How do I secure a WordPress website?


Securing a WordPress website

Objective

WordPress is one of the most widely used content management systems (CMS) for building websites. However, its exposure (more than 40% of all websites online are built on it), together with its ecosystem of free and paid plugins and themes, means that vulnerabilities are regularly found in it. Exploiting these vulnerabilities can have a range of consequences, from data theft and website defacement (modification of its content) to service interruptions.

This tutorial will show you a range of actions that you can perform quickly to secure your WordPress website.


Requirements

  •     A Web Hosting plan
  •     The plan must be set up
  •     Access to the administration interface (via the username and password provided during setup)

 

Instructions
 

When should WordPress updates be applied?

Firstly, it is essential to always run the latest versions of your CMS, your theme and your plugins, since updates fix known security vulnerabilities. To keep track of them, follow the information published on the CMS website and consult public vulnerability databases such as Exploit Database.

The rule to follow is simple: as soon as an update becomes available for your WordPress installation, apply it. Did you know? You can also enable automatic updates for your themes and plugins.

Important: Make sure you have enough storage space on your server before you perform the updates (at least 1GB is required). If your storage becomes full and you apply updates, your CMS may not be able to finalise them completely. This could result in your website becoming unavailable.

Even if you have enabled automatic updates for your themes and plugins, it is important to check when they were last updated. In addition to the risk of being incompatible with a new version of WordPress, a component that has not been updated for several months may no longer be maintained, and might have security vulnerabilities as a result.

 

How do I configure automatic updates for my WordPress theme?

Automating a theme update is a simple process. In the left-hand column of your WordPress dashboard, click “Appearance”, then “Themes”. Select your theme, and click “Enable auto-updates”.


How do I enable automatic updates for my WordPress plugins?

In the left-hand column of your WordPress dashboard, you can configure automatic updates for your plugins in the “Plugins” section:


Why is it important to keep my Web Hosting plan’s PHP version up-to-date?

It is also important to use the latest version of PHP available (provided that your installed themes and plugins support it). Many performance and security patches are provided during each update. You can check the supported versions of PHP here: https://www.php.net/supported-versions.php

Below, you will also find the recommended configuration for your OVHcloud Web Hosting plan:

  • Runtime environment: Stable64
  • PHP version: 8.1
  • Engine: PHP
  • Mode: Production
  • Application firewall: Disabled

 

If your WordPress website was set up and configured on a PHP version that is no longer maintained, make sure that the plugins you use are compatible with the new version of the language you want to configure. Otherwise, you may need to replace the plugin.


How do I update PHP on my OVHcloud Web Hosting plan?

You can do this directly via the OVHcloud Control Panel. Below is a screenshot of the final step for this action. When you do this, you can select the PHP version you want to use:

Important: You will need to update your WordPress configuration, its themes and plugins before you make any changes.

More information is available in our guide: https://help.ovhcloud.com/csm/en-gb-web-hosting-change-php-version?id=kb_article_view&sysparm_article=KB0053007
 

Are there any plugins I can use to secure WordPress?

The WordPress plugins presented in this tutorial are among the most popular. They are updated regularly, and have already proven to be popular and effective. Please note, however, that other plugins not listed in our examples may be equally useful and powerful.
 

How do I set up my WordPress website entirely in HTTPS?

“Really Simple SSL” automatically detects your settings and configures your website to work over HTTPS (the protocol preferred by search engines).

Important: You need to have installed an SSL certificate on your Web Hosting plan in advance, and it must also be enabled. Don't have an SSL certificate?  Read our guide to find out about the steps you need to take: https://help.ovhcloud.com/csm/en-gb-web-hosting-ssl-certificates?id=kb_article_view&sysparm_article=KB0041230

In your WordPress dashboard, click on “Plugins”, then “Add”. Enter “Really Simple SSL” in the search bar, then click “Install now”. Wait a few seconds, then click “Enable”.


All you need to do now is activate your SSL certificate! This step is easy — simply click on the “Activate SSL” button, which will then appear:


The SSL certificate is now active by default on your website. You just need to make a few adjustments, such as enabling 301 redirection via .htaccess:


Then add the recommended security headers for HTTPS connections by editing the .htaccess file via FileZilla.

You can also do this via FTP Explorer: https://help.ovhcloud.com/csm/en-gb-web-hosting-ftp-storage-connection?id=kb_article_view&sysparm_article=KB0052696#1-log-in-via-ftp-explorer

Once you are logged in, right-click on the .htaccess file, then click “View/Edit”:


Once the file is opened in a text editor, simply copy and paste the following lines of text at the end:

# Security Headers
# HSTS: browsers must use HTTPS for this host for one year; env=HTTPS limits the header to HTTPS responses
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
# Ask the browser to fetch any remaining http:// sub-resources over https://
Header always set Content-Security-Policy "upgrade-insecure-requests"
# Stop browsers from guessing a MIME type that differs from the declared Content-Type
Header always set X-Content-Type-Options "nosniff"
# Legacy XSS filter header: deprecated and ignored by current browsers, harmless for older ones
Header always set X-XSS-Protection "1; mode=block"
# Certificate Transparency enforcement: deprecated, current browsers ignore it
Header always set Expect-CT "max-age=7776000, enforce"
# Send the full referrer except on HTTPS-to-HTTP downgrades
Header always set Referrer-Policy "no-referrer-when-downgrade"
# Only this site may embed its own pages in frames (clickjacking protection)
Header always set X-Frame-Options "SAMEORIGIN"
# Disable browser features the site does not need
Header always set Permissions-Policy "geolocation=(); midi=();notifications=();push=();sync-xhr=();accelerometer=(); gyroscope=(); magnetometer=(); payment=(); camera=(); microphone=();usb=(); xr=();speaker=(self);vibrate=();fullscreen=(self);"
# End Security Headers

This will return the following result in the .htaccess file located in your website’s root directory:


Important: Once you have pasted these lines, remember to save by clicking “File”, then “Save”. Next, go back to FileZilla and confirm the pop-up asking whether to upload the modified file back to the server. If you do not confirm, your changes will not be saved on the server.
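Once the headers are in place, you can check them locally as well as with an online scanner. The following audit script is an added example (not part of this guide or of any plugin); it parses the header section of an HTTP response and reports headers from the block above that are missing or weaker than recommended. The sample responses are constructed for the demonstration.

```python
import re
# Expected headers and acceptable values, taken from the .htaccess block above
# (the legacy X-XSS-Protection and Expect-CT headers are not required here).
EXPECTED = {
    "strict-transport-security": re.compile(r"max-age=(\d+)"),
    "content-security-policy": re.compile(r"upgrade-insecure-requests"),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
    "x-frame-options": re.compile(r"^(SAMEORIGIN|DENY)$", re.I),
    "referrer-policy": re.compile(r"^(no-referrer|strict-origin|same-origin)", re.I),
    "permissions-policy": re.compile(r"\S"),
}
MIN_HSTS_MAX_AGE = 31536000  # one year, as set in the .htaccess block

def parse_headers(raw_response: str) -> dict:
    """Map header names (lowercased) to values; the first line is the status line."""
    headers = {}
    for line in raw_response.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_headers(raw_response: str) -> list:
    """One finding per missing or weak header; an empty list means the set above is in place."""
    headers = parse_headers(raw_response)
    findings = []
    for name, pattern in EXPECTED.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing {name}")
            continue
        match = pattern.search(value)
        if not match:
            findings.append(f"unexpected value for {name}: {value!r}")
        elif name == "strict-transport-security" and int(match.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"hsts max-age {match.group(1)} is below {MIN_HSTS_MAX_AGE}")
    return findings

# Constructed sample responses (not captured from a real site).
SAMPLE_OK = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: upgrade-insecure-requests
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
X-Frame-Options: SAMEORIGIN
Permissions-Policy: geolocation=(); camera=(); microphone=()
"""
SAMPLE_WEAK = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOWALL
"""
```

To audit a live site, feed `audit_headers` the output of `curl -sI https://your-site.example/` (the same status line and header lines).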
 

How do I set up two-factor authentication?

A username and password alone may not be sufficient for security purposes. The weaknesses are well known: simple passwords, sometimes reused across several accounts, significantly weaken security. Passwords are rarely (or never) reset, and they may be stored on unsecured media (e.g. notepad applications, paper). However, even accounts with complex passwords can fall victim to successful hacking attempts.

Setting up a two-factor authentication process (2FA) will increase the security of access to your administration interface. The operation is simple: in addition to the standard use of a username and password, you will also be asked to authenticate with an additional factor (a limited-time code, smartphone authentication, SMS, passphrase). This way, you can protect and secure your admin access, and avoid compromising your website’s security.
Even if a malicious user somehow manages to obtain your password, your access security will not be compromised.

You can use the Google Authenticator app (or any equivalent app) as part of your 2FA procedure.
When you create your account, a QR code will appear on the screen. Simply scan it with your smartphone via the Google Authenticator app. A new entry will appear in your application, generating a code (6-digit by default) that will refresh every 30 seconds. You will need to provide this code when you log in to the administration interface.

With a full-featured plugin, you can manage multiple authentication methods on your website, which is useful for administrators and for users with an account. The miniOrange plugin for Google Authenticator is available here: https://wordpress.org/plugins/miniorange-2-factor-authentication/

Here is how to enable two-factor authentication for the administrator account (available with a free account).

  • Log in to the dedicated interface with your admin account.
  • Click on the “miniOrange 2-Factor” plugin.
  • Click “Configure” under the “Google Authenticator” authentication method.
  • In the first step of the configuration process, select the application you will use on your smartphone to generate the codes. Once you have selected this method, scan the QR code with your smartphone via the Google Authenticator app.
  • Assign a name, then proceed to step 2 of the verification by entering the code generated on your mobile app.
  • If the operation is successful, you will see a window confirming that access to your account via 2FA is effective.


How do I measure my website’s health?

In the left-hand column of your WordPress dashboard, select “Tools”, then click “Site Health”. This section is not a plugin. It is included with WordPress by default, and can alert you to any performance or security problems on your website.


You can also test your security headers here: https://securityheaders.com/


How do I configure Wordfence for my WordPress?

Wordfence includes a firewall and a malware scanner designed specifically to protect WordPress.


You will need to register the plugin by clicking “Activate”. If you do not have a Wordfence account, click “Get Your Wordfence Licence”. You will then be redirected to the plugin publisher’s website to create your account:


On the publisher’s website, select the “Free” version. Next, click “Get a Free Licence”. A modal window will then open. Click “I’m OK waiting 30 days for protection from new threats”:


A new modal window will then appear, with the URL of your WordPress website. Enter your email address, and tick the box for accepting the General Terms and Conditions of Use:


You will then see a message confirming that you have been sent an email:


Open the email, and click on the link to finish creating your account (the link will take you directly to the WordPress administration interface). You can then validate the licence key entered in the form:


You can also do this manually by copying the key from the registration email.

The firewall, also known as the Web Application Firewall (WAF), enters learning mode. This step may take several minutes.

In the meantime, click “Click here to configure”.


Download the backup of your .htaccess file to your computer, then click “Continue”.


How do I optimise my settings for protection against brute-force attacks?

In the “Firewall” section on the left-hand column of your dashboard, click “Manage firewall”.


Then click on “Manage Firewall”, then “Brute Force Protection” (at the bottom of the new page).


We recommend focusing on the following settings:

  • Lock out after how many login failures (set the maximum number of failed login attempts before a user is locked out): 2.
    We recommend using a password manager.
  • Lock out after how many forgot password attempts (set the maximum number of password reset attempts before a user is locked out): 2.
  • Amount of time a user is locked out (set the time for which a user is locked out): 2 months.
  • Immediately lock out invalid usernames (instantly block users attempting to log in with a non-existent WordPress username).

If you accidentally lock yourself out of your dashboard, an email will be sent to the address you entered in Wordfence. You can then end the ban and try to log in again.
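To show what the settings above amount to as logic, here is an added example (an illustration, not Wordfence's own code) of a lockout policy with the recommended values: two failed logins or two forgotten-password requests lock the source for two months (approximated here as 60 days), an attempt with a non-existent username locks it immediately, and an unlock call mirrors the link in the notification email. Tracking per client IP address and the string return codes are assumptions made for the demonstration.

```python
LOCKOUT_SECONDS = 60 * 24 * 3600  # "2 months", approximated as 60 days

class LoginGuard:
    """Per-IP lockout modelled on the Wordfence settings above (illustration, not Wordfence code)."""
    def __init__(self, known_users, max_failures=2, max_resets=2, lockout=LOCKOUT_SECONDS):
        self.known_users = set(known_users)
        self.max_failures = max_failures      # "Lock out after how many login failures": 2
        self.max_resets = max_resets          # "Lock out after how many forgot password attempts": 2
        self.lockout = lockout                # "Amount of time a user is locked out"
        self.failures = {}                    # ip -> consecutive failed logins
        self.resets = {}                      # ip -> password reset requests
        self.locked_until = {}                # ip -> Unix time at which the ban ends

    def is_locked(self, ip, now):
        return now < self.locked_until.get(ip, 0)

    def _lock(self, ip, now):
        self.locked_until[ip] = now + self.lockout
        self.failures.pop(ip, None)
        self.resets.pop(ip, None)

    def login_attempt(self, ip, username, check_password, now):
        """check_password() is called only when the source is not locked and the username exists."""
        if self.is_locked(ip, now):
            return "locked"
        if username not in self.known_users:  # "Immediately lock out invalid usernames"
            self._lock(ip, now)
            return "locked"
        if check_password():
            self.failures.pop(ip, None)
            return "ok"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.max_failures:
            self._lock(ip, now)
            return "locked"
        return "denied"

    def forgot_password_attempt(self, ip, now):
        if self.is_locked(ip, now):
            return "locked"
        self.resets[ip] = self.resets.get(ip, 0) + 1
        if self.resets[ip] >= self.max_resets:
            self._lock(ip, now)
            return "locked"
        return "sent"

    def unlock(self, ip):
        self.locked_until.pop(ip, None)  # ends the ban early, as the link in the Wordfence email does
```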

If you need equivalent protection for your websites (other than WordPress), we recommend referring to this page, which covers the features of our CDN Security option.


In conclusion, here are some best practices to remember

  • Keep your CMS, its plugins and themes up-to-date.
  • Configure WordPress to automate these updates.
  • Ensure that all pages are served over TLS/SSL, and that your certificate is valid.
  • Set up two-factor authentication for critical accounts.
  • Check your website regularly.