As explained elsewhere, a CMS is a type of software that runs on a web server and is accessed through a web browser that are used to create and manage digital content. Among them WordPress is the top rated and widely used CMS.So let’s get started on how to secure a wordpress site in 12 different ways.

We all know that majority of websites run on WordPress.

Website security breaches not only steal data from your server and mess with your website or its layout, but they can also use your server as an email relay for sending spam. There are certain other common ways to abuse compromised machines, which include using your servers to mine for Bitcoins or even hits by ransomware. A hacked WordPress site can cause serious damage to your data, revenue and business. Hacker’s main intention is to steal user data, passwords, install malicious softwares, and can even distribute malware to your existing users.

WordPress security is a great aspect for every WordPress website owner. Don’t be too late to do anything about security. In this article we are discussing few simple tricks that can help you secure your WordPress website from malware and hacks.

1. Keep WordPress Up to date

Every good software provides support from its developers and gets updated regularly. Mainly these minute updates are meant to fix bugs and sometimes they may have vital security patches along with that. Hackers could find backdoors to your website with the outdated, vulnerable WordPress application, themes and plugins.

To prevent this from happening we need to update the WordPress application to the latest stable version. Upgrading WordPress to a stable version will be crucial for the security and stability of your WordPress website. WordPress also comes with a lot of plugins and themes that you can install on your website. These plugins and themes are updated and are managed by third-party developers with regular updates as well. Always make sure that your WordPress, plugins, and theme are up to date. Whenever you login to the WP dashboard and see “Update available” banner, click on it and update your WordPress and plugins. You can also use plugins which automatically updates the outdated versions and also provides you email notification about the outdated software. If you are worried about any new changes please make a backup before updating/installing it.

2. Adjust WordPress Database Table Prefix

While you install WordPress, it is very important to change the table prefixes which will be wp_ by default. Most of the hackers use automated tools that can work out your database structure. Changing the prefix to some other value becomes more difficult to run SQL injection queries. Thus this will be a smart move to keep hackers away from your WordPress sites.

Before you install WordPress, while configuring the wp-config.php configuration file navigate to the wp-config.php file and scroll down until you find the section

/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each a unique
* prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';

Add a string to the existing prefix i.e. ‘wp_’, and you are done. For instance, you could go with something like ‘wp_sysally’ so the whole line of code looks like:

$table_prefix = 'wp_sysally_';

Please make sure that you’re only allowed to use letters, numbers, and underscores because you are changing a database table’s name.

Once your changes are made save the wp-config.php file and continue installing WordPress to your website.

3.Change the WordPress Login URL

By default, all the WordPress sites uses the same URL structure for this page. If your WordPress domain name is www.sysally.com, for example, you can log in by visiting www.sysallytestblog.com/wp-login.php or www.sysallytestblog.com/wp-admin.

Any hacker can easily get started with brute force attack knowing that the WordPress admin URL is default. We can easily reduce the risk of getting hacked by changing that URL so that hackers won’t be able to guess it.

Additionally, there is another benefit in changing your login URL because it can reduce a lot of resource-wasting bot traffic to your website.

There are various plugins available for doing this, among them WPS Hide Login is one of the simplest and most common plugin for doing that.

4. Always Use Strong Passwords for Users

The most commonly used WordPress hacking attempts are stolen passwords. Always make sure that use use stronger passwords (Alphanumeric) that are unique for your website. Use strong passwords for WordPress admin area, FTP accounts, databases and email addresses.

Beginners don’t like using strong passwords. They often use small passwords which are very easy to remember, but you are inviting a threat by doing this. The advantage of using a password manager is you don’t need to remember passwords.

Instead of saving in browser, try to remember and use your passwords and also change them regularly to secure your WordPress website. Using long passphrases is a very good idea to keep hackers a little bit away. It is nearly impossible for hackers to predict such long passphrases than a group of random numbers and letters.
If you manage a large team then make sure that you understand user roles and capabilities before you add new users to your WordPress site.

5. Change the default username

It is easier to remember if you keep your WordPress site’s username as the default “admin”, but by doing so, you are setting yourself up for a serious security breach.

Many hackers will use “admin” as a login because attackers hope that site owners won’t change it for any reason. If you change your username to something else, that will protect your website immensely. It will be a good decision if you make this critical change by creating a new user via Users > New User, and then give your new login administrator rights. Afterwards, login with your new administrator account and delete the old default “admin” account.

6. Use email address instead of Username

By default we use username to login to WordPress admin panel. Instead of using a username we can also use email address. I guess not many people are aware of this secure approach. As we discussed earlier in the above session, all are aware of the fact that the default username is “admin”. Hackers often try these type of default usernames for eg : admin,wp_user,user1,user2 and so on. These usernames are easy to predict, while email IDs are unique and they may not be able to guess what your email id is. Also, we can use a unique email address for installing WordPress user account with a valid identifier for logging in. There are also security plugins which allow users to use their email addresses for login with WordPress.

7. Secure wp-config.php

Using a .htaccess file we can restrict wp-config.php. This is the file which holds a critical set of data regarding your database, username, and password.

To deny access to this wp-config.php file, you should add the below code at the top of your .htaccess file:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

8. Delete unwanted Plugins

Delete all plugins that you are no longer using on your wordpress installation. If you are occasionally using any plugins make sure that it is properly updated because even a minor update is very important.

Never deactivate an unused plugin, instead delete it completely.

9. Turn off file editing on WordPress

You can disable file editing by adding a single line text to your wp-config.php file.

define('DISALLOW_FILE_EDIT', true);

Make sure that you have made a copy of wp-config.php before editing the original one.By adding this line of code on wp-config.php, you can prevent hackers from making changes to your site via the editor in WordPress.

10. Hide WordPress version number

In the WordPress admin dashboard select updates and at the right bottom we can see the current version of WordPress.This can cause serious issues, because some versions of WordPress are vulnerable to malicious attacks.There maybe backdoors for certain WordPress versions and hackers can easily crack into it. To remove this version number from displaying on the page, we can edit functions.php file by adding the following code.

add_filter( 'the_generator', '__return_null' );

Make sure that you have made a copy of functions.php before editing the original one.

11. Use Plugins and Themes from Trusted Source

Always use Plugins and themes from trusted developers or reputed sources.

To auto-update WordPress Plugins add the following code in wp-config.php file:

add_filter( 'auto_update_plugin', '__return_true' );

To auto-update WordPress Themes add the following code in wp-config.php file:

add_filter( 'auto_update_theme', '__return_true' );

12.Schedule Backup of Your Site

One of the most important thing is to keep regular backups of your WordPress site. In case of an exigency a backup of WordPress data can play a major role in restoring your website. Starting again from scratch is a kind of losing all the current progress.

UpdraftPlus is a very widely used plugin to schedule backups of files and databases to your Dropbox, Google drive or Amazon S3.s

So a wordpress website should be the easy to maintain eyes and nose of your business if its been properly taken care of, the real challenge being handling the security aspects.

The proactive measures you take to tighten your website’s security at the right time, will protect your website well in the future. By setting up the above-mentioned security measures and regular backups, you can reduce the chance of hacking to a large extent.

Do you need any expert advice on how to secure a wordpress site in different complex sitaution?

We have an expert team to guide you

Thanks for dropping by. Ready for the next blog?

How To Stop XML-RPC attack on WordPress site

Joseph Antony
Author : Joseph Antony
Written on : 2 Jan, 2019

Who we are ?

Founded in 2010, we are a team of a sysadmins with super awesome server management skills who likes to give super quality support at super affordable price.

Services