WordPress powers approximately 17% of all websites worldwide. That makes it a very attractive target for attackers: a single exploit can give them the ability to take down or control a great many sites at once.
How do WordPress sites get hacked?
A recent study has shown that WordPress blogs get hacked for the following reasons:
- 41% of WordPress sites are hacked due to insecure hosting (research a potential host before signing up).
- 29% of WordPress sites are hacked due to an exploited or outdated theme.
- 22% of WordPress sites are hacked due to an exploited or outdated plugin.
- 8% of WordPress sites are hacked due to an insecure password.
The entire responsibility for WordPress security lies with you (the website owner) and the WordPress core developers. The core developers are great at their job, but you have to do your part as well: an update is no good if it is never installed. Below we list some simple steps to harden your WordPress security, and we go over each one briefly to explain why it matters and how to implement it on your sites.
Using MainWP to Harden your WordPress sites against potential attacks
- Back up your site (files and database) regularly
- Keep your WordPress core installation up to date
- Keep your WordPress plugins up to date
- Keep your WordPress themes up to date
- Uninstall (not just disable) any unused plugins or themes
- Always use a strong password!
- Restrict wp-login.php access
- Remove WordPress version information
- Prevent listing of wp-content, wp-content/plugins, wp-content/themes and wp-content/uploads
Back up your sites (files and database) regularly.
With MainWP installed this is a breeze. MainWP offers both one-time and recurring backups, which can be stored on your main Dashboard site or at remote destinations such as an FTP server, Dropbox or Amazon S3. Having a recent backup of both your files and your database means that if you experience a disaster (a server crash or a hacked site) you have an unaffected copy to restore from, which makes cleanup painless. Keep at least one copy off the affected server: a backup stored only on a compromised host can be deleted or tampered with along with the site. Further details are in the MainWP backup documentation.
Keep your WordPress core installation up to date.
Visiting each site every time there is a WordPress update is necessary but tedious. Skipping these updates is always a poor decision, but with tens or hundreds of sites it could mean hours or days of work. MainWP expedites the process by offering one-click updates or automated updates, and both are as simple as they sound. A one-click update is a single click in the dashboard that updates the WordPress core files on all your sites. Automated updates are even easier: mark a site as trusted and MainWP does the heavy lifting while you sleep. Remember that WordPress core releases add new and helpful features or fix security holes, so if an update is available it is highly recommended that you install it.
Keep your WordPress plugins up to date.
As mentioned above, over 20% of WordPress sites are hacked due to outdated plugins. Plugin updates show in both your WordPress dashboard and your Plugins page. Each plugin update is typically small and takes seconds to run. MainWP offers the same options for plugins as for core files: one-click updates from the dashboard (all plugins at once instead of one by one) and automated updates, a hands-off approach.
To set your Plugins to auto update there are 2 steps.
Keep your WordPress themes up to date.
As mentioned above, almost 30% of WordPress sites are hacked due to outdated themes. Theme updates show in both your WordPress dashboard and your Themes page. Each theme update is typically small and takes seconds to run. MainWP offers the same options for themes as for core files: one-click updates from the dashboard (all themes at once instead of one by one) and automated updates, a hands-off approach.
To set your Themes to auto update there are 2 steps.
Uninstall (not just disable) any unused plugins or themes.
We have seen above that about half of WordPress hacks involve themes and plugins that have not been properly maintained. A common misconception is that a disabled theme or plugin does not need updating. This is incorrect: a deactivated theme or plugin still has its files on the server, they can still be requested directly over the web, and many of them can still be exploited in that state. There is no reason to take this risk. If you are not using a plugin or theme, don't just deactivate it, remove it. To do this, visit your MainWP dashboard, then the Themes sub menu. In the status menu select Inactive. On the right, select all to choose all sites. Now click Show Themes and remove all inactive themes. Remember that a parent theme will show as inactive even though its child theme is in use. If this is the case, or you are not sure, do not delete the theme.
This process can be repeated for plugins. Visit your MainWP dashboard, then the Plugins sub menu. In the status menu select Inactive. On the right, select all to choose all sites. Now click Show Plugins and remove all inactive plugins.
Always use a strong password!
A weak admin password accounts for about 8% of WordPress hacks. A password should be both strong and unique. Strong means it should mix upper- and lower-case letters, numbers and special characters, and above all it should be long. Remember that a password does not have to be a single word; it can be a pass phrase. Instead of a password of "fido1" you can use a pass phrase such as "I Love My dog Fido". It is not impossible to brute force, but its length makes it take vastly longer than "fido1". Your password should also be unique. If you reuse one password for your main accounts and logins, then an attacker who obtains it from any one of them (for example from another site's leaked password database) can try it against every other account linked to your name. MainWP includes a function to change your admin passwords, either individually or for all sites at the same time. Go to your MainWP dashboard and then the Admin Passwords sub menu. Use the password strength indicator and the tips above to strengthen your password.
Restrict wp-login.php access
When you log in manually to manage your WordPress site, a page named wp-login.php processes the request. This is common knowledge, and the page is the usual target of brute force attacks. Brute force attacks work through lists of common usernames and passwords: a username of admin with a password of password1 is a common and trivially guessed setup. Besides using pass phrases as recommended above, you can restrict access to wp-login.php so that users and bots cannot even attempt to break in.
MainWP does not use the wp-login.php page; it logs you in through its own secure login via the MainWP Child plugin. This means you can block the page for everyone else while still being able to log in yourself. There are a couple of quick steps.
1. Install the MainWP Child plugin and join the site to your Dashboard.
2. Using FTP, open the .htaccess file in the root of each child site and paste the following at the bottom of the file. The rules are wrapped in a Files section so that only wp-login.php is blocked; a bare "deny from all" at the top level of the root .htaccess would block the whole site, including the MainWP Child connection.
<Files wp-login.php>
# set up rule order
order deny,allow
# default deny
deny from all
# Add additional IPs for access here (203.0.113.10 is a placeholder; use your own address)
# allow from 203.0.113.10
</Files>
errordocument 401 default
errordocument 403 default
errordocument 404 default
3. Save and upload the file back to your site. Note that on Apache 2.4 the Order/Deny/Allow directives only work when mod_access_compat is loaded; if your host runs without it, use "Require all denied" (and "Require ip" for any addresses you want to allow) inside a <Files wp-login.php> section instead. Then verify the result from a browser or with curl: wp-login.php should return 403 from any address you did not allow, while the rest of the site still loads.
4. You can now log in to each WordPress site from your dashboard by going to the Sites sub menu and clicking the Admin link.
*** To remove this if you ever need to access the site manually, open the .htaccess file, remove the added lines, and upload it again.
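Blocking wp-login.php is worth pairing with a look at who was hitting it. The script below is an added example for this article, not MainWP code: it reads Apache/Nginx combined-format access log lines (the lines in SAMPLE_LOG are constructed, using the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) and flags clients that POST to wp-login.php in bursts. It relies on one piece of WordPress behaviour: a failed login re-renders the form with HTTP 200, while a successful one redirects with 302, so a run of 200s followed by a 302 from the same client means a password was guessed and that account needs its password changed.

```python
"""Detect password guessing against wp-login.php in a combined-format access log.

Added example, not MainWP code. SAMPLE_LOG is constructed; the addresses are
from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined format: ip - user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# 203.0.113.7 fails six times, then gets a 302 (logged in), then is blocked (403).
# 198.51.100.23 is a real user who mistypes once and then logs in.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2015:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2811 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:13:55:44 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2015:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2015:13:56:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:13:56:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:13:56:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def login_posts(log_text):
    """Per-IP chronological list of (time, status) for every POST to wp-login.php."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0].endswith("/wp-login.php"):
            by_ip[rec["ip"]].append((rec["time"], rec["status"]))
    for events in by_ip.values():
        events.sort()
    return by_ip


def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """{ip: total login POSTs} for clients with >= threshold POSTs inside any window."""
    flagged = {}
    for ip, events in login_posts(log_text).items():
        times = [t for t, _ in events]
        start = 0
        for end in range(len(times)):           # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def likely_compromised(log_text, threshold=5):
    """IPs redirected (302, i.e. logged in) after at least `threshold` failed (200) POSTs."""
    hits = set()
    for ip, events in login_posts(log_text).items():
        failures = 0
        for _, status in events:
            if status == 302 and failures >= threshold:
                hits.add(ip)
                break
            if status == 200:
                failures += 1
    return hits


if __name__ == "__main__":
    print("brute force sources:", brute_force_sources(SAMPLE_LOG))
    print("guessed a password:", likely_compromised(SAMPLE_LOG))
```

Run it against a real log with `python3 script.py < /dev/null` after swapping SAMPLE_LOG for the file contents; the threshold of five attempts in five minutes is a starting point, and a legitimate user who mistypes once (198.51.100.23 above) stays below it. Once the .htaccess rule from step 2 is in place, the same client's attempts show up as 403s, which is the quickest way to confirm the block is working.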
Remove WordPress Version Information
Giving a hacker the version of WordPress you are running is like giving him a map of potential exploits. If a hacker knows your WordPress version, there are many places that list the particular vulnerabilities for that version. This information can and should be hidden. MainWP allows you to do this with a single click. If you visit your MainWP dashboard you will notice a section labeled Security. Click Show All to show the status of each of MainWP's security checks. You can click the Fix All button, or click the site name and fix the issues one at a time, picking which ones you want to fix. To fix the WordPress version only, click the Fix button next to Removed wp-version. Be aware that the generator meta tag in the page head is not the only place the version leaks: WordPress also appends ?ver=<version> to the URLs of its own scripts and stylesheets, and readme.html in the site root states the version outright, so check those too. More information can be found in the MainWP documentation.
Prevent listing of wp-content, wp-content/plugins, wp-content/themes and wp-content/uploads
Letting a hacker list the contents of your WordPress directories is also a terrible idea and can divulge potential exploits. If a hacker knows which plugins and themes you run, and their versions, he can look up the particular vulnerabilities for them. This information can and should be hidden too. MainWP allows you to do this with a single click. If you visit your MainWP dashboard you will notice a section labeled Security. Click Show All to show the status of each of MainWP's security checks. You can click the Fix All button, or click the site name and fix the issues one at a time, picking which ones you want to fix. To fix the directory listing issue only, click the Fix button next to Prevent listing wp-content, wp-content/plugins, wp-content/themes, wp-content/uploads. On Apache the underlying fix is an Options -Indexes directive in .htaccess, or an empty index.php file in each directory, and you can verify it by requesting /wp-content/plugins/ in a browser: you should get a 403 or a blank page, not an "Index of" page. More information can be found in the MainWP documentation.
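To make the two preceding points concrete, the following added example (not MainWP code) shows what an attacker's first recon request reads off an unhardened site. The two HTML responses are constructed to resemble a stock WordPress page and an Apache directory index; the regexes pull out the same facts a scanner would: the core version (from the generator meta tag, or from the ?ver= query string on a wp-includes asset when the tag has been removed), plugin slugs and versions from asset URLs, and the plugin names exposed by a directory listing.

```python
"""What a scanner learns from an unhardened WordPress site.

Added example, not MainWP code. VERSION_PAGE and PLUGIN_LISTING are constructed
responses; the version numbers and plugin names are illustrative.
"""
import re

# A stock front page: generator tag plus versioned asset URLs.
VERSION_PAGE = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 4.1.1" />
<link rel="stylesheet" href="/wp-includes/css/dashicons.min.css?ver=4.1.1" />
<link rel="stylesheet" href="/wp-content/themes/twentyfifteen/style.css?ver=20141010" />
<script src="/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=4.1"></script>
</head><body></body></html>"""

# The same page after only the generator tag was removed: the core asset still carries ?ver=.
GENERATOR_STRIPPED = VERSION_PAGE.replace(
    '<meta name="generator" content="WordPress 4.1.1" />\n', ''
)

# What Apache returns for /wp-content/plugins/ when directory indexes are enabled.
PLUGIN_LISTING = """<html><head><title>Index of /wp-content/plugins</title></head><body>
<h1>Index of /wp-content/plugins</h1><pre>
<a href="../">Parent Directory</a>
<a href="akismet/">akismet/</a>
<a href="contact-form-7/">contact-form-7/</a>
<a href="index.php">index.php</a>
</pre></body></html>"""

GENERATOR_RE = re.compile(r'<meta name="generator" content="WordPress ([\d.]+)"', re.I)
CORE_VER_RE = re.compile(r'/wp-includes/[^"\']*\?ver=([\d.]+)')
PLUGIN_RE = re.compile(r'/wp-content/plugins/([^/"\']+)/[^"\']*\?ver=([^"&\']+)')
INDEX_RE = re.compile(r'<title>Index of (/[^<]*)</title>', re.I)
HREF_RE = re.compile(r'<a href="([^"?]+)/">')


def wp_version(html):
    """Core version leaked by the page (meta tag first, then wp-includes ?ver=), or None."""
    m = GENERATOR_RE.search(html) or CORE_VER_RE.search(html)
    return m.group(1) if m else None


def plugin_versions(html):
    """{plugin slug: version} for every plugin asset URL that carries a ?ver= string."""
    return {slug: ver for slug, ver in PLUGIN_RE.findall(html)}


def directory_listing(html):
    """(path, [subdirectory names]) if the response is an Apache index page, else None."""
    m = INDEX_RE.search(html)
    if not m:
        return None
    entries = [e for e in HREF_RE.findall(html) if e != ".."]
    return m.group(1), entries


def recon(html):
    """Everything the three checks can extract from one response, as a dict."""
    return {
        "wp_version": wp_version(html),
        "plugins": plugin_versions(html),
        "listing": directory_listing(html),
    }


if __name__ == "__main__":
    for name, page in [("front page", VERSION_PAGE),
                       ("generator removed", GENERATOR_STRIPPED),
                       ("plugins dir", PLUGIN_LISTING)]:
        print(name, "->", recon(page))
```

The second case is the one to take away: removing the generator tag on its own still leaves the version readable from the ?ver=4.1.1 on the dashicons stylesheet, so after applying the MainWP fix, fetch your own front page and run it through wp_version() to confirm it really returns None.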