Lock against code - WordPress security steps to take in 2018

Posted by & filed under List Posts.

Statistics garnered from analysis of tens of thousands of WordPress sites within the Alexa top 1 million suggest why hackers often choose WordPress to attack. Incredibly, the study from WP WhiteSecurity found that 70% of installations are vulnerable to hacking.

The researchers looked at the WordPress installation status and behavior of these WordPress sites in the four days following the release of WordPress 3.6.1 (replacing 3.6) on September 11, 2013. The researchers found that there were 74 different versions of the WordPress software being used. Four days following the release of WordPress 3.6.1, 30.95% of the websites (13,034 WordPress installations) were still running WP 3.6, which had known security flaws.

Five years later, many sites could still use help with security best practices. The below steps to harden WordPress in 2018 will discuss fast updating and other actions you can take to better protect your sensitive data.

Quickly update to new WP versions.

WordPress is open source, and it is frequently updated to patch security holes (as well as to fix bugs and add features). You typically do not need to worry about minor updates, because WordPress auto-installs them by default. However, when updates are classified as major versions, you will have to start the update process manually.

Beyond the core code, there are thousands of themes and plugins that you can attach to your site; these add-ons are developed by independent parties, and the most attractive ones are also updated regularly.

Updates are critical for your site’s security, as well as its stability. All components of your site should always reflect the most up-to-date version of the software.

Use a password manager, and strengthen your passwords.

If you can remember any of your passwords, or have reused one to log in to an account on another service, your password policy needs to change, noted Gerroald Barron of premium WP plugin firm iThemes. A strong password is long, unique (i.e., used for only one account), and randomly generated. If you are able to remember any of your passwords, they probably need to be strengthened. With a credible, well-maintained password manager, you can keep your account logins secure while still choosing random strings of characters (as you can do through Perfect Passwords).

A password manager can both generate passwords and securely store them via a browser extension. You then just need to know the master password for the password manager.

Utilize a web application firewall (WAF).

A web application firewall helps stop unauthorized or malicious traffic before it reaches your site.

Switch your WP salts and keys routinely.

Another important task brought up by Barron is regular replacement of salts and keys. WordPress stores data in the browser, as cookies, to verify anyone who logs in to the installation or leaves a comment. It is important that the login data stored in these cookies is encrypted so no one can view it after the fact. WordPress achieves that through the authentication salts and keys stored in the configuration file (wp-config.php). Rotate these on a regular basis. If you want, you can use a plugin to manage the process.
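The rotation described above, as an added example that is not part of the original article or of any plugin: a Python script that rewrites the eight salt and key defines in wp-config.php with fresh random values. It assumes the standard define('KEY', 'value'); form that WordPress ships; SAMPLE_CONFIG is a constructed stand-in for the real file.

```python
import re
import secrets
import string

# The eight constants wp-config.php defines for signing cookies and nonces.
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Letters, digits and punctuation that need no escaping inside a single-quoted PHP string.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?,.:;|~"

# Matches define('AUTH_KEY', '...'); in either quote style, with optional spacing.
DEFINE_RE = re.compile(
    r"^(?P<indent>[ \t]*)define\(\s*['\"](?P<key>" + "|".join(SALT_KEYS) + r")['\"]\s*,"
    r"\s*['\"][^'\"]*['\"]\s*\);",
    re.MULTILINE,
)

def random_salt(length=64):
    """Cryptographically random salt; `secrets` is the right source, not `random`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_salts(config_text, salt_factory=random_salt):
    """Return (new_config_text, {key: new_value}) with every salt define rewritten.
    Raises if any of the eight keys is absent, so a half-rotated file is never produced."""
    replaced = {}

    def replace(match):
        key = match.group("key")
        replaced[key] = salt_factory()
        return f"{match.group('indent')}define('{key}', '{replaced[key]}');"

    new_text = DEFINE_RE.sub(replace, config_text)
    missing = [k for k in SALT_KEYS if k not in replaced]
    if missing:
        raise ValueError(f"wp-config.php lacks salt definitions for: {missing}")
    return new_text, replaced

# Constructed stand-in for a wp-config.php fragment; a real file carries the same eight lines.
SAMPLE_CONFIG = "\n".join(
    [f"define( '{k}', 'put your unique phrase here' );" for k in SALT_KEYS]
    + ["$table_prefix = 'wp_';"]
)

if __name__ == "__main__":
    rotated, new_values = rotate_salts(SAMPLE_CONFIG)
    print(rotated)
```

To use it on a live site, read wp-config.php, pass its text to rotate_salts, and write the result back over a backup copy; every existing session cookie stops validating at that moment, so all users are signed out.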

Disable file editing.

WordPress has a built-in code editor that allows themes and plugins to be edited from the admin dashboard. This feature should be disabled so that no one who gains admin access can use it to insert malicious code.

To disable file editing, you need to insert a snippet of code yourself into the wp-config.php file:

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Strengthen user and admin logins.

Go beyond the use of strong passwords. You certainly want to change the administrative account name from admin to something else. The simplest way is to create a new user and assign it admin privileges; the original admin account can then be removed or downgraded to subscriber permissions.

Use two-factor authentication (2FA) for better security. With two-factor authentication, an additional token or code is sent to a secondary device, adding an extra layer of authentication beyond the password.

Limit the number of login attempts allowed. You can do this through a plugin. Some plugins will additionally ban the IP address of the user and send you a notification about the incident.

Finally, switch to a custom login page. You can prevent the vast majority of brute-force attacks by taking greater care with your username and password and by changing the login URL. Examples of changed URLs from Anushree Sen of Page Potato are as follows:

  • Change wp-login.php to my_new_login
  • Change wp_admin/ to my_new_admin
  • Change wp-login.php?action=register to my_new_registration.

Back up the WordPress database.

To improve your database security, create a backup at regular intervals. Backups may not seem like a security measure, but they are: they ensure you still have a clean copy of the data even if an attack succeeds, so you know you can recover after a disaster. Data should be backed up regularly, at least once per day. Secure cloud backup is a strong idea. Your hosting service could keep the backup safe in a distant physical location, for additional disaster preparedness.

Change your database table prefix.

Keeping the default prefix for your database tables makes SQL injection attacks easier to carry out, because the attacker already knows every table name. Change it to a hard-to-guess string of characters. The default prefix is wp_; you could change it to wp_38sjR94_, for instance. Whatever you choose, do not use your domain name as the prefix. To change the prefix, update the wp-config.php file. You can only use numbers, letters, and underscores.

Here is the adjusted line in code:

$table_prefix  = 'wp_38sjR94_';

Now go to your database, via phpMyAdmin. There, modify the name of the table so it matches what you put in the configuration file. If you use cPanel, you will see phpMyAdmin within it, in the Databases section. Once you are in, run this SQL query from WPBeginner to change the names with one action:

RENAME table `wp_commentmeta` TO `wp_38sjR94_commentmeta`;
RENAME table `wp_comments` TO `wp_38sjR94_comments`;
RENAME table `wp_links` TO `wp_38sjR94_links`;
RENAME table `wp_options` TO `wp_38sjR94_options`;
RENAME table `wp_postmeta` TO `wp_38sjR94_postmeta`;
RENAME table `wp_posts` TO `wp_38sjR94_posts`;
RENAME table `wp_terms` TO `wp_38sjR94_terms`;
RENAME table `wp_termmeta` TO `wp_38sjR94_termmeta`;
RENAME table `wp_term_relationships` TO `wp_38sjR94_term_relationships`;
RENAME table `wp_term_taxonomy` TO `wp_38sjR94_term_taxonomy`;
RENAME table `wp_usermeta` TO `wp_38sjR94_usermeta`;
RENAME table `wp_users` TO `wp_38sjR94_users`;

You may also have to add a few lines for plugins, since they sometimes create their own tables in the database. Your goal here is to adjust every table prefix, not just the core ones.
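To cover plugin tables without hand-editing the query, the statements can be generated from the output of SHOW TABLES. The script below is an added example, not from the article or from WPBeginner: it validates the new prefix against the letters-digits-underscores rule, renames every table that carries the old prefix, and also rewrites the wp_user_roles option and the prefix-dependent user-meta keys (wp_capabilities, wp_user_level), which otherwise leave every account, the administrator included, with no role. SAMPLE_TABLES is a constructed table list.

```python
import re

# The article's rule for a prefix: letters, digits and underscores only.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")

def validate_prefix(prefix):
    if not PREFIX_RE.match(prefix):
        raise ValueError("prefix may contain only letters, digits and underscores")
    return prefix

def prefix_change_sql(existing_tables, old="wp_", new="wp_38sjR94_"):
    """Build the statements that move every `old`-prefixed table, core and plugin alike,
    to `new`, then fix the option and user-meta keys that embed the prefix.
    `existing_tables` is the output of SHOW TABLES, passed in as a list."""
    validate_prefix(new)
    tables = sorted(t for t in existing_tables if t.startswith(old))
    if not tables:
        raise ValueError(f"no tables start with {old!r}")
    stmts = []
    for name in tables:
        target = new + name[len(old):]
        if target in existing_tables:
            raise ValueError(f"{target} already exists; pick another prefix")
        stmts.append(f"RENAME TABLE `{name}` TO `{target}`;")
    # Roles and capabilities are stored under prefix-dependent keys. Without these two
    # updates every account, the administrator included, is left with no role.
    like_old = old.replace("_", r"\_").replace("%", r"\%")  # '_' is a LIKE wildcard
    stmts.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';"
    )
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
        f"WHERE meta_key LIKE '{like_old}%';"
    )
    return stmts

# Constructed SHOW TABLES output: core tables plus one plugin table and one unrelated table.
SAMPLE_TABLES = ["wp_options", "wp_posts", "wp_usermeta", "wp_users",
                 "wp_myplugin_log", "unrelated_table"]

if __name__ == "__main__":
    print("\n".join(prefix_change_sql(SAMPLE_TABLES)))
```

Run the generated statements inside phpMyAdmin only after the wp-config.php change and a fresh database backup, since a mismatch between the two leaves the site unable to find its tables.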

Choose a secure host.

According to Sen, your choice of a secure WordPress host is the most important one you will make related to data protection. Your account could be hacked if you use a low-end shared hosting service. “[C]hoos[e] a reputable and trusted web-hosting service provider… who understands the risks of cross-contamination, segregates the website accounts and configures the security permissions of each account present in their WordPress-optimised environment,” noted Sen.

Are you in need of a secure WordPress environment? Turning to an experienced WordPress hosting provider allows you to leverage the niche expertise that comes from focusing on IT infrastructure. At Total Server Solutions, our data center is PCI-DSS compliant and SSAE-16 audited. See our commitment to the security gold standard.