WordPress is an extremely popular content management system because it is open-source and its extensive library gives you access to a wealth of useful tools. This popularity comes with a trade-off: it also makes WordPress a favourite target for malicious attacks.
Although WordPress is secure, it isn't without its vulnerabilities. Its themes and plugins are written by third-party developers, and hackers can easily exploit poorly developed plugins and themes to inject malware into your site. Even the web hosting service you choose can be compromised if it is insecure.
WordPress patches these vulnerabilities as they're found by releasing updates. To protect yourself from these attacks, install those updates, avoid flooding your site with plugins, and limit yourself to plugins that are evaluated and regularly updated (more on that shortly).
Improving your website security might seem like a daunting challenge if you are not a web developer, but taking simple steps like the ones in this post can drastically improve your website security and go a long way in earning the trust of your users.
WordPress site login pages can be reached by typing the default login address into the URL bar, and hackers can brute force this page to access the backend of your site. This makes your login page one of the most vulnerable pages on your website, and it is the page hackers most commonly target during an attack.
Securing the login page should be the starting point of fortifying your website security. You can start by hiding the login page, moving it from the default location – domainname.com/login.php – to a different URL that only you know.
If only you know it, a hacker can't access it. In addition to the login.php page, you should consider hiding the wp-admin directory too. It's pretty straightforward, but a plugin like WPS Hide Login can do the job for you as well.
If the hackers somehow figure out your login URL, they will attempt to brute force it to find out your username and password. Weak passwords and common usernames are painfully easy to brute force. Fortunately, this can easily be remedied by using a strong password and a difficult-to-guess username, and by changing them both frequently.
It is also crucial that you don't reuse the same login credentials elsewhere. If you have trouble choosing and remembering strong passwords, you can use one of the many password managers that will generate and remember a strong, secure password for you.
Another way to combat brute force attacks is to limit the number of login attempts. After a specified number of wrong guesses, you will get an alert about malicious activity and the site will lock itself down. Again, there's a useful plugin that does exactly that – iThemes Security lets you limit the number of failed login attempts.
Instead of using an obscure username to log in, you also have the more secure option of logging in with your email address. There are plenty of plugins out there that let you use email addresses for login purposes.
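To show what "limit the number of login attempts" looks like under the hood, here is an added example of a small must-use plugin (dropped into wp-content/mu-plugins/) that locks a username/IP pair after repeated failures. It is illustrative code written for this post, not code from iThemes Security or any other plugin; the limits (5 attempts, 15-minute lockout) and the use of transients as the counter store are assumptions.

```php
<?php
/*
Plugin Name: Limit Login Attempts (illustrative example)
Description: Lock a username/IP pair after too many failed logins.
*/
// Assumed policy: 5 failures within 15 minutes triggers a lockout for that window.
const LLA_MAX_ATTEMPTS    = 5;
const LLA_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;

// Counter key bound to both the username and the client IP.
// Caveat: behind a reverse proxy REMOTE_ADDR is the proxy, so every visitor
// would share one counter; configure the proxy's client IP first in that case.
function lla_key( $username ) {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'lla_' . md5( strtolower( $username ) . '|' . $ip );
}

// Count each failure; the transient expires on its own after the lockout window.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = lla_key( $username );
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, LLA_LOCKOUT_SECONDS );
    if ( $attempts >= LLA_MAX_ATTEMPTS ) {
        // Lands in the PHP/server error log, which is the alert the post talks about.
        error_log( sprintf( 'lockout: user=%s ip=%s attempts=%d',
            $username, $_SERVER['REMOTE_ADDR'] ?? 'unknown', $attempts ) );
    }
} );

// Runs after WordPress's own username/password checks (priority 20), so a
// correct password still cannot get through while the pair is locked out.
// Each blocked attempt also fires wp_login_failed, extending the lockout.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;
    }
    if ( (int) get_transient( lla_key( $username ) ) >= LLA_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that username/IP pair.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( lla_key( $user_login ) );
} );
```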
If you have come across error messages such as "error establishing database connection", "no such file/directory", or "Post/xmlrpc.php HTTP" on your WordPress site or in your server logs, you fell victim to an XML-RPC attack.
Xmlrpc.php is a file that lets you communicate with your site remotely from another device, say your smartphone. In other words, when you don't have your computer handy, xmlrpc.php allows you to interact with your site from your phone or any other device.
Back in the early days of WordPress, users wrote posts in an offline client, which connected to their site and published them. XML-RPC served as the intermediary between the website and the offline client.
XML-RPC becomes a website security liability because hackers can use it to brute force their way in. They exploit one of the vulnerabilities in XML-RPC to access the site and slip past your website security plugins undetected. They can also use it to crash your site, and thousands of others, in DDoS attacks.
For these reasons, you need to disable XML-RPC. There are several different ways to go about that. You can use a tool called XML-RPC Validator to check whether it is disabled or not. If it is enabled, don't fret, because disabling it is a walk in the park.
Simply install the Disable XML-RPC plugin and run it, and it will turn XML-RPC off. If you don't want to disable it altogether, use a plugin like Stop XML-RPC Attack to retain the functionality of the file that you require.
Another option, if you are comfortable with it, is to modify the .htaccess file in the root folder of your website. Be aware that a mistake in this file can stop your website from working, so make sure you have FTP or file manager access to the folder and take a backup copy of the .htaccess file first.
Edit the .htaccess file with a text editor like Notepad or Sublime Text, scroll to the bottom and add the following lines. Save and close the file, then refresh your browser to check that your website is still running.

    # Block all HTTP access to xmlrpc.php.
    # These are Apache 2.2-style directives; on Apache 2.4 they only work if mod_access_compat is loaded.
    <Files xmlrpc.php>
        order deny,allow
        deny from all
    </Files>
With WordPress's newer programming interface, XML-RPC becomes redundant. This new API can also be used via a plugin.
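As an added example (not code from the post or from the Disable XML-RPC plugin it mentions), here is a must-use plugin that disables XML-RPC from inside WordPress rather than at the web server, with one caveat that matters for the DDoS case: the xmlrpc_enabled filter only switches off the authenticated methods, so the pingback method has to be removed separately. It assumes the file lives in wp-content/mu-plugins/.

```php
<?php
/*
Plugin Name: Harden XML-RPC (illustrative example)
Description: Disable XML-RPC logins and pingbacks, and log anything that still arrives.
*/

// 1. Turn off every XML-RPC method that requires a login (the brute-force surface).
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Caveat: 'xmlrpc_enabled' does NOT cover pingback.ping, which needs no login
//    and is the method abused for reflected DDoS, so drop it from the method table.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint: remove the X-Pingback response header and blank
//    the pingback URL that themes print as <link rel="pingback"> in the page head.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return 'pingback_url' === $show ? '' : $output;
}, 10, 2 );

// 4. Detection: record every XML-RPC call that still reaches the site, with the
//    method name and client IP, so attempts are visible in the server error log.
add_action( 'xmlrpc_call', function ( $name ) {
    error_log( sprintf( 'xmlrpc_call method=%s ip=%s',
        $name, $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
} );
```

After installing, the XML-RPC Validator mentioned above is a quick way to confirm the endpoint no longer answers as before.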
By default, a file called wp-cron.php runs every single time someone visits your website. This file is essentially a task scheduler: it publishes scheduled posts for you, checks for website security updates from WordPress and for updates to your installed plugins and themes, and sends you email alerts.
As the traffic to your site increases, wp-cron.php hogs more of your server's resources and significantly slows down page loading times. Conversely, with little to no traffic, scheduled tasks build up and make loading even slower the next time the website is visited.
Not only does it slow down your site, but a cron job can also be exploited by hackers to inject malware into your database and run it, making it a risk to your website security.
Fortunately, fixing this problem couldn't be easier. Open the File Manager in your cPanel, navigate to the wp-config.php file and edit it. Add this line after the opening PHP tag at the beginning of the file:

    define('DISABLE_WP_CRON', true);

Now, you might not need the task scheduler to run every time the site is visited, but you do need it to run at least twice a day. You can do this by setting up a manual cron job. Navigate to the Cron Jobs section in your cPanel; then, in the common settings, select 12 hours from the hour drop-down menu. To finish up, enter this command (with username replaced by your own account name; the PHP binary is lowercase php, which matters on a case-sensitive server) and add the new cron job:

    cd /home/username/public_html; php -q wp-cron.php

Then you're all set.
If the same cPanel hosts multiple sites, set their cron jobs to run in sequence, one after the other.
As crucial as they are to a WordPress site, themes and plugins can be exploited, so they pose a website security risk. WordPress patches vulnerabilities and releases security updates frequently. If you don't stay up to date with the website security patches, you're in trouble.
Hackers rely on vulnerabilities that have already been patched but whose updates users have not yet applied. Poorly developed plugins are at a higher risk of being hacked because they lack proper website security measures.
So you need to keep the number of installed plugins as low as you can, and restrict yourself to plugins that have a good reputation and are maintained continuously for better website security.
Luckily, keeping track of and updating your installed themes and plugins is a piece of cake. Every time WordPress rolls out an update, you receive an email alert as well as a notification on your dashboard prompting you to update. On a related note, to improve your website security and to gain your visitors' trust when they submit personal information, consider getting an SSL certificate for your website.
This post is by no means a comprehensive guide, but it will serve to point you in the right direction. Following these steps and doing more research on cybersecurity can save you from the headache of getting hacked. All in all, besides your site's design and performance, you need to make website security a priority too.