Many people ofthen refere to WordPress as unsafe… i do not agree with this since in my opinion it is all up to the user in what degree your WordPress website is safe. The process of keeping your WordPress website safe is like adding reinforcements to your castle. It’s all about bolstering the gates and putting lookouts on every tower.
To start of did you know that 73% of the popular sites that use WordPress are vulnerable? And that of the top 10 most vulnerable plugins 5 of them were available for purchase…
In this articel I will start of with some basic improvements and lateron go more in depth on how to make your wordpress website secure.
Something so simple can have a big impact on site security. Whenever you login to the dashboard and see that “Update available” banner, click it and update your site. If you’re worried about something breaking, make a backup before installing it. The important thing is that you do it, and with regularity. Information about any security holes that were fixed from the previous version are now available to the public, which means an out of date site is all the more vulnerable.
Just as you update the WordPress Core regularly, you should also update plugins and themes. Each plugin and theme installed on your site is like a backdoor into your site’s admin. Unless properly secured (vetted thoroughly, updated regularly, etc), plugins and themes are like an open door to your personal info.
Along the same line of thinking as what’s listed above, getting rid of any plugins or themes you don’t need will reduce the likelihood of being hacked. If you’re not using them, you’re not going to want to update them, so it’s a much better idea to delete them. Read: Deactivating plugins isn’t enough; you must actually click “Delete.”
When you can, downloading plugins and themes from WordPress.org is actually your best bet since they will have been thoroughly scanned before being admissible to the Theme Directory or Plugin Directory. If you want a premium theme or plugin, only download them from reputable sources like Themeforest or from a highly respected developer’s website.
Avoid configuring directories with 777 permissions. You should opt for 755 or 750, instead, according to WordPress.org. While you’re at it, set files to 640 or 644 and wp-config.php to 600.
If you’ve already installed WordPress using “admin” as your username or something else very simple, you can change it by inputing an SQL query in PHPMyAdmin or by following the instructions laid out in our latest post on the subject.
It’s all fine and well if you create a good username and password but if your users don’t, your personal efforts won’t matter and your site will be just as vulnerable.
A really good way to prevent brute force attacks is to set up two-step authentication. This means a password is required plus an authorization code that is sent to your phone in order to login to your site. Often, the second login code is sent via SMS. Several plugins can be used to add this feature including Clef, Google Authenticator, and Duo Two-Factor Authentication.
It’s one extra step, yes, but easy to do. And once installed offers another layer of protection from hackers and security breaches. A few firewall software providers to check out include Comodo, Norton Internet Security, and ZoneAlarm Free Firewall.
The brute force attack is tactic #1 for hackers. If you let them, they’ll try to login to your site over and over again until they crack your password. That’s why it’s called “brute force” because the onslaught is relentless. However, there are plugins that allow you to limit the number of times a person from a specific IP can attempt to login within an allotted period of time. The user is restricted from attempting to login again for a given period of time. Login LockDown is great for offering this feature but other plugins that offer a whole set of security features often include login limiting like iThemes Security and Sucuri Security.
Sometimes site security is run through the wringer because of something very simple: granting too many people access. A good rule of thumb is to only grant access to those who absolutely need it and even then, only give them the bare minimum of permissions to complete their assigned tasks. Giving all of your contributors administrative permissions is just asking for trouble.
I don’t just mean every once in a while. I mean predictably on a schedule. Scheduled backups are an essential part of any site’s security strategy because it ensures that if your site is compromised, you’ll be able to restore it to a version prior to the damage with ease. Choose an automated solution like VaultPress, BlogVault, BackupBuddy, or WordPress Backup to Dropbox for simple backups and with built-in restore options.
Just as you install an antivirus software on your computer to check for malware, so too should you install a scanner on WordPress. A security scanner will check for malicious code in your plugins, core files, and plugins to ensure nothing has been tampered with. Several scanners exist that you may wish to consider including Sucuri Sitecheck, CodeGuard, Theme Authenticity Checker, and AntiVirus.
If you’re into WordPress security at all, you’ve heard of the .htaccess file before and have likely accessed it. Still, the changes you make in this one file can have such a huge impact on your entire site’s security, I can’t leave it off the list.
Why is this file so important? It’s at the heart of WordPress and directly affects how your site structures permalinks and how it handles security. You can insert many different code snippets into the .htaccess file anywhere outside the #BEGIN WordPress and #END WordPress tags to modify what files are visible within your site’s directory. These snippets are sourced directly from the WordPress Codex.
For starters, you’ll want to hide wp-config.php because it’s a central hub for your site and includes your personal info and many other details related to security. Hide it by adding this bit of code to .htaccess:
You can also restrict admin access by creating a new .htaccess file and uploading it to the wp-admin directory. You’ll then insert the following code:
Insert your own IP address in the appropriate spot. You can allow access to wp-admin from multiple IP addresses by listing them out as allow from IP Address, each on a new line.
You can restrict access to wp-login.php in much the same way. Just add the following code into .htaccess:
If you don’t want to block every IP but your own and instead wish to just block specific people attempting to access wp-admin or wp-login.php, you can do so by blocking those IP addresses individually using this bit of code:
Another way to prevent people from viewing your site’s directories is to make them non-browsable. This simple bit of code will do the trick:
There are many other ways to modify .htaccess to heighten your site’s security as well—we’ve written on them extensively here—but these are just a few of the more important ones you should implement.
If WordPress defaults are left intact, it’s really easy to find out each author’s username for your site. And since more often than not the main author of a site is also the administrator, it’s also easy to find out the admin’s username. Which isn’t good. Anytime you’re giving away info to hackers, you run the risk of seeing your site compromised.
According to DreamHost, it’s a good idea to hide the author’s username to ensure you aren’t making the hacker’s job easier. To do this, all you need to do is add some code to your site. Once inserted, this code will make it so when someone inputs ?author=1 after your main URL, they won’t be presented with the administrator’s information and will instead be sent back to your homepage.
Just copy and paste the following into your functions.php file:
If you have many users on your site, it might be a good idea to keep track of what they’re doing on your dashboard. Not that you suspect them of any wrongdoing, but sometimes when you have a lot of people involved in your site, a simple misstep can cause something to break. That’s why logging dashboard activity is so useful – it allows you to retrace your user’s steps up to the point of site breakage. You can even retrace your own steps.
This is also great for security because it allows you to connect the dots between a specific action and a specific reaction. So, if a certain uploaded file caused your site to break, you can investigate it further to see if it contained malicious code.
Yes, WordPress logs this information automatically but it’s not easy to use. It’s a much better idea to use a plugin to organize all of that data. So you can see if installing a certain plugin, making a specific code change, or uploading a file caused the issue you’re dealing with. But even if you’re not handling a site issue, being able to see what your users are doing on your site at all times can offer some peace of mind.
According to Pagely, a good plugin to check out is < href=”https://wordpress.org/plugins/wp-security-audit-log/” target=”blank”>WP Security Audit Log. This free plugin maintains a log of everything that happens on your site’s backend, so you can easily view both what users and hackers are doing. This plugin keeps track of everything from when a new user is created to file management to published post changes.
If that plugin doesn’t do it for you, there are others available including Activity Log and Simple History that are well worth checking out.
Though security that focuses on obscurity isn’t complete, it’s still an important part of your overall strategy. After all, hiding certain elements of your site won’t prevent hackers from accessing them, but it’ll make it harder for them to get to. And that’s good, right?
Relocating or renaming your login page is a quick way to make a hacker’s job harder. Brute force attacks are typically automated, so if your login page is anything different than www.websitename.com/wp-admin or www.websitename.com/wp-login.php then they’re going to have a really difficult time attacking. Many plugins are available that make this simple change for you including Lockdown WP Admin as well as several of the major WordPress security plugins.
An other ineresting plugin is Wordfence.
This plugin makes your wp-admin page extreem secure. If a user logs into your backend more than lets say 10 times (you can adjust this your self) the user or bots IP is blocked now.
Turned out to be quite an article but WordPress security is an important topic.
Please leaf your comments below thank you.