If you're using the world's most popular CMS system, you're in the company of a quarter of the world's websites, but you're also at risk. Here are some quick ways of starting the journey towards hardening your WordPress website.
 
Figures vary on the exact percentage of the world’s sites that are powered by the WordPress Content Management System, but the number is usually given at around 25%, give or take 5%. That is a staggering number. But there’s a very good reason for it – developers love WordPress because it saves them a huge amount of time.
Additionally, amateurs wishing to create their own website find it quick and easy to use – installing WordPress with a handful of clicks is often a feature available on the control panel of web hosting companies.
The WordPress backend is generally intuitive to use (though it does have a couple of quirks) and the modular nature of the platform allows for the easy installation of plugins to provide extra functionality, including surveys, advanced contact forms, scrollable maps, and more. Moreover, adding content is essentially as simple as typing it into a text box (although familiarity with HTML tags does provide much greater control than the WordPress WYSIWYG editor allows).
But of course there is a huge drawback with tens of millions of websites using the same backend Content Management System: if a vulnerability is found, that vulnerability affects a lot of websites! And while WordPress itself may receive a reasonably speedy update to rectify a newly-discovered security hole, the same may not be true of the thousands of plugins, as security problems in plugins are sometimes not addressed in a timely manner at all.
As a website owner whose site is powered by WordPress, however, there are a number of things you can – and should – do to harden your site against intrusion and exploitation. 
Change the Administrator Username and Password
The very first thing you should do is ensure that the administrator username and password are solid. It’s easy for attackers to figure out where the administrator login page is on WordPress: they can take an educated guess which will likely be correct, or do a simple directory scan which will almost certainly pick it up.
Attackers also know that the default administrator username will likely be “admin”, because almost nobody changes it from the default WordPress sets. You absolutely should do this, because it is a simple exercise and it makes the attacker’s job much harder. In fact, it is the very fact that attackers will be assuming the username is “admin” which makes this such an effective step: they may throw hundreds of thousands of password attempts at the login page with the username assumed to be “admin”. If it’s not, the best password list in the world won’t get them in using this method.
How do you change the administrator username?
Log in as the administrator using the “admin” username and whatever password you’ve set up;
Go to Users → Add New in the side menu;
Create a new user with a more obscure username than simply “admin”;
Choose a good password (see our post on creating a secure password);
In the “Role” box, choose “Administrator”;
Save the new user;
Log out of the admin account;
Log into the new administrator account just created;
Go to Users in the side menu;
Click “Delete” next to the “admin” user;
You’ve taken the first (and a giant) step toward hardening your WordPress website.
Remove Any Unused Plugins and Themes
Plugins are a real security issue for WordPress. The best advice is simply to use as few plugins as possible and to completely remove any that are not needed. A common way for attackers to get into WordPress sites is to learn of a plugin vulnerability (which can be done with a simple search) and to scan multiple WordPress sites until they find some using that particular vulnerable plugin, then deploy the attack.
A simple way to ensure you are on as few of these plugin scans as possible is to use as few plugins as possible, and to remove any which are not, for whatever reason, required. That’s not to say that you shouldn’t use plugins, they enhance the user experience on your site immensely, but if they’re not needed (you installed them just to try them and decided against them, perhaps), get rid of them.
How do you remove unnecessary plugins?
Log in as an administrator;
Go to Plugins in the side menu;
Click Delete next to the plugin you wish to remove (if the plugin is currently active and you wish to remove it, click “Deactivate” first and the “Delete” option will appear);
WordPress will ask if you wish to delete the plugin files – click “Yes, delete these files”. 
How do you remove unnecessary themes?
Log in as an administrator;
Go to Appearance in the side menu;
Hover over the theme you want to delete and click the “Delete” option that appears in the bottom right;
WordPress will ask you to confirm the theme deletion; confirm it;
You’ve moved even further toward hardening your WordPress website. 
Keep WordPress and Any Used Plugins Updated
For the same reasons given above for removing any unused plugins and themes, any that are still used should be kept up-to-date. This also goes for the WordPress installation itself. It’s worth considering that, if you have had a developer amend a pre-bought theme, updating the theme may remove that work. Also, updating WordPress itself and some of the plugins may cause them to stop working. However, the annoyance of all this is still much less than you would suffer if your site were compromised.
Ideally, WordPress should be set to auto-update.
How do I Update WordPress and Its Themes and Plugins?
Any WordPress site created since October 2013 will install “minor” security releases automatically. Because WordPress security releases come in the form of many “minor” updates rather than a handful of “major” ones, this should be sufficient most of the time.
However, we recommend you log in to WordPress as an administrator once a month and action any updates which have not been done automatically. They can be seen at the top of the screen when you log in as administrator, under Updates. A red circle will indicate an update is outstanding.
Similarly, further down the left menu, a red circle will appear next to Plugins if any need updating, and next to Appearance if any Themes need updating.
Back Up the WordPress Site
As a last resort, your site should be regularly backed up. This way, if it is compromised, it can easily be restored to a pre-compromised state.
There are a number of ways to do this – it may be possible to schedule a regular backup via the website hosting company. However, if you prefer to be in control of this more directly yourself, WordPress backups can be automated via special plugins.
The WordPress Plugins page lists a number of excellent options for this: https://wordpress.org/plugins/tags/backup/ – any with four or more stars over more than a hundred reviews is a good option. One especially good option may be the “Backup & Restore Dropbox” plugin, which not only backs up the WordPress site files and database, but also does this directly into a Dropbox account. So in effect, the backups are themselves backed up: https://wordpress.org/plugins/dropbox-backup/
Webserver Security
Your WordPress site can also be compromised via the webserver itself, rather than the WordPress software directly. A good hosting company will ensure that their web hosting servers are updated with the latest security, but you should be aware that if you are on cheap, shared hosting (where multiple sites are hosted on a single webserver), a compromise of any other site on that server could lead to your own site being compromised. We strongly advise paying that extra cost to avoid shared-server hosting if your budget allows for this.
Web-Application Firewall
Another method of hardening your WordPress site is to use a web-application firewall (WAF). This software blocks malicious traffic before it even reaches your website.
Two well-known web-application firewalls are Sucuri and Cloudflare, with Sucuri being slightly better for WordPress sites due to its improved security monitoring and overall features combined with lower prices.
Specialised WordPress Security Plugins
There are many excellent plugins for WordPress with the express purpose of increasing security. While these are too numerous to cover exhaustively, some key plugins worth thinking about are outlined below:
Login Lockdown
(This won’t be necessary if you have a web-application firewall as outlined above, as the WAF will take care of repeated failed logins)
This plugin is simple to set up – once installed, simply visit Settings → Login LockDown and you’ll be confronted with three number boxes which are self-explanatory, but which we will outline here:
Max Login Retries: This is the number of login attempts before a login lockdown is actioned. Our advice here would be to set this to 3, which seems a reasonable number of attempts for someone to make, even if they have typed the password incorrectly initially.
Retry Time Period Restriction (Minutes): After a bad login attempt, how long before the next one can be made? A reasonable figure for this would be 2, so as not to irritate someone who has simply mistyped, but which is enough to seriously slow down an automated attack.
Lockout Length (minutes): If someone has attempted enough failed logins to cause a login lockdown, how long does that login lockout last? A reasonable figure for this would be 60 minutes, as the user has already had the chance to enter the correct login details three times before lockdown has occurred.
iThemes Security
This great security plugin enables several additional security options, of which two key ones are the ability to hide the WordPress version (thus making it far more difficult for the attacker to craft or find an exploit for your particular version), and to change the WordPress backend login URL (see above on how easily this URL is guessed).
In addition, this plugin can perform 404 detection – if a user is receiving a large number of 404 (page not found) errors from your site, they are probably attempting a directory scan. These users can be blocked (although a cunning attacker would use a VPN or a proxy to change their IP address and would try again).
WP Security Questions
Another simple plugin, this one enables security questions to be added to the WordPress backend login form. This can easily be set to ask questions that only someone from your staff or family would know, and is another barrier against hackers gaining entry.
WordFence
WordFence is a popular plugin which checks the WordPress site (as well as the webserver it is hosted on) for malicious traffic and known backdoors. Additionally, it scans comments and posts for malicious code, which can help prevent cross-site scripting attacks.
Acunetix WP Security Scan
Acunetix is a well-known web application security company, and this plugin, made by the Acunetix team, is written specifically for WordPress.
It scans your WordPress site for known vulnerabilities and notifies you if any problems are found.
Google Authenticator
For the security-minded, two-factor authentication is a must. This plugin allows you to either replace the password with a two-factor authentication or add two-factor authentication to the usual username / password combination.
This combines the WordPress login process with a mobile phone app which generates an authentication code which must be provided at WordPress login. This excellent additional layer of security seriously impedes any attempt to guess passwords and completely defeats brute-force attempts.
More Technical WordPress Security Hardening
For those prepared to enter the WordPress PHP files and do some tinkering, some additional security measures can be achieved.
Isolate the wp-config.php file
This is perhaps the most important WordPress file and the one that most attackers will likely go for should they get filesystem access to your WordPress installation, either through a compromised webserver or via another method such as FTP. It contains a wealth of sensitive information which WordPress relies on, such as the database name, user and password and authentication keys.
However, it can be “isolated”, making it impossible to request directly over the web, and so much more difficult to access. To action this, find the .htaccess file in the WordPress installation file structure (it should be located in the root directory, along with the wp-admin and wp-includes directories). Edit the file and add this:
<Files wp-config.php>
# Apache 2.2 syntax; Apache 2.4 uses "Require all denied" instead
Order allow,deny
Deny from all
</Files>
Disallow File Editing
One weakness of the WordPress backend is that anyone who has access to it can use the backend to actually edit the WordPress files themselves. While this is a feature which is intended to make administration of the site easier, it can be abused.
The feature is never really necessary as the files can be amended using Secure File Transfer Protocol (SFTP) instead, but if an attacker were to amend the PHP code in a WordPress file, they could actually get access to the webserver itself rather than just the WordPress installation. They could then potentially delete your WordPress installation from the server, and possibly anything else on the server! Disallowing this feature is a good idea.
Find the wp-config.php file (it should be in the root WordPress directory) and add the following to it at the very end:
define('DISALLOW_FILE_EDIT', true); // disables the theme and plugin file editors in the dashboard
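As an added example (not part of the original post, and not Hedgehog’s or WordPress’s own tooling), here is a small POSIX shell audit that checks a WordPress root for both of the technical steps just described: the .htaccess block around wp-config.php and the DISALLOW_FILE_EDIT constant. It assumes an Apache host with .htaccess in the root directory (nginx sites have no .htaccess and need the equivalent location rule instead); the function names and the two sample installs it builds are constructed for the demonstration.

```shell
# Added example, not from the original post. Audits a WordPress root directory
# for the two hardening steps above; assumes Apache and the standard layout.

# Returns 0 when .htaccess has a <Files wp-config.php> block that denies access,
# in either Apache 2.2 ("Deny from all") or Apache 2.4 ("Require all denied") form.
htaccess_isolates_wpconfig() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    # Lower-case the file (directives are case-insensitive), then keep only the
    # lines between <Files wp-config.php> and </Files>.
    block=$(tr '[:upper:]' '[:lower:]' < "$f" |
        awk '/<files[ \t]+"?wp-config\.php"?[ \t]*>/ {inb=1}
             inb {print}
             /<\/files>/ {inb=0}')
    printf '%s\n' "$block" | grep -Eq 'deny from all|require all denied'
}

# Returns 0 when wp-config.php contains an active (not commented-out)
# define('DISALLOW_FILE_EDIT', true); with either quote style.
wpconfig_disallows_file_edit() {
    f="$1/wp-config.php"
    [ -f "$f" ] || return 1
    grep -Eiq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$f"
}

# Prints one line per check; returns 1 if anything failed.
audit_wordpress_root() {
    rc=0
    if htaccess_isolates_wpconfig "$1"; then echo "OK    wp-config.php is blocked in .htaccess"
    else echo "FAIL  wp-config.php is not blocked in .htaccess"; rc=1; fi
    if wpconfig_disallows_file_edit "$1"; then echo "OK    DISALLOW_FILE_EDIT is set"
    else echo "FAIL  DISALLOW_FILE_EDIT is not set"; rc=1; fi
    return $rc
}

# Constructed sample installs (placeholders, not real sites) so the audit runs offline.
make_sample_root() {   # $1 = directory, $2 = hardened | unhardened
    mkdir -p "$1/wp-admin" "$1/wp-includes"
    if [ "$2" = hardened ]; then
        printf '%s\n' '<Files wp-config.php>' 'Order allow,deny' 'Deny from all' '</Files>' > "$1/.htaccess"
        printf '%s\n' '<?php' "define('DB_NAME', 'placeholder_db');" "define('DISALLOW_FILE_EDIT', true);" > "$1/wp-config.php"
    else
        printf '%s\n' '# nothing protects wp-config.php here' > "$1/.htaccess"
        printf '%s\n' '<?php' "// define('DISALLOW_FILE_EDIT', true);  <- commented out, so inactive" > "$1/wp-config.php"
    fi
}

HARDENED_DIR=$(mktemp -d);   make_sample_root "$HARDENED_DIR" hardened
UNHARDENED_DIR=$(mktemp -d); make_sample_root "$UNHARDENED_DIR" unhardened
audit_wordpress_root "$HARDENED_DIR" || echo "hardened sample: unexpected failure"
audit_wordpress_root "$UNHARDENED_DIR" || echo "unhardened sample: findings above need attention"
```

Point the audit at a real install with audit_wordpress_root /path/to/wordpress; a FAIL line tells you which of the two steps is still outstanding.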
The above security suggestions to harden your WordPress installation are by no means exhaustive (an entire essay or indeed a book could be written on this subject) but they are a few things you might want to try as a starting point. Remember a key security adage: prevention is better than cure! 
If you would like to gain further insight into the level of security on your WordPress website, get in touch today to find out more about our penetration test service.