How to make your Wordpress site secure?

Chris Worner · May 4, 2016

One of my WP sites got malware and I had to reinstall wordpress cms and plugins but I still couldn't find out where it came from. Everything is fine now but how to avoid getting malware again? do you guys share any tips to make Worpdress site secure?

ZenHosting · May 4, 2016

Hi Chris,

Sorry to hear your Wordpress site was infected with malware.

I'd recommend you install the Wordfence, Clef and Codeguard plugins. Wordfence will harden your site's security, Clef will lock access down and with Codeguard, you can get backups automatically taken so if your site does become infected again, you can restore the files or databases, at any time. You would have to sign up to a Codeguard plan, though.

This guide is excellent: http://codex.wordpress.org/Hardening_WordPress

RDO Servers · May 4, 2016

Honestly, if your concerned about security, I would recommend moving away from WordPress. It is so commonly used, it is the ideal target for hackers. When they find a way to hack the new version, they have essentially hacked thousands of websites since the same exploit can be applied to all WP sites running that version.

If you want to stay with WP, then you need to be very diligent with updating WP and all of your plugins as soon as new versions are released.

VirtuBox · May 4, 2016

Using something else than wordpress :smart:

To be more serious, the first problem with wordpress is plugins & themes.
- What plugins or theme do you use ? Some nulled ?
- Who code them and does he know to code (
- When is the last update -> plugins and theme : are they totally compatible with WP 4.5

There is a lot of sites which report all security issues with WP themes and plugins and I can only say there is a lot of issues.

But before starting to investigate, check your server security :

- Do you have CSP ? -> http://content-security-policy.com/
- Check your HTTP headers to see if you have XSS protection, Xframe protection etc : https://tools.keycdn.com/curl
- Analyze your logs to understand how you got the malware. What does it do ? Is it wordpress the problem ?

Localnode · May 5, 2016

The basics:
Make sure the computers you use are free of spyware, malware, and virus infections.
Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities.
Use long passwords for your WordPress login. Preferably hard to guess, with numbers.
Keep your WordPress and plugins up-to-date.
If you have an SSL certificate, connect to your WordPress admin login using HTTPS.
When connecting to your server you should use SFTP encryption.

Restrict access to your WordPress admin area

Code:

# BEGIN RESTRICTION
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^xx.xxx.xxx.xxx$
RewriteRule ^(.*)$ - [R=403,L]
# END RESTRICTION

Place this in your .htaccess replace "xx.xxx.xxx.xxx" with your IP.
Also replace the wp-login bits if you have your backend hidden.

Don't use the "admin" username.
Consider two-factor authentication.

Plugins like iThemes and Wordfence definitely help.

Always make sure Wordpress and plugins are up to date!

Maxoq · May 16, 2016

leto12 said:
.....
- Analyze your logs to understand how you got the malware. What does it do ? Is it wordpress the problem ?

I also heard of analyzing log files to find out error on your web hosting or websites but I don't know where to start and how to find errors.

Localnode said:
The basics:
If you have an SSL certificate, connect to your WordPress admin login using HTTPS.

I have not ever used SSL for my sites. Does it really help in secure your site? how?

For SSL, how much can I pay for a year or it's free?

noorucn · Nov 1, 2016

First of all, the most important thing to do is to change your default Wordpress login page. Its so common knowledge for any hacker to know to add wp-login.php after domain name to reach your login page. I use plugins to change my login page to some anonymous links so that hackers dont get any chance of coming near my website.

stackstar · Nov 22, 2016

Doing things like adding recaptcha to login forms, disabling unused or unnecessary plugins and doing external audits with tools like wpscan are good baseline efforts.

Choosing a web host that offers managed wordpress or are experienced in wordpress security are the next thing to consider. After you take precautions securing your site, you have to ensure the environment through which it is hosted is also secure to the best of their abilities.

Julio · Nov 23, 2016

I use wordfence on my blog and it works great but I also look for other means of securing my blog with plugins and htaccess code.

Julio · Nov 23, 2016

I read about that but I really did not understood what they meant about 30 days community patch.

When I installed it almost 2 weeks ago I did not look at it until yesterday I might upgrade to the premium.

Julio · Nov 24, 2016

Thanks VirtulBox,

I'll look into getting a vps server then since i'm already paying about the same of a vps server.

Colombiawebs · Dec 15, 2016

Good day

I recommend the following plugin for wordpress

Wordfence.com

It protects you from attacks, malware and many other threats

If the security of your website is compromised

Install the plugin, run a scan and indicate where the threat is, to remove it and secure your web

Blessings

HostXNow · Dec 16, 2016

It's best for the provider to secure everything at the network/server level thus saving resources used by hundreds or thousands of customers all running the same security plugins. Using many security plugins for WordPress just slows everything down. Sure the odd one of two may help for very high traffic sites which are more likely to be targeted, but the majority of the commonly used plugins aren't needed, and attacks are usually best stopped at the network/server level using CSF, mod_secuirty rules, LiteSpeed/Nginx/Varnish etc.

nitaish · Dec 28, 2016

Wordfence is recommended for securing Wordpress. I have been using it since long and it does a tremendous job. Also, make sure to keep your wordpress, plugins and themes updated with latest versions otherwise even Wordfence may fail.

Laurence Flynn · Dec 31, 2016

To be honest all you need is vigilance. You have to make sure your core, plugins and themes are up to date and you have to ensure your plugins have active development. That plugin you installed 5 years ago? Go its wp.org plugin page and if it said Last Updated: 3 years ago you probably want to find something else that does the same job. Try and use as few plugins as you can and remove any themes you don't use. Your host should do the rest with (1) mod_security rules, (2) firewall rules and (3) malware scanning. Since we beefed up security years ago we went from seeing multiple malware tickets per day to maybe 1 a week. On 5000 sites with half running WP.

Laurence Flynn · Dec 31, 2016

Your host should be doing a basic scan every day and a deep scan once a week. A basic scan just scans new files and a deep scan scans all files. On Linux this is easy with Maldet. If your host doesn't scan you should buy a malware detection scanner. This is just a web crawler usually and should only take a few minutes. However, there are many options and many are super pricey (like Detectify at $60/mo!). There are others like SiteLock, GeoTrust Anti-Malware but their basic packages scan limited pages. There's Sucuri at $200/yr. If your host doesn't have you covered then you should have something, especially running WP.

StrangeDays · Dec 31, 2016

Rename your mysql Wordpress tables from wp_* to something obscure.

rankmyhub · Apr 3, 2017

How to secure wordpress is a good topic, let me add my inputs as well.

1) Get SSL on front end and back end as well
2) Install a wordpress firewall or security plugin. If you are new to WP then stick with wordfence, or else iThemes wordpress security or iControl WP simple firewall are more advanced.
3) change the wordpress prefix from wp_ to something else
4) Restrict strong password to subscriber role, this is the least role on WP.
5) Use third party commenting systme like Disqus or something else, this will eliminate users from becoming memebers on your wordpress installation
6) Do regular scanning
7) Avoid pirated or nulled or cracked plugins and themes
8) If you are on windows computer or laptop, make sure that your system is clean and safe. Most malwares get into wordpress from your own system
9) Disable directory indexing on your CPanel.
10) Always have regular backups of your wordpress website, the plugins suggested above will do that job.

Most important thing is, you need to harden wordpress and manage it. Lot of people say that wordpress gets hacked easily, its true only if we are not managing it. We have dealt with lots of wordpress websites and our sites never got malware or hacked, because we manage things in proper way. So not matter whether you follow 10 points or not management is important.

Hope this time, you will take care of things, happy blogging.

vinaya · Jul 1, 2017

If you have SSL certificates on your website it protects your sites from malware and other attacks. You can also use security plugins. The one that I can recommend is called Word Defense, which is available as free. This plugin stops unauthorized access to your websites. Since it provides IP of the person who is trying to hack your website, you can block the IP so that there will be no problem in the future.

24x7serverman · Oct 12, 2017

Here are some tips to make your website secure -

1. Always make sure you will not share the root password with anyone using the email or chat, same for the database passwords.
2. Always patch the scripts with the latest update which is available for your website.
3. Make sure to check the access logs of your website periodically so you can check the IP addresses from where your website is getting accessed. If you will find the IP suspicious then block those IP addresses.
4. Install the security plugins which are available for your WordPress website.
5. Check the scripts,codes periodically so you can find if there is any malicious script or code uploaded.
6. Download the backup of the website periodically to avid the loss of business. It should be taken on your local system.
7. Make sure the systems from where you are accessing the website should have the updated antivirus.
8. Make habit to update the password of your control panel, administrative panel, databases periodically.

How to make your Wordpress site secure?

Well-known member

Member

Well-known member

Well-known member

Well-known member

Well-known member

Member

Member

New member

New member

New member

Active member

Well-known member

Member

Well-known member

Well-known member

Member

Well-known member

Well-known member

Well-known member

Sponsors

Tag Cloud