Table of contents
The most popular content management system, WordPress, has 64 % of the CMS market share which is more than all other systems such as Drupal, Joomla, etc, combined. Over 75,000,000 websites use WordPress or we can say that almost 40.3% of the internet is powered by them. Known for their unparalleled impact on web standards, usability, and the internet at large, WordPress have spread like wildfire and are still growing. However, widespread reach and growth have also made WordPress sites susceptible to vulnerabilities. Statistics reveal that WordPress accounted for 90 percent of all hacked CMS sites in 2018! This article talks about how as a WordPress user, you could secure your site against hacking attempts.
Before we get into tips for securing our WordPress site, let’s have a look at statistics that reveal the weak spots which hackers targeted.
Our technical experts recommend some of the best practices that are proven to secure a site from the above-mentioned threats.
Presence of a virus and malware scanner on your computer that scans frequently must be a non-negotiable. Install a reliable firewall- possibly that one that was delivered with your OS.
All the tables in the WordPress database of a standard installation, start with the prefix naming convention wp_. This vulnerability can be fixed by changing it into something arbitrary such as 8uh7dsgakm_.
While choosing plugins and themes, go for the ones that have a high rating and appear reliable. Also watch out for when they were updated last. If there’s no update since long, chances are that it’s more vulnerable due to unpatched security loopholes.
.htaccess is an important server configuration that holds the code which enables using pretty permalinks in WordPress. It can also set redirects and increase WordPress security.
For increasing security, you first need to access the file, which is located on your server’s root directory and hidden by default. Therefore, in order to edit it, make sure to set your FTP client to display hidden files (Go to Server > Select Force showing hidden files in FileZilla). After that, take the following measures.
Use the code below to prevent access to critical files like wp-config.php, php.ini, error logs and .htaccess itself.
Keep WordPress versions and plugins up to date. Updated versions of WordPress don’t just bring new features but they also fix security holes identified in earlier versions.
A very common way to protect your WordPress account is using safe and strong login information instead of default username. Make your password as strong as possible.
If someone tries to log into your site with wrong credentials, WordPress will alert them whether the problem is with the username or password. This gives away half of the information, making it easier to hack into an account.
Two-factor authentication serves an extra step for people to log into your site. An example can be the need to enter a validation code delivered to the mobile phone. Though it might add to efforts, it helps to block automatic attacks.
Another way to keep the WordPress login page safe is to hide it. You usually reach the login page via yourdomain.com/wp-admin or yourdomain.com/wp-login.php. Move it to a different URL address instead of wp-admin.
This acronym is the name of a feature that allows connecting to WordPress remotely. For example, blogging clients use it and it’s also used for trackbacks and pingbacks. Unfortunately, it’s also sometimes the target of hackers, which is why you should protect it with a plugin Disable XML-RPC Pingback.
Automatic updates should be enabled to keep the site up to date.
WordPress security keys(SALTs), encrypt information stored in browser cookies. This way, they protect passwords and other sensitive information. These keys are phrases that are used to randomize this information and stored inside wp-config.php
WordPress contains an internal editor for theme and plugin files that allows you to make changes to your site. Even though it can be useful in some situations, it also comes with a risk. The reason is that if somebody gains access to your site’s back end, they can use the editor to take out your website without even accessing your server.
When plugins or themes cause any error on your site, WordPress displays a message on your front end. This message may contain the path to the file that is causing the problem. Hackers can use this information to better understand the layout of your server and attack your site.
By making changes in .htaccess you can restrict access to your WordPress login page to limited IP addresses. This way, only you can access it.
A similar technique is available to block IP addresses that try to break into your website. If you notice such incidents (from your server logs, for example), you can lock them out of your site by configuring the .htaccess file.
The following file permissions should be paid attention to in the WordPress site
If you are concerned about securing your website against hackers, the tips mentioned in this article are a step in the right direction. Apart from following important security measures mentioned above, to best protect yourself from attacks, it is also very important to keep your website up-to-date and to keep abreast of the latest WordPress related vulnerabilities.
Tags: cyber security