Security Hardening Checklist

What are the steps to harden your WordPress website?

• Use HTTPS to secure your website

  Everything you do online flows through the network and wire cables. Between the browser and the server, HTTP sends data as plain text. As a result, anyone with access to the network connecting the server and the browser can see your unencrypted data. You risk exposing important data to attacks if you don’t secure your connection. With HTTPS (AKA: SSL) your data will be encrypted so that even if an attacker gains access to your network, they will not be able to read the data transmitted.

  Apart from the fact that SSL is a smart security practice, Google requires the use of SSL on websites. Instead of the nice green lock that signifies a website runs on HTTPS rather than HTTP, it tends to penalize websites by displaying “Not secure” in the browser.

• Use strong passwords at all times

  Weak or pwned passwords are the most common way hackers get access to websites. You’ll be vulnerable to brute-force attacks as a result of this. To keep your account secure, use at least 8 characters in your password, including one number, one uppercase letter, one lowercase letter, and one special symbol. Passwords should not contain the names of your family, friends, or pets. Postcodes, house numbers, phone numbers, birthdates, ID card numbers, social security numbers, and other personal information should not be used as passwords. In your passwords, avoid using any dictionary words. Also, do not use two or more passwords that are almost identical in terms of characters.

• On the Login and Registration Form, enable CAPTCHA

  You’ve already made life harder for hackers by securing your website with HTTPS and employing strong passwords. However, adding CAPTCHA to login forms will make it even more difficult. CAPTCHAs are a great tool to prevent brute-force attacks on your login forms.

• Set up two-factor authentication (2FA)

  Yes, you are better protected with strong passwords and CAPTCHAs on login forms. But what if hackers used surveillance techniques and videotaped you typing your website’s password? Only two-factor authentication can keep your website safe from hackers once they know your password.

• Maintain the latest versions of WordPress and its plugins

  Vulnerabilities in the WordPress core and plugins arise frequently, and when they do, they are discovered and reported. To prevent websites from being hacked due to known and reported flaws in files, make sure to upgrade your plugins to the most recent version.

  Switching to automatic updating is not recommended since it may cause your websites to malfunction without your notice. However, because these updates include security patches for the core, I strongly advise you to enable WordPress core minor updates by adding this line of code to wp-config.php.

  define( ‘WP_AUTO_UPDATE_CORE’, ‘minor’ );

• Disable WordPress's file editing

  The ability to change files from the admin backend is a well-known feature of WordPress. Developers use SFTP and rarely utilize this, thus it’s not really necessary.

• WordPress version should be hidden

  WordPress automatically inserts a comment in the HTML of the page with the WordPress version. It also provides the attacker with the WordPress version you have installed. 

• Install a firewall for WordPress

  A web application that runs on a website and examines all incoming HTTP requests is known as a firewall. It uses advanced logic to screen out requests that could pose a security risk. To block requests, one can add their own rules to the firewall’s built-in rules. SQL injection is one of the most popular kinds of attacks.

  Let’s say you’re unaware that a WordPress plugin you’re using is vulnerable to SQL injections. Even if the attacker is aware of the plugin’s security issue, he will be unable to hack the website if you use a firewall. This is because requests containing SQL injections will be blocked by the firewall.

• Set up an SSL certificate

  SSL is a method of securely transmitting data from a user to a server and back over an encrypted connection.

  Apart from the fact that it is a smart security practice, Google requires the use of SSL on websites. Instead of the nice green lock that signifies a website runs on HTTPS rather than HTTP, it tends to penalize websites by displaying “Not secure” in the browser.

• Prevent PHP from running in untrusted folders

  You should understand that PHP is a scripting language used in web development. A PHP function is a section of code in a program that can be invoked to complete a specific purpose. Your WordPress website is then made up of files and folders. Only a few files and folders, however, make use of PHP functions. Once a hacker has gained access to your website, they can build new folders or install their own PHP routines into existing ones.

  You can prohibit the execution of PHP functions from any unknown folder to prevent such a hack. You can also disable PHP executions in places where they aren’t required.

• Change security keys

  WordPress remembers your login credentials so you don’t have to type them in each time you want to log in. But the fact that it’s encrypted is crucial. 

  If the information is saved in plain text, a hacker can simply read it. If the information is encrypted, it will seem as random text, which they will be unable to use. Security keys and salts are used by WordPress to encrypt the data. To put it another way, keys are random variables that encode your admin username and password, while salts aid to improve the encryption one step further.

  If hackers gain access to your security keys and salts, they can decrypt the encrypted data and gain access to your account. It is recommended that you change your old keys and salts on a regular basis.

• Make sure your computer is malware-free

  Your website security is affected by the computer you use, as well as by the WiFi you utilize. If you have a keylogger on your computer, it’s pointless to harden WordPress because you’ve already given a hacker your login credentials.

• Use SFTP

  Consider using SFTP instead of FTP to transmit files to your server. It transfers files in a similar manner, however it does so via SSH. Data is encrypted and cannot be read while in transit. In addition, both the user and the server must be authenticated while using SFTP.

  As a result, SFTP is becoming the new standard, and FTP is being phased out. Because the configuration is nearly identical, there’s no reason to stick using the legacy protocols.

• Make sure you're using a trusted web hosting service

  There’s not much you can do if your web host isn’t doing their part to keep their servers safe. 

  Servers are vulnerable to attacks of all kinds, not just digital ones. Are the servers, for example, in a physically secure location? Is it possible for a hacker to obtain access to the room and steal information this way? These are crucial factors to consider, but a website administrator has limited control over them.

  So, what are your options? Choose a reliable web host. A quality web host is open about their methods and will detail the steps they take to keep their servers safe from hackers.

• Hide login page

  Anyone with a basic understanding of WordPress can access the backend by putting /wp-admin/ at the end of the URL. This will bring them to the WordPress login page. 

  Some people would try to get around the login page by using bots. They will know your account’s username based on the author URL. They’ll need a password after that. The software will be used for guessing passwords. You can password encrypt or hide the WordPress admin directory to secure your website from attackers.

• HTTP headers

  HTTP security headers are a type of security precaution that helps your website’s server to detect and mitigate some common security issues before they have an impact on your website.

  When a user accesses your website, your web server responds with an HTTP header response to the user’s browser. Error codes, cache control, and other statuses are communicated to browsers via this response.

  HTTP 200 is the status code for a standard header response. The user’s browser then loads your webpage. If your website is experiencing issues, your web server may transmit a different HTTP header.

  HTTP security headers are a subset of these headers that protect websites from typical threats such as clickjacking, cross-site scripting, brute force attacks, and more.

• Auto Redirects

  Compromise of files to cause the website to automatically redirect users to a different address is a frequent attack vector used against WordPress websites. Malicious redirection is the term for such an attack.

  A hacker will use malicious redirection to send visitors from your website to a different website. Your visitors may be exposed to malware, advertising spam, or phishing attempts after being redirected.

  Always maintain a security plugin running on your site to avoid this. These plugins will scan your site and keep an eye on it. This way, you’ll be notified right away if there’s any unusual behavior. Also, install a firewall and utilize WPForms, which comes with built-in spam protection. Consider switching to a secure hosting provider and keeping a backup copy of your website.

• Cookie / session expiration

  If users (or even ourselves, as publishers/admins of a blog) forget to log out after working on our website, we risk another user seeing something they aren’t supposed to see. Especially if we’re sharing a computer.

  Installing an inactive logout plugin, which automatically terminates idle user sessions and protects the site if users leave unattended sessions, is the solution.

• X-frame-options

  Attackers may try to steal information by embedding one website inside another. Modern web browsers can read an X-Frame-Options header to see if an embed is allowed, preventing your website from being embedded inside another.

  WordPress enables this header by default on the admin and login pages, but everything else is up to you. Because the default WordPress behavior doesn’t secure the front-end of your site, you’ll need to protect items like forms and login pages that aren’t in your WordPress admin.

  To begin, go to your WordPress dashboard and log in. The Security Headers plugin should then be installed and activated.Hover over Settings, then click HTTP Headers on the left side menu to view the plugin’s options. Enable the checkbox labeled Restrict Framing of Main Site to enable the X-Frame-Options header.

• X-Powered-By

  The X-Powered-By header provides details on the Web Server’s technology. This is another piece of information that you should hide from public view if you use common values like ASP.NET or PHP/5.4.0.

  In order to prevent PHP from revealing that it is installed on the server by adding its signature to the webserver header, you must locate and disable the expose_php variable in php.ini.

• Feature Policy

  Feature Policy can help secure your site from third-party APIs that have security and privacy implications, and also from your own team adding outdated APIs or uploading images that aren’t optimized.

  The aim of Feature Policy is for us, the marketers, project managers, and web developers, to be able to directly indicate to the browser how we use a web platform feature. By doing so, we are agreeing to use, or not use, this feature. The browser can then take action to disable specific features or notify us that a feature it didn’t expect to see is being used.

  The browser needs to know two things in order to use Feature Policy: which feature you’re setting a policy for and how you want that feature to be handled.

• Directory Indexing

  When your webserver can’t find an index file (such as index.php or index.html), it displays an index page that lists the contents of the directory by default. This could expose your site to hack attacks by providing crucial information needed to exploit a vulnerability in a WordPress plugin, theme, or your server as a whole. This is why directory browsing in WordPress must be disabled.

  All you have to do to disable directory browsing in WordPress is add a single line of code to your site’s .htaccess file, which is located in the root directory of your website. To modify the .htaccess file, you’ll need to use an FTP client to connect to your website.

  Once you’ve connected to your website, look for a .htaccess file in the root directory. Because .htaccess is a hidden file, if you can’t find it on your server, make sure your FTP client is set to show hidden files.

  Download your .htaccess file to your desktop and open it in a text editor like Notepad to edit it. Now, simply add the following line at the bottom of your WordPress generated code in the .htaccess file:

  1 |   Options  -Indexes

  Save your .htaccess file and use your FTP client to re-upload it to your server. And that’s it. 

   

   

  You’ve got everything you need to keep your website safe. Take the time to go over this checklist step by step, even if you only have a small WordPress site. Make sure you don’t spend time and effort creating a great website only to have it hacked by a WordPress-targeted attack. Applying the various hardening strategies outlined, you’re making it much more difficult for an attacker to acquire a foothold and successfully attack your WordPress website.

   

  If you have any other questions don’t hesitate to contact us.

   

  For more checklists, you can visit our resources page.