Lets ‘Talk Talk’…About WordPress Security Hardening: how to prevent hackers?

Although TALK TALK  probably don’t use WordPress,  if they did, one can safely say that it probably wouldn’t be the most secure wordpress installation in the world!

WordPress  in itself (in the year 2016) is actually very secure – it’s the plugins that cause the potential security flaws and laying down the red carpet for the likes of esoteric hackers.   That’s why specialised wordpress hosting companies like wpengine don’t allow the use of all plugins.

So why does WordPress get hacked a lot?  Well lets get this straight!  The wordpress platform is a lot more secure than it used to be back in 2009, when it took a few dents from some security vectors that were exploited.  I spent a lot of time then fixing and restoring wordpress sites back to normal operation.   Since then, the core wordpress code base has been well nurtured with regular security patches, and is about as secure as Julian Assange in the Ecuadorian embassy.

So what is the problem with WordPress?   Well nothing – the vulnerabilities are in the main, from customers and wordpress web masters not keeping the wordpress core files, plugins and themes up to date.  Not using strong passwords for wordpress and database users  is also a problem –  if secured correctly, this can prevent brute force attacks on your website.


How to Make WordPress  as Secure as Fort Knox?

  1. Now a days, wordpress updates itself automatically unless you manually turn it off in the wp-config file.  Make sure wordpress core is updated regularly.
  2. Update your plugins all the time or better set them to update automatically.
  3. If possible, keep your themes up to date.   If you are concerned about losing some of your wordpress settings and styling, then ensure you take a backup and use child themes to hold custom CSS styles and modified page templates.  Ask you web developer and get qualified advice from a wordpress professional.
  4. Remove unwanted themes
  5. Removed unused plugins
  6. Add a firewall to your server.  
  7. Rename the ‘admin’ username.  Most automated brute force software will target the admin username –  if it doesn’t exist then it is unlikely to get hacked as they have to guess the username as well as the password.
  8. Enable auto updates to wordpress
  9. Disable PHP Error Reporting
  10. Protect your .htaccess file
  11. Remove the wordpress version.
  12. Delete sensitive files
  13. Create secret keys in wp-config file.
  14. Change the wordpress admin dashboard url  to say  www.mysite.com/dash/ 
  15. Enable strong password enforcement
  16. Protect common wordpress files
  17. Disable Directory Browsing
  18. Filter Request Methods
  19. Filter Suspicious Query Strings in the URL
  20. Filter Non-English Characters
  21. Filter Long URL Strings
  22. Disable PHP in Uploads
  23. Disable XML-RPC
  24. Replace jQuery With a Safe Version
  25. Enable Ban Users
  26. Ensure wordpress file permissions are correct and not open to all.
  27. Enable a 2 step verification login process.  There are a number of plugins available like mini orange that allow mobile phone or email authentication.
  28. Add a SSL certificate and make your whole site secure  – there are SEO benefits in securing all your websites pages.
  29. Finally,  always monitor activity and review your security settings on a regular basis.


Many of the above changes can be implemented using the iThemes security plugin.   If you want your wordpress installation to be even more secure,  then there are other measures that can be taken in securing the database environment and your apache web server. 

Get in touch if you need any assistance are are worried about how secure your wordpress site is.