In our WordPress Security Tips 2020 article we present you with 16 clues that will help you find out if you run the risk of having your WordPress being hacked, and is likely to fall into malicious hands and find solutions that will help you reduce those risks. Without offering a level of total security, their implementation is dissuasive. It puts you safe from the attacks of junior hackers who follow easy-to-access “kitchen recipes” on the darknet, as well as attempts by malicious hackers who favor quick fixes with automated tools.
While it propels 32% of world sites, WordPress is the perfect example. Despite its success, this CMS has some small flaws that can put your digital investments at risk. If the security of this content manager can be significantly improved, in fact, this is rarely the case.
Before you start securing your website, always think about making a complete backup of your site.
- 1 Administrator Account Security
- 2 Standard identification procedures
- 3 Security of your database
- 4 Vulnerabilities of critical files on your server
- 5 WordPress version and updates
- 6 Your theme and its update
- 7 In conclusion!
Administrator Account Security
Hint 1: You use the identifier "admin"
When you install WordPress on your site, your new account is created by default selecting the most common username admin by keeping it, you are simplifying the task for hackers who rely on Brute force attacks to uncover the credentials of a WordPress account. As you can see it is very easy to guess!
Solution: What you can do is change your username to a more complex and unique name and preferably with special characters so it is impossible to guess.
Hint 2: Your admin account has ID 1
By default, the WordPress administrator account has the ID 1. By keeping it, the task of the malicious attackers is greatly simplified since they just have to make the request https://mysite.com/?author=1 to identify the username of the WordPress administrator.
Solution: It is identical to Risk 1. If it has already been deployed, you do not have to do it again.
Hint 3: All your users have administrator rights
Usually, during the early management and construction of a website, there may be a lot of team members working on a website which may include (developers, designers, SEO, editors, etc…). It is not in your interest to have all the users with Administrator privileges, because all it takes is for one of those team members to have their email account compromised and the hacker will be able to access your site freely.
Solution: The ideal action to take would be to review all the user accounts and start by assigning the right user privileges depending on the role of each member, for example, a writer doesn’t need Administrator’s privileges, therefore it is best to assign to him “editor” rights to restrict his access only to the options and area that he needs. If a member has left your team, there is no need to keep his account, so you may delete it when you do make sure to assign all his articles and changes to another user account so they would be under his name. Also, you might wanna think about the users who are temporarily inactive, you can restrict their privileges to a subscriber for example, until they turn up again.
Hint 4: Use of his email administrator as the recipient of the contact forms
When identifying WordPress, the email address attached to his account can be used as an identifier. If you use the email address of your administration account as the recipient of your contact forms, you create a vulnerability that can be exploited by a malicious person.
Solution: Differentiate the addresses you use for your marketing and security. To do this, different techniques exist. One of the simplest for people who do not want to manage multiple accounts is to create an alias or redirection email address. This will allow you to receive all your emails in the same account while benefiting from different addresses.
Hint 5: Your Login is posted publicly
In its standard-setting for displaying user information, WordPress plans to publicly display the account ID. A choice of CMS developers that turns out to be disastrous in terms of security.
Solution: Change the name to be displayed publicly in each account, and first in the administrator accounts. Make sure that the new option is different.
Standard identification procedures
Hint 6: Your login page is still wp-login.php
Standardized access to the identification of WordPress administration is done through the wp-login.php page. This page gives access to the login form to the backend of your site. It retains the default URL, hackers are able to quickly find the location of “locks” to access all of the features of your site.
Solution: Install a plugin that allows you to change the URL of the login page as, for example, the excellent WPS Hide Login extension.
Hint 7: You do not limit the number of access attempts
The principle of attacks by Brute Force is to test one by one the different possible combinations to find a password. By not limiting the number of access attempts, you give the opportunity to the person who wants to fraudulently introduce your site to do so.
Solution: Many WordPress extensions help combat Brute Force attacks. Some only limit the possibilities of access (eg WPS Limit Login), while others also propose to introduce alternative authentication procedures (eg Loginizer Security).
Security of your database
Hint 8: The tables in your database use the prefix "wp_"
During its standard installation, WordPress proposes by default the “wp_” prefix when creating tables in your database. Known to all, this prefix creates a vulnerability in the case of injection.
Solution: The Brozzme DB Prefix plugin allows you to quickly and easily modify the prefix of tables in a WordPress database.
Vulnerabilities of critical files on your server
Hint 9: The wp-config.php file is not safe
The wp-config.php file lists the confidential information crucial to the functioning of WordPress. In particular, it contains to access information to your database as well as the cookie encryption keys. When installing WordPress, this file is not properly secured.
Solution: To secure your wp-config.php file, you must undertake 4 specific actions. The first is to specify SALT keys generated randomly for your site by clicking on this link. The second is to move the wp-config.php file to a higher folder level. The third is to block access to the file in your .htaccess file. To do this, add the following line <Files wp-config.php> order allow, deny deny from all </Files>. Finally, specify restricted access rights to the file with 644 permissions.
Hint 10: The .htaccess file is not secure
With configuration instructions specific to Apache servers, the .htaccess file allows you to manage different ways of accessing the content of your WordPress. It is, therefore, crucial to secure it properly.
Solution: The .htaccess file has the characteristic of being able to contain instructions that protect it. By adding the line <files wp-config.php> order allow, deny deny from all </ files> to your file, you make it inaccessible via a simple browser. After the file is modified, change its CHMOD access rights to 644.
WordPress version and updates
Hint 11: Your site displays the version of WordPress
WordPress is an Open-Source CMS developed by thousands of people. Consequence: the vulnerabilities of each version are public and available to the community. By displaying the version of your WordPress, you allow hackers to identify in a few seconds the intrusion techniques that have the best probability of succeeding.
Solution: Remove the readme.html file from your server and hide the display of the WordPress version by adding the following line of code to the function.php file: remove_action (“wp_head”, “wp_generator”);
Hint 12: Your WordPress is not up to date
Every new update of WordPress fixes new security flaws and bugs. By failing to update your content manager, you increase the number of vulnerabilities in your site.
Solution: Make a backup of your site and start its update. In order to limit your interventions, you can also activate the automatic update of your WordPress. However, we recommend that you only enable minor updates, which are unlikely to be compatible with your site’s configuration.
Hint 13: Your plugins are not up to date
Extensions that you add to your WordPress to increase its functionality carry new vulnerabilities. Risks of XSS or SQL injections to the modification of the privileges, they can put in danger the security of your site. To limit the risks they represent, it is essential to regularly update them.
Solution: Go to the administration interface of extensions in WordPress and update all installed extensions.
First look for plugins that have not been updated for some time. They are easy to identify with the orange alert message similar to “This extension has not been tested with more than three major WordPress updates. It may no longer be maintained or supported and may have compatibility issues when used with newer versions of WordPress. ” Disable these extensions and delete them.
Identify with their white background all extensions that are not activated. Delete any ones you do not plan to use in the coming days.
If an extension requires a license, you will have to decide between subscription and uninstallation. It is unwise to use a plug-in that can not be easily updated.
In general, ask yourself about the real utility of a feature. If it does not really help you or the expected results are not there, you can do it without it.
Once your audit is complete and the number of enabled extensions is reduced, update all extensions.
Your theme and its update
Hint 14: You are using a free theme uploaded on the net
The free availability of themes is a technique frequently used by hackers to deceive Internet users. Apart from the themes developed by WordPress, we advise you to be wary of free themes and, in particular, themes proposed in the themes installer.
Solution: Switch to a standard theme of WordPress, the free theme offered by a reputable provider or buy the license of a premium theme and install it.
Hint 15: Your theme is not up to date
Themes can contain security vulnerabilities. Their update is necessary.
Solution: Update your theme by making sure you have located all your customizations in a child theme.
Hint 16: Inactive themes are installed
When creating your site, you tested different themes without deleting them. Even inactive, a theme can offer a gateway to an attacker. They must be deleted.
Solution: Delete all the themes that you do not use. They are located in the Themes folder (wp-content/themes/).
While some of the solutions are simple to implement, others require a solid technical foundation.
Know that some integrated solutions for securing WordPress sites (see the specialized Siteground WordPress hosting) can manage these different aspects of our WordPress Security Tips 2020 and much more. It is strongly recommended to use it, especially if your website is your main business!