Like any other website, a WordPress site needs constant security checks and hardening. From a freshly installed WP site to a long-running one, any site can become the victim of a security breach or hacking attempt.

6 Advanced WordPress Security Tips Which No One Will Tell You

In this post we will discuss and apply some advanced WordPress security tips and security plugins that can help you secure your website.

Before digging down to the second level of securing a WordPress website, let us first take an overview of the basic security tips that every WordPress beginner should implement.

Consider it a basic guide to WordPress security and follow it as described.

Basic WordPress security tips for beginners

It begins the moment you download WordPress from WordPress.org.

Everyone knows the default values and components of a WordPress installation, and attackers try to exploit them in different ways to gain access to the website.

[Image: No one can stop a hardcore chess player from playing]

Basic steps of WordPress Security

  • While filling in the second and third screens of the WordPress installer, avoid using “wp_” as the table prefix and “admin” as the username (the admin login credential).

    NOTE: If you already have “wp_” as the table prefix, you can change it by following the instructions here.

  • After setting up the whole website, regularly update core and plugins and take regular backups.

      • To enable automatic core and plugin updates, open wp-config.php and add this line:
        define( 'AUTOMATIC_UPDATER_DISABLED', false );
      • It is not mandatory to enable auto-updating of core, themes and plugins. Developers often tweak themes and plugins to achieve the desired look and functionality, and an automatic update would overwrite those changes. See these instructions to adjust the auto-update rules for your website.
      • To enable automatic backups, go through the WordPress plugin directory and choose a plugin.
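The selective approach described above, where everything updates automatically except the items you have customized, can be expressed with the auto_update_plugin and auto_update_theme filters. This is an added example, not code from the original post; the must-use plugin path and the slugs in the two lists are assumptions you replace with your own:

```php
<?php
/**
 * Added example: auto-update every plugin and theme except the ones that carry
 * local modifications. Save as wp-content/mu-plugins/selective-auto-updates.php
 * (assumed location; any must-use plugin path works).
 *
 * Core updates are controlled separately in wp-config.php:
 *   define( 'WP_AUTO_UPDATE_CORE', 'minor' ); // minor/security releases only
 */

// Constructed sample slugs: replace with the plugins/themes you hand-edited.
const S9_CUSTOMIZED_PLUGINS = array( 'my-customized-plugin' );
const S9_CUSTOMIZED_THEMES  = array( 'my-child-theme' );

/**
 * Decide whether a plugin may auto-update.
 *
 * @param bool|null $update Decision WordPress has made so far.
 * @param object    $item   Update item; $item->slug is the plugin slug.
 * @return bool
 */
function s9_auto_update_plugin( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, S9_CUSTOMIZED_PLUGINS, true ) ) {
        return false; // customized: leave it for a manual, reviewed update
    }
    return true; // everything else gets security fixes without waiting
}
add_filter( 'auto_update_plugin', 's9_auto_update_plugin', 10, 2 );

/**
 * Same decision for themes; $item->theme is the theme's directory name.
 */
function s9_auto_update_theme( $update, $item ) {
    if ( isset( $item->theme ) && in_array( $item->theme, S9_CUSTOMIZED_THEMES, true ) ) {
        return false;
    }
    return true;
}
add_filter( 'auto_update_theme', 's9_auto_update_theme', 10, 2 );
```

A must-use plugin is loaded before regular plugins and cannot be deactivated from the dashboard, which is why it is a good home for policy like this. The customized items still show up in the updates screen, so they are not forgotten, only kept out of the unattended path.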

  • Hide the WordPress admin URL and other default URLs so that automated registrations and login attempts are neutralised. Read more here.

  • Limit login attempts to stop brute-force attacks. Download the plugin here.

  • A firewall is a must for protection from DDoS attacks, bad bots, spam, SQL injection etc. Cloudflare (freemium) and Sucuri provide this firewall service along with other benefits.

Advanced WordPress Security Tips

After taking care of the basics, most owners gain a sense of security which unfortunately is a cloud between their perception and the bitter truth.

Hackers know their way around these measures and how to exploit a site to take it over, perform unauthorized actions or even take it down.

Before going further, I would like to point to the WPScan Vulnerability Database and WPScan, which are great resources for learning about the latest WordPress vulnerabilities and for scanning your own WordPress website for them. Do try them!

Now let us discuss some advanced security tips to make your WordPress website more secure.

1. Remove WordPress version from website

WordPress leaves footprints in the pages it serves, and one of them is the exact version of WordPress your website is running. It is publicly readable by anyone.

On wpvulndb.com you will see a list of vulnerabilities along with the affected WordPress version numbers.

If you haven't updated WordPress, or are waiting for the next release, you can easily become the victim of script kiddies and automated tools programmed to search for and exploit specific WordPress versions.

The WordPress version number appears in three main areas of a website:

  • The generator meta tag in the header:
    <meta name="generator" content="WordPress 4.7.1" />
  • Stylesheets and scripts, as a query parameter. If a stylesheet or script does not specify a version number when enqueued, the current WordPress version is used instead:
    custom.min.css?ver=4.7.1
  • RSS feeds (generator tag):
    <generator>http://WordPress.org/?v=4.7.1</generator>

To remove the WordPress version from all three areas, add this code to your theme's functions.php file:

/**
 * Hide WP version strings from scripts and styles
 * @return {string} $src
 * @filter script_loader_src
 * @filter style_loader_src
 */
function social9_remove_wp_version_strings( $src ) {
    global $wp_version;
    // parse_url() returns null when there is no query string; cast so parse_str() always gets a string.
    parse_str( (string) parse_url( $src, PHP_URL_QUERY ), $query );
    // Only strip the parameter when it is the core version; plugin/theme asset versions stay for cache busting.
    if ( ! empty( $query['ver'] ) && $query['ver'] === $wp_version ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'social9_remove_wp_version_strings' );
add_filter( 'style_loader_src', 'social9_remove_wp_version_strings' );

/* Hide WP version strings from the generator meta tag (the RSS <generator> tag goes through the same filter) */
function s9bg_remove_version() {
    return '';
}
add_filter( 'the_generator', 's9bg_remove_version' );
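After applying the filters above it is worth verifying that none of the three leaks survive in the pages your site actually serves. The following self-check is an added example, not code from the original post: it scans a page body for the generator meta tag, core-version ?ver= parameters on assets, and the RSS generator tag. The sample fragment is constructed; on a real site you would pass the HTML of your own home page and feed (the example.com URL in the comment is a placeholder).

```php
<?php
/**
 * Added example: report WordPress version leaks in a page or feed body.
 * Usage on your own site (placeholder URL):
 *   print_r( s9_find_version_leaks( file_get_contents( 'https://example.com/' ), '4.7.1' ) );
 */

/**
 * Return every core version string found in $body, keyed by where it appeared.
 * An empty array means the functions.php filters are doing their job.
 */
function s9_find_version_leaks( string $body, string $wp_version ): array {
    $leaks = array();
    $v     = preg_quote( $wp_version, '/' );

    // 1. <meta name="generator" content="WordPress x.y.z" />
    if ( preg_match( '/<meta\s+name="generator"\s+content="WordPress[^"]*"/i', $body, $m ) ) {
        $leaks['meta_generator'] = $m[0];
    }

    // 2. Assets whose ver= equals the core version. Other ver= values (a plugin's
    //    own version, a library version) are legitimate cache busters and are ignored.
    if ( preg_match_all( '/(?:href|src)="([^"]*\?(?:[^"]*&)?ver=' . $v . ')"/i', $body, $m ) ) {
        $leaks['asset_query'] = $m[1];
    }

    // 3. <generator>http://WordPress.org/?v=x.y.z</generator> in RSS/Atom output
    if ( preg_match( '/<generator>[^<]*\?v=' . $v . '<\/generator>/i', $body, $m ) ) {
        $leaks['rss_generator'] = $m[0];
    }

    return $leaks;
}

// Constructed sample input exhibiting all three leaks plus one harmless ver= value.
$sample = <<<HTML
<meta name="generator" content="WordPress 4.7.1" />
<link rel="stylesheet" href="/wp-content/themes/x/custom.min.css?ver=4.7.1" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<generator>http://WordPress.org/?v=4.7.1</generator>
HTML;

print_r( s9_find_version_leaks( $sample, '4.7.1' ) );
```

The jquery.js entry is deliberately not reported: its ver= is the library's own version, which the filter above also leaves alone. Hiding the version number only removes an easy fingerprint; keeping core, themes and plugins updated remains the actual fix for the vulnerabilities listed on wpvulndb.com.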


2. Limit XML-RPC functionality

XML-RPC has been abused to launch DDoS attacks. Read more about this vulnerability here.

What is XML-RPC?

XML-RPC on WordPress is an API. It gives developers and other services a way to talk to your WordPress site.

The XML-RPC API lets developers write applications that can do many of the things you can do while logged into WordPress through the web interface.

Here is a full list of the WordPress API functions available to developers via XML-RPC.

You can disable XML-RPC by installing the Disable XML-RPC plugin or by adding these entries to your .htaccess file.

Disable XML-RPC using .htaccess:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

In practice it is rarely worth disabling this functionality completely. It is commonly used by Jetpack, pingback tracking, the WordPress mobile app and IFTTT, and disabling XML-RPC breaks them.

So it is recommended to be selective about what you allow and disallow rather than disabling it outright.

You can selectively enable and disable XML-RPC for services using .htaccess or plugins.

Selectively allow XML-RPC using .htaccess:

# Allow xmlrpc.php requests only from specific addresses
<Files xmlrpc.php>
order deny,allow
deny from all
# IP address of the service you want to allow
allow from xxx.xxx.xxx.xxx
</Files>

Disabling XML-RPC from a plugin

To disable this service from a plugin, add this line to the plugin code:

add_filter('xmlrpc_enabled', '__return_false');
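A middle ground between the all-or-nothing .htaccess rules and the xmlrpc_enabled filter (which only turns off the methods that require authentication) is to remove just the pingback methods, since those are the part that gets abused for DDoS amplification, while Jetpack and the mobile app keep working. This is an added example, not code from the original post; the must-use plugin path is an assumption:

```php
<?php
/**
 * Added example: keep XML-RPC available for legitimate services but remove the
 * pingback methods and stop advertising the endpoint.
 * Save as wp-content/mu-plugins/limit-xmlrpc.php (assumed location).
 */

/**
 * Drop only the pingback methods from the XML-RPC method table.
 * Every other method (posting, media upload, Jetpack's calls) is untouched.
 *
 * @param array $methods method name => handler, as registered by WordPress.
 * @return array
 */
function s9_disable_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 's9_disable_pingback_methods' );

/**
 * Remove the X-Pingback response header so scanners are not told where the
 * endpoint lives.
 *
 * @param array $headers headers WordPress is about to send.
 * @return array
 */
function s9_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 's9_remove_pingback_header' );

// The RSD discovery link in <head> also points at xmlrpc.php; themes print it via wp_head.
remove_action( 'wp_head', 'rsd_link' );
```

If you later decide a service does not need XML-RPC at all, the single add_filter( 'xmlrpc_enabled', '__return_false' ) line from the post can be added to the same file; the two approaches are complementary rather than exclusive.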


3. Use WordPress security keys

[Image: WordPress security salt keys in wp-config.php]

Some of you have seen this before, but with different values. These are the WordPress security salt keys, found in the wp-config.php file.

They are a set of random strings that improve the encryption of the information stored in a user's cookies while they are on a WordPress website.

These security keys make password-cracking attempts harder, which increases the security of a WordPress website.

To use these keys on your WordPress installation, or to replace the default set, generate a random set of keys online by visiting here. It is recommended to use WordPress's own random salt key generator rather than composing your own.

Open the wp-config.php file, search for “AUTH_KEY” and replace the values with the newly generated key set.

You can generate another set by refreshing the page.

NOTE: If your website was previously hacked and restored, or something fishy is going on with your WordPress site, it is recommended to change your WordPress salt keys.
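The point of the recommendation above is that the keys must come from a cryptographically secure random source, not from a human typing "random" characters. When the online generator is not an option (an air-gapped host, or a build pipeline), the same quality of key can be produced locally with PHP's CSPRNG. This is an added example, not code from the original post or from WordPress itself; the output file name is an assumption:

```php
<?php
/**
 * Added example: print a fresh set of the eight wp-config.php keys and salts
 * using random_int(), which is backed by the operating system's CSPRNG.
 * Run: php generate-salts.php > new-salts.txt (file name is an assumption),
 * then paste the lines over the existing define() block in wp-config.php.
 */

const S9_KEY_NAMES = array(
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
);

/**
 * Build one key of $length printable ASCII characters. Quotes and backslashes
 * are left out so the value is safe inside a single-quoted PHP string.
 */
function s9_random_key( int $length = 64 ): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!@#$%^&*()-_=+[]{}<>,.?/|~';
    $max = strlen( $alphabet ) - 1;
    $key = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $key .= $alphabet[ random_int( 0, $max ) ]; // CSPRNG-backed, uniform
    }
    return $key;
}

/** Return the eight define() lines, one per key, ready to paste into wp-config.php. */
function s9_salt_block(): string {
    $lines = array();
    foreach ( S9_KEY_NAMES as $name ) {
        $lines[] = sprintf( "define( '%s', '%s' );", $name, s9_random_key() );
    }
    return implode( "\n", $lines ) . "\n";
}

echo s9_salt_block();
```

Rotating these keys invalidates every existing authentication cookie, so all users (including you) are logged out and must sign in again. That is exactly the effect you want after the incident described in the NOTE above, but it is worth scheduling on a production site.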

4. Disallow file editing

A user with admin access to your dashboard can edit files that are part of the WordPress installation, including plugins and themes.

Disabling the file editor for plugins and themes prevents an unauthorized party (a hacker) who gains dashboard access from modifying theme and plugin files.

Disabling editing of theme and plugin files in WordPress

Add the following line to the wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

NOTE:

  • Place this line at the end of the config file.
  • Disallow editing once the site is complete and no further modifications to the theme and plugins are required.


5. Block malicious URL Requests

A very popular method of attack is sending requests whose parameters carry direct queries against the database. Payloads containing CONCAT, base64, eval() and similar can expose sensitive information, which is then used to gain access to or extract data from the website.

To block such URL requests, use the BBQ: Block Bad Queries plugin, which checks all incoming traffic and quietly blocks bad requests.
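To make concrete what a request filter of this kind does, here is a minimal version written as a must-use plugin. It is an added example, not code from the original post and not the BBQ plugin's own code; the plugin path is an assumption. It checks the decoded path and query string against a short pattern list built from the attack classes named above, logs and returns 403 on a match. Pattern lists like this are easy to evade and can produce false positives, so it is one layer next to updates and a proper firewall, not a replacement for them.

```php
<?php
/**
 * Added example: block requests whose URL carries obvious query-injection
 * or code-evaluation payloads. Save as wp-content/mu-plugins/s9-bad-queries.php
 * (assumed location).
 */

// Patterns derived from the attack classes the post names (SQL helpers,
// eval(), base64 helpers) plus path traversal and inline script tags.
const S9_BAD_QUERY_PATTERNS = array(
    '/\bconcat\s*\(/i',                 // SQL string building
    '/\bunion\b[\s\/\*]+\bselect\b/i',  // UNION ... SELECT
    '/\beval\s*\(/i',                   // PHP eval()
    '/\bbase64_(?:en|de)code\s*\(/i',   // base64 helpers
    '/(?:\.\.\/){2,}/',                 // repeated ../ traversal
    '/<script\b/i',                     // inline script tags
);

/**
 * Return the first matching pattern, or null when the request looks clean.
 * The input is URL-decoded once so %-encoded variants are checked too.
 */
function s9_find_bad_query( string $query_string, string $request_uri = '' ): ?string {
    $haystack = urldecode( $request_uri . '?' . $query_string );
    foreach ( S9_BAD_QUERY_PATTERNS as $pattern ) {
        if ( preg_match( $pattern, $haystack ) === 1 ) {
            return $pattern;
        }
    }
    return null;
}

/** Block the current request when it matches, logging the reason for later review. */
function s9_block_bad_queries() {
    $match = s9_find_bad_query( $_SERVER['QUERY_STRING'] ?? '', $_SERVER['REQUEST_URI'] ?? '' );
    if ( $match === null ) {
        return;
    }
    error_log( sprintf(
        'Blocked bad query from %s matching %s',
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $match
    ) );
    status_header( 403 );
    nocache_headers();
    exit( 'Forbidden' );
}
// Priority 1 on init: runs before almost all plugin and theme code sees the request.
add_action( 'init', 's9_block_bad_queries', 1 );
```

The separation between s9_find_bad_query() and s9_block_bad_queries() is deliberate: the first is a pure function you can feed constructed URLs to while tuning the pattern list, the second is the only part that touches the live request. Review the error_log output for a while before trusting the list on a busy site.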

6. Hide/Protect wp-config.php and .htaccess

Hiding/protecting these files serves one goal: preventing unauthorized access to wp-config.php and .htaccess.

If anyone has remote access to these files, they can turn off security measures and compromise the website.

Protecting/Hiding wp-config.php in WordPress

Add this code to the .htaccess file to block unauthorized access to the wp-config.php file:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Protecting/Hiding .htaccess in WordPress

Similarly, this code blocks unauthorized access to the .htaccess file:

<Files .htaccess>
order allow,deny
deny from all
</Files>

I hope this article has expanded your knowledge of advanced WordPress security tips and will help you further secure your WordPress website.