
Top 10 Simple Tips to Secure WordPress Site

WordPress is by far the leading CMS for building websites. Depending on which statistics you look at, it powers around a third of all websites and roughly 60% of those built on a CMS. A platform that dominant attracts attackers in proportion: someone finds a vulnerability in WordPress core, or more often in a popular plugin or theme, writes a script for it, and then runs that script against every site they can find. The number of hacked WordPress sites keeps growing.

To see where those attacks come in, it helps to know that a WordPress site is built from three different parts, any of which can be the weak point:

1) WordPress core files
2) Plugins
3) Themes

In this article we have shared some basics on how you can secure your WordPress website.

There are many security plugins on the market that help, but a plugin cannot do the basics for you. The steps below should be in place regardless of which plugin you install.

Checklist on how to secure the website.

2) Disable Error Reporting for Core System:

When something breaks, WordPress can print an error message on the front end that includes the full path of the failing file and the function it was in. That tells an attacker how your server is laid out. Make sure debugging is off in wp-config.php by adding or updating the line below (WP_DEBUG is already false on a fresh install; the usual problem is a developer who turned it on and forgot). Note that this only controls WordPress's own reporting: PHP's display_errors setting must also be off in php.ini, and if you genuinely need debugging on a live site, set WP_DEBUG_DISPLAY to false and WP_DEBUG_LOG to true alongside WP_DEBUG so messages go to wp-content/debug.log instead of the page.

define( 'WP_DEBUG', false);

For WordPress security, file and directory permissions play an important role. The usual recommendation is 755 for directories and 644 for files: the web server can read everything, but only the file owner can write. wp-config.php, which holds the database credentials, should be tighter still (640 or 600, depending on which user the web server runs as).

Run the following from the WordPress root (not from /) to set directory permissions recursively:

find . -type d -exec chmod 755 {} \;  # Change directory permissions rwxr-xr-x

And this to set file permissions recursively:

find . -type f -exec chmod 644 {} \;  # Change file permissions rw-r--r--

If your host runs the web server as a different user than the file owner, check the host's documentation first; blanket 755/644 can break media uploads and automatic updates in that setup.

Some themes and plugins let users upload files. If an attacker can push a PHP file through such a feature and then request it directly, the web server executes it and the site is under their control. To prevent this, add a .htaccess file in wp-content/uploads that refuses to serve PHP files. Note that a bare "deny from all" would also block every image and document in the folder, so restrict the rule to PHP-like extensions:

<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

This is Apache 2.2 syntax, which Apache 2.4 accepts through mod_access_compat (enabled by default in most distributions); on nginx, add a location rule for the same path instead.
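The permission and uploads steps above, combined into one script as an added example (this is not code from the original article or from WordPress). It assumes the standard layout (wp-config.php at the root, wp-content/uploads below it), that the web server runs as the file owner or its group, and Apache with .htaccess enabled; the path names are illustrative.

```shell
#!/bin/sh
# Added example, not code from the original article: apply the permission
# and uploads hardening described above to a WordPress tree, then look for
# leftovers. Assumes the standard layout (wp-config.php at the root,
# wp-content/uploads below it), that the web server runs as the file
# owner or its group, and Apache with .htaccess enabled for the PHP block.
set -eu

# 755 on directories, 644 on files: readable by the web server, writable
# only by the owner. wp-config.php carries the database credentials, so it
# gets 640 (owner rw, group r, nothing for others).
harden_permissions() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 640 "$root/wp-config.php"
  fi
}

# Write an .htaccess that denies requests for PHP-like files in uploads.
# Images and documents are still served; only script execution is blocked.
# (Apache 2.2 syntax, accepted by 2.4 via mod_access_compat; on 2.4 without
# that module use "Require all denied" inside the same FilesMatch.)
block_php_in_uploads() {
  uploads=$1
  mkdir -p "$uploads"
  cat > "$uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Order Deny,Allow
    Deny from all
</FilesMatch>
EOF
  chmod 644 "$uploads/.htaccess"
}

# Things to review by hand after hardening: anything still world-writable
# (symlinks excluded), and any PHP-like file already sitting in uploads,
# which a permission change does not remove.
find_leftovers() {
  root=$1
  find "$root" ! -type l -perm -002
  find "$root/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) 2>/dev/null
}

# Usage: sh harden-wp.sh /var/www/html
if [ "$#" -ge 1 ]; then
  harden_permissions "$1"
  block_php_in_uploads "$1/wp-content/uploads"
  echo "Review these leftovers:"
  find_leftovers "$1"
fi
```

Run it against the WordPress root and read the leftover list: a .php file under uploads is something to inspect and delete, not just block, because another script on the server could still include it.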

While installing WordPress you can set the database table prefix to a random alphanumeric string instead of the default.

By default every table is named wp_something, so automated SQL injection scripts hard-code wp_users, wp_options and so on, and a custom prefix makes those canned payloads miss. It is a speed bump, not a wall: an attacker who already has SQL access can read the real names from information_schema, so treat this as cheap hardening against scripted attacks rather than protection for the database itself. Changing the prefix on an existing site means renaming every table and updating the rows in the options and usermeta tables whose names include the prefix (user_roles, capabilities, user_level), so it is far easier to do at install time.

Since WordPress 3.0 (if you are still on an older version, it is time to upgrade) you can choose the administrator's username during installation, yet many people keep the default "admin" and become easy targets for brute-force attacks, which try "admin" first. Pick a different login name, and keep in mind that usernames can still be discovered through author archives and the REST API, so this tip only works together with a strong password and some form of login rate limiting.

Do not use a simple password such as a number sequence or "qwerty"; attackers crack those in seconds and walk into your site. Do not use a name (yours, your pet's) or any dictionary word either. A strong password is long (at least 12 characters), unique to this site, and mixes upper and lower case letters with digits and symbols such as !, $, ?, (. A password manager will generate and remember one for you.
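The table-prefix and password advice above, turned into checks you can run before an install. This is an added example, not code from the original article or from WordPress; the rules it enforces are the script's own (WordPress itself only requires the prefix to contain letters, digits and underscores), and the short word list is a constructed sample standing in for a real dictionary.

```shell
#!/bin/sh
# Added example, not code from the original article: generate and check a
# random table prefix and a strong password for a new WordPress install.
# The rules below are this script's own; WordPress itself only requires
# the prefix to contain letters, digits and underscores.
set -eu
export LC_ALL=C

# Constructed sample; a real checker would load a proper word list.
COMMON_WORDS='password qwerty admin wordpress letmein welcome 123456'

# Accept a prefix that is not the default, starts with a letter, contains
# only [A-Za-z0-9_], ends with an underscore and is at least 4 chars long.
table_prefix_ok() {
  p=$1
  case $p in wp_) return 1 ;; esac
  case $p in [A-Za-z]*) ;; *) return 1 ;; esac
  case $p in *[!A-Za-z0-9_]*) return 1 ;; esac
  case $p in *_) ;; *) return 1 ;; esac
  [ "${#p}" -ge 4 ]
}

# One random letter, five random alphanumerics, trailing underscore.
gen_table_prefix() {
  first=$(tr -dc 'a-z' </dev/urandom | head -c 1)
  rest=$(tr -dc 'a-z0-9' </dev/urandom | head -c 5)
  printf '%s%s_\n' "$first" "$rest"
}

# Strong: 12+ chars, upper and lower case, a digit, a symbol, and no
# common word or keyboard sequence anywhere inside it (case-insensitive).
password_is_strong() {
  pw=$1
  [ "${#pw}" -ge 12 ] || return 1
  case $pw in *[A-Z]*) ;; *) return 1 ;; esac
  case $pw in *[a-z]*) ;; *) return 1 ;; esac
  case $pw in *[0-9]*) ;; *) return 1 ;; esac
  case $pw in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac
  lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
  for w in $COMMON_WORDS; do
    case $lower in *"$w"*) return 1 ;; esac
  done
  return 0
}

# Draw random characters from /dev/urandom until a draw passes the checks.
gen_password() {
  len=${1:-20}
  until pw=$(tr -dc 'A-Za-z0-9!$?()@#%&*_+' </dev/urandom | head -c "$len") \
        && password_is_strong "$pw"; do :; done
  printf '%s\n' "$pw"
}

# Usage: sh wp-secrets.sh --generate
if [ "${1:-}" = "--generate" ]; then
  echo "table_prefix: $(gen_table_prefix)"
  echo "password:     $(gen_password 20)"
fi
```

Paste the generated prefix into the installer's "Table Prefix" field (or $table_prefix in wp-config.php) and store the password in a password manager rather than in a note next to the site.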

Most hosting companies offer a malware scanner add-on that checks files on a schedule and quarantines or removes anything it recognises. Use one, or a security plugin that includes a malware scan, so that an infected file is flagged and dealt with immediately rather than months later.

Do not log in to your website or hosting account over public Wi-Fi or from an internet cafe: on an untrusted network your traffic can be intercepted, and if the login page is served over plain HTTP the password crosses the network in cleartext. Make sure wp-login.php and wp-admin are served over HTTPS (FORCE_SSL_ADMIN in wp-config.php) and, even then, avoid logging in from networks you do not control.

Plain FTP sends your username, password and files in cleartext, so anyone on the path can read or alter them. Use SFTP (file transfer over SSH) or, if your host only offers it, FTPS (FTP over TLS); both encrypt the whole session.

Apart from the tools offered by the hosting company, you can add another layer with security plugins on the website itself. The ones below work with little configuration, so they are usable even if you are not technical.

Here are few security plugins we’ve used extensively:

1. Wordfence Security – Firewall & Malware Scan

Link : https://wordpress.org/plugins/wordfence/
Active installations: 2+ million

2. Sucuri Security – Auditing, Malware Scanner and Security Hardening

Link : https://wordpress.org/plugins/sucuri-scanner/
Active installations: 400,000+

3. All In One WP Security & Firewall

Link : https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
Active installations: 700,000+

Disclosure: We are not resellers or partners of any of the plugins suggested here. These are the ones we have used on different projects and had good experiences with; we receive no affiliate fees or other compensation for recommending them.

Conclusion:
Always keep WordPress core, plugins and themes up to date. Attackers scan for known vulnerabilities in outdated versions, so an unpatched plugin or theme is the easiest way in.

Hope this article will help secure your website.

cmsMinds is based in the heart of RTP, NC (Raleigh, Durham, Chapel Hill) and works on Drupal and WordPress websites. With an expert WordPress team, we can assist in making your website more secure. If you just need an audit report to ensure everything is set up correctly, please connect with one of our team members.

As always, we would like to hear from you, if you have any comments or any new ideas on this article.
