How to make WordPress Secure

How to secure your WordPress Website


WordPress has become the content management system of choice for blogging and non-blogging websites alike. It has a clean interface and is easy to use: adding posts, pages and images is quick work. It also ships with sensible security defaults, but those defaults on their own do not keep attackers out.

Although WordPress is mature software used by well-known organisations such as Facebook, NASA, Mozilla and eBay, WordPress sites are among the most frequently compromised on the web. That is less a verdict on the core code than a consequence of its popularity: an enormous install base, thousands of third-party plugins and themes of varying quality, and many sites that are never updated make WordPress the target that automated attack tools are built for.

A determined attacker will often find a way in, and the result is ugly: you visit your site and find a defacement message, your content is gone, you cannot reach the dashboard, and your host may take the site offline. Most compromises, though, are not the work of determined attackers at all but of automated scanners picking off the easy cases.

The good news is that there are several measures you can take to protect a WordPress site. Here are the ways to make your site or blog a much harder target.

  1. Set up Google Search Console (Webmaster Tools)

    Setting up Google Search Console is a useful early-warning system. If Google detects that your site has been compromised it warns you and lists sample URLs on which it found the malicious content. This only tells you after the fact, so it is no substitute for the preventive measures below, but once you have cleaned the site you can submit a reconsideration request through the "Security Issues" section to have the warning removed.


  2. Add a new user account

    Create a new administrator account with a different username and delete the default "admin" account. Brute-force tools try "admin" first, so an install that still uses it hands the attacker half of the credential pair for free.
    This alone is not enough: usernames can be recovered easily from author pages and elsewhere (see the nickname step below), so the account also needs a strong password.
    Give the new account the Administrator role. When you delete the old "admin" user, WordPress asks what to do with its content; choose "Attribute all content to" the new account so that no posts are lost.


  3. Choose a secure password

    Your password has to be hard to guess and hard to crack. Length matters more than anything else: treat eight characters as the absolute floor and aim for twelve or more, for example a passphrase of several unrelated words. Short passwords are easier to remember, and for exactly that reason they are easy to break by brute force.

    Mix letters, numerals and symbols rather than using an all-numeric or all-alphabetic password, which dictionary and pattern attacks crack quickly. A password manager makes long random passwords practical.

    Never reuse a password across accounts; a breach of one site is otherwise a breach of all of them. Change the WordPress password immediately if you suspect it has leaked. Changing it on a calendar schedule matters far less than making it long and unique.


  4. Avoid exposing your username by setting a nickname

    Never use your login name as your public author name: that gives an attacker half of the credential pair. Set a different nickname under Users -> Your Profile ("Nickname" field) and select it as "Display name publicly as". Be aware that this hides the login name only in the byline. The author archive URL (reached by requesting ?author=1) still contains the user's slug, which by default equals the login name, and the REST API endpoint /wp-json/wp/v2/users lists users who have published content. Treat the username as effectively public and put the real protection into the password and into login rate limiting.

  5. Restrict the login page by IP address

    If you and your editors always connect from fixed addresses, restrict wp-login.php to those addresses and deny everyone else. Include xmlrpc.php as well, because it accepts credentials too. Use your public IP addresses: the 192.0.2.x addresses below are placeholders, and 192.168.x.x addresses are private and are never what the server sees from the internet. Behind a CDN or reverse proxy the server sees the proxy's address unless mod_remoteip is configured, so test the rule before relying on it.

    ## Restrict the WordPress login endpoints to your own IPs ##
    ## 192.0.2.10 and 192.0.2.11 are placeholders: use your public addresses ##
    <FilesMatch "^(wp-login|xmlrpc)\.php$">
        <IfModule mod_authz_core.c>
            # Apache 2.4
            Require ip 192.0.2.10 192.0.2.11
        </IfModule>
        <IfModule !mod_authz_core.c>
            # Apache 2.2
            Order deny,allow
            Deny from all
            Allow from 192.0.2.10 192.0.2.11
        </IfModule>
    </FilesMatch>

    This does not work for people on dynamic or mobile connections; in that case rely on strong passwords and login rate limiting instead.
    
  6. Move the login page

    A default installation logs in through wp-admin and wp-login.php, so every scanner knows where to post credentials. Plugins such as HC Custom WP Admin URL let you serve the login form from a different path, for example domain.com/newloginpage. This cuts the noise from automated attacks but it is obscurity, not authentication: a scanner aimed at your site specifically can still find the page, so treat it as a supplement to strong passwords and rate limiting.

  7. Limit login attempts on your site

    Out of the box WordPress allows unlimited failed logins, which is exactly what a password-guessing tool needs. Limiting attempts locks an address out after a set number of failures, slows the attack to a crawl and notifies you, so you can block the offending address permanently.

    The "Limit Login Attempts" plugin does this; "BruteProtect" is an alternative that identifies and blocks attacking IPs. Two caveats: if the site sits behind a proxy or CDN the plugin must be configured to read the real client address from the forwarded header, or it will lock out the proxy itself; and attackers who use many addresses, or spread attempts out over hours, stay under a per-IP, per-window threshold. That is why xmlrpc.php should be locked down as well and the server logs reviewed.

  8. Block bots from accessing your login information

    Attackers typing at a keyboard are not the only unwelcome visitors. Automated crawlers probe your site around the clock, and many of them exist only to find known vulnerabilities or try stolen credentials. Blocking them is harder than blocking a single attacker, because the addresses and user agents change constantly, but the login rate limiting and IP restriction above and the request filtering rules later in this list remove most of the automated traffic.

  9. Do not allow guest accounts on your site

    Some sites let guest users submit posts, which requires open user registration: registered users log in and use the admin area to submit their content. Open registration is discouraged, because every extra account is another password to be guessed and another user who can exploit a privilege-escalation bug in a plugin. Make sure "Anyone can register" under Settings -> General is disabled. If you do need registration, keep "New User Default Role" at Subscriber and grant higher roles by hand.

  10. Disable pings

    Many bloggers use trackbacks and pingbacks to be notified when someone links to a post. Pingbacks, however, arrive through xmlrpc.php, and the pingback.ping method can be abused to make your server send requests to a third party, so WordPress sites have been used as reflectors in distributed denial-of-service (DDoS) attacks. Disabling "Allow link notifications from other blogs" under Settings -> Discussion only applies to new posts and does not remove the XML-RPC method itself. If nothing you use needs XML-RPC (some clients such as the mobile app and Jetpack rely on it), deny access to xmlrpc.php in .htaccess in the same way as the sensitive files later in this list, or remove pingback.ping with the xmlrpc_methods filter.

  11. Harness the power of WordPress security plugins

    Several plugins bundle many of the measures on this list and give site owners some peace of mind. Better WP Security (since renamed iThemes Security), for instance, hides information that helps an attacker, such as the login error messages that reveal whether a username exists, enforces strong passwords, runs regular scans and blocks bot traffic.

    Install plugins only from trusted sources such as the official plugin directory. Plugins vary greatly in quality: many are written by individual developers, some are excellent and some are not worth the money. A security plugin is itself code exposed to attackers, so check when it was last updated before relying on it.

    Here are a few plugins which can improve your websites security.

  12. Keep your WordPress updated

    The main reason WordPress sites get hacked is that their owners do not apply updates. Older versions have publicly known vulnerabilities, and once a fix is released the details are public too, so unpatched sites are picked off by automated scanners within days. Updates fix bugs and add features as well as closing security holes, and the same applies to themes and plugins, which is where most WordPress vulnerabilities are found.

    Many people hesitate because an update can break something, for example a theme that depends on removed functionality. Those risks are real but manageable: take a backup first, test on a staging copy if you can, and leave the automatic minor-release updates enabled. The security of the site matters more than the theme.


  13. Beware of malicious plugins or themes

    Some plugins and themes contain malicious or buggy code, and the malicious parts are usually obfuscated (encoded and run through eval-style calls) so they are not obvious on inspection. Download from trusted sources only. Never install pirated ("nulled") plugins or themes, and avoid free themes that do not come from the official WordPress theme directory. A malicious theme or plugin can inject hidden spam links into your pages, create backdoor accounts, or steal login details and hand over the whole site.

  14. Back up your site

    An attacker who is determined enough will get in. A 16-year-old from London broke into American military systems and a 15-year-old got into NASA computers, so if you think your site is not worth the effort, think again.

    A backup does not stop an attack, but it is what lets you recover from one: if the site is hacked and wiped clean you can restore it. Back up the media uploads, plugins, theme files and the database, keep the copies off the server, and test a restore before you need one.

    Never leave a backup inside the public_html folder, and certainly not under an obvious name such as backup.zip. The archive contains wp-config.php with your database credentials and authentication salts, so anyone who can download it can take over the site.


  15. Use secure hosting

    Choose a host that treats security as a priority: one that keeps the server software and PHP current, isolates customer accounts from each other on shared servers, and responds quickly to incidents. Avoid free hosting packages; they do not have the budget for security. Paying more is no guarantee either, so it is your responsibility to find a host that takes the security of your site seriously.

  16. Hide indexes

    Make sure directory listings are disabled. When the web server lists directory contents, anyone can read the names and versions of your plugins and themes (for example under wp-content/plugins/) and look for ones with known vulnerabilities. On Apache, or any server that honours .htaccess files, a single Options -Indexes line does it; the line is included in the sensitive-files rules below.

  17. Report vulnerabilities and bugs

    If you find a security vulnerability in WordPress itself, send a detailed report to the WordPress security team at security@wordpress.org rather than publishing it. For a vulnerability in a plugin or theme, report it to its author.

  18. Delete old plugins and themes

    Delete every theme and plugin you are not using, especially ones that are no longer maintained. Deactivating is not enough: a deactivated plugin is still PHP code on disk that can be requested directly and exploited. A lean site is also much easier for a security specialist to investigate if it is ever compromised.


  19. Disable file editing through the WordPress admin

    By default an administrator can edit theme and plugin files from Appearance -> Editor and Plugins -> Editor. If an attacker gets hold of an administrator session, that editor is the quickest way to plant a backdoor in your PHP files. Disable it by adding the line below to wp-config.php. The related DISALLOW_FILE_MODS constant also blocks installing and updating plugins and themes through the dashboard, which is appropriate if you deploy code some other way.

    define( 'DISALLOW_FILE_EDIT', true );
    
  20. Sensitive files

    By default WordPress prints its version number into the page source, which looks like this:

    <meta name="generator" content="WordPress 4.0.1" />

    You can remove it by adding the code below to your theme's functions.php file (the the_generator filter also covers the version string in feeds):

    // Remove the WordPress version from the generator tag and from feeds
    function remove_version() {
        return '';
    }
    add_filter( 'the_generator', 'remove_version' );

    This only reduces the noise from scanners: the version is also visible in readme.html and in the ?ver= parameters on core scripts and styles, and a site that is kept updated has nothing to hide anyway. More useful is to block direct requests for files that expose version or configuration data, since an attacker who knows the exact WordPress or plugin version can go straight to a matching public exploit. Together with the directory listing setting, add the following to the .htaccess file in the site root (fantastico_fileslist.txt and fantversion.php are left behind by the Fantastico installer):

    # Directory listings off. Do not use "Options All", which also turns on Includes and ExecCGI.
    Options -Indexes

    # Deny direct requests for files that leak version or configuration data.
    # Apache 2.4 uses Require; the Order/Deny pair is the 2.2 equivalent.
    <FilesMatch "^(\.htaccess|readme\.html|license\.txt|install\.php|wp-config\.php|error_log|fantastico_fileslist\.txt|fantversion\.php)$">
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </FilesMatch>

    Apache already refuses to serve .htaccess, and wp-config.php is executed rather than shown as long as PHP handling works, but the rules cost nothing and protect you if that handling ever breaks. If your host does not allow Options in .htaccess, the Options line causes a 500 error; remove it and ask the host to disable listings instead.
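    A quick way to verify that the rules above (and the nickname step) actually took effect is to request the exposed paths from outside. The script below is an added example, not code from the original post; it assumes the standard WordPress paths (readme.html, ?author=1, /wp-json/wp/v2/users) and takes a fetch callable so it can also be run offline against canned responses.

```python
"""Check a site for the version and username leaks discussed in the nickname
and sensitive-files steps.

Added example, not code from the original post. It assumes the standard
WordPress paths and takes a `fetch` callable so it can run offline.
"""
import json
import re
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

SENSITIVE_FILES = ["readme.html", "license.txt", "wp-config.php", ".htaccess", "error_log"]


def http_fetch(url, timeout=10):
    """GET `url`; return (status, final_url_after_redirects, body_text)."""
    req = Request(url, headers={"User-Agent": "wp-exposure-audit/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl(), resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, url, ""
    except URLError:
        return None, url, ""


def audit(base_url, fetch=http_fetch):
    """Return a list of (category, message) findings; an empty list means nothing exposed."""
    base = base_url.rstrip("/")
    findings = []

    # generator meta tag on the front page
    _, _, body = fetch(base + "/")
    m = re.search(r'<meta name="generator" content="WordPress ([\d.]+)"', body or "")
    if m:
        findings.append(("version", f"generator tag reveals WordPress {m.group(1)}"))

    # files that the .htaccess rules are meant to block
    for name in SENSITIVE_FILES:
        status, _, body = fetch(f"{base}/{name}")
        if status == 200:
            findings.append(("file", f"{name} is readable (HTTP 200)"))
            if name == "readme.html":
                vm = re.search(r"Version\s+([\d.]+)", body or "")
                if vm:
                    findings.append(("version", f"readme.html reveals WordPress {vm.group(1)}"))

    # the author archive redirect exposes the user slug (by default the login name)
    _, final_url, _ = fetch(f"{base}/?author=1")
    am = re.search(r"/author/([^/?#]+)", final_url or "")
    if am:
        findings.append(("user", f"?author=1 redirects to author slug '{am.group(1)}'"))

    # the REST API lists users who have published content
    status, _, body = fetch(f"{base}/wp-json/wp/v2/users")
    if status == 200:
        try:
            slugs = [u["slug"] for u in json.loads(body) if isinstance(u, dict) and "slug" in u]
        except ValueError:
            slugs = []
        if slugs:
            findings.append(("user", "REST API lists user slugs: " + ", ".join(slugs)))
    return findings


if __name__ == "__main__":
    import sys
    for category, message in audit(sys.argv[1]):
        print(f"[{category}] {message}")
```

    Run it as `python audit.py https://your-site.example` from a machine outside your allow-listed IPs, so that the result reflects what an anonymous visitor sees.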
    
  21. Remove spammy query strings

    Referrer spammers and scanners sometimes append their own query strings to your URLs. If your logs show the same junk parameters over and over, you can strip them with a redirect: the rule below matches the query string against a list of markers and sends the visitor to the same path with the query removed. Replace the placeholder alternatives with the strings you actually see, and keep the list narrow, because a broad match breaks legitimate WordPress parameters such as ?s= and ?p=. Returning 403 instead of redirecting is equally valid and cheaper.

    <IfModule mod_rewrite.c>
    RewriteEngine On
    # Replace the alternatives with the exact junk parameters you see in your logs
    RewriteCond %{QUERY_STRING} (enter|separated|query|strings|here) [NC]
    RewriteRule ^(.*)$ /$1? [R=301,L]
    </IfModule>
    
  22. Protect from spam bots

    Comment spam bots usually post straight to wp-comments-post.php without ever loading the page, so they arrive with no Referer header from your site, or with no User-Agent at all. The rules below return 403 Forbidden for such posts; replace yourwebsite.com with your domain. This stops only the laziest bots, since a Referer header is trivial to forge, and some privacy-focused browsers strip it, so keep a spam filter such as Akismet as the main defence.

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} ^/wp-comments-post\.php$
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourwebsite\.com/ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* - [F,L]
    </IfModule>
    
  23. SQL injection

    SQL injection is one of the most common ways websites are compromised, and it cannot be fixed from .htaccess. Injection happens when application code splices user input into a query; the fix is parameterised queries, which WordPress core uses through $wpdb->prepare(). Injection bugs on WordPress sites live almost entirely in plugins and themes, so the real defence is keeping them updated and deleting the ones you do not use. Request filtering in .htaccess can at best cut down scanner noise, and it has to be done carefully: keyword blocklists that match words such as "select", "union" or "request" reject legitimate searches and miss any payload that is spelled or encoded differently, and a rule that exempts requests carrying a wordpress_logged_in cookie is bypassed by simply sending such a cookie. The trimmed rule set below refuses two debugging HTTP methods and a handful of signatures that never appear in legitimate WordPress query strings.

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    # Debugging methods that nothing on a WordPress site needs
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]
    RewriteRule ^ - [F,L]
    # Signatures that are never legitimate in a WordPress query string
    RewriteCond %{QUERY_STRING} \.\./ [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)script [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%5B) [NC,OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%5B) [NC]
    RewriteRule ^ - [F,L]
    </IfModule>
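    To see why the filtering approach fails and parameterisation works, here is an added example that is not code from the original post or from WordPress. An in-memory SQLite table stands in for wp_posts with constructed rows; the vulnerable query is the kind of mistake found in plugins, the safe one does what $wpdb->prepare() does, and the last function applies the keyword list often used in .htaccess injection rules (request|select|insert|union|declare) to a raw query string.

```python
"""Why .htaccess keyword filtering is not a SQL injection defence.

Added example, not code from the original post or from WordPress. The table
stands in for wp_posts with constructed rows.
"""
import re
import sqlite3


def make_db():
    """In-memory stand-in for wp_posts with one public and two private posts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_status TEXT)")
    db.executemany(
        "INSERT INTO wp_posts (post_title, post_status) VALUES (?, ?)",
        [("Hello world", "publish"), ("Q3 revenue draft", "private"), ("Board minutes", "private")],
    )
    return db


def search_vulnerable(db, term):
    """The bug: user input is spliced into the SQL text, so it can change the query."""
    sql = ("SELECT post_title FROM wp_posts WHERE post_status = 'publish' "
           f"AND post_title LIKE '%{term}%'")
    return [row[0] for row in db.execute(sql)]


def search_safe(db, term):
    """The fix: the term is bound as a parameter and can only ever be data."""
    sql = "SELECT post_title FROM wp_posts WHERE post_status = 'publish' AND post_title LIKE ?"
    return [row[0] for row in db.execute(sql, (f"%{term}%",))]


# A keyword list of the kind used in .htaccess "anti-injection" rules, applied to the raw query string.
KEYWORD_BLOCKLIST = re.compile(r"request|select|insert|union|declare", re.IGNORECASE)


def keyword_filter_blocks(query_string):
    """True if an .htaccess-style keyword rule would reject this query string."""
    return KEYWORD_BLOCKLIST.search(query_string) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "%' OR 1=1 --"   # closes the LIKE literal, then comments out the rest of the query
    print("vulnerable:", search_vulnerable(db, payload))   # leaks the private posts
    print("safe:      ", search_safe(db, payload))          # returns nothing
    print("filter blocks the payload?", keyword_filter_blocks("s=%25%27%20OR%201%3D1%20--"))  # False
    print("filter blocks 'union station'?", keyword_filter_blocks("s=union+station"))         # True
```

    The payload contains none of the blocklisted words and sails through the filter, while an innocent search for "union station" is rejected; the parameterised query is unaffected by either.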
    
  24. Monitor your server and login logs

    Keep an eye on who is visiting your site and what they do. Is a visitor a search-engine crawler, an attack bot or a person? The web server access log shows it: bursts of POST requests to wp-login.php or xmlrpc.php from one address are a password-guessing attack, runs of 404s for files such as wp-config.php.bak or plugin readme files are a vulnerability scan, and successful logins from unexpected countries deserve a closer look.
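    The detection described here, and the per-window limit that the login-attempts step relies on, can be run over the access log directly. The script below is an added example, not code from the original post or from any plugin it names; it assumes the Apache/Nginx "combined" log format, and the log lines in it are constructed samples. The slow attacker in the sample shows the caveat: twelve guesses spread over an hour never trip a five-minute threshold.

```python
"""Detect password-guessing against wp-login.php / xmlrpc.php in an access log.

Added example, not code from the original post or from the plugins it names.
Assumes the Apache/Nginx "combined" log format; the log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, threshold=10, window_seconds=300):
    """Map IP -> peak number of login POSTs inside any window of `window_seconds`,
    for IPs whose peak reaches `threshold`."""
    window = timedelta(seconds=window_seconds)
    posts = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["method"] == "POST" and ev["path"] in LOGIN_PATHS:
            posts[ev["ip"]].append(ev["ts"])
    offenders = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                offenders[ip] = max(offenders.get(ip, 0), count)
    return offenders


def log_line(ip, ts, method, path, status, ua="Mozilla/5.0"):
    """Format one constructed combined-format log line."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


_T0 = datetime(2014, 10, 10, 13, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # fast guessing: 12 POSTs in under two minutes (a failed login returns 200 with the form)
    [log_line("203.0.113.7", _T0 + timedelta(seconds=10 * i), "POST", "/wp-login.php", 200)
     for i in range(12)]
    # slow guessing: 12 POSTs to xmlrpc.php, one every six minutes
    + [log_line("203.0.113.9", _T0 + timedelta(minutes=6 * i), "POST", "/xmlrpc.php", 200)
       for i in range(12)]
    # a real editor: loads the form, mistypes once, then logs in (302 to wp-admin)
    + [log_line("198.51.100.4", _T0 + timedelta(seconds=30), "GET", "/wp-login.php", 200),
       log_line("198.51.100.4", _T0 + timedelta(seconds=45), "POST", "/wp-login.php", 200),
       log_line("198.51.100.4", _T0 + timedelta(seconds=70), "POST", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 302),
       log_line("198.51.100.4", _T0 + timedelta(seconds=71), "GET", "/wp-admin/", 200),
       "this line is not in combined format and is ignored"]
)


if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} login POSTs within 5 minutes")
```

    On a real server feed it `open("/var/log/apache2/access.log")` instead of SAMPLE_LOG. The slow attacker only shows up when the window is widened to hours, which is the argument for a long lockout window and for reviewing logs by hand rather than trusting a single threshold.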

  25. Monitor your file changes

    An attacker who gets in modifies or adds PHP files, so a change to a file you did not touch is the clearest sign of compromise. The CodeGuard service emails you whenever your WordPress files change and lets you roll the changes back. Whatever tool you use, the comparison baseline must live off the server: an attacker who can write to the web root can also rewrite a baseline kept there.
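    The same baseline-and-compare idea can be done with a short script and a cron job. The code below is an added example, not CodeGuard's code; its demo() function builds a constructed throwaway tree, while snapshot() and the baseline functions are what you would point at the real document root (the paths are assumptions).

```python
"""Baseline-and-diff file integrity check for a WordPress document root.

Added example, not the CodeGuard plugin's code. demo() builds a constructed
throwaway tree; point snapshot() at your real web root and keep the baseline
file somewhere outside it.
"""
import hashlib
import json
import os
import shutil
import tempfile


def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # record what is in the tree, not link targets
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Return sorted lists of added, removed and modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def save_baseline(digests, path):
    with open(path, "w") as fh:
        json.dump(digests, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed tree: take a baseline, then mimic a compromise and report the diff."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "wp-includes"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php require __DIR__ . '/wp-blog-header.php';\n")
        with open(os.path.join(root, "wp-includes", "version.php"), "w") as fh:
            fh.write("<?php $wp_version = '4.0.1';\n")
        baseline = snapshot(root)
        # an attacker appends code to a core file, drops a new file and deletes one
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("// injected line\n")
        with open(os.path.join(root, "wp-includes", "cache.php"), "w") as fh:
            fh.write("<?php // dropped by attacker\n")
        os.remove(os.path.join(root, "wp-includes", "version.php"))
        return diff_snapshots(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    In use: run `save_baseline(snapshot("/var/www/html"), "/root/wp-baseline.json")` after a clean deploy, and have cron run the diff against `load_baseline(...)` and mail you anything that is not empty. Expect wp-content/uploads and cache directories to change constantly; exclude them or baseline them separately.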

  26. Wi-Fi and hotspots

    Avoid logging into your site over public Wi-Fi or hotspots. The risk there is not so much malware on your laptop as someone on the same network reading or tampering with your traffic, which a firewall or antivirus does not address. Serve the dashboard over HTTPS (set FORCE_SSL_ADMIN to true in wp-config.php once a certificate is in place) so that credentials and session cookies are encrypted in transit, and use a VPN on networks you do not trust.


  27. Change your password periodically

    Changing the password every 3 to 6 months is a reasonable habit, but it matters less than length and uniqueness. What matters most is changing it immediately after any suspected compromise, together with the authentication keys and salts in wp-config.php, which invalidates every existing login session.

    If your site is already compromised, you can contact sucuri.net and ask them to scan it for malware. They will also clean the site for a fee; see sucuri.net for details.


Final Thoughts

Do not assume that the chance of being attacked is low; it happens more often than you think. The 27 steps above are not the only security measures to consider, and even with all of them in place you are never completely protected, but they should be enough to make your site a far harder target than the average WordPress install.

  • John Rueth

    Hi Shounak, awesome post! I started using WordPress in 2009 and have already had half a dozen attacks and hacks on my websites – that would not have been the case by following the steps here :D Another good thing I find is to protect the admin area additionally via .htaccess
