90K Attacks Per Minute on WordPress Websites! Are you Secure?

WordPress is probably the best thing that ever happened to many of us who are using it.

For those who don’t know what WordPress is – it is an open-source (free to use & modify) website building & content management tool, developed & managed by some of the most dedicated folks in the world.

But despite being such a powerful & popular CMS tool, it is also the most hacked.

According to statistics from 40,000+ popular WordPress websites, more than 70% of WordPress installations are vulnerable to hacking attacks.

WordFence, a popular WordPress security plugin, once reported that there are over 90,000 attacks per minute on WordPress.

These stats are extreme & clearly indicate the importance of minimizing your risk of getting attacked or hacked!

If you’re serious about your WordPress website, stick to this article to understand some common WordPress security vulnerabilities & how to prevent attackers from targeting your website:

Common WordPress Websites Security Issues/Vulnerabilities

While WordPress is very secure & is audited regularly by top developers, hackers can still find a way to exploit weak security points.

Below are some of the exploitation techniques hackers commonly attempt against WordPress websites:

SQL Code Injection Attacks

Every website has some open paths that hackers can exploit to inject malicious scripts into your database or core website files. Any WordPress website that fails to filter user-submitted data before processing & saving it into the database is vulnerable.

Since WordPress uses MySQL for its database, SQL injection attacks are the most common attacks on WordPress websites.

Such malicious scripts can be injected into your website through some common user-submission forms like:

  • Contact Form
  • Website Search Bar
  • Comments Section
  • Upload Documents
  • User Registration
  • Newsletter
[Image: contact forms can cause security vulnerabilities if data is not properly sanitized & filtered; hackers can inject malicious SQL commands into your WordPress website]

To avoid script injection through these open paths, you need to apply data filtering & validation on such forms.

Take the screenshot below for example: the form rejects anything other than an email address:

[Image: example of a form that uses data sanitization to avoid SQL injection attacks on WordPress]

This is how data validation must be in place & working if you use any form or feature that lets users submit information from the frontend.

If hackers find a way to inject malicious data, they may then find a way to execute these scripts inside your database & run certain functions; eventually, you could be locked out of your WordPress website.

Brute Force Attacks

In general, a brute force attack means trying many username + password combinations until a successful combination is found.

Hackers create a database of some commonly used passwords & program automated scripts to attempt different combinations.

Did you know that “Brute Force” attacks have a success rate of 10%?

If your WordPress login credentials are weak, there is a high chance that these automated bots will eventually crack a combination that works & break into your website.

File Inclusion Exploits

A file inclusion vulnerability allows attackers to include files on a web server through a browser. This exploit can occur when your website allows users to submit input that selects a file, or to upload files to the server, but fails to validate the input or the file before accepting it.

There are two types of file inclusion vulnerabilities in WordPress:

  • Local File Inclusion – When attackers find a way to read and sometimes execute files on a website’s server.
  • Remote File Inclusion – When attackers find a way to make your web server include a file hosted remotely.

If you’re curious to know more, here is a detailed guide on WordPress file inclusion vulnerabilities.

Cross Site Scripting (XSS) Vulnerabilities

Did you know that 84% of total security vulnerabilities on the whole internet are cross-site scripting?

In an XSS attack, hackers exploit weak websites to execute malicious JavaScript code within a victim’s web browser – it mostly targets the functionality of a web page.

Cross-site scripting attacks are one of the most popular attack types on websites worldwide & pose major risks to both your business & its visitors/users.

Remember that these attacks do not take over your website; instead, a malicious piece of code is delivered alongside your website’s own content into the browser, where it is executed & displayed to the user.

XSS attacks can harm your website visitors by showing them a link to malicious websites or misleading them with a contact form to steal their information.

XSS attacks are most commonly used to:

  • Take over user accounts
  • Trick your website visitors into giving out personal data by showing them a misleading form
  • Capture login credentials
  • Steal session cookies
  • Deface websites
  • Inject trojans
  • Show disguised links to malicious websites

In WordPress, cross-site scripting (XSS) vulnerabilities occur mainly because of plugins & themes – so it is important to choose plugins & themes wisely & keep them updated.

Secure Your WordPress Website From Getting Hacked

No technology is 100% secure, & while the WordPress security team keeps improving core security, as a website owner you are also responsible for keeping your website safe by following security best practices.

Below are some informative & actionable steps to prevent common security exploitations & attacks on your WordPress website:

Outdated Technology Puts You In Danger

Whenever any plugin, theme, or WordPress core update is released, it often comes with increased security by eliminating vulnerabilities & strengthening the code against malicious attacks.

Release notes are also pushed with the updates so users can read what comes with the update, like feature enhancements, UX improvements, security fixes & bug fixes.

Attackers also keep an eye on these release notes, which tell them which vulnerabilities exist in older versions (of plugins, themes, or core), so they can exploit websites that have not updated yet.

WPBeginner says, 86% of sites are hacked due to outdated plugins, themes or WordPress core.

Now you might have understood why it is important to keep plugins, themes & the WordPress core updated as soon as updates are released – it reduces the risk of your website being attacked or compromised in some other way!

Plugins Can Become The Biggest Culprits: Use Them Wisely

Plugins are pieces of code that add functionality to your website, & some of them have deep access to it, so it’s vital to be careful: a careless choice can invite hackers.

Below are some security measures to keep in mind before you choose & use plugins:

Install Plugins Only When Required

Not every feature that looks good is actually good, or required!

What happens with most WordPress beginners is that they try to integrate more & more features into their website – using plugins.

You may like those features because you are new to WordPress & website building. Over time, you will realize that it is best to stick with minimal & simple features.

On top of that, there are many cons to using unnecessary plugins.

Sometimes we end up installing plugins that are not frequently updated & maintained by their developers. As we have already seen above in this article, plugins can cause many security vulnerabilities on your website.

Not to mention, the more plugins you use, the heavier your website will be, which means longer loading times & negative effects on SEO.

Remove Inactive Plugins

WordPress websites with many inactive plugins are a tempting target for hackers.

It is recommended to remove all inactive plugins as soon as you don’t need them anymore. This is because any of these unnoticed plugins can be exploited – prevention is better than cure.

[Image: removing inactive plugins keeps your WordPress website more secure; if these plugins get outdated & are left unnoticed, they can be used by hackers]

Don’t worry, you can reinstall a plugin anytime you want in a minute or two, but website security should be the utmost priority.

Verify Plugins Before Installing

Just because plugins are freebies does not mean they are worth using. It is very important to know your plugin before you install it on your website.

[Image: things to look for before installing a plugin on your WordPress website]

As we already discussed above, plugins have deep access to your WordPress website, so it is important to choose plugins only from trusted developers & businesses.

Keep Plugins Up To Date: Enable Auto Updates

Outdated plugins are dangerous as the older versions might contain security flaws. It is important to keep your plugins up to date as soon as the latest version is released.

The best practice is to enable auto-updates for plugins directly from the Plugins section in the WordPress admin.

[Image: how to enable the plugin auto-update feature to avoid security vulnerabilities caused by outdated plugins]

Strict “NO” to Nulled or Torrent Themes & Plugins

What could be more foolish than using untrusted, nulled & torrented versions of plugins or themes on your website, just because you get premium benefits at no cost?

Such pirated products are primarily used to distribute malware & contain malicious scripts.

Since plugins & themes have deep access to your WordPress core directory & database, installing pirated versions achieves nothing except inviting hackers to gain access to your website.

These pirated plugins/themes can also contain scripts to steal information from your website – which then could be circulated on the dark web.

Securing a website isn’t a joke. Your website is like a folder available on the internet that you need to protect from unwanted/unauthorized access that can get deep into this folder, i.e. into the root files.

Use strong & unique passwords at vulnerable areas

Using weak passwords makes your website prone to brute force attacks, so it is important to create strong and unique passwords that minimize this risk.

A strong password consists of:

  • At least 10 characters
  • Uppercase & lowercase letters
  • Numbers
  • Symbols

Using a complex combination of different characters creates a strong password.

WordPress also has a strong password generator – go to the Profile section under Users in the left navigation & click on “create new password”.

You will also find a password strength indicator there.

[Image: WordPress inbuilt strong password generator]
[Image: WordPress inbuilt password strength indicator]

It would be a good practice to use such strong passwords at every step & in every area that connects with your website, like:

  • WordPress user account
  • FTP accounts
  • WordPress database password
  • Your hosting account
  • Primary / Secondary Email addresses

Avoid Commonly Used Demo Usernames

Hackers create automated bots/scripts to scan the internet & attempt brute-forcing. When these bots find a WordPress admin login page, they start guessing numerous username & password combinations until one works.

Using commonly used usernames (as well as passwords) brings your WordPress website one step closer to a successful brute force attack.

Choose usernames that are hard to guess & avoid common ones like:

  • Admin
  • Root
  • User
  • test

Use security bridges (Firewall) to protect the WordPress admin area

To keep attackers away from brute-forcing or compromising your website security in other ways, it is recommended to create a strong firewall that prevents unauthorized traffic from reaching your WordPress login panel. Below are some ways to do it:

Change Default WordPress Access URL

By default, WordPress websites use the URL string: www.yourwebsite.com/wp-admin to log in inside the WordPress admin area.

But using this default URL to access the admin area makes your website one step closer to getting attacked.

C’mon, they are hackers! This is the first thing we need to protect, because they are well aware of it.

One quick way to secure this stage of your WordPress website is by using WordPress security plugins.

Almost every WordPress security plugin has a feature to change the login slug to a custom one.

Be Cautious: It’s common to get locked out of your website if you try changing the login page slug. I would recommend you shoot an email to your hosting provider first & let them know what you are about to do.

Password Protect Admin Directory

If you don’t want to change the default WordPress access URL “wp-admin”, then you should password protect this directory from your hosting cPanel.

Just log in to your cPanel account & locate the Directory Privacy icon. From there, password protect the “wp-admin” directory & save the changes.

Password protecting this directory adds one more layer of authentication before you log in to your WordPress panel.

[Image: password protecting the directory enables a prompt that asks for a username & password before showing the WordPress login page]

Enable Two Factor Authentication

Two-factor authentication is the ultimate firewall every WordPress website should use.

Many times, hackers manage to steal your exact login credentials. In such a case, two-factor authentication helps you minimize the security risk.

Even if someone has the right credentials, they can’t log in to the admin area until a second code is provided to successfully log in.

Two-factor authentication can be based on many factors; some of the most common approaches are:

  • OTP via Email or SMS
  • Security Questions
  • QR Code Authentication
  • Push Notification on Other Devices
[Image: two-factor authentication example for improved WordPress security]

Two popular plugins for two-factor authentication are Google Authenticator & miniOrange 2 Factor Authentication.

Limit Login Attempts

[Image: limiting login attempts using a plugin can help better secure your website]

You can use a plugin to limit the number of wrong password attempts to protect yourself from brute forcing.

Conclusion

It’s not just WordPress; any other open-source software is vulnerable to all sorts of attacks.

As a WordPress website owner, you should know that in addition to WordPress’s own core security, you have to take some security measures to keep hackers & malicious scripts/bots away from your website.

I would also recommend you read this article – Try Hacking Your WordPress Website Before Hackers Do! – to dive deeper into WordPress security best practices by implementing some advanced security tactics on both WordPress core as well as server files.

I hope the article helped you understand some of the WordPress website security exploitations & how you can prevent them.

Did I miss something to add? What do you think is the most effective way to secure your WordPress website & keep hackers away?

Try Hacking Your WordPress Website Before Hackers Do!

If you use WordPress, it is really important to get yourself familiar with some security measures to keep your website safe from potential hacking attacks.

There were over 90 billion malicious login attacks from 57 million unique IP addresses at a rate of 2,800 attacks per second targeting WordPress, says WordFence.

WordPress, being a powerful & open-source CMS, invites potential security threats as well.

There is a long history of WordPress websites being targeted by hackers because of security issues.

[Image: news about WordPress websites getting hacked]

Here are some of the WordPress security vulnerability stats you should look at:

  • 41% of WordPress attacks are caused by vulnerabilities on the hosting platform. [Source: Unknown]
  • 61% of infected WordPress websites were out of date. [Source: Sucuri]
  • 8% of WordPress websites are hacked due to weak passwords.
  • Over 30% of Alexa’s top 1 million websites were using outdated WordPress, making them vulnerable to hacking attempts. [Source: WPWhiteSecurity]
  • 52% of WordPress vulnerabilities are due to WordPress plugins. [Source: WPScan]
  • In a study, over 4000 websites were infected by malware due to a fake SEO plugin. [Source: Unknown]
  • There are almost 90,000 attacks per minute on WordPress websites. [Source: WordFence]

Aren’t these stats shocking?

Who are these hackers? Well, we are not here for this answer!

After reading this piece of content, you will understand how hackers can find a way to exploit security vulnerabilities in your website, & what you can do to prevent them.

Moving ahead, we will run through some of the basic, initial techniques hackers use to find potentially weak WordPress websites.

Finally, we will see some fixes to protect your WordPress website from hacking or similar attacks.

How Do Hackers Hack Your WordPress Website?

The Anatomy of WordPress Hacking

It all starts with reconnaissance & scanning. Hackers use various techniques to scan for & shortlist WordPress websites with security vulnerabilities that can be exploited.

They can do this in many ways, like executing browser-side automated scripts, creating automated bots to scan the world wide web & many more.

Once they shortlist weak websites, they further execute advanced hacking steps (like brute-forcing, injecting malicious scripts & more).

Most of this is automated.

Enumeration

With the default WordPress configuration, there are several ways hackers can find sensitive information about your website, which can then be exploited to gain administrative access to it.

Unless you take some steps to hide certain critical WordPress information about your website, you are vulnerable to hacking attacks, especially brute-forcing (trying out numerous combinations of commonly used passwords until the right combination is guessed).

For instance, if a hacker knows the exact username of your WordPress admin account, he is one step closer to brute force attacking your website.

Similarly, various other pieces of information become public with the default WordPress installation, making your website vulnerable to hacking attacks.

SQL & PHP Injection Attacks Through Database

An injection attack is the submission of malicious functions & scripts via input form fields or other open paths in your website.

Since WordPress is written in PHP & uses MySQL/MariaDB for its database, hackers try to enter malicious PHP/SQL scripts to be saved & processed in the database.

Such scripts can be inserted via open form fields available throughout your website like the contact form, newsletter, comments, etc.

SQL injection is one of the most critical security vulnerabilities in WordPress.

If your WordPress site fails to filter & identify such malicious data before saving it to the database, it becomes easy for hackers to eventually send scripts that request back confidential information or execute certain functions.

Man In The Middle Attacks

Man in the middle (MitM) attacks are attacks wherein the hacker positions themselves as an intermediary between the sender & the receiver of data.

In simple terms, this means trying to steal information while data communicates/travels from one point to other.

WordPress websites that are still running on HTTP are prone to man in the middle attacks.

HTTP (Hypertext Transfer Protocol) is the communication between your web browser & the website’s server.

When you enter a website URL, your browser sends a request to the website server & fetches the required data.

Since HTTP is not an encrypted protocol, hackers can intercept the information exchanged between the web browser & the web server.

This means even passwords are not secure. The straightforward solution to preventing MitM attacks is enabling HTTPS on your website.

Hacking Your Website: Testing Out If Your Website Is Vulnerable To Hackers

No website in the world is completely secure.

So here’s the catch: reveal as little information about your website as possible, & you will be on the safer side.

Hiding your website’s potentially useful information means keeping yourself off the shortlist hackers build after their reconnaissance & scanning phase.

So you might be wondering: what kind of information are hackers looking for to shortlist weak websites?

  • Admin Username
  • Websites without HTTPS
  • Websites with outdated themes or plugins
  • Websites with potential open paths to inject malicious scripts

The best way to understand this is to run the same scans on your own WordPress website that real hackers run out there using automated bots:

Test 1: WordPress enumeration via REST API

A WordPress installation by default includes a REST API that can be used to get active user details on a specific website.

REST stands for Representational State Transfer; it is a client-server style of API that makes your website’s data available to other programs.

In simple terms, the REST API helps other applications/websites retrieve information available on your website without having to use a browser to access the website.

To get the requested data, REST architecture uses many formats including plain text, HTML, JSON, XML, YAML, etc.

If we talk about the data in JSON format,

To check this, enter this URL string after your website URL: /wp-json/wp/v2/users

Example – www.yourwebsite.com/wp-json/wp/v2/users

Similarly, https://sureshbhatt.net/wp-json/wp/v2/posts

What did you see? Did you see a blank page or a 404 page?

When a hacker sends a JSON request (www.yourwebsite.com/wp-json/wp/v2/users) to your website to get sensitive information, it should return a 404 error,

or did you see this kind of information?

[Image: how the REST API can be exploited & used to hack your WordPress website]

If yes, you need to protect this information ASAP.

Don’t take this lightly. As you can see, this string can help hackers get information on registered users.

Here’s the fix: you can jump directly to it or continue reading this article to fix everything, including this.

Test 2: Monitoring WordPress Behavior

In this step, we’ll look for minor differences in how your WordPress login page is responding to particular requests.

We will perform this step to help you understand what minor pieces of information hackers try to gather & how costly leaking them can be, since they help hackers gain access to your website.

Step 1: Go to your WordPress Login page & try entering a wrong username & dummy password.

See how WordPress responds to this & returns this error message.

Step 2: Now enter the right username but a wrong password.

[Image: WordPress response when security testing against brute force attacks]

As you can see, this returns the message “invalid username & password”; this means WordPress does not indicate that the username is correct but the password is wrong.

However, hackers have one more way to confirm this: they try resetting your password.

Not to actually reset it, but to put your website on the list of sites where the username is confirmed, so they can execute further steps.

[Image: WordPress forgot-password response when testing for vulnerabilities that help hackers get the exact username]

But once the right username is guessed, this password reset form will confirm it to hackers.

[Image: WordPress response to forgot-password brute force testing when the right username is guessed]

However, in this case, hackers need to move fast after this step, because it will also send you a forgot-password email.

If you ever receive any such forgot-password email, don’t take it lightly.

Create a new & very strong password again immediately.

Depending on this response, the attackers can determine the exact username, which can then be used to execute the next, larger hacking steps against your website.

This makes hackers one step closer to brute force attacking your Website.

Test 3: Checking If Any Directory Is Publicly Visible: wp-content & Plugin Directory Indexing Status

We will attempt this test to list the directory contents of the uploads & plugins folders to determine whether directory indexing is enabled on your WordPress website.

This can lead to information leakage vulnerabilities that can also reveal sensitive information regarding your website configuration.

[Image: screenshot showing an enumeration (plugin, content) vulnerability in WordPress]

Test 4: Playing With Some Free WordPress Website Security Vulnerability Scanners

In this check, we will test our website’s vulnerabilities using some plugins.

This test is to see if our website requires attention, because hackers use these tools or similar codes to detect potentially weak websites

WPIntel Chrome Extension

[Image: WPIntel – free WordPress vulnerability scanner extension]

Pin this extension to your browser; whenever you visit a website, the tool scans it & turns green if it detects WordPress.

You can use this tool to scan for possible vulnerabilities in your WordPress website & get them fixed as soon as possible.

Some things you can check for using this tool:

  • Version & Vulnerabilities
  • Themes & Plugin information
  • Username Enumeration
  • Scan for registered users details
  • Scan for path disclosure
[Image: the WPIntel tool]

This is one of the most famous tools used by hackers to find vulnerabilities in your website.

This tool helps them in their reconnaissance phase, when they are on their first step of gathering data from

There are other popular tools too that you can easily find.

Test 5: Finding PHP or SQL Injection Vulnerabilities

Any input field in your website with submit button is vulnerable.

In this test, we will check for any open paths in our frontend that do not filter data before processing & saving it into the database.

Create a list of all the places on your website where a user can send data from the frontend to be stored in your database.

This could be:

  • Newsletter Form
  • Custom HTML form you might have created
  • Comments Section

Now test whether your website is filtering this data before sending it to the database.

Didn’t get what I mean?

What you need to do is try entering data in an improper format: for example, in the phone number field, try entering text or a phone number longer than 10 digits. If the website accepts this data, it means the data is not getting filtered properly & hackers can inject malicious scripts into your database, which can be executed in their next hacking steps.
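The following is an added example, not code from the original article: it shows the unfiltered "open path" that the SQL injection section and Test 5 describe, beside the hardened form that validates each field and binds values with `$wpdb->prepare()`. It assumes a hypothetical plugin table `{$wpdb->prefix}newsletter` with columns `id`, `email`, `phone`, and a hypothetical form action name `newsletter_signup`.

```php
<?php
// Added example, not from the original article. Assumes a hypothetical
// newsletter plugin with table {$wpdb->prefix}newsletter (id, email, phone).

// WEAK: the submitted value is spliced straight into the SQL string. A value
// containing a quote character changes the structure of the query, which is
// what "data is not getting filtered" means in practice.
function newsletter_lookup_weak( $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'newsletter';
    return $wpdb->get_row( "SELECT id, email FROM $table WHERE email = '$email'" );
}

// HARDENED, step 1: validate the shape of each field before it goes anywhere.
// sanitize_email() strips illegal characters; is_email() rejects what is left
// if it still is not an address. This is the "rejects anything other than an
// email" behaviour the article's screenshot shows.
function newsletter_valid_email( $raw ) {
    $email = sanitize_email( wp_unslash( $raw ) );
    return ( '' !== $email && is_email( $email ) ) ? $email : false;
}

// Test 5's phone check: exactly 10 digits after removing common separators.
// Anything longer, or containing text, is rejected.
function newsletter_valid_phone( $raw ) {
    $digits = preg_replace( '/[\s\-().]/', '', sanitize_text_field( wp_unslash( $raw ) ) );
    return preg_match( '/^\d{10}$/', $digits ) ? $digits : false;
}

// HARDENED, step 2: even validated values go to the database through
// $wpdb->prepare(), so the value is bound as data and can never become SQL.
// The table name is interpolated because it is built from $wpdb->prefix, not
// from user input.
function newsletter_lookup_safe( $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'newsletter';
    $sql   = $wpdb->prepare( "SELECT id, email FROM {$table} WHERE email = %s", $email );
    return $wpdb->get_row( $sql );
}

// Handler for a front-end form posting to admin-post.php with
// action=newsletter_signup (hypothetical name). The form must include
// wp_nonce_field( 'newsletter_signup' ) so the CSRF check below passes.
function newsletter_signup_handler() {
    global $wpdb;
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'newsletter_signup' ) ) {
        wp_die( 'Invalid request.', 'Forbidden', array( 'response' => 403 ) );
    }
    $email = newsletter_valid_email( $_POST['email'] ?? '' );
    $phone = newsletter_valid_phone( $_POST['phone'] ?? '' );
    if ( false === $email || false === $phone ) {
        wp_die( 'Please enter a valid email address and a 10-digit phone number.', 'Invalid input', array( 'response' => 400 ) );
    }
    if ( newsletter_lookup_safe( $email ) ) {
        wp_safe_redirect( home_url( '/?subscribed=already' ) );
        exit;
    }
    // $wpdb->insert() escapes each value according to its format specifier.
    $wpdb->insert(
        $wpdb->prefix . 'newsletter',
        array( 'email' => $email, 'phone' => $phone ),
        array( '%s', '%s' )
    );
    wp_safe_redirect( home_url( '/?subscribed=1' ) );
    exit;
}
add_action( 'admin_post_nopriv_newsletter_signup', 'newsletter_signup_handler' );
add_action( 'admin_post_newsletter_signup', 'newsletter_signup_handler' );
```

The same two steps (validate the shape, then bind with `prepare()` or `$wpdb->insert()`) apply to every field the article lists: comments, search, contact and registration forms.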

How Can I Protect My WordPress Website from Hackers?

You’re not alone in this fight!

Hide REST API

As we discussed above, the REST API in WordPress can be used to get potentially sensitive information about your website.

To prevent this, you need to insert the following code into your theme’s functions.php file.

// Caution: this restricts the ENTIRE REST API to logged-in administrators.
// The block editor and many plugins use the REST API, so editors, authors
// and contributors will lose that functionality; test with those roles first.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another authentication handler has already decided; keep its verdict.
    if ( ! empty( $result ) ) {
        return $result;
    }
    // Anonymous visitors get 401 for every REST route, including /wp/v2/users.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'You are not currently logged in.', array( 'status' => 401 ) );
    }
    // Logged in but not an administrator: 403 (authenticated, not authorised).
    // manage_options is the capability that identifies administrators; passing
    // a role name such as 'administrator' to current_user_can() is discouraged.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_not_admin', 'You are not an administrator.', array( 'status' => 403 ) );
    }
    return $result;
} );
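A narrower alternative, added here as an example and not part of the original article: instead of closing the whole REST API to non-administrators, it removes only the user-listing routes for visitors who are not logged in, so the Test 1 URL returns "no route" to them while the block editor and REST-based plugins keep working for logged-in users of every role. It uses only the core `rest_endpoints` filter.

```php
<?php
// Added example, not from the original article: hide only /wp/v2/users
// (list and single-user lookups) from anonymous callers.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    // Logged-in users keep every route. The block editor sends a REST nonce
    // with its requests, so it is recognised as logged in; an administrator
    // opening /wp-json/... directly in the address bar sends no nonce and is
    // treated as anonymous by core, which is the behaviour we want here.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        // Matches '/wp/v2/users' and '/wp/v2/users/(?P<id>[\d]+)', the routes
        // that expose usernames and user slugs to anyone who asks.
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );
```

Removed routes answer with the REST API's standard 404 `rest_no_route` error, which matches the "should return a 404" expectation in Test 1; the REST route is only one source of usernames, so also check that your author archives do not expose them.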

Add Security Headers

When it comes to WordPress security, adding security headers to your website blocks some malicious attacks like script injection or man-in-the-middle attacks.

For example, there are many scripts hackers can use to access your website over HTTP even if you’ve configured SSL properly.

Below are some important security headers that we need to add to our website at the server level.

  • HTTP Strict Transport Security (HSTS) – Prevents your website from loading over HTTP
  • X-Frame-Options – Prevents cross-domain iframes or click-jacking
  • X-XSS-Protection – Blocks cross-site scripting
  • X-Content-Type-Options – Blocks content MIME-type sniffing

We need to add these headers at the web server level, in the .htaccess file (Apache).

To do this, log in to your cPanel & using File Manager, go to public_html > .htaccess

Add this piece of configuration to the file & save changes.

<IfModule mod_headers.c>
    # HSTS is only sent on HTTPS responses (env=HTTPS). Once cached, browsers
    # refuse plain HTTP for max-age seconds, so be sure HTTPS works first.
    Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
    # Legacy header: current browsers ignore it. Harmless, but do not rely on
    # it as XSS protection.
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options "nosniff"
    # DENY also stops your own site from framing itself (for example the
    # Customizer preview); use SAMEORIGIN if you need that.
    Header set X-Frame-Options "DENY"
    # Header name and value are separate arguments; the original line had a
    # stray colon after the name, which produced a malformed header.
    Header set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>

Keep Everything Up To Date

Be it plugins, theme files, the WordPress core or anything else on your website: keep everything up to date. This is the most important thing.

Outdated technology is very dangerous, & you should enable auto updates for your WordPress website, its themes & its plugins.

Choose A Reliable & Trusted Hosting Partner

Did you know that security vulnerabilities in hosting services account for 41% of hacked WordPress websites?

This news is around 6-7 years old & the original author of this post has deleted the page.

But let me tell you why choosing a reliable hosting service is important:

  • Website Security – A reliable business means you are in the best hands; a good host will have a security firewall & other means to protect your website from getting hacked.
  • Just in case your WordPress website gets hacked, a good hosting provider will prioritize this situation to help you the best way they can.
  • While performing certain functions to strengthen your website security, you would need to edit core files. Just in case something goes wrong & you lose access to your website, a reliable web host will not only make sure to fix the issues, but also educate you on what you’ve done wrong & what you should avoid in the future.

Cybersecurity is one of the biggest concerns in the tech world.

Let the professionals manage server security & other critical security measures while you focus on strengthening your WordPress website.

I personally use HostGator & have been associated with them as an affiliate partner.

Meaning, the hosting is reliable & if you sign up from here, I will get some commission that will help me keep this blog live 🙂

The tech support staff is really helpful & willing to provide you the best customer experience.

Bluehost is also good, but might be expensive for beginners.

Password Protect WordPress Admin Directory

This is a kind of two-factor authentication for logging in to your admin dashboard.

Just as your WordPress dashboard is protected with a password, you can add another layer of security by password protecting the directory itself.

That is, protecting the URL www.yourwebsite.com/wp-admin by showing a password prompt before the login page is reached.

[Image: how a password-protected WordPress admin page looks; this adds an extra layer of security to your WordPress website]

To do this, you need to log in to your hosting cPanel account & locate the Directory Privacy icon.

[Image: how to enable a password on the wp-admin page (password protect the wp-admin directory)]

Locate the wp-admin directory inside public_html & click on Edit as shown below.

[Image: demonstration of how to enable password protection on wp-admin]

[Image: final steps to password protect the WordPress admin & improve security]

Now save this & try logging into your dashboard in incognito mode.

Seeing “too-many-redirects” or “404” error after setting up password on wp-admin directory?

Try adding this piece of code to your .htaccess file inside cPanel of your hosting account:

public_html > .htaccess

ErrorDocument 401 default

Add this code before WordPress rules start

Click save & try now.

Seeing an admin-ajax issue?

This means the Ajax functionality is broken: admin-ajax.php lives inside the wp-admin directory, & themes & plugins call it from the public frontend too, so the new password prompt now blocks those requests.

Locate the wp-admin .htaccess file (this is a different .htaccess file, not the one we edited above) inside your hosting cPanel:

public_html > wp-admin > .htaccess

& paste the following code into it:

<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any 
</Files>

Hide /wp-admin URL & keep hackers away

The default WordPress installation settings invite security vulnerabilities to your website.

One such vulnerability is the default login page URL, i.e. /wp-admin

You just need to add this at the end of the website URL to get to the login page.

Hackers already know this & you should change this URL slug to keep them away from this page, which is the gateway to the core of your website.

While this can be done manually, you can also use the WPS Hide Login plugin.

Caution: It is important to back up your website before changing the /wp-admin/ login URL, because in some cases you may end up locked out of your own website.

Limit Login Attempts

As the term suggests, limiting login attempts to your WordPress website keeps it safe from hackers trying to brute-force your login.

By enabling this feature, you will be able to limit the number of failed login attempts.

Since a brute-force attack needs to try a lot of combinations before guessing the right password, limiting login attempts makes sure that no bot can try more than three wrong credentials on your website before being locked out.

A default WordPress installation does not include this feature, so we need to use a plugin for it.
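As an added example (not code from the original post or from any particular plugin), here is the logic such a plugin implements: a failed-login counter keyed by client address that locks the client out after three failures within a time window, refuses even correct passwords while the lock lasts, and clears the history on a successful login. The threshold, window and lockout durations, the client addresses and the attempt stream are all constructed for the illustration.

```python
"""Added example: a minimal "limit login attempts" rate limiter, keyed by client IP.

Assumptions (constructed for this illustration): the threshold of 3 failures and the
window/lockout durations are parameters, not values from any specific plugin.
"""
from collections import defaultdict, deque


class LoginLimiter:
    """Locks out a client after max_failures failed logins within `window` seconds."""

    def __init__(self, max_failures=3, window=900, lockout=1800):
        self.max_failures = max_failures
        self.window = window                  # seconds in which failures are counted
        self.lockout = lockout                # seconds a locked-out client must wait
        self._failures = defaultdict(deque)   # client -> timestamps of recent failures
        self._locked_until = {}               # client -> time the lock expires

    def _prune(self, client, now):
        """Forget failures older than the counting window."""
        q = self._failures[client]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, client, now):
        until = self._locked_until.get(client)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[client]    # lock has expired
            return False
        return True

    def attempt(self, client, password_ok, now):
        """Return 'locked', 'ok' or 'fail'. Locked clients are rejected before the
        password is checked, so guesses made during the lockout never count."""
        if self.is_locked(client, now):
            return 'locked'
        if password_ok:
            self._failures.pop(client, None)  # success clears the failure history
            return 'ok'
        self._prune(client, now)
        self._failures[client].append(now)
        if len(self._failures[client]) >= self.max_failures:
            self._locked_until[client] = now + self.lockout
            self._failures.pop(client, None)
            return 'locked'
        return 'fail'


def replay(attempts, **kwargs):
    """Feed constructed attempts (client, password_ok, timestamp) through a fresh limiter
    and return the outcome of each one."""
    limiter = LoginLimiter(**kwargs)
    return [limiter.attempt(client, ok, t) for client, ok, t in attempts]


# Constructed sample: a bot guessing from 203.0.113.5, a legitimate user from 198.51.100.7.
SAMPLE = [
    ("203.0.113.5", False, 0),
    ("203.0.113.5", False, 1),
    ("203.0.113.5", False, 2),      # third failure -> locked out
    ("203.0.113.5", True, 3),       # even the right password is refused while locked
    ("198.51.100.7", False, 4),     # another client is unaffected
    ("198.51.100.7", True, 5),
    ("203.0.113.5", True, 2000),    # the 1800 s lockout has expired
]

if __name__ == "__main__":
    for row, outcome in zip(SAMPLE, replay(SAMPLE)):
        print(row, "->", outcome)
```

Keying on the IP alone is the simplest form; real plugins usually also count per username, because bots rotate addresses, while several legitimate users behind one office NAT can trip an IP-only lock together.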

Enable Two-Factor Authentication

Enabling two-factor authentication adds an extra layer of security to your website.

Even if an automated script manages to brute-force its way past your WordPress password, your website will still be secure until the attackers find a way to disable or exploit the specific plugin used for two-factor authentication.

Almost every WordPress security plugin allows you to enable two-factor authentication.

Block Script Injections – PHP & SQL

As we know, WordPress is written in PHP & uses a MySQL or MariaDB database.

This means hackers can potentially inject malicious SQL & PHP scripts into your website.

This can be done by sending crafted requests to your website's frontend, for example requests that try to set PHP's global variables ($GLOBALS, $_REQUEST) through the query string.

We've already done this test to see if hackers can get a way to inject scripts.

However, there is one more step that needs to be done: we need to block requests that try to tamper with PHP's global variables from outside our website.

To do this we need to add this snippet to our .htaccess file:

# BEGIN Protect Against Script Injections, Thank you Suresh
Options +FollowSymLinks
RewriteEngine On
# Block requests whose query string carries a <script> tag, URL-encoded or not (NC = case-insensitive)
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# ...or tries to set PHP's $GLOBALS / $_REQUEST superglobals through the URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Answer any matching request with 403 Forbidden
RewriteRule ^(.*)$ index.php [F,L]
# END Protect Against Script Injections, Thank You Suresh

You will find .htaccess file inside File Manager in your website cPanel.

Once you save this code to the .htaccess file, your web server will answer with 403 Forbidden any request whose query string carries these script-injection or PHP-superglobal patterns.

Just by adding this code, you are taking your WordPress security to the next level.
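To see exactly what the rules above do & do not block, here is an added example (mine, not from the post) that re-expresses the three RewriteCond patterns as Python regexes and runs them over constructed query strings against a made-up host, example.test. Apache matches %{QUERY_STRING} against the raw, still-URL-encoded query string, so the patterns are applied to the undecoded text here too.

```python
"""Added example: simulate the three .htaccess RewriteCond patterns over sample URLs."""
import re
from urllib.parse import urlsplit

# Mirrors the .htaccess rules as (name, compiled pattern). Only the <script> rule has [NC].
RULES = [
    ("script-tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS-override", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST-override", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]


def matching_rule(query_string: str):
    """Return the name of the first rule the raw query string trips, or None."""
    for name, pattern in RULES:
        if pattern.search(query_string):
            return name
    return None


def classify(url: str, body: str = ""):
    """Simulate the rewrite rule for one request: (403, rule) if the query string matches,
    else (200, None). The request body is deliberately ignored, because mod_rewrite's
    %{QUERY_STRING} test never looks at it."""
    query = urlsplit(url).query
    rule = matching_rule(query)
    return (403 if rule else 200, rule)


# Constructed sample requests (no real site): what gets blocked and what slips through.
SAMPLE = [
    "http://example.test/?s=%3Cscript%3Ealert(1)%3C/script%3E",  # URL-encoded tag
    "http://example.test/?s=<SCRIPT>x</SCRIPT>",                  # [NC] catches upper case
    "http://example.test/?GLOBALS[admin]=1",                      # superglobal via URL
    "http://example.test/?_REQUEST=x",
    "http://example.test/?s=javascript+tutorial",                 # ordinary search: allowed
    "http://example.test/?s=description",                         # "script" without <...>
]

if __name__ == "__main__":
    for url in SAMPLE:
        print(classify(url), url)
    # The same payload in a POST body is not seen by these rules at all, so input
    # sanitisation and prepared statements in the application remain necessary.
    print(classify("http://example.test/wp-comments-post.php", "comment=<script>x</script>"))
```

The last line of the script is the caveat worth remembering: the snippet is a cheap filter on GET query strings only. It is a useful extra layer, not a replacement for the data sanitisation discussed earlier in this article.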

Disable Frontend Debugging Messages

Some WordPress themes come with debugging messages enabled on the frontend.

While developers use this feature to detect bugs, attackers can use the same messages to gather information about your site that then helps them trick your WordPress installation & gain unauthorized access.

If you spot any debug messages on the frontend, place this line in your wp-config.php file:

define( 'WP_DEBUG_DISPLAY', false );

Disable File Editing – Theme Editor & Plugin Editor

WordPress comes with two useful features named "Theme Editor" & "Plugin Editor".

These let you edit theme & plugin files directly from the WordPress dashboard, rather than editing them manually through cPanel.

However, this is a huge security vulnerability: anyone who gets into your dashboard can use these editors to write arbitrary PHP into your site. If you are not tech-savvy, it is recommended to turn them off.

To disable these features, simply add the line below to your wp-config.php file:

// Disallow file editing from the dashboard
define( 'DISALLOW_FILE_EDIT', true );

Use Recommended Security Plugins

Though I don't want you to rely on plugins, because plugins can be exploited easily & also slow down your website.

But still, I am not an ethical hacker or security evangelist, so I would say install some security plugins that experts recommend on the internet.

But rest assured, if you wish not to use plugins, you can skip them entirely; I've mentioned some good preventive measures to save your website from hackers.

Conclusion

As we all know, no security solution works 100%, which means we need to do the best we can.

To best protect your website against hacking, I would recommend not just installing plugins, firewalls etc., but also understanding how they actually work.

If you get to know only what I've explained in the post above, it will be easy for you to make smart decisions in the future about your website's security.

Another important reason to understand this is that you don't have to rely on plugins every time.

What's important is to make hackers' lives hard by not giving them the initial information their bots need about our website.

Everything else is handled by the great minds working behind the scenes to keep WordPress a happy place for all of us 🙂

I hope this article helped you understand WordPress security flaws & their fixes.

Do you think I missed adding any WordPress security vulnerability that hackers can potentially use to gain access to our website? Please let me know in the comment section 🙂