Do you know that a WordPress website can easily get hacked because of its vulnerability and lack of basic security? In this article, we are sharing some of the common forms of vulnerabilities and measures you can take to harden a WordPress website. 

Easy way to harden your WordPress site

Let’s begin with changing the basic settings of the website that would make you feel confident about its security.

#1 Set strong passwords

The easiest way to harden your WordPress website is by setting a strong password. We understand that passwords are hard to remember, and if they are complex ones (having a mix of letters, numbers and symbols), it is more confusing to recall.  

Password managers like LastPass that help you by storing your passwords across all the devices without sacrificing security. Also, using an automatically generated password can help you keep your account safe. 

#2 Implement least privilege permissions

WordPress website offers 6-predefined roles of Super Admin, Administrator, Editor, Author, Contributor and Subscriber. Each of them having a different set of permission and authority to perform some tasks. These tasks are known as capabilities. 

For a multisite, the super admin role is important, while for a single website, the administrator role is the most powerful. For a single website, you need limited administrators. Have as few administrators as you can manage. It will reduce the risk of admin credentials getting hacked by hackers.

#3 Install SSL

Secure Sockets Layer or SSL are cryptographic protocols designed to transmit data securely over a computer network over an encrypted connection. Not only is it a good security practice but also a requirement by Google. As a result, your website will reflect a “Not secure” message on the browser if it has not been installed. 

https://www.blogzine.online/2021/03/16/5-must-have-free-wordpress-plugins-for-bloggers/

Medium way to harden your WordPress site

The list ahead consists of measures that include installing a plugin. You should be careful while installing a plugin as it often contains vulnerabilities and can lead to an entry point of infection. Make sure to install a plugin only while following all the precautionary measures.

#4 Two-factor authentication

The login page is one of the most common ways where hackers break into websites. Therefore, hackers use the brute attack technique where a bot guesses the credentials to log in. Also, they can get your data if it was leaked from a different website. Hackers know that many people use the same password for multiple websites, making it easier for them to hack other accounts.

To secure yourself, you can add a two-factor verification for every user role. For this, you need to enter login details first and then enter a real-time generated password (generally, you will receive a one-time password on your registered mobile number). It will make it difficult for hackers to gain access to your website.

#5 Limit login attempts

You must have seen that after a limited attempt of username and password, thereafter, websites especially banks provide you with an option of ‘Forgot password’ or lock you out of the account. This process restricts brute force attacks and minimizes the success of hackers and fraudsters.

Furthermore, WordPress generally allows unlimited login attempts by default. If you enable limited login attempts, it will increase the website’s security by ensuring hackers can use a minimum combination to hack your website. You can limit this by either installing a plugin like Limit Login Attempts Reloaded or manually inserting code in the functions.php file.

#6 Keep an audit log

Though this is not a method to harden a WordPress website, it is still a must-have security measure. To achieve this, you will have to just install a plugin like WP Security Audit Log that tracks the happening on your website. It will allow you to know when and what the users are doing. Also, it keeps the track of logins, creations, changes made, additions, deletions, updates, modifications, logouts, etc. 

If a hacker gets through access to your website, you can go through the activity log to find out who made those changes. These plugins will also send you a notification when someone does a critical change on your website. It also gives you the ability to block a user or log them out with just a click.

#7 Auto logout inactive users

This feature is specially used by banking apps and websites that will log you out after a certain duration of inactivity. It is used by them to make sure that unauthorized access does not take place. To add this feature to your website, you can use a plugin with an idle session logout feature.

#8 Set up alerts for suspicious logins

You must always be vigilant when it comes to access to your website, as hackers are always finding ways to bypass it. Setting up alerts on your website for any suspicious activity will help you in making your website secure. Security plugins like MalCare can help you with such notifications by constantly scanning your website and alerting you if they detect anything suspicious.

#9 Set up a web application firewall

The web application firewall makes sure to block any hacker from visiting your web page. They track IP addresses, and if that IP address has carried any malicious activities in the past, it will be traced and blocked from accessing your website. To enable this, you can set up a firewall by using a security plugin, and it will protect your website in the best possible way.

Complex WordPress hardening methods

The following methods need development and coding. You must be careful as mistakes while implementing these measures can cause a website breakdown or crash. Therefore, It is advisable to only proceed with these steps after having a backup of your website:

#10 Block PHP execution in untrusted folders

It is a technical process for which you need to know about the PHP language. When a hacker hacks your website, he can create a new folder or insert PHP functions into your existing ones. To secure your website from such a hack, you need to block or disable the execution of functions from any unknown folder. If you are not confident with coding, you should consider taking an expert’s help for doing this.

To achieve this, you should:

  1. Go to your website cPanel > File Manager OR use an FTP client like FileZilla.
  2. Go to public_html where you will see three folders called wp-admin, wp-content, and wp-includes.
  3. Look for the .htaccess file or create one on a text editor and save it as .htaccess.
  4. Copy the following code to your .htaccess file
  5. <Files *.php>
  6. deny from all
  7. </Files>
  8. If you have created a new file, you need to upload it to wp-content/uploads and wp-includes.

The above process will change the permission of the file, preventing the running of any PHP file in these directories.

#11 Change security keys

To make the log-in simpler, WordPress saves your credential. It is to make sure that you don’t have to enter credentials every time you want to log in. You must double-check that these credentials are stored in an encrypted form.

If your data is stored as plain text, the hacker can get hold of your data and read it. But, if the data is encrypted, they won’t be able to use the data as it will be random text. To encrypt this data, WordPress uses security keys and salts. Keys are random variables that encode your username and password, and salts help in improving the encryption. 

The catch is, if hackers get your security keys and salts, they will decipher the encrypted data and hack your account. So, you must make sure to replace your keys and salts every few days. This process requires amending the code, hence, we advise you to take the help of professionals to make this change.

#12 Disallow plugin installations

At times, a user or client might install a plugin without checking its credibility or compatibility. It can result in many problems on the website. Therefore, removing it completely can help you in making the website secure. To disable the plugin, you can either:

Add this line of code to your wp_config PHP file

define(‘DISALLOW_FILE_MODS’,true);

Use a security plugin where you need to first enable the function and then disable it.

#13 Separating databases 

If you have multiple websites with separate WordPress installation, it is sensible to keep the database separated and stored in different locations. It will minimize the chances of getting all the websites hacked at once. Hackers will be only able to access a single website if they get through your login. Even though this must be accomplished during installation, you can also do it later. For this, you might require some help, if you are not familiar with MySQL and its configurations.

Best Practices of On-Page Optimization

#14 Securing wp-admin

To take the login security to the next level and harden a WordPress website, you must force the logins to be transmitted over SSL. You should install an SSL, and it should address any mixed content issues. Then navigate to the wp-config.php file and add 

define(‘FORCE_SSL_ADMIN’, true);

Conclusion

We are sure that there are many ways to harden your WordPress website and secure them from hackers. Mentioned here are just a few of such security measures. Based on your technical knowledge you can take help from a technical team or take care of the changes by yourself.