
Best Practices to Secure WordPress Websites
- October 4, 2019
WordPress websites face many security issues, and a large share of them trace back to common mistakes developers make while building the site: the basic steps needed to secure it are skipped, and the result is serious hacks and vulnerabilities. Security plays an important role in every field of work. Developers should consider the following steps while developing a website, both for better security now and to protect the site from future attacks.
Plugin Issues
- Always keep plugins updated to resolve security issues; new releases include security fixes.
- Never use nulled (pirated) plugins or add-ons. They are a common source of security issues.
Stop User Enumeration (Prevent Your Website from Exposing Usernames)
- By default, a WordPress installation is not configured to block user enumeration.
- User enumeration means exposing usernames to attackers: it is a technique by which an outside party can discover the usernames used to log in. The discovered usernames are then commonly used in brute-force password attacks.
- You can follow the steps below to stop user enumeration:
- Two-factor authentication: implementing this adds an extra layer of security during login. Apart from a username and password, you will need to enter a one-time passcode sent via SMS to your phone, or answer security questions, to log in to the site. Several plugins, such as Two-Factor Authentication, Google Authenticator and Google Invisible reCAPTCHA, are available to implement this feature effectively.
- Limit login attempts: you can restrict a user from attempting to log in again and again. For this you can use the plugin Limit Login Attempts, which lets you restrict users at different levels.
- Login URL (/wp-login.php)
- By default the WordPress login URL is exposed to everyone on the internet and is the same on every site, so it should be changed. The Rename wp-login.php plugin lets you choose a login page name of your own and blocks the standard wp-login.php page. After activating this plugin you are redirected to the Permalinks settings page, where you can enter your own name for the login page instead of wp-login.
- Since WordPress 4.5, user data can also be obtained without logging in through REST API calls (http://example.com/wp-json/wp/v2/users). This is a WordPress feature, but it should be disabled. The code below hides the users list and returns a 404 for it, while the rest of the API calls keep working as before.
```php
add_filter( 'rest_endpoints', function( $endpoints ) {
    // Remove the collection endpoint that lists all users.
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    // Remove the single-user endpoint (/wp/v2/users/<id>) as well.
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );
```
- Stop displaying usernames under posts, on author archives and in author widgets. Always show the first or last name instead.
- Don’t keep “admin” or “super admin” as the username. Use a unique username.
Prevent SQL Injection and URL Hacking
- Many of today’s attacks on websites are carried out through some form of SQL injection. In a SQL injection attack, the attacker embeds commands, whether in the URL or in user input such as a comment box, to trigger a particular behaviour in the database. This can be used to insert data into the database or to modify existing data.
- To prevent this, validate input data in JavaScript as well as in PHP on the server. It can also be managed by adding code snippets to the .htaccess file on Apache web servers.
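The following is an added example, not code from the original post, showing what server-side validation in PHP looks like in a WordPress plugin: a query that concatenates user input is shown next to its hardened form, which validates the value and binds it through $wpdb->prepare(). The orders table and the email request parameter are assumptions made up for the example.

```php
<?php
// Added example (not from the original post). Assumes a hypothetical table
// {$wpdb->prefix}orders with columns id, total and customer_email.

// VULNERABLE: the value is pasted straight into the SQL string, so a crafted
// value can change the meaning of the query (classic SQL injection).
function find_orders_unsafe( $customer_email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'orders';
    $sql   = "SELECT id, total FROM {$table} WHERE customer_email = '{$customer_email}'";
    return $wpdb->get_results( $sql );
}

// HARDENED: validate the shape of the input first, then bind it as a parameter.
function find_orders_safe( $customer_email ) {
    global $wpdb;

    // Server-side validation: anything that is not an e-mail address is rejected.
    // Client-side JavaScript checks are a convenience only and can be bypassed.
    $customer_email = sanitize_email( $customer_email );
    if ( ! is_email( $customer_email ) ) {
        return new WP_Error( 'invalid_email', 'Invalid e-mail address.' );
    }

    $table = $wpdb->prefix . 'orders';
    // %s is escaped and quoted by $wpdb->prepare(); the value can never close the
    // string literal or append a second statement. %d is cast to an integer.
    $sql = $wpdb->prepare(
        "SELECT id, total FROM {$table} WHERE customer_email = %s LIMIT %d",
        $customer_email,
        100
    );
    return $wpdb->get_results( $sql );
}

// Values read from the URL get exactly the same treatment before they are used.
function orders_from_request() {
    $email = isset( $_GET['email'] ) ? wp_unslash( $_GET['email'] ) : '';
    return find_orders_safe( $email );
}
```

The same pattern applies to any value that reaches a query, whether it comes from the URL, a form field or a comment: validate it against the format you expect, then let $wpdb->prepare() handle the quoting rather than building the SQL string by hand.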
Set a Unique Database Table Prefix
- Always set a unique table prefix in the database, because automated scripts that target the WordPress database aim for the default table names during their attacks.
Deny Access to Sensitive Files and Directory Indexes in WordPress
- Deny access to sensitive files such as wp-config.php, install.php, readme.html and xmlrpc.php.
- Access to these files can be blocked by adding the following code to the .htaccess file:
```apache
# Apache 2.2 access-control syntax (Apache 2.4 uses "Require all denied").
# With "Order Deny,Allow" the Deny is evaluated first and a matching Allow
# overrides it, so an uncommented Allow line lets that address through.
<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|license\.txt|bb-config\.php|xmlrpc\.php)">
    Order Deny,Allow
    Deny from all
    #Allow from 88.77.66.55
</FilesMatch>
```
- The code above denies access to every file matched by the pattern. You can still allow access from a specific IP address by uncommenting the Allow line (Allow from 88.77.66.55 in the example).
- Disable directory listings for paths such as /wp-content/plugins.
- Listing of the plugins directory should be disabled because it reveals which plugins are installed on your website.
- Add the following line to your .htaccess file:
```apache
Options -Indexes
```
Hide the WordPress Version
- The WordPress version should not be shown publicly, because revealing it makes it easy to match the site against the security issues known for that version.
- Disable readme.html, because your WordPress version can be read from this file. You can block it with the .htaccess code shown above.
- Remove the WordPress version from styles and scripts.
- Place the following code in your theme’s functions.php file. It removes the version parameter from the URLs of the styles and scripts used in your theme.
```php
function _remove_script_version( $src ) {
    // Strip the ?ver= (or &ver=) query argument WordPress appends to enqueued
    // asset URLs; remove_query_arg() handles it wherever it sits in the query.
    return remove_query_arg( 'ver', $src );
}
add_filter( 'script_loader_src', '_remove_script_version', 15, 1 );
add_filter( 'style_loader_src', '_remove_script_version', 15, 1 );
```
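Stripping the version from asset URLs is only part of the job: WordPress also prints its version in a generator meta tag in the page head and in the site’s feeds. The snippet below is an added example, not code from the original post, that goes a step further than the text and removes those two outputs as well; it only uses the standard wp_head action and the_generator filter, so it belongs in the same functions.php.

```php
<?php
// Added example (not from the original post): remove the remaining places
// where WordPress advertises its version number.
function hide_wp_version_outputs() {
    // <meta name="generator" content="WordPress x.y"> printed into <head>.
    remove_action( 'wp_head', 'wp_generator' );

    // The generator element in RSS/Atom feeds and any other call to
    // the_generator(); returning an empty string suppresses it entirely.
    add_filter( 'the_generator', '__return_empty_string' );
}
add_action( 'init', 'hide_wp_version_outputs' );
```

Together with the script and style filter above, this leaves the version out of the HTML head, the asset URLs and the feeds; readme.html still has to be blocked at the web server as described earlier.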
Switch Off Debugging
- Set WP_DEBUG to false, because with debugging enabled the error messages reveal file paths (for example “error in this file on line #”).
- Add this line to your wp-config.php file to disable debugging:
```php
define( 'WP_DEBUG', false );
```
Written By: Waleed Tariq