EasyWP: How to improve WordPress website security

This guide will provide you with a number of steps to be followed to keep your WordPress website safe:

NOTE: Before proceeding with any changes, make sure that you generate a full backup of your website in your EasyWP dashboard.



1. Introduction
2. Making backups regularly
3. Updating WordPress, themes and plugins to the latest version
4. Using trusted sources
5. Using a secure username and password
6. Changing WordPress Admin URL
7. Using secure FTP (SFTP)
8. Hiding the WordPress version
9. Limiting the number of failed connections
10. WordPress Security Plugins
11. Account and external security
12. Enable HackGuardian tool
13. Use MalwareGuardian tool


1. Introduction


Nowadays we face a lot of security issues with different content management systems (CMS) and web applications. WordPress is not an exception as it's one of the most popular and powerful blogging content management systems.

There are several reasons for it:

• CMS uses typical files for passwords and settings located in the same directories for each account (wp-config.php, wp-admin/ directory, etc.) so they are very easy to locate and modify after gaining partial access.
• The admin panel (wp-admin) runs under the same domain and uses the same codebase/permission as the rest of the application.
• Admin users can install a plugin/theme, which can then modify any file or change anything in the database (this is related to corrupted, non-official, non-updated, self-modified or fraudulent themes or plugins).
  

This article provides you with a list of tips and instructions that can improve a security level of your WordPress installation.


2. Making backups regularly


Making regular backups of your WordPress site is the first and the most important step. Before you apply any changes, make sure you back up your entire WordPress installation or databases.

For creating a backup, you can use the Backup section in your EasyWP dashboard.

It is recommended to create regular backups of your WordPress website using the Backup section.


3. Updating WordPress, themes and plugins to the latest version

 
The latest version of WordPress is always available on the official WordPress site. The official release is not available from other websites or resources, thus, NEVER update WordPress from third-party resources. Also, you can easily update WordPress from the Admin Dashboard directly. While maintaining a WordPress site is not rocket science, it’s still a task that requires focus and ongoing attention-something that many site owners do not have to spare. Consider a WordPress maintenance service to help you keep up with various scheduled and urgent tasks such as fixing DNS issues or sorting out plugin compatibility problems.



Make sure that your blog's version is up-to-date. WordPress team works on creating patches for fixing security 'holes' and backdoors on a constant basis. That's why it is very important to have the latest version of WordPress.

It is strongly recommended to update your plugins and themes to the latest versions too, as a bug in one of these can affect your whole installation. You can update both plugins and themes via Admin Dashboard > choose Plugins or Themes menu and click Update now next to the necessary plugin or theme:





NOTE: Please update the plugins only one-by-one to avoid resource overuse and any issues. Also, it is recommended to create backups of your WordPress files and database before applying any changes.


4. Using trusted sources


Many custom 'free' WordPress themes included base64 encoding, which is often used to hide malicious code. So, with such themes or plugins you can easily upload malware into your account. This is how most of the ‘hackers’ get access to your files and site.

We recommend using content only from the official resource like http://wordpress.org/ as it's the safest place to get themes and plugins.


5. Using a secure username and password


The default WordPress login is 'admin', and most hackers know that. It should be changed to a custom one with a strong password which includes upper/lower keys, numbers and symbols. Also, it is not recommended to use passwords or email addresses similar to your accounts from other web resources.

It is possible to change your WordPress admin username through the website database following these steps:

1. Open the database, select the table wp-users and click on Edit next to the admin user:

2. On the next page, type in your new WordPress admin username into the user_login box and click Go:

You can change your Admin Password using different ways, you can find the corresponding instructions here.
 


6. Changing WordPress Admin URL


Every day, a number of websites undergo brute-force attacks where hackers try to guess the username and password of the WordPress dashboard. In order to prevent your website from being hacked, you can hide a WordPress login page by creating a unique login link that only you know.

The WPS Hide Login plugin hides default /wp-login.php and /wp-admin WordPress admin links, and substitutes them for a "secret" link of your own choosing. You can find a more detailed guide on how to change WordPress Admin URL here.

7. Using secure FTP (SFTP) access

Uploading files via SFTP is a quick way to make a new site up and running or add new files to your account. Also, it is secure, and your passwords are encrypted to help prevent hackers from learning it. You can find a more detailed guide on how to upload your files via SFTP here.


8. Hiding the WordPress version

Another good idea is to remove the generator meta for WordPress. This meta shows the version of your WordPress site. You may open your website and check your source code by pressing CTRL + U on Windows or Option+Command+U on Mac. If the WordPress version is visible for hackers, it’s more easy for them to target the vulnerabilities of the specific version to hack into your website.

In order to hide your WordPress version, navigate your current theme at /wp-content/themes/yourtheme/ and insert the code below into the function.php file:

/* Hide WP version strings from scripts and styles * @return {string} $src * @filter script_loader_src * @filter style_loader_src */ function fjarrett_remove_wp_version_strings( $src ) {             global $wp_version;             parse_str(parse_url($src, PHP_URL_QUERY), $query);             if ( !empty($query['ver']) && $query['ver'] === $wp_version ) {             $src = remove_query_arg('ver', $src);             }             return $src; } add_filter( 'script_loader_src', 'fjarrett_remove_wp_version_strings' ); add_filter( 'style_loader_src', 'fjarrett_remove_wp_version_strings' ); /* Hide WP version strings from generator meta tag */ function wpmudev_remove_version() { return ''; } add_filter('the_generator', 'wpmudev_remove_version');

9. Limiting the number of failed connections


It is recommended to limit the number of login attempts to your WordPress Dashboard with the help of Login LockDown plugin. It records the IP addresses of every failed login within a certain time period of time. If more than a certain number of attempts is detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This allows preventing brute force password discovery.


10. WordPress Security Plugins

One of the most important steps for making your WordPress site well protected is to use security plugins:


Wordfence Security:



Wordfence Security is a free WordPress security plugin that allows scanning your website looking for malicious code, backdoors or shells that hackers have installed, showing website analytics and traffic in real time, setting up automatic scanning and much more.


Sucuri Security plugin:



Sucuri Security plugin is a security suite meant to complement your existing security posture. It offers a set of security features for the website, each designed to have a positive effect on the security posture: security activity auditing, file integrity monitoring, remote malware scanning, security notifications, etc.

All In One WordPress Security plugin:




All In One WordPress Security plugin is a user-friendly plugin that will bring security of your WordPress site on a new level. It provides with user accounts and login security, database and file system security, brute force login attack prevention, website scanning and much more.


11. Account and external security
 
Here are the tips and general recommendations that will help you to increase account and external security:

• Keep your local environment updated and clean from viruses.
  
• Use secure passwords and SFTP connection.
• Change your WordPress admin password regularly. Try to use strong passwords (with high and low register Aa-Zz and special symbols) and we recommend you to change the password for your WordPress admin user email address as well.
  
• Do not store passwords in places where they can be obtained easily (e.g., a passwords.txt file on the desktop is not very secure).
• Update all third-party scripts to their latest versions.
• Always have a backup copy of your entire website and its databases.
  

The tips provided above do not guarantee 100% security of your WordPress website, however, they drastically decrease chances of getting hacked. We sincerely hope this article helped you enough in securing your online business and becoming a trouble-free and happy customer.

12. Enable HackGuardian tool

NOTE: The tool is available only on Islands 2.0.

HackGuardian is a free security tool that makes WordPress sites more resistant to cyberattacks by allowing users to switch the WordPress file system to a partial, read-only mode.

When HackGuardian is active, it locks down the WordPress file system in a partially read-only mode. This doesn't alter file permissions or ownership. Instead, HackGuardian operates seamlessly in the background, providing robust protection without disrupting the site's functionality.

While HackGuardian provides significant security enhancements, it’s important to recognize its limitations.
HackGuardian tool should be disabled when you:

• Access SFTP files;
• Install a WordPress theme or plugin;
• Perform manual or automatic WordPress updates;
• Edit files directly via certain file managers within the WordPress admin panel.

It can be enabled in the EasyWP Dashboard >> Security tab or in the WordPress admin panel.

13. Use MalwareGuardian tool

MalwareGuardian is a robust anti-malware solution that enhances security and protects customers against cyber threats. It provides you with an effective solution to detect, prevent, and mitigate the impacts of a wide range of threats like web shells, adware, phishing, and many more.

Also, it has an Autoclean protection option that automatically removes malicious software, ensuring the system`s safety without manual intervention.

It can be enabled in the EasyWP Dashboard >> Security tab.


That's it!

              
                      Need any help? Contact our HelpDesk