There are few things worse than having your WordPress site hacked, especially if you don’t have a clean backup. That’s every single post you’ve ever written gone and probably some serious damage to your search engine rankings. It could take you months of work to recover.
Don’t be one of those people: secure your WordPress blog! I’ll show you how I secure mine in this article.
Why Would Someone Hack My WordPress Site?
Many bloggers are lax about security, probably because they think it will never happen to them. Why would anyone bother to hack a small WordPress blog when there are much juicier sites to target?
People will try and hack your site for a multitude of reasons:
- Just for the sheer hell of it
- A bit of fun and practising their skills
- Because you’re an easy target
- But mainly they want to take over your server so they can use it to host illicit content; porn, software downloads, crypto mining or whatever. They are hoping that by the time you notice there’s an issue they’ve made their money
So don’t get complacent: putting some fairly basic measures in place will help protect your site.
I got caught by ransomware once, a number of years ago; it wasn’t my WordPress site but my wife’s MacBook. Once the machine was infected it encrypted every file on it and then displayed a message saying that in order to recover your files you had to pay a few hundred dollars.
Fortunately, I had set up Dropbox in such a way that it backed up all user files to the cloud so I simply formatted the hard drive and downloaded a clean version of all the files from Dropbox. Even though I had a backup in place it was still a couple of anxious days and emails back and forth to Dropbox to sort it all out. If I hadn’t set up those backups my wife would have lost everything (and as the resident techie out of the pair of us it would have been my fault as far as she was concerned). Lesson learned.
How Do I Secure My WordPress Blog?
Fortunately securing your WordPress site is fairly straightforward and does not involve anything too technical. Here’s what I do:
Automated daily backups
Make sure you have some sort of automated backup process in place. If the worst does happen and you get hacked, you can restore all your content.
In my case, my hosting company offers automated daily backups for 4 weeks and this is the best way to do it. If your hosting company doesn’t offer an automated backup service then you can use a plugin such as UpdraftPlus (the free version will suffice for most people).
Backups are not 100% foolproof as sometimes hackers will put their malware or whatever on your site but then wait a month or so before doing any noticeable damage. So you could end up restoring a backup that is already infected, allowing the hacker to get straight back in again. My suggestion is that before you restore your backup you contact your hosting provider and explain that you have been hacked. If they are competent they will be able to scan your files and remove any nasties before you do a restore.
Keep Plugins and WordPress Up to Date
Plugin authors and the WordPress team don’t just release updates to add new features; they also release them to fix security issues, so it’s important to keep everything up to date. I have all my plugins and WordPress set to auto-update so I don’t even have to think about it.
Use the Latest Stable PHP Version on your Servers
Different hosting companies have different policies when it comes to automatically updating the version of PHP running on their servers, so it is worth checking what version your site is on.
If you discover that you are running on an end-of-life version (pre v7.0 at the time of writing this), then your hosting company isn’t auto-updating at all, in which case I strongly advise you to get a new hosting company, as this is bad practice.
Newer versions of PHP are quicker and more secure, and older versions stop receiving security patches once they reach end of life.
At the time of writing the latest version of PHP is 8.1. Versions 7.0, 7.1, 7.2, and 7.3 were deprecated as of August 15th, 2022 and they go end of life on February 28th, 2023.
I checked with both WPX.net & Cloudways and their default version of PHP is currently 7.4 which will stop getting security updates on November 28th 2022. So they will both automatically update their/my servers to version 8.0 around that date (the version after 7.4 is 8.0, there was no version 7.5, 7.6 etc.).
If you do the update yourself, be careful: create a clone of your server (if your host offers this) and test it thoroughly before pushing your changes live.
Wordfence Security Plugin
If you don’t have Wordfence or another similar plugin installed yet, go and do it. Wordfence is a brilliant plugin and offers a lot of features even in the free version. It primarily provides a firewall and malware protection for WordPress, but it also offers lots of other security-related features.
I leave most of the Wordfence settings to the default values, but here are some screenshots showing you the areas I do configure.
These settings limit how many times someone can attempt to log into my site. I reduce them from the default values:
This is how I set up Two Factor Authentication (note this is also the screen where you can disable XML-RPC):
Two Factor Authentication
I have two-factor authentication set up both to access my hosting account and to access WordPress Admin (I use Wordfence for the latter). This means that any time I want to log into my accounts I have to enter a number that is generated by my phone using the Google Authenticator App.
This, plus having very secure passwords in the first place, is a major barrier to anyone trying to gain access to your site or hosting.
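The number the phone app shows is a time-based one-time password (TOTP, RFC 6238), which is what Wordfence checks when you log in. The following is an added example written for this article, not Wordfence’s or WordPress’s own code, showing how such a code is generated and verified on the server side, including the one-step tolerance window that allows for clock drift; the secret used is a constructed sample, not a real account key.

```php
<?php
// Added example: RFC 6238 TOTP verification (SHA-1, 6 digits, 30-second step),
// the scheme used by Google Authenticator. Not part of the article or Wordfence.

// Authenticator apps store the shared secret as base32; PHP has no built-in decoder.
function base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(rtrim(strtoupper($b32), '=')) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException("invalid base32 character: $c");
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) {
            $out .= chr(bindec($chunk));
        }
    }
    return $out;
}

// HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter, then dynamic truncation.
function hotp(string $secret, int $counter, int $digits = 6): string {
    $hash   = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hash[19]) & 0x0f;
    $code   = ((ord($hash[$offset]) & 0x7f) << 24)
            | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8)
            |  ord($hash[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// TOTP: the counter is the number of whole 30-second steps since the Unix epoch.
function totp(string $secret, int $time, int $step = 30, int $digits = 6): string {
    return hotp($secret, intdiv($time, $step), $digits);
}

// Accept the current code and one step either side, compared in constant time.
function verify_totp(string $secret, string $submitted, int $now, int $window = 1, int $step = 30): bool {
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totp($secret, $now + $i * $step, $step), $submitted)) {
            return true;
        }
    }
    return false;
}

$secret = base32_decode('JBSWY3DPEHPK3PXP');   // constructed sample secret, not a real key
$now    = time();
$code   = totp($secret, $now);                 // what the phone would display right now
var_dump(verify_totp($secret, $code, $now));          // accepted: within the window
var_dump(verify_totp($secret, $code, $now + 120));    // rejected: four steps old
```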
XML-RPC is basically a way of opening up WordPress so that other applications can communicate with it (Jetpack for example). It has since been superseded by the WordPress API but it is still enabled by default in WordPress.
Unfortunately, XML-RPC opens up WordPress a bit too much and is often used as a route of attack by hackers, so you should disable it. Some hosting providers do this by default, some let you switch it off yourself, and if your host doesn’t offer that at all you can switch it off via Wordfence.
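If neither your host nor Wordfence is doing it for you, XML-RPC can also be switched off inside WordPress itself. The following must-use plugin is an added example, not code from the article, Wordfence or WordPress, and uses WordPress’s own xmlrpc_enabled, xmlrpc_methods and wp_headers filters; it assumes you can place a file in wp-content/mu-plugins/ on your host.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example, not part of the article)
 *
 * Save as wp-content/mu-plugins/disable-xmlrpc.php. Must-use plugins load
 * before ordinary plugins and cannot be deactivated from the dashboard.
 */

// Refuse every XML-RPC request that needs a login. Credential guessing through
// xmlrpc.php (including system.multicall batches) is the usual abuse of this endpoint.
add_filter('xmlrpc_enabled', '__return_false');

// xmlrpc_enabled only covers authenticated methods; the pingback methods need no
// credentials and are the other common nuisance, so unregister them as well.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// Stop advertising the endpoint: drop the X-Pingback response header and the
// RSD <link> tag that WordPress adds to <head>.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');
```

Note that xmlrpc.php still exists and will answer with an XML-RPC fault after this; if you want requests to it never to reach PHP at all, that has to be done at the web server or hosting control panel level, as in the Cloudways setting described next.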
Whilst we are on the subject of things you can disable via your hosting company, these are my settings in Cloudways, where I have disabled everything I don’t need (SSH, CORS, XML-RPC & Direct PHP Files Access):
The above is everything I do to make my sites more secure; I think Wordfence and Two Factor Authentication are probably the two most important ones to implement, along with automated backups just in case.
In addition to the above, there are lots of other things I’ve seen people do: hiding various files/directories, e.g. wp-config.php and the wp-content/plugins directory, or changing the default login URL from wp-admin to something more obscure (you can use a free plugin called WPS Hide Login for this). I personally don’t do any of these; maybe I should, but I do more than most, so hopefully hackers will look for an easier target.