If you own or manage a WordPress website, you know very well how security should always be your first and foremost priority.
Besides the serious risk of losing your business, hackers can also steal private or sensitive data from your users and logs.
This may have severe consequences for your brand’s reputation and credibility and may even expose you to legal liability.
Whether it’s a DDOS attack, a malware injection, or a brute-force credentials hijack, chances are an army of people (and bots) are always hunting for a target.
Taking all necessary action to secure your perimeter is critical to minimize all these risks. In the case of WordPress, there are many simple things you can do to significantly reduce the chances your website’s safety is violated.
Let’s have a look at them.
How to Protect Your WordPress Website From Cyber Threats
1. How to Install WordPress Plugins
Before we delve into the various ways you can improve your website’s security, knowing how to install plugins in WordPress is a requisite. Many of these security tips involve installing one or more of these simple tools, and the entire procedure is relatively straightforward.
From your site’s Dashboard, go to the Plugins: Add New Plugin page.
Here, you have two options:
The first is to search for the plugin in the built-in directory, click on it, and install it.
Otherwise, you can download the plugin as a file from an external source and then upload it through your WordPress dashboard.
When you upload the plugin from an external website (such as the WordPress Plugins repository), it will come as a .zip file. Click on the Upload Plugin button at the top of the screen, select that file, and then click Install Now.
Disclaimer and Words of Advice
Please note that while all the plugins we listed in this article are safe and secure, there’s always a chance they might lead to internal conflicts.
This can happen more frequently if you have installed multiple plugins or incorporated some custom scripts in your website.
As general advice, if you do not like a plugin or are unsatisfied with its functions, do not install another one with similar functions on top of it; remove the first one.
Many plugins serve the same role, especially those with multiple functions, such as spam filters that act as firewalls.
Two plugins serving the same purpose will likely get in each other’s way, so pick the one that suits your needs best and uninstall or at least deactivate the other.
You can do so from the Plugins: Installed Plugins page by clicking on the Deactivate function in the plugin description you want to deactivate.
You can reactivate them again later at any time unless you delete them.
In any case, ensure you always back up your database before installing anything on your website so you always have a safe recourse if something unexpected happens.
If you don’t want to install another plugin to back up your WordPress site, you can do that safely from your web host dashboard. The exact steps to back up your site may vary depending on your hosting services. You can also work through your respective File Manager, such as cPanel, Plesk, or Webmin.
2. Protecting Your Website from Brute-Force Attacks
One of the most dangerous situations you may face is having your entire website stolen by some cybercriminal. Hackers will try to brute-force their way through your login page to steal your credentials and gain access to your database.
Since, by default, all WordPress logins are served from the same two paths (/wp-admin or /wp-login.php), it’s straightforward to find them and start an attack to illegally gain access to the site.
The default login URLs for WordPress sites are usually the following ones:
- sitename.com/wp-admin
- sitename.com/wp-login.php
How Can Brute-Force Attacks Damage Your Site?
Once hackers find your login page, they will start a brute-force attack to force their way inside. Once they successfully guess your admin login credentials, they can do whatever they want with your website.
A stolen website can be transformed into a spam page or ransomed for money, or your database of private customer data can be stolen.
Or a hijacker may install some malware for phishing purposes, track your customers’ activities, steal credit card data, etc.
Even if they do not manage to steal your website, armies of bots constantly attacking your website will waste precious WordPress resources and bandwidth.
How Can You Deal with Brute-Force Attacks?
Security through obscurity is, by far, the most efficient method to reduce this risk.
In other words, you must ensure cybercriminals do not find any easy access points, and you must monitor your entry points.
Change Your Login Page’s URL
First, change your login URL to something no one can guess. If the login page is hidden, it will be much harder for human hackers to find it and nearly impossible for bots, which will significantly reduce unwanted login attempts.
Even a straightforward change such as /wp-login-hidden/ would reduce the rate of casual, bot-driven brute force attacks to near zero.
Still, you can do better than this: change your login page to something hard to guess, such as a long string of letters and numbers, and change it again every few months or so.
Many plugins allow you to change your login page rather quickly. Below are a few free ones, but don’t forget that changing the login URL is a function found in many of the major all-around security plugins, so make sure to avoid conflicts:
However, that’s not the only step you want to take since there’s always some workaround that cybercriminals can find to correctly guess your login URL.
Limit Login Attempts
The next step is to monitor the logins and limit the number of attempts. No brute-force attacker can guess your credentials on the first try.
This means that if you start monitoring a very high number of login attempts, that’s almost certainly some hacker trying their way in.
Monitoring individual logins will help you spot if your users had their usernames stolen.
As a direct consequence, limiting the number of login attempts to just a few (say, three or four) will save your website from brute-force attacks, even if your hidden login URL has been found.
And if one of your admins got locked out because they forgot their password too many times… well, it’s time for them to change it!
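The lockout logic described above can also be implemented without a plugin. The following is an added example written for this article, not code from the article or from any of the plugins it mentions: a small must-use plugin that counts failed logins per IP address in a WordPress transient and refuses authentication once the limit is reached. The hooks (wp_login_failed, authenticate, wp_login), WP_Error and the transient functions are real WordPress APIs; the constants, thresholds and example_ function names are this example’s own choices.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 * Description: Added example (not from the article): locks out an IP address
 *              after too many failed logins, using WordPress transients.
 *
 * Save as wp-content/mu-plugins/example-login-limiter.php to load it automatically.
 */

define( 'EXAMPLE_MAX_ATTEMPTS', 4 );       // failures allowed before lockout
define( 'EXAMPLE_LOCKOUT_SECONDS', 900 );  // 15-minute window and lockout

// Key the counter on the visitor's IP. Behind a reverse proxy or CDN you must
// use the proxy-supplied client IP instead; otherwise every visitor shares the
// proxy's address and a single lockout blocks everyone.
function example_login_ip_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'example_login_fail_' . md5( $ip );
}

// Count each failed attempt. Re-setting the transient on every failure makes the
// window slide, so an attacker who keeps hammering stays locked out.
function example_record_failed_login( $username ) {
    $key      = example_login_ip_key();
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, EXAMPLE_LOCKOUT_SECONDS );
    // Leave a trail for monitoring (goes to the PHP error log).
    error_log( sprintf( 'example-login-limiter: failed login #%d for user "%s"', $attempts, $username ) );
}
add_action( 'wp_login_failed', 'example_record_failed_login' );

// Refuse authentication while the lockout is active. Priority 30 runs after the
// built-in username/password check (priority 20), so the error below replaces a
// successful result too: even a correct guess during the lockout does not log in.
function example_block_locked_ip( $user, $username, $password ) {
    if ( (int) get_transient( example_login_ip_key() ) >= EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_block_locked_ip', 30, 3 );

// A successful login clears the counter for that IP address.
function example_clear_attempts_on_login( $user_login, $user ) {
    delete_transient( example_login_ip_key() );
}
add_action( 'wp_login', 'example_clear_attempts_on_login', 10, 2 );
```

Because the counter lives in a transient, it is shared by all PHP workers and survives across requests, and it expires by itself without any cleanup job. Keep the error message generic, as above: telling the visitor which part of the credentials was wrong helps the guessing.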
Some of the plugins that allow you to limit the number of login attempts and monitor them at the same time include:
Ensure Maximum Password Security
Everything we have said so far is not particularly helpful if your credentials are surprisingly easy to guess, like:
Username: admin
Password: password
Password policies must be set to ensure a good level of complexity, a limited expiration time, and the inability to recycle them repeatedly. If you are the sole manager of your website, or if your team is small enough, just ensuring a few team best practices on password strength are followed may be enough.
For larger websites, or when the number of users is exceptionally high, you may want to use a password manager. Even better, you might want to enable two-factor authentication (2FA) to defeat automated password-guessing attempts. Some of these plugins can provide better password security, although not all of them include more advanced functions (such as 2FA) in their non-premium versions:
- Password Policy Manager
- MelaPress Login Security
- Solid Security
- miniOrange’s Google Authenticator
- WP 2FA
3. Protecting Your Website from Spam Link Injections
Spam links are malicious links forcefully injected into your website’s database, generally through the comments section. Black Hat search engine optimization (SEO) “experts” inject these links to artificially manipulate the rankings or domain authority of one of their low-tier websites or to send people to one of their malicious websites.
Multiple redirects and invisible injections are often used, and sometimes spam link injection goes as far as sending phishing emails to your customer database or even displaying banners and ads of their phony products on your site.
How Can Spam Link Injection Damage Your Site?
Spam links can seriously damage all your SEO efforts since Google may read all these outgoing signals from your website and penalize your search engine result page (SERP) positioning.
You may be affected by a site-wide spam or unnatural link-building penalty, get your Google ads disapproved due to malware, or even have your Google AdWords account suspended or blocked.
In extreme scenarios, your entire website can end up blacklisted as deceptive by Google or suspended by your host, especially when multiple invisible links containing malware are left unattended.
How Can You Deal with Spam Link Injection Threats?
Probably the simplest way to deal with spam link threats is to block comments altogether. This solution is, by far, the most efficient and has the fewest side effects on the rest of your site. You need no plugins to do that. From your site’s Dashboard, just go to your Settings: Discussion page and make sure no one can comment without prior approval:
All comments will be held in moderation and never published without your authorization. The moderation queue may quickly grow into the thousands. The simplest way to clear it occasionally is to use one of the many bulk cleanup plugins available, such as WP Bulk Delete, or a plugin dedicated to managing comments.
However, on some websites, blocking comments is simply not an option. In this case, you might want to apply a filter.
In the Discussion page, you can reduce the number of links in each comment to one since many spam comments usually contain more than one link. However, you cannot reduce them to zero, or all comments will be held for moderation.
Another possible alternative is to enable a reCaptcha plugin. This is less effective, since it will stop only bots (which account for most of these attacks) but not human attackers.
Last but not least, install an anti-spam filter. These plugins perform various tasks to ensure that all comments appearing on each of your pages are clean.
They use specific algorithms to detect suspicious comments, block activities from particular countries, or add filters to limit certain comment types.
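To show what such a filter does under the hood, here is an added example written for this article (not code from the article or from any anti-spam plugin): a must-use plugin that decides a comment’s status before WordPress stores it. It reproduces the “hold comments containing links” rule from the Discussion page in code, but also counts bare URLs and BBCode links rather than only HTML anchor tags, exempts logged-in users, and sends link-heavy comments straight to the spam queue. The pre_comment_approved filter and its return values are real WordPress behaviour; the threshold and the example_ function names are this example’s own.

```php
<?php
/**
 * Plugin Name: Example Comment Link Filter
 * Description: Added example (not from the article): holds or spams comments
 *              based on the number of links they contain.
 *
 * Save as wp-content/mu-plugins/example-comment-link-filter.php.
 */

define( 'EXAMPLE_SPAM_LINK_THRESHOLD', 3 );  // this many links or more: spam queue

// Count links in the comment body: bare URLs, <a href> tags and BBCode [url].
// Bare URLs matter because they are turned into clickable links at display time.
function example_count_comment_links( $text ) {
    $patterns = array(
        '#https?://#i',          // bare URL
        '#<a\s[^>]*href=#i',     // HTML anchor
        '#\[url[=\]]#i',         // BBCode [url=...] or [url]
    );
    $count = 0;
    foreach ( $patterns as $pattern ) {
        $count += preg_match_all( $pattern, $text, $matches );
    }
    return $count;
}

// Values WordPress understands here: 1 = approve, 0 = hold for moderation,
// 'spam' = spam queue, 'trash' = trash.
function example_filter_comment_links( $approved, $commentdata ) {
    // Never weaken a decision that is already stricter than "approve"
    // (for instance a comment that is already held or flagged as spam).
    if ( 1 !== $approved && '1' !== $approved ) {
        return $approved;
    }

    $links = example_count_comment_links( $commentdata['comment_content'] );

    if ( $links >= EXAMPLE_SPAM_LINK_THRESHOLD ) {
        return 'spam';
    }

    // Any link from a visitor who is not logged in goes to moderation.
    if ( $links > 0 && empty( $commentdata['user_id'] ) ) {
        return 0;
    }

    return $approved;
}
add_filter( 'pre_comment_approved', 'example_filter_comment_links', 10, 2 );
```

Comments that land in the spam queue are still visible under Comments: Spam, so a wrongly flagged one can be restored; nothing is deleted automatically. If you also run a plugin from the list below, disable one of the two link rules so they do not fight over the same comment.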
Here’s a list of some of the most popular anti-spam plugins, but remember: there’s always a chance for some malicious link to slip through the cracks:
4. Protecting Your Website from DDOS Attacks
A distributed denial-of-service (DDoS) attack is a less common risk than the others we have discussed.
However, when it happens, the consequences can be dire, especially if your website’s downtime is directly associated with a loss of revenue or reputation (such as for websites that must always stay up).
DDOS attacks generally exploit vulnerabilities in WordPress, the themes, or the installed plugins. Therefore, the best way to avoid them is to reduce the attack surfaces and plan ahead.
How Can DDOS Attacks Damage Your Site?
DDOS attacks overwhelm your server with a massive number of requests, causing the website to slow down and even crash.
If your company relies on web traffic or continuity of services for income, a DDOS flooding can have severe consequences.
Even if the website doesn’t outright crash, slowdowns and downtimes can lead to customer dissatisfaction and loss of brand reputation, especially since some DDOS attacks can last for days or weeks.
How Can You Deal with DDOS Attacks?
As usual, prevention is the best defense. Removing any potential vulnerability from your WordPress website, its themes, and plugins is mandatory, and when it’s not possible, obfuscating them can go a long way toward reducing the number of automated attacks.
WordPress Vulnerabilities: Getting Rid of the XML-RPC API
As its name suggests, XML-RPC is a protocol that uses XML for communication purposes (RPC stands for “remote procedure call”). It uses HTTP as its data transport mechanism, but today it has lost most of its usefulness, to the point that it is often considered outdated or deprecated.
However, XML-RPC can be exploited for remote code injections, and it represents a vulnerability for both DDOS and sometimes even brute-force attacks. For the vast majority of WordPress users, XML-RPC can be disabled with no adverse effects whatsoever to prevent unwanted attacks.
You can disable XML-RPC manually or by installing a plugin such as Disable XML-RPC or Disable XML-RPC-API. If you want to do it manually to avoid installing another plugin, you need to edit the .htaccess file, so you must go to your host’s File Manager (such as cPanel).
If you’re operating on cPanel, make sure that you can see hidden files by clicking on the Settings button on the top right of the screen and then selecting the appropriate option:
Now search for the .htaccess file via the Search function on the left of the Settings button, or go directly to the /public_html directory to find it. Right-click on the file and then edit it:
You need to add the following code snippet:
# Block WordPress xmlrpc.php requests
# (Order/Deny/Allow need mod_access_compat on Apache 2.4, which shared hosts usually enable)
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
</Files>
Note that the string allow from xxx.xxx.xxx.xxx is used if you want to grant access to XML-RPC to a user or a service and should be substituted with that user or service’s IP. If you want to disable XML-RPC altogether, then you can simply delete this whole line.
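If your host does not use Apache (for example nginx, where .htaccess is ignored), the same result can be reached from PHP. The following is an added example written for this article, not code from the article or from the Disable XML-RPC plugins it mentions: a must-use plugin that disables authenticated XML-RPC calls, removes the pingback methods that the unauthenticated side of XML-RPC still exposes, stops advertising the endpoint, and finally answers any request to xmlrpc.php with a 403. The hook names (xmlrpc_enabled, xmlrpc_methods, wp_headers, init), the XMLRPC_REQUEST constant and status_header() are real WordPress APIs; the example_ function names are this example’s own.

```php
<?php
/**
 * Plugin Name: Example XML-RPC Lockdown
 * Description: Added example (not from the article): disables XML-RPC from
 *              PHP for hosts where an .htaccess rule is not available.
 *
 * Save as wp-content/mu-plugins/example-xmlrpc-lockdown.php.
 */

// 1. Refuse every authenticated XML-RPC call. This is what stops credential
//    guessing through XML-RPC, including batches sent via system.multicall.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. 'xmlrpc_enabled' only covers methods that log in. Pingbacks need no login
//    and are the part abused for DDoS amplification, so drop them explicitly.
function example_remove_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_remove_pingback_methods' );

// 3. Stop announcing the endpoint in the X-Pingback response header that
//    WordPress adds to normal page responses.
function example_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_remove_pingback_header' );

// 4. Belt and braces: answer any request to xmlrpc.php with 403 before the
//    XML-RPC server runs. The .htaccess rule does this at the web server level,
//    which is cheaper under load; this is the PHP fallback.
function example_block_xmlrpc_request() {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        exit( 'XML-RPC is disabled on this site.' );
    }
}
add_action( 'init', 'example_block_xmlrpc_request' );
```

To verify, request /xmlrpc.php on your site: with the rule in place you should receive a 403 instead of the usual “XML-RPC server accepts POST requests only” message. If you rely on the Jetpack plugin or the WordPress mobile app, both of which use XML-RPC, leave step 4 out and restrict the endpoint to the IP addresses those services use instead.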
WordPress Vulnerabilities: Disabling the REST API
The WordPress Representational State Transfer (REST) API is a tool developers use to expose a website as a web service. It sends and receives JSON (JavaScript Object Notation) objects, and, like any exposed endpoint, it can be abused as a backdoor by malicious actors.
Similarly to the XML-RPC API, it can be disabled relatively safely by most users. However, it may be necessary for the correct functioning of some plugins and WordPress themes. Because of that, it is better to try disabling it in a staging website first to ensure it doesn’t cause any disruption whatsoever.
Once again, you can turn off the REST API to reduce your attack surface by installing a plugin such as Disable WP REST API or Disable REST API, or you can do it manually. The procedure is similar to the one described above for the XML-RPC API. However, this time, you must navigate in your File Manager to the /public_html/wp-content/themes directory. Then, you must locate the name of your current theme and open the respective directory.
Once there, find the functions.php file inside it and edit it to add the current code snippet at the bottom of it:
// Reject every REST request with an authentication error. Note that this applies
// to logged-in users too, and the block editor relies on the REST API, so test on
// a staging site first.
function qode_disable_rest_api( $access ) {
    return new WP_Error( 'rest_disabled', __( 'The WordPress REST API has been disabled.' ), array( 'status' => rest_authorization_required_code() ) );
}
add_filter( 'rest_authentication_errors', 'qode_disable_rest_api' );
You can check if you correctly disabled the JSON REST API by visiting your website’s /wp-json endpoint, such as:
If you get an error message saying, “The WordPress REST API has been disabled”, then the REST API has been disabled successfully.
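Because the snippet above rejects logged-in users as well, it also disables the block editor and any plugin that talks to the REST API from the admin area. A middle ground that is usually safe is to close the API to anonymous visitors only. The following is an added example written for this article (not code from the article or from the Disable REST API plugins it mentions): it keeps the API available to logged-in users, lets you allow-list a few public routes that must stay reachable, and removes the discovery links that advertise the endpoint to anonymous visitors. The filter and action names, rest_authorization_required_code() and the rest_route query variable are real WordPress APIs; the example_ functions and the allow-list are this example’s own.

```php
<?php
/**
 * Plugin Name: Example REST API Restriction
 * Description: Added example (not from the article): closes the REST API to
 *              anonymous visitors while keeping it working for logged-in users.
 *
 * Save as wp-content/mu-plugins/example-rest-restriction.php.
 */

// Route prefixes that must stay public. Extend after testing on staging: some
// contact-form and e-commerce plugins register their own public routes.
function example_rest_public_route_prefixes() {
    return array(
        '/oembed/1.0',   // lets other sites embed your posts
    );
}

function example_restrict_rest_api( $result ) {
    // Another filter already produced a decision (true or WP_Error): keep it.
    if ( null !== $result ) {
        return $result;
    }
    // Logged-in users (editor, admin screens, plugins) are unaffected. The
    // built-in cookie check at priority 100 still validates their nonce.
    if ( is_user_logged_in() ) {
        return $result;
    }
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? $GLOBALS['wp']->query_vars['rest_route']
        : '';
    foreach ( example_rest_public_route_prefixes() as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return $result;
        }
    }
    // Anonymous request to a non-public route: 401 with a generic message.
    return new WP_Error(
        'rest_disabled',
        __( 'The WordPress REST API is only available to logged-in users.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}
add_filter( 'rest_authentication_errors', 'example_restrict_rest_api', 99 );

// Stop advertising the endpoint to anonymous visitors: the <link rel="https://api.w.org/">
// tag in <head> and the Link: header on front-end responses.
function example_hide_rest_discovery() {
    if ( ! is_user_logged_in() ) {
        remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
        remove_action( 'template_redirect', 'rest_output_link_header', 11 );
    }
}
add_action( 'init', 'example_hide_rest_discovery' );
```

When checking the result, open /wp-json in a private browser window: while logged in you will still see the normal index, which is intended, and only anonymous visitors receive the error.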
Themes and Plugin Vulnerabilities: Making Sure They Don’t Show
Hackers always exploit any potential vulnerability in plugins and themes to break into websites.
Because of this, a best practice is to get rid of unused plugins rather than just deactivating them, and to keep everything updated regularly.
However, there are known security issues that cybercriminals can easily spot just by checking which version of a plugin, WordPress, or theme you are using.
You can remove your WordPress version number quite easily. Navigate again to the functions.php file and add this code snippet at the bottom:
// Return an empty string so the generator meta tag (and the generator line in
// feeds) no longer reveals the WordPress version.
function remove_version_info() {
    return '';
}
add_filter( 'the_generator', 'remove_version_info' );
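The generator tag is only one of the places the version number shows up. Every stylesheet and script WordPress enqueues carries a ?ver= query string, which leaks the core version (and plugin versions, which are matched against known vulnerabilities in exactly the way described above). The following is an added example written for this article, not code from the article: it replaces the visible version with a short keyed hash, so browsers still get a new URL after each update (cache busting keeps working) while the number itself is no longer readable. The filters style_loader_src and script_loader_src, wp_parse_url(), add_query_arg() and wp_salt() are real WordPress APIs; the example_ function name is this example’s own.

```php
<?php
/**
 * Plugin Name: Example Asset Version Masking
 * Description: Added example (not from the article): hides version numbers in
 *              ?ver= query strings of enqueued scripts and styles.
 *
 * Save as wp-content/mu-plugins/example-asset-version-masking.php.
 */

// Replace "?ver=6.x.y" (or a plugin's version) with a token derived from it.
function example_mask_asset_version( $src ) {
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( ! $query ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( empty( $args['ver'] ) ) {
        return $src;
    }
    // HMAC with the site's auth salt: a new version still produces a new token,
    // but a visitor cannot map the token back to a version number by trying a
    // list of known versions, because they do not have the salt.
    $token = substr( hash_hmac( 'sha256', (string) $args['ver'], wp_salt( 'auth' ) ), 0, 8 );
    return add_query_arg( 'ver', $token, $src );
}
add_filter( 'style_loader_src', 'example_mask_asset_version' );
add_filter( 'script_loader_src', 'example_mask_asset_version' );
```

Two caveats. First, the readme.html file in the site root also prints the WordPress version, so delete it (it is recreated on core updates, which is a good reason to have a deployment step for that). Second, hiding versions only removes a shortcut for attackers; an unpatched plugin is just as exploitable whether or not its version is visible, so this complements updating and never replaces it.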
Reducing Server Load: Using a CDN
Content Delivery Networks (CDNs) are servers that store cached copies of your website in their data centers.
They distribute data across multiple servers, acting as middlemen between you and your website’s customers. CDNs reduce the load on your website server, increase the loading speed of your website, and improve its performance.
More importantly, CDNs are much harder to attack than a single server and act as a firebreak in case of DDOS attacks. Some CDNs can also act as reverse proxies.
There are many CDN providers; some are free, some require a monthly fee, some provide just essential CDN services, while others offer a broader range of additional services such as image lazy load and resizing, CSS optimization, and more. Here are a few of the most popular ones:
Another Layer of Security: WordPress Firewalls
Firewalls are software that acts as a barrier between your website and its users, ideally blocking unwanted access from potential hackers. They are a valuable additional layer of security, although they are not always strictly necessary.
Many WordPress firewalls tend to go overboard with the changes they force onto your website, often impacting performance more than you want. Because of this, they should be enabled only for websites where maximum security is paramount.
Usually, an excellent way to ensure that firewalls only filter out malicious bots without blocking everyday users or standard crawlers is to tweak their rate-limiting features. If the rate limit is set to a reasonable threshold, the firewall will block most DDOS attacks without affecting the user experience. The more prominent names in the WordPress firewall industry include Sucuri, Wordfence, and AIOS.
The Bottom Line
This guide can help you ensure a higher level of security for your WordPress website.
However, remember that no solution is always final, and whatever layer of protection you may establish, there’s always a way to circumvent it.
Try to always stay ahead of the curve by looking for the latest vulnerabilities, and make sure you always keep yourself informed about every new cybersecurity threat that could emerge.