WP Security Essential Part 1
How Do Hackers Compromise Your Website?
It is important to understand how hackers gain entry into a WordPress website and have their wicked way. Although there are many different ways in which a hacker can break into a WordPress website, the main techniques can be grouped together into four categories. In an article last year, WP WhiteSecurity reported the following statistics about hacked websites:
- 41% were hacked through a security vulnerability on their hosting platform
- 29% were hacked via a security issue in the WordPress Theme they were using
- 22% were hacked via a security issue in the WordPress Plugins they were using
- 8% were hacked because they had a weak password
As you can see, 41% of attacks are caused by security issues within your hosting platform. This covers a lot of techniques, such as using a URL parameter to perform an SQL injection. This technique lets the hacker run their own SQL against your database, which can allow them to change data (e.g. your password), retrieve it, or delete it (e.g. delete all your posts and pages).
A whopping 51% of attacks were made through a WordPress plugin or theme. Hackers can do things such as insert eval(base64_decode(...)) code, which lets them run arbitrary PHP from your website (e.g. to send spam). They may also leave a backdoor somewhere on your website. This is a technique they use to get access to your website in the future, even when you believe you have deleted all malicious files.
Last on the list is a weak password. Hackers continue to gain access in this way by using automated scripts that continually guess passwords until they gain entry; a technique that is known as brute force.
WordPress Security Best Practices
Hackers are not looking for a long battle to gain access to a website. They specifically go after WordPress websites that are vulnerable because of security holes. You can therefore effectively block 99.99% of attacks on your website by simply addressing these security issues.
I would like to walk through techniques that you can apply to your website in order to make it more secure. It should not take you more than 20 to 30 minutes to apply all of these techniques. All you have to do is modify a few key files such as .htaccess and wp-config.php. I will also speak about security best practices and recommend WordPress plugins that will help you make your website more secure.
Remember that prevention is better than the cure. If you follow the advice given in this section, a hacker will find it very difficult to gain access to your website in the first instance. Things to keep in mind related to security while developing a WordPress site:
1. Website Hosts
Often, a good place to start when it comes to website security is your hosting environment. Today, there are a number of options available to you, and while hosts offer security to a certain level, it’s important to understand where their responsibility ends and yours begins. Here is a good article explaining the complicated dynamic between web hosts and the security of your website. A secure server protects the privacy, integrity, and availability of the resources under the server administrator’s control.
Qualities of a trusted web host might include:
- Readily discusses your security concerns and which security features and processes they offer with their hosting
- Provides the most recent stable versions of all server software
- Provides reliable methods for backup and recovery
- Supports the latest versions of PHP and MySQL
- Is optimized for running WordPress
- Includes a WordPress-optimized firewall
- Has malware scanning and intrusion detection
- Trains their staff on important WordPress security issues
Decide which security you need on your server by determining the software and data that needs to be secured. The rest of this guide will help you with this.
1. Try to avoid free themes
We’re confident in the quality and security of our free themes. As a general rule though, it’s better to avoid using free themes, if possible, especially if they aren’t built by a reputable developer.
The main reason for this is that free themes can often contain things like base64 encoding, which may be used to sneakily insert spam links into your site, or other malicious code that can cause all sorts of problems, as shown in this experiment, where 8 out of 10 sites reviewed offered free themes containing base64 code.
If you really need to use a free theme, you should only use those developed by trusted theme companies, or those available on the official WordPress.org theme repository.
Note: The same logic applies to plugins. Only use plugins that are listed on WordPress.org, or built by a well-established developer.
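The eval(base64_decode(...)) pattern mentioned above for hacked plugins and the base64 payloads hidden in free themes can be spotted with a simple static scan. The scanner below is an added example (not code from the article); SUSPICIOUS_PATTERNS and the sample footer.php fragment are constructed here, and a hit means "inspect this line", not proof of malware.

```python
import re
from pathlib import Path

# Patterns typical of the obfuscated code the article describes. base64_decode()
# on its own has legitimate uses, so only the eval() combination and very long
# base64-looking literals are flagged.
SUSPICIOUS_PATTERNS = {
    # eval(base64_decode(...)), optionally wrapped in gzinflate/gzuncompress/str_rot13
    "eval+base64_decode": re.compile(
        r"eval\s*\(\s*(?:(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*)*base64_decode\s*\(", re.I),
    # one base64-looking string literal of 200+ characters (hidden payload or spam links)
    "long base64 literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}

def scan_source(source: str, name: str = "<string>") -> list[tuple[str, int, str]]:
    """Return (file, line number, pattern name) for every suspicious line in one PHP source."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                hits.append((name, line_no, label))
    return hits

def scan_theme_dir(root: str) -> list[tuple[str, int, str]]:
    """Scan every .php file under a theme or plugin directory (e.g. wp-content/themes/<name>)."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hits.extend(scan_source(text, str(path)))
    return hits

# Constructed sample: a footer.php fragment of the kind found in tampered free
# themes. 'c3BhbQ==' is just base64 for the word "spam".
SAMPLE_FOOTER = """<?php
wp_footer();
$s = 'c3BhbQ==';
eval(base64_decode($s));
"""

if __name__ == "__main__":
    for file, line_no, label in scan_source(SAMPLE_FOOTER, "footer.php"):
        print(f"{file}:{line_no}: {label}")
```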
2. Create Custom Secret Keys for Your wp-config.php File
WordPress Security Keys were first introduced in WordPress versions 2.5, 2.6, and 2.7. The keys improve the encryption of the information stored in a visitor’s cookies. They also make your password harder to crack, as they add random elements to it. A salt phrase is added to each key to make it even more secure.
The keys can be changed in wp-config.php. This is an important configuration file that can be found in the root of your WordPress installation. If you have not added security keys to your wp-config.php file already, the code will look like this:
Eight keys and salts can be generated through the WordPress Salt Keys Generator. Once the code has been generated, you simply replace the code above with the uniquely generated phrases.
* Note that the above code is just an example. You should generate unique codes for your website.
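If you would rather not paste values from a web page, the eight keys and salts can be generated locally and an existing wp-config.php can be checked for the sample placeholder. This is an added example, not the article's or WordPress's own code; the 32-character audit threshold and the character set are assumptions made here.

```python
import re
import secrets
import string

# The eight constants wp-config.php expects.
WP_KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Letters, digits and punctuation; no quote or backslash, so a value can sit
# inside a PHP single-quoted string without escaping.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"
KEY_LENGTH = 64  # length chosen here; the WordPress.org generator also emits 64-character phrases
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_LENGTH = 32  # assumed audit threshold; anything shorter is reported as too weak

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)\s*;")

def generate_key(length: int = KEY_LENGTH) -> str:
    """One key/salt drawn from the OS CSPRNG (secrets), never from random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def generate_salt_block() -> str:
    """Eight define() lines ready to paste into wp-config.php."""
    return "\n".join(f"define('{name}', '{generate_key()}');" for name in WP_KEY_NAMES)

def audit_wp_config(config_text: str) -> list[str]:
    """Names of keys that are missing, still the sample placeholder, or shorter than MIN_LENGTH."""
    found = {m.group(1): m.group(2) for m in DEFINE_RE.finditer(config_text)}
    return [
        name for name in WP_KEY_NAMES
        if found.get(name) is None or found[name] == PLACEHOLDER or len(found[name]) < MIN_LENGTH
    ]

if __name__ == "__main__":
    print(generate_salt_block())
```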
3. Change the Database Prefix
A lot of the basic setup for WordPress is the same across many sites, especially if you use a one-step install wizard through your web host. This is very convenient, but it means common setup values, such as your database prefix, are known to hackers as a result. If you don’t change the database prefix, the table names of your site’s database are easily known to the person who is trying to hack your site.
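Changing the prefix on an existing site means more than renaming tables: WordPress also stores the prefix inside option and user-meta rows, and missing those locks every user out of wp-admin. The generator below is an added example (not the article's code) that emits the wp-config.php line and the MySQL statements for the move; the CORE_TABLES list covers a stock single-site install and the new prefix 'k7x_' is a constructed value.

```python
import re

# Tables a stock single-site WordPress install creates. Multisite and many
# plugins add more, so on a real database take the list from
# SHOW TABLES LIKE 'wp\_%' instead of hard-coding it.
CORE_TABLES = ("commentmeta", "comments", "links", "options", "postmeta", "posts",
               "terms", "term_relationships", "term_taxonomy", "termmeta",
               "usermeta", "users")

def _check_prefix(prefix: str) -> None:
    # Only letters, digits and underscores, ending in '_', so the value is safe
    # to interpolate into identifiers and the LIKE pattern below.
    if not re.fullmatch(r"[A-Za-z0-9_]+_", prefix):
        raise ValueError(f"bad table prefix: {prefix!r}")

def wp_config_line(new: str) -> str:
    """The $table_prefix line to put in wp-config.php before running the SQL."""
    _check_prefix(new)
    return f"$table_prefix = '{new}';"

def prefix_migration_sql(old: str, new: str, tables=CORE_TABLES) -> list[str]:
    """Statements that rename the tables and fix the rows that embed the prefix."""
    _check_prefix(old)
    _check_prefix(new)
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    # The options table gets an exact match only: other options are literally
    # named 'wp_...' whatever the prefix (e.g. wp_page_for_privacy_policy).
    stmts.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';"
    )
    # usermeta keys such as wp_capabilities and wp_user_level are all prefix-derived,
    # so rewrite every key that starts with the old prefix.
    like_old = old.replace("_", "\\_")  # '_' is a LIKE wildcard; escape it
    after = len(old) + 1                 # SUBSTRING is 1-indexed: keep text after the prefix
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {after})) "
        f"WHERE meta_key LIKE '{like_old}%';"
    )
    return stmts

if __name__ == "__main__":
    print(wp_config_line("k7x_"))
    print("\n".join(prefix_migration_sql("wp_", "k7x_")))
```

Take a database backup before running the output, and run it inside one transaction so a failed rename does not leave half the tables under each prefix.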
4. Protect Your wp-config.php File
As mentioned earlier, the wp-config.php file contains all the confidential details of your site. So it’s pretty important that you protect it at all costs. An easy way to protect this file is to simply place the following code in your .htaccess file on your server.
<files wp-config.php>
order allow,deny
deny from all
# On Apache 2.4 without mod_access_compat, use "Require all denied" instead of the two lines above.
</files>
5. Protect Your .htaccess File
We can protect our wp-config.php file as mentioned above, but what about protecting the .htaccess file itself? Don’t worry, we can use the same .htaccess file to protect itself from being preyed upon. You just need to place the code below in your .htaccess file.
<files .htaccess>
order allow,deny
deny from all
# On Apache 2.4 without mod_access_compat, use "Require all denied" instead of the two lines above.
</files>