Each month, Google blacklists around 80,000 websites for malware and around 200,000 for phishing.
If you want to keep your website secure, you need to pay attention to WordPress security best practices.
To keep your WordPress site hack free, install at least one reputable security plugin and also implement the other methods discussed below.
In this article, we share the top ten WordPress security tips to help you protect your website against hackers.
1 Install A WordPress Security Plugin
There are many premium and free security plugins available to secure your WordPress installation, and each of them secures your site in a different way.
I know what you want to know: what is the best security plugin?
Well, it's a little complicated.
I would suggest Wordfence and All In One WP Security & Firewall. Both are very popular plugins.
There are other excellent security plugins that offer similar functionality, but these two have never let me down.
Wordfence includes an endpoint firewall and malware scanner.
- In-depth malware scanning, run manually or automatically once per day
- Live traffic display (including bots, crawlers, etc.)
- Firewall that blocks botnet attacks and other common security threats
- Options to repair core WordPress, theme (only if the theme is in the WordPress repository) and plugin files if they have been changed
All In One WP Security & Firewall is a comprehensive WordPress security plugin.
It offers so many features that it's almost impossible to list all of them here. The plugin groups its settings into three categories: Basic, Intermediate and Advanced.
Some of the security features it offers are a firewall, brute force protection, a honeypot field on the registration/login pages, monitoring of failed login attempts, changing file permissions, disabling file editing from the WordPress administration area, a simple math captcha, and so on.
You really need to try this plugin to experience everything yourself.
2 Never Use Nulled Themes & Plugins
Have you ever wondered why so many sites offer premium themes and plugins for free?
Most of the time, nulled themes and plugins include malicious code that can be executed remotely and take over your site before you even realize it.
Such malicious code can also infect your visitors' computers or mobiles, and you will end up risking your brand to save a few dollars.
If you are running an e-commerce store, the code can capture credit card numbers and other sensitive data. Again, not a good thing for your business, and you may face criminal charges.
In the best case, it adds malicious links to boost their SEO at the cost of yours.
3 Backup Your Website Regularly
The most important thing when you manage a website is to ensure that you have a regular backup of it.
By backup, I mean a backup of everything: the database, themes, plugins, media and all other files.
This ensures that if your site gets hacked, you can recover it easily.
When you choose a hosting company, always check whether they offer daily backups for your website(s).
Also check whether these backups are stored offsite (not on your own server); otherwise the backup is often of no use, because there is no guarantee it will not be affected when something goes wrong.
Alternatively, you can use a service such as VaultPress to back up the site yourself.
4 Update Your WordPress Installation
Updating WordPress is more important than you think.
WordPress fixes security flaws with pretty much every release, so not updating your installation is not even an option (sorry boi).
If your website falls behind on these updates, it is only a matter of time before a hacker, or other bad boys (maybe girls), takes advantage of the security flaws those updates fixed.
5 Keep Plugins & Themes Up To Date
Each WordPress plugin and theme you install is a potential threat, as those with vulnerabilities could provide backdoor access to your website's admin area.
This is especially relevant when using popular templates or plugins.
So regularly review the plugins and themes you have installed and consider whether they are necessary.
Also check whether they have been updated recently or are still maintained by the author. If not, you are best off deleting them from your install.
6 Use the Best Hosting You Can Afford
It has been said that 41% of all hacks were due to security flaws on the host's side, so it is important to know that your website is being looked after by the best.
I am most comfortable trusting hosts that specialize in WordPress: when hacks occur they are quick to find the security hole and plug it, since their whole business depends on it!
A managed hosting provider that specializes in WordPress is more likely to include a WP firewall, up-to-date PHP and MySQL, regular malware scanning, a server designed for running WordPress, and a customer service team that knows WordPress inside and out.
7 Hide Authors' Usernames
In a default WordPress installation, anyone (let alone a hacker) can easily find the main admin username by simply adding ?author=1 to the site's URL, for example http://example.com/?author=1.
Once the hacker knows the username, it is just a matter of brute forcing the password.
Many good WordPress hosts hide this by default, but if you are on a shared hosting plan that does not specialize in WordPress, it is unlikely.
You can hide this by adding the following code to your theme's functions.php file.
add_action( 'template_redirect', 'bwp_template_redirect' );
function bwp_template_redirect() {
    // Author archives (reached via ?author=N) expose the login name in the URL,
    // so send the visitor to the homepage instead of rendering them.
    if ( is_author() ) {
        wp_redirect( home_url() );
        exit;
    }
}
This code redirects anyone who requests an author archive to the homepage instead of exposing the username in the URL.
8 Restrict Access To Admin Area Using .htaccess
It is quite easy to restrict access to your administration area by allowing logins only from selected IP addresses. You can do this by creating a separate .htaccess file and uploading it to the /wp-admin/ directory.
Note: Do not edit your root .htaccess file, and don't paste this code in there. It must go in /wp-admin/.htaccess; if you don't see that file, create a blank file named .htaccess in your wp-admin folder.
You can add a single IP:
# No space after the comma: Apache rejects "Deny, Allow"
Order Deny,Allow
Allow from 192.168.5.1
Deny from all
Or multiple IP’s:
Order Deny,Allow
Allow from 192.168.5.1
# 203.0.113.8 is a placeholder; the original "123.456.7.8" is not a valid address (456 exceeds 255)
Allow from 203.0.113.8
Deny from all
Please make sure to change the IP addresses to your own. If you wish to access your website from elsewhere, you will need to log in to your hosting account and alter the .htaccess file.
Some Internet providers assign a dynamic IP address that keeps changing rather than a static one. Make sure you have a static IP address before relying on this method.
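As an added example (not from the original article), the following POSIX shell script builds the /wp-admin/.htaccess allow-list and validates every address before writing it, so a typo like the "123.456.7.8" above is caught instead of silently admitting nobody. It assumes Apache 2.4, where access control is written with Require ip rather than the Order/Allow/Deny directives shown above (those still work on 2.4 only when mod_access_compat is loaded). The admin-ajax.php exception is an assumption about your site: front-end plugins that call that file would otherwise break for ordinary visitors.

```shell
#!/bin/sh
# Added example, not part of the article: generate wp-admin/.htaccess in
# Apache 2.4 syntax from a list of IPv4 addresses, validating each one first.

# Return 0 if $1 is a dotted quad with every octet in 0-255, else 1.
validate_ipv4() {
    _ip="$1"
    # Exactly four groups of 1-3 digits separated by dots, nothing else.
    echo "$_ip" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    _old_ifs="$IFS"; IFS=.
    set -- $_ip          # split into the four octets
    IFS="$_old_ifs"
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Print the .htaccess content admitting only the given addresses.
# If any argument fails validation, print nothing and return 1.
gen_admin_htaccess() {
    for _addr in "$@"; do
        validate_ipv4 "$_addr" || { echo "invalid IPv4 address: $_addr" >&2; return 1; }
    done
    echo "# Apache 2.4 syntax: only these addresses may reach /wp-admin/"
    echo "<RequireAny>"
    for _addr in "$@"; do
        echo "    Require ip $_addr"
    done
    echo "</RequireAny>"
    # Assumption: the site uses admin-ajax.php from the front end, so keep it
    # reachable for everyone; remove this block if it does not.
    echo "<Files admin-ajax.php>"
    echo "    Require all granted"
    echo "</Files>"
}

# Usage: gen_admin_htaccess 192.168.5.1 203.0.113.8 > wp-admin/.htaccess
```

The same 2.4 syntax applies to the other blocks in this article: `Order allow,deny` followed by `Deny from all` becomes `Require all denied`, and `Allow from all` becomes `Require all granted`.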
9 Protect Your wp-config.php File
wp-config.php is the file in your root directory that stores information about your site as well as the database details; you definitely don't want someone gaining access to this file.
You can protect it by again adding code to your .htaccess file, except this time you add it to the .htaccess file in your root directory (public_html/.htaccess):
<Files wp-config.php>
order allow,deny
deny from all
</Files>
So your .htaccess file may look something like this:
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
<Files wp-config.php>
order allow,deny
deny from all
</Files>
10 Limit Login Attempts
Most advanced WordPress hosting providers offer this by default, and there are also a number of good plugins that can help protect you from brute force attacks.
These plugins limit the number of login attempts any user gets, and if they enter the wrong credentials repeatedly (a sure sign of a brute force attack), the IP address or range is blocked for a predetermined amount of time.
The best thing about these plugins is that they keep a record of the IP addresses trying to breach your security, which gives you the option of blocking them indefinitely using .htaccess.
Two popular free plugins that provide this functionality are Login LockDown and Login Security Solution.
If you want to ban IPs indefinitely, add the following code to your .htaccess file (changing the IP addresses to those you wish to block); those visitors will then not be able to view your site.
# Applies to every request method: wrapping this in <Limit GET POST> would
# leave other methods (OPTIONS, PUT, ...) unblocked, so no <Limit> is used.
Order allow,deny
Deny from 202.090.21.1
Deny from 204.090.21.2
Allow from all
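As an added example, not part of the article, here is a small POSIX shell script that gets the same list of offending addresses from the web server's access log instead of a plugin. A POST to wp-login.php that WordPress answers with 200 is a failed login (it re-renders the form), while a successful login is a 302 redirect to the dashboard, so failed POSTs counted per client is a usable signal. The log lines are constructed for this example and the threshold of 3 is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not part of the article: spot brute-force login attempts in
# an Apache combined-format access log and emit .htaccess deny lines.

# Constructed sample log: 203.0.113.45 fails four times, 192.0.2.9 fails
# twice, 198.51.100.7 browses normally and then logs in successfully (302).
SAMPLE_LOG='203.0.113.45 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3491 "-" "python-requests/2.31"
203.0.113.45 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3491 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3491 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3491 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3491 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Oct/2023:13:56:09 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3491 "-" "python-requests/2.31"'

# Read a log on stdin; print "<failed-count> <ip>" for every client with at
# least $1 failed logins, busiest first.  Field layout of the combined format:
# $1 client IP, $6 quoted method, $7 request path, $9 status code.
suspicious_login_ips() {
    awk -v min="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' | sort -rn
}

# Turn that list into lines for the root .htaccess block shown in the article.
deny_lines() {
    awk '{ print "deny from " $2 }'
}

# Usage (a real deployment reads the live log, e.g. /var/log/apache2/access.log,
# instead of SAMPLE_LOG):
#   printf '%s\n' "$SAMPLE_LOG" | suspicious_login_ips 3 | deny_lines
```

Review the list before pasting it into .htaccess: a shared NAT gateway or a legitimate user who forgot a password will show up exactly like an attacker, which is why the plugins mentioned above block for a limited time first.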
11 Limit Access To Your wp-content Folder
Your wp-content folder contains all your website's images, themes and plugins, and it is a good folder to add extra security to. The following snippet lets users view static files such as CSS, images and JavaScript, but blocks direct access to PHP files.
This requires its own .htaccess file in the /wp-content/ directory: create a file called .htaccess and add the following code.
Order deny,allow
Deny from all
<Files ~ ".(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
12 Protect Your .htaccess File
.htaccess is one of the most important files on an Apache-based server.
Hackers who can change this file can control pretty much the whole server. We have used it above to close several holes and protect the server and the WordPress site,
so it makes sense to protect the file itself so that it cannot be tampered with.
This snippet stops anyone from viewing any file on your site whose extension starts with .hta; this guards the .htaccess file and makes it somewhat safer.
<Files ~ "^.*\.([Hh][Tt][Aa])">
# No space after the comma: Apache rejects "allow, deny"
Order allow,deny
Deny from all
Satisfy all
</Files>
You can insert your code either before # BEGIN WordPress or after # END WordPress. This ensures that future WordPress updates can still update the code within those markers.
The above code must be placed in the top-level .htaccess file in your root directory.
Make sure you make a copy of your current .htaccess file before implementing any changes.
13 Hosting File Permissions
On computer filesystems, files and directories have permissions that specify who and what can read, write, modify and access them. This matters because WordPress needs write access to files in your wp-content directory for certain functions.
If you manage your own hosting, always make sure to set your file permissions properly.
WordPress and security experts always suggest that you avoid configuring directories with 777 permissions and opt for 755 or, preferably, 750.
While you're at it, set files to 640 or 644 and wp-config.php to 600.
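As an added example (not from the article), a POSIX shell function that applies exactly these permissions to a WordPress root, plus a second function that counts what is still world-writable so you can verify the result. The path argument and the choice of 755/644 over the stricter 750/640 are assumptions; pick the stricter values when the web server process runs under the file owner's group. File ownership (chown) is left to your hosting setup.

```shell
#!/bin/sh
# Added example, not part of the article: set the permissions the article
# recommends on a WordPress tree and report anything still world-writable.

# harden_wp_perms <wordpress-root>
#   directories 755, files 644, wp-config.php 600.  Returns 1 if the path
#   is not a directory so a mistyped argument cannot chmod the wrong tree.
harden_wp_perms() {
    _root="$1"
    [ -n "$_root" ] && [ -d "$_root" ] || { echo "no such directory: $_root" >&2; return 1; }
    find "$_root" -type d -exec chmod 755 {} +
    find "$_root" -type f -exec chmod 644 {} +
    # wp-config.php holds the database credentials: owner read/write only.
    if [ -f "$_root/wp-config.php" ]; then
        chmod 600 "$_root/wp-config.php"
    fi
    return 0
}

# count_world_writable <path>
#   Prints how many entries under <path> are writable by "other" (the 777
#   situation the article warns about); 0 means the tree is clean.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Usage:
#   harden_wp_perms /var/www/html     # path is an assumption, adjust to yours
#   count_world_writable /var/www/html
```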
Conclusion
It is messy to sort out websites that have been hacked, and believe me, you don't want to risk your reputation by infecting your visitors' computers with malware; the backlash can be more than your business can handle.