With the expanding usage of the internet, cybercrime is a looming reality for website owners. Be it a one-page site or a multipage site, “hacking” is a threat leveraged by criminals from any part of the world with a devious plan against your online entity. Your website is your decisive magnet to draw people to you rather than you having to go out looking for clients or partners. So, if you are relying on your WordPress security, you should be on guard. Considering the old saying, “Prevention is better than Cure”, here in this blog we are presenting a complete guide to secure WordPress site.
You will be amazed to learn how easy it is to keep WordPress site safe without having coding knowledge!
Among all of the CMS (Content Management Systems), WordPress is always praised for its security. Where many experts claim WordPress is vulnerable, we have found most of the security issues are caused by the users and external factors. In fact, the WordPress team is always alert to fix any issues experienced by the users. The WordPress team launch update version twice in a year (average)!
So far, we have detected most of the security-related issues are introduced by various external factors, which may include insecure servers, user inexperience, and unauthorized third-party plugins. Hence, in this article, we have focused on reducing risks that are mostly caused by the external factors.
Remember that security is not a one-time setting thing. You have to check and change security settings time to time. It is always better to scrutinize the security setting after every update is completed. However, you could never have a 100% secured website.
Popularity of WordPress
If you are selecting WordPress as your website platform, you must be falling for it because of its popularity! Yes, indeed WordPress is the most famous CMS among all of them, 35% of the total website users are now powered by WordPress.
Following is the overview of WordPress popularity that will surely move other CMS users to change their website platform:
#1: It’s Free and Open Source
WordPress is widely popular for its “free” availability. Anyone can download WordPress from its official site from anywhere around the world and create a website.
WordPress comes with lifetime validity at “zero price”, hence most of the website developers and WordPress support providers recommend this CMS platform. Besides, most of the hosting companies offer one-click installation link for WordPress. Hence, consult with your hosting providers and enjoy a free CMS platform for a lifetime!
#2: Create Multipurpose Websites from Single Platform
WordPress is an open source platform that allows users to create diversified websites like blog websites, e-commerce websites, membership websites, a question-answer forum, photography website, classified ads posting website and online magazines.
WooCommerce is the free plugin to create an e-commerce website using WordPress platform.
#3: Create 99% SEO Friendly Websites with WordPress
WordPress is considered as SEO ready WordPress website. According to Google, WordPress is 99% SEO friendly. Today, everybody is trying to improve their SEO strategies. Having an SEO ready site will be definitely advantageous. The good news is, WordPress takes SEO responsibilities very seriously.
The fast loading pages of WordPress is an SEO boosting feature. Besides, the WordPress developers are always updating the coding standard. You can optimize images, especially for SEO purposes. However, the advantageous part of using WordPress is – hundreds of well-tested SEO plugins.
#4: Easy to Customize
When it comes to WordPress, you can customize WordPress like anything. From simple fonts to color and design, you have the power to customize every single aspect of your website! Thanks to GUI enable customization panel in the dashboard which allows the changes without altering the codes. The interface of the dashboard is truly user-friendly which simply indulges the WordPress users with little coding knowledge to customize their own sites.
On the other hand, you can also customize the site via code customization, but in that case, we strongly recommend you to take help from the WordPress maintenance services providers.
Well-informed navigation pane of WordPress makes it easily customizable. In fact, one of the main reasons of WordPress’s growing popularity is its easy-to-use nature. Most of the WordPress support providers will give you one-click opportunity to download WordPress and install it. Besides, there are inbuilt facilities to publish blogs, control user management, and RSS feeds. Auto grammar check of contents, SEO friendly structure for images and easy comments checks make WordPress easier to handle than other CMS.
#6: It Supports Multimedia
WYSIWYG is the rich text editor supports WordPress. WYSIWYG helps in inserting audio, video and images easily in the blog post. You can insert any media with a single click in your content that can make your website more interactive.
#7: Thousands of Tested Plugins
WordPress offers 47 thousand + plugins and all of these plugins are well-tested and trustworthy. The diversity of plugins you can find for WordPress is impressive and you can hardly find in other CMSs. Although WordPress maintenance providers accused third-party plugins of most of the WordPress security issues, you will feel blessed using hundreds of excellent SEO plugins. There are also some security plugins that can help you to enhance website security.
#8: Large and Reliable Community
WordPress has a large and growing community of active users and developers. The support forum for WordPress is well maintained and offers answers to millions of queries as well as solutions for troubleshooting problems. If you have any query regarding WordPress maintenance and WordPress security, just post it on the forum page and you will receive 100% fruitful solutions.
Apart from the WordPress official forum, you can also find several WordPress dedicated groups and forums in different platforms run by WordPress developers. You may also find WordPress experts on popular social sites like Facebook, Twitter and LinkedIn, giving free advice.
While WordPress is the easiest open source CMS that attracts most of the website builders to choose this platform to build their first website, WordPress is has become the easiest target for the hackers. The WordPress website developers are becoming more dependent on the lucrative third-party plugins and themes, which are in most cases, turning into welcoming loopholes for hackers.
The owners of the WordPress website users are mostly filing reports for security bypass vulnerabilities due to themes and plugins, failure of access restrictions to the sensitive data/files, admin user hacking, XSS (cross-site scripting) vulnerabilities and the default WordPress tag.
However, you can always fix these issues through simple steps (may need help from the WordPress support services), which will be discussed throughout this blog.
Recent WordPress Security Releases:
According to the security category archive of WordPress, the WordPress team has lately released 5.3.1 Security and Maintenance Releases. Before that, they have released 5.2.4 security release. Most of the WordPress users are now using either WordPress 5.2.4 version or WordPress 5.3.1 version.
WordPress 5.4 version is available since 31st March 2020 and the WordPress team is continuously pushing the users to update their sites so that they can overcome major security issues detected in the earlier version.
Following are the updates that you can find in the new version WordPress 5.4, which is named “Adderly” in honour of Nat Adderly.
- Two new blocks added: In the new version you will find two brand new blocks Social Icons and Buttons.
- Color gradients: Now you will get color gradients in the cover block as well as in the Buttons. Also enjoy color options in the group and Column blocks.
- Cleaner UI and navigation: Clearer block navigation with 14% faster editor loading.
- Privacy: Now export personal data including users’ session as well as location data all in a better and cleaner look.
- For the developers: Now you can add custom fields to the menu item with two new actions. In the menus wp_nav_menu_item_custom_fields fires before move buttons of a nav menu item in the menu editor. In the Customizer wp_nav_menu_item_custom_fields_customize_template – this action fires at the end of the menu items. Also, from now the developers can register blocks collections (if you build plugins) by namespace across categories – improving your brand visibility!
Here are some important links you may want to check:
- Installation information WordPress Version 5.4
- WordPress 5.4 Announcements
- WordPress 5.4 Field Guide
WordPress Security Attack Report 2020
Although the WordPress team is trying their best to find and fix all of the loopholes, current security releases already prove that they are failing to offer “100% security.” Here are some statistics that will clarify you, why in this blog we are pressing for WordPress security tips and WordPress maintenance services instead of using handfuls of security plugins.
#1: CMS Infections Comparison (2018/2019)
This graphical presentation reflects the infection comparisons between four popular CMSs WordPress, Joomla, Drupal, Magento in past two years (2018 and 2019). This data is collected from Sucuri. From the graph, it can be easily concluded that WordPress was the most favorite CMS to the hackers between whether it is 2018 or 2019, which elaborates the significance of current security updates WordPress 5.4.
#2: Types of computer attacks in 2016
From the above data collected from Sucuri, it can be said that 56% of all infections took place because of out of date CMS applications. Henceforth, WordPress team is continuously pressing the users to update to the latest versions.
#3: Website Reinfections
As monitored by Sucuri, it is recognized that most website reinfections occurred due to malware (18%) and SEO Spam (15%).
#4: Top Detected Malware 2019
Here is the graphical representation of detected malware distribution as data analyzed by Sucuri in 2019.
#5: PHP Version Distribution
The above chart clearly depicts that PHP 5 is still the winner when it comes to popularity. As the data collected by Sucuri shows that almost 54.13% of PHP users are still on 5.x, we must enlighten you that PHP 5.X has already reached the EOL (End Of Life) mark. It simply means that the 5.x users will no more receive any security updates making the website more vulnerable to the hackers.
WordPress Security Hacks 2020
What we can do is to eliminate maximum risk factors and have smooth WordPress maintenance. In this blog, we will introduce you with 25 simple security hacks. By following these hacks you can reduce WordPress security risks by 90%.
Most of the hacks mentioned here are followed by the reputed WordPress support services.
- Do Nothing
Security of a WordPress site is hugely dependent on how users are accessing and treating their websites. If your WordPress site is running on the best personal hosting service and a secured server, then your website is already in safe hand. On the other hand, if you are 100% sure about the themes and third-party plugins, you made a stronghold.
So, as you can see, it is always better to do “nothing” to be safe. Besides, without a heavy theme and plugins, your website will speed up like anything. Less page loading time is now an important factor for ranking in Google SERP. If you are not much familiar with WordPress maintenance services, then keeping site simple and plugin-free is the best way to have a secured website.
2. Use SFTP not FTP
Using FTP (File Transfer Protocol) is no longer safe. When you are using FTP it delivers your data and credentials in plain text. It means your valuable data, especially the connection information and password are not encrypted. Therefore, when you are sending files through FTP, anyone can make little security breach, access your valuable data and exploit them.
On the other hand, using SFTP (Secure File Transfer Protocol) is similar to that of the FTP but with encrypted data. While using SFTP your data will be encrypted and won’t be vulnerable towards the cyber attackers.
If you are not sure about the SFTP protocol to take advice from your hosting service provider or reliable WordPress maintenance services provider. Converting from FTP to SFTP is an easy process and you won’t require any coding knowledge for the conversion.
3. Use SSL/HTTPS
If you are still using HTTP (Hypertext Transfer Protocol), you are not in safe hand. If you want to secure WordPress site, you have to buy an SSL (Secure Sockets Layer) certificate and convert to HTTPS. While using HTTP all of the data that are transferred between browser and server are not encrypted. Hence, it is wise to avoid HTTP. For the e-commerce site, it is more sensitive because the buyers entrust sellers with their confidential personal details and bank/credit card details. If the e-commerce site is using HTTP, it means the hackers have access to all of these valuable and sensitive data. You can just imagine the consequences!
The hacker can easily intercept the confined data of the customers as well as their account passwords. No doubt Google and other well-wishers are motivating website owners to switch into HTTPS (Hypertext Transfer Protocol Secure) from insecure HTTP. While using HTTPS, the data transferred between the browser and the server will remain encrypted. It simply protects your valuable data from exploitation by unwanted people.
Converting from HTTP to HTTPS is little more difficult than converting from FTTP to FTTPS. However, it is doable with little help from the WordPress support providers. To make the switching from HTTP to HTTPS, you need to buy an SSL certificate from an authentic source. The best thing is, now most of the Website hosting comes with free SSL certificate. This certificate should be implemented on your site properly.
Don’t forget to run your WordPress website in an online SSL checker to check whether it is working properly on.
4. Secure Hosting
Having a good and authentic hosting provider is the best way to get rid of most of the WordPress related issues. The server is considered as the foundation of a website. Hence, make sure that the hosting provider is trustworthy and has a reputation to offer stable and secure servers.
While selecting an ideal web host for your website never go for a “cheap” one. There are several booby traps in internet offering free website hosting or super website hosting service at a minimum price. Never fell into these traps. Remember that you can get what you pay for.
Try to have a private hosting service (the best) or a shared hosting service. A shared hosting service means you are sharing your server space with the other website owners. In that case, a security breach in one site can also cost your website. Besides, shared hosting service often go to maintenance or just slowed down that can cause white screen of death to your website.
Use VPS (Virtual Private Server) hosting, where the hosting provider will dedicate one entire server only to your site! It makes you secure from the “neighbor fights.” With VPS your site security will never be dependent on the security of other websites.
To find the best hosting providers make your own research. But, what should you look for? You should look for reputation, work history, supportive, reliability, and responsiveness. An ideal web host provides properly configured a server and latest versions of software (PHP, Apache, etc. They should offer reliable WordPress back up services. However, for WordPress backup, you can also rely on the expert WP support providers.
5. Strong Passwords
Selecting a password is no doubt a critical task. Select a strong password- is written in almost everywhere when you asked to create an online account. Unfortunately, most of the people are still very reluctant about their password strength despite being hacked for several times.
If you want to secure your WordPress site, you can’t entertain such reluctance. While watching network traffic we have confronted ruthless hacking attempts. 99% of these attacks were on the site’s login page. They want unauthorized access and a chance to exploit your website. Fortunately, you can just use an ultra-strong password for every login page/account to prevent them. Creating an ultra-strong password for WordPress is not everything, you have to create a strong password for SFTP, database connections, email and anything that is significant to your account.
According to WP Codex:
Hackers thrive on predictability. They predict that many peoples passwords are in fact ‘password’, or that their username is probably their real name or some default value such as ‘admin’. Be unpredictable.
As you can see, the WordPress team is also very concern about security breaching through password assumption. To help the users, WordPress team now added a built-in password-strength meter (new feature) on the profile screen of the users. With this, you can generate ultra-strong passwords effortlessly. However, generating strong password is not enough if you can’t keep it secret. So, our advice is not to write the password “anywhere” or share it with anyone.
Here are some tips to create strong passwords:
- Select a long password with random alphabets, numerical and special characters
- Never entrust anyone with the password, always keep it to yourself
- If, for technical reason you are bound to share the password, then change the password right after the task has been done
- Try an online password generator to create rocking strong passwords
6. Stay Current
Update your knowledge as well as your WordPress site. Yes, the latest version of WordPress is the safest one. The WordPress team is continuously working to fight against the glitches and fix issues. Whenever they are repairing any issues, it means either they are repairing the loopholes that are the gateway to hackers or improving users’ experience. In fact, WordPress launches an updated version of the CMSs twice (almost) in a year!
Updating WordPress site is an easy task. You can manually update it when update version come or just rely on the auto-update button of WordPress. If you are not comfortable with the technical stuff then you can take help from the WordPress maintenances services provider. However, only trust the reliable sources as you have to share account credentials with an external party.
7. Clean Up Rogue Files
Never store rouge files as they only increase your liabilities. Start deleting “excess” files to reduce the burden of liabilities. Take your time and scrutinize the files in director and immediately remove any file that you think is “not wanted” anymore. Here are the sample file names that you might feel unnecessary and want to remove as soon as possible:
- Inactive plugins
- Inactive themes
- Testing or version control files
- Other unwanted loose files
Although you have identified some of the junk files, you may feel to keep them for some time. In that case, you have to make sure that those files should remain protected from any unauthorized or unwanted access. You can secure these files in two different.htaccess techniques:
RedirectMatch 403 /filename\.ext
RewriteRule /filename\.ext – [F,L]
Change the file name to match it with your file extension and the update it to your .htaccess file and refresh your server. In either case, it will show “403 – Forbidden” error. If you have little or no coding knowledge then take help from the expert WP website designers.
8. Keep Good Backups
Accidental data loss is one of the frequent yet crucial issues. You might feel, how it is possibly losing data accidentally? Yes, it happens and when it happens you may feel destroyed if there are no backup files! It mostly happens while migrating hosting services or experimenting with any plugins or themes. Hence, while integrating new plugins/themes it is always wise to keep a backup or test them first on a WordPress Staging site.
Besides, anything could happen these days and hacking is one of them. Keeping a backup of the current website could save the day for you. According to the WordPress maintenance service providers, always take backup of your site before making any changes, even if it is a simple task like integrating plugin. Try to have more than one copies of the backup file.
Note that an ideal backup should be secure, current and well-tested. It is important that you should keep backup of your database along with the files. Now, you can either manually take backup of the files and database or just use out of the box plugins for the same. Best WordPress backup plugins are BackWPUp, Duplicator, and BackUpWordPress. The procedure of WordPress manual backup is little critical and may require WP experts’ help.
9. Stick with Trusted Sources
This one is probably the easiest but most important step to secure WordPress websites. What we want to state here is only trust the authentic sources while downloading themes and plugins that you very dear for your website. Stay away from clicking on the pirated or shared version of plugins and themes that are scattered all over the internet at a cheaper price.
Most of the underrated plugins and themes (pirated and cheap) actually contain “bad codes” or viruses. At first, it may work fine and everything will look good but under the hood, it may be hacking your sensitive data or messing with your codes. Be alert before it is too late to recover. Select only genuine and well-rated sources to download themes and plugins.
10. Use Quality Plugins
We are all fascinated with plugins. Plugins help us to set up best WordPress sites that offer excellent user experience. Besides, most of the WordPress website developers recommend using some good plugins that are essential for security and backup of WordPress. But, as you know, cheap plugins may not be well-coded or reliable. Hence, we strongly recommend using quality plugins for your website.
While selecting a plugin you need to check the following signs:
- Current plugins tested in latest WordPress version
- High rating or good feedback
- Active number of users
Recent updates or frequency of update
11. Know what You’re Doing
Knowledge is the key to run a process smoothly. Being an owner of a WordPress website, you should have basic knowledge of what you are doing. Only then you can intercept the consequences of your decisions. So educate yourself now and gain a basic knowledge of WordPress maintenance, common issues occurred in WordPress, threats towards a WordPress site and plugins/themes.
When you have a fair knowledge about every aspect of WordPress, you will automatically know how to use this software and extract the best performance from it. Understanding WordPress will also help you to detect the possible security threats and you can easily mitigate them without consulting with any expert WordPress service providers.
12. Know where You’re Doing It
Is your wi-fi connection secure? Always ask yourself this question before logging in to the WordPress admin panel. It is amazing how a large number of people use insecure wi-fi connections while accessing their valuable online accounts. Most of them find any free wi-fi zone or just walk into any café shop and connect to the free wi-fi and access valuable data or account. Is it a good idea? No! Never entertain yourself with such reluctance. While using local free wi-fi signals you are also giving that “unknown” public source a passage to your computer data. According to the ideal WordPress maintenance services, try to use only private wi-fi or own data balance to avoid unnecessary risk of welcoming hackers.
13. Don’t Hack the Core
Never touch the WordPress core files. Touch the core files and the disaster will be triggered. Same disaster story goes for the WordPress themes and plugins. Stay away from the core files of your WordPress database, theme, and plugins as it can convert your WordPress site into a mess.
However, you may need to default functions in that case you can do the following steps without the core files.
- Modify the core default functions with a plugin
- Use a child theme to customize or modify plugin functions and theme appearances
You may use functions.php to make changes to the theme.
14. Ensure Proper File Permissions
Your WordPress files and folders should be built with proper permission if your server is configured and running smoothly. According to the general rule. The permission level is 644 for the files and 775 for folders. However, it is complicated and different configurations could be done. As you can see, there are some difficulties to determine file permissions. Therefore, we strongly advise the users to contact the WordPress maintenance services providers. You may also need help from your hosting provider.
15. Disable Error Display
While you are working on behind the website, it is absolutely ok to display an error message on the front-end of the site. But, when the site is online (active), it is unwise to display error information. It is really a bad idea as doing so you are about to reveal sensitive information about the PHP setup, server configuration, and other sensitive data. Broadcasting such significant data could make vulnerable your website towards the website hackers.
Therefore, after completion of website development find few minutes to disable error display on the website. You can easily fix WordPress errors by opening wp-config.php. First, open the wp-config.php and then paste the following.
If you find another similar line that consists “true” value, change value as “false” and you are all set.
You may require in-depth PHP knowledge to generate and disable the error message on the website. Therefore, if you feel uncomfortable, ask help from the professional website developers or WordPress maintenance services providers.
16. Keep Spammers at Bay
Spam comments are the most irritating thing you will confront while running blogs on your website. Although spam comments do not hurt the website security directly, the load of spam comments is unbearable. Besides, spam comments mostly consist of spam website URLs, which are not linked to the blog/content topic. Hence, having lots of spam comments can hurt your SEO strategy and the reputation of your site to Google leading to decrease of your position in Google SERP. You can use different plugins to prevent the spammers to post comments in your website. You can also use WordPress’ built-in spam-control features. Eliminating spam comments is really helpful to improve site’s ranking, reputation, security, and value.
17. Run a Clean Machine
Are you using a personal laptop or a rented computer from the local cafeteria? The security of your local machine does matter when it comes to the security measures of your WordPress site. Most of the tricks we have discussed here involved modifications of files, codes, and passwords. But here we will discuss the security importance of the local machine to secure WordPress site.
According to WordPress Codex:
No amount of security in WordPress or on your web server will make the slightest difference if there is a keylogger on your computer.
It is hard to go through all of the steps that could be taken to secure local devices or machine from viruses, spyware, and malware in this short article. But, you can surely find lots of information online.
However, all of us have some basic idea of keeping the computer safe from malware. The best thing is to learn more about the topic. You can also discuss this topic with the WordPress service providers and learn how you can work on the machine security. Here are some basic tips that you can follow anytime:
- Always use a secure router while connecting to the Web
- Always update the software and use only current version to minimize cyber threats
- Try to use a reliable and trusted firewall
- Do not click pirated warez or shady sites
- Do not allow any third party and untrusted devices or networks in your machine
Of course, this is a very short list and need to be more cautious to secure your personal computer (or any other working environment). So, take expert’s suggestions and have a good research to tighten the security of your work setup.
18. Monitoring and Logging
When you are concerned about the security issues investigation and troubleshooting errors, logging and monitoring could be your best friend. Most of the servers take a note every time a login attempt take place. Therefore, the error logs consist valuable information about login request, login error takes place, IP address, date/time, requested URL and much more. Examining the error logs may be confusing and overwhelming for you at the beginning. However, when you start understanding the structure of your log files, you will be able to resolve most of the issues. If you are not sure how to take care of the files then contact ideal WordPress maintenance services for guidance.
So far we have discussed the security tricks that could be followed by anyone with or without basic coding knowledge. Now, it’s time to discuss the matter in more details and take a further step towards the critical discussion.
Security techniques that you are selecting and changing your site accordingly require consideration of “return on investment.” For example, you can protect /wp-admin/ directory using .htaccess. It sounds a good investment as it offers some extra security. However, the use of plugins may cause other issues that you want to avoid desperately. Some plugins and themes are so trouble making that using them for security purpose just aren’t worth it.
Therefore, we should select methods that simply don’t add potential risks while providing security values. So, we mostly advise methods that are easy to implement, there is no additional risk and not overly invasive.
Let’s check the following security techniques that can offer additional security layers for your WordPress security without potential risks.
19. Authentication Keys
Authentication Keys can add an extra layer of security to your WordPress if you can use it wisely. First, open the wp-config.php file and find the section called “Authentication Unique Keys and Salts.” In the Authentication, section add random and ultra-strong security keys. Addition of such strong security keys is highly recommended by the WordPress Security services providers.
Addition of the random and strong keys will strengthen the security walls around your WordPress site. The best part is, you can add, delete or change these security keys anytime without harming the existing cookies and database.
The worst thing that could happen during this process is that the logged in user may be asked to log in again. Surely, it’s not a big deal.
If you are confused and unable to select random and strong keys, try the official page: https://api.wordpress.org/secret-key/1.1/salt/. Copy and paste the generated random keys into the configuration file. Upload the server and you are done!
20. Disable Directory Views
Directory views help you to see directory files while no index files are available in the directory. While files are not available in the directory you can view a sort of generic list. Sometimes it looks like useful (while sending videos and photos), but in general, it should be disabled for the security purpose.
By default, WordPress consists blank index.php files in different directories. Many themes and plugins have the same as well. So, disabling directory views is some really good deed. However, many themes and plugins don’t consist any index file. It may lead to the expose of files and make them vulnerable.
If you want complete security for your WordPress site, you will be asked to disable Directory Views by the WordPress maintenance services providers. If, you want to disable Directory Views manually, include the following code to the site’s .htacess file:
You may find detail information about the customization and disable of directory views available in Perishable Press.
21. Change the Default Database Prefix
While installing WordPress, as per default protocol the database tables are set up with the default prefix wp_. This value is embedded in the wp-config.php file. However, you can customize this file easily before the installation of WordPress. If you want, you can also change it after WordPress installation, but in that case, you will feel difficulty. If you already have a WordPress website with default database prefix, you may need to consult with the WordPress developers or WordPress maintenance services providers to change default database prefix.
When you change the database prefix to anything from default one, you create an extra security layer against the SQL related attacks. These types of attacks directly target database by default prefix “wp_”. So, whenever you change the default prefix, it fails to locate their target and automatically eliminated from the threat list. For example, you can eliminate 99.9% threats of attacking database by adding an extra underscore, “wp__”…as simple as that.
In future, before installing a WordPress site, open wp-config.php. Here, you can locate the variable $table_prefix. After that, change the prefix to something different and random like _wp_ or sitename_wp_ or anything but wp_.
22. Protect the Login Page
Brute-force login attack is probably the most common yet devastating security threat experienced by the WordPress website users. By default, WordPress login page enables the users to enter credentials and make a login attempt as many times as they need. Countless failure in login attempt doesn’t matter for WordPress login page as you always have another chance or as many as you need. This openness is good when a legit user is making false login attempt in certain circumstances. Unfortunately, this facility is exploited by the WordPress hackers.
If you have an ultra-strong password (as discussed before), then maybe you are protected from the brute-force login attack. However, most of the WordPress users may not have such strong password. Whatever it is, if you are not 100% satisfied with the current password protection, you should check the followings:
- Try a plugin for the login page
- Introduce HTTP authentication
- Use two-factor authentication
- Whitelist IP address
Create a whitelist for the login IP addresses, which means that the IP addresses enlisted in the whitelist will only be allowed to make login attempt. Login attempt from the other IP address other than enlisted in the whitelist will be counted as unauthorized. To create such system, add the following code to your root .htaccess file:
Deny from all
Allow from 1**.***.**9
Now, copy paste your desired IP address in “Allow From”. Repeat “Allow From” line in the code to add multiple IP addresses.
23. Protect wp-config.php
wp-config.php is one of the most sensitive files found in WordPress installation. This is because the wp-config.php file contains database connection credentials. If, the attackers get their hand on this file can actually destroy the entire site. In a properly configured WordPress database, the wp-config.php is inaccessible to any third party access.
However, if it still doesn’t feel secure, add the following snippet to your .htaccess file.
Deny from all
It will surely add an extra layer of protection. But, here is another one:
Deny from all
Paste either of these snippets and you will certainly feel safer than the other WordPress users. If you feel uncomfortable while accessing the .htaccess file, seek help from the WordPress maintenance services providers.
24. Disable File Editing
By default WordPress allows the admins to edit themes and plugins whenever they access the WP Admin Area. It is not a direct threat to the security, but what if a security breach took place and the hacker is controlling the admin panel?
It is always a good idea to disable the power of admin to edit all files from the admin area. How? Add the following line to website’s wp-config.php file:
While adding this code to a wp-config.php file, you are automatically restraining the power of admin (any user) from editing edit_files, edit_plugins and edit_themes. For more suggestion don’t forget to consult with the WordPress support providers.
25. Add a Strong Firewall
Probably the last thing that you can do is adding a firewall plugin to your website. Here are the best WordPress Firewall plugins you can add to your website and enhance security:
- Sucuri ($199.99/years): This is probably the best security providers for the WordPress websites. Sucuri prevents brute-force attacks, malware and offers DNS level firewall along with blacklist removal services. You can either take their services directly or sign up for any WordPress maintenance services providers for a cheaper price ($19/month) who have tied up with Sucuri.
- Cloudflare ($200/month): Cloudflare is mostly popular for their free CDN services. They offer both free and pro plans. For WAF you have to buy their pro plan. Like Sucuri, it also offers DNS level firewall.
- All In One WP Security & Firewall (Free): This easy to use plugin can add extra firewall and security to your website. It checks vulnerabilities and protects WordPress websites from potential threats. This plugin offers complete user accounts security, user login security, database security, user registration security, .htaccess and php files, file system security and blacklist functionality.
- ShieldSecurity (Free): This new security has a Pro version, which is launched in 2017. This free plugin could be the best option for you to mitigate potential threats. The super admin security protection and brute-force login protection are the best things offered by this plugin for free.
WordPress security is probably the most important thing when you are operating your business through a WordPress website. In this blog, we have discussed 20+ steps to keep WordPress site more secure. An extra layer of security is always useful, but we found most of the security breaching is caused by the lack of knowledge of the WordPress user. No extra layer security could help you if you don’t have the basic knowledge to keep the WordPress site secure. Hope, the techniques we have discussed here will help the users become more cautious and knowledgeable.
We have tried our best to discuss everything in detail. However, if you still have questions, just let us know and we will answer our best.
- WP Codex: Hardening WordPress
- Why You Need To Stop Using FTP
- WP Codex: File Permissions
- WP Codex: Brute Force Attacks