This article was originally written in Feb 2014 and receives regular updates as tactics change.
Tip: If your website is currently hacked, this isn’t the guide you want. Check out our guide to cleaning a hacked WordPress site. Then come back here to harden it after the website has been cleaned.
How and why do websites get defaced, hacked, or corrupted?
Most sites are compromised through known vulnerabilities in outdated web-based scripts and applications. Simply put, this means that if you run outdated versions of popular software such as message boards, blogging software, or content management systems, your website could be at risk. The other common causes of compromise are insecure or stolen passwords and incorrect file permissions.
Why would anyone want to hack my website? I don’t store any personal or financial information on my site, so I shouldn’t worry about this, right? Many people assume that because nobody would want to compromise their website, they don’t need to worry about its security. Stop it.
Although attackers may not want any of the information on your site, most of the time a compromised site is used to spread viruses or spyware, or to redirect your visitors to sites that do. Most compromised sites we see have malicious code injected into their files for exactly this purpose.
Security Plugins and Tools
Be wary of WordPress security plugins and tools. Most of them tend to focus on either preventing further damage after someone has already hacked into your site, or hiding things like your WordPress login page (which is like tossing a sheet over your door and hoping nobody notices), rather than actually preventing intrusions.
After someone has gained access, it’s exceptionally difficult to ascertain what they’ve done, so it’s considerably more important to block them in the first place. Therefore, our tips focus on the kinds of changes you can make to your site that will prevent intrusions.
You might be thinking “but aren’t you missing dozens of other security practices?!” Perhaps you’ve read about them on other blogs or from other hosting providers or WordPress experts. There are plenty of articles out there listing 50+ security improvements you can make to WordPress… in our opinion, anything more than what you see below is overkill. The majority of those 50+ tweaks are designed to stop automated tools from inflicting damage after they’ve already gained admin access to your website. Following every step of this guide will instead set you down a path towards preventing access to your WordPress website in the first place.
10 ways to harden your website
#1 Tip: Take regular backups! (If you host with us, here’s how to automate backups) If you have a backup, restoring a backup is orders of magnitude faster and simpler than cleaning a hacked WordPress site.
1. Install a Limit Login Attempts Plugin
Note: this is optional if you host with us. The reason why can be found in the box below.
This plugin will let you limit the number of unsuccessful login attempts for your WordPress dashboard. This will protect against people trying to log in to your website with random passwords over and over again in an attempt to “brute force” the system. You can download the plugin here, which will set the limit to 3 attempts.
If you have used our one-click web applications installer, then this plugin should be installed by default. If it isn’t, you can install it by using the link above.
Did you know that our WordPress hosting comes with server-level tools to automatically detect multiple login attempts from the same IP and ban the malicious IP addresses? It doesn’t do any harm to install a plugin, but with our hosting, it’s no longer essential!
2. Admin Users: Use secure passwords & audit them
Never use a “temporary” password that you plan on going back to change later – it’s too easy to forget to adjust. When you go to change your password in WordPress under Users, it defaults to providing an autogenerated secure password. Please use what it provides and do not try to use one of your own, which will likely be weaker.
If you have trouble keeping/remembering long passwords, we don’t blame you: use a password manager like LastPass or 1Password that will keep track of all of your randomly generated passwords for you and lock them all with one strong master password.
It’s also recommended to audit your admin users every few months by deleting admin users you do not require. Set a task in your to-do list software of choice to do this quarterly.
3. Always update your software
Note: updates are 100% automated if you host your WordPress site with us, provided that any premium plugins or themes have their licenses activated and auto updates are enabled in 1-click web apps.
This includes the core WordPress software, all plugins, and all themes that you have installed. This step, combined with secure passwords, makes up the two most important steps. WordPress, plugin, and theme developers release updates both to add features and to repair security flaws. It is crucial that you update your software whenever a new version is available.
If you are using commercial plugins or themes, make sure to follow their instructions to save a license key to the plugin’s settings to enable auto update. This is an option for most commercial plugins like BeaverBuilder, Gravity Forms and WooCommerce extensions.
If your commercial theme or plugin does not support auto-update, you will need to add a recurring task to your to-do list software of choice to regularly check for updates and install them manually. When we encounter such plugins, we ask the developer to add auto-update and, if they do not intend to, we’ll find an alternative. This is because it’s not worth the time necessary to stay on top of manual plugin or theme updates.
4. Delete old software
If you have multiple versions of WordPress installed on your website (or any other piece of software, for that matter) and you aren’t using one of them anymore, you’ll still need to make sure it’s up to date or remove it entirely. Outdated and forgotten-about software installations are a very common way for automated hacking tools to gain access to your website.
The same is true for installed plugins and themes. If you’re not using them, remove them!
5. Enable and Force HTTPS
Using HTTPS instead of the insecure HTTP is easy these days!
- Click here to learn how to install a Let’s Encrypt certificate on your domain
- Follow our guide to learn how to force HTTPS across your entire website.
Now all logins to WordPress will be fully secured end-to-end. No passwords can be sniffed over the wire!
6. Use a security plugin like WordFence or Sucuri
There are a few things to note about this:
- If you’re hosted with us, this is not an essential tool. We use a combination of firewalls that block just about all the same types of intrusion attempts as WordFence, from brute-force attacks to vulnerability probing.
- Many security plugins are a sham that only make recommendations and don’t actively protect your website. We find WordFence to be the best of the bunch, with Sucuri a close second.
- WordFence is also handy when cleaning a hacked website as it tends to find the most infected files and clean them automatically.
- If you’re on a VPS, it doesn’t hurt to enable weekly WordFence scans. If you’re on shared hosting enabling those scans may eat up resources unnecessarily, particularly if you’ll be implementing everything else on this list and if you host with us.
Note: we’ve tested many of these tools to come to these conclusions. We’ve even seen some so-called security plugins previously installed on sites that have been hacked — lot of good they did!
7. Deny access to login to anyone but yourself
This step isn’t essential if you already have very secure passwords for all your admin-level users; however, there’s no harm in applying it if you like wearing a tinfoil hat.
Read our guide to learn how to password protect your wp-admin folder with HTTP authentication. When following the guide, the folder to enter will be the wp-admin folder.
Once completed, you will have two levels of password entry before reaching the admin area: HTTP Auth, then your standard WordPress admin login. Be sure to make the passwords different; if they are the same, then a bot that guesses the first one won’t have any trouble with the second layer.
8. Run the latest PHP in FastCGI or FPM mode whenever possible.
If you are using a current control panel, you’ll be able to choose between running PHP via FastCGI/FPM or as an Apache module. Choose the FastCGI or FPM method when possible.
In WordPress, there are many themes and plugins that claim they need global 777 permissions set in order to properly write to their folders and upload content. They’re wrong in most cases. “777” means that everyone, including every other account hosted on that server, can read, write, and execute any of the files that have those permissions.
This is a big security risk and a major problem if you are on a shared web hosting environment. If another website on the same server is compromised, the attacker will be able to access any of your files and folders that have the 777 permission set.
Using FastCGI or FPM mode forces PHP to run as your username and will avoid these problems altogether and work great with default file and folder permissions. If you’re hosting with us then FPM or FastCGI mode is the default for your website.
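As an added example (not code from the original post), here is an audit script that finds the world-writable 777-style entries described above in a WordPress tree and resets them to the commonly recommended 755 (directories) and 644 (files) defaults. The tighter 600 for wp-config.php and the throwaway sample tree it builds are assumptions for the demonstration; 600 is workable precisely because FPM/FastCGI runs PHP as your own user.

```python
import os
import stat
import tempfile
# Assumed targets (WordPress's usual recommendation): 755 dirs, 644 files, and
# 600 for wp-config.php, which works when PHP runs as your own user (FPM/FastCGI).
DIR_MODE, FILE_MODE, CONFIG_MODE = 0o755, 0o644, 0o600

def _entries(root):
    """Yield (full_path, relative_path, stat) for every non-symlink entry under root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISLNK(st.st_mode):   # a symlink's own mode is meaningless
                yield full, os.path.relpath(full, root), st

def world_writable(root):
    """Sorted (relative_path, octal_mode) of entries writable by 'other' (what 777/666 grant)."""
    return sorted((rel, oct(stat.S_IMODE(st.st_mode)))
                  for _, rel, st in _entries(root) if st.st_mode & stat.S_IWOTH)

def reset_permissions(root):
    """Apply the assumed defaults; returns sorted (relative_path, old, new) for what changed."""
    changed = []
    for full, rel, st in _entries(root):
        old = stat.S_IMODE(st.st_mode)
        if stat.S_ISDIR(st.st_mode):
            new = DIR_MODE
        elif os.path.basename(rel) == "wp-config.php":
            new = CONFIG_MODE
        else:
            new = FILE_MODE
        if old != new:
            os.chmod(full, new)
            changed.append((rel, oct(old), oct(new)))
    return sorted(changed)

def build_sample_site():
    """Construct a throwaway WordPress-like tree with the sloppy modes the page
    warns about (777 uploads directory, 666 wp-config.php). Returns its path."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    for rel, mode in (("index.php", 0o644), ("wp-config.php", 0o666)):
        with open(os.path.join(root, rel), "w") as f:
            f.write("<?php\n")
        os.chmod(os.path.join(root, rel), mode)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(uploads, 0o777)
    return root
```

Run `world_writable("/path/to/wordpress")` first and review the list before calling `reset_permissions`, since a plugin that genuinely needs a writable directory should get it via ownership, not via 777.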
Be sure you’re running the latest version of PHP. Only the latest couple of major versions are regularly supported by the PHP developers, so running older versions like 7.0 or older (as of Dec 2019) could create security risks for your site.
9. Never store your passwords on your computer unless they are encrypted
Many programs on your computer actually store your passwords in plain text. This means that if you have a virus or a particular piece of spyware on your computer it may be able to access the FTP or web-based credentials for your WordPress or website installation.
If you want to save your passwords in your applications, be sure to verify whether they are encrypted or stored in plain text. For example, any application which stores passwords using Apple’s Keychain system has fully secured password storage. Unfortunately, FileZilla is not one of these apps, so saving your password in FileZilla’s site manager tool could be problematic if your computer is ever infected by a virus that knows to look for FileZilla data files.
10. Ensure you are always running anti-malware software on your computer
Although this one should go without saying, it’s very common that people don’t run it. It doesn’t matter how secure your website or the server is if people are able to get your passwords from your personal computer.
If you follow these tips, there are only two remaining methods that could be used to hack your site:
- Zero day vulnerabilities, which are impossible to predict and protect against, though the best answer to them is fast updates, which our 1-click web apps utility handles for you.
- Social engineering, where someone tricks you into giving up your password. To prevent this, simply be vigilant and do not give out your password.