Hardening your WP website
This article clarifies the significance of hardening of WP of your most valued website and how it saves your man-hours, money and avoiding the post-attack remedial measures.
Simply put, WordPress runs near about 28 % of the entire internet. Around 15,886,000 websites on the entire websites use WordPress. The concerned part is that only 22% of the WP sites are running with an updated version. More than 70% of the WP websites are vulnerable to hack-attacks.
Web Security will never be comprehensive. It’s all about the risk management. Risks will never be nullified, but can be prevented, unless you regularly follow the process of securing your WP website using the potential tools and tips.
Let’s see some of them in this article.
A. What does Hardening mean?
B. What makes WP a target for hackers?
C. How your WP website might be a potential Target for hackers to breach-in?
D. Ways to harden the security of your WordPress website
F. Your website is hacked, What next?
G. Wrapping up
(A) What does Hardening mean?
Providing different ways of protection in a computer device is called Hardening. A more secured computer system is called a hardened system. The protection will be in multiple layers, starting from the host level to the next level which is application level and then to the OS level and the user level and goes further to all the sub-levels.
(B) What makes WP a target for hackers?
About 28.6% of all the websites, used across the globe, primary uses WordPress platform.
Market share: WordPress – 59.4%, Others – 30.3%, Joomla – 6.8%, Drupal –4.7%
Latest report elucidates that WordPress based websites who are using “version 4” accounts to 92.7% – Survey by W3Techs.
A recent report by WP White states that most popular WP are vulnerable to attacks. There are totally 40000 popular WP out of which 73% of it are considered security threats.
Below are few stats, given for your understanding about the significance of hardening.
Nearly 15886000 websites in the internet world are using WP. There are near about 77 million WordPress.com blogs. Everyday 5000 new WordPress.com websites are launched. In 2014, it was estimated that totally 123,498,018 themes and more than 1 Billion plug-ins were downloaded from wordpress.org
The sad part to tell is that, only 22% of the entire WP websites are running on the latest version. The condition of more than 70% of the total WP websites are vulnerable and are prone to be hacked any moment.
The latest Update of WP is version 4.8.1. Download it @ https://wordpress.org/download/
(C) How your WP website might be a potential Target for hackers to breach-in?
As I have said before that, WP Security Hardening does not mean to nullify the threats from happening, but to take precautions and preventive measures to lock down your Word Press website to avoid vulnerabilities and getting hacked.
Securing one’s valuable website is the primary concern these days. The worst nightmare for a WP web-owner is to get his site hacked.
Don’t ever think that getting hacked will be highly unlikely. Hacks are very common and a frequent scenario these days. Your valued website may be hacked any moment now.
By following certain security practices and norms, your WP websites may not be a potential target. In section (E) the security practices are given for your guidance.
(D) Ways to harden the security of your WP website:
Let’s discuss about the key points straightly and the security practices for Hardening your WP website from any malicious attacks. Follow these steps systematically to tighten your security, thereby not giving any chance for the intruders.
- Update – Update the WP Core, WP Themes and WP Plug-ins regularly. Analyzing the threats, most usual cause for a WordPress hack-attack is due to an outdated component. The files when not updated regularly, are easily traced and becomes a potential target for the attackers.
- Install – Install the Plug-ins and Themes only from Trusted and reputed websites. Try using wordpress.org for installing plug-ins and themes, when you plan to download from a trusted site.
- Remove – Remove the unused Plug-ins and Themes. Even your WordPress websites need housekeeping. As you keep on installing newer plug-ins and themes, delete the older ones which are no longer needed. Inorder to detect the unused plug-ins used in your website, provided you are using many WP sites, it is advised to use a plug-in like Plugin Activation Status to conduct an audit and give results of the plug-ins which are no longer used and to be removed.
- Install – Install a WP Security Plug-in and run malware scan at periodical intervals. Try using iThemes security, Bulletproof security, All in one WP security & Firewall, Securi, Acutenix WP security, Wordfence Security plugin
- Backup – Periodically backup your WP website. Considering the online security, there is never 100%. It is recommended to do a backup on daily basis, provided there are multiple updates every day.
- Strengthen – Strengthen the Username and Password. The attacker easily tries numerous times to access your login page brutally by the use of different combinations of user login and passwords again and again. This is called Brute-Force attack. It’s wise to prevent such attacks by creating a very strong, complex, long and unique passwords using password generator. Absolutely avoid the use of username as “Admin”. By doing this, you are giving half the access in the hands of hackers making him to work on the password only.
- Hide – Hide your WP version. One good practice is to hide the version your sites’s WP being used, thereby you are not displaying the current version which creates a hurdle to the hackers.
- Use – Use Secure Protocols (HTTPS). Usually when you attempt to make a connection to a website, it is normally done through HTTP protocol. It is unencrypted. Also, your password will be sent in a simple text. Similar thing happens when you log into your database via “phpMyAdmin”. It is highly recommended to use HTTPS (secured http) which encrypts your connection and keeps your network protected from any intruders from snooping around.
- Implement – Implement Two Factor Authentication. It creates a double layer protection. By enabling 2FA, it requests for a second level of information which can be provided only by you and forms an additional security. It sends a code to your mobile phone to verify activity on a particular computer device. This makes harder for the attackers in an effort to steal your credentials, by logging from a different device.
- Limit – Limit the login attempts. Though we try to stop the brute-force attacks, many determined attackers will never rest, until they get what they want. Limit Login acts as a shield to protect from these multiple login attempts by restricting the number of logins and even black-lists their IDs. By doing this, you might lose your trusted customers. It will be wise to white-list the authenticated customers IDs alone.
- Check – Check File permission. The scheme of permission will be 755 and 644 folders. There a many ways to manage this change and also variations to these permissions which comprise to changing them to more restrictive. However these are the default advice given.To avoid unfavorable effects on the performance of your website, check with the host before making any permissions change.
- Move – Move “wp-config.php” file outside the web root folder. It is to be noted that the file “wp-config” contains the details of base configuration of your website. In a measure to protect your “wp-config.php” file from any intrusion, it is recommended that you add the below mentioned code to your “.htaccess” file to deny access to anyone snooping around for it:
deny from all
- Use – Use a Web Application FireWall (WAF). A WAF must be located at the web server layer as it is not usually available to the implementer. To add protection, a WAF plug-in can be utilized, which blocks the threats as listed in the top 10 chart of vulnerabilities.
- Use – Using Logs to detect and avoid attacks. Most of the WordPress admins completely neglect the web logs. They are a sensitive source of data. Web access log and error log are the two most significant logs which are available.
You may need to communicate with the hosting provider and request them for the location and to have access to these logs. It is to be noticed that few Hosting environments create many error logs in many directories on your sites and it all depends on error occurrence.
The access log contains more information than error log. If you are searching for any malicious activity, it is wise to start with error log, as it is written when a problem takes place.
- Use – Use SSH and SFTP. Never use old FTP. Ensure that you use a SFTP connection (secured FTP) everytime you connect to your server. This makes sure that the connection between your computer and the server is secured.
There are a few ways to connect.
FTP – This sends all the information in plain text so that anyone can see it as it is unencrypted. You may use any FTP client to communicate to your server via port #21.
SFTP – It is highly recommended that you connect to your server using SFTP. Many clients who support FTP also supports SFTP via port #22.
For better understanding consider referring the below links,
A Infographic will help you for better understanding.
(E) DIY (Doing It Yourself)
WP can be monitored, updated whenever needed and can be protected from the hackers. But the protection can be compromised by hackers at any moment, as they wait for single window of opportunity for an intrusion every second.
Hence, you have to be prepared for everything. DIY the security norms and practices, at regular cycles as suggested above for preventing hack attacks, and the post-attack remedial measures, as given below will keep your website on the healthy run.
(F) Your website is hacked, what next?
It is always advisable that the security experts does this part of work for you. But, understanding and gaining knowledge doesn’t harm anything. Following are some of the steps to cleanup the hack and get back on the track.
- When you come to know that your website is hacked, you would be in immense stress and tension, so I suggest you calm down a bit and execute this process before it reaches any further.
- Always use different login password before and after the cleanup.
- Identifying the hack. There are a few ways to verifying and ask for the hosting company for assistance. 1)Are you able to login to your WordPress admin panel?. 2)Check if your WP site is getting directed to another site?. 3)Whether your WP website contains any unauthorized links? 4)See to that your website is marked insecure by Google.
- Restore from Backup. Its wise to take backup of your site daily or at regular periods, provided you are posting a new content or making any alterations in your website. By doing this, it will be easy to restore your valuable website from the backups done by you, from the archives.
Consider that you are having an automated backup which is scheduled, and if your site is hacked, try to recover your website by using the backup files available, one day/week/month before the actual attack happened. In case you are not good at taking backups, you may contact your host and request them for a backed up copy of your website. Many good hosts take systematic backups and updates.
- The Host: Initiate by making a contact to your host and follow their guidelines. If you are shared hosting, then probabilities are more for the other sites also to get affected. In that case, you might be fortune enough that the host themselves might cleanup the hack for you. Consider the attack happening from the server side, under regular circumstances, the web host must help you in restoring your websites.
- Malware scan and elimination of the hack: One of the common locations, where hacker hide their backdoor is in the inactive WP Plug-ins and themes. So run a scan and check your WordPress website for any inactive or outdated plugins and themes and delete the same. Uploading the backdoor at the first thing is what many talented hacker do. Run the security scan for the removal of the hack and the result projects the hiding locations of the hacks. Some of the most usual locations where the hacks normally hid are ” wp-includes”, “.htaccess” file, “wp-config.php”, “themes” and “plug-in” directory,”upload” directory.
- User permission check
Checking the user permissions of all your WordPress users is recommended. Ensure that the admin accounts are accessed by you and your team. Also it should not affect other user’s permission.
Try removing immediately if any suspicious new users are identified.
- Alter your keys:
Ensure that you alter the login passwords in accordance with your WP website which includes your WP dashboard password, FTP, cPanel, My SQL database and any others that might give an access for an intrusion to your website.
Its highly recommended to use a password generator to make sure that the password is long, unique, strong for a hacker, making it a tougher job to crack it using brute-force.
Try using ithemes security plugin for ensuring your WP site being secured by changing you secret keys and salt.
Having followed these steps, the hack has being cleaned and that your WordPress website is secured. Don’t ever think that the hackers wont try an attack again. The security of WordPress is a continuous process and those with a cruel intent will never cease to make an intrusion to your website.
(G) Wrapping up
Always remember that Security is an ongoing process and you can’t completely nullify the vulnerability. Having said that, you can’t just stare at your website, being crushed by some stranger. Yes, I understand how it aches you. By periodically adhering to the security norms and practices of hardening of WP, you possibly can avoid the hackers from breaching into your website.
WP is a very popular CMS and knowledge about its security is widely available. Be aware of all the security practices and apply them in your workforce. All these can be attained only if You take efforts. So simply said “SEC_RITY” will be imperfect without “U”.
Owning a WordPress site is mere a very easy thing, but the real difficulty comes it comes to safety. Its high time that YOU take security seriously and learn all the norms and practices to prevent any intrusions.
In this blog of the tightening of WordPress,
We are pretty sure that you would have gained ample information relating to WordPress vulnerabilities and its prevention techniques.
Hope you found it very resourceful.
We have suggested what we knew.
I’m also sure that you would have many personal experiences, hardening the WordPress.
If you feel that we have forgot to mention some suggestions, feel free to express yourself by sharing us all your thoughts,ideas by commenting us.
How do you Harden the WordPress?.