
Very Simple Tips to Protect your WordPress Site from Attacks

WordPress is an Open Source CMS driven and extended by an incredibly large community. This has a lot of advantages:

– Free or affordable access to a large variety of plugins, themes and tools to add “super powers” to your site.

– Bugs are found and fixed fast.

– Being as simple to use as it is, anybody can learn to update their own site without relying on developers.

The downside of this has to do with security. When a vulnerability is found in WordPress or one of its plugins, the whole Internet literally knows about it right away, which means bad guys, girls and robots can crawl the Internet trying known hacks against outdated sites.

There are a few simple things you can do to greatly improve the security of your site.

1. Only install the necessary themes and plugins

Remove any plugin or theme that you are not using. The more modules you have, the more likely it is that one of them has a vulnerability.

2. Keep WordPress, themes and plugins updated

Updates that fix security issues are released often, but users forget to keep their sites updated. You can do this either manually or from the command line with the wp tool (WP-CLI).

Our preferred option at ZENVA is to set up a cron job that uses the wp tool to keep our sites up to date.

3. Install a firewall or security plugin

There are comprehensive security plugins that take care of different types of attacks:

– Brute force attacks (people trying to guess your password)

– Directory traversals (people trying different URLs looking for known security holes)

– Injecting SQL or PHP code via request parameters

– Uploading executable files instead of images

If you want very comprehensive ones, try iThemes or Wordfence. Keep in mind that they might cause issues with existing plugins or themes, and that those plugins will be writing files (see 4.). For a simpler, minimalistic solution try Simple Firewall, which doesn’t need write permissions and takes care of all the main issues listed above.

4. Don’t let the web server user write files

This one can be a bit more controversial. WordPress allows you to upgrade itself and install themes and plugins from within the WordPress admin area. This means that the “web server user” (the account Apache or Nginx runs as, usually called www-data) is allowed to write files on the server.

If your admin account were compromised (or a new admin account was somehow injected into your database), the hacker could modify files in your WordPress install, for example injecting malicious code into the PHP files, something very common in these attacks.

The definitive solution for this type of attack is to stop the www-data user from writing files altogether (except for the uploads folder).

This means that if you want to update WordPress or its plugins and themes you’ll have to enter FTP or SSH credentials, as WordPress will tell you it doesn’t have permission to write.

Otherwise you can set up a cron job for the wp command line tool, which will update it for you.
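The following script is an added example (not from the post) that puts tips 2 and 4 together: it locks a WordPress tree so the web server group can only write under wp-content/uploads, audits the result, and provides the cron body that runs WP-CLI as the file owner rather than as www-data. The install path, the owner user name and the web server group name are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example, not from the post: lock a WordPress tree so the web server
# user can only write inside wp-content/uploads, then update from cron with
# WP-CLI as the (non-web-server) owner. Paths, user and group names are
# assumptions to adjust for your host.
set -eu

# $owner owns every file; the web server group ($webgroup) can read but not
# write, except under wp-content/uploads where media uploads must still work.
lock_down_wp() {
  wp_root=$1; owner=$2; webgroup=$3
  chown -R "$owner:$webgroup" "$wp_root"
  find "$wp_root" -type d -exec chmod 755 {} +
  find "$wp_root" -type f -exec chmod 644 {} +
  # wp-config.php holds database credentials: owner read/write, web group read
  if [ -f "$wp_root/wp-config.php" ]; then chmod 640 "$wp_root/wp-config.php"; fi
  uploads=$wp_root/wp-content/uploads
  mkdir -p "$uploads"
  find "$uploads" -type d -exec chmod 775 {} +
  find "$uploads" -type f -exec chmod 664 {} +
}

# Audit: list anything outside uploads that is group- or world-writable.
# Prints nothing and returns 0 when the tree is locked down correctly.
find_writable_outside_uploads() {
  wp_root=$1
  bad=$(find "$wp_root" -path "$wp_root/wp-content/uploads" -prune -o \
        \( -perm -020 -o -perm -002 \) -print)
  [ -z "$bad" ] || { printf 'writable: %s\n' "$bad"; return 1; }
}

# Cron body: run WP-CLI as $owner (never as www-data) so updated files keep
# the locked-down ownership. Example crontab entry for the owner user:
#   0 3 * * * /usr/local/bin/wp-maint.sh update /var/www/example >>/var/log/wp-update.log 2>&1
update_wp() {
  wp_root=$1
  wp --path="$wp_root" core update
  wp --path="$wp_root" plugin update --all
  wp --path="$wp_root" theme update --all
  wp --path="$wp_root" core update-db
}

case ${1:-} in
  lock)   lock_down_wp "$2" "$3" "$4"; find_writable_outside_uploads "$2" ;;
  update) update_wp "$2" ;;
esac
```

Run `wp-maint.sh lock /var/www/example deploy www-data` once as root, then schedule `wp-maint.sh update /var/www/example` in the deploy user's crontab; the audit function is also handy as a periodic check that nothing has been chmod'ed back to writable.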

5. Force SSL access for the admin area

This can be done either by purchasing an SSL certificate or by using a self-signed one (which will bring a browser security warning that you can safely ignore). Since this is just for the admin area, your visitors will not get the security warning unless they try to go to the admin area (which they shouldn’t).

After you’ve installed and configured your SSL certificate (if you buy one, instructions will come along; to self-sign one there are plenty of good tutorials depending on your OS), you can force it for the WP admin by adding this line to your wp-config.php file:

define('FORCE_SSL_ADMIN', true);

Want to learn how WordPress works, inside-out? Check our comprehensive course on WordPress Plugin Development

Published by

Pablo Farias Navarro

Pablo is a web + mobile app developer and entrepreneur. Pablo is the founder of ZENVA. Besides teaching online how to create games, apps and websites to over 85,000 students, Pablo has created content for companies such as Amazon and Intel. ZENVA runs four development communities featuring game, web and mobile app development tutorials: Zenva Academy, GameDev Academy, HTML5 Hive (also known as "the hive"), and for Spanish speakers, De Idea A App. Pablo holds a Master in Information Technology (Management) degree from the University of Queensland (Australia) and a Master of Science in Engineering degree from the Catholic University of Chile. Specialized in web, mobile application and game development.


  • I tried the self-hosted SSL on the admin area idea. It worked okay, but I think a couple times I had people try accessing my site with SSL (maybe they were using HTTPS Everywhere or something?) and it would throw warnings and whatnot. May try it again, with a purchased SSL cert… only like $10 anyway.

    Thanks for the links to the firewall plugins. I’ll have to check them all out. The ratings for the Simple one and the Wordfence one are pretty much off the chart, considering some low ratings I see for other security-related plugins.

  • Hi Grant, glad to hear you found this helpful. If you are using self-signed SSL then you have to be careful not to share links with https, as it’s only meant for the admin area. You don’t want your visitors to reach that security warning.

    Paid SSLs are a lot more than $10 a year, I think around $60, but yes then you can share all your links with https (and it seems Google likes that too).

    Definitely check and install a security plugin. I prefer the simple firewall one for its minimalistic approach, but I understand there are other good ones (although they do require write access, which I try to avoid).