Is IT security in WordPress a priority for you? Probably yes, but are you really doing everything necessary to keep your website or blog secure on this CMS?
Your website or blog is your home on the net, a precious place, and surely you don't want anyone but you getting in without an invitation.
The intruders on the network use ever more sophisticated techniques to take control of a blog or a website.
So, are all the extra protective measures we can adopt ever enough?
What can I do to improve the security of my WordPress?
Surely you already know some good practices on this subject, such as backing up WordPress regularly or setting a very strong password.
However, even if you carry out these actions on your site, it may not be enough to be well protected. So you need to implement them alongside others, in a much more advanced way.
If you once created your blog or website in WordPress and want to keep it safe, you need to take it more seriously and apply measures more advanced than the standard ones that everyone recommends and that you have read on many sites.
That is why, in this 71st guest post, I have Luis Mendez of Webempresa (my own hosting provider) with me, who as a specialist in the matter is going to provide us with a very advanced CHECKLIST of all the aspects to keep in mind.
I leave you now with this great guide to achieving greater security in WordPress and making your site foolproof.
Everything you need to know about security in WordPress!
All software by nature tends to be vulnerable or insecure, and WordPress is no exception.
That is why today we are going to talk about security in WordPress.
While it is very safe (though not infallible), it is the user and their good practices that turn it into an impregnable fortress.
In this article I am going to reveal some tricks and give you recommendations on how to make WordPress safer and better protect your site against possible attacks or infections.
WordPress security checklist:
Throughout this article we will look at the following 16 actions to cover the basic elements of WordPress security:
- Protect the dashboard login form.
- Change the username to avoid enumeration.
- Use two-factor authentication, preferably with a physical token.
- Use more robust and less predictable passwords.
- Prevent the listing of sensitive WordPress directories.
- Protect the wp-config.php file.
- Use SSL so that data transfer is more secure.
- On sites with multiple users, force periodic password changes.
- Audit the changes made by different administrators.
- Change the default prefix of the database tables.
- Make WordPress backups, manual and automatic, constantly and on a schedule.
- Use robust passwords for the database too.
- Always access the site securely (SFTP, SSH, cPanel over VPN).
- Disable the listing of the .htaccess file.
- Always keep plugins updated to stable versions.
- Always stay with hosting providers that guarantee the overall security of your websites.
As a whole, it is like making a good salad. If you buy a quality oil, Extra Virgin if possible, the greens are fresh and green, and the tomatoes are at their point of colour and texture, all it takes is your master touch to combine them and create the perfect salad.
Do you dare to do it? Because that is what we are going to do!
WordPress is the undisputed leader in audience worldwide, with a market share of approximately 26% of the Internet, which makes it a tempting target for malicious users.
Let us review these points so that you understand each of them better and can implement extra measures in those areas of your website that need reinforcing to ensure stability and security in WordPress.
Remember that not all of them are necessarily applicable in most cases, nor is it a matter of pulling the blanket over your head and applying paranoid levels of protection to your website.
Look for the balance between secure and usable. Those who access your site legitimately are real flesh-and-blood users who want to spend their time on your site reading, learning or improving skills, not taking a master's course in security measures.
1 # Protect the dashboard login form
There are several ways to make the WordPress "dashboard" login form more secure, especially considering that it is the form that, on average, receives the most attacks on any existing website.
Don't forget that a large number of users still use the same password to access different sites.
Some ways to protect the dashboard are:
- Implement reCAPTCHA (preferably reCAPTCHA rather than a plain CAPTCHA).
- Add a second authentication method (two-factor authentication) with a physical token.
- Obfuscate or change the classic wp-admin or wp-login.php access paths to custom ones.
- Enable traditional federated access: Facebook, Twitter, Google.
- Enable hosting-level authentication protecting the /wp-admin directory.
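As an added example (not code from the original post or from Webempresa), this is what the last item, hosting-level authentication in front of /wp-admin, looks like as Apache configuration. The password file path /home/example/.htpasswd and the realm name are assumed values; the exception for admin-ajax.php is there because many themes and plugins call that file from the public front end, and putting it behind the password prompt would break them for logged-out visitors.

```apache
# .htaccess placed inside the /wp-admin directory (added example, not from the original post).
# The password file is created once with:  htpasswd -c /home/example/.htpasswd someuser
# (/home/example/.htpasswd and "Restricted area" are assumed values; use your own.)
AuthType Basic
AuthName "Restricted area"
AuthUserFile /home/example/.htpasswd
Require valid-user

# admin-ajax.php is used by the public front end of many themes and plugins,
# so it must stay reachable without the extra password.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        # Apache 2.4: the innermost Require replaces the one inherited above
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 syntax
        Satisfy Any
        Order allow,deny
        Allow from all
    </IfModule>
</Files>
```

This only works if the hosting allows `AllowOverride AuthConfig` (or `All`) for the directory; if it does not, the site answers with a 500 error and the provider's panel (cPanel "Directory Privacy") is the place to set it instead. It is a second, independent password in front of the WordPress login, so it also blunts brute-force attempts against wp-login.php credentials before they reach WordPress.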
On this point I want to leave you with a phrase taken from an interview with Chema Alonso (who needs no introduction) regarding 2FA and federated access:
For this reason, this should not become a default standard solution.
I could set out other extra measures, but they are somewhat more technical and beyond the focus of this article.
Some plugins that may be useful to you for protecting the dashboard are:
2 # Change the username to avoid enumeration
The most common username, and the one set by default when installing WordPress, is admin, and this is common knowledge.
Knowing, as we do, that the bad guys know it too, and to make their life a little more complicated, it is a good idea to change the usual username admin to one that is less predictable and includes some capital letters.
Much better that way!
If you don't want to get tangled up learning how to change your current username admin to a different, less predictable and safer one, you can do it manually yourself (after a WordPress backup), even if you only have one user on your blog.
How to change the admin username manually?
- Log in to the WordPress "dashboard".
- Go to "Users" ⇒ "Add New".
- Create a new user with administrator privileges and a more personalised name.
- From "Posts", assign all the posts to the newly created administrator.
- From "Pages", assign all the pages to the newly created administrator.
- From "Users" ⇒ "All Users", you can now delete the user "admin".
From the dashboard you can create new "Administrator" users.
Example of posts assigned to the new administrator user.
Example of pages assigned to the new administrator user.
With this simple process you have stopped using the predictable and enumerable user "admin" in favour of another, less known and somewhat more secure one.
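The same six steps can be done in one go with WordPress' own API. The script below is an added example (it is not from the original post and not a plugin's code); it is meant to be saved as a file and run with WP-CLI as `wp eval-file rename-admin.php`. The new username, the e-mail address and the file name are constructed values; the e-mail must not already belong to another account, otherwise wp_create_user() refuses to create the user.

```php
<?php
/**
 * Added example, not from the original post: replace the "admin" account with a
 * less predictable administrator and hand every post and page over to it.
 * Run after a backup with:  wp eval-file rename-admin.php
 */
require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here

$old_login = 'admin';
$new_login = 'Jr_Maint_4k';          // constructed: less predictable, mixed case
$new_email = 'owner@example.com';    // constructed: must be unused by any other account

$old = get_user_by( 'login', $old_login );
if ( ! $old ) {
    WP_CLI::error( "No user named {$old_login}; nothing to do." );
}
if ( username_exists( $new_login ) ) {
    WP_CLI::error( "User {$new_login} already exists; pick another name." );
}

// Step 3: create the new user with a strong random password, then make it an administrator.
$password = wp_generate_password( 24, true, true );
$new_id   = wp_create_user( $new_login, $password, $new_email );
if ( is_wp_error( $new_id ) ) {
    WP_CLI::error( $new_id->get_error_message() );
}
( new WP_User( $new_id ) )->set_role( 'administrator' );

// Steps 4 to 6: wp_delete_user() with a reassign target moves every post and page
// owned by the old account to the new one before the old account is removed.
wp_delete_user( $old->ID, $new_id );

WP_CLI::success( "Replaced '{$old_login}' (ID {$old->ID}) with '{$new_login}' (ID {$new_id})." );
WP_CLI::line( "Temporary password, change it at first login: {$password}" );
```

The reassignment matters as much as the deletion: deleting the old account without `$new_id` would delete its posts and pages along with it. Afterwards, confirm that `/?author=1` (and `/wp-json/wp/v2/users`, if the REST API is public) no longer reveals a login name you care about; enumeration through those endpoints is exactly what the username change is meant to blunt.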
3 # Use two-factor authentication, preferably with a physical token!
It is true that I already said something about this in the point dedicated to "protect the dashboard login form". Even so, I wanted to put a little more emphasis on it because of how rarely this additional security measure is used on the WordPress login form.
Many users, out of ignorance or fear of not knowing how to implement 2FA (a second factor of authentication), have postponed "forever" the activation of measures of this type, which are very safe and recommended.
Now that the fingerprint as a second authentication factor on mobile devices is more than a fashion, it may be easier for you to understand how important it can be to implement similar measures.
You can do it with a mobile device, so that access to the WordPress dashboard can only be made by those who have access to the random codes provided by apps such as Google Authenticator, LastPass Authenticator or Latch.
There are plugins for WordPress that are extremely easy to install and configure and that, together with apps for iOS, Android or Windows Phone, give a twist to the security of the WordPress login form.
- Google Authenticator: WordPress plugin – iOS – Android – Windows Phone.
- Latch: WordPress plugin (mentioned above) – iOS – Android – Windows Phone.
4 # Use more robust and less predictable passwords
Until a few months ago (perhaps a year), it was thought that a robust, alphanumeric password, including special characters, with a minimum length of 8 characters and not associated with notable dates in my life, names of family, pets or familiar places, would be the solution against any attempt to break it.
Unfortunately it is not so.
Although I am not going to go into detail in this article as to why, the truth is that the maxims about passwords that we are used to are losing strength and credibility as new, less fallible methods of guessing them appear.
I will explain this to you further below.
5 # Prevent the listing of sensitive WordPress directories
This is becoming less common, especially in WordPress installations hosted on servers running Apache, which allows you to prevent files and folders from being listed in the browser.
That is why many users may not need to consider this security measure.
As a general rule, preventing directory listing from the browser is done simply by adding an index.html file to those folders that could be listed.
Or at least in those that do not have an index.php file responsible for loading the site, since an index.html file could override the execution of index.php.
In addition, to prevent the listing of files in your hosting directories globally, the ideal is to edit the .htaccess file and add the Apache directive at the beginning: Options -Indexes
Without this directive in .htaccess, the Apache module mod_autoindex would return a list of the contents of any directory of your hosting that is requested.
6 # Protect the wp-config.php file
Just as it is possible to prevent the listing of files and folders on the hosting, it is good to also protect certain WordPress files from prying eyes.
Check whether you are exposing a "delicate" file such as wp-config.php to strangers' eyes via the browser.
Run the test: type the URL of your domain into your browser followed by the file name quoted above!
If it returns a "Forbidden" error, you can sleep peacefully: the WordPress installation associated with that domain is protected from prying.
If, on the contrary, it shows the contents of the wp-config.php file on screen, it is important to add the following code to your .htaccess file to protect yourself against this kind of attack:
7 # Use SSL to make data transfer more secure
That is to say, installing an SSL certificate on your hosting, for one or several (wildcard) domains or subdomains, is increasingly important, and necessary if your WordPress installation is geared to e-commerce with plugins such as WooCommerce.
Google and other search engines give more and more importance to the use of SSL (https) on websites (WordPress included).
Besides helping you offer encrypted transactions, any data exchanged between the client and the web server will travel more securely thanks to the use of this protocol.
Nowadays you can get a free SSL certificate, for example the one Webempresa offers to all its customers.
Beyond that, more and more hosting providers are offering Let's Encrypt as an option to add an extra layer of security to WordPress and move easily from HTTP to HTTPS without specific knowledge of SSL.
Don't worry about what you may have read about the "loss of loading speed of your site by using SSL": it is minimal and well worth the change.
8 # On sites with multiple users, force periodic password changes
Many WordPress blogs work with one or more users with different roles, whether "Administrator", "Editor", "Author", etc.
You should pay attention to the security of the passwords these people use so that they do not end up being the weak link in the chain that compromises the security of WordPress.
Forcing a change, ideally every 6 months, is an additional measure that obliges these users to renew their passwords.
A password can always be vulnerable, known, or exposed on other sites where they may have used the same one.
If you administer WordPress sites that work with plugins such as BuddyPress and have 100 or 1200 registered users, you may need to take expeditious measures.
You will have to do so if, for example, there has been a vulnerability on your site and you don't know whether a weak password was the cause.
For these cases there are plugins such as Bulk Password Reset that will help you change 5 or 300 passwords in one go.
It has interesting options such as:
- Change the passwords of all registered users.
- Add a custom message to the notification e-mail.
- Send an e-mail asking users to change their password, or change it outright.
- Choose which group of users will be affected by the password change.
Take a look at this plugin; it will surely save you some trouble and help you improve your security in WordPress.
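If you would rather not depend on remembering to run a bulk reset every 6 months, the age limit can be enforced by WordPress itself. The must-use plugin below is an added example (not from the original post and not the Bulk Password Reset plugin): it records when each user last set a password and, once that is older than 180 days (the 6 months suggested above), refuses the login and points the user to the reset form. The meta key name, the 180-day figure and the error text are my choices.

```php
<?php
/**
 * Plugin Name: Password age limit (added example, not from the original post)
 * Drop this file into wp-content/mu-plugins/ so it is always active.
 * PWAGE_META (the user-meta key) and the 180-day limit are assumed values.
 */
const PWAGE_META     = 'pwage_last_change';
const PWAGE_MAX_DAYS = 180;

// A password set through the "lost password" form: stamp the user now.
add_action( 'after_password_reset', function ( $user ) {
    update_user_meta( $user->ID, PWAGE_META, time() );
} );

// A password changed from the profile or "edit user" screen: the stored hash differs
// from the one WordPress passes as $old_user_data, so that is how we detect it.
add_action( 'profile_update', function ( $user_id, $old_user_data ) {
    $fresh = get_userdata( $user_id );
    if ( $fresh && $old_user_data && $fresh->user_pass !== $old_user_data->user_pass ) {
        update_user_meta( $user_id, PWAGE_META, time() );
    }
}, 10, 2 );

// Decide at login time. Priority 30 runs after WordPress' own username/password
// check (priority 20), so only correctly authenticated users ever reach this test.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( ! $user instanceof WP_User ) {
        return $user; // already a WP_Error or nothing to check
    }
    $last = (int) get_user_meta( $user->ID, PWAGE_META, true );
    if ( $last === 0 ) {
        // No record yet (user predates this plugin): start the clock instead of locking out.
        update_user_meta( $user->ID, PWAGE_META, time() );
        return $user;
    }
    if ( time() - $last > PWAGE_MAX_DAYS * DAY_IN_SECONDS ) {
        return new WP_Error(
            'password_expired',
            sprintf(
                'Your password is older than %d days. <a href="%s">Set a new one</a> to continue.',
                PWAGE_MAX_DAYS,
                esc_url( wp_lostpassword_url() )
            )
        );
    }
    return $user;
}, 30, 3 );
```

Two design points worth knowing before copying it: the expiry is checked only after the password was verified, so an attacker guessing passwords learns nothing extra from the expiry error; and users who existed before the plugin are given a fresh timestamp on their first login rather than being locked out all at once, which is what makes it safe to deploy on a site with 100 or 1200 users.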
9 # Audit the changes made by different administrators
This is a more common case than you might imagine…
Several administrators work on a website and every so often one of them takes the initiative to try a certain plugin, delete a "registered" user, modify a post, or change the settings of the cache plugin of the day.
Then the problems come and nobody owns up to the change, and all you can do is resort to the server logs, if you have access to them, or regret not having used one of the plugins that keep a record of the changes made in the dashboard.
If something strange happens in your WordPress installation, even if you are the site's only administrator, it will also be very useful to monitor suspicious activity.
Among such activity is, for example, the malicious modification of certain files by exploiting some vulnerable point of your WordPress installation.
With plugins like WP Security Audit Log you can have fairly complete control over changes without resorting to heavy plugins such as Wordfence or similar.
At the same time, you get a very complete listing in the dashboard, with the ability to interact with the stored records, to know what has been happening at each moment in WordPress.
Record of highlighted activities with WP Security Audit Log
This plugin offers additional "paid" functionality, but the free version is more than enough for most websites that work with one or several administrators or users with specific roles performing tasks in the dashboard.
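To show what such an audit trail hooks into, here is a minimal one written as a must-use plugin. It is an added example, not from the original post and not WP Security Audit Log's code; it records exactly the four situations described above (a plugin tried out, a user deleted, a post modified, a setting changed) plus role changes, writing one line per event to the PHP error log (wp-content/debug.log when WP_DEBUG_LOG is on). The log format and the choice of hooks are mine; it needs PHP 7.4 or later for the arrow functions.

```php
<?php
/**
 * Plugin Name: Minimal dashboard audit trail (added example, not from the original post)
 * Drop into wp-content/mu-plugins/. Logs who did what, from which address, and when.
 */
function mini_audit( $event, array $details = [] ) {
    $user = wp_get_current_user();
    $who  = $user && $user->exists() ? $user->user_login . '#' . $user->ID : 'anonymous';
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli';
    // Option values are deliberately not logged: they can hold API keys or passwords.
    error_log( sprintf( '[audit] %s user=%s ip=%s %s', $event, $who, $ip, wp_json_encode( $details ) ) );
}

// "Let's try this plugin": switching plugins on and off.
add_action( 'activated_plugin',   fn( $plugin ) => mini_audit( 'plugin_activated',   [ 'plugin' => $plugin ] ) );
add_action( 'deactivated_plugin', fn( $plugin ) => mini_audit( 'plugin_deactivated', [ 'plugin' => $plugin ] ) );

// A registered user being removed (fires before the row disappears, so the login is still known).
add_action( 'delete_user', function ( $id ) {
    $u = get_userdata( $id );
    mini_audit( 'user_deleted', [ 'id' => $id, 'login' => $u ? $u->user_login : '?' ] );
} );

// Role changes, above all somebody quietly becoming an administrator.
add_action( 'set_user_role', fn( $id, $role, $old_roles ) => mini_audit( 'role_changed',
    [ 'id' => $id, 'from' => $old_roles, 'to' => $role ] ), 10, 3 );

// A published post edited by someone other than its author.
add_action( 'post_updated', function ( $id, $after, $before ) {
    if ( $before->post_status === 'publish' && (int) $after->post_author !== get_current_user_id() ) {
        mini_audit( 'post_edited', [ 'id' => $id, 'title' => $after->post_title ] );
    }
}, 10, 3 );

// Settings changes; transients and the cron array change constantly and would drown the log.
add_action( 'updated_option', function ( $name, $old, $new ) {
    if ( strpos( $name, '_transient' ) === false && $name !== 'cron' ) {
        mini_audit( 'option_changed', [ 'option' => $name ] );
    }
}, 10, 3 );
```

A line such as `[audit] role_changed user=editor_anna#7 ip=203.0.113.5 {"id":12,"from":["subscriber"],"to":"administrator"}` (constructed sample) is the kind of entry that answers "who did this and when" after the fact. Because a compromised administrator account can also disable plugins, ship the log off the server (the hosting's log forwarding, or a cron job copying debug.log elsewhere) rather than relying on the local file alone.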
10 # Change the default prefix of the database tables
By default the WordPress database prefix is wp_ and, while it is true that you can modify it when you install it, there is a very high probability that you didn't, that you missed it.
And then that "wp_" ends up becoming one more attack vector on your website, by the simple deduction that the bad guys also know what the "default" database prefix is.
Default database prefix configured in the wp-config.php file
Ideally, think about the database prefix when you install WordPress. If you overlooked it at the time, perhaps now is a good time to change the database prefix and thereby improve security in WordPress.
Plugins such as Change DB Prefix allow you to make this change simply, after making a WordPress "backup" (of course!).
This process is faster than doing it manually, especially if you are not yet comfortable with phpMyAdmin and SQL queries.
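For those who do want to see what the manual route involves, the script below is an added example (not from the original post, not the Change DB Prefix plugin's code) that performs the change on a single-site installation through WordPress' own `$wpdb`, to be run with WP-CLI as `wp eval-file change-prefix.php` after a backup. The new prefix `k7x9_` is a constructed value. The part people forget when doing this by hand is step 2: WordPress also stores the prefix inside the data (the `wp_user_roles` option and the `wp_capabilities` / `wp_user_level` user-meta keys), and if those are not renamed as well, nobody can log in as an administrator afterwards.

```php
<?php
/**
 * Added example, not from the original post: rename the tables, the prefixed keys and
 * the wp-config.php setting in one go. Single-site only. Run after a backup:
 *   wp eval-file change-prefix.php
 */
global $wpdb;
$old_prefix = $wpdb->prefix;   // normally 'wp_'
$new_prefix = 'k7x9_';          // constructed value: letters, digits and underscore only

if ( ! preg_match( '/^[a-z0-9_]+$/i', $new_prefix ) || $new_prefix === $old_prefix ) {
    WP_CLI::error( 'Choose a new prefix made only of letters, digits and underscores.' );
}

// 1. Rename every table that carries the old prefix.
$like   = $wpdb->esc_like( $old_prefix ) . '%';
$tables = $wpdb->get_col( $wpdb->prepare( 'SHOW TABLES LIKE %s', $like ) );
foreach ( $tables as $table ) {
    $renamed = $new_prefix . substr( $table, strlen( $old_prefix ) );
    if ( false === $wpdb->query( "RENAME TABLE `{$table}` TO `{$renamed}`" ) ) {
        WP_CLI::error( "Could not rename {$table}: " . $wpdb->last_error );
    }
    WP_CLI::log( "{$table} -> {$renamed}" );
}

// 2. The prefix also lives inside the data: the roles option and the per-user
//    capability/level meta keys. Skipping this locks every administrator out.
$opts  = $new_prefix . 'options';
$umeta = $new_prefix . 'usermeta';
$wpdb->query( $wpdb->prepare(
    "UPDATE `{$opts}` SET option_name = %s WHERE option_name = %s",
    $new_prefix . 'user_roles', $old_prefix . 'user_roles'
) );
$wpdb->query( $wpdb->prepare(
    "UPDATE `{$umeta}` SET meta_key = CONCAT(%s, SUBSTRING(meta_key, %d)) WHERE meta_key LIKE %s",
    $new_prefix, strlen( $old_prefix ) + 1, $like
) );

// 3. Point wp-config.php at the new prefix; the site is unusable until this line matches.
$config = file_exists( ABSPATH . 'wp-config.php' ) ? ABSPATH . 'wp-config.php' : dirname( ABSPATH ) . '/wp-config.php';
$source = file_get_contents( $config );
$edited = preg_replace(
    '/(\$table_prefix\s*=\s*[\'"])' . preg_quote( $old_prefix, '/' ) . '([\'"])/',
    '${1}' . $new_prefix . '$2',
    $source, 1, $count
);
if ( $count !== 1 || false === file_put_contents( $config, $edited ) ) {
    WP_CLI::warning( "Set \$table_prefix = '{$new_prefix}'; in wp-config.php by hand." );
}
WP_CLI::success( "Prefix changed from {$old_prefix} to {$new_prefix}." );
```

Be realistic about what this buys: the prefix is not a secret in the cryptographic sense (plugins that expose `$wpdb->prefix` in error messages or REST responses can leak it), so it is a speed bump for automated SQL-injection payloads that assume `wp_`, not a substitute for keeping plugins patched.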
11 # Back up WordPress consistently and on a schedule
How many backups of your site do you make a year? A month? A week?
Not good! Too bad… This can be very harmful to your security in WordPress.
I would say that a good backup policy for WordPress involves:
- Performing an automatic daily backup of your WordPress site.
- Making a weekly WordPress backup (on a fixed day), and better if it is scheduled.
- Making a monthly backup on the first day of each month.
- Making manual backups on demand before upgrading WordPress or trying out themes or plugins.
If you also upload these backups to the cloud (Dropbox, Google Drive, MEGA, etc.), even better. That way you take up less space on the hosting and on your computer, and you will always have them available wherever you need them.
What you can do, for example, is automate your WordPress backups so that they are sent to some CDN (cloud) automatically and on a schedule.
- WordPress Backup to Dropbox
- UpdraftPlus WordPress Backup Plugin
- Backup & Restore Amazon S3
- My WP Backup
And these are just a few that work quite well.
12 # Use robust passwords for the database too
It may be a cliché, but believe me: in the end, passwords are still a predictable binary value.
I explained this above when talking about "protect the dashboard login form", remember?
There will be those who crucify me for saying this, but it is the truth.
Access that depends only on passwords that have to be typed (or filled in with LastPass) is less and less reliable, because it is increasingly easy to break the security of these passwords.
On the other hand there are "keylogger"-related issues: those little programs or scripts that take good note of all your keystrokes and are increasingly hard to detect… mainly if they come wrapped in a rootkit, in which case detecting them is complicated.
And yes, there are also versions for mobile devices (unfortunately).
There are many ways to combat all this, but the most effective is, "besides using safe or robust passwords", to implement a second factor of authentication (2FA), so that access is co-dependent on a mobile device, YubiKey, etc. that physically validates it.
If you now want to read what everyone says about safe passwords, here is the cliché:
And if you are tempted by the terrible habit of storing them in the browser, for convenience and so as not to have to remember them constantly… storing them in your usual browser is a bad idea if you think in terms of WordPress security.
If you really care about protecting your sites with passwords, take at least some precautions:
- Length and complexity: this is valued less and less, but long and hard beats short and easy.
- Change your password regularly.
- If your site has been compromised, change the passwords immediately!
- Use secure applications to store them, never your browser! (The post-it note doesn't count either.)
- One password per login, not the same one for everything.
- Never share them insecurely. (LastPass has a feature to share them without revealing them.)
Is your password safe? ⇒ check it out!
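The first item of the list (length and complexity, and not reusing obvious words) is something WordPress can enforce rather than merely suggest: its strength meter is advisory and a user can tick "confirm use of weak password". The must-use plugin below is an added example (not from the original post); it rejects a new password on the profile screen, the "Add New" user screen and the lost-password form when it is shorter than 14 characters, contains a well-known word, the username or the site name, or is a single repeated character. The 14-character minimum and the small blocklist are my choices; tune them to your site.

```php
<?php
/**
 * Plugin Name: Password policy (added example, not from the original post)
 * Drop into wp-content/mu-plugins/. PWPOL_MIN_LENGTH and PWPOL_BLOCKLIST are assumed values.
 */
const PWPOL_MIN_LENGTH = 14;
const PWPOL_BLOCKLIST  = [ 'password', 'wordpress', 'admin', 'qwerty', '123456', 'letmein' ];

/** Returns human-readable problems; an empty array means the password is acceptable. */
function pwpol_problems( string $password, string $login = '', string $site = '' ): array {
    $problems = [];
    if ( mb_strlen( $password ) < PWPOL_MIN_LENGTH ) {
        $problems[] = sprintf( 'must be at least %d characters long', PWPOL_MIN_LENGTH );
    }
    $lower = mb_strtolower( $password );
    foreach ( PWPOL_BLOCKLIST as $word ) {
        if ( strpos( $lower, $word ) !== false ) {
            $problems[] = "must not contain '{$word}'";
            break;
        }
    }
    // Username / site name are only checked when long enough to be meaningful.
    foreach ( [ $login, $site ] as $ident ) {
        if ( mb_strlen( $ident ) >= 4 && strpos( $lower, mb_strtolower( $ident ) ) !== false ) {
            $problems[] = 'must not contain your username or the site name';
            break;
        }
    }
    if ( preg_match( '/^(.)\1+$/u', $password ) ) {
        $problems[] = 'must not be a single repeated character';
    }
    return $problems;
}

function pwpol_add_errors( WP_Error $errors, string $password, string $login ) {
    foreach ( pwpol_problems( $password, $login, get_bloginfo( 'name' ) ) as $problem ) {
        $errors->add( 'weak_password', 'Password rejected: ' . $problem . '.' );
    }
}

// Profile and "Add New" user screens: $user->user_pass is only set when a new
// password was typed (WordPress has already checked that both fields match).
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) ) {
        pwpol_add_errors( $errors, (string) $user->user_pass, (string) ( $user->user_login ?? '' ) );
    }
}, 10, 3 );

// Lost-password form (wp-login.php?action=rp): the new password arrives as pass1.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( isset( $_POST['pass1'] ) && $user instanceof WP_User ) {
        pwpol_add_errors( $errors, (string) wp_unslash( $_POST['pass1'] ), $user->user_login );
    }
}, 10, 2 );
```

Keep the rules coarse on purpose: a minimum length plus a blocklist of the handful of words that dominate leaked-password lists blocks the guesses that brute-force tools try first, while "one uppercase, one digit, one symbol" composition rules mostly produce `Password1!` and irritate the real users the article says you should not burden.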
13 # Always access your site securely (SFTP, SSH, cPanel over VPN)
It is not usual to give importance to the way you access the WordPress dashboard.
You can access it:
- With the wifi of the bar on the corner.
- At the airport while waiting for a flight.
- With the neighbour's wifi.
- In the main square of the city, with the free wifi the City Council provides.
- From mobile phones through an insecure network or open wifi.
This is more common than you think, and it creates real security problems not only for individuals but for companies whose employees have a somewhat lax sense of security.
Working with a virtual private network or VPN (Virtual Private Network) would be the best option, since this way you create an encrypted tunnel between your machine and the remote machine (the hosting that hosts your WordPress).
It doesn't matter whether the connection is the bar's wifi or the airport's: in this way you apply a robust security layer to your data traffic.
You have no excuses: VPN prices today are laughably low, and there are also apps for iOS, Android, etc. for this purpose. Browsing securely is not a limitation for anyone, especially if you make a living from your blog or commercial site.
Other protocols, such as SFTP or SSH, will depend on your hosting provider and whether it allows them, so check!
14 # Disable the listing of the .htaccess file
The .htaccess file, or distributed configuration file, is a hidden file (the dot in front of the name indicates that it is a hidden file).
It is used on servers running Apache to add custom user directives, mainly when the user has no access to the hosting's php.ini file.
Just as we protect ourselves against the listing of files and folders, it is good to protect this file from prying eyes.
It is usually a file that can contain directives for redirects, which could be manipulated to force redirection to disreputable sites.
Adding the following code to the beginning of the file will help you with this task:
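The following .htaccess fragment is an added example (not the original post's code) that covers this point together with points 5 and 6 above, since all three are the same kind of Apache rule: no directory listings, no serving of wp-config.php, and no serving of the .htaccess/.htpasswd files themselves. Both Apache 2.2 and 2.4 syntaxes are included, chosen automatically by the `IfModule` tests.

```apache
# Top of the .htaccess in the WordPress root (added example, not from the original post).

# Point 5: stop mod_autoindex from listing a folder that has no index file.
# Needs AllowOverride Options (or All) on the hosting, otherwise Apache answers 500.
Options -Indexes

# Point 6: wp-config.php must never be served as a file, even if the PHP handler
# were ever misconfigured or disabled.
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Point 14: the same for every file whose name starts with ".ht"
# (.htaccess, .htpasswd and stray copies such as .htaccess.bak).
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

Repeat the test from point 6 afterwards: requesting /wp-config.php and /.htaccess must both answer 403 Forbidden. Note that a blank page for wp-config.php is not the same as "protected": it means PHP executed the file and printed nothing, which is the normal behaviour on a working server, and the rule above turns that into a 403 so the file is also safe on the day the PHP handler breaks. Also remember that a rule in .htaccess only restricts Apache; a backup copy of wp-config.php left as wp-config.php.bak or wp-config.txt has no PHP handler at all and would be served as plain text, so keep such copies out of the web root.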
15 # Always keep your themes and plugins updated to stable versions
It goes without saying that you should work with the latest version of WordPress, of the theme you use and of the 18 or 36 plugins you have installed.
And not just to be on the latest version, nor only to enjoy the new features, fixes, etc., but mainly… so as not to leave your site exposed.
These are some of the reasons why you have to keep the CMS, the plugins and the themes always updated.
It should only be for reasons of force majeure that you don't update them, and you will have to justify it.
Otherwise, it is not feasible to keep WordPress versions from months or years ago and then expect them to work with the latest version of the "responsive" Divi theme, because it won't add up.
It is important to keep the WordPress core up to date, mainly for security, because although it is very safe there are days when something happens and then we remember that we forgot to update.
This extends to the plugins and themes in use: what is the point of WordPress 4.6 or higher with a brand-new responsive theme if you then use 3-year-old plugins to show pricing tables on the home page?
It is sure to throw everything out of alignment!
Take care of the harmony, and that necessarily means keeping everything up to date.
What can't you update?
Then get serious about analysing why; perhaps the time has come to break up with that plugin you like so much, or with that Genesis theme that cost you a fortune, and take a step forward and evolve.
Or find something that works with current versions and doesn't tie you to obsolete, vulnerable versions for the sake of a whim.
I could explain it to you in 20 different ways, but the conclusion is always the same:
- Always update the WordPress core to the available stable version, no excuses!
- Use plugins from reliable sources, in stable versions compatible with your WP version.
- There are thousands of themes for WordPress, but whatever else you want, make sure it is responsive and compatible with the stable version of WordPress.
- If you don't use it, remove it! Why keep 20 themes and 72 plugins installed that you don't use?
- Make backups before updating and, if you can, test the updates in a sandbox first.
I'll give you a real example:
The plugins W3 Total Cache and WP Super Cache, very popular and widely used a while ago, had code execution vulnerabilities. An exploit allowed their execution.
New versions of these two plugins were released on April 18. Hundreds (thousands) of users were affected by this vulnerability, mainly for not updating when corrected versions were available, updates that were clearly visible in the dashboard but were overlooked.
An action as simple as applying the updates available from the dashboard, after a backup, is an immediate and expeditious solution against potential security vulnerabilities in WordPress.
Ignoring the update notices for themes or plugins, or postponing this task to "when I have time", only helps leave your site exposed, and it may end up as fodder for script kiddies or malicious users who want to exploit the vulnerability of the day, for fun, for economic gain or simply to appear on Zone-H. You decide!
New plugin versions available in the dashboard, Updates.
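The "when I have time" problem goes away if WordPress applies the updates itself. The must-use plugin below is an added example (not from the original post) of an update policy in code: plugins, themes and minor core releases update automatically, except for any plugin you have consciously pinned (the exception the article says you will have to justify), and every automatic update leaves a line in the error log so it shows up next to the audit trail from point 9. The pinned slug `some-legacy-plugin` is a constructed placeholder.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example, not from the original post)
 * Drop into wp-content/mu-plugins/. AUTOUPD_PINNED holds constructed placeholder slugs.
 */
const AUTOUPD_PINNED = [ 'some-legacy-plugin' ];

// Plugin updates: everything except the pinned list. $item is the update object
// WordPress passes along; its slug is the plugin's directory name.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    return ! in_array( $item->slug ?? '', AUTOUPD_PINNED, true );
}, 10, 2 );

// Theme updates and minor core releases (e.g. 4.6 -> 4.6.1, which are the security fixes): always.
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

// Record what was updated, and what failed, so the change is traceable afterwards.
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( $results as $type => $items ) {           // keys: core, plugin, theme, translation
        foreach ( $items as $r ) {
            $status = is_wp_error( $r->result ) ? 'FAILED ' . $r->result->get_error_message() : 'ok';
            error_log( sprintf( '[auto-update] %s "%s": %s', $type, $r->name, $status ) );
        }
    }
} );
```

Automatic updates do not replace the "backup first" rule from the list above; they make the backup schedule from point 11 more important, because the daily backup is what you restore if an update breaks the site at 3 a.m. A pinned entry in `AUTOUPD_PINNED` should be temporary and should have a reason written next to it, since an un-updated plugin is exactly what the W3 Total Cache / WP Super Cache example was about.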
16 # Always stay with hosting providers that guarantee the overall security of your websites
It is of little use to work with the stable version of WordPress and have plugins and themes updated, as well as 20 additional security measures, if you then go and host on a hosting that does not apply global security measures to prevent brute-force attacks, code injection into your database, or something as simple as not making regular backups.
It is important to check with your hosting provider what global security measures are applied at server level, both to prevent brute-force attacks and to mitigate other kinds of attacks that can affect your hosting and the websites it holds.
If it is a hosting provider optimised for WordPress, so much the better.
In the end, the important thing is not to duplicate efforts but to add them up, and to supplement with additional user-side security measures those that are not covered by the server.
It is the sum of your efforts and those of your hosting provider, both rowing in the same direction, which is none other than guaranteeing the stability and uptime of your website at 99.99%.