Tips for WordPress security improvements on a VPS Server

Hello there, this is my first tutorial, it will be about the security section of the WordPress, and if you're interested, I will be making more tutorials about the WordPress for different sections.

Today, our focus is the security, as well known, the WordPress is an open-source and free to use, and among the most used between the other available CMS (Content Management System), makes it represent ~25% of the web.

Talking about the WordPress and security, there are two major factors you should always consider when talking about the security of a website

Hosting platform side: The server where the website will be hosted must be optimized and secured, shared hosting plans are more often the less secure, depends on their reputation in the market that reflects their efforts in keeping their servers secure, by having a powerful infrastructure, I mean, the softwares and hardwares that empowers the security even for shared plans, use your shared hosting provider wise, or go for a VPS.

Website application side: Talking about the WordPress, it's core is so secure, it might be a free application, but being open-source and having that massive community helps this application to get better, beside the available updates, plugins, tips and solutions, makes it more secure at the end, while the non-trusted and non-supported plugins and themes could harm your WordPress website by making it vulnerable.

Improve your login informations

Username: Having a username as "admin" and "administrator" for your WordPress website would be a serious problem, makes it easier to target, while using a username that is hard to guess, would be your first step to harden your security. Apply this when installing your WordPress, and in case it's already installed, no worries, l ogin to your dashboard, go to: Users > All Users, create a new account with the role of Administrator and delete the old "admin/administrator" account. The username could be changed but not in the WordPress dashboard, you'll need to do it manually by editing the 1st username in the database.

Note: Make sure to add a Nickname and apply it in Display name publicly as instead of the Username.

Password: Having a guessable password for your WordPress dashboard is not a wise decision, make sure you use a strong password. Note: You can use a strong password generator[1] and also force strong passwords[2] to all your WordPress users if you activated the registration option.

Keep your WordPress up-to-date

A new version of WordPress doesn't only include additional features and bugfixes, it addresses the known security issues so make sure not to skip them, especially the minor updates (x.x.x)

Be aware of the used themes and plugins

According to the statistics, it represents 51% of the hacked WordPress websites, due to the security issues of themes and plugins (29% and 22%). It means that every installed theme and plugin is a potential security risk in case it is poorly coded or otherwise not up to date. For that reason, you should limit the number of active plugins on your WordPress, and to get rid of the inactive plugins and all what you can go without, limiting the used plugins will improve not only the security of your WordPress but will make it load faster. And about the theme, don't keep more than two themes, if possible, keep one theme only and it better be a premium one.

Check your theme for potentially malicious code

It’s a good idea to scan new themes of malicious code if you’re not 100 per cent satisfied that the code is clean. Luckily, there was a few great programs to help you out – and they’re all free, no less. Theme Authenticity Checker (TAC)[3]

Check your WordPress exploits

Exploit Scanner[4] searches the files on your site, as well as the posts and comments tables of your database, for anything suspicious. It also examines your list of active plugins for unusual filenames. This plugin is also easy to use – just install and activate it and go to Tools > Exploit Scanner to run a scan.

Backup your WordPress regularly

If your website goes down, you'll be in a better position with the backup in your hands, here are some available plugins to help you with this: UpdraftPlus WordPress Backup[5] VaultPress[6]

You might also want to look into the type of backup service your hosting provider has in place. Many offer daily backups, which can really save your skin (I’m speaking from experience).

Limit login attempts

A good way to avoid the brute force attacks is to limit the number of login attempts users are allowed to perform before WordPress shuts them down. Plugins as WP Limit Login Attempts[7] track failed attempts by IP and prohibit further ones if necessary.

Taking advantage of two-step authentication

To make these kinds of attacks even more difficult, you can install a two-step authentication process. That way users will have to input additional credentials, for example, that have been sent to their mobile phone. Here are two plugins for this: Duo Two-Factor Authentication[8] Clockwork SMS[9]

Change the WordPress database prefix

The WordPress by default creates databases with the wp_ prefix, as of every well known fact about the WordPress, it could be helpful for the hackers. You can change the prefix after the WordPress installation, manually by going to the wp-config.php file and scrolling down to: $table_prefix = 'wp_'; By changing the prefix name from the wp-config.php file, the database name should be edited by phpMyAdmin or any similar services. This is a helpful plugin about that matter: iThemes Security[10].

Setting the correct files permissions

By choosing correct file permissions on your server, you can avoid non-permitted upload or changing of files. Permissions can be changed via an FTP client such as FileZilla. As for what they should be changed to:

755 or 750 for directories 644 or 640 for files wp-config.php should be set to 440 or 400 More information can be found here: WordPress Codex - Changing files permissions.[11]

This is the end of this tutorial, I hope it provided you with helpful tips, if you have any questions, or anything you want me to cover the next time about the WordPress, please let me know in a comment, thank you so much for your attention.

[1]: https://privacycanada.net/strong-password-generator/
[2]: https://wordpress.org/plugins/force-strong-passwords/
[3]: https://wordpress.org/plugins/tac/
[4]: https://wordpress.org/plugins/exploit-scanner/
[5]: https://wordpress.org/plugins/updraftplus/
[6]: https://vaultpress.com/
[7]: https://wordpress.org/plugins/wp-limit-login-attempts/
[8]: https://wordpress.org/plugins/duo-wordpress/
[9]: https://wordpress.org/plugins/clockwork-two-factor-authentication/
[10]: https://wordpress.org/plugins/better-wp-security/
[11]: https://codex.wordpress.org/Changing_File_Permissions

comments (3)

  • Ade

    - 6 years ago

    Iyz

  • eera5.com

    - 4 years ago

    Interesante artículo, pero me parece que hace falta una actualización.

    Como principio de seguridad se debe mantener WordPress con la versión actualizada (al momento, la 5.3.2 a la espera de la 5.4 en marzo 2020 de acuerdo al roadmap oficial disponible en: https://wordpress.org/about/roadmap/ ). De manera consistente, se debe evitar la instalación de plugins que aún no hayan sido probados con la versión de WordPress , o que al menos hayan sido actualizados en los últimos 12 meses.

    La última actualización de Theme Authenticity Checker (TAC), fue hace más de 3 años; así como la de Exploit Scanner.

  • eera5.com

    - 4 years ago

    Interesting article, but it seems to me that an update is needed.

    As a security principle, WordPress must be maintained with the updated version (at the moment, 5.3.2 waiting for 5.4 in March 2020 according to the official roadmap available at: https://wordpress.org/about/roadmap/) . Consistently, you should avoid installing plugins that have not yet been tested with the WordPress version, or that have at least been updated in the last 12 months.

    The last update of Theme Authenticity Checker (TAC), was more than 3 years ago; as well as that of Exploit Scanner.