How to Secure Your WordPress Website from Hackers

Website security is often a top concern for WordPress site owners and its visitors. Whilst WordPress rule 26% of all websites across the Internet, hackers target sites due to its popularity in CMS. Well, it does not mean that a site has to be a victim of malicious behaviour often. Whereas no system is hack-proof today, certain measures can prevent your website from getting hacked. Disastrous DDoS attack or brute-force attack is most concerning security threat that needs you to be proactive. Find the simple tricks below to secure your WordPress website-

Step1: Ban users or set up website lockdown

Login Lock Down Plugin

A huge problem can be solved by including failed-login attempts. Repeating attempts using wrong password can lock your website and notify you about the unauthorized activity. At the same time, you can use Login LockDown plugin to solve this problem.

Step2: Use 2-factor authentication

Introducing 2 factor authentication at login page is one of the important security measures. It provides login details for two different components, which are regular password followed by a secret question or set of characters, codes etc. WP Google Authenticator plugin allows website owners to get authentication in just a few clicks.

Step3: Use email as login

Commonly username is used for login. Using email ID instead of username is more secured way. Non-predictability is quite impressing reason behind using email-ID, as email-IDs are unique and make sense as valid identifier for login. WP Email login plugin works well in this matter and requires no configuration at all right after activating it.

Step4: Rename your login URL

Adding only /wp-admin/ or /wp-login.php at the end of your domain name shows you the way to login. Hence, it is highly advised to customize your login page. As, everyone knows this standard WordPress login page URL to access the backend of website and this is what makes the way for face brute force attack. Try to log in with Guess Work Database (GWDb), which is a database of guessed passwords and usernames.

Step5: Go for password adjustment

Keep revolving your website’s password often. Improve your password strength by adding lowercase, uppercase and special characters. Password generator is a useful resource to generate strong password.

Step6: Secure wp-admin directory

It is the heart of WordPress and the entire website can get damaged if it is breached. The owner of the site can enhance the security by using two passwords for login page and WordPress admin area respectively. You can use a plugin named AskApache Password Protect to secure the site. It encrypts the password, configures correct file permissions and automatically generates a .htpasswd file.

Step7: Encrypt data using SSL

Secure Socket Layer (SSL) is a smart move to protect the admin panel. It makes sure that the data transfer between the server and user is difficult to breach. You can easily obtain SSL certification for your web page. It not only secures your site from the hackers but also can help in enhancing your website’s Google ranking.

Step8: Add Users with care

Security threats increase eventually when your website is a multi-author blog where multiple people access your admin panel. In this case, your site is more vulnerable to spoofing and data breach. To minimize threats to your website, you can use a plugin named Force Strong Passwords for the users to make sure that the passwords used by them are secure.

Step9: Change the username

During the time of installation of WordPress provide a different username for the administrator account. Choosing admin as your username might make the job of hackers easy, as the only thing then they need to guess now is password. A plugin named iThemes Security cleverly bans any login attempts with the username admin.

Step10: Keep track of your files

You can never be too careful and safe in the virtual world. Even with strong passwords, your website can be breached by a hacker. To implement extra security, you can keep track of the files with the help of various plugins such as iThemes Security, Wordfence and Acunetix WP Security.

Step11: Change the prefix of WordPress database table

If you have already downloaded WordPress on your computer, you are aware of the wp-table used in the database. Most of the users do not change and save it with the default name. It makes the site prone to SQL injection attacks, to save from any threats use terms such as mynew-, mywp-, etc. In case you have already saved the database with the default prefix, use plugins like iThemes Security or WP-DBManager to increase security.

Step12: Regular site backup is crucial

Even a tightly secured website has chances to improve its security measure. But, it is more important to take off-site backup of everything on your site at regular intervals. Routine and regular backups will help restoring your WordPress website any time, overcoming every problem. Smart and easy-to-use plugins are available that also checks sites for malwares to make your task easier.

Step13: Set strong passwords to safeguard your databases

Secure your databases with strong passwords that are hard to crack. Use a combination of uppercase, lowercase, special charectors and numerals in your password, so that unauthorized access to your WordPress site becomes difficult. As a smart approach, you can use “password generator” for the purpose.

Step14: Carefully preserve the wp-config.php file

All crucial information about your WordPress installation is stored in the wp-config.php file. By safeguarding this file, you protect the base or the foundation of your WordPress blog. Breaching your site’s security becomes difficult for hackers, when its wp-config.php file stays out of their reach. This can be done easily by just moving the file to any level higher than the root directory.

It is possible for the server to access this file, even if you save it at a different location other than the root directory.

Step15: Do not allow file editing

Remember, if a user has access to your WordPress site’s admin, he or she can edit any file related to your WordPress installation, even including the themes and plugins. You never know when a hacker may break into your site’s admin and so, it is better to disallow file editing to safekeep and safeguard your site.

Step16: Make proper connections with the server

While setting up a site, you should always connect the server through SSH or SFTP only. Considering its improved security features, SFTP is a better choice over FTP. Making server connection only through SFTP or SSH ensures secured transmission of all the files.

Step17: Be careful while setting directory permissions

If you are working in a shared hosting environment, you just cannot afford to set a wrong directory permission. The rules of the game are that simple. You should change the file and directory permissions to enhance security of your WordPress site right at the hosting level. Remember, setting all directory permisions to “755” and those of the files to “644” enable you protect the entire file system, including the directories, sub directories and individual files. You can do this manually, through the File Manager in the hosting control panel. Otherwise, it can also be done through the terminal, using “chmod” command.

Step18: Impair your directory listing using .htaccess

When you have not put an index.html file in your newly created directory, you will be surprised to see your visitors getting a complete directory listing with all its content displayed. Take for example, a directory named “data” is created by you and a person can see its content just by typing in the browser. There is no password or security questions required for the purpose. This can be stopped by adding a code line in the .htaccess file, such as “Options All – Indexes”.

Step19: Update regularly to secure your WordPress themes and plugins

No doubt, every other software is updated by its developers from time to time. However, a WordPress website needs more frequent updates. The updates focus on fixing bugs and important security patches. Now, what if you don’t get it updated regularly? It can lead you to serious trouble of getting your site hacked. So, if you are a WordPress product user, make sure to update everything from themes to plugins.

Step20: Discard your WordPress version number

Hackers can reach to your WordPress version number very easily as it is right there on your source page. They can customize an identital view and have a perfect attack at your website. By securing your plugin, you can hide the version number. So, the root point is maintaining proper security of themes and plugins.

For beginners, this was enough information to grasp. The overall information given in this article teaches the ways of securing your WordPress website. This is what you must know as a website owner in order to restrict hackers get an unauthorised access to your account.

28 Feb, 2017


Comment Here