CarmaBlog

 Version française disponible

WordPress is one of the most popular CMS (Content Management System). That popularity also means that it is a target of choice for hackers.
In this article, I will give you some tips to keep your website secure and avoid being attacked.

1. Use latest versions

This is true for WordPress itself but also for all your extensions. There are new versions available regularly. If a plugin has not been updated for a while, it is probably not maintained anymore and you might need to remove or replace it. This is also applicable for your theme.
The version of PHP is also important, check with your hosting provider that you are running the latest version of PHP (7.X), especially the versions 5.X won’t be supported by the end of the year.
Also, note that the more extensions you have installed, the more risk you are taking, as your WordPress configuration will rely on more 3rd party code. You should only keep the plugins that you really need. If a plugin is disabled, don’t keep its source code and remove all its associated files.

2. Use secure login details

Never use the default admin user. If you do, disable this account and create your own account with a personalized username.
Choose a strong password. If several users are managing your website, make sure the permissions are valid and avoid giving the admin permission to everyone.

3. Scan your website

This is an easy and quick way to find vulnerabilities and see if one of your plugins is vulnerable or not. You can use these 2 online tools:

• WordPress Security Scan (my favourite with a detailed report)
• WPScans

4. Use .htaccess files to protect your directories

The .htaccess file is a server configuration file. It allows you to define rules for your server to follow.

For example, in /wp-content/uploads, I have created the following .htaccess:

# Deny access to everything by default
Order deny,allow
Deny from all

# Allow access to media files
<FilesMatch "\.(jpg|jpeg|png|gif|bmp|zip|rar|pdf)$">
    Allow from all
</FilesMatch>

This config ensures only media files are accessible from the browser, any JavaScript, PHP files will be discarded. It is not 100% bulletproof as only the extension is checked, but it is better than nothing.

To avoid execution of malicious PHP in some folder (e.g. in /wp-includes), you can create another .htaccess file with the following content:

<Files *.php>
Order allow,deny
Deny from all
</Files>

5. Review file and directory permission

Make sure the critical files (wp-config.php, php.ini…) are not writable publicly, only readable. Only owners should be able to write.

6. Use security headers

You can check which security headers you currently use with this online tool.

At the root folder, update the .htaccess file and add:

# Extra Security Headers
<IfModule mod_headers.c>
	Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
	Header set X-XSS-Protection "1; mode=block"
	Header set X-Frame-Options "sameorigin"
	Header set X-Content-Type-Options "nosniff"
	Header unset Server
	Header always unset X-Powered-By
	Header unset X-Powered-By
	Header unset X-CF-Powered-By
	Header unset X-Mod-Pagespeed
	Header unset X-Pingback
</IfModule>

In wp-config.php, add:

/** Extra Security */
header('X-Frame-Options: SAMEORIGIN');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
header('Strict-Transport-Security:max-age=31536000; includeSubdomains; preload');
header('Referrer-Policy: no-referrer-when-downgrade');
header('Content-Security-Policy: upgrade-insecure-requests');
header('Feature-Policy: autoplay \'none\'; camera \'none\'; encrypted-media \'none\'; fullscreen \'none\'; geolocation \'none\'; microphone \'none\'; midi \'none\'; payment \'none\'; vr \'none\'');
header_remove('X-Powered-By');
header_remove('Server');
header_remove('X-CF-Powered-By');
header_remove('X-Mod-Pagespeed');
header_remove('X-Pingback');
@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);

7. Do not expose too much information

At the root folder of your website, in php.ini, add the line:

expose_php = Off

Your current version of PHP will not be exposed.

8. Backup your website regularly

Last but not least! You don’t need a particular software or extra plugin to achieve this.

• With your favourite FTP tool (e.g. Filezilla), save all the files available on your server.
• For the database, use the available MySQL backup feature. Many hosting companies provide access to phpMyAdmin, an online tool.

I recommend doing a backup every month, and keep the history of the last 6 backups somewhere safe. Of course, it depends on the volume of articles you are writing and how critical is your data.

That’s it! If you have done all the above, your website should be more resilient to attacks. In the worst case, you should be able to recover easily.

Happy safe blogging!