Once your website is up and running successfully, you managed to get lots of traffic to your website success and popularity you also become a target.
WordPress is a successful and popular open platform for website and with that brings the attention of the hackers and bad guys, it’s important to secure wordpress website from hackers.
The bad guys looking to build a network site will look to the most widespread applications and attack their vulnerabilities, because of low stumbling blocks and ease of use which is written is php. People who are tech savvy who knows everything about wordpress as it is easy to understand and write php code can utilise wordpress without recognising the full security involved in wordpress.
Install WordPress Security Plugins
You need to install sucuri or wordfense or any other security plugin to avoid ddos attack, sql injection, htaccess malware redirection or any other type of attacts.
Measures to Take
Lets cover some preventative measures that you need to put into place & basic security principles you should employ, apply and handle, when using WordPress. Some of them seem like common sense, but surprisingly are not put into practice on the average site. These are all preventative measures that you need to put into place before you really need them.
1. Stay Up to Date: To Secure WordPress Website From Hackers
Keeping your wordpress website updated along with installed plugin not only makes your website run smoothly, but also secures your wordpress website from hackers. Simplicity of keeping the WordPress core updated, which is of utmost importance, and with keeping the web root security intact. Always update your wordpress with latest release and stay up to date so that you can secure wordpress website from hackers and be more secure, and stable. This is one of the key advantages to open source software.
Before Updating your wordpress, always make sure you are taking backup of your website, If you update your wordpress website with latest version released, then there will be less chances of your website getting hacked.
Because with the latest updates security fix concerns will be fixed and hackers target all outdated wordpress versions, so that code will be stable and easy yo exploit. Website which is not updated with the latest version of wordpress will be hacked sooner or later, so keep updating your website to secure wordpress website from hackers.
WordPress came up with new features in dashboard section and it will trigger you notification directly in wordpress dashboard when there is a new version available. Another new feature is the ability to upgrade WordPress directly from the Dashboard.
2. Secure your wordpress website from Hackers:
This feature lets the site administrator update the WordPress core right from inside the web interface. If your web server has the ability to write to the files in your WordPress directories, then the automatic upgrade functionality works. If not, WordPress prompts for your FTP credentials to update the files for you.
Both of these situations are of concern. In general, your web user should not have write permissions to your entire web root. This is just asking for trouble, especially on a shared hosting platform, excepting, of course, certain directories such as the uploads folder that must be writable by the web user in order to function.
3. Keep Your FTP Details Secure:
It is not clear how FTP credential details are stored and users are not encouraged to key in FTP (an unsecured protocol at that) credentials into any form that asks for it. However, if you do decide to go this route, you can set some WordPress configuration variables in your wp-config file that will further automate the FTP process.
4- Hiding WordPress Version Information
This will be the second step to make your wordpress website secure from hackers. Hackers hack wordpress websites with little known information. its strongly recommended not allowing or hide which specific version of WordPress you are running from the public eye. It is an easy way for wordpress hackers, if they see which version of WordPress you are running and easily find vulnerable site.
With the wordpress installation the version number is shown in the HTML source code as a meta tag for anyone to view the source and see. However, if you want to remove this meta tag, there are several plugins that can do it for you. Or you can edit your functions.php file and at the bottom add the following:
Remove_action('wp_head', 'wp_generator');
Also look out for the other themes and plugins which include information in head section.
5 – Limit Login Attempts:
Limiting the number of login attempts on your WordPress control panel as next precaution to secure your wordpress website from hackers. This can prevent or discourage bad guys from brute-force attacking your site.
By default, WordPress will allow unlimited invalid login attempts, meaning that an automated script could be whacking away at your site all day long. The Limit Login Attempts plugin by Johan Eenfeldt looks to remedy that. After a configurable number of invalid login attempts, that IP address is locked out for a specified period of time.
This slowdown reduces the attractiveness of your site to an automatic attack script. You can find more information about Limit Login Attempts at http://wordpress.org/extend/plugins/ limit-login-attempts/.
6- Using Good Passwords:
Furthermore, use good passwords for your account. Not just your WordPress accounts, all of your online accounts. Yes, we all have hundreds of passwords to remember, but there are tricks to using good passwords, including mnemonics and password safes.
WordPress has a nice JavaScript indicator when you are setting your password to let you know the quality of it. Remember that you can pick a good password that is something you remember, or use a secure password-safe application to store it. Your password is your key to your kingdom, so make it a good key with strong querystring passwords.
7- Change your Table Name Prefix:
This is another method to obscure the default attack vector. By default, new WordPress installations have a table prefix of wp_. That means every table in your WordPress database has a very predictable name, making it easier for attackers to form an assault on your site. If you are deploying a new site, set something unique for this prefix.
If you are already on an existing site, plugins are available that can handle renaming your tables for you. Make sure you make a database backup before performing this task because the implications if it does not work are quite severe.
8- Moving Your Configuration File:
By default, the WordPress configuration file is located in the root of your website. In the event that PHP stops functioning on your web server for any reason, you run the risk of this file being displayed in plaintext, which will give up your passwords and database information. You can safely move the wp-config directory up out of the root directory. This will stop it from ever being accidentally served. WordPress has built-in functionality that will automatically check the parent directory if it cannot find a configuration file. In some situations on certain hosts, this is not an option. An alternative is to set your .htaccess to not serve up the wp-config file. Add the following line to your .htaccess fi le in the root directory:
deny from all
9- Moving Your Content Directory
Related WordPress Articles
1. Overview of WordPress Folder and File structure and its Core Files
2. Debug Mode WordPress: Disable and Enable Debug Mode in WordPress
3. WordPress Disable Comments Sitewide: how to disable comments in WordPress on all posts
To secure your website from hackers and automated tools, you can move your wp-content directory, by moving this way, you can take a large portion of your WordPress installation and move it to a non-default location, this makes hard for the bad guys to jump-in through your wordpress website.
Add below lines to your wp-config file:
define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'].'/mysite/wp-content'); define('WP_CONTENT_URL', 'http://example.com/mysite/wp-content');If you are using plugins, few plugins may have difficulty with nonstandard directory structure. If you are experiencing problems with certain plugins, you can add the following lines to your wp-config file for compatibility:
define(‘WP_PLUGIN_DIR’, $_SERVER[‘DOCUMENT_ROOT’]. ‘/mysite/wp-content/plugins’);
define( ‘WP_PLUGIN_URL’, ‘http://example.com/mysite/wp-content/plugins’);
Moving your content directory does not in and of itself make your site more secure.
10- Using the Secret Key Feature
In your WordPress config file there are secret key values for encrypting user cookies. There are four keys (since WordPress 2.6) to establish the secret, or private, key used by WordPress to protect session information stored in user cookies. Each key also has a “salt value” that is used by the cryptography functions to reduce the likelihood that a directory-based attack would discover a password through brute-force.
A potential attack would have to start with both the guessed password and the salt value. If you don’t specify salt values, WordPress generates them. You should set both the secret keys and salt values to make the encryption of user session data for your site stronger.
Either make them up or visit https://api.wordpress.org/secret-key/1.1/ salt and get randomly generated ones. You can change these keys at any time, but it will force anyone who is logged in to log in again.
11- Forcing SSL on Login and Admin
You can force your visitors and administrators to log in via an SSL-encrypted page, assuming you have that set up already to secure your wordpress website from hackers.
Edit your WordPress config file and add the following flag:
define('FORCE_SSL_LOGIN', true);
You can also force the entire WordPress Dashboard to be served over HTTPS. Again, edit your config file and add the following line:
define('FORCE_SSL_ADMIN', true);
Please do not just blindly enable these features. This can be problematic if you are using a self signed certificate on your site.
Note that WordPress likes to build internal post links using the URL that you are accessing the Dashboard with. So, if you forced SSL on the Dashboard and are using a server self-signed certificate, the internal post URLs will do the same and your visitor will be have to accept the certificate also.
Generally, this is not a good practice. Work with your hosting provider to obtain a certificate from a respected certificate provider
12 – Apache Permissions
Permissions will vary depending on your configuration, but a good Apache rule to set files to 644 and folders to 755. If you cannot upload to the uploads folder, adjust those privileges alone. Generally, the files are set to be in the same group as the web server and owned by the local user.
If you set this, it likely break some of the cool functionality such as one-click upgrades, and theme and plugin installations from the control panel. In this case, you may have to provide WordPress with the FTP credentials to your site for this functionality to return.
13 – MySQL Credentials
Set your MySQL login and permissions correctly, do not connect your WordPress site to your database with the MySQL root user. Set up a special user for each WordPress site. Make sure it only has access to the database it needs, and make sure it only has the privileges it needs. For example, your WordPress database user never needs to grant access to another user.
14 – Secure your WordPress Login URL from Hackers:
To secure your wordpress login url you should make necessary arrangements as per requirement to make your wordpress secure from hackers.
1- Secure Admin username – remove default admin username.
2 – Limit login attempts
3 – Change wordpress login url, wp-admin
4 – Protect login with htaccess authentication
5 – Audit Login failures
6 – Login wp-login with ip-address in htaccess file.
7- Add Security Questions to Login Screen
8- Use Login Lock Down
9 – Add 2 factor Authentication for Login
10- Disable xml RPC Login Attempts
11- Automatically Logout Idle users.
15 – Disable Directory Listing for Users
To make your wordpress website secure, first you need to hide your directory listing which will be visible for users. Example, if users tried to access your wp-content folder, by default it returns the files from browser. Its very easy to get hacked by making these folders visible for users and others. To get rid of this problem and make your wordpress website secure from hackers, you need to add below line in your .htaccess file. Now folders will not be visible to other users.
By adding Options -Indexes
16- Enable Web Application Firewall
You can enable firewall in two ways:
Enable CDN application level firewall through cloud proxy levels, and also from server level web application firewall via wordpress firewall plugin.
17- Move WordPress from httP to httpS.
To make your website secure from hackers always make your website secure by moving having ssl certificate installed on your website, and it also helps your website indexed in search engines as well.
18- Don’t Use Nulled Themes
Don’t download and install themes from any other third party websites or free download themes websites .As these themes are nulled themes and contains malware, virus and your website can be hacked in minutes as soon as you install null wordpress theme.
20- Disable File Editing.
To secure your wordpress website from hackers, disable file editing from back end. If a hacker somehow gets in to your admin dashboard, from admin dashboard under appearance -> theme editor he will be able to access and edit files from admin dashboard. It’s always safe to disable file editing from admin dashboard. You can do that by adding a simple code in your functions.php file.
21- Hide your wp-config file:
Wp-config is the main configuration file where all your details of your website user name, password, security keys, database ip, database username, database password are present. If a hacker tries and get to manage wp-config file then he can easily hack your website. To make your website secure from hackers hide your wp-config file or change the location of wp-config file.
You can hide your wp-config file by adding below lines of code in your htaccess file:
order allow,deny
deny from all
22- Disable PHP File Execution:
It is always safe to make your files not executable on server level. It is another way to Harden the security of your wordpress website from hackers.
You need to add the below following lines in your htaccess file For disabling PHP file execution.
deny from all
23 – Scan your website daily:
To make your website secure from hackers it is always recommended to scan your website daily and have a backup of your WordPress website And scan for Malware.
You can scan your website by the following security plugins available in WordPress.
1- Securri
2- Wordfence
3 One wordpress security and firewall
4- Defender
5- Vaultpress.