Preventing Most Common WordPress Security Issues - Part 2


In our previous article, we told you 10 ways to make your website a difficult target for hackers. Now we’ll show you 10 more advanced methods to improve the results.

Keep in mind that strengthening your website security is way easier than restoring an already hacked site. That’s why you need all the tips and tricks to bring your site as close as possible to the impossible ideal of a perfectly secured website.

Here’s what you need to do next:

11. Limit access to your login page

A reliable way to block attacks on the login page is to restrict access to wp-admin and wp-login.php by IP address. This method is recommended only if you connect from one or several static IP addresses, otherwise you will lock yourself out whenever your address changes.

You can do it by adding the following code to your .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine on
# match the login page and everything under wp-admin (with or without a trailing path)
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$
# keep admin-ajax.php reachable: some themes and plugins call it from the public front end
RewriteCond %{REQUEST_URI} !admin-ajax\.php
# whitelist your IP addresses (escape the dots, e.g. !^203\.0\.113\.10$)
RewriteCond %{REMOTE_ADDR} !^Your IP1$
RewriteCond %{REMOTE_ADDR} !^Your IP2$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Replace Your IP1 and Your IP2 with the IP addresses that should keep access, one RewriteCond line per address. Because the match is a regular expression, escape each dot in the address (for example 203\.0\.113\.10), otherwise the dot matches any character.

12. Secure the wp-config.php file

The wp-config.php file contains the most valuable data about your site (database credentials and the authentication keys and salts), so it is very important to secure it. There are two ways to hide wp-config.php from hackers.

  1. WordPress also looks for wp-config.php one directory above the WordPress root, so you can simply move it there, outside the web-accessible directory tree.
  2. If your server supports .htaccess, you can add the following code to it:

<Files wp-config.php>
# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
order allow,deny
deny from all
</Files>

13. Disabling directory browsing

If directory browsing is enabled, hackers can learn important information about your site: which plugins and themes are installed, your directory structure, and they can copy images and other files directly. For example, they can check whether you use a plugin or theme with known vulnerabilities.

This is why we highly recommend disabling directory browsing to stop hackers from getting valuable information.
You can do it by adding this line to your .htaccess file:

Options All -Indexes

Or you can add an empty index.html file in each directory and subdirectory except the root.

14. Set up file and directory permissions

Files and directories have permissions that specify who can read, write, and modify them. If your website uses shared hosting, wrong file permissions can give another user access to your files. Please make sure that you don’t have a file with 777 permission.

Here is a recommendation for file/directory permissions:

755 or 750 for all directories
644 or 640 for files
600 for wp-config.php

You can read more about file/directory permissions here.
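To turn the recommended 755/750, 644/640 and 600 scheme into a repeatable check, here is an added example audit script; it is not part of the original article or of 10Web's software. It walks a WordPress directory without following symlinks, reports every entry whose mode deviates from the scheme, and always flags world-writable entries such as 777. The demo tree it builds is constructed for illustration, with three deliberate mistakes.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Optional

# Recommended modes from the article: 755/750 for directories, 644/640 for
# ordinary files, 600 for wp-config.php. Anything world-writable (e.g. 777)
# is reported regardless of which recommendation it violates.
DIR_MODES = {0o755, 0o750}
FILE_MODES = {0o644, 0o640}
WP_CONFIG_MODES = {0o600}


def check_mode(path: Path, st_mode: int, root: Path) -> Optional[str]:
    """Return a finding for `path` if its mode deviates from the scheme, else None."""
    perm = stat.S_IMODE(st_mode)
    rel = path.relative_to(root).as_posix()
    if stat.S_ISDIR(st_mode):
        kind, allowed = "directory", DIR_MODES
    elif path.name == "wp-config.php":
        kind, allowed = "wp-config.php", WP_CONFIG_MODES
    else:
        kind, allowed = "file", FILE_MODES
    if perm & stat.S_IWOTH:  # "other" write bit: any user on the host can modify it
        return f"{rel}: {kind} is world-writable ({perm:o})"
    if perm not in allowed:
        expected = "/".join(f"{m:o}" for m in sorted(allowed, reverse=True))
        return f"{rel}: {kind} mode {perm:o}, expected {expected}"
    return None


def audit_permissions(root) -> List[str]:
    """Walk a WordPress tree (not following symlinks) and list all deviations."""
    root = Path(root)
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        filenames.sort()
        paths.extend(Path(dirpath) / name for name in dirnames + filenames)
    findings = []
    for path in paths:
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode is meaningless; its target is audited in place
        finding = check_mode(path, st.st_mode, root)
        if finding:
            findings.append(finding)
    return sorted(findings)


def build_demo_site(base: Path) -> Path:
    """Create a small constructed WordPress-like tree with three deliberate mistakes."""
    site = base / "site"
    layout = {
        ".": 0o755,
        "wp-config.php": 0o600,
        "index.php": 0o644,
        "wp-content": 0o755,
        "wp-content/plugins": 0o755,
        "wp-content/plugins/hello.php": 0o666,  # world-writable file
        "wp-content/uploads": 0o777,            # world-writable directory
        "wp-content/debug.log": 0o664,          # group-writable, outside 644/640
    }
    for rel, mode in layout.items():
        p = site / rel
        if rel.endswith((".php", ".log")):
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("<?php // constructed placeholder\n")
        else:
            p.mkdir(parents=True, exist_ok=True)
        p.chmod(mode)
    return site


def demo() -> List[str]:
    """Build the constructed tree in a temporary directory, audit it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_permissions(build_demo_site(Path(tmp)))


if __name__ == "__main__":
    for line in demo() or ["no findings"]:
        print(line)
```

Run it against a real installation with `audit_permissions("/path/to/wordpress")`; on shared hosting, also compare the owner of each file with the account PHP runs as, which this script does not check.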

15. Disable XML-RPC in WordPress

XML-RPC allows you to connect your WordPress site to web and mobile apps, but it also increases the effectiveness of brute force attacks: a hacker can make 100 different login attempts with one XML-RPC call.

If you don’t use XML-RPC, disable it. You can do it by adding the following code to your .htaccess file:

<Files xmlrpc.php>
# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
order deny,allow
deny from all
</Files>

Or you can install this plugin.
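If you cannot disable XML-RPC (some mobile apps and Jetpack need it), you should at least be able to spot the brute-force pattern described above in your access logs. The following detector is an added example, not code from the article or from 10Web: it parses Apache combined-format log lines, counts POST requests per source IP to xmlrpc.php and wp-login.php inside a sliding five-minute window, and raises an alert when a threshold is exceeded. The thresholds, the window and the sample log lines are constructed assumptions; xmlrpc.php gets a much lower threshold because, as the article explains, one request to it can carry many login attempts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Apache "combined" log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Per-IP POST thresholds within one window (illustrative assumptions, not
# values from the article). A single xmlrpc.php request can bundle many login
# attempts, so it tolerates far fewer requests than wp-login.php.
THRESHOLDS = {"/wp-login.php": 20, "/xmlrpc.php": 5}
WINDOW = timedelta(minutes=5)

# Constructed sample log: 198.51.100.7 hammers xmlrpc.php, 203.0.113.9 makes a
# few ordinary login attempts, 192.0.2.1 only issues a GET, last line is junk.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2018:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2018:10:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2018:10:00:17 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2018:10:00:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2018:10:00:45 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2018:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2018:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2018:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2018:10:03:10 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.1 - - [10/Mar/2018:10:05:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.58.0"
this line is not a valid access-log entry
"""


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, str]]:
    """Return (ip, timestamp, method, path without query string), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path


def max_hits_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bruteforce(lines, thresholds=THRESHOLDS, window=WINDOW) -> List[Tuple[str, str, int]]:
    """Return (ip, endpoint, peak count) for each source exceeding an endpoint's threshold."""
    hits: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not in combined format
        ip, ts, method, path = parsed
        if method != "POST":
            continue  # login attempts are POSTs; a GET to xmlrpc.php only yields an error page
        for endpoint in thresholds:
            if path.endswith(endpoint):  # also matches installs in a subdirectory
                hits[(ip, endpoint)].append(ts)
    alerts = []
    for (ip, endpoint), times in hits.items():
        peak = max_hits_in_window(times, window)
        if peak > thresholds[endpoint]:
            alerts.append((ip, endpoint, peak))
    return sorted(alerts)


if __name__ == "__main__":
    for ip, endpoint, peak in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ip}: {peak} POSTs to {endpoint} within {WINDOW}")
```

Feed it a real log with `detect_bruteforce(open("/var/log/apache2/access.log"))`; the IPs it reports are candidates for the .htaccess block above or for a firewall rule, and the xmlrpc.php alerts are a good indicator that the endpoint should simply be disabled.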

16. Disable file editing

WordPress has a built-in code editor which lets you edit your theme and plugin files from the WordPress dashboard. If a hacker somehow obtains admin access to your website, he or she can use it to edit plugin and theme files and plant arbitrary PHP code. It is safer to disable the file editor and work on files via FTP.

You can do it by adding the following line of code in the wp-config.php.

// Disallow file edit (use straight quotes; curly quotes are a PHP syntax error)
define( 'DISALLOW_FILE_EDIT', true );

17. Hide PHP errors

We always enable PHP error reporting during the website development process because we need it for debugging. Don’t forget to disable error reporting after releasing the website, because error messages can contain valuable information for hackers. For example, they can get your server path.

You can disable WordPress debug mode by adding this code to wp-config.php. Note that WP_DEBUG only controls WordPress's own reporting level; make sure display_errors is also turned off in your PHP configuration so that errors raised outside WordPress are not shown to visitors either.

define( 'WP_DEBUG', false );

18. Hide the WordPress version number

WordPress adds a meta tag which contains info on the WP version to the site head section. For example:

<meta name="generator" content="WordPress 4.9.4" />

It’s especially dangerous if you use an old version which has known vulnerabilities. Hackers crawl the net to find websites which run vulnerable WordPress versions, and your site can become an easy target.

This line removes that unnecessary meta tag:

remove_action('wp_head', 'wp_generator');

Just add it to your theme’s functions.php file.

19. Disable trackbacks and pingbacks

Pingbacks and trackbacks notify that your content has been mentioned on another website. You can read more about that WordPress feature here.

Hackers can use trackbacks and pingbacks to organize massive DDoS attacks and to post spam comments on your posts, so it is better to disable that function: go to Settings -> Discussion and uncheck the “Allow link notifications from other blogs (pingbacks and trackbacks) on new articles” option.

20. Use 10Web

Following all of the abovementioned advice will make your website pretty secure. And yet, you can never be 100% sure. Even the security of tech giants from Silicon Valley with large security departments keeps getting compromised. So, besides preventive actions, you are going to need options for tracking all the changes and reversing them, if needed. That is one of the perks of 10Web security service. Overall, the service includes:

  • Scanning your WordPress core, plugins, and themes for vulnerabilities;
  • File changes scanning and comparing the changed files to the originals;
  • Restoring original files in case there’s something wrong with the changed version;
  • As long as your 10Web subscription is active, the number of scans is unlimited;
  • You can schedule regular automatic scans to save your time.

Our software constantly scans your site for vulnerabilities and malware. It tracks the changes in all the files you store and lets you restore their earlier versions. That way you get to spend your valuable time on the development of your website, instead of manual security checks.

Are there any security tricks we missed that you want to add? Let us know in the comments!

Sergey Markosyan