Webmasters struggle with security because the popularity of WordPress makes it an attractive target for attackers. Building a complete site that represents an organization professionally takes a great deal of time, effort and money, so a hacked site comes as a bolt from the blue: you can lose the site in a moment, along with vital data, and your reputation suffers with it.
You may have heard of plugins and similar products that offer some protection against attacks. Unfortunately, according to recent observations from several security teams, a plugin on its own is not enough to create a secure environment.
This article focuses on some classic strategies that go a long way toward securing your site's admin area.
Beginners Should Know
This article is not about the commonly cited security measures; there is a separate article on those on this blog. For beginners, however, here is a brief summary.
- Keep WordPress core up to date. When 'Update available' appears on the dashboard, apply it. Take a backup first so that you can restore the site if anything goes wrong during the update.
- Keep your theme and plugins updated as well. Outdated plugins and themes are a very common way into a WordPress site; an unpatched one is an open door to your data.
- Install plugins and themes only from trusted, recognised sources such as the WordPress.org directory or the vendor's own site, and delete any plugin you are not actually using. Be wary of "free" copies of premium themes offered on unofficial download sites: these "nulled" copies are frequently backdoored. Free themes from the official WordPress.org directory are reviewed before listing and are a different matter.
- Never set directories to 777. Use 755 or 750 for directories, as WordPress.org recommends, 644 or 640 for files, and 600 for wp-config.php.
- Use long, unique passwords (a random string from a password manager is best) and enable two-factor authentication; the second factor is what actually defeats password guessing and credential stuffing. Rotating passwords on a schedule matters far less than never reusing them.
- Never use 'admin' or another obvious username for the administrator account: it is the first name every brute-force tool tries. You can rename an existing account with an SQL UPDATE on the wp_users table in phpMyAdmin. Note that this changes user_login only; also change user_nicename and display_name, otherwise the old name still appears in author URLs and bylines.
- A firewall adds another layer. Note that the products usually named here, Comodo, Norton Internet Security and ZoneAlarm Free Firewall, are desktop firewalls: they protect the workstation you administer the site from, not the web server. What the site itself needs is a web application firewall (WAF) in front of WordPress, whether provided by the host, a CDN or a plugin.
- Grant access only to those who absolutely need it, limit it to a few trusted people, and give each of them the minimum role and permissions required for their tasks.
- Schedule backups. Scheduled backups are an essential part of any site's security strategy: they let you restore a known-good version after damage. Automated options include VaultPress, BlogVault, BackupBuddy and WordPress Backup to Dropbox. Store the backups somewhere the web server cannot overwrite, or an attacker who compromises the site can destroy them too.
- Run a security scanner against the site. A scanner checks core files, plugins and themes for malicious or modified code. Options include Sucuri SiteCheck, CodeGuard, Theme Authenticity Checker and AntiVirus.
Now to the main part of the article: ten ways to secure a WordPress site that are usually overlooked. Before modifying functions.php on a live site, make sure you are working in a child theme, so that your changes survive a theme update.
- 1. Reduce Dependency on Plugins
Start with as few plugins as possible when you launch the site, and be scrupulous about every plugin you add afterwards. Fewer plugins mean a faster site and a better user experience, and, more importantly, less third-party code in which a vulnerability can exist. Every plugin runs with the site's full privileges, so each one you remove is one less way in.
- 2. Avoid "Free" Copies of Premium Plugins
Webmasters regularly report that copies of legitimate premium plugins circulating on illegal download sites have been altered to carry malware. If you install such a "free" premium plugin, there is a real chance it contains a backdoor that gives the attacker a direct line into your site's back end.
- 3. Disable the Plugin and Theme Editor
If you do not habitually edit plugin or theme code from the dashboard, disable the built-in editor. Once an attacker obtains an administrator session, that editor is the easiest way to drop PHP into the site. Add the following to wp-config.php:
define( 'DISALLOW_FILE_EDIT', true );
The related constant DISALLOW_FILE_MODS goes further and also blocks plugin and theme installation and all updates, including the automatic ones discussed later, so use it only if you deploy code some other way.
- 4. Turn Off PHP Error Display
Security settings are checked in the back end, but a coding error on the site can itself become a security problem. Displayed error messages contain the server's filesystem paths, and sometimes SQL fragments, and a skilled attacker uses them as reconnaissance while looking for a way into the back end. Disable error display altogether with a few lines in wp-config.php.
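The snippet the paragraph refers to is not reproduced above, so here is an added example (not the article's own code) of the wp-config.php settings that turn off on-screen error output while still recording errors for you. The log path is an assumption; use any directory the web server can write to that is not served over HTTP.

```php
<?php
// Added example for wp-config.php; place it above the "That's all, stop editing!" line.

// Weak: a site left in development mode. Every PHP notice is printed into the
// page, including absolute paths and query fragments.
// define( 'WP_DEBUG', true );
// define( 'WP_DEBUG_DISPLAY', true );

// Hardened, option 1: no debug output at all.
// define( 'WP_DEBUG', false );
// @ini_set( 'display_errors', 0 );

// Hardened, option 2: keep reporting on so problems are recorded, but never in
// the browser. WordPress only honours WP_DEBUG_LOG when WP_DEBUG is true, so
// the pair WP_DEBUG=true / WP_DEBUG_DISPLAY=false is what "log but don't show" means.
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', false );

// Do not use the default log location wp-content/debug.log: it sits under the
// document root and is readable by anyone who guesses the URL. Since WordPress 5.1
// WP_DEBUG_LOG accepts a path. The path below is an assumption.
define( 'WP_DEBUG_LOG', '/var/log/wordpress/debug.log' );

// Belt and braces: covers errors raised before WordPress applies its own settings
// (for example in a drop-in loaded early) and any code that re-enables display.
@ini_set( 'display_errors', 0 );
```

Check php.ini as well: `display_errors = Off` and `log_errors = On` there mean the web server never shows a stack trace even if wp-config.php is misconfigured later.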
- 5. Protect Your Most Important Files Using .htaccess
The .htaccess file sits at the heart of a WordPress install on Apache: it controls permalink rewriting and can enforce access controls. You can add snippets anywhere outside the # BEGIN WordPress and # END WordPress markers (WordPress rewrites whatever is between them). Because the file governs who can reach what, any change to it has a large effect on the site's overall security, so test each addition and keep a copy of the previous version.
Block direct web access to wp-config.php by adding this to the .htaccess in the site root. The deny directive must be wrapped in a <Files> block; a bare deny from all would lock out the whole site:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Restrict the admin area by creating a new .htaccess file in the wp-admin directory with this content:
order deny,allow
allow from 192.168.5.1
deny from all
Replace 192.168.5.1 with your own address (the public address the server sees, if the site is on the internet), and add one more allow from line per additional address. Note that wp-admin/admin-ajax.php is also used by some themes and plugins for anonymous visitors, so add an exception for that file if the front end stops working.
Similarly, restrict wp-login.php with a <Files> block in the root .htaccess:
<Files wp-login.php>
order deny,allow
deny from all
# allow access from my IP address
allow from 192.168.5.1
</Files>
If instead you only want to block specific addresses from wp-admin or wp-login.php, for instance after seeing repeated failed logins from them, use this pattern (203.0.113.5 is a placeholder; substitute the address to block). The order line is required: without it Apache defaults to deny,allow and the allow from all would cancel the deny:
order allow,deny
deny from 203.0.113.5
allow from all
These Order, Allow and Deny directives are the Apache 2.2 syntax. Apache 2.4 honours them only when mod_access_compat is loaded; its native equivalents are Require ip and Require all denied.
To stop Apache listing the contents of directories that have no index file, add:
Options -Indexes
- 6. Keep an Eye on the Dashboard
If several people have access to the site, track their activity, so that when one of them makes a mistake or acts in bad faith you can see what happened and undo it. A record of dashboard activity lets you act against wrongdoing by an administrator, and when a malicious file has been planted the log shows when, and through which account, it appeared.
The web server's access log is written automatically, but it is hard to read and says nothing about what happened inside WordPress; for organised, attributable records you need a plugin. WP Security Audit Log is a good one: it keeps a log of actions in the back end, so you can recognise an attacker's activity by the account and the sequence of actions it performs.
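To show what such monitoring looks like underneath a plugin, here is an added example (not the article's code, and not taken from WP Security Audit Log) for a child theme's functions.php or a small mu-plugin. It writes one structured line to the PHP error log for every failed and successful login, and refuses further attempts from an address after ten failures in fifteen minutes. The wpsec_ function names, the threshold and the window are assumptions.

```php
<?php
// Added example: minimal login auditing and lockout via WordPress hooks.

/**
 * Client address. REMOTE_ADDR is the only value the server itself vouches for;
 * X-Forwarded-For is attacker-controlled unless a trusted proxy sets it, so it
 * is deliberately not consulted here.
 */
function wpsec_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

/** One structured line in the PHP error log (the file php.ini's error_log points at). */
function wpsec_log_event( $event, $username ) {
    error_log( sprintf(
        'wp-auth event=%s user=%s ip=%s ua=%s',
        $event,
        sanitize_user( $username, true ),            // strict mode strips control characters, so a
                                                      // crafted username cannot forge extra log lines
        wpsec_client_ip(),
        isset( $_SERVER['HTTP_USER_AGENT'] ) ? substr( $_SERVER['HTTP_USER_AGENT'], 0, 120 ) : '-'
    ) );
}

/** Transient key for the per-address failure counter (assumed prefix). */
function wpsec_fail_key() {
    return 'wpsec_fail_' . md5( wpsec_client_ip() );
}

// Fires on every failed password check, including attempts made through xmlrpc.php.
add_action( 'wp_login_failed', function ( $username ) {
    wpsec_log_event( 'login_failed', $username );
    // Sliding 15-minute window: each failure extends the expiry.
    $key = wpsec_fail_key();
    set_transient( $key, (int) get_transient( $key ) + 1, 15 * MINUTE_IN_SECONDS );
} );

// Fires after a successful login; a success from an unfamiliar address is worth a look.
add_action( 'wp_login', function ( $user_login, $user ) {
    wpsec_log_event( 'login_ok', $user_login );
    delete_transient( wpsec_fail_key() );
}, 10, 2 );

// Priority 30 runs after WordPress' own username/password check (priority 20),
// so returning a WP_Error here overrides a valid credential while locked out.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( (int) get_transient( wpsec_fail_key() ) >= 10 ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins; try again later.' );
    }
    return $user;
}, 30, 2 );
```

Behind a CDN or reverse proxy REMOTE_ADDR is the proxy's address, so the counter would lock out everyone at once; in that setup do the rate limiting at the proxy instead, or only trust X-Forwarded-For after verifying REMOTE_ADDR is the proxy.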
- 7. Don't Compromise on Hosting
Buy the best hosting you can afford. Cheap hosting often comes with weaker isolation between customers and slower patching, whereas a good provider has a solid defence against attacks; many sites are compromised simply because they sit on a vulnerable host. A managed WordPress host typically includes a WordPress-aware firewall, current PHP and MySQL versions and regular malware scanning.
- 8. Hide the Login Page
Obscuring parts of the site is one component of overall security, and on its own it is not enough; hiding some elements does, however, make the site a less attractive target. To make the login page harder to find, relocate or rename it. A login URL other than www.websitename.com/wp-admin or www.websitename.com/wp-login.php stops the automated brute-force tools that hammer the default paths, but not a determined attacker, and it does nothing about login attempts made through xmlrpc.php, so keep rate limiting and two-factor authentication in place as well. The Lockdown WP Admin plugin can change the login URL.
- 9. Update WordPress Core Automatically
I mentioned earlier how important it is to keep WordPress, plugins and themes updated. Many beginners nonetheless fall behind without noticing, and for them automatic updates are a great option.
By default WordPress installs only minor (security and maintenance) releases automatically. One line in wp-config.php extends this to major core releases, which then install in the background without waiting for your approval:
# Enable all core updates, including minor and major:
define( 'WP_AUTO_UPDATE_CORE', true );
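The constant above covers core only. As an added example (not the article's code), the following goes in a child theme's functions.php or an mu-plugin and uses the auto_update_plugin and auto_update_theme filters WordPress provides to opt plugins and themes in as well, except for a short list of plugins whose updates you want to test by hand first. The WPSEC_MANUAL_PLUGINS name and the plugin path in it are assumptions.

```php
<?php
// Added example: background updates for plugins, themes and translations,
// with a manual-review list.

// Plugins whose updates should be reviewed on a staging copy before production.
// Entries are the plugin's path relative to wp-content/plugins, as WordPress reports it.
const WPSEC_MANUAL_PLUGINS = array(
    'woocommerce/woocommerce.php',   // assumption: a plugin with frequent schema changes
);

// $item is the update offer; for plugins it carries the plugin path in $item->plugin.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, WPSEC_MANUAL_PLUGINS, true ) ) {
        return false;   // leave this one for a human
    }
    return true;        // everything else updates as soon as a release is available
}, 10, 2 );

// Themes: the same filter shape; here we simply opt all of them in.
add_filter( 'auto_update_theme', '__return_true' );

// Translation files carry no code, so there is no reason to hold them back.
add_filter( 'auto_update_translation', '__return_true' );
```

Two caveats: DISALLOW_FILE_MODS switches all of this off, and automatic updates only run when WP-Cron fires, so a site with almost no visitors should trigger wp-cron.php from the system cron to get updates promptly.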
- 10. Hide Author Usernames
Several security experts advise hiding author usernames to make an attacker's job harder: the username is half of a credential, and WordPress gives it away through author archives, since a request for www.websitename.com/?author=1 redirects to /author/<username>/. The fix is a short redirect placed on the template_redirect hook. Paste the following into your child theme's functions.php (priority 1 makes it run before WordPress' own canonical redirect, which would otherwise leak the name in the Location header):
add_action( 'template_redirect', function () { if ( is_author() ) { wp_redirect( home_url() ); exit; } }, 1 );
It should be clear from the discussion above that security does not end with installing a security plugin. Maintaining a secure site involves many other things, and WordPress security is best understood as a set of practices that must be followed consistently.
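Author archives are not the only place a login name leaks. As an added example that goes beyond the redirect above (not the article's code), the following functions.php snippet also closes the two other common sources: the REST API's users endpoint, which lists every user who has published a post, and the login form's error messages, which differ depending on whether the username exists. The error text is an assumption.

```php
<?php
// Added example: close the three usual username leaks in WordPress.

// 1. Author archives: send ?author=N and /author/<name>/ requests to the home page.
//    Priority 1 runs before redirect_canonical (priority 10), which would otherwise
//    answer ?author=1 with a 301 to /author/<nicename>/ and leak the name anyway.
add_action( 'template_redirect', function () {
    if ( is_author() ) {
        wp_safe_redirect( home_url(), 301 );
        exit;
    }
}, 1 );

// 2. REST API: /wp-json/wp/v2/users (and ?rest_route=/wp/v2/users) is public by
//    default. Refuse it to anyone who could not list users in the dashboard, while
//    leaving every other endpoint alone for themes and the block editor.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( current_user_can( 'list_users' ) ) {
        return $response;
    }
    // Matches /wp/v2/users and /wp/v2/users/<id>.
    if ( 0 === strpos( $request->get_route(), '/wp/v2/users' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Authentication required.',
            array( 'status' => 401 )
        );
    }
    return $response;
}, 10, 3 );

// 3. Login form: the stock messages say "Unknown username" for a bad name but
//    "The password you entered for the username X is incorrect" for a good one,
//    which is a username oracle. Replace both with one neutral message (assumed text).
add_filter( 'login_errors', function () {
    return 'Invalid username or password.';
} );
```

Two things remain outside code: set each account's display name to something other than the login (bylines and comments show display_name), and remember that the REST slug and the author URL both come from user_nicename, which defaults to the login, so renaming an account means changing that field too.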