You never think your website will get hacked until it does.
That feeling of helplessness, frustration, and pure unadulterated rage that wants to punch holes in concrete is justified when it’s hundreds of hours of your time, efforts, hopes, and dreams down the gutter. Trust me, I know.
It’s pretty difficult, if not impossible, to put a name, face, and URL on the person responsible for bringing your site down. You were likely the victim of an automated attack, carried out by a bot that identified vulnerabilities and exploited them for nefarious purposes of its spiteful master: data scraping, black hat SEO, spam mailing, et al.
It’s not paranoia when you know that nobody’s safe, even, and especially on WordPress. Hackers love those massive numbers of users and they don’t discriminate; more targets means higher probability of making a hit. A single vulnerability in a popular plugin puts every single site using it at risk.
So once you have your site back online and kicking, you want to make sure none of this ever happens again.
In this article, we’ll take a look at 7 ways to cover your bases when you’re hardening security of a WordPress website.
Note: This post is a little more advanced than creating backups and using stronger passwords. I am assuming you are doing that already and don’t need to be reminded.
Up for it? Here’s what you need to do:
1. New WordPress Secret Keys
Information stored in user cookies is a goldmine for malicious crackers who know what they’re looking for. WordPress Security Keys make sure that that information remains protected via encryption.
You can use the online generator to create a unique set of keys. Once you have them, open your wp-config.php file and find this bit of code (somewhere between line 40 and 50) and swap the second parameter in each line for the adjacent key:
define( 'AUTH_KEY', ‘put your unique phrase here’);
define( 'SECURE_AUTH_KEY', ‘put your unique phrase here’);
define( 'LOGGED_IN_KEY', ‘put your unique phrase here’ );
define( 'NONCE_KEY', ‘put your unique phrase here’);
define( 'AUTH_SALT', ‘put your unique phrase here’ );
define( 'SECURE_AUTH_SALT', ‘put your unique phrase here’ );
define( 'LOGGED_IN_SALT', ‘put your unique phrase here’);
define( 'NONCE_SALT', ‘put your unique phrase here’);
2. Change your $table_prefix value
Your database is sacred and contains pretty much everything you call your own on the internet. Give it basic protection from SQL injections by changing its prefix from the default “wp_” to practically anything else.
This is another change you have to make via your wp_config.php file. Look for this and change the ‘CA_TWS02’ value to whatever you like:
$table_prefix = 'CA_TWS02'; // Use letters, numbers, and underscores only!
3. Rewrite some rules in .htaccess
.htaccess controls your web server’s configuration, which means that you can use it to create specific rules for your WordPress website’s domain to give significant boost to security. The best feature by far is IP range blocking.
Plugins like BulletProof Security and Wordfence have this feature built-in, so you don’t have to worry your head over it. Other than that, add this code to .htacces file (before #Begin WordPress) to secure the core wp-includes.php file:
# Block the include-only files.
RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L] </IfModule>
# BEGIN WordPress
4. Disable XML-RPC
I can’t wait for the day XML-RPC gets replaced by JSON REST API once and for all.
XML-RPC used to be great until someone figured out how to use the system.multicall to execute multiple methods inside a single HTTP request. That means that any security provided by login attempt filters is rendered useless.
The temporary solution is to delete the xmlrpc.php file. You can disable it with this code (which goes into your .htaccess file):
Deny from all
Plugins like Disable XML-RPC which will do the same. And there are more ways, explained by Tony of Geek T’n’T here.
5. Disable PHP error reporting
“Error logs should not be located in the publicly accessible portion of your server.” – WordPress Codex
PHP error logs display server path on every logged error. This is great news for troubleshooting, not so much when a hacker gets their mitts on it. This is a classic, tragic case of good intentions used for evil purposes.
Just disable it by a simple snippet in your wp-config.php file:
6. Advanced Monitoring
There’s this plugin called WP Security Audit Log which is like your own network of informants spread across the website, bringing you intel from everywhere about everything.
The plugin lets you keep an audit of every single change made under the hood and everything happening on your WordPress website. A professional WordPress developer or security expert can make great use of the plugin’s real-time user activity audit log, support for reverse proxies and security firewalls, attacker identification (via IP address), configurable security alerts based on User roles and critical activity status, and so much more.
Use it for your advantage. Note: You need some programming skills to make sense of it.
7. Keep pace with Sucuri and WordFence
These two are unquestionably the best in WordPress security services, and their blogs reflect that. Matt Barry of WordFence even takes (unconfirmed) credit for discovering the recently fixed SSRF vulnerability. And after reading up on their research on the subject, I’m personally inclined to agree.
The two highly efficient, well optimized, and extremely user friendly plugins are well-known providers of enterprise grade security solutions for WordPress websites. At least one of these plugins is an absolute requirement for general security, monitoring, blacklisting, scanning, and keeping your site safe from attackers.
Sucuri’s SiteCheck scanner is terrifyingly efficient and pulls data from 10 most noteworthy blacklist engines on the web, including Norton, McAfee, Google Safe Browsing, AVG, and more.
There is so much more to WordPress security than installing a few plugins and calling it a day. It’s an ongoing battle. If you can’t win against the hackers, you can make sure to survive and fight for as long as you can. That’s as close to victory as you can get on digital realm, in any case.