WordPress Security – Protect your WordPress website from hackers
You may have heard about the huge attacks that millions of WordPress websites have suffered in early September, you even may have been affected. We’re going to explain all you need to know – how to protect your WordPress website and to restore your website, in this complete guide.
These sorts of attacks aren’t new. In fact, hackers target WordPress websites more often than you might imagine, with over 90,000 attacks happening every minute! While WordPress attacks are becoming more and more common, fortunately there are many steps you can take to secure your website against attacks and malicious activity.
In this blog post we aim to guide you through everything related to WordPress security – from understanding why WordPress sites are hacked, to how you can secure your website, and even how you can fix a hacked WordPress website. Following this guide and taking in the basic principles of WordPress security will give you the best chance possible of protecting yourself against an account compromise.
Table of Contents
1. The Basics to protect your WordPress
- Why is WordPress Security Important?
- How to keep your WordPress Updated
- Manage Passwords and User Permissions
- The Importance of Web Hosting
2. Step-by-step to secure your WordPress
- Install and manage your WordPress Backups
- Install a WordPress Security Plugin
- Enable the Web Application Firewall (WAF)
- Install an SSL Certificate and force HTTPS
- Change your username
- Disable PHP File Execution
- Limit the Login Attempts
- Add Two Factor Authentication (2FA)
3. How to restore your website
1. The Basics to protect your WordPress site
Why is WordPress Security so important?
Setting up your WordPress Website security doesn’t only protect your website and your data, but also your users. Imagine yourself surfing on the internet and you reach a website displayed by Google Chrome or Microsoft Edge as “unsecured”. Most likely you’ll leave this website.
That just proves why keeping your WordPress website secured is important. And you will find all you need to know in this guide.
How to keep your WordPress updated?
WordPress is open source software, which means it is regularly maintained and updated. On top of that, WordPress has thousands of plugins and themes, maintained by third-party developers who regularly release updates as well.
These updates are essential for the security and stability of your website. You need to make sure your WordPress installation is up to date, or you may run into problems and security issues; in the worst case you can even break your site.
When you log in to the WordPress Dashboard you can easily check which updates need to be applied.
How do I manage my passwords and permissions?
Manage WordPress passwords
You may already know it, but the most common hacks rely on stolen passwords. Using strong, unique passwords will help you protect your website – not only for your admin area but also for your FTP accounts, your hosting account, your email addresses and any other accounts holding your information.
We all have trouble remembering all our passwords; it’s not an easy task. But relax, we have you covered: have a look at the “Password” section in our knowledge base.
A great solution is to use a password manager, which stores your passwords and login information for you.
Manage WordPress permissions
Finally, to drastically reduce risk, you should not give anyone access to your WordPress admin account unless you absolutely have to. If you have a large team or guest authors, we highly recommend that you assign each user the role that matches their job. For example, there’s no need to give admin permissions to your copywriter, who is simply writing and editing posts.
Giving someone access to the WordPress administrator account essentially gives them complete control over your website, so it’s important to avoid that unless absolutely necessary.
There are several other steps you can take related to logins and user credentials; however, since they require additional plugins or configuration, we will come back to them later on.
How important is Hosting in the security of your WordPress?
Your WordPress hosting service plays the most important role in the security of your WordPress site. We have taken extra measures to protect your WordPress website and fight against any kinds of cyber attacks.
At UKHost4u, we:
- Constantly monitor our network for suspicious activity.
- Have tools in place to prevent large scale DDoS attacks.
- Keep our server software and hardware up to date to prevent hackers from exploiting known security vulnerabilities in old versions.
- Have ready-to-deploy disaster recovery and accident plans which allow us to protect your data in case of a major accident.
On a shared hosting plan, you share the server resources with many other customers. This opens the risk of cross-site contamination where a hacker can use a neighboring site to attack your website.
Using a managed WordPress hosting service provides a more secure platform for your website which comes with automatic backups, updates, and more advanced security configurations to protect your WordPress website.
We recommend our fully managed hosting package for your website. Feel free to look at our cheap WordPress Hosting plans here.
2. Step-by-step guide to securing your WordPress
Backup your WordPress Website
Backing up your website is not only a good way of protecting against hackers, it also helps you get your website back online quickly if you’ve been the victim of hacking. Backups should be taken as regularly as possible, because you never know when a hacker will strike!
These days you can backup your WordPress site quickly and easily, so there’s no excuse not to!
Plugins can be used to backup your WordPress website more conveniently, but just make sure if you’re going down this route that you use a trusted plugin.
Manually backing up your WordPress website involves taking backups of the website’s core WordPress files, theme files and plugin files, as well as any additional content such as images, JavaScript or static web pages.
When backing up you also need to take backups of your WordPress website’s databases, including all posts, users, comments, categories etc.
How can I save a backup of my website and hosting account using Plesk?
If you are using the Plesk Control Panel, saving a backup of your current site is an easy and simple process.
1. Log in to your Plesk Control Panel and click on the “Backup Manager” button on the right side. (See below)
2. From there you can choose to:
- Create a backup and save your website’s files, emails, etc.
- Upload a backup previously saved.
- Remove a backup from your account.
- Schedule a backup on a weekly, monthly and yearly basis.
- Access your remote storage settings.
3. Click on the “Back Up” button and select the content you want to save, the settings for this backup, then click “OK”.
That’s it!
How can I save a backup of my website and hosting account using cPanel?
Here are a few simple steps to take a backup of your website and hosting account:
1. Log in to your cPanel interface
2. Choose “Backup” from the system menu
3. Click the link which reads “Download A Full Account Backup”
4. One pop-up window appears; select the place to save your backup files locally for safekeeping
That’s it, you’ve saved a backup.
Install a Security Plugin
Get the best WordPress Security Plugin
Security plugins are among the most common and popular plugins available for WordPress. As we advised earlier, whether you are starting a new WordPress website or already have one, installing a security plugin is a must.
We have made a short selection of security plugins you can install:
- Wordfence Security – possibly the widest used security plugin, with over 2 million installations. This free plugin provides comprehensive protection against most kinds of common WordPress attacks.
- All In One WP Security & Firewall – another very popular plugin with over 800,000 downloads, this plugin is also free and provides a great extra layer of security for your WordPress website.
- iThemes Security – this popular and easy-to-use plugin provides ample protection against most WordPress attacks with features including brute force protection, file change detection, and database backups.
- Sucuri Security – this premium security plugin provides complete protection for your website with WAF protection, monitoring and incident response features.
One piece of advice if you’re installing a security plugin: make sure to download it from a trusted source, and read the reviews first so that you install a legitimate plugin.
In our cheap WordPress Managed plans, we offer you one of the best control panels: the Plesk Control Panel. With the WordPress Toolkit (see below) you can install and fully manage your WordPress instances from one simple and easy-to-use interface.
Enable a Web Application Firewall (WAF)
A WAF is an application level firewall which applies a set of specific rules to each HTTP request, with the purpose of blocking malicious traffic before it reaches the website itself. Generally these rules protect against common attacks such as SQL injection and cross-site scripting.
Similar to security plugins for WordPress, a WAF can help divert attacks before they reach your website.
Here are some of the best WAF providers we recommend:
- Wordfence – Wordfence includes an endpoint firewall and malware scanner that were built from the ground up to protect WordPress. Its Threat Defense Feed arms Wordfence with the newest firewall rules, malware signatures and malicious IP addresses it needs to keep your website safe. Rounded out by a suite of additional features, Wordfence is the most comprehensive security option available.
- Sucuri – gain peace of mind by securing all your websites – Sucuri fixes hacks and prevents future attacks. A cloud-based platform for every site.
- Cloudflare – this robust web firewall also acts as a performance optimisation tool as well as a content delivery network (CDN), to further help users in different geographic locations load the website more quickly.
- SiteLock – another well known security company providing a WAF which operates at the DNS level to block malicious traffic well before it hits your website and the server that your website is hosted on.
Install an SSL Certificate and force HTTPS
Forcing your website to load through HTTPS with an SSL certificate is a great way of protecting your website. This should be a minimum requirement for every website you have. HTTPS has many benefits, not just limited to security.
HTTPS encrypts all communications between the visitor and the website, so hackers can’t intercept and snoop on the data being transmitted. Ensuring a secure connection minimises the options hackers have for attacking your website, so it’s always advisable to install an SSL certificate and force the site to load through HTTPS.
Having a HTTPS connection will especially help with your login pages. Since the data being transmitted will be encrypted, hackers won’t be able to obtain your login details.
Once you’ve installed an SSL certificate, you first need to configure your site’s URL to load through HTTPS. This is done in Settings > General, through the WordPress dashboard:
Next, you need to add the following lines to the .htaccess file in your site’s document root, above the “# BEGIN WordPress” block so that the redirect runs before WordPress’s own rewrite rules (replace yoursite.com with your domain name):
RewriteEngine On
# Redirect only when the request is not already on HTTPS, or is missing the
# www prefix. Without the %{HTTPS} check, a request that is already on
# https://www.yoursite.com/ would be redirected to itself in an endless loop.
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} ^(www\.)?yoursite\.com$ [NC]
RewriteRule ^(.*)$ https://www.yoursite.com/$1 [L,R=301]
Finally, if you want to also force your dashboard pages to load through HTTPS, add the following line to the wp-config.php file:
define('FORCE_SSL_ADMIN', true);
Change your “Admin” username
For several years now WordPress has no longer forced users to have an administrator account named “admin”. Plenty of users still don’t change their administrator username, which can make it easier for hackers to gain entry.
When installing WordPress, we strongly recommend that you change the default “admin” username for your administrator account.
Disable PHP File Execution
To strengthen your WordPress security you can disable the PHP file execution in directories where it’s not needed such as /wp-content/uploads/.
Simply open a text editor like Notepad and paste this code:
<Files *.php>
  # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
  deny from all
</Files>
Next, save this file as .htaccess and upload it to the /wp-content/uploads/ folder on your website using an FTP client.
For more detailed explanation, see our guide on how to disable PHP execution in certain WordPress directories.
Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.
Limit Login attempts
By default, WordPress allows users to attempt to log in as many times as they want. This leaves your WordPress site vulnerable to brute force attacks; in other words, hackers can try to crack a password by attempting to log in with many different combinations.
How to counter this? You can easily limit the number of failed login attempts a user can make. If you’re using a WAF (Web Application Firewall), this is automatically taken care of.
However, if you don’t have a WAF set up, simply follow the steps below:
1. Download and install the Login LockDown plugin.
2. Activate the plugin
3. Once activated, go to the Settings -> Login LockDown page to set up the plugin.
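As an added example, not code from the Login LockDown plugin or from this article, here is what such a limit looks like when implemented directly against WordPress’s own hooks. The file is assumed to live in wp-content/mu-plugins/ (where it loads without activation); the names prefixed example_, the five-attempt threshold and the fifteen-minute window are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 *
 * Added example (not the Login LockDown plugin). Counts failed logins per
 * client IP address in a WordPress transient and refuses further
 * authentication attempts from that address once the threshold is reached.
 * Place this file in wp-content/mu-plugins/ to load it.
 */

// Assumed thresholds for illustration: 5 failures within 15 minutes lock the address out.
const EXAMPLE_LOCKOUT_MAX_ATTEMPTS = 5;
const EXAMPLE_LOCKOUT_WINDOW       = 15 * MINUTE_IN_SECONDS;

function example_lockout_client_key(): string {
    // REMOTE_ADDR is the address the web server itself saw. Behind a reverse
    // proxy or CDN it is the proxy's address, so every visitor would share one
    // counter; in that setup read the client address from the header your
    // proxy is configured to pass, and trust it only from the proxy's IPs.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'example_lockout_' . md5($ip);
}

// Count each failed login for the requesting address. Re-setting the transient
// restarts its expiry, so the window is measured from the most recent failure.
add_action('wp_login_failed', function (string $username): void {
    $key      = example_lockout_client_key();
    $attempts = (int) get_transient($key);
    set_transient($key, $attempts + 1, EXAMPLE_LOCKOUT_WINDOW);
});

// Refuse authentication while the address is locked out. Priority 30 runs
// after WordPress's own username/password check (priority 20); if this ran
// first, the core check would still return a WP_User and override the error.
add_filter('authenticate', function ($user, string $username, string $password) {
    $attempts = (int) get_transient(example_lockout_client_key());
    if ($attempts >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS) {
        return new WP_Error(
            'example_locked_out',
            sprintf(
                'Too many failed login attempts. Try again in %d minutes.',
                EXAMPLE_LOCKOUT_WINDOW / MINUTE_IN_SECONDS
            )
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function (string $user_login, WP_User $user): void {
    delete_transient(example_lockout_client_key());
}, 10, 2);
```

Two things to keep in mind with this approach: a rejected attempt during the lockout also fires wp_login_failed, so an address that keeps hammering the login form keeps extending its own lockout; and because the counter is keyed by IP address, a site behind Cloudflare or another proxy (see the WAF section above) must take the client address from the proxy’s header, otherwise one attacker can lock out every visitor.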
Add Two Factor Authentication
You may have already encountered two-factor authentication, or 2FA. In short, it’s a technique that requires users to log in by using a two-step authentication method.
- The username and password
- A separate authentication via another device or app.
Most popular online services like Google, Facebook and Twitter allow you to enable it for your accounts. You can also add the same functionality to your WordPress site.
Simply download and activate the Two Factor Authentication plugin. Then click on the ‘Two Factor Auth’ link in your WordPress admin sidebar.
Next, you need to install and open an authenticator app on your phone. There are several of them available like:
- Google Authenticator
- Authy
- LastPass Authenticator
We recommend using LastPass Authenticator or Authy because they both allow you to back up your accounts to the cloud. This is very useful in case your phone is lost, reset, or you buy a new phone. All your account logins will be easily restored.
Set up your 2FA authenticator on your phone following the recommended steps.
That’s all; your authenticator app will now store the account. The next time you log in to your website, you will be asked for the two-factor authentication code after you enter your password.
Open the app on your phone and enter the code it shows.
That’s it. You now have two-factor authentication set up.
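As an added example of what happens on the server side of that step (not the Two Factor Authentication plugin’s code, and not from the original post), the following PHP verifies a code from an authenticator app using TOTP (RFC 6238): the same shared secret the QR code handed to the app, a counter derived from the current time in 30-second steps, and a tolerance of one step either side for clock drift between the phone and the server. The function names prefixed example_ are assumptions; the secret in the usage call is the published RFC 4226/RFC 6238 test secret, not a real one.

```php
<?php
// Added example: server-side verification of an authenticator-app code (TOTP).

// Decode the Base32 secret that the QR code hands to the authenticator app.
function example_base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid Base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // drop trailing padding bits
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then the
// "dynamic truncation" step selects 31 bits and reduces them to 6 digits.
function example_hotp(string $secret, int $counter, int $digits = 6): string {
    $hmac   = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hmac[19]) & 0x0F;
    $code   = ((ord($hmac[$offset]) & 0x7F) << 24)
            |  (ord($hmac[$offset + 1]) << 16)
            |  (ord($hmac[$offset + 2]) << 8)
            |   ord($hmac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// TOTP (RFC 6238): the counter is the number of 30-second steps since the epoch.
function example_totp(string $secret, int $time, int $step = 30): string {
    return example_hotp($secret, intdiv($time, $step));
}

// Accept the current step and one step either side to tolerate clock drift,
// and compare in constant time so timing does not leak how many digits matched.
function example_verify_totp(string $b32_secret, string $submitted, int $now, int $step = 30): bool {
    $secret  = example_base32_decode($b32_secret);
    $current = intdiv($now, $step);
    foreach ([-1, 0, 1] as $delta) {
        if (hash_equals(example_hotp($secret, $current + $delta), $submitted)) {
            return true;
        }
    }
    return false;
}

// Usage: the RFC 4226 test secret "12345678901234567890" in Base32. At unix
// time 59 the counter is 1, for which the RFC lists the code 287082; any other
// six digits should be rejected.
$example_secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
var_dump(example_verify_totp($example_secret, '287082', 59));
var_dump(example_verify_totp($example_secret, '000000', 59));
```

In a real deployment the check above is only half the job: the plugin also has to record which codes have already been used, because a TOTP code stays valid for the whole step plus the drift window and must not be accepted twice, and the shared secret belongs in the database encrypted, not in a plain user meta field.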
3. How to restore your website
Earlier in this post we explained how easy it is to download a full account backup. This way, if your website gets hacked, you can restore a recent version of your website and get back online as fast as possible.
Restoring a backup is certainly easy and fast, but be careful not to re-upload a backup that contains the malware which previously infected your website.
If you have any doubts, feel free to contact our 24/7 Support team. They’ll gladly help you out. However, if you wish to do it by yourself, find below our step-by-step guide to restore your account from a backup.
Restore your WordPress site from a backup with Plesk
1. Log in to your Plesk Control Panel and click on the “Backup Manager” button.
2. Click on “Upload”.
3. You will be prompted to select the backup file you want to upload onto your account.
If you set a password to protect your backup, enter it here.
4. Click OK.
Congratulations! You’ve successfully uploaded your backup using Plesk Control Panel.
Restore your WordPress site from a backup with cPanel
To restore a backup using cPanel, simply:
1. Log in to your cPanel interface.
2. Click on the “Backup” feature icon
You can choose to upload your home directory or a database backup.
3. Select “Choose File” then click on “Upload”.
That’s it!
To Conclude
Now you have all the keys to protect your WordPress website – however, this doesn’t mean your website will never get hacked or attacked. Once the plugins have been installed, once you’ve made sure your hosting provider offers a secure environment for your WordPress site, and once you have set up 2FA and installed an SSL certificate, you’ll need to keep all of those up to date.
To maintain a secure website that is safe from hackers, you’ll need to continuously keep your security measures up to date.
It’s important to remember that no matter how many plugins you install, or how much software you install, you still run the risk of getting hacked unless you understand that security is a state of mind that you need to adopt.
Host your WordPress website today with our cheap WordPress Hosting plans in a secure environment, keep your plugins updated with the easy-to-use Plesk control panel, and stay safe from hackers.