Imagine for a minute that you are a professional house burglar, and you are scouting for the right house in the neighborhood to rob. For obvious reasons, you will always choose a house that is low in security measures like burglar alarms or surveillance systems, right?
Similarly, hackers always target those WordPress sites that are the easiest to break into – it does not matter to them how large the website is or how much business data it has. They want to illegally access and damage (or steal) your website data.
As an owner, you want to tighten your site’s overall security so that it becomes hard for hackers to break into. Among the many WP security measures, you can also harden your website or, in other words, fortify your website from hackers.
How does WordPress hardening work, and what is the easiest way to implement this measure? Let’s find out in the following sections.
What is WordPress Hardening?
WordPress hardening is a set of 12 website security measures recommended by the WP team. These hardening measures aim to protect commonly vulnerable areas in a WP installation that hackers usually exploit.
Hardening ensures that even if hackers do manage to gain a foothold into your website, they will not be able to easily gain control of your backend files and data.
What are these 12 hardening measures as recommended by WP? Here is the complete list:
- Implementing 2-Factor Authentication
- Limiting the number of login attempts to your accounts
- Blocking PHP execution in untrusted folders
- Disabling the File Editor tool
- Changing the security keys
- Using strong passwords mandatorily
- Disabling plugin installations
- Maintaining a security audit log
- Automatically signing out inactive users
- Setting up alerts for any suspicious logins
- Setting up a web application firewall
- Installing an SSL certificate for your website
Let us first discuss each one of these 12 hardening measures in further detail.
Measure 1: Implementing 2-Factor Authentication
Hackers typically use a form of attack called “brute force attacks” to target the login pages. These attacks are used to try different user credentials (username and password) to access WP accounts. Once they gain access, hackers can take control of the site and inflict maximum damage.
One of the effective modes of stopping brute force attacks on your website is implementing 2-Factor Authentication (or 2FA), a recognized security standard for any site. By implementing 2FA, any user – who tries to log in to their account – must first enter their correct user credentials, followed by entering a unique code (or one-time password) on the next page.
This unique code is only accessible from the user’s registered mobile number, making it hard for hackers to penetrate your login page.
Measure 2: Limiting the Number of Login Attempts
This is another hardening measure aimed at protecting your login page from unauthorized access. By limiting the number of failed logins to a maximum of three, you can virtually stop a successful brute force attack.
The best way of limiting login attempts is by installing the CAPTCHA protection tool. The CAPTCHA tool can distinguish between an “automated” bot and a “genuine” human user – thus preventing illegal access.
Measure 3: Blocking PHP Execution in Untrusted Folders
Any WP installation contains multiple files and folders that contain PHP files or PHP functions. PHP code is typically used to execute a specific function. Hackers can also insert their PHP code into new (or existing) files that are then executed to damage your website.
To prevent this, you can use the hardening measure of blocking PHP execution in any unknown or untrusted folder.
How do you implement this hardening measure? One way of implementing this measure is through the File Manager tool in your cPanel.
You need to insert the following code into the .htaccess files (located in the wp-includes, wp-admin, and wp-content folders of your installation:
<Files *.php> deny from all </Files>
Measure 4: Disabling the File Editor Tool
How do hackers add their malicious code or modify installed plugins/themes on any installation? They can do that in several ways – including using the File Editor tool in your installation.
If they gain access as an admin user, they can easily add their scripts or functions to deface your website or redirect your users to other sites.
SEO spamming and SQL injections are common types of hacks that make use of file editing capabilities.
An effective way of preventing this is by disabling the file editor tool. How can you implement this measure? Access the wp-config.php file in your installation to add the below code:
define ('DISALLOW_FILE_EDIT', true)
Measure 5: Changing the Security Keys
WordPress often stores your user credentials in a safe and encrypted form to simplify the login process so that you do not need to enter your credentials each time you wish to sign in to your account.
To ensure that your credentials are protected from hackers, WP encrypts the passwords and stores them in random variables, commonly referred to as security keys.
Like your login password, you are advised to change your security keys not to be easily deciphered.
How can you go about changing your security keys? First, you need to generate a fresh set of security keys from the secret key page. Next, you need to copy the new secret keys into your wp-config.php file.
Measure 6: Disabling Plugin Installations
Thanks to the increasing numbers of plugins, many users install plugins from untrusted sources. Hackers often exploit this weakness by damaging websites installed with unsafe or insecure plugins. Plus, they can also install malicious plugins of their own into the website.
The best guard against this is to disable the installation of plugins. How do you implement this? You can add the following code to the wp-config.php file:
define ('DISALLOW_FILE_MODS', true)
Measure 7: Setting up Alerts for any Suspicious Logins
Hackers keep coming up with new and innovative ways to access your account illegally. As a security measure, you can set up notification alerts if there is any suspicious activity, such as a login from a different device.
How can you implement this measure? You can use a plugin that performs automatic scanning of your website for any malware variant and immediately notifies you through email if there is any security breach. Two of our favorite plugins for are iThemes Security and Wordfence.
Measure 8: Setting up a Web Application Firewall
Among the most effective website protection modes, a firewall secures your website from any “bad” or suspicious IP requests. It does this by tracking the device’s IP address, sending the request, and blocking those known to be hackers.
As a result, a firewall can successfully block any malicious requests even before they reach your website.
Measure 9: Using Strong Passwords Mandatorily
Hackers often exploit weak or easy-to-guess passwords to gain illegal access to login pages. If multiple users are working on your site, you need to ensure that each one must mandatorily use strong passwords, and periodically keep changing their password.
A strong password is defined as at least 8 to 10 characters in length and has a combination of alphabets (upper and lower case), numbers, and special characters. As an admin, you can ensure that every new user being created is configured with a strong password.
Additionally, you can use a plugin, such as Expire User Passwords, to ensure users change their passwords over time. Check out our “Ensuring Your Site’s Passwords Stay Secure” article for more tips on hardening passwords.
Measure 10: Maintaining a Security Audit Log
In simple language, a security audit log helps you keep track of everything on your website. In other words, you can monitor what your users are doing, or which WP files are being modified. Additionally, you can detect if there is any suspicious activity on the site.
How can you implement this measure? Install a plugin like WP Activity Log that is a real-time user management and monitoring tool. This tool also maintains an audit log that records every change made on your website. You can also use this tool to sign out or block any user forcibly.
Measure 11: Signing Out Inactive Users
You can also protect your user account from unauthorized access by automatically logging out any inactive users or terminating any idle sessions. This is a standard and effective measure used in transaction-based accounts like banking or financial websites.
Measure 12: Installing an SSL Certificate
This brings us to the final website hardening measure – and that is to install an SSL certificate on your site. Short for Secure Socket Layer, an SSL certificate enables you to move your website from HTTP to HTTPS (or Secure HTTP).
HTTPS websites are more preferred today as every data transferred between the user’s browser, and the website is highly encrypted – so that any hacker cannot intercept it during transmission.
How do you install an SSL certificate? You can obtain one from your web hosting company or install a third-party SSL plugin like Let’s Encrypt.
The above-mentioned hardening measures can be effective – when each of these 12 measures is implemented. To make it easier for you, we advise using a security plugin, like MalCare or Wordfence, which is best equipped to execute most of these measures rather than you having to do all these manually.
With a few easy clicks, you can sign into the dashboard and select each of the following options:
- Block PHP Execution in Untrusted folders
- Disable File Editor
- Block Plugin/Theme Installation
- Change Security Keys
- Reset all passwords
Even better, many of the security plugins also have built-in features like 2-Factor Authentication, CAPTCHA protection, firewall, and unauthorized user access alerts.
While hardening measures are no guarantee against a successful hack, they can make life harder for hackers. What do you think of these measures? Have you implemented any of them for your website? We’d love to know your thoughts on this one!