
Case Study: WordPress Site Security

WordPress is one of the most popular CMSs in its segment. The ability to build an attractive, functional website within hours is why many users choose WordPress over other options.

On the other hand, WordPress is also known for weak default security. A basic WordPress site configuration is exposed to outside threats, and there are many ways a WordPress site can be compromised if its security has not been configured properly.

Let’s go through several steps you need to take to protect your WordPress website.

Update your current version of WordPress manually from the latest release archive

Every other WordPress version has updates that cannot be installed automatically. For example, the next available automated update for version 4.7 will be version 4.8, but between these two builds there are subversions such as 4.7.1, 4.7.2 … 4.7.5. These subversions will not show up in your admin panel as automatic updates, but they contain crucial improvements to the current version: security fixes and bug fixes. You can always download an archive with all the necessary update files for these subversions from the WordPress website; the only difference is that you will need to install these updates manually.

Keep plugins up to date

Plugins let you extend WordPress functionality, but it is important to keep them up to date. Plugin developers release updates to add features and fix bugs. Check for plugin updates in the admin panel or on the developer’s site, and check the plugin against the WPScan Vulnerability Database before installing or updating it.

New user registration configuration

Disable user registration on the WordPress admin login screen to prevent mass registration and database bloat. If someone needs access to the WordPress admin area, it is better to have an administrator create the new user.

User nick and login configuration

By default, WordPress sets user nicknames to match user login names. This makes it easy to find out the admin user’s login name and then attack that account. Make a change in the database so that user_nickname differs from user_login.

Install a security plugin

As mentioned earlier, WordPress plugins can add to your site’s functionality. They can also protect your site. The plugin you should install is “All In One WP Security & Firewall”.

With over 600 000 installs, it can be considered one of the best security tools for WordPress.

The plugin needs to be configured properly to get the maximum out of its features:

  • Set permission 755 on your folders and ‘/’, 644 on files, and 777 only on uploads (the recommended permissions);
  • Disable “user enumeration”;
  • Hide the WordPress version from the DOM;
  • Change the login URL for the WordPress admin page;
  • Add a captcha;
  • Add brute-force protection (lockout: after more than 3 failed login attempts the source IP is blocked; all IPs and the login history can be viewed in the plugin);
  • Turn on the firewall to:
    1. Protect your .htaccess file by denying access to it.
    2. Disable the server signature.
    3. Limit file upload size (10MB).
    4. Protect your wp-config.php file by denying access to it.
  • Block access to the debug.log file;
  • Log out of WP Admin automatically after 2 hours;
  • Turn on spam prevention;
  • Prevent the website from being displayed in a frame.

Of course, the plugin has many more settings you can work with, but the settings mentioned in this article are the “must have” ones.
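The firewall items above (protect .htaccess, disable the server signature, limit upload size, protect wp-config.php, block debug.log, refuse framing) all translate into ordinary Apache rules. The following .htaccess fragment is an added example of those rules written by hand; it is not the plugin’s own generated output, and it assumes Apache 2.4 with mod_headers available and a WordPress install at the document root.

```apache
# Added example: hand-written equivalents of the hardening items listed above
# (not the plugin's generated rules). Assumes Apache 2.4 and mod_headers.

# 1. Deny direct HTTP access to .htaccess itself (and .htpasswd, if present)
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# 2. Do not append the server version and hostname to server-generated pages
ServerSignature Off

# 3. Cap request bodies at 10 MB (10 * 1024 * 1024 bytes) to limit upload size
LimitRequestBody 10485760

# 4. Deny direct HTTP access to wp-config.php (it holds the database credentials)
<Files "wp-config.php">
    Require all denied
</Files>

# Block the debug log, which can leak file paths and stack traces when WP_DEBUG_LOG is on
<Files "debug.log">
    Require all denied
</Files>

# Prevent the site from being displayed in a frame on another origin (clickjacking)
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
```

Place the fragment in the site root .htaccess above the `# BEGIN WordPress` marker so WordPress does not overwrite it when it rewrites its own section.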

If you have any questions or need any assistance with your website security configuration, feel free to contact us anytime.