Your website looks great, you have outstanding traffic, and you are overall satisfied. However, all of this is worthless if your website is hacked, and you lose content, customers, and access to your site.
To prevent this from happening, I’ve written this comprehensive security concept for your WordPress website.
I’ve worked through the entire article “Hardening WordPress” to show you how to implement all the security recommendations in an easy step-by-step guide to make your WordPress website bulletproof against hacking attempts.
- 1 Video: How to Secure your WordPress Website
- 2 Choosing the Right Hosting Provider
- 3 Secure Updates and Creating a Backup
- 4 Hardening your Website with a Security Plugin
- 4.1 Install the Plugin “iThemes Security”
- 4.2 Start an Initial Security Check
- 4.3 Malware Scanner
- 4.4 The Recommended Modules of “iThemes Security”
- 4.4.1 Security Check
- 4.4.2 Global settings
- 4.4.3 Notification Center
- 4.4.4 User Groups
- 4.4.5 404 Detection
- 4.4.6 Away Mode
- 4.4.7 Banned User
- 4.4.8 Database Backup
- 4.4.9 File Change Detection
- 4.4.10 File Permission
- 4.4.11 Local Brute Force Protection
- 4.4.12 Network Brute Force Protection
- 4.4.13 Password Requirements
- 4.4.14 SSL
- 4.4.15 System Tweaks
- 4.4.16 WordPress Salts
- 4.4.17 WordPress tweaks
- 4.5 The Advanced Modules of “iThemes Security”
Video: How to Secure your WordPress Website
If you prefer watching a video instead of reading this article on how to secure your WordPress site, you can watch this video:
I’ve divided this article into three steps.
- First things first, we take a look at the basis for a secure WordPress website, the hosting provider.
- In the second step, we install the plugin “WP STAGING” to create a safety net when installing new plugins or themes. We will also set up a backup plugin so that the WordPress website can be restored quickly in the worst case, a successful hacking attack.
- In the last step, we set up the security plugin “iThemes Security” to prevent attackers from being able to gain access to our website.
Choosing the Right Hosting Provider
Let’s start with the foundation of your website’s security, the hosting provider.
There are many web hosts out there. The vast majority of them meet the minimum requirements for WordPress, but choosing one from the crowd can be time-consuming.
According to WordPress.org, the minimum requirements for the right hosting provider are:
1. PHP version 7.4 or greater.
2. MySQL version 5.6 or greater OR MariaDB version 10.1 or greater.
3. HTTPS support
[This is valid for WordPress 5.7 – March 2021]
In any case, verify that your provider meets these requirements.
If you are not sure which provider you should choose, choose one of the hosting providers recommended by WordPress.org.
If you are already using one of the recommended providers or have verified your provider’s security criteria, you can continue with securing your site.
Secure Updates and Creating a Backup
To fix security issues and errors, it’s recommended to update WordPress core and plugins regularly, because outdated software no longer receives security updates, and your website becomes much more susceptible to malicious hacking attempts.
So make sure that you keep the WordPress core as well as the plugins and themes up to date. Open the WordPress Dashboard and click on “Updates.” You will receive an overview of the WordPress core system’s updates, the plugins, and the themes.
Some WordPress users are afraid to update their WordPress sites. They fear that doing so will damage their website.
We deal with this topic in a separate article called “Why & How You Should Disable WordPress Automatic Updates.”
Secure Updating with “WP STAGING”
To prevent damage to your website during testing and making adjustments, you can use the free plugin “WP STAGING.”
Open the “Plugins” area in the side menu and click “Add new.” Then type “WP STAGING” in the search bar. Install and activate the plugin.
Open the WP STAGING plug-in. Then click on “Create New Staging Site,” assign a name and click on “Start Cloning.” The plugin creates a copy of your site. Then you can use the “Open Staging Site” button to access your staging site and try out all changes in a secure environment without endangering your production site.
I recommend going straight into the implementation and testing the adjustments from this article on a staging site instead of working directly on your actual website.
You can recognize from the orange menu bar that you are working on the staging site created by WP STAGING.
Creating a Backup with “Updraft”
Backing up your website is a fundamental process for any WordPress site. To not lose all progress, data, and orders in the worst case, when your website gets hacked, it is essential to have a backup of your WordPress site.
I will present the “Updraft” plugin in this article to create a backup from the site.
However, we are currently implementing full site backup into WP STAGING. Before installing Updraft, please visit our WP STAGING website and see whether we’ve already added this new function.
Install A Backup Plugin
From your WordPress dashboard, go over to “Plugins” and then go to “Add new.”
From here, go to the search bar and type in “Updraft.” Click on “Install” now and then click “Activate.”
“Updraft” is going to walk you through it with a simple tutorial. Just click on “Press Here To Start,” or you can go to the “Settings.”
Create a Backup
To take a backup, all you have to do is click on the “Backup Now” button on the right. Ensure that you check the two boxes, and then click on “Backup Now.”
The backup is running, and it should only take a few seconds. Now it’s done, and you can see that backup by scrolling down.
Schedule an Automatic Backup
That way, you don’t have to do this manually every time.
Go to “settings” and then change the “Files backup schedule” from “Manual” to “Daily,” do the same with the “Database backup schedule.” Set the value to “7,” which means that it’ll take one backup every day, and it’ll only retain the last seven days.
Next, choose where you want these backups to go. I strongly recommend storing the backup externally, in case you lose access to your website due to a hacking attack.
My personal favorite is Google Drive. Click on Google Drive, then scroll down; you can skip all the settings. If you like, you can allow Updraft to email you whenever the backup is done. Click “Save Changes.”
Now you need to give Updraft permission to upload data to your Google Drive account. Click on the link and then sign in to your Google account; click allow. Then click on “Complete setup” to go back to WordPress. Every day the backups will accumulate until it hits seven, and then it will continuously replace all backups with new ones.
Learn How to Restore a Backup
You can restore it by going back to the Updraft plug-in. Scroll down to the existing backups and then go to an existing backup and click on “Restore.” Make sure that you activate all the checkboxes and then click on “Restore Now.” Click on “Restore” again, and the website is restored.
Make sure to go through step four to ensure that Updraft created the backup successfully. Otherwise, you may be relying on a backup that ran into complications during its creation, and you will not be able to recover your website. Testing the restore process is important and should be done at least once, with the first and most important backup.
Hardening your Website with a Security Plugin
To prepare this article, I’ve checked out the two most popular security plugins: “WordFence” and “iThemes.”
Both are excellent plugins, but I’ve decided to choose iThemes because of the more straightforward setup and the additional features for hardening the WordPress website.
Install the Plugin “iThemes Security”
Install and activate the plugin. Now we can open the new tab “Security” in the sidebar menu by clicking on “Settings.”
Start an Initial Security Check
The iThemes “Security Check” then opens. This “Security Check” is a one-click tool that installs the modules required on every WordPress site. These include, for example, the “Brute Force Protection” or the enforcement of “Strong Passwords.” I will explain the functions of the different modules directly after the “Security Check.”
Check the box and then click on “Secure Site” to continue.
Two more clicks are required to complete the process.
One click confirms the “redirection of HTTP requests to HTTPS requests.” This function ensures that there are no unencrypted pages available to your visitors.
The other click activates the “Network Brute Force Protection.”
A brute-force attack is a method that tries to find out passwords or keys by automatically trying large numbers of candidates. iThemes protects the website with a “Local Brute Force Protection” as well as through the “Network Brute Force Protection.” You add your WordPress site to the network, and iThemes Security protects your website against attackers that have already attacked another site in the network.
The admin email address is selected here by default.
You can also give the authorization to be informed about news; I’ll leave this option on “No.”
Confirm the activation and close the security check.
As with many plugins, iThemes also offers a free and a pro version. You can decide in the course of the article whether you consider the Pro version to be useful. If a feature from the premium version makes sense for you, I will mention it.
First, let’s take a look at the malware scan.
WordPress.org points out that it is important not to shift all security responsibility to the web host but to take this into your own hands. In doing so, they refer in particular to the installed applications.
We use the iThemes malware scanner to check if any of the applications you have installed are classified as malicious by iThemes Security.
To do this, we scroll down and find the scanner on the right. The free version of iThemes also has a malware scanner, although it is manual. The Pro version has an automatic malware scanner.
Click “Run Scan” to run a scan of your website. Then go to the “logs page” to check for the results.
To not give malicious applications a chance to get on to your website, install plugins only from trustworthy sources.
The Recommended Modules of “iThemes Security”
Now we come to the individual modules of iThemes Security. There are two display views, the “block view” and the “list view.” It is easier to go through the different modules step by step in the list view; we change the display view in the upper left corner from “block view” to “list view.”
The “Security Check” module only lists the standard precautions that we confirmed at the beginning of the set-up.
“Write to Files”: If you deactivate this option, you have to manually add the configuration options to the “wp-config.php” and “.htaccess” files. Therefore, I do not recommend removing this tick.
Since we will adjust the file permissions at a later point and revoke the write permissions for these files anyway, it makes sense to let iThemes make the adjustments until then.
“Lockout messages” are displayed to the host, user, or community if iThemes locks them out of your WordPress site or marks their IP address as malicious. You can edit these messages to make them more friendly if you have customer accounts on your website.
Below are the specific settings for the lockouts. The “Lockout Period” indicates how long WordPress will block the user / IP address after reaching the maximum limit of incorrect login attempts.
The “Ban Lookback Period” regulates how long iThemes remembers the locks and adds them up. “Ban Threshold” is used to determine how many lockouts a user or IP address may receive before he is permanently blocked.
To specify how many login attempts a user / IP address has before being blocked, we scroll to the module “Local Brute Force Protection.”
“Minutes to Remember Bad Login” indicates the time window in which iThemes adds up the incorrect login attempts. If the user / IP address enters inaccurate login data at 5:05 pm and 5:07 pm, iThemes counts two attempts. If the attacker makes the next incorrect login attempt at 6:00 pm, the counter starts again at 1.
In the “Max Login Attempts Per User” area, you can specify how many attempts a username has before it is blocked.
“Max Login Attempts Per Host” sounds very similar. This setting comes into play if an attacker uses several computers behind one IP address. As soon as the attacker reaches that value, the IP address is blocked.
According to your website, adjust the settings in “Local Brute Force Protection” and “General settings.” If you have customer accounts on your website, you can set the maximum value for incorrect login attempts a little higher or make the duration of a block shorter. You can allow fewer login attempts for websites that only you sign in to.
Example: A user tries five times within five minutes to log into your WordPress site. The user is then blocked for 15 minutes by “Local Brute Force Protection.” If this block is repeated twice within seven days, iThemes blocks the user permanently.
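To make the interplay of these counters concrete, here is an added Python model of a sliding-window lockout. It is not code from iThemes Security or WP STAGING: the setting names are taken from the article, the exact counting rules are my assumption, and the ban threshold of three lockouts within the lookback period is a constructed value that reproduces the example above (one lockout, repeated twice, then a permanent block).

```python
"""Sliding-window model of the lockout settings discussed above.

Added example, not code from iThemes Security or WP STAGING. Setting names
mirror the article; the exact counting rules are an assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    remember_bad_login: timedelta = timedelta(minutes=5)   # "Minutes to Remember Bad Login"
    max_attempts: int = 5                                   # "Max Login Attempts Per Host"
    lockout_period: timedelta = timedelta(minutes=15)      # "Lockout Period"
    ban_lookback: timedelta = timedelta(days=7)            # "Ban Lookback Period"
    ban_threshold: int = 3                                  # "Ban Threshold" (constructed value)


@dataclass
class HostState:
    failures: List[datetime] = field(default_factory=list)  # bad logins inside the window
    lockouts: List[datetime] = field(default_factory=list)  # lockouts inside the lookback
    locked_until: Optional[datetime] = None
    banned: bool = False


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.hosts: Dict[str, HostState] = {}

    def state(self, host: str) -> HostState:
        return self.hosts.setdefault(host, HostState())

    def status(self, host: str, now: datetime) -> str:
        """'ok', 'locked' (temporary) or 'banned' (permanent) at time `now`."""
        st = self.state(host)
        if st.banned:
            return "banned"
        if st.locked_until is not None and now < st.locked_until:
            return "locked"
        return "ok"

    def record_failure(self, host: str, now: datetime) -> str:
        """Register one bad login at `now` and return the resulting status."""
        p, st = self.policy, self.state(host)
        current = self.status(host, now)
        if current != "ok":           # already locked or banned: nothing to count
            return current
        # Forget attempts older than the remember window, then add this one.
        st.failures = [t for t in st.failures if now - t < p.remember_bad_login]
        st.failures.append(now)
        if len(st.failures) < p.max_attempts:
            return "ok"
        # Limit reached: start a lockout and count it against the ban threshold.
        st.failures.clear()
        st.locked_until = now + p.lockout_period
        st.lockouts = [t for t in st.lockouts if now - t < p.ban_lookback]
        st.lockouts.append(now)
        if len(st.lockouts) >= p.ban_threshold:
            st.banned = True
            return "banned"
        return "locked"


def burst(tracker: LockoutTracker, host: str, start: datetime, n: int = 5) -> str:
    """Simulate `n` bad logins ten seconds apart and return the final status."""
    result = "ok"
    for i in range(n):
        result = tracker.record_failure(host, start + timedelta(seconds=10 * i))
    return result


if __name__ == "__main__":
    # Constructed scenario: the same host is locked out on three consecutive days.
    tracker = LockoutTracker(LockoutPolicy())
    day = datetime(2021, 3, 1, 12, 0)
    for offset in (timedelta(0), timedelta(days=1), timedelta(days=2)):
        print(offset, burst(tracker, "203.0.113.5", day + offset))
```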
Let us continue with the “Global Settings” module.
The “Authorized Hosts List” allows you to add hosts that iThemes Security will not exclude from the WordPress site. This option prevents you from losing access to your site if you should trigger a lock.
To do this, click on “Add my current IP to the Authorized Hosts List.”
WordPress.org recommends that you dig deeper into your WordPress website’s logging if you need to troubleshoot problems or find out what happened and recover your site after being hacked. iThemes can save both “File Logs” and “Database Logs.” As mentioned during the “Site Scan” module you can access the logs via the sidebar menu by clicking on “Logs.”
If you already use many plugins and like to keep your WordPress menu tidy, you can do this by ticking the box under “Hide Security Menu in Admin Bar.”
In the module “Notification Center,” scroll down to “Site Lockouts.” By default, this setting is activated, which means that you will receive an email notification every time a user or host is blocked. The right configuration depends on your website. It would be best to deactivate this option for websites that customers or many WordPress users access, as it often happens that someone forgets their password. However, if you only use this site, you can activate it with a clear conscience, as iThemes can notify you directly of a possible hack attack.
We don’t need to adjust any settings under “User Groups.”
iThemes doesn’t activate the “404 Detection” module by default, but you should activate it. In addition to the “brute force attack,” there are also attackers who deliberately search for vulnerabilities on your website by attempting to access various links on it. If these pages do not exist, they receive the error message “404.” Accordingly, iThemes Security blocks users that receive many “404 errors” within a short time.
For this module, too, you can restrict how many “404” error messages a user may receive and within what period.
I recommend activating the “Away Mode” with caution, as this makes the WordPress dashboard inaccessible to all users for a selected time.
Under the tab “Banned User,” you can block the IP addresses of specific users or hosts. This option means that you immediately and completely deny this IP address access to your website. The list works in the same way as the “Authorized Hosts List” but vice versa. Instead of never blocking specific IP addresses, this list blocks them completely.
You can deactivate the “Database Backup” function because we have already installed a backup plug-in that creates both database and file backups.
File Change Detection
As with “404 Detection”, I recommend activating “File Change Detection.” If, for example, an attacker has hacked your hosting provider’s server and tries to change or delete your WordPress core data, you will receive an email notification. WordPress.org recommends enabling monitoring of changes to files.
The “File Permission” module offers us some fascinating insights into the core of our WordPress site. It’s recommended to check the file permissions.
Open the module window and click on “Load File Permission Details.” iThemes Security now shows the file paths of the security-relevant WordPress files, as well as the access rights of the files or folders. Both the actual value and the target value are displayed. In my case, iThemes suggests a change in two positions: the “wp-config.php” and the “.htaccess” files.
A three-digit number regulates the file permission. The first number regulates the permissions for the “user”; this is the website’s administrator. Several people can have administrator rights. The second number regulates the permissions for the “Group”; this includes the other users of your website, for example, editors, contributors, or other user roles. The last number describes the rights for “World,” which includes every other person on the Internet who accesses your site.
The wp-config.php is the configuration file of your WordPress application. Since this is one of the most critical files, you need to ensure that you have adequately protected it.
iThemes recommends the “444” here; this means that everyone has read access, but no one can write.
WordPress.org recommends protecting the file with the value “400” / “440”. With the value “440,” you as the administrator and the user have read access but no visitor. With “400”, only you as the administrator have read access; this is the most secure option.
It is crucial to understand that these file permissions refer to the actual website; you, as the site owner, can adjust these permissions at any time via FTP / cPanel and never lose real access.
The value to choose depends on the server setup. WordPress.org recommends locking your file permissions as much as possible and only loosening these restrictions if you need to allow write access. This means starting with the “400” or “440” permission and increasing the value from there until WordPress works. Use a maximum of “600” or “640.”
Now you understand how the file permissions are made up and which permissions we need to adjust.
However, it would be counterproductive to immediately implement the file permissions adjustment, as we would then deny iThemes Security write permissions, which would mean that we would have to manually add the changes to the “wp-config.php” file at the end of the set-up.
That is why we’ll adjust the file permissions while covering the “System Tweaks” module.
Local Brute Force Protection
The next module is “Local Brute Force Protection.” We have already made these settings in the general settings.
Network Brute Force Protection
And we also made the “Network Brute Force Protection” settings at the beginning during the “Security Check.”
The use of a secure password is another crucial aspect to avoid potential vulnerabilities.
You should prevent the following when choosing a password:
The “Strong Password” module helps to implement these requirements.
By default, iThemes activates this setting for all user roles. You should adjust these settings based on your website. For example, you can enforce strong passwords only for the Administrator user role.
It’s also recommended to use two-factor authentication.
The two-factor authentication technique requires users to log in using a two-step authentication method. The first step is the username and password, and the second factor is the authentication with a code coming from a separate device or app.
This feature is available in the Pro version of iThemes. Alternatively, you can search the plugin repository for the free two-factor authentication plugin “WP2FA.”
First, you need to install and activate the two-factor authentication plugin. After activation, go to the WordPress plugins list and, under “WP 2FA – Two-factor authentication for WordPress,” click on “Configure 2FA Settings.” This will lead you to the “setup wizard.”
Next, install a 2FA app on your phone. I recommend the “Google Authenticator”.
Open your authentication app and scan the QR code that appears in the “Setup wizard.”
Enter the code shown in the app on your smartphone.
If you need further help to set up the app click on “For detailed guides for your desired app, click below.”
That’s all; your authentication app will now save the code sent once by “WP2FA”. Now make the settings that match your WordPress site.
The next time you log into your website, the plugin will ask you for the two-factor authentication code after entering your password.
To do this, open the authentication app on your phone again and enter the code you see on it.
Let’s go back to iThemes Security.
The “SSL” module redirects all “HTTP” requests to HTTPS requests if an SSL certificate is available. iThemes activated this module in the “Security Check.”
Open “System Tweaks” and click “Enable.” We need to check some boxes. Both the “System Tweaks” and the “WordPress Tweaks” modules have several optimizations to improve your WordPress site’s security even further. However, some of these options can conflict with your website; it depends on your website. Therefore, please check the full functionality after each activation by ticking the box, clicking on “Save Settings,” and reloading the page’s front end.
Directory browsing: Attackers can browse directories to find out whether files with known vulnerabilities exist on your WordPress site, so that they can use these files to gain access to your website.
Browsing through directories can also be used to look into your files, copy pictures, find out your directory structure, and get other information about the website. For this reason, I highly recommend that you enable “disable directory browsing.”
To test whether directory browsing is already deactivated on your site, enter example.com/wp-content. If you receive a blank page, everything is fine, but there is a significant security issue if your website allows visitors access to the directory.
File write permissions: As already mentioned in the “File Permission” module, iThemes Security only offers the option of setting file permissions to the value “444”.
However, since WordPress.org recommends using “400” or “440”, we make this change manually via FTP.
I use “FileZilla” to access the WordPress installation files via FTP on the hosting provider’s server. Alternatively, you can also do this via cPanel.
Connect to the server; you’ll get the “Host,” “Username,” and “Password” from your hosting provider.
It’s recommended to use SFTP encryption when connecting to your server. If you’re not sure whether your web host is providing SFTP or not, ask them. Using SFTP is the same as FTP, except that your password and other data are encrypted as transmitted between your computer and your website.
Open the “HTML” folder. There you will find the file wp-config.php.
Select the “wp-config.php” file and right-click on it to open the context menu. Click on “file permission.”
Now you can assign the desired file permissions. I revoke read permissions from “public” and “group” and revoke write permissions from the “owner,” also known as “admin.”
Click OK, and FileZilla will save the new permissions.
Make these same changes for the “.htaccess” file again. Revoke read permissions from “public” and “group” and revoke write permissions from the “owner.”
Do not make any changes to the other file paths, for example, the “wp-content” path; otherwise, WordPress will no longer function correctly.
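The FileZilla steps above, and the permission digits explained in the “File Permission” module, done from a shell on the server as an added Python example (not code from iThemes Security or WP STAGING). The three digits are the file system’s owner, group and world bits; the audit checks them against the WordPress.org ceiling of “640” and the hardening applies “400.” The WordPress root with its two files is constructed by demo() in a temporary directory:

```python
"""Audit and tighten permission bits on wp-config.php and .htaccess.

Added example, not code from iThemes Security or WP STAGING. The sample
files live in a temporary directory constructed by demo().
"""
import os
import stat
import tempfile

# Start at 400 and loosen only if WordPress needs it; never above 640.
HARDENED_MODE = 0o400
CEILING = {"wp-config.php": 0o640, ".htaccess": 0o640}


def permission_digits(mode: int):
    """Split a mode into its (owner, group, world) digits: 0o644 -> (6, 4, 4)."""
    bits = stat.S_IMODE(mode)
    return (bits >> 6) & 7, (bits >> 3) & 7, bits & 7


def rwx(digit: int) -> str:
    """Render one digit as the familiar rwx string: 4 -> 'r--', 6 -> 'rw-'."""
    return ("r" if digit & 4 else "-") + ("w" if digit & 2 else "-") + ("x" if digit & 1 else "-")


def exceeds(actual: int, ceiling: int) -> bool:
    """True when `actual` grants any bit the ceiling does not (e.g. world read)."""
    return bool(stat.S_IMODE(actual) & ~stat.S_IMODE(ceiling))


def audit(wp_root: str) -> dict:
    """Describe each protected file like the File Permission module: actual vs. allowed."""
    report = {}
    for name, ceiling in CEILING.items():
        path = os.path.join(wp_root, name)
        if not os.path.exists(path):
            report[name] = None          # nothing to check (e.g. no .htaccess on nginx)
            continue
        mode = os.stat(path).st_mode
        owner, group, world = permission_digits(mode)
        report[name] = {
            "mode": f"{owner}{group}{world}",
            "owner": rwx(owner), "group": rwx(group), "world": rwx(world),
            "compliant": not exceeds(mode, ceiling),
        }
    return report


def harden(wp_root: str, mode: int = HARDENED_MODE) -> list:
    """Apply the hardened mode to every protected file that exists; return what changed."""
    changed = []
    for name in CEILING:
        path = os.path.join(wp_root, name)
        if os.path.exists(path):
            os.chmod(path, mode)
            changed.append(name)
    return changed


def demo():
    """Build a constructed WordPress root with typical 644 files, harden it, return both audits."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    for name in CEILING:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("# constructed sample file\n")
        os.chmod(path, 0o644)            # what most fresh installs ship with
    before = audit(root)
    harden(root)
    after = audit(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for name in CEILING:
        print(f"{name}: {before[name]['mode']} -> {after[name]['mode']}")
```

If WordPress stops working after hardening, raise the mode step by step (440, then 600 or 640) exactly as the article describes, and let audit() confirm you stayed under the ceiling.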
Let’s go back to the “System Tweaks” module in iThemes Security.
“PHP in uploads,” “PHP in plugins,” “PHP in themes”: if someone tries to upload a PHP file to the frontend of your website, including the media, plugins, and themes areas, it is almost always an attack. These options, therefore, prohibit the “PHP” file format for these directories.
“WordPress Salts” protect your passwords saved in the browser. If you save your password in the browser when you log in, WordPress stores this password in two cookies. However, if WordPress saved your password in clear text, attackers could easily read it.
Security keys and salts avoid this problem by working together to cryptographically turn that plaintext password into a random jumble of characters.
You can find these security keys and salts in the wp-config.php file; four keys and four salts each.
By confirming “Change WordPress Salts” and saving the settings, iThemes changes the WordPress Salts. However, this also means that all users are logged out of their current session and have to log in again. So think about when to make this change. iThemes Security recommends changing the WordPress “Salts” at least once a month.
Like the system tweaks, we can also make relevant changes to the “WordPress Tweaks” by ticking a few boxes. As with the “System Tweaks,” make sure to check the full functionality of your website after each activation.
First, we check the box next to “Comment Spam”; this reduces spam in the comment area.
We also make sure that the File Editor is disabled; this is another recommendation. WordPress offers the option of editing both plugins and designs by default. This editor opens up another possibility for attackers to access your site.
It is the same with “XML-RPC.” “XML-RPC” is a function of WordPress that you or plugins can use to transfer data. “XML-RPC” also offers attackers the opportunity to gain access to your site. This interface is relevant for using the WordPress app, trackbacks, pingbacks, and the JetPack plugin. If you use one of these functions, you cannot deactivate the “XML-RPC” interface; otherwise, select “Disable XML-RPC.”
Click on “Save Settings.”
The Advanced Modules of “iThemes Security”
At this point, we are through with the “Recommended” modules by iThemes.
However, there are also “Advanced” modules. iThemes helps to make simple one-click changes through these modules that we otherwise would have to do manually.
As mentioned before, I would like to remind you to try all changes on a staging site. Otherwise, it could lead to complications on your website.
The advanced module “Admin User” ticks off another WordPress.org recommendation.
WordPress.org recommends using the principle “Security through obscurity” in two places.
The first is to rename the administrator account, the second is to change the “table_prefix.” iThemes Security offers the possibility to make both adjustments; the change of the “table_prefix” takes place in the next but one step.
When installing WordPress, the admin username is “admin” by default. This default setting is often not changed, especially with one-click WordPress installations by the hosting provider. But even if you install WordPress yourself, you may not have changed the username because you didn’t know any better. That makes it much easier for attackers to gain access to the website, as they do not have to guess both the name and the password, only the password.
If your administrator username is “admin,” you will see the field “New Admin Username.” If you do not see the field, it is an indicator that you did everything correctly during the installation.
I skip the “Change User ID 1” field at this point, as it can lead to complications when using plugins.
Change Content Directory
The same goes for the next module, “Change Content Directory.” As the warning says, you should only use this module when installing WordPress.
Change Database Table Prefix
We now come to the second point where WordPress.org recommends the principle “Security through obscurity”; the module “Change Database Table Prefix” makes this adjustment.
Many WordPress-specific SQL injection attacks assume that the “table_prefix” is the default value “wp_”. Changing this prefix can block some SQL injection attacks.
If your table prefix is “wp_,” you’ll see the following message with the advice to change the prefix. “wpstg0_” is displayed as the table prefix because I’m on the staging site and WP STAGING has created this table prefix.
You can view the database via the “PhpMyAdmin” plug-in. Like the previous plugins, you can download it via “Plugin” and “Add New.” Then open it via the sidebar menu.
Now you can see the tables with “wpstg0”; these are the tables on the staging site. Below are the tables of the production site with the prefix “wp_”.
I’ll go back to iThemes Security. By selecting “Yes” and “Save Settings,” iThemes will assign a new, more complex prefix to the tables.
I switch to the “PhpMyAdmin” tab again, and after refreshing the page, I see the new prefix in front of the tables.
The module “Hide Backend” makes it difficult for attackers to access the WordPress login area. By default, everyone can reach the login page through “example.com/wp-admin” and “example.com/wp-login.php”.
Since this configuration is identical for all WordPress sites, attackers can immediately identify the login area where they start their brute force attack.
Before I explain the module, I’d like to mention that I have not activated it, because it can lead to login issues when using specific plugins.
Under “Login Slug,” you can see your current login extension; change the extension and make a note of it. The next time you access your website, enter “example.com/new extension.”
The module can be useful to prevent simple brute force attacks. If desired, try out whether the module leads to complications.
In the last module, “wp-config.php Rules,” iThemes offers the possibility to check whether all modules can act correctly.
If iThemes could not find any changes required, you will receive the message “There is nothing that needs to be written to your wp-config.php file.”
Otherwise, you will get the message, “The following rules need to be written to your wp-config.php.”
This message appears if iThemes Security doesn’t have “Write” file permission for the “wp-config.php” file.
To write the rules required by iThemes to the “wp-config.php” file, we use FileZilla to access the WordPress site’s files via FTP again. As you already know from customizing the file permissions, the “wp-config.php” file is located directly in the “HTML” folder. Right-click to select “View / Edit” and then open the text editor.
Copy and paste the rules listed by iThemes into the “wp-config.php” file directly under the opening “<?php” tag.
To explain, the rule “DISALLOW_FILE_EDIT” ensures that the deactivation of the file editor, which we made in the “WordPress tweaks” module, takes effect.
“FORCE_SSL_ADMIN” means that SSL encryption is also effective at the admin level. iThemes applied that setting in the “Security Check” at the beginning.
Save the changes and close the file, then confirm the upload of the new file via FileZilla.
After inserting these rules in the “wp-config.php” file, please check whether your WordPress site’s staging site is still functional. Click “View Site” in the WordPress Dashboard.
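The copy-and-paste step above as an added Python helper (not code from iThemes Security or WP STAGING): it places the rules directly under the opening `<?php` tag and skips any constant the file already defines, so running it twice does not duplicate a rule. The wp-config.php contents used in the demo are a constructed sample, not a real configuration.

```python
"""Write the rules from the "wp-config.php Rules" module into wp-config.php.

Added example, not code from iThemes Security or WP STAGING. It inserts the
rules directly under the opening <?php tag and leaves any constant that the
file already defines untouched, so it can be run repeatedly.
"""
import re

# The two rules the article explains; iThemes may list others for your site.
RULES = {
    "DISALLOW_FILE_EDIT": "true",   # makes the disabled plugin/theme editor stick
    "FORCE_SSL_ADMIN": "true",      # SSL for the admin area as well
}

# Matches define( 'NAME', value ); in the common wp-config.php spellings.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*([^)]*?)\s*\)""")

# Constructed sample of a wp-config.php, not a real configuration.
SAMPLE_WP_CONFIG = """<?php
/** Constructed sample, not a real configuration */
define( 'DB_NAME', 'wordpress' );
define( 'FORCE_SSL_ADMIN', true );
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
"""


def existing_defines(text: str) -> dict:
    """Map constant name -> value for every define() already in the file."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(text)}


def apply_rules(text: str, rules: dict = RULES):
    """Return (new_text, added_names, skipped_pairs).

    A rule is skipped when the constant is already defined, whatever its
    value; the skipped list tells the administrator what to check by hand.
    """
    present = existing_defines(text)
    added, skipped, lines = [], [], []
    for name, value in rules.items():
        if name in present:
            skipped.append((name, present[name]))
        else:
            lines.append(f"define( '{name}', {value} );")
            added.append(name)
    if not lines:
        return text, added, skipped
    tag = re.search(r"<\?php", text)
    if tag is None:
        raise ValueError("no opening <?php tag found in wp-config.php")
    head, tail = text[: tag.end()], text[tag.end():].lstrip(" \t")
    if not tail.startswith(("\r\n", "\n")):     # keep the tag on its own line
        tail = "\n" + tail
    return head + "\n" + "\n".join(lines) + tail, added, skipped


def apply_rules_to_file(path: str, rules: dict = RULES):
    """Rewrite `path` in place; returns the same tuple as apply_rules()."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    new_text, added, skipped = apply_rules(text, rules)
    if added:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return new_text, added, skipped


if __name__ == "__main__":
    new_text, added, skipped = apply_rules(SAMPLE_WP_CONFIG)
    print("added:", added, "skipped:", skipped)
    print(new_text)
```

Because wp-config.php is read-only after the permission change above, restore write access for the owner before running apply_rules_to_file() and tighten it again afterwards.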
After testing the changes, push your staging site to the production site by using WP STAGING PRO or repeat the settings on the production site.
Wow, that was a lot of adjustments! Glad you made it to the end.
Now your website is excellently positioned in terms of security by choosing the right hosting provider, automatically creating a backup, and adapting the “iThemes Security” plugin.