How To Secure WordPress Site From Hackers With iThemes Security Plugin
This post is part of my guide about starting a blog from scratch. Read the full guide to learn all the steps involved in creating a new blog.
The security of your site is vital for your business. Your WordPress site is your virtual home, the place where your customers can find you, and the center of your business.
There are many aspects that should be taken into consideration concerning the security of a website.
A website can be hacked in many different ways. Hackers can exploit security holes in your web hosting server or weak points in the software your website is built upon, or can even hack your site by installing a virus on the computer you use to access the site.
This guide is going to teach you how to secure a WordPress site from hackers with the help of the iThemes WordPress Security plugin.
WordPress Security
Many WordPress sites are hacked every day across the world.
– Is WordPress secure enough to use it for powering my blog or my company’s website?
WordPress was released to the public on May 27, 2003, and has been continuously updated and improved since then.
Because it’s Open Source and everyone can see the core script, it has been easier for hackers to find vulnerabilities in the main script and use them to attack the sites powered by WordPress.
It’s true that WordPress had some major security issues from its initial release date, but all the known security breaches have been fixed in the updates.
Even though from time to time new security vulnerabilities are found in the newly implemented features, WordPress has become way more secure than it was initially and it’s probably safer than many other scripts and content management systems.
– Then how are many WordPress sites still hacked?
Nowadays, the majority of hacked WordPress sites are not compromised through the WordPress core script.
Poorly coded WordPress themes and plugins
Most of the weak points of WordPress sites are found in poorly coded themes and plugins. Some themes and plugins even contain harmful code added intentionally by their authors to give them access to the site’s administrator functions, database, FTP, etc.
It’s very important to choose your themes and plugins carefully. Also, make sure you always update these to their latest versions.
Administrator account hacked
Another well-known way WordPress sites are hacked is by an attacker gaining access to a user account that has administrator privileges.
At installation, WordPress now asks you what username you want for your administrator account. In the older versions of WordPress, this was automatically set to “admin,” increasing the chances for a hacker to find the right password combination for this username.
Many people just set this password to “1234”, “11111”, “000000”, “admin”, their first name, last name, username, etc. These are all very weak passwords, and very often, hackers will use software that tries hundreds of password combinations per minute.
Vulnerabilities of the web hosting
Sometimes, sites are hacked through the vulnerabilities of the web hosting server where the site is hosted.
Having your site’s web hosting from a reputable web hosting provider is mandatory.
The big companies usually take the security of their web servers very seriously. These companies keep their servers secure by periodically updating the software they use for their web servers, and their specialists install various security software and configure the servers in the best way possible to avoid any security breaches.
If you are looking for a reliable web hosting provider, I recommend Siteground.
If you are not a techy guy and you don’t want to have to deal with the WordPress installation, performance, backup, and security issues, I recommend getting managed WordPress hosting.
Managed WordPress hosting will already be optimized for the best performance and security for WordPress. You will also receive extra support, and WordPress specialists will always make sure your site is in good condition.
These managed WordPress hosting plans will usually also include a free website migration service if you want to transfer an existing site to them.
The disadvantage of managed WordPress hosting is that it is more expensive than a regular web hosting plan (somewhere between $20-$30 per month), but if you are a beginner and you want to receive more help with WordPress, a managed hosting plan deserves every extra dollar.
If you decide to go for managed WordPress hosting for your site, I recommend StudioPress (they are the creators of Genesis Framework, the parent WordPress theme I use for my site).
WordPress Updates
Another reason why many sites are hacked is that their owners forget to update the software they use for their sites.
WordPress has a large community of developers and contributors that updates the software regularly. You can see all the WordPress updates since its initial release here.
It’s essential to always update the WordPress core script, the themes, and the installed plugins to the latest version. WordPress has made this process extremely simple: you can update the main script, and the plugins and themes installed from the official WordPress site, directly from the WP dashboard.
WordPress even has a built-in function that enables the software to self-update when a security issue has been detected in the version your site currently has installed (this feature was introduced in WordPress version 3.7).
How To Secure WordPress Site From Hackers
Now that you know the most common ways a WordPress site can be hacked, it’s time to teach you how to secure your WordPress site against hackers at the site level.
To secure my WordPress blog, I use a free WordPress security plugin called iThemes Security.
There are many other free and premium plugins, like Wordfence, BulletProof Security, Sucuri Security, Acunetix WP SecurityScan, All In One WP Security & Firewall, etc.
I’m not claiming that iThemes Security is the best WordPress security plugin, but that’s what I use and like. I’ve been using iThemes Security for a few years now, and I’ve never had any of my WordPress sites hacked. I also like the fact that this plugin doesn’t slow down my site, unlike other plugins that consume a lot of the web server’s resources.
Install iThemes Security Plugin
If you haven’t installed iThemes Security already, log in to your WordPress site admin area and install the plugin.
Go to “Plugins–>Add New.”

Type “ithemes security” in the plugin search form from the top-right of the page.

The first plugin that shows up on the list should be called “iThemes Security (formerly Better WP Security).” If so, click the “Install Now” button.

Wait a few seconds until the plugin is installed, then activate it.
Once the plugin is active, a new “Security” menu will appear.
Head to “Security–>Security Check” to perform a security check for your site. This feature will basically just check which modules of iThemes Security are enabled and activate the recommended ones.

If you haven’t configured the settings of the plugin yet, you should see the following screen.

Click the “Secure Site” button to enable the recommended modules.
The following modules will be enabled:
- Banned Users
- Database Backups
- Local Brute Force Protection
- Network Brute Force Protection
- Strong Passwords
- WordPress Tweaks

At the top of the page, a button labeled “Activate Network Brute Force Protection” will appear. If you enable this feature, you allow the plugin to contribute to the improvement of the iThemes Security network by sending information whenever your site detects a threat. Other sites that use the iThemes Security plugin will also contribute to this network and your site will benefit from the data collected by this network.
The plugin won’t send your personal information, only information about the attacker. Contributing is a nice way of giving something back to the community, so I recommend enabling this option.
Above this button, you will see a form with your site’s email address pre-populated. You can select whether you want to receive updates about the iThemes Security plugin by email.
After you activate the “Network Brute Force Protection,” that option will turn green as well.

Congratulations! Your site is now protected by the iThemes Security plugin.
I keep most of the iThemes Security plugin options at their defaults. I usually only edit a few settings.
Global Settings
If you want to follow along, go to “Security–>Settings” and click the “Configure Settings” button in the “Global Settings” module.

I like to change the “Host Lockout Message” from the default “error” text to something more explanatory.
For example:
You have been blocked from accessing this site by our security protection.

The next thing I do is to whitelist my IP address.
This option is useful when you have a static IP address (your IP address doesn’t change after you reconnect to the internet). This feature will stop the plugin from locking you out of your own site if you enter the wrong password multiple times.
To add your IP address to the White List, just click the “Add my current IP to the White List” button below the form.

Scroll down to the “Log Type” option.
The plugin allows you to store the log entries in your site’s database, or in a .log file that’s stored on your disk. The logs will keep track of every blocked IP address and every hacking attempt.
The advantage of storing the log in the database is that you can view the log at any time under “Security–>Logs.” See the example below, where someone (or most likely a bot) has tried to log in to my site with the username “admin.”

The disadvantage is that if your site is attacked, the log entries will add up quickly and because this feature uses the database, your site might become slower.
If you save the log in a file, your log’s records won’t be available under the “Logs” menu, but only accessible via FTP. However, this option is faster because it doesn’t use the database, so it won’t affect the performance of your site.

If you choose to store the logs in the database, then you can also lower the number of days until the records are automatically cleared. If you save the logs in a file, then the logs won’t be deleted automatically but kept on the disk until you clear them manually.
You can see the full path to the directory where your logs file will be saved in the “Path to Log Files” option.
Leave everything else on this page to the default value.
Database Backups
Next, go to the settings of “Database Backups” module.

This module enables you to receive a scheduled or manual database backup at your email address or save it on your web server’s disk.
I only like to receive the database backup file by email, so I just leave the “Backup Method” option at the default value.

The only thing I do on this page is turn on the “Enable Scheduled Database Backups” option.
If this feature is enabled, the iThemes Security plugin will make a database backup automatically at the time interval set in the “Backup Interval” option and send it to your email, or save it on your server.

File Permissions
If your server runs Linux, then all the files and folders uploaded to your web host will have a set of permissions.
I won’t try to explain in detail what these permissions are for, since they can be hard to understand for a person without knowledge of web server management or programming.
You just need to know that if some of our website files have the wrong permissions, an attacker can take advantage of this and do some bad things to our site.
The iThemes Security WordPress plugin comes with recommendations for the permissions that some of our site’s files and folders should have for the best security.
First, let’s analyze the current permissions of our site’s files and directories.
To do that, click the “Show Details” button from the “File Permissions” module.

If you haven’t scanned the permissions of your site yet, you should see the following screen.

After the plugin checks the current permissions, you should see something similar to the screenshot below.

The “Relative Path” column represents the folder and file location, where “/” is the root directory of your site (usually a folder called public_html or www).
The numbers you see under the “Value” column are the current permissions of the file or folder.
The recommended permissions are under the “Suggestion” column.
The “Result” and “Status” columns notify you if specific files and folders have the right permissions, or if you should change the current value.
If you see an “OK” message under “Result” and a green color under “Status,” there is nothing you should change. Otherwise, if you see “Warning,” you should change the current permissions of the listed files and folders to the suggested values.
Unfortunately, these permissions cannot be modified automatically by the plugin and you also cannot change these from the WordPress dashboard.
You’ll have to change the permissions with the help of an FTP client.
If you’ve never used an FTP client, read the instructions from the section “Installing an FTP client” of my post on how to install WordPress.
After you have installed the FileZilla FTP client and added your site, connect to your host and go to the root directory of your WordPress site.
To change the permissions of a file or folder with FileZilla, right-click on that file or directory and choose “File Permissions” from the list of options.

Replace the current “Numeric value” with the value suggested by the iThemes Security plugin for that particular file and click “OK” to save the new permissions.

Repeat the operation for each file listed by the plugin.
Go back to the “File Permissions” module of iThemes Security and click the “Reload File Permissions Details” button at the top of the permissions list.
The permissions will be reloaded, and if you have set the correct permissions, every file should now have “OK” under “Result” and a green color under “Status”.
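The same comparison can be run from a script on the server. This is an added example, not code from the plugin or from the original post: the baseline table is an assumption (use the values from your own “Suggestion” column), and the sample site tree is constructed in a temporary directory.

```python
import os
import stat
import tempfile

# Assumed baseline, not taken from the page: replace these with the values
# shown in the plugin's "Suggestion" column for your own site.
SUGGESTED = {
    "/": 0o755,
    "/wp-admin": 0o755,
    "/wp-includes": 0o755,
    "/wp-content": 0o755,
    "/wp-config.php": 0o444,
    "/.htaccess": 0o444,
}


def audit_permissions(site_root, suggested=SUGGESTED):
    """Return rows of (relative path, value, suggestion, result)."""
    rows = []
    for rel, want in suggested.items():
        full = os.path.join(site_root, rel.lstrip("/"))
        try:
            # lstat reports on the entry itself and does not follow symlinks.
            mode = stat.S_IMODE(os.lstat(full).st_mode)
        except FileNotFoundError:
            rows.append((rel, None, want, "MISSING"))
            continue
        # Warn when the entry grants any permission bit the suggestion does
        # not; a stricter mode than suggested is accepted.
        result = "WARNING" if mode & ~want else "OK"
        rows.append((rel, mode, want, result))
    return rows


def build_sample_site():
    """Constructed sample tree with deliberately mixed permissions."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.chmod(root, 0o755)
    for name, mode in (("wp-admin", 0o755), ("wp-includes", 0o755),
                       ("wp-content", 0o777)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    config = os.path.join(root, "wp-config.php")
    open(config, "w").close()
    os.chmod(config, 0o644)  # readable by all, writable by owner
    return root  # .htaccess is intentionally absent


if __name__ == "__main__":
    for rel, mode, want, result in audit_permissions(build_sample_site()):
        value = "-" if mode is None else format(mode, "03o")
        print(f"{rel:<16} {value:>5} {want:03o} {result}")
```

To audit a real site, pass its root directory (for example the public_html folder) to audit_permissions instead of the sample tree.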

Local Brute Force Protection
Next, look for the “Local Brute Force Protection” module and click on “Configure Settings.”
This feature will ban the people or automated software that try to break into your user accounts by guessing the password using multiple password combinations.
Leave the defaults for all the options, and only enable the “Automatically ban “admin” user” option.

This will ban the host of everyone who tries to log in to your site with the username “admin.” If you use this username for your administrator account, just create another account, give it administrator privileges and delete the account with the username “admin.”
That username was the default value for the administrator account registered by WordPress in the past, and a lot of people just set a very weak password for it. Nowadays, WordPress will ask you to set your desired username for the administrator account at installation.
Many automated bots are still trying to hack into your WordPress site by finding the password for this account.
Fortunately, the iThemes Security plugin can ban the people or bots who try to hack your user and administrator accounts.
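The lockout rules described in this section, together with the IP white list from “Global Settings,” can be sketched as follows. This is an added example and not the plugin’s own code: the log format, the sample entries, and the thresholds (5 failures in 5 minutes) are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format and entries (not the plugin's real log layout).
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) login_failed "
                  r"host=(?P<host>\S+) user=(?P<user>\S+)$")
FMT = "2024-05-01 10:{:02d}:{:02d} login_failed host={} user={}"
SAMPLE_LOG = sorted(
    # one attempt with the username "admin"
    [FMT.format(0, 1, "203.0.113.7", "admin")]
    # five failures in 40 seconds
    + [FMT.format(1, s, "198.51.100.20", "marius") for s in range(0, 50, 10)]
    # site owner mistyping the password six times
    + [FMT.format(2, s, "192.0.2.50", "marius") for s in range(0, 60, 10)]
    # four failures spread ten minutes apart
    + [FMT.format(m, 0, "198.51.100.99", "editor") for m in (3, 13, 23, 33)]
)


def evaluate(lines, max_attempts=5, window_minutes=5, whitelist=(),
             ban_admin=True):
    """Return {host: reason} for every host that would be locked out."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # host -> timestamps of recent failures
    blocked = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not failed logins
        host, user = m["host"], m["user"]
        if host in whitelist or host in blocked:
            continue  # white-listed hosts are never locked out
        if ban_admin and user == "admin":
            blocked[host] = "used username 'admin'"
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        attempts = recent[host]
        attempts.append(ts)
        # Forget failures that fall outside the sliding window.
        while ts - attempts[0] > window:
            attempts.popleft()
        if len(attempts) >= max_attempts:
            blocked[host] = (f"{len(attempts)} failed logins within "
                             f"{window_minutes} minutes")
    return blocked


if __name__ == "__main__":
    for host, why in evaluate(SAMPLE_LOG, whitelist={"192.0.2.50"}).items():
        print(host, "->", why)
```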
SSL
An SSL certificate will add another layer of security to your site by enabling the “https” protocol and allowing secure connections between a web server and a browser.

You should only enable this module if your site is accessible with “https://” in front of the domain name (see my domain name).
https://antreno.com
If you don’t have an SSL certificate installed yet for your site, do not enable this module of the iThemes Security plugin.
If you want your WordPress site to be more secure, I really recommend installing an SSL certificate.
I usually just purchase this certificate when I register a domain name.
You can also get a very cheap PositiveSSL certificate from SSLS.com.
Once you have an SSL certificate installed and the “SSL” module is enabled, you should click the “Configure Settings” button.

Next, enable the “Redirect All HTTP Page Requests to HTTPS” option.

Hide Backend
Click the “Advanced” link from the top-right of the page.

Locate the “Hide Backend” module and click on “Configure Settings.”

This section enables you to hide your WordPress admin and login URL by changing the location of the default WordPress pages.
If you change the location of this page, the malicious bots that try to use brute force to hack into your users’ accounts will have a hard time finding your site’s login page.
Enabling this option shouldn’t break well-coded WordPress plugins and themes.
Tick the “Hide Backend” option and more options will appear.

Enter the new location of the login page in the “Login Slug” option. Use only letters, numbers and underscores.
For example: “customlogin”.
Then, your site’s login page will become available at www.yoursite.com/customlogin.
Other Options
You have now secured your WordPress site from hackers and your blog is now protected by the iThemes Security plugin.
If you like, you can also enable other modules and options. I usually just leave everything else at the default values set by the plugin.
Conclusion
It’s vital to have a secure WordPress site. Your website is an important pillar of your business and online presence.
If you do not pay enough attention to the security of your site, it might get hacked and you can put your entire business at risk. In the case you also store customers’ details on your server, you put their info in danger as well.
It’s not easy to ensure that your site is entirely safe from hackers. Your website can be attacked through the vulnerabilities of your web hosting server, a user account, through poorly coded WordPress themes and plugins, or even through the computer that you use to access your site.
Hopefully, the tips in this post will give you a better understanding of how to secure your WordPress site from hackers.
Hello Marius,
Very detailed and informative post. I have heard a lot about the iThemes Security plugin. I am currently using the All In One WP Security plugin for my blog and it works like a charm and prevents my site from hacking and spamming. Thanks for sharing these great insights here. Love your blog 🙂
Have a great day 🙂
Vishwajeet
Hi Vishwajeet,
Thank you for stopping by to leave a comment.
I never tried the All In One WP Security plugin.
Actually, iThemes Security is the first WordPress security plugin I tried, and since none of my WordPress sites have ever been hacked, I’ve stuck with it.
Best Regards,
Marius