About 45% of websites powered by WordPress made it a popular target for malicious actors. Hackers usually target e-commerce WordPress sites for financial gain and other WordPress sites to spread malware or spam. Hackers are differently motivated to attack WordPress websites. How can someone harden the WordPress website? Let’s explore!
Note: We are developing a comprehensive guide so everyone can harden their WordPress site without installing too many plugins. Get an early copy:
Wisely choose the Right Themes and Plugins
WordPress is popular because it is highly customizable. Perhaps installing your favorite theme and multiple plugins is your first step to customizing it. And this is one of the top reasons most WordPress websites get compromised by hackers. Developers need to apply best practices for security while creating WordPress themes and plugins. Failure to do so can make your WordPress vulnerable by installing these plugins and themes. To minimize the risk, you can follow the below steps:
- Choose the themes and plugins that care about security.
- Check their existing review.
- Use a child theme to manually apply more security features.
- Only install a few plugins.
- Regularly update WordPress Core, Themes, and plugins.
Hide WordPress Version and Disable XML-RPC
For a hacker, the first step to finding known vulnerabilities in a WordPress website is to look at its version number. Once hackers find the exact version number, they search for existing exploits. Hiding the version can make it difficult for them to find known vulnerabilities. XML-RPC can also be used for password brute force and DDoS attacks. Disabling it is recommended to enhance the WordPress website’s security. With some technical knowledge, you can easily hide the WordPress version and disable XML-RPC. For example, you can add the following lines to your functions.php:
remove_action('wp_head', 'wp_generator'); //Remove version from header
add_filter('the_generator', '__return_empty_string'); //Remove version from RSS Feed
add_filter('xmlrpc_enabled', '__return_false'); //Disable XMLRPCStop WordPress user Enumeration
WordPress website is top on the list for brute force attacks because enumerating the username is too easy. Once attackers have the username, they can brute force to crack passwords. There are three different ways hackers can enumerate usernames. Three ways you can stop username enumeration.
Limit Rest-API username enumeration
An endpoint in the Rest-API lists all users on your WordPress website.
You can disable the user endpoint to prevent username enumeration using Rest-API with this code:
Customize the Username in the author permalink
Malicious actors that target your WordPress website can enumerate usernames by looking at the author’s permalink. Customizing the author permalink can add an extra layer to prevent enumerating usernames. WordPress website’s admin can achieve this with .htacess:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^author=([0-9]*)
RewriteRule .* - [F]But it is also possible to change the author’s permalink by modifying functions.php.
Change the default login error message
Another way is to enumerate WordPress usernames by sending thousands of usernames automatically and manipulating WordPress’s default error messages.
If you enter the correct username but the wrong password, we get the error The password you entered for the username admin is incorrect. That means an attacker can now be sure that the username is correct and go ahead with password brute forcing. You can even customize this error message with the following code:
function login_error() {
return 'Wrong credentials';
}
add_filter('login_errors', 'login_error');Use Strong Password
By default, WordPress doesn’t have any brute-force password protection. If you use an easy-to-guess password, the attacker will easily crack it. It is hard to guess that a password is still a significant factor in hardening your WordPress security. Never use a password something like “MyName1942.” Instead, use something like “UkaL#0Bae(1337)”.
Ban IP After Several Failed Login Attempts
Banning IP after several failed login attempts is another effective method to limit the brute force attack against your WordPress website’s login page. For example, if you ban an IP after three failed login attempts for 5 minutes, it will take much longer to attempt 1000 failed attempts. Banning IP is not a bulletproof method to prevent brute force attacks as the attackers can use the IP rotation method to bypass it, but prohibiting IP can help harden your WordPress website.
Implement Captcha for The Login Page
Banning IP after several failed login attempts and implementing a custom captcha can help harden WordPress websites from password brute-forcing attacks. You can use third-party plugins or by adding some codes in your functions.php.
Use Two-Factor Authentication
If you followed the above methods to harden the security of your WordPress website, The security is already 70% increased. But if you want more security, using a two-factor authentication plugin like WP 2FA or Two Factor Authentication can add another layer of protection. Two-factor authentication will prevent the attacker from accessing the dashboard even if he has the correct credentials, as the secret code will be sent to your email address.
Use Web Application Firewall(WAF)
Use a firewall plugin like WordFence or a third-party service like CloudFlare to harden WordPress security from OWASP’s Top 10 vulnerabilities. A web application firewall monitors and filters malicious web requests and blocks suspicious requests automatically.
Perform Regular Security Audit
The best method to protect your WordPress website from hackers is by thinking like a hacker. Penetrate your website to discover and remediate vulnerabilities before a hacker takes advantage of it.
Making WordPress Security Simple with Bytium
Hardening WordPress is a technical task that requires knowledge of programming and security. It may be an appropriate task for some. Multiple steps are involved in hardening WordPress security. Bytium is here to take care of the security of your WordPress website in the following methods:
- Conduct a comprehensive security audit to find the current security posture of the website.
- Apply necessary code for functions.php(Child theme) or .htaccess.
- Harden in every possible including the features discussed above.
We have also developed a plugin for our clients to make it easier to configure some parts and harden the WordPress security automatically. We don’t sell the plugins, but it is just a part of our services to buy some time. Features of the plugin include:
- Standard hardening practices such as hiding the WordPress version and disabling unnecessary features that pose security risks.
- Custom error login message.
- Advanced method of preventing user enumeration.
- Custom captcha.
- Limiting login attempts and banning IP.
- Directory protection(Best practice).
- Sending notifications to admin automatically
- And some more features.
There is no impact on site performance.
You don’t even need to touch the plugin settings. Everything is done in the background.
After a security audit, our client chooses to install a plugin. Our WordPress Security Hardening can be customized as follows:
- We harden your WordPress completely manually without installing the plugins.
- We conduct the security audit, and you apply code and best practices by following guidance. The benefit is that you don’t need to give us admin access to the website.
- You can also request different features.
Why install dozens of plugins to secure your WordPress site instead of hardening it systematically? We can ensure your WordPress website’s security will be promoted to a next level you have never seen before. Please don’t wait until the data breaches occur. Order WordPress Security Hardening service today.
