Security is of paramount importance for any website. One tiny loophole can cripple a popular website that has been running for years. Do you know that over a quarter of the websites on the internet use WordPress? This fact is very impressive, but it also puts WordPress at high risk of attack by notorious hackers. One security bug in the CMS puts millions of sites at risk; it is like an open backdoor.
Using an unpredictable password and staying up to date with the latest version are clichéd security tactics by now. However, there is an array of security practices which seasoned WordPress users already know. So, instead of re-inventing the wheel, let's discuss a topic which has not been covered as thoroughly. Today, you are going to learn about hosting-related security tweaks which you should check for when subscribing to any hosting plan.
WordPress Hosting Services
A web host is the backbone of any WordPress site. Their job goes a little beyond just storing your data. They provide a secure environment and prevent hack takeovers. If a hosting company is not secure, the chances are that vulnerabilities are already eating up your resources; the most visible symptom of poor hosting is a slow website.
So, a web host must provide secure services all the way from their data centers, through protection against sophisticated exploits, up to customer separation at the kernel level.
Basic Security Tweaks
At the beginning of this article, I said I would not cover the common security tweaks, but it'd be unfair to the beginners who are reading this post. For them, here is a brief round-up:
- Do not use 'admin' as the username.
- Stay up to date with the latest WordPress version.
- Update plugins and themes regularly.
- Avoid downloading plugins from unofficial sources or malicious-looking marketing platforms.
- Use a strong password (you can use resources like Random.org Password Generator and LastPass Generate Password).
- Limit login attempts to put an end to brute force attacks (WP Limit Login Attempts).
- Do not install plugins that have not been updated recently.
Even if you are a veteran WordPress user, this is a good list for future reference. Now, let's get straight to the real deal, i.e. what are the hosting-related security measures in WordPress?
Eliminate PHP Error Reporting
PHP rendering or parsing errors can reveal a lot. If a WordPress theme or plugin does not work as expected, it might generate an error message. Developers can work through this with the usual troubleshooting techniques. However, these errors should never be public in your production environment.
One of the major security techniques WordPress offers is to disable error reporting. By default, WordPress does not allow CMS-related errors, warnings, and bugs to appear on the frontend and backend. But PHP error reporting is still enabled, and I think, for the right reasons.
A PHP error message typically leaks your server's full filesystem path, which is exactly what a hacker needs. This is like rewarding a hacker with a manual detailing all the ins and outs of your site. That would be absurd, right? So, it's a much better idea to disable this error reporting for public sites. To disable PHP error reporting, add the following code to wp-config.php:
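As an added example (not the article's own snippet and not part of WordPress), here is a small POSIX shell script that you can run over SSH to put the PHP error-display settings into wp-config.php. It assumes a standard wp-config.php containing the "That's all, stop editing!" comment that WordPress ships with, and inserts the lines once, just above that marker, keeping a .bak copy of the original. WP_DEBUG itself is deliberately left alone because the stock wp-config.php already defines it.

```shell
#!/bin/sh
# Added example, not from the article: insert PHP error-display settings into
# wp-config.php, once, just above the "That's all, stop editing!" marker that a
# standard wp-config.php carries. Assumes the file is writable by your SSH user.

MARKER="That's all, stop editing"

# The PHP lines to add. WP_DEBUG is not redefined here because the stock
# wp-config.php already defines it (redefining a constant raises a warning).
error_display_lines() {
    cat <<'EOF'
/* Hosting hardening: never show PHP errors to visitors, log them instead. */
@ini_set( 'display_errors', 'Off' );
@ini_set( 'log_errors', 'On' );
if ( ! defined( 'WP_DEBUG_DISPLAY' ) ) {
    define( 'WP_DEBUG_DISPLAY', false );
}
EOF
}

# Returns 0 if the config already switches display_errors off.
config_hides_errors() {
    grep -Eiq "display_errors[\"']?,[[:space:]]*[\"']?(off|0)" "$1"
}

# Insert the lines a single time; a .bak copy of the original is kept.
harden_error_display() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    grep -q "$MARKER" "$f" || { echo "marker not found in $f" >&2; return 1; }
    if config_hides_errors "$f"; then
        echo "display_errors already off in $f"
        return 0
    fi
    cp "$f" "$f.bak"
    error_display_lines > "$f.insert"
    # Print the insert file immediately before the first marker line.
    awk -v marker="$MARKER" -v ins="$f.insert" '
        !done && index($0, marker) {
            while ((getline line < ins) > 0) print line
            close(ins)
            done = 1
        }
        { print }
    ' "$f.bak" > "$f"
    rm -f "$f.insert"
}

# Usage: sh hide-php-errors.sh /var/www/html/wp-config.php
if [ -n "${1:-}" ]; then
    harden_error_display "$1"
fi
```

After running it, load a page that you know triggers a warning and confirm nothing is printed; the warning should now appear only in the server's error log.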
Only Use SFTP & SSH
File Transfer Protocol (FTP) is the commonly used protocol for transferring files over the internet. Like HTTP, it runs on top of the Internet's TCP/IP protocols to move data. You can connect to FTP through an FTP client like FileZilla or Transmit and upload or download files to your server. Most web hosts provide both FTP and SFTP (Secure File Transfer Protocol).
Both are used for the exchange of data between client and server. You should use SFTP because it keeps the file transfer secure as well as efficient. To connect via SFTP, get in touch with your host and let them guide you.
Another way to connect to the server is through Secure Shell (SSH). You can do that from the default Terminal on your Mac or with PuTTY on Windows. Use the same credentials as for SFTP to connect. SFTP and SSH are inherently more secure, so it's a good practice to use them. I do NOT remember the last time I used FTP. SSH is what I prefer, but you can rely on SFTP as well.
File Permissions Must Be Proper
File permissions can be tricky. They are important because they decide who can read, write and execute files on your server. Some major WordPress features are only possible by allowing certain files to be written by the web server. This can be dangerous, especially if you are on a shared hosting environment.
It is a great practice to use strict file permissions. If a plugin requires looser permissions on certain files, you can change those later.
WordPress recommends the following file permissions:
- Folders/Directories: 755
- Files: 644
To check your file permissions, use SFTP or SSH. WordPress needs to write its rewrite rules to the .htaccess file in the root directory automatically, so 644 is the permission to set on it. Read the Codex page on changing file permissions and its advanced concepts if you are a developer and want to learn more about this topic.
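As an added example (not from the article or from WordPress), the following POSIX shell script applies the 755/644 scheme above over SSH and reports every file or directory that deviates from it, so you can audit before and after. It assumes the WordPress root is passed as the first argument and that your SSH user owns the files.

```shell
#!/bin/sh
# Added example, not from the article: apply and audit the recommended
# 755 (directories) / 644 (files) permission scheme for a WordPress tree.
# Assumes the shell user owns the files under the given root.

# Print every directory that is not 0755 and every file that is not 0644.
# Empty output means the tree matches the recommendation.
find_bad_permissions() {
    root="$1"
    find "$root" -type d ! -perm 0755
    find "$root" -type f ! -perm 0644
}

# Set the recommended permissions across the whole tree.
fix_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
}

# Usage: sh wp-perms.sh /var/www/html
if [ -n "${1:-}" ]; then
    echo "Before:"; find_bad_permissions "$1"
    fix_permissions "$1"
    [ -z "$(find_bad_permissions "$1")" ] && echo "permissions OK under $1"
fi
```

Run find_bad_permissions on its own first to see what would change. WordPress's own hardening guide also allows wp-config.php to be tightened further (to 440 or 400) when the web server runs as the file owner; if you adopt that, exempt wp-config.php from the audit so it is not reported as a deviation.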
Disable File Editing From WordPress Dashboard
The default WordPress editor (Appearance > Theme Editor) allows you to edit the theme files. It is a nice, time-saving shortcut to access files. But with great power comes great responsibility. Allowing files to be edited through the dashboard can be hazardous if hackers get access to the dashboard.
They can inject malicious scripts very easily, which may potentially give them access to the database or even the entire server.
Not only that, but as a developer you should never cowboy-code on a live website.
If you understand how dangerous this can be, here's how to disable the file editing feature. Go to your wp-config.php file. Here, you'll find this comment:
/* That's all, stop editing! Happy blogging. */
Just paste the following code right below this commented line:
define( 'DISALLOW_FILE_EDIT', true );
This line removes the theme and plugin editors from the dashboard. By the way, you can also do that without messing around with code, through the iThemes Security plugin.
Prevent Directory Browsing
Directory browsing allows visitors to list the contents of folders on your website. A WordPress installation contains many directories and subdirectories like wp-content and wp-includes. If directory browsing is enabled, a hacker can visit any directory and see which files exist.
With this technique, anyone can examine your entire site's structure. Hackers can even see which plugins you are using, which WordPress version it is, which theme you are using and a lot more. We do NOT want that.
Most web hosts disable directory browsing for obvious reasons. But plenty of others do not, and this can be a massive security hole. To prevent directory browsing, follow these steps: open the .htaccess file (this file can be hidden; you might have to show hidden files) in the WordPress root directory and add the following code at the end of the file:
# Disable Directory Browsing
Options -Indexes
As a precaution, keep a backup copy of the .htaccess file as well. As I said before, this can also be accomplished with the iThemes Security plugin.
Protect wp-config.php
The wp-config.php is the most critical file in a WordPress installation. Here, you add all the database credentials and other important settings like that. It also contains many configuration parameters which can improve the site's security. Since this file should not be accessible to anyone with malicious intent, you can block access to wp-config.php via .htaccess.
Add the following lines to your .htaccess file:
# protect wp-config.php
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
Some folks recommend moving the wp-config.php file outside the web root, but that's pretty much debatable. Since the wp-config.php file only defines a bunch of constants and never prints anything on the screen, moving it might not help at all. What you should do is restrict access to it. You can read more details about what I am talking about here.
Block or Remove license.txt, etc.
A WordPress installation ships with many files. Most of them are needed and are put in place at installation time. Others are redundant. These are the license.txt, readme.html, and wp-config-sample.php files, which sit aimlessly in the root directory. Anyone can access these files and learn important things about the installation. For this reason, it's better to remove them.
The readme.html file contains introductory text and installation instructions. It also reveals the WordPress version you are using, which may or may not be a critical bit of information for hackers. The license.txt contains the software's GNU General Public License details. You can remove these files by going to cPanel > File Manager > Root Directory. Or restrict access to them by changing their permissions so they cannot be read.
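As an added example, rather than anything from the article, the following POSIX shell script audits a WordPress root for the two .htaccess rules above (directory listing off, wp-config.php denied) and for the leftover files just discussed. It assumes Apache with .htaccess processing enabled, takes the root directory as its first argument, prints one finding per line and exits non-zero if anything needs attention, so it can run from a cron job or a deploy step.

```shell
#!/bin/sh
# Added example, not from the article: audit a WordPress root for the
# .htaccess hardening rules and leftover files covered above.
# Assumes Apache with .htaccess enabled; root directory is the first argument.

LEFTOVER_FILES="readme.html license.txt wp-config-sample.php"

# Does .htaccess switch directory listings off (an Options line with -Indexes)?
htaccess_blocks_indexes() {
    grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess" 2>/dev/null
}

# Does .htaccess carry a <Files wp-config.php> block that denies access, in
# either the Apache 2.2 ("Deny from all") or the 2.4 ("Require all denied") form?
htaccess_protects_config() {
    sed -n '/<[Ff]iles[[:space:]]\{1,\}"\{0,1\}wp-config\.php"\{0,1\}>/,/<\/[Ff]iles>/p' \
        "$1/.htaccess" 2>/dev/null |
        grep -Eiq 'deny from all|require all denied'
}

# Report leftover files and missing rules; returns 1 if anything was found.
audit_wp_root() {
    root="$1"
    rc=0
    for f in $LEFTOVER_FILES; do
        if [ -e "$root/$f" ]; then
            echo "leftover file present: $f"
            rc=1
        fi
    done
    htaccess_blocks_indexes "$root" || { echo ".htaccess: directory listing not disabled"; rc=1; }
    htaccess_protects_config "$root" || { echo ".htaccess: wp-config.php not protected"; rc=1; }
    return $rc
}

# Usage: sh wp-audit.sh /var/www/html
if [ -n "${1:-}" ]; then
    audit_wp_root "$1" && echo "no findings under $1"
fi
```

The check only reads the files on disk; it does not prove Apache is honouring them (AllowOverride may be off), so confirm from outside as well by requesting a directory URL and wp-config.php and expecting 403 responses.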
Get a Reliable Web Host
Nobody has greater control over your site than the web host. They maintain the server on which your site is hosted. A web host is responsible for keeping its servers up 24/7 and updated with the latest technologies.
Security, by default, is also their responsibility. It does not matter how many security tactics you put in place: if your server is compromised, all is lost. Now, who would want that? No one, I assume.
A good web host must have the following qualities:
- It is reliable
- It maintains regular backups
- It is airtight and serious about security
- It uses the latest technology and server software
- It runs malware scanners regularly
Most of all, a good web host takes care of your data like it belongs to them. On our hosting page are a few web hosts who meet the criteria mentioned above. Choose any of these hosts and you should be safe.
No matter how many times those hosting solutions claim to be "100% secure!", security can never be 100%. It is a matter of constant care. However, taking precautions and staying vigilant brings you closer and closer to that goal.
Even with these hosting-related security measures in place, you won't be entirely safe. But it's a good start. Which hosting services do you use? What are your views about hosting security in WordPress? Share your feedback with us!
Finally, you can catch all of my articles on my profile page, and you can follow me or reach out on Twitter at @mrahmadawais to discuss this article. As usual, don't hesitate to leave any questions or comments below, and I'll aim to respond to each of them.