Security Tactics for WordPress

As the most used content management system on the web, WordPress has a target painted on its back. It powers over 25% of all sites across the web.  Any piece of software that is used in mass automatically becomes a point of vulnerability. The best example of this is the vast pool of malware developed for Windows. It’s often said that macOS systems get fewer viruses, but this isn’t necessarily due to them being more secure. Windows machines are more vulnerable, simply because there are more of them. Thus, it is more efficient for hackers to target them. In the same sense, running a site on WordPress means you should be taking some precautions. Check out the list below for some of our recommendations. Keep in mind that it’s a good idea to do these on a developer site in case something goes wrong.

1. Choose your hosting wisely: The majority of successful hacking attempts occur through the fault of a hosting company. Avoid this by running your website through a reputable, trustworthy hosting company.
2. Keep WordPress and all your plugins up to date: One of the advantages of using WordPress is that it has a great community that is constantly working to fix security vulnerabilities that are discovered. The same goes for your plugins.
3. Protect yourself from brute force attacks: A common hacking technique is to run a password-guessing robot on a website’s login page. This is called a “brute force” hack. There are several ways you can avoid this type of attack. You can configure all of these options in the plugin All In One WP Security & Firewall.
   1. Rename your login page: It’s a good idea to put your login page a different URL instead of on the standard http://yourwebsite.com/wp-login/ directory to make it more difficult for hackers to get access to your login form.
   2. Limit login attempts: Another great tactic is to limit the number of times someone can enter an incorrect password before they are locked out, either for a duration of time or even permanently!
   3. Use a captcha: For an additional layer of protection, make users fill out a captcha before they log in.
   4. Use a strong password and avoid generic usernames: This should go without saying, but if your login is username “admin” with password “pass123”, it’s a good idea to change it to something more secure.
4. Disable or remove XML-RPC: XML-RPC is a component of WordPress that deals with connecting to external services. Apps that allow you to interface with WordPress, such as the WordPress mobile app, make use of this feature. Unfortunately, leaving XML-RPC enabled can render your website vulnerable to a handful of attacks. The most common are brute force and DDoS attacks. Fortunately, if you don’t need XML-RPC, there are a variety of plugins to help you disable it.
5. Disallow access to wp-config.php: The wp-config.php is a critical file for WordPress, so it’s a good idea to disallow access to it from the world. You can do this by adding a few lines of code to your .htaccess file.
   

   <files wp-config.php>
   order allow,deny
   deny from all
   </files>

6. Disable the WordPress admin file editor: Have you ever noticed you can edit your theme files in the WordPress admin panel? That’s not good. It makes a hacker’s job a lot easier if they can edit files without having access to your server. Just add this line of code to wp-config.php to disable it.
   

   define( ‘DISALLOW_FILE_EDIT’, true );

7. Don’t use the default database table prefix: You may have noticed the option to change the database table prefix from “wp_” in the WordPress installation. Not changing this can make your site more vulnerable to SQL injection attacks.
8. Disable error reporting: While error reporting is useful to developers, it may be just about as useful to hackers since it gives away valuable information about your site. In production, be sure to turn this off by placing these two lines of code in your wp-config.php file.

error_reporting(0);

@ini_set(‘display_errors’, 0);