Top 10 WordPress Security Tips

Written by Christian | Nov 12, 2024 9:19:07 PM

Securing a WordPress website is essential because WordPress, as one of the most popular content management systems (CMS) worldwide, is frequently targeted by cybercriminals. Its widespread use makes it attractive not only to legitimate users but also to hackers who aim to exploit vulnerabilities in websites for various malicious purposes, including data theft, spam, defacement, and malware distribution.

This vulnerability doesn’t stem from WordPress being inherently insecure; instead, it arises from a combination of factors such as the large user base, a rich ecosystem of plugins and themes (which may have varying levels of security), and common misconfigurations or outdated software versions.

A compromised WordPress site can lead to severe consequences: loss of sensitive data, diminished user trust, search engine penalties, and in some cases, even legal repercussions. Moreover, recovering from a cyberattack can be costly and time-consuming, especially if backups aren’t regularly maintained or security measures aren’t in place.

To safeguard your site, it’s crucial to conduct regular security checks and take proactive steps to prevent vulnerabilities from being exploited. These steps cover everything from basic best practices—like keeping software updated and using strong passwords—to more advanced methods, such as disabling unused features, configuring firewalls, and monitoring user activities.

By following these essential security checks, you can significantly reduce the likelihood of your WordPress site falling victim to attacks and maintain a safe, reliable experience for your users.

1. Update Core, Themes, and Plugins

Ensure WordPress core files, plugins, and themes are always up to date. Developers regularly release updates to patch vulnerabilities.

2. Strong Passwords and User Permissions

Use strong passwords for all users, especially administrators, and limit user permissions. Only grant necessary access to each role (avoid giving admin privileges unnecessarily).

3. Two-Factor Authentication (2FA)

Enable 2FA for user logins to add an extra layer of security.

4. Limit Login Attempts

Restrict the number of login attempts to prevent brute-force attacks. Many security plugins offer this feature, but my favourite it Wordfence which offers free and premium versions.

5. Change Default Login URL

Customise the login URL (e.g., from /wp-admin to something unique) to prevent automated login attacks.

6. Install a Security Plugin

Use a trusted security plugin like Wordfence, Sucuri, or iThemes Security, which offer features like firewall protection, malware scanning, and login security.

7. Enable Web Application Firewall (WAF)

A WAF protects against malicious traffic. Sucuri and Cloudflare offer WAF services that integrate with WordPress.

8. SSL Certificate

Ensure an SSL certificate is installed to encrypt data between your site and visitors, which also improves SEO and credibility.

9. Regular Backups

Schedule regular backups of your WordPress site. My favourite is UpdraftPlus which offers automated backups to Google Docs, Dropbox, MS OneDrive, Sharepoint and other platforms, but fundamentally it allows you to restore your site quickly and efficiently if it is compromised.

10. Disable File Editing

Disable file editing in the WordPress dashboard by adding this line in wp-config.php:

define( 'DISALLOW_FILE_EDIT', true );

This prevents users from editing theme and plugin files directly in the dashboard.

We'll that's my top 10, but here are a few bonus WordPress security improvements I highly recommend.

11. Set Correct File Permissions

Restrict file permissions for key directories:

wp-config.php should be set to 440 or 400.
Directories should generally be 755, and files should be 644.

12. Monitor and Scan Regularly

Run regular malware scans to detect any threats. Plugins like Wordfence and Sucuri provide on-demand and scheduled scans.

13. Remove Unused Themes and Plugins

Delete unused themes and plugins, as outdated or inactive plugins can be a source of vulnerabilities.

14. Hide WordPress Version

Remove WordPress version information from your site by adding this line to your theme’s functions.php file:

remove_action( 'wp_head', 'wp_generator' );

This makes it harder for attackers to target known vulnerabilities in specific WordPress versions.

15. Database Security

Change the default wp_ table prefix to something unique during installation or with a plugin if it’s an existing site.
Restrict access to your database to prevent SQL injection attacks.

16. Implement HTTP Security Headers

Use headers like Content Security Policy (CSP), X-Content-Type-Options, and X-Frame-Options to protect against cross-site scripting (XSS) and clickjacking attacks.

By conducting these checks and maintaining a proactive security approach, you can significantly reduce the risk of your WordPress site being compromised.

Disabling XML-RPC and securing the wp-json/wp/v2/users endpoint are essential steps to protect your WordPress site further from potential exploits and information leaks. Here’s how to implement these security measures:

17. Disable XML-RPC

XML-RPC can be exploited for brute-force attacks, DDoS, and other vulnerabilities. To disable it, you have a few options:

Using a Plugin: Many security plugins, like Wordfence and iThemes Security, offer an option to disable XML-RPC.

Manual Method (add to .htaccess): Add the following code to your .htaccess file to disable XML-RPC:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>

Functions.php Method:

Add this line to your theme’s functions.php file to disable XML-RPC programmatically:

add_filter( 'xmlrpc_enabled', '__return_false' );

18. Redirect or Block Access to `/wp-json/wp/v2/users`

The /wp-json/wp/v2/users endpoint in the WordPress REST API can expose usernames, which may lead to targeted brute-force login attempts.

Option 1: Redirect the Endpoint

To prevent access, redirect requests to the users endpoint back to the homepage. Add the following code to your theme’s functions.php file:

add_action( 'rest_api_init', function() {
    if ( !is_user_logged_in() ) {
        remove_action( 'rest_api_init', 'wp_oembed_register_route' );
        add_filter( 'rest_endpoints', function( $endpoints ) {
            if ( isset( $endpoints['/wp/v2/users'] ) ) {
                unset( $endpoints['/wp/v2/users'] );
            }
            return $endpoints;
        } );
    }
});

Option 2: Use .htaccess to Block the Endpoint

Another method is to block access via .htaccess:

# Block access to REST API Users endpoint
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/wp-json/wp/v2/users [NC]
    RewriteRule ^(.*)$ - [F,L]
</IfModule>

Option 3: Disable REST API for Non-Logged-In Users

If you don’t need the REST API for non-logged-in users, you can disable it entirely for them:

add_filter( 'rest_authentication_errors', function( $result ) {
    if ( !is_user_logged_in() ) {
        return new WP_Error( 'rest_cannot_access', __( 'REST API restricted to authenticated users only.' ), array( 'status' => 401 ) );
    }
    return $result;
});

By disabling XML-RPC and securing the REST API user endpoint, you reduce common attack vectors and enhance your WordPress site’s security.

View full post