason and if you think you will never be the target of a hacker, you just might get lucky. Implementing these standard WordPress security practices will surely lessen the chance of a hacker being successful, which in turn will help protect the credibility and continued growth of your online business. As a business owner, you should discuss your options with your web developer, hosting platform, or the agency that you trust your WordPress site to. If none of those options are available, just reach out and we will be more than happy to give you an assessment that includes steps to remediate any vulnerabilities that we may uncover.