There’s been so much news about WordPress websites being hacked lately. And, many people have started questioning the safety of WordPress due to the recent attacks.
Therefore, if you own a WordPress website, you must act on these 15 WordPress security techniques that I will teach you in this guide.
Before we jump right into it, let me warn you ahead.
While you are here busy reading this article, some script kiddie might be trying to hack into your website (WordPress or not).
Seriously?
Yes.
“Why would some guys waste their time on me? It’s not like I am a big business.”
Well, I don’t want to bump up your worries, but hackers like small websites because they are an easy target.
Why is Website Security Such a Big Fuss?
Okay, someone is trying to break into my website, but why should I care? Especially, since I have a backup of everything. I could just delete the WordPress and re-install it.
Your question is valid. But, what if the hacker has gained access to your backup and web-host?
Also, there are other risks if an attacker gains control of your website. Some of them are…
- Hackers might steal your and your visitors’ information (login credentials, email addresses, anything submitted through your forms), and use it for illegal purposes.
- If you are just starting to get visitors, downtime will affect you in the long run.
- People will start to question the quality of your website.
- Attackers might post something offensive or illegal on your website, for which you might have to face consequences (legal or otherwise).
But, why would anyone put up all the effort just to give trouble to a small website like mine?
- A small website is easy to hack.
- Hackers test their tools on small websites for a bigger project.
- They can use your web host to send spam emails.
- Intruders use resources of small websites to attack “big guys”. Your web server can be part of a botnet for DDoS attacks.
- Hackers can use your website to spread malware. Thousands of small websites are a good distribution channel because small website owners cannot afford security experts to check them.
- Hackers may use your website for increasing traffic and Google rank of their own website by posting backlinks.
Therefore, even if you are just starting to set up a website, you must be very careful about security. It isn’t just about you. Your carelessness might affect others too (DDoS attack).
WordPress was hacked, Should You Seek Other Platforms?
First of all, no system (website or personal computer) is perfectly secure. People have even found ways into air-gapped systems (computers with no network connection at all).
Whichever platform you choose, hackers will find a way into it.
The reason why so many WordPress websites get hacked is that WordPress is very popular. At the time of writing, about 27% of websites run WordPress, and the share is growing. So, WordPress has become a goldmine for hackers and spammers.
Attackers keep probing WordPress because a single vulnerability in the core, or in a popular plugin, can be exploited automatically across millions of sites at once. The scanning is done by bots, not by someone picking out your site in particular.
Another reason why WordPress sites get hacked is because it is an open environment. Users can code and modify the websites themselves. They can add third-party plugins.
So, should you find another CMS for your website?
No.
Most compromises are not caused by the WordPress core code but by outdated or badly written plugins and themes, weak or reused passwords, and neglected hosting. But then, as I said earlier, no system is completely secure.
If WordPress itself was not safe, why would 27% of the web use it?
Many volunteers maintain the core system and the WordPress.org repository. Plugins and themes are reviewed when they are first submitted to the repository, but that review is not a continuous security audit, which is why you still have to keep them updated and choose them carefully (see tips 4 and 11).
Also, the WordPress security team handles reported issues skillfully. Fixes ship as point releases, and most sites install those automatically. So, you can trust WordPress for your website.
However, you, as a website owner, should also be extra careful. You should always monitor your website regularly.
Here are 15 WordPress security measures that you should follow to minimize the risk of your website getting hacked!
Pro Tip: Always backup your WordPress files including database before making changes to your files, and installing security plugins.
Note: Some of the links in this guide are affiliate links. We earn a certain amount of commission if you buy services/products through the links, without any extra cost to you. That being said, we don’t recommend products that are not worth.
1. Use Unique Username and Password
On older WordPress versions, and with many one-click installers, the installer proposes “admin” as the username. I think it is a great feature because it saves me from the tedious task of picking my own username. I can focus on other really important stuff. Thanks, WordPress!
I know, I know. That’s a stupid excuse. But, did you change the default “admin” username while installing WordPress? Welcome to the club!
When hackers try to log in to your admin panel, they first try “admin” as the username.
What’s the big deal about username when you have a strong password?
Well, a strong password is the part that matters most. But if your username is “admin”, the attacker doesn’t have to guess it at all: every attempt goes straight to the password, and wordlists of passwords are exactly what brute-force tools are built around.
Bear in mind that WordPress also leaks usernames in other ways (the author archive URL /?author=1 redirects to /author/username/, and the REST API endpoint wp-json/wp/v2/users lists users who have published posts), so an unusual username is a speed bump, not a wall. The password and the second factor (tip 2) do the real work.
But, the bummer is, you can’t change a username from the WordPress dashboard! (It can be changed directly in the database, in the user_login column of the users table, but one typo there locks you out.)
Although you can install some plugin to change the username, I don’t recommend using plugins for simple tasks; every plugin is more code you have to keep updated.
Therefore, simply create a new user with the Administrator role, log in as that user, and then delete the old admin user. Don’t worry, WordPress will ask whether to delete the old user’s posts or attribute them to another user; choose the latter.
While creating a new user, use username that’s not too obvious, like “myname” or “mysitename”.
As for the password, the simple rule is that your password should be long, random and unique.
Complex: mix upper- and lower-case letters, digits and special characters, but don’t do it by hand. “P@ssw0rd!” satisfies every complexity rule and sits in every cracking wordlist.
Long: at least 10 characters, and since a password manager types it for you, there is no reason not to use 16 or more. Length adds far more strength than swapping letters for symbols.
Unique: no dictionary words, names or dates, and a different password for every website. Reuse is what turns someone else’s breach into your hacked site: attackers replay leaked email/password pairs against wp-login.php (this is called credential stuffing).
After you apply the above password rules, your password should look like this: LTwYgrsewDhw@ertzK9#M!K%
That’s a strong password. But the problem is, we are human beings, and that’s hard to remember.
Therefore, use a password manager such as LastPass or KeePass. They generate and store passwords for you, they are free, and you can use them on multiple devices.
If you still think that you can get away with simple passwords because you are creative, I hope this changes your mind.
2. Use Two-Factor Authentication
You have now used a unique username and a strong password for your WordPress admin panel.
Great!
That’s a step towards better WordPress security.
But even a strong password can be stolen! It can be phished, leaked from another site where you reused it, or read by malware on your laptop. And attackers run brute-force and dictionary attacks (we will talk about those later) against wp-login.php around the clock.
That’s why you should start using two-factor authentication on your website. It means a stolen password alone is not enough to get in.
Two-factor authentication requires a second proof besides username and password when logging in: typically a six-digit code generated on your smartphone by an authenticator app (a TOTP code that changes every 30 seconds), or a single-use code sent to your phone. You will be able to log in only after you enter the code.
I know, this is a hassle, but, remember, better safe than sorry. A second factor is the single most effective upgrade to a password login; hardware security keys (U2F/FIDO2) are stronger still, because they also defeat phishing.
Unfortunately, WordPress doesn’t have a built-in setting for two-factor authentication. You add it with a plugin, for example the Two Factor plugin or the Google Authenticator plugin; both work with any TOTP app (Google Authenticator, Authy, FreeOTP and others). Save the recovery codes the plugin gives you, otherwise a lost phone locks you out and you will be disabling the plugin over FTP.
If you are not familiar with Google’s 2-step verification, Envato Tuts+ has great tutorials about using Google Authenticator with WordPress.
3. Verify the User as a Human
Hackers use botnets to attack login forms with brute force. And, one way to make that expensive for them is a reCAPTCHA on the form.
Bots generally fail the reCAPTCHA, so the attacker either has to type attempts by hand or pay a CAPTCHA-solving service for every guess. Either way the cost per attempt goes from nothing to something, and that, my friend, is a pain in the…you know where.
But, the old reCAPTCHA, the one with distorted text, is not efficient. We have all been there, making a wild guess at some letters, and OCR-based bots got good at it too.
To make the experience more human-friendly and better at repelling bots, Google introduced the “No CAPTCHA reCAPTCHA” (reCAPTCHA v2, the “I’m not a robot” checkbox, which analyses the visitor’s behaviour and only shows a puzzle when in doubt), and later Invisible reCAPTCHA, which runs the same check without a checkbox.
You can add reCAPTCHA to your WordPress login, comment and/or registration forms manually or with one of the many reCAPTCHA plugins in the repository.
But, first, you need to register your site in Google’s reCAPTCHA admin console to get two keys. The site key goes into the form’s HTML (it is public); the secret key stays on the server and is used to verify the visitor’s response token against Google’s siteverify endpoint (https://www.google.com/recaptcha/api/siteverify). Enter both in the plugin settings if you use a plugin. If you code it yourself, verify the token server-side and never put the secret key in client-side code; a CAPTCHA that is checked only in the browser is no CAPTCHA at all.
4. Update WordPress
You should always update WordPress. WordPress updates are not just for adding features. The updates are released, most importantly, to fix bugs and security holes.
But, what if I run into compatibility issues with my themes and plugins after I update WordPress? Well, usually, good themes and plugins are tested against upcoming core releases and ship their own updates quickly. Test the update on a staging copy of the site, or at least take a backup first, so you can roll back.
If the plugins or themes you use haven’t been updated, then it’s time to find alternatives to them.
The majority of websites that get hacked run an outdated WordPress, plugins or themes. Once a vulnerability in a plugin version is public, bots scan for that version within days, so an out-of-date plugin is a standing invitation.
So, update your themes and plugins asap! If there are no updates available, change them. You can find plenty of up-to-date themes and plugins in the WordPress repository.
You can also try out our WordPress themes. We update them regularly so that you don’t have to worry about security issues from the themes.
How to Update WordPress
Updating WordPress is easy. WordPress displays a notification on the Dashboard whenever there is an update for the core system, themes or plugins.
Go to Dashboard> Updates and click on the update buttons.
Minor core releases (the security and maintenance releases) install themselves automatically by default since WordPress 3.7. You can extend that to major releases by adding define( 'WP_AUTO_UPDATE_CORE', true ); to wp-config.php, and newer WordPress versions let you switch on auto-updates per plugin and theme from the Plugins and Themes screens. You get an email notification when your website is automatically updated.
5. Disable File Editing
You can easily customize your website with the inbuilt code editor in WordPress (Appearance> Editor and Plugins> Editor).
However, imagine hackers get hold of an administrator login (a phished password, or one reused from another breach). With the editor, they can drop a PHP backdoor into your theme in thirty seconds without ever touching FTP, and that is exactly what automated attacks do. Therefore, it is good practice to disable the editor.
To disable the editor, back up your WordPress first. Then, locate the wp-config.php file on your server. You can find wp-config.php in the root folder of your website along with folders like wp-admin and wp-content.
You can use an FTP client to connect to the server (use SFTP or FTPS if your host offers it; plain FTP sends your password in the clear). Or, if you have cPanel access, you could use the File Manager available in cPanel.
Now, add the following lines to wp-config.php, above the comment that begins /* That's all, stop editing!, and save the file:

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

After the file is updated, the theme and plugin editors disappear from the WordPress dashboard. You can still modify the themes using SFTP or cPanel’s File Manager. If you want to go further, define( 'DISALLOW_FILE_MODS', true ); also blocks installing and updating plugins and themes from the dashboard, but then every update is on you, so use it only if you deploy your site from version control.
6. Limit Login Attempts
Some one-click WordPress installers (the Softaculous installer many cPanel hosts use, for example) ask during installation whether to install a limit-login-attempts plugin.
Limiting login attempts is a great way of protecting your website from brute force attacks.
Hackers will try to log into your website with many username/password combinations. With login attempts limited, a visitor gets only a handful of tries (counted per IP address, typically) before the plugin locks that address out for a while, turning thousands of guesses per minute into a few per hour.
If you forgot to check this option during WordPress installation, don’t worry. You can find the plugin in the WordPress repository.
Go to Plugins> Add New from your WordPress dashboard menu. Search for “Loginizer”, and then install and activate the plugin.
After activating the plugin, go to Loginizer Security> Brute Force from the WordPress admin menu to setup login protection.
7. Brute Force Attack Protection
Hackers use brute force attacks to gain access to the admin panel or FTP accounts of your website. Basically, a brute force attack is trial and error: like trying every key on a ring until the lock opens. In practice attackers rarely try every possible password; they run through wordlists of common passwords and, increasingly, username/password pairs leaked from other sites’ breaches (credential stuffing). Intruders use botnets to automate the attacks and to spread them across thousands of IP addresses.
To protect your website from becoming the target of brute force attacks, follow instructions 1, 2, 3, and 6.
You can also change the default login URL (www.mywebsite.com/wp-admin/ and wp-login.php) so that automated scanners hammering the well-known path get a 404. Be clear about what this buys you: it cuts the noise in your logs and stops the dumbest bots, but it is obscurity, not authentication, and any link or redirect that exposes the new URL gives it away.
You can create a custom login URL using a plugin called All In One WordPress Security & Firewall. After you install the plugin, go to the Brute Force section to enable the custom login URL. This plugin has so many features that you may not need any other WordPress security plugin. One more door to shut while you are there: xmlrpc.php also accepts a username and password, and its system.multicall method lets an attacker test hundreds of passwords in a single HTTP request, so a counter that only watches wp-login.php never sees them. Disable XML-RPC if nothing you use needs it (Jetpack does), or restrict it to the addresses that do.
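To see why tips 6 and 7 belong together, here is an added Python example (not code from this guide, from Loginizer or from All In One WP Security) that replays a constructed login log through a per-IP lockout like the one those plugins implement, and then looks for what that lockout misses: a botnet spreading its guesses over many addresses so that no single IP ever trips the limit. The log format, the addresses (RFC 5737 documentation ranges) and the thresholds are constructed for the example; a real deployment would feed it from the web server access log or from the wp_login_failed hook.

```python
"""Per-IP login lockout plus detection of distributed password guessing.

Added example: not code from the original guide or from the Loginizer /
All In One WP Security plugins. Log format, addresses and thresholds are
constructed for the example.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: one host hammers "admin" quickly, then a slow,
# distributed attack on the same account arrives from several addresses,
# and a real editor mistypes once before logging in.
SAMPLE_LOG = """\
2017-03-12T10:00:01Z 203.0.113.7 FAIL admin
2017-03-12T10:00:03Z 203.0.113.7 FAIL admin
2017-03-12T10:00:05Z 203.0.113.7 FAIL admin
2017-03-12T10:00:07Z 203.0.113.7 FAIL admin
2017-03-12T10:00:09Z 203.0.113.7 FAIL admin
2017-03-12T10:00:11Z 203.0.113.7 FAIL admin
2017-03-12T10:00:13Z 203.0.113.7 FAIL admin
2017-03-12T10:05:00Z 198.51.100.1 FAIL admin
2017-03-12T10:06:00Z 198.51.100.2 FAIL admin
2017-03-12T10:07:00Z 198.51.100.3 FAIL admin
2017-03-12T10:08:00Z 198.51.100.4 FAIL admin
2017-03-12T10:09:00Z 198.51.100.5 FAIL admin
2017-03-12T10:09:30Z 192.0.2.10 FAIL editor
2017-03-12T10:10:00Z 192.0.2.10 OK editor
"""

T0 = datetime(2017, 3, 12, 10, 0, 0, tzinfo=timezone.utc)


def at(seconds: int) -> datetime:
    """Timestamp `seconds` after T0, for hand-built attempt sequences."""
    return T0 + timedelta(seconds=seconds)


def parse(line: str):
    """'<ISO-8601 UTC> <ip> <OK|FAIL> <username>' -> (timestamp, ip, success, user)."""
    ts, ip, result, user = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, result == "OK", user


class LoginThrottle:
    """Lock an IP out for `lockout_s` after `max_failures` failures within `window_s`."""

    def __init__(self, max_failures: int = 5, window_s: int = 900, lockout_s: int = 1800):
        self.max_failures = max_failures
        self.window = timedelta(seconds=window_s)
        self.lockout = timedelta(seconds=lockout_s)
        self.failures = defaultdict(deque)      # ip -> timestamps of recent failures
        self.locked_until = {}                  # ip -> when the lockout ends

    def attempt(self, ts: datetime, ip: str, success: bool) -> bool:
        """Return True if the attempt may be processed, False if the IP is locked out."""
        until = self.locked_until.get(ip)
        if until is not None and ts < until:
            return False                        # locked: even a correct password is refused
        if success:
            self.failures.pop(ip, None)         # a real login clears the slate
            return True
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                    # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = ts + self.lockout
            recent.clear()
        return True


def replay(log_text: str, throttle: LoginThrottle | None = None):
    """Feed the log through the throttle.

    Returns (blocked_attempts, failed_ips_by_user, locked_ips). The per-user
    view of failing addresses is what exposes a distributed attack.
    """
    throttle = throttle or LoginThrottle()
    blocked = []
    failed_ips_by_user = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, ok, user = parse(line)
        if not throttle.attempt(ts, ip, ok):
            blocked.append((ts, ip, user))
            continue
        if not ok:
            failed_ips_by_user[user].add(ip)
    return blocked, dict(failed_ips_by_user), sorted(throttle.locked_until)


def distributed_targets(failed_ips_by_user: dict, min_sources: int = 5) -> set:
    """Usernames attacked from at least `min_sources` distinct addresses: the
    pattern a per-IP lockout never sees, because each address stays under the limit."""
    return {user for user, ips in failed_ips_by_user.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    blocked, by_user, locked = replay(SAMPLE_LOG)
    print("locked out:", locked)
    print("blocked attempts:", [(ts.isoformat(), ip) for ts, ip, _ in blocked])
    print("distributed targets:", distributed_targets(by_user))
```

The per-IP lockout stops the noisy attacker (203.0.113.7 is refused after its fifth failure) but the slow, distributed campaign against “admin” sails through at one guess per address. That is why the account-level controls, a non-obvious username, a random password and a second factor, are not optional, and why rate limiting by your host or a WAF, which sees traffic across many sites, catches what a single plugin cannot.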
8. DDoS Attack Protection
With so many Internet-enabled devices, the frequency of DDoS attacks has been increasing.
DDoS is a method of flooding a website/service with junk traffic to knock it offline. Attackers use infected systems (a botnet of malware-ridden computers and, increasingly, routers and cameras) to generate the flood. In October 2016, the Mirai botnet took down the DNS provider Dyn, leaving famous websites like Twitter, Amazon, Reddit, and Netflix unreachable for hours.
Therefore, you should be ready to tackle DDoS attacks.
The measures above (1, 2, 3, 4, 6 and 7) protect your login; they do nothing against a flood of traffic, which never needs to log in. For that you need something in front of your server with more capacity than the attacker.
So I recommend a service like CloudFlare (its free plan includes DDoS mitigation) or a CDN such as MaxCDN. They sit between the visitor and your server, absorb and filter the traffic, and serve cached copies of your pages, so your server sees a fraction of the requests.
Similarly, caching on the site itself, with a plugin like WP Super Cache, lowers the cost of each request so your server survives more of them. Keep in mind that caching only covers anonymous page views; logins, comments and other POST requests still run PHP, so a flood aimed at wp-login.php or xmlrpc.php still needs rate limiting by your host or a WAF.
9. Scan for Malware and Remove Them
Since you are reading my security tips so carefully (I really hope you are), let me tell you something scarier, if you haven’t panicked yet!
Hackers are sneaky! They might have already placed some malware on your web files.
Therefore, you need to scan your web server for malicious files asap! And, remove them.
How to do that?
Plug in a security plugin. Sucuri Security is a widely used free plugin: it checks the WordPress core files against known-good copies, runs remote malware scans and logs security-relevant activity.
If you want server-side scanning of every file, and someone to do the cleanup for you, Sucuri’s paid service does that. It costs money.
If you can’t afford Sucuri (I know it is expensive), there’s a free way. Because I have been preaching to you about all this techy stuff, I think you deserve a treat.
Here’s how to scan and remove malware from your website for free!
First, download the public_html folder from your server using an (S)FTP client of your choice, and keep that copy untouched as evidence. Scan it with an up-to-date antivirus (Norton, Kaspersky or something else) as a first pass, but don’t stop there: desktop antivirus is tuned for Windows executables and misses most PHP backdoors, which can be a single line long. Then do the checks that actually find them: compare the core files with clean copies of the same version (WP-CLI’s wp core verify-checksums does this against the hashes WordPress.org publishes), look for .php files under wp-content/uploads, for files modified more recently than your last update, and for administrator accounts in the dashboard that you did not create.
After that, rather than “cleaning” edited files, replace WordPress core, plugins and themes with fresh downloads, re-upload your own content (uploads, custom theme) once you have checked it, then change the database password, the salts in wp-config.php, and every WordPress and hosting password. Finally, update everything, because whatever hole let them in is still open until you do. Not quite “as easy as that”, but it is free.
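Desktop antivirus is built for Windows executables and tends to miss PHP backdoors that are only a few lines long. As an added example (not code from this guide or from Sucuri), here is a small Python indicator scan of the kind a manual cleanup relies on: it flags PHP source that evaluates decoded blobs, passes request parameters to a shell, calls a function named by the request, uses the old preg_replace /e modifier, or carries a very long base64 literal, and it flags any .php file sitting under wp-content/uploads, where WordPress itself never writes PHP. The sample files are constructed in memory for the example; on a real host you would walk the WordPress root with os.walk and read each PHP file. A hit is a lead to inspect, not proof of compromise, and an empty report is not proof of a clean site.

```python
"""Indicator scan for PHP web shells and dropped files in a WordPress tree.

Added example, not code from the original guide or from Sucuri. The patterns
are a starting point, not a complete signature set.
"""
from __future__ import annotations

import re
from pathlib import PurePosixPath

INDICATORS = {
    # eval() fed by a decoder/decompressor: the classic obfuscated payload
    "eval_of_decoded_blob": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I),
    # a request parameter handed straight to a shell
    "request_to_shell": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    # $_POST['f']($_POST['a']): the attacker picks the function at runtime
    "dynamic_function_from_request": re.compile(
        r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
    # preg_replace with the /e modifier ran the replacement as PHP (removed in PHP 7)
    "preg_replace_e_modifier": re.compile(
        r"\bpreg_replace\s*\(\s*['\"][^'\"]*?/[a-z]*e[a-z]*['\"]", re.I),
    # a very long base64 literal is rarely legitimate in theme or plugin code
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}

PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}

# Constructed samples: one legitimate file and three kinds of dropped code.
SAMPLE_FILES = {
    # uses base64 for an inline image; no eval, so it must not be flagged
    "wp-content/themes/twentyseventeen/functions.php":
        "<?php\n$logo = 'data:image/png;base64,' . base64_encode(file_get_contents($f));\n",
    # obfuscated dropper hiding behind a core-sounding filename (blob is a placeholder)
    "wp-content/themes/twentyseventeen/inc/class-wp-cache.php":
        "<?php eval(gzinflate(base64_decode('H4sIAAAAAAAAA0tKzEsHAA')));\n",
    # web shell parked in the uploads directory
    "wp-content/uploads/2017/03/image.php":
        "<?php if(isset($_POST['c'])){ system($_POST['c']); }\n",
    # old-style /e shell dropped next to core files
    "wp-includes/wp-tmp.php":
        "<?php preg_replace(\"/.*/e\", $_REQUEST['x'], '');\n",
}


def scan_source(php: str) -> list[str]:
    """Names of the content indicators that match this PHP source."""
    return [name for name, rx in INDICATORS.items() if rx.search(php)]


def scan_path(path: str) -> list[str]:
    """Location indicators: WordPress never writes PHP into wp-content/uploads."""
    p = PurePosixPath(path)
    hits = []
    if p.suffix.lower() in PHP_EXTENSIONS and "wp-content" in p.parts and "uploads" in p.parts:
        hits.append("php_in_uploads")
    return hits


def scan_tree(files: dict[str, str]) -> dict[str, list[str]]:
    """path -> indicators, for every file that triggered at least one."""
    report = {}
    for path, content in files.items():
        hits = scan_path(path) + scan_source(content)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(hits)}")
```

Pair the scan with an integrity check of the files that should never change: WP-CLI’s wp core verify-checksums compares every core file against the hashes WordPress.org publishes, and plugins and themes from the repository can be re-downloaded and diffed the same way. Anything the scan or the diff turns up, reinstall from a fresh copy rather than editing the infected file, then rotate the database password, the salts in wp-config.php and every administrator password.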
10. Good Webhost
Web host plays an important, very important, role in the website’s security.
A good web host provides you support and tools to tackle DDoS attacks, Brute-Force attacks, and malware. Therefore, I recommend SiteGround hosting because they keep security at high priority.
Generally, a shared hosting plan is more vulnerable because the server is shared with other websites. Hackers can use other websites on the same server to attack your website on shared hosting. This concept is called cross-site contamination.
It is often considered best to get dedicated hosting or VPS hosting, but they are expensive. As a starter, you may not have the budget for it.
Does that mean you risk yourself? No. Even shared hosting can be protected.
Good web hosting companies like SiteGround run a web application firewall such as ModSecurity in front of even their shared hosting plans. A good host also limits the number of websites on a server, isolates each account so one compromised site cannot read another’s files, and scans servers for malware regularly.
Similarly, if your web host can provide you Sucuri Security, it’s a plus point.
11. Choose Plugins and Theme Wisely
Well, choose plugins and themes wisely. That is all you need to know on this topic.
The freedom to install third-party plugins and themes is also what exposes WordPress to attackers: every plugin runs with the full privileges of your site.
Plugins and themes from the WordPress.org repository are reviewed before being listed and are pulled when a vulnerability is reported and not fixed, which makes them far safer than a zip file from a random download site. “Nulled” (pirated) premium themes and plugins are a classic malware vector. If you must install something manually, get it from the developer’s own site, and at least run it through an antivirus scan and look over the code before you upload it to your WordPress.
Also, before installing plugins or themes, check for reviews and the last updated date.
12. Remove Unnecessary/Outdated Themes and Plugins
Always keep your WordPress clean.
If you are not currently using any plugins or themes, and they are outdated, remove them. They might be inviting hackers.
Similarly, go to the back end of WordPress and check for files that shouldn’t be there by comparing against a clean copy of the same WordPress version (WP-CLI’s wp core verify-checksums does this automatically for the core files).
Or, you could just do a fresh installation of WordPress.
First, backup your databases and WordPress. Then, remove WordPress. And, install a new updated WordPress.
Make sure you inform your visitors during maintenance by displaying a maintenance page.
13. Secure .htaccess and wp-config.php
Only the Almighty knows what hackers can do if they get to read your .htaccess or wp-config.php file: wp-config.php holds your database credentials and the authentication salts.
So, you should block direct web access to both files. Even if you don’t know how to code, you can do it by inserting a few lines in the .htaccess file. (This assumes your host runs Apache with .htaccess overrides enabled; on nginx the equivalent is a location block that returns 403 for the same files.)
Please keep a backup of the .htaccess file before making changes to it.
Locate the .htaccess file in the root of your website, and add the following lines to it.
Code to block access to wp-config.php (Apache 2.4 syntax)

<Files wp-config.php>
    Require all denied
</Files>

Code to block access to the .htaccess file

<Files .htaccess>
    Require all denied
</Files>

If your server still runs Apache 2.2, use Order allow,deny followed by Deny from all inside the same <Files> blocks instead of Require all denied. A quick check afterwards: requesting www.mywebsite.com/wp-config.php in a browser should return a 403 Forbidden page. Two caveats: Apache’s default configuration already refuses to serve .ht* files, so the second rule is defence in depth; and normally Apache hands wp-config.php to PHP and never sends its contents to the browser, so the first rule protects you when that handler is broken or misconfigured (during a PHP upgrade, say) and the file would otherwise be served as plain text. Neither rule does anything against an attacker who is already executing code on the server.
14. Hide Sensitive Information
Make sure you remove (or at least rename) the readme.html file after you install WordPress. It tells anyone who asks which version of WordPress you are running. Note that WordPress also prints the version in a generator meta tag and in the ?ver= query strings on its scripts and styles, so hiding the readme only helps against the laziest scanners; the real fix is tip 4, keeping the version current so there is nothing to exploit.
Also, if you have created a phpinfo.php or i.php file to check your server’s PHP configuration, delete or rename it. That page lists everything about your server: PHP version, loaded modules, file paths and environment variables.
Furthermore, disable directory indexing. With directory browsing on, attackers can list the contents of any folder that has no index file, such as wp-content/uploads or a plugin directory, and see exactly which versions you run. You don’t need to be tech-savvy to do it. Just open the .htaccess file and add the following line at the end:

Options -Indexes

Afterwards, opening www.mywebsite.com/wp-content/uploads/ in a browser should return 403 Forbidden instead of a file listing.
15. Stay Ahead and Updated
Attackers only need to be ahead once. Most security holes are found by researchers and fixed before they are exploited, but some are found by attackers first, and once a fix is published the race is between your update and their scanner.
Therefore, always keep yourself informed about security news and issues. Follow security companies on Twitter or Facebook, or subscribe to their newsletters.
Krebs on Security is a great blog to keep yourself updated about security issues, and the WordPress.org news blog announces every security release.
Conclusion
Make the guessing game hard for hackers!
You cannot stop hackers from hacking. All you can do is become prepared for the attacks.
The good guys are working hard to protect WordPress from hackers, but mistakes happen.
Always keep a backup of your website, just in case hackers take over your website. Keep the backup in a safe place(s) (multiple places if possible).
Finally, follow all the aforementioned 15 tips for securing a WordPress site. And keep yourself, themes, plugins, and WordPress updated!
May the force be with you.
Hello Raushan. I read many blogs on WordPress security, but this one has some really great tips. Most of the blog posts regarding WordPress security say to change the username, install a plugin, change the default login page URL, etc. But tips like hiding the .htaccess and wp-content.php files and DDoS attack protection are very unique. Thanks for the unique tips.
Nice Post Raushan, I enjoy your blogging, thanks for sharing with us.
Hi Raushan, as I am already a huge fan of yours… and love all your articles; you serve us (the laymen) with in-depth knowledge about the tools and systems we are using but don’t know the story behind.
I also love the straightforward approach of informing us about the affiliate links, so that someone who wants to can buy, with no compulsion. Hats off, sir…. Keep writing and updating us with the vast knowledge you have.
A Good webhost is very very important!
In fact, it is the first and foremost thing one should consider before anything else.
Great Share here