How to Implement Basic WordPress Security Measures

Basic WordPress security measures prevent the most common simple breaches. WordPress-powered websites are far from being immune to hackers, although the latest release/s do address many earlier security issues. WordPress, like all other popular content management systems and forums such as phpBB, vBulletin, is a major target for hackers and spammers. Basic prophylactic measures need not be complicated or expensive.

Those involved in hacking WordPress usually want to use the sites as concealed (cloaked) link farms. It’s rare that actual damage is done to your site, and often the site owner remains blissfully unaware that there’s been any interference. Some of the link injection systems are extremely sophisticated! Testing for enemy action can be as simple as opening your site and choosing View / Source and reading through the content of the <Head> section down to, and including, the tag. The link injections I’ve seen are usually in there. Is there a long string of HTML code containing links to dozens of sites you know nothing about? If there is, you’ve been had and should contact a WP Tech Support expert!

This article is not about fixing security violations. It’s about simple prophylactic measures most “non-technician” site owners take. This is not a slick and professional security strategy, and there are some who will scoff at using “security by obscurity” as a primary tactic. However, even on a tight budget, the following 10 zero-dollar steps can and should be taken to minimise the possibility of attack.

Hardening WordPress

1 – Always Use the Current WordPress Version

Why anyone would persist with an older version is beyond me. Upgrading has always been easy enough, and recent versions reduce the pain to a mere button click! The community of authors work extremely hard and surprisingly quickly to address known security problems

2 – Remove WP Target Identifiers

Remove the Powered by WordPress credit details in the footer of your website’s theme – e.g.; /wp-content/themes/the-current-theme/footer.php. This is the fastest way to reduce the chances of the ill-intentioned finding your site in the first place! Try it – do a search on Google for “Powered by WordPress” and you’ll get the picture… At the time of writing, there are 106 million competing page opportunities out there for hackers!

By all means, give WordPress the credit they deserve – but you could do it on your links page, or make it a graphic/image link instead of text…

WordPress themes may also come with a giveaway WP version HTML tag in the Head section which you may see in View / Source.

Obviously, this immediately reveals the WordPress version used on the site. Since some versions are vulnerable to known security flaws, you’ve just told the hackers where they are best to start their evil work…

Removing this giveaway is straightforward enough. Simply open up /wp-content/themes/the-current-theme/header.php and delete the code that’s outputting the Meta Generator tag.

RSS Feed: There is another version identifier tag in the RSS Feed output, e.g.: v=2.8.4 Removing the RSS version identifier can be done by opening /wp-includes/general-template.php and searching for “function the_generator”

The line immediately below that statement commences with echo apply_filters(‘the_generator’…… Place a # character in front of the word echo, as per #echo apply_filters(‘the_generator’ etc

Doing the above pretty much gets you out of the spotlight and into the shadows. You could also remove links to “Log In” from the current theme’s footer. There are 3.8 million competing page opportunities for a Google search for “wp-login.php” and it’s probably a good thing to not be on that list either.

WordPress also adds two easily accessible files in the directory into which it’s installed; licence.txt and readme.html. Renaming or removing those is important because they also contain WP version information!

3 – Don't Use Default Admin ID

If you recklessly use “admin” as the default user ID, you’ve given the hacker half the pieces of the puzzle and they only have one item left to crack – the password.

4 – Don't Use Easy Passwords

Don’t make it easy for the hackers! Use super-difficult passwords that are impossible to guess, and not easy to crack. That applies to the hosting account control panel, FTP access AND WordPress administration access. Ideally, high-exposure sites should use different passwords for each of those areas.

Recent versions of WordPress seem to have addressed the issue of directory browsing, by keeping people out of areas they shouldn’t be looking. Securing the wp-admin area via SSL is a lot more complicated than it should be. There are no well-written, easy-to-use plugins available for this – those that do exist appear well past their WP version use-by date. It’s also far too easy to end up locked out of your site while trying to make them work!

5 – Implement a Firewall & Login Security

There’s an excellent “plug and play” firewall called Block Bad Queries… Then install one of the Limit Login Attempts plugins… and also block XML RPC, there is a plugin for that too!

6 – Ensure File & Directory Permissions Are Secure

File system security is important, to prevent easy unauthorised access. There may be times when you have needed to alter permissions to edit files, or copy files into a directory. Did you reset permissions to the correct default afterwards? If not, you’ve left a door ajar… Pull it shut and lock it again!

7 – WordPress Plugin Integrity

As a general rule, only install plugins from the official WordPress Extend / Plugins repository. There at least, they are in the spotlight, and subject to some scrutiny. Installing plugins from anywhere else leaves you wide open to malware exploitation! At a basic level, your WordPress security measures should avoid non-official plugins like the plague…

8 – WordPress Theme Integrity

Ok, you can go anywhere and get free themes and make them work… but can you trust the source? Can you be sure that no malware is included? Can you be sure that no security breaches are opened by insecure coding? Personally, if I want a theme, I’d rather go to a reputable source and buy one that is coded for the latest version of WP, and where some assurance is implied as to suitability for the intended purpose.

9 – Automate Your Backups

One of the most fundamental WordPress security measures is using one of the backup plugins that automate the process of backing up your WordPress database and storing the files in a secure Cloud Storage location – GDrive or Dropbox etc. Install and use a reputable backup plugin! They can be a lifesaver, for a variety of other reasons.

10 – Server, Network and PC Vulnerabilities

Be aware of the configuration of your hosting company’s web server. Is it running old versions of PHP, MySQL, cPanel in a shared hosting environment? If so, that places you at greater risk than being on a hardened server with up-to-date tools and services running.

Never access your WP installation from a non-secure network such as internet cafes, coffee shops or hotel WiFi systems.

Another common-sense measure is to ensure your PC you post from uses current and reputable anti-virus software that also detects malware, spyware and key-loggers. The best option is to request a technical SEO audit and get a full site health check.

Stop WordPress being hacked

Page last updated on Thursday, October 12, 2023 by the author Ben Kemp