Most website owners hold their websites dear to their hearts. And why shouldn’t they? They spend hours and hours figuring things out, going through different tutorials and articles to make sure that they can provide a great user experience to their visitors. They work hard on putting together the content and images and setting up the plugins and the layout. If you have a website or two on WordPress, don’t forget to take these measures for the security of your website. It would be a nightmare to have to deal with security issues and lose all your content and data if your website got hacked.
WordPress security is one of the most important topics, yet most people neglect it until their website gets hacked. Believe me, letting your website get hacked is not fun at all. Whether or not you have any precious data on your website, everyone should follow these steps to secure their WordPress websites.
1. Use Strong Username and Password
We know this has been said many times, but usernames like ‘admin’ and ‘administrator’ are still widely used, and they are definitely an attacker’s first guess.
WordPress also uses the ‘admin’ username by default for its installation.
Since WordPress 4.3, there is a strong password generator along with a password strength meter which tells you how strong your password is. So make sure you select the strongest possible password.
It is also recommended to change your username from admin to something else and to use strong passwords with symbols, numbers, special characters, etc.
Also avoid using these common passwords.
2. Use Plugins to Prevent Some Common Attacks
Plugins play an important role in preventing popular attacks like brute force, XSS and MITM. A brute-force attack follows a dictionary and tries every possible combination of characters to crack the website’s password, and short passwords are much easier to crack by brute force than long ones.
Below is a list of plugins to prevent these types of attacks on your website.
- Captcha by BestWebSoft (Display captcha to user login/registration/comments)
- Limit Login Attempts (outdated, but still seems to work fine)
- NinjaFirewall (Adds Web application firewall to your website)
- Rublon Account Security: Two-Factor Auth+ (Simple Two factor authentication)
- Use SSL (prevents MITM; use it only if your website takes user input)
- WP Security Audit Log (Keep an eye on WordPress activities)
For most of these features in a single plugin you can use
- iThemes Security
- Wordfence Security (Powerful plugin with a lots of security features)
The best part about Wordfence is that it shows real-time activity within the WP Dashboard and also has a background scan feature which identifies and highlights the security threats on your website. Some of the other premium features are country blocking, a firewall, scheduled scans, etc.
3. Keep WordPress up to Date
Something as simple as updating your WordPress version can have an impact on website security. Whenever a WordPress update is available, make sure you go for it. Most people hesitate to update their WordPress version because they are afraid of losing their custom code and other modifications. However, if you follow best practices when customizing and modifying WordPress core, you will not need to worry about this.
WordPress updates usually come with a lot of new features and important security fixes as well. The people at WordPress are constantly working hard to make WordPress more secure and hack-proof. Each release comes with security patches, performance improvements and other bug fixes. So it is highly recommended that you follow the news and keep up to date.
4. Keep Themes/Plugins up to Date
Just like the WordPress version, your WordPress theme and plugins need to be updated regularly as well. Attackers always target older versions of plugins and themes, and they are far more likely to infect your files if you are running the older versions.
Here you can find a list of most of the vulnerabilities found so far that have also been fixed.
5. Never Use Pirated Themes
Don’t use free, cracked premium plugins or themes. They don’t come from authentic sources, and most likely contain malicious code which could inject a virus into your files or create new files and spread into WordPress core. Even if you have uninstalled them after testing or using them, make sure you install a fresh copy of your WordPress site in a completely separate directory.
6. Disable File Edits
You should disable file editing from the WordPress dashboard, because if an attacker gains access to your dashboard they could inject code into, or erase, the contents of your files.
define( 'DISALLOW_FILE_EDIT', true ); // add this to wp-config.php
Read more about it if you are concerned about disabling this feature.
7. Shared Hosting
If you are using a shared hosting service, then you are probably at the top of the list for attackers, because some shared hosting companies don’t provide sufficient security. The worst thing about shared hosting is that the user accounts are not isolated. There could be a hundred other websites hosted on the same server as yours. If one of those websites gets hacked, all websites on the same server may get infected too. Hackers also use this to their advantage by hosting one of their own websites on these servers and then spreading the infection to the entire server.
So you ask, how does it affect other accounts?
Well, you have separate logins and a cPanel for your hosting account, but you are sharing the same operating system with the other users on the shared hosting package, so if one of those users gets compromised, their malicious code can traverse up the directory tree and spread malware to all the users’ website files.
There is no need to be scared. Just contact your hosting provider and confirm whether they have the security measures in place to counter these issues. Some hosting providers like Bluehost are pretty reliable and secure.
8. File Permissions
Securing your WordPress site with the recommended permissions will help you prevent public (world) users from writing to or executing your files. If you think you are facing a permissions issue, you can set the default WordPress file/folder permissions here.
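As an added example (not from the original article), a small POSIX shell script that applies the commonly recommended WordPress permission layout (755 for directories, 644 for files, 600 for wp-config.php) and then audits the tree for anything still world-writable; the site root path is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not part of the original article. Applies the commonly
# recommended WordPress permission layout and audits for world-writable paths.
# Assumes a POSIX shell with find/chmod; SITE_ROOT is a placeholder path.

# Directories 755, regular files 644, wp-config.php 600 (it holds DB credentials).
wp_harden_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Number of paths under $1 that still carry the world-write bit (o+w).
# A hardened tree should report 0.
wp_count_world_writable() {
    find "$1" -perm -0002 | wc -l | tr -d ' '
}

# List world-writable paths so an administrator can review them one by one.
wp_list_world_writable() {
    find "$1" -perm -0002 -exec ls -ld {} +
}

# Usage: sh harden.sh /path/to/site  (placeholder path)
if [ "${1:-}" ]; then
    SITE_ROOT="$1"
    echo "World-writable before: $(wp_count_world_writable "$SITE_ROOT")"
    wp_list_world_writable "$SITE_ROOT"
    wp_harden_perms "$SITE_ROOT"
    echo "World-writable after:  $(wp_count_world_writable "$SITE_ROOT")"
fi
```

Run the audit function on its own first if you only want to see what is exposed before changing anything.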
9. Auto Update
Automatic background updates were introduced in WordPress 3.7 and are present in every version of WordPress since. Automatic updates are turned on by default in new versions of WordPress. You can also configure them by using
define( 'WP_AUTO_UPDATE_CORE', true ); // in wp-config.php
WP_AUTO_UPDATE_CORE can be defined with one of three values, each producing a different behavior:
- Value of true – Development, minor, and major updates are all enabled
- Value of false – Development, minor, and major updates are all disabled
- Value of minor – Minor updates are enabled; development and major updates are disabled
Note that only sites already running a development version will receive development updates. For other sites, setting true will mean that they only get minor and major updates.
For development sites, the default value is true. For other sites, the default value of
Okay, so that’s it for now. If you think we have missed anything, please share it below in the comments section.