
WordPress Security Guide

This document provides tips for securing a WordPress website. It recommends using secure hosting, the latest version of PHP, unique and strong usernames and passwords, keeping WordPress, plugins, and themes up to date, locking down the WordPress admin area, enabling two-factor authentication, using HTTPS, hardening the wp-config.php file, disabling XML-RPC, hiding the WordPress version, adding security headers, hardening the database, checking file and server permissions, disabling file editing in the dashboard, preventing hotlinking, taking backups regularly, and monitoring sites for changes. Following these best practices can help secure a WordPress site.

Uploaded by Neil T

Copyright: © All Rights Reserved

WORDPRESS SECURITY GUIDE

Secure your WordPress website

Developed By : Fihil Services Private Limited


Wordpress Security guide

Contents
1. Secure WordPress Hosting
2. Use Latest PHP Version
3. Use Clever Usernames and Passwords
4. Always Use the Latest Version of WordPress, Plugins, and Themes
5. Lock Down Your WordPress Admin
6. Take Advantage of Two-Factor Authentication
7. Use HTTPS for Encrypted Connections – SSL Certificate
8. Harden Your wp-config.php file
   a) Move wp-config.php
   b) Update WordPress Security Keys
   c) Change Permissions
9. Disable XML-RPC
10. Hide Your WordPress Version
11. Add Latest HTTP Security Headers
12. Harden Database Security
13. Check File and Server Permissions
14. Disable File Editing in WordPress Dashboard
15. Prevent Hotlinking
16. Always Take Backups

Fihil Services Private Limited 1

1. Secure WordPress Hosting


When it comes to WordPress security, there is much more than just locking down your site, although
we’ll give you the best recommendations on how to do that below. There is also web server-level
security for which your WordPress host is responsible. We take security very seriously here at Fihil
and handle a lot of these issues for our clients.

It’s very important that you choose a host that you can trust with your business. Or if you are hosting
WordPress on your own VPS, then you need to have the technical knowledge to do these things
yourself.

Server hardening is the key to maintaining a thoroughly-secure WordPress environment. It takes
multiple layers of hardware and software level security measures to ensure the IT infrastructure
hosting WordPress sites is capable of defending against sophisticated threats, both physical and
virtual.

For this reason, servers hosting WordPress should be updated with the latest operating system and
(security) software as well as thoroughly tested and scanned for vulnerabilities and malware. A good
example of this is when Fihil had to patch NGINX for OpenSSL security vulnerabilities that were
discovered.

Server-level firewalls and intrusion detection systems should be in place before installing WordPress
on the server to keep it well-protected even during the WordPress installation and website
construction phases. However, every software installed on the machine intended to protect
WordPress content should be compatible with the latest database management systems to maintain
optimal performance. The server should also be configured to use secure networking and file
transfer encryption protocols (such as SFTP instead of FTP) to hide away sensitive content from
malicious intruders.


2. Use Latest PHP Version


PHP is the backbone of your WordPress site, so using the latest version on your server is very
important. Each major release of PHP is typically fully supported for two years after its release.
During that time, bugs and security issues are fixed and patched on a regular basis. As of right now,
anyone running PHP 7.0 or below no longer has security support and is exposed to
unpatched security vulnerabilities.

Sometimes it does take businesses and developers time to test and ensure compatibility with their
code, but they have no excuse to run on something without security support. Not to mention the
huge performance impact running on older versions has.

Don’t know which version of PHP you are currently on? Most hosts typically include this in a response
header on your site. A quick way to check is to run your site through Pingdom. Click into the first
request and look for an X-Powered-By header. Typically this will show the version of PHP your
web server is currently using. However, some hosts will remove this header for security reasons.

We only recommend using stable and supported versions of PHP, including 7.2 and 7.3.


3. Use Clever Usernames and Passwords


Surprisingly one of the best ways to harden your WordPress security is to simply use clever
usernames and passwords.

The core WordPress wp_hash_password function uses the phpass password hashing
framework and eight passes of MD5-based hashing.

Some of the best security starts from the basics. Google has some great recommendations on how
to choose a strong password. Or you can use an online tool like Strong Password Generator.

It is also important to use different passwords for every website.

The best way to store them is locally in an encrypted database on your computer. A good free tool
for this is KeePass. If you don’t want to go down this route there are also online password managers
such as 1Password or LastPass. Even though your data is hosted securely in the cloud, these are
generally safer since you aren’t using the same password across multiple sites. It also keeps you
from using sticky notes.

And as far as your WordPress install goes, you should never use the default
“admin” username. Create a unique WordPress username for the administrator
account and delete the “admin” user if it exists. You can do this by adding a new
user under “Users” in the dashboard and assigning it the “Administrator” role.


4. Always Use the Latest Version of WordPress, Plugins, and Themes

Another very important way to harden your WordPress security is to always keep
it up to date. This includes WordPress core, plugins, and themes (both those from
the WordPress repository and premium).

These are updated for a reason, and a lot of times these include security enhancements and bug
fixes.

Unfortunately, millions of businesses out there are running outdated versions of WordPress software
and plugins, and still believe they’re on the right path to business success. They cite reasons for not
updating such as “their site will break” or “core modifications will be gone” or “plugin X won’t work”
or “they just don’t need the new functionality”.

In fact, websites break mostly because of bugs in older WordPress versions. Core modifications are
never recommended by the WordPress team and expert developers who understand the risks
involved. And WordPress updates mostly include must-have security patches along with the added
functionality required to run the latest plugins.

It is also recommended that you only install trusted plugins.


5. Lock Down Your WordPress Admin


Sometimes the popular strategy of WordPress security by obscurity is reasonably effective for an
average online business and WordPress site. If you make it harder for hackers to find certain
backdoors then you are less likely to be attacked. Locking down your WordPress admin area and
login is a good way to beef up your security.

Two great ways to do this are first by changing your default wp-admin login URL
and then by limiting login attempts. Another way to lock down your admin is to add
HTTP authentication.


6. Take Advantage of Two-Factor Authentication


And of course, we can’t forget two-factor authentication! No matter how secure your password is
there is always a risk of someone discovering it. Two-factor authentication involves a two-step
process in which you need not only your password to log in but also a second method. It is generally a
text (SMS), phone call, or time-based one-time password (TOTP). In most cases, this is 100%
effective in preventing brute force attacks on your WordPress site. Why? Because it is almost
impossible that the attacker will have both your password and your cellphone.

There are really two parts when it comes to two-factor authentication. The first is the account
and/or dashboard that you have with your web hosting provider. If someone gets access to this they
could change your passwords, delete your websites, change DNS records, and all sorts of horrible
things.

We recommend enabling two-factor authentication on your hosting account as well.

The second part of two-factor authentication pertains to your actual WordPress installation. For this
there are a couple plugins we recommend:

• Duo Two-Factor Authentication
• Google Authenticator
• Two Factor Authentication

Many of these have their own Authenticator Apps you can install on your phone:

• Android Duo Mobile App
• iPhone Duo Mobile App
• Android Google Authenticator App
• iPhone Google Authenticator App

After installing and configuring one of the above plugins, you will typically have an additional field on
your WordPress login page to enter your security code. Or, with the Duo plugin, you first log in with
your credentials and are then required to choose an authentication method, such as Duo Push, call,
or passcode.

This method can easily be combined with changing your default login URL, which we went over
earlier. So not only is your WordPress login URL something only you know, but it now requires extra
authentication to get in.
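To make the second step concrete, here is an added example (written for this edit, not code from the guide or from any of the plugins named above) of what a TOTP plugin must do on the server when the login form submits the six-digit code: decode the shared Base32 secret, compute the RFC 6238 code for the current 30-second step and its neighbours, and compare in constant time. The function names are this example's own; the secret and timestamp at the bottom are the published RFC 6238 test vector, used only as a self-check.

```php
<?php
// Added example (not from the guide): server-side verification of a TOTP code,
// the second factor described in section 6. RFC 6238 with SHA-1, 6 digits, 30 s steps.

function base32_decode_totp(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    if ($b32 === '') {
        throw new InvalidArgumentException('empty secret');
    }
    $bits = '';
    foreach (str_split($b32) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {            // trailing partial byte is padding
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

function totp_code(string $secret, int $timestamp, int $step = 30, int $digits = 6): string {
    $counter = intdiv($timestamp, $step);
    $msg  = pack('J', $counter);                     // 64-bit big-endian counter
    $hmac = hash_hmac('sha1', $msg, $secret, true);  // 20 raw bytes
    $offset = ord($hmac[19]) & 0x0f;                 // dynamic truncation (RFC 4226)
    $bin = ((ord($hmac[$offset]) & 0x7f) << 24)
         | (ord($hmac[$offset + 1]) << 16)
         | (ord($hmac[$offset + 2]) << 8)
         |  ord($hmac[$offset + 3]);
    return str_pad((string)($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accepts the code for the current step and one step either side to absorb clock drift.
// A real plugin must additionally remember the last accepted step per user and refuse
// a code from that step again, otherwise a sniffed code can be replayed within its window.
function totp_verify(string $b32secret, string $submitted, int $now, int $window = 1): bool {
    $secret = base32_decode_totp($b32secret);
    $ok = false;
    for ($i = -$window; $i <= $window; $i++) {
        $candidate = totp_code($secret, $now + $i * 30);
        // hash_equals is constant-time; no early return, so every slot costs the same.
        $ok = hash_equals($candidate, $submitted) || $ok;
    }
    return $ok;
}

// Self-check with the RFC 6238 test vector: secret "12345678901234567890", time 59 s
// (counter 1) gives HOTP 94287082, i.e. the 6-digit code 287082.
assert(totp_code('12345678901234567890', 59) === '287082');
$b32 = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';           // Base32 of that same secret
echo totp_verify($b32, '287082', 59) ? "code accepted\n" : "code rejected\n";
echo totp_verify($b32, '000000', 59) ? "code accepted\n" : "code rejected\n";
```

In production the secret comes from the user's stored enrolment (encrypted at rest), `$now` is `time()`, and the accepted step is persisted so the same code cannot be used twice; rate-limit the code endpoint as well, since six digits are only a million possibilities.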


7. Use HTTPS for Encrypted Connections – SSL Certificate


One of the most overlooked ways to harden your WordPress security is to install an SSL certificate
and run your site over HTTPS. HTTPS (Hyper Text Transfer Protocol Secure) is a mechanism that
allows your browser or web application to securely connect with a website.

8. Harden Your wp-config.php file


Your wp-config.php file is like the heart and soul of your WordPress installation. It is by far the most
important file on your site when it comes to WordPress security. It contains your database login
information and security keys which handle the encryption of information in cookies. Below are a
couple things you can do to better protect this important file.

a) Move wp-config.php
By default, your wp-config.php file resides in the root directory of your WordPress installation (your
/public_html folder). But you can move it one directory above the web root, where it is not reachable
over the web; WordPress automatically looks for it there.

b) Update WordPress Security Keys


WordPress security keys are a set of random variables that improve encryption of information
stored in the user’s cookies. Since WordPress 2.7 there have been 4 different keys: AUTH_KEY,
SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY.

When you install WordPress these are generated randomly for you. However, if you have gone
through multiple migrations or purchased a site from someone else, it can be good to create fresh
WordPress keys.

WordPress actually has a free tool which you can use to generate random keys. You can update your
current keys which are stored in your wp-config.php file.
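As an added example (this edit's own script, not the guide's or WordPress's tool), the following rotates the keys in place with a cryptographically secure generator instead of pasting values by hand. It handles the four keys named above plus the four matching `*_SALT` constants that a current wp-config.php also carries, and inserts any that are missing before the "stop editing" marker so they are defined before wp-settings.php loads. The sample file contents are constructed for the demo; the function names are this example's own.

```php
<?php
// Added example (not from the guide): rotate WordPress security keys and salts in
// wp-config.php. New values invalidate every existing login cookie, which is the
// desired effect after a migration or a change of site ownership.

const WP_SECRET_CONSTANTS = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

function wp_random_secret(int $length = 64): string {
    // Printable alphabet without single quotes or backslashes, so the value can be
    // dropped straight into a single-quoted PHP string literal.
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!@#$%^&*()-_ []{}<>~`+=,.;:/?|';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];   // CSPRNG, never rand()/mt_rand()
    }
    return $out;
}

function rotate_wp_secrets(string $config): string {
    foreach (WP_SECRET_CONSTANTS as $name) {
        $pattern = sprintf("/define\\(\\s*'%s'\\s*,\\s*'[^']*'\\s*\\);/", $name);
        $replacement = sprintf("define('%s', '%s');", $name, wp_random_secret());
        // Callback form: a literal replacement string would interpret "$1" or "\\"
        // inside the random value as back-references.
        $config = preg_replace_callback(
            $pattern,
            function () use ($replacement) { return $replacement; },
            $config, 1, $count
        );
        if ($count === 0) {
            // Constant absent: define it before the marker line, because constants
            // defined after wp-settings.php is required are too late to take effect.
            $marker = strpos($config, "/* That's all, stop editing!");
            $config = ($marker === false)
                ? $config . "\n" . $replacement . "\n"
                : substr_replace($config, $replacement . "\n", $marker, 0);
        }
    }
    return $config;
}

// Constructed sample standing in for file_get_contents('wp-config.php').
$sample = "<?php\n"
    . "define('AUTH_KEY',         'put your unique phrase here');\n"
    . "define('SECURE_AUTH_KEY',  'put your unique phrase here');\n"
    . "define('LOGGED_IN_KEY',    'put your unique phrase here');\n"
    . "define('NONCE_KEY',        'put your unique phrase here');\n"
    . "/* That's all, stop editing! Happy publishing. */\n"
    . "require_once ABSPATH . 'wp-settings.php';\n";

$rotated = rotate_wp_secrets($sample);
assert(strpos($rotated, 'put your unique phrase here') === false);
echo $rotated;
// To apply: write to a temporary file next to wp-config.php, chmod it 0400/0440
// as in section 8c, then rename() it over the original so the swap is atomic.
```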

c) Change Permissions
Typically files in the root directory of a WordPress site will be set to 644, which means that files are
readable and writeable by the owner of the file, readable by users in the group owner of that file,
and readable by everyone else. According to the WordPress documentation, the permissions on the
wp-config.php file should be set to 440 or 400 to prevent other users on the server from reading it.
You can easily change this with your FTP client.

On some hosting platforms, the permissions might need to be different because the user running
the web server doesn’t have permission to write files. If you aren’t sure about this, check with your
hosting provider.


9. Disable XML-RPC
In recent years XML-RPC has become an increasingly large target for brute force attacks. As Sucuri
mentioned, one of the hidden features of XML-RPC is that you can use the system.multicall
method to execute multiple methods inside a single request. That’s very useful as it allows an
application to pass multiple commands within one HTTP request. But what also happens is that it is
used for malicious intent.

There are a few WordPress plugins like Jetpack that rely on XML-RPC, but a majority of people out
there won’t need this and it can be beneficial to simply disable access to it. Not sure if XML-RPC is
currently running on your website? Danilo Ercoli, from the Automattic team, wrote a little tool called
the XML-RPC Validator. You can run your WordPress site through that to see if it has XML-RPC
enabled. If it isn’t, you will see a failure message. To disable this completely you can install the free
Disable XML-RPC plugin. Or you can disable it with the premium perfmatters plugin, which also
contains web performance improvements.
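If you would rather not add another plugin, the same result can be had with a few lines in a must-use plugin. The following is an added example (this edit's own code, not the Disable XML-RPC or perfmatters plugin); the hooks it uses (`xmlrpc_enabled`, `xmlrpc_methods`, `wp_headers`) are real WordPress filters, while the file name and the `KEEP_XMLRPC_FOR_JETPACK` switch are this example's own. It also covers the middle ground the text mentions: keeping XML-RPC for Jetpack while removing system.multicall.

```php
<?php
/**
 * Plugin Name: Restrict XML-RPC (added example, not from the guide)
 * Save as wp-content/mu-plugins/restrict-xmlrpc.php; mu-plugins load before
 * normal plugins and cannot be disabled from the dashboard.
 */

// Set to true only if a plugin such as Jetpack genuinely needs XML-RPC. Then the
// interface stays up but the methods abused for brute force are removed.
const KEEP_XMLRPC_FOR_JETPACK = false;

if (!KEEP_XMLRPC_FOR_JETPACK) {
    // Disables every XML-RPC method that requires authentication. Note that this
    // filter does not switch off unauthenticated methods such as pingback.ping,
    // which is why the method filter below is applied in both modes.
    add_filter('xmlrpc_enabled', '__return_false');
}

// Remove system.multicall so one request can no longer bundle many authentication
// attempts, and drop the pingback methods, which are the other common abuse vector.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset(
        $methods['system.multicall'],
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
});

// Stop advertising the endpoint: WordPress adds an X-Pingback header to single
// posts when pings are open.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// Close pings for all content so nothing else re-enables pingback handling.
add_filter('pings_open', '__return_false');
```

After deploying, confirm the effect with the XML-RPC Validator mentioned above (it should now fail), and check that Jetpack or any other integration still behaves if you kept the interface enabled.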

10. Hide Your WordPress Version


Hiding your WordPress version touches again on the subject of WordPress security by obscurity. The
less other people know about your WordPress site configuration the better. If they see you are
running an out of date WordPress installation, this could be a welcome sign to intruders. By default,
the WordPress version shows up in the header of your site’s source code. Again, we recommend
simply making sure your WordPress installation is always up to date so you don’t have to worry
about this.

You can use the following code to remove this. Simply add it to your WordPress theme’s
functions.php file:

    // Return an empty generator tag instead of "<meta name="generator" content="WordPress x.y" />".
    function wp_version_remove_version() {
        return '';
    }
    add_filter('the_generator', 'wp_version_remove_version');


11. Add Latest HTTP Security Headers


Another step you can take to harden your WordPress security is to take advantage of HTTP security
headers. These are usually configured at the web server level and tell the browser how to behave
when handling your site’s content. There are a lot of different HTTP security headers, but below are
typically the most important ones.

• Content-Security-Policy
• X-XSS-Protection
• Strict-Transport-Security
• X-Frame-Options
• Public-Key-Pins
• X-Content-Type-Options

You can check which headers are currently running on your WordPress site by launching Chrome
devtools and looking at the headers on your site’s initial response. Below is an example on
kinsta.com. You can see we are utilizing the strict-transport-security, x-content-type-options,
and x-frame-options headers.

You can also scan your WordPress website with the free securityheaders.io tool. This will show you
which HTTP security headers you currently have on your site. If you aren’t sure how to implement
them you can always ask your host if they can help.
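When the web server configuration is out of your hands, WordPress itself can emit the headers. The following must-use plugin is an added example for this edit (not code from the guide, Kinsta or securityheaders.io); `send_headers` is a real WordPress action and `header_remove()` a standard PHP function, while the file name and the policy values are this example's choices. Two caveats a practitioner would want from the list above: Public-Key-Pins (HPKP) has been removed from browsers and should not be sent, and X-XSS-Protection is a legacy header that current browsers ignore. This example also strips the X-Powered-By header that section 2 describes, since it reveals the PHP version.

```php
<?php
/**
 * Plugin Name: Security headers (added example, not from the guide)
 * Save as wp-content/mu-plugins/security-headers.php. Prefer setting these at
 * the web server when you control it; this is the fallback for a managed host.
 */
add_action('send_headers', function (): void {
    if (headers_sent()) {
        return;                                   // too late to add headers
    }

    // Section 7: force HTTPS for a year. Enable only once every host name under
    // the domain serves correctly over TLS, because browsers remember it.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

    // Clickjacking: forbid framing by other origins.
    header('X-Frame-Options: SAMEORIGIN');

    // Stop browsers from guessing a different Content-Type than the one declared.
    header('X-Content-Type-Options: nosniff');

    // Legacy XSS filter header; harmless to send, ignored by modern browsers.
    header('X-XSS-Protection: 1; mode=block');

    // Content Security Policy. Shipped here in Report-Only mode on purpose: themes
    // and plugins that inline scripts will violate it, and an enforcing policy that
    // was never tested takes the site down. Watch the browser console / report-uri,
    // adjust the source lists, then rename the header to Content-Security-Policy.
    header("Content-Security-Policy-Report-Only: default-src 'self'; "
         . "img-src 'self' data: https:; frame-ancestors 'self'");

    // Public-Key-Pins is deliberately not sent: HPKP is deprecated and a wrong pin
    // locks users out of the site for the pin's max-age.

    // Section 2: do not advertise the PHP version (only present when expose_php=On).
    header_remove('X-Powered-By');
});
```

After activating, re-run securityheaders.io or inspect the response in devtools as described above to confirm each header is present exactly once; duplicates from both the web server and this plugin can produce conflicting values.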

12. Harden Database Security


There are a couple ways to better the security on your WordPress database. The first is to use a
clever database name. If your site is named volleyball tricks, by default your WordPress database is
most likely named wp_volleyballtricks. By changing your database name to something more obscure it
helps protect your site by making it more difficult for hackers to identify and access your database
details.

A second recommendation is to use a different database table prefix. By default WordPress uses
wp_. Changing this to something like 39xw_ can be much more secure. When you install WordPress
it asks for a table prefix (as seen below). There are also ways to change the WordPress table prefix
on existing installations.


13. Check File and Server Permissions


File permissions on both your installation and web server are crucial to beefing up your WordPress
security. If permissions are too loose, someone could easily gain access to your site and wreak
havoc. On the other hand, if your permissions are too strict this could break functionality on your
site. So it is important to have the correct permissions set across the board.

Here are some typical recommendations for permissions when it comes to file and folder
permissions in WordPress. See the WordPress Codex article on changing file permissions for a more
in-depth explanation.

• All files should be 644 or 640. Exception: wp-config.php should be 440 or 400 to prevent
other users on the server from reading it.
• All directories should be 755 or 750.
• No directories should ever be given 777, even upload directories.
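The rules in this list and in section 8c are easy to check mechanically. The following audit script is an added example for this edit (not from the guide or the WordPress Codex); it walks an installation and reports every file or directory whose mode falls outside the recommendations above. The function name is this example's own, and the hosting caveat from section 8c still applies: on some platforms the web server user needs write access to wp-content/uploads, so treat the report as findings to review, not changes to apply blindly.

```php
<?php
// Added example (not from the guide): audit a WordPress tree against the permission
// rules of sections 8c and 13. Usage: php audit-perms.php /path/to/wordpress

function wp_permission_findings(string $root): array {
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );

    foreach ($iterator as $path => $info) {
        $mode  = fileperms($path) & 0777;       // drop the file-type bits
        $octal = sprintf('%04o', $mode);

        if ($info->isDir()) {
            if ($mode === 0777) {
                $findings[] = "$octal $path  world-writable directory (never allowed, not even uploads)";
            } elseif (!in_array($mode, [0755, 0750], true)) {
                $findings[] = "$octal $path  directory should be 755 or 750";
            }
            continue;
        }

        if ($info->getFilename() === 'wp-config.php') {
            if (!in_array($mode, [0440, 0400], true)) {
                $findings[] = "$octal $path  wp-config.php should be 440 or 400";
            }
        } elseif ($mode & 0002) {
            $findings[] = "$octal $path  world-writable file";
        } elseif (!in_array($mode, [0644, 0640], true)) {
            $findings[] = "$octal $path  file should be 644 or 640";
        }
    }
    return $findings;
}

$root = $argv[1] ?? getcwd();
if (!is_dir($root)) {
    fwrite(STDERR, "not a directory: $root\n");
    exit(2);
}

$findings = wp_permission_findings($root);
foreach ($findings as $line) {
    echo $line, "\n";
}
printf("%d finding(s) under %s\n", count($findings), $root);
exit($findings === [] ? 0 : 1);   // non-zero exit lets a cron job or CI alert on drift
```

Because the script only reads metadata, it is safe to run on a live site; schedule it and alert on a non-zero exit so a permission change made during an incident, or by a careless FTP client, is noticed.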

14. Disable File Editing in WordPress Dashboard


A lot of WordPress sites have multiple users and administrators, which can make WordPress security
more complicated. A very bad practice is to give authors or contributors administrator access, but
unfortunately, it happens all the time. It is important to give users the correct roles and permissions
so that they don’t break anything. Because of this, it can be beneficial to simply disable the
“Appearance Editor” in WordPress.

Most of you have probably been there at one point or another. You go to quickly edit something in
the Appearance Editor and suddenly you are left with a white screen of death. It is much better to
edit the file locally and upload it via FTP. And of course, in best practice, you should be testing things
like this on a development site first.

Also, if your WordPress site is hacked, the very first thing the attacker might do is try to edit a PHP file or
theme via the Appearance Editor. This is a quick way for them to execute malicious code on your
site. If they don’t have access to this from the dashboard to begin with, it can help prevent attacks.
Place the following code in your wp-config.php file to remove the 'edit_themes', 'edit_plugins'
and 'edit_files' capabilities of all users:

    define('DISALLOW_FILE_EDIT', true);


15. Prevent Hotlinking


The concept of hotlinking is very simple. You find an image on the Internet somewhere and use the
URL of the image directly on your site. This image will be displayed on your website but it will be
served from the original location. This is actually theft as it is using the hotlinked site’s bandwidth.
This might not seem like a big deal, but it could generate a lot of extra costs.

To prevent hotlinking in Apache simply add the following code to your .htaccess file, replacing
yourdomain.com with your own domain. The first condition lets requests with no Referer header
through (direct visits and some privacy tools send none); the second rejects any Referer that is not
your own site, and matching image requests are redirected to a placeholder image.

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
    RewriteRule \.(jpg|jpeg|png|gif)$ http://dropbox.com/hotlink-placeholder.jpg [NC,R,L]

16. Always Take Backups


Backups are the one thing everyone knows they need but don’t always take. Most of the
recommendations above are security measures you can take to better protect yourself. But no
matter how secure your site is, it will never be 100% safe. So you want backups in case the worst
happens.
