WordPress Security and Hardening Guide

First, let’s define WordPress for WordPress security measures. WordPress is a content management system (CMS) system that enables you to produce and manage all kinds of content without any coding knowledge. After a few installation steps, you can easily deploy your website with a content management infrastructure. All you need is a domain and hosting with PHP and MySQL support.

WordPress is one of the most preferred open-source CMS structures in the world. According to recent statistics, 30% of the websites worldwide are built on the WordPress platform. You can see that global corporations, government institutions, newspapers, and many similar companies prefer the WordPress platform.

WordPress Security Measures This system has achieved great success and popularity. However, one of the factors that come with its popularity is attracting the attention of cyber attackers. Cyber attackers generally follow popular systems, especially open-source systems. It is an inevitable fact that some of the cyber attacks are directed towards this CMS management system since one-third of the websites worldwide have a WordPress infrastructure.

In this article, we will discuss the security measures that need to be taken after WordPress installation. By taking these security measures and hardening steps, you will have taken the necessary steps to protect your WordPress infrastructure against cyber attackers.

Note: This guide is written based solely on the WordPress management system. Hosting-related issues, personal computer problems, and other similar sources are not included in this article.

WordPress Security and Hardening Guide

After WordPress installation, you can make your system secure and stay ahead of cyber attacks by taking the security measures outlined below.

If you have a WordPress infrastructure, you must take this issue seriously and take your basic security measures against evolving and constantly changing cyber attacks. Otherwise, you may become the target of cyber attackers, or your content management system and data may be compromised.

Security is a process and must be managed correctly. It is important to remember that security cannot be 100% guaranteed, and managing this process can reduce your risk level.

Securing your personal or company computer, online behaviors, and internal operations is one of the first steps to take to protect your WordPress infrastructure.

Security consists of three main areas: People, Processes, and Technology.

Each of these must be in synchronized harmony with each other. Vulnerability in one area can affect the entire system. Therefore, when considering WordPress security, you should not overlook your personal errors, vulnerabilities in hosting and similar hosting systems, processes, and the development of technology.

How to Ensure WordPress Security?

Below are the WordPress security controls and security measures you need to take. By taking these measures, you can make your system secure and tighten security.

WordPress General Security Controls Access Restriction: You can strengthen your security by minimizing the number of accounts with access to your WordPress site and correctly adjusting the permissions of those who will access it. Remember that having multiple “Administrator” privileges in a system will increase your vulnerabilities.

Plugins and Themes: Remove all unused plugins and themes on your WordPress site. These help maintain privacy, usability, and integrity with at least privilege principles. This way, you will not be affected by vulnerabilities that may arise in unused themes or plugins.

Isolation: You should configure your system to minimize the amount of damage that may occur if your system is compromised. If possible, avoid having multiple different websites on a single hosting account. If multiple websites are hosted on one hosting, note that the entire system will be affected through the vulnerabilities of other sites.

Secure Backup: Host verified backups in secure locations. Periodically verify the integrity of backups to ensure that you can restore your website if it is damaged. After cyber attacks that could compromise the security of your website, you should have an emergency recovery plan.

Don’t Forget Updates: Do your best to stay up to date with your WordPress installation, including plugins and themes. You must make updates to themes and plugins installed on your site. At the same time, we recommend that you make WordPress version updates without delay.

Security Updates: Security vulnerabilities are a concern affecting all software. A vulnerability can be identified and exploited on any system. This can affect not only all software and hardware but also the WordPress content management system. 

Use Trusted Sources: Do not install, download, or use plugins/themes from unreliable sources! If you want to install a plugin, make sure to upload them to your system via WordPress.org. Stay away from plugins and themes distributed by third-party websites. Especially on illegal sites distributing paid themes or plugins for free, there are significant vulnerabilities, viruses, or malicious hackers. Remember that these illegal sites distributing themes or plugins for free may hack your system by inserting malicious code into your themes or plugins!

Post-WordPress Installation Security Steps

After completing the WordPress installation, you can perform post-installation hardening by following the guidelines below.

Securing wp-config.php

The most important file in the WordPress infrastructure is the wp-config.php file. By making some adjustments in this file, you can enhance system security. First, we need to verify the security of the wp-config.php file.

To secure the wp-config.php file on Apache servers, add the following code to the .htaccess file content. With this code, the content of the wp-config.php file cannot be called from the outside and access from the outside will be disabled.

<files wp-config.php>
order allow,deny
deny from all
</files>

Additionally, moving the wp-config.php file outside the HTML folder using different plugins will provide added security value. This file is the most crucial file in WordPress logs. The wp-config.php contains the necessary information for database connection.

Encrypting wp-config.php File

Another way to restrict access to another wp-config.php file is to encrypt its contents. You can use ionCube, Zend Guard, or the simplest and free tool available on phpr.org for encryption. This way, only those with access to the encrypted data can view it, keeping your database connection information confidential.

Changing the Location of wp-config.php File

Because the wp-config.php file is crucial, we cannot rely solely on encryption. Encryption methods can eventually be cracked by professional attackers. If we change the location of the wp-config.php file, we will take another important step in terms of access control.

We can change the directory where the wp-config.php file is located or directly change the file’s name. To do this, we need to open the wp-load.php file in the root directory of our site and change the places where wp-config.php is written according to our folder name.

Note: You can use plugins that make these settings permanent as they will revert to their old settings after each update.

Blocking Access to wp-load.php File

Another step in securing WordPress is to block access to the wp-load.php file. Like we blocked access to the wp-config.php file from the outside using the .htaccess file, we can restrict access to the wp-load.php file for potential unauthorized accesses.

<files wp-load.php>
order allow,deny
deny from all
</files>

Protecting the WordPress Plugins Directory

Vulnerabilities can also arise in the plugins you use in your WordPress system. Attackers can gain unauthorized access to your system by exploiting vulnerabilities in these plugins. Therefore, we must take security measures for the WordPress “Plugins” folder as well. Under normal circumstances, the contents of this directory should not be listed when accessing it. However, in some versions or due to user error, this directory may be open, and the folders inside it may be listed. This way, attackers can gain information about the plugins installed on the system. If you want to prevent outsiders from seeing your plugins, you can create an empty file named index.html in this folder to prevent directory listing.

Note: In up-to-date WordPress versions, there is a default empty index.php file.

Blocking Access to WordPress .htaccess File

The .htaccess file is very important for WordPress on Apache servers. This file usually contains WordPress’s standard redirection content. On the other hand, as mentioned above, it can also be used to block unauthorized access. If we add the following code to our .htaccess file, we ensure the security of our .htaccess file:

<files .htaccess> order allow,deny deny from all </files>

Turning Off WordPress Debugging Mode

You can prevent potential vulnerabilities by turning off WordPress error messages. You can turn off debugging mode by adding the following code to the wp-config.php file. Debug mode is used to view possible WordPress errors, and developers usually activate this mode to investigate errors in the system. You can turn off the mode by changing the “false” value in the code or by changing it to “true” to reactivate debugging mode.

define( ‘WP_DEBUG’, false );

Forcing WordPress to SSL Publishing

We recommend that your WordPress site be published over SSL. To publish over SSL, you must have an SSL certificate. SSL certificates can be sold for a fee or available in free versions. You can have a free SSL certificate by using Let’s Encrypt or Cloudflare. Having your site published over SSL will have a positive impact on Google and will also be an important step against attackers. After setting up SSL publishing for your site, you can force SSL by adding the following code to the wp-config.php file:

define(‘FORCE_SSL_ADMIN’, true);

Enabling WordPress Automatic Updates

As vulnerabilities arise in other software, they also emerge in WordPress, and these vulnerabilities detected continuously by the WordPress team are patched through updates. You can perform these updates manually or automatically by adding the following code to your wp-config.php file:

define(‘WP_AUTO_UPDATE_CORE’, true);

Defining the WordPress Temp Folder

Just like in WordPress updates, operations are performed on a TEMP folder for plugin and theme updates as well. This folder needs to be writable. You can ensure that updates are completed correctly by adding the following code to your wp-config.php file, specifying the upload directory. The code should indicate the upload directory and the file path should be specified exactly. The following code is the default WordPress Upload folder path in the CentOS operating system:

define(‘WP_TEMP_DIR’,‘/var/www/html/wp-content/uploads/’);

In some cases during plugin and theme updates, WordPress files may not be fetched correctly or may produce errors. You can ensure that updates with errors are done correctly by adding the following code to your wp-config.php file:

Disabling Scheduled Tasks

One of WordPress’s features is scheduled tasks. However, scheduled tasks can overload your system in some cases. On the other hand, when attackers infiltrate your system, they can use WordPress’s CRON function to stay persistent. You can stop WordPress’s scheduled tasks by adding the following code to your wp-config.php file:

define(‘DISABLE_WP_CRON’, true);

Disabling the File Editing Editor

You can manage theme files using the code editor in the WordPress admin panel. However, this feature can pose a vulnerability. Especially, we’ve seen instances where attackers inject malicious code into your theme files through a vulnerability in your system. You can disable WordPress’s theme file editing feature by adding the following code to your wp-config.php file. This will further enhance your security:

define(‘DISALLOW_FILE_EDIT’, true);

Changing Unique Authentication Keys

WordPress’s unique authentication keys are a set of random variables that improve encryption of the information stored in the user’s cookies. A total of four security keys are created after installation:

AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY.

WordPress Authentication Keys are used to encrypt permissions on WordPress, contributing to the security of your website and making it harder to crack. These keys affect various aspects, from encrypting cookies to security keys used as “Nonces” for AJAX operations. In a standard installation, you’ll encounter them as follows:

define(‘AUTH_KEY’, ‘place your unique character set here’);
define(‘SECURE_AUTH_KEY’, ‘place your unique character set here’);
define(‘LOGGED_IN_KEY’, ‘place your unique character set here’);
define(‘NONCE_KEY’, ‘place your unique character set here’);
define(‘AUTH_SALT’, ‘place your unique character set here’);
define(‘SECURE_AUTH_SALT’, ‘place your unique character set here’);
define(‘LOGGED_IN_SALT’, ‘place your unique character set here’);
define(‘NONCE_SALT’, ‘place your unique character set here’);

Configuring WordPress File and Directory Permissions

The default permission scheme for WordPress should be as follows:

Folders – 750 / Files – 640

You can make your site secure by giving 750 permissions for your folders and 640 permissions for your files. You can use FileZilla or a similar FTP tool for this adjustment, or you may need to contact your hosting provider. Before making permission changes, it’s recommended to discuss with your hosting provider as it may negatively affect your site’s performance and usability. Also, ensure that no file or directory has 777 permissions as it creates a vulnerability.

Secure the Upload Folder

You should secure WordPress’s upload folder, where images and other files are uploaded, against potential vulnerabilities such as executing executable files (e.g., Shell scripts). Attackers can exploit vulnerabilities they find in your system to upload malicious files to the Uploads directory and gain Shell access. To prevent this, you should create a .htaccess file inside the /wp-content/uploads/ directory and add the following code to the /wp-content/uploads/.htaccess file. This will prevent attackers from downloading and executing malicious files in your upload folder.

# Kill PHP Execution <Files ~ “\.ph(?:p[345]?|t|tml)$”> deny from all </Files>

User Account Policy

During WordPress installation, an administrator account is added. If you completed the WordPress installation as default, you will have created an administrator account. However, we recommend changing the username of this account to protect against brute force attacks. Also, having multiple administrator accounts increases vulnerabilities. We recommend using a single administrator account and assigning editor, author, or user roles to other users on your system. Users often use their names as usernames, which can be predictable and create vulnerabilities. Therefore, we advise against users or administrators using such usernames.

Passwords and User Information

WordPress applies a default policy for complex passwords to users you create. However, some users may create unreliable and predictable passwords such as “12345678”. We recommend urging users to create complex passwords to secure their accounts. Otherwise, there is a high probability that attackers could guess these passwords and gain access to your system. Additionally, periodically changing passwords is important for security.

Preventing WordPress Pingback Attacks

WordPress’s Pingback feature can be abused by attackers to create excessive load on your system and can be used in Distributed Denial of Service (DDOS) attacks. To prevent this, we recommend disabling WordPress’s Pingback feature if you’re not using it. You can disable the Pingback function by adding the following code to an appropriate place in your theme’s functions.php file.

// Disable Pingback function remove_x_pingback($headers) { unset($headers[‘X-Pingback’]); return $headers; } add_filter(‘wp_headers’, ‘remove_x_pingback’);

Disabling WordPress XML-RPC Access

WordPress’s XML-RPC file has been exploited multiple times in the past. Attackers commonly exploit two major vulnerabilities in this file. First, it’s used in brute force attacks to gain unauthorized access to your site by attempting username and password combinations. Second, attackers can use the XML-RPC file to launch Denial of Service (DDOS) attacks on your system.

To protect against these attacks, we recommend adding the following code to your theme’s functions.php file to disable the XML-RPC function.

// Disable XML-RPC add_filter(‘xmlrpc_enabled’, ‘__return_false’);

You can also disable XML-RPC access via .htaccess. Add the following code to your .htaccess file in the root directory, replacing “123.123.123.123” with your actual IP address to only allow access from that IP.

# Block WordPress xmlrpc.php
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>

Disabling WordPress REST API Feature

If you’re not using the REST API feature introduced in WordPress 4.4, we recommend disabling it to prevent potential abuse by malicious actors, leading to system overload and possible service disruptions. To disable the REST API feature, add the following code to your theme’s functions.php file.

// Disable REST API
add_filter( ‘json_enabled’, ‘__return_false’ );
add_filter( ‘json_jsonp_enabled’, ‘__return_false’ );
add_filter( ‘rest_enabled’, ‘__return_false’ );
add_filter( ‘rest_jsonp_enabled’, ‘__return_false’ );

Pay attention to the code block to remove “info” information from requests, preventing attackers from gathering information.