There has been a lot of news lately about WordPress websites being hacked, and many people have started to question the safety of WordPress and of the websites that run on it.
Therefore, if you own a WordPress website, you should know the 16 WordPress security techniques covered in this guide.
Before we start, let me warn you.
While you are busy reading this article, some script kiddie might be trying to get into your website (WordPress or not).
“Why would some script kiddie waste their time on me? I am not a big business or a public figure.”
Well, I don’t want to add to your worries, but attackers like small websites a lot, precisely because they are easy targets.
Why Is WordPress Website Security Such a Big Fuss?
Okay, so someone is trying to break into my WordPress website, but why should I care? Especially since I have a backup of everything. I could just delete WordPress and reinstall it.
Your question is valid. But what if the attacker has also gained access to your backups and your web host account?
There are also other risks if an attacker gains control of your WordPress website. Some of them are:
- Attackers might steal your information and your visitors’ information and use it for illegal purposes.
- If you are just starting to get visitors, downtime will hurt you in the long run.
- People will start to question the trustworthiness of your website.
- Attackers might post something offensive or illegal on your website, for which you might have to face consequences (legal or otherwise).
But why would anyone put in the effort just to trouble a small website like mine?
- A small website is easy to hack.
- Attackers test their tools on small websites before a bigger project.
- They can use your web host to send spam email.
- Intruders use the resources of small websites to attack the “big guys”. Your web server can become part of a botnet used for DDoS attacks.
- Attackers can use your website to spread malware. Thousands of small websites are a good way to spread malware, because small website owners cannot afford security experts to check their sites.
- Attackers may use your website to boost the traffic and search ranking of their own sites by injecting backlinks (SEO spam).
Therefore, even if you are just starting to set up a WordPress website, you must be careful about security. It isn’t just about you. Your carelessness might affect others too (for example, if your server is used in a DDoS attack).
WordPress Was Hacked. Should You Seek Other Platforms?
First of all, no system (website or computer) is perfectly secure. People have even found ways to attack air-gapped systems (isolated computers).
Whichever platform you pick, attackers will look for a way into it.
The reason so many WordPress sites get hacked is that WordPress is extremely popular. About 27% of websites use WordPress, and that share is growing. This has turned WordPress into a goldmine for hackers and spammers.
Attackers target WordPress relentlessly because a single vulnerability in it would give them a shot at 27% of the web.
Another reason WordPress sites get hacked is that it is an open environment. Users can write code and modify their sites themselves, and they can install third-party plugins and themes.
So, should you find another CMS for your website?
The problem is usually not the core code of WordPress; it is the plugins and themes you install. Then again, as I said earlier, no system is completely secure.
If WordPress itself were not safe, why would 27% of the web use it?
Many volunteers take great care to maintain the core system and the WordPress repository. Themes and plugins listed in the WordPress repository go through a review for security and reliability before they are published.
Also, the WordPress team handles security issues competently and regularly releases updates with security fixes. So you can trust WordPress for your site.
However, as a site owner, you should also be extra vigilant and monitor your site regularly.
Here are 16 WordPress security tricks that you should follow to minimize the risk of your WordPress website getting hacked!
Pro Tip: Always back up your WordPress files, including the database, before making changes to your files or installing security plugins.
1. Use a Unique Username and Password
Older versions of WordPress automatically created a user called “admin”, and many installers (and many people) still use that name. I think it is a great feature because it saves me the tedious task of entering my own username. I can focus on other, really important stuff. Thanks, WordPress!
I know, I know. That’s a stupid excuse. But did you change the default “admin” username while installing WordPress? Welcome to the club!
When attackers try to log in to your admin panel, the first username they try is “admin”.
What’s the big deal about the username when you have a strong password?
Well, a strong password is a good thing. But if you still use “admin” as your username, you have handed the attacker half of the credentials: there is nothing left to guess but the password.
Attackers can just try different passwords, since they already know your username.
But the bummer is, you can’t change usernames in WordPress!
Although you can install a plugin to change the username, I don’t recommend using plugins for simple tasks.
Instead, simply create a new user with administrator privileges, and then delete the old admin user. Don’t worry, WordPress will ask you what to do with the posts that the old user created (attribute them to the new account).
While creating the new user, pick a username that isn’t obvious, such as “myname” or “mysitename”. Keep in mind that WordPress does not treat usernames as secrets: author archive URLs and the REST API can reveal them, so an unusual username is a speed bump, not a secret. The password is what has to hold.
As for the password, the simple rule is that your password should be complex, long, and unique.
Complex: Your password should contain at least 1 number, 1 capital letter, and 1 special character.
Long: Your password should be at least 10 characters long; longer is better, and length does more for you than symbols do.
Unique: Your password should not contain common words or phrases. And you should use a different password for every WordPress website (and every other account).
After you apply the above rules, your password will look like random gibberish rather than anything you would find in a dictionary.
That’s a strong password. But the problem is, we are human beings, and that’s hard to remember.
Therefore, use a password manager such as LastPass or KeePass. They are free, and you can use them on multiple devices.
If you still think that you can get away with simple passwords because you are creative, I hope this changes your mind.
2. Use Two-Factor Authentication
You now have a unique username and a strong password for your WordPress admin panel.
That is a step towards better WordPress security.
However, no matter how strong, passwords can be compromised. Attackers use brute-force attacks (we will discuss them later) to guess weak passwords, and even a strong password can leak through phishing or a breach on another site where it was reused.
That is why you should start using two-factor authentication (2FA) on your site. It adds a second lock that a stolen password alone cannot open.
Two-factor authentication requires you to enter a security code in addition to your username and password when logging in. When you enable it, you get a one-time code on your phone (typically from an authenticator app, which computes the code from a shared secret and the current time), and you can only log in after entering that code.
I know this is a hassle, but remember, better safe than sorry. Until security experts come up with DNA logins, two factors is the best login protection out there.
Unfortunately, WordPress has no built-in two-factor setting. You need a plugin; the Google Authenticator plugin from the WordPress repository is one option.
If you are not comfortable with Google’s 2-step verification, Envato Tuts+ has excellent tutorials about using Google Authenticator with WordPress.
3. Verify the User As a Human
Attackers use botnets to hammer login forms with brute-force attempts. One way of really making life hard for them is a reCAPTCHA challenge on the form.
Generally, bots cannot solve the reCAPTCHA, so the attacker has to try usernames and passwords by hand (or pay a CAPTCHA-solving service, which at least makes every attempt cost money). That, my friend, is a pain in the… you know where.
But the old reCAPTCHA, the one with distorted text, is not efficient. We have all been there, making a wild guess about some letters.
To make the reCAPTCHA experience more human-friendly and more bot-repellent, Google introduced “No CAPTCHA reCAPTCHA” (the “I’m not a robot” checkbox) and later Invisible reCAPTCHA, which can often recognize a human automatically.
You can add reCAPTCHA to your WordPress login, comment and/or registration form manually or by using a No CAPTCHA reCAPTCHA plugin.
First, however, you need to register your site with Google to get a site key and a secret key. Enter them in your code if you are doing it manually, or in the plugin settings if you use a plugin. Keep the secret key on the server only; it is what your site uses to verify the visitor’s response with Google.
4. Update WordPress
You should always keep WordPress updated. WordPress updates are not only about new features. Above all, updates are released to fix bugs and close security holes.
But what if I run into compatibility issues with my themes and plugins after updating WordPress? Well, normally, good themes and plugins release their own updates when WordPress core is updated.
If the plugins or themes you use have not been updated in a long time, it is time to find alternatives.
The majority of sites that get hacked run outdated WordPress, plugins or themes. Outdated versions of plugins may put your site at risk.
So update your themes and plugins as soon as possible! If no updates are available, replace them. You can find plenty of up-to-date themes and plugins in the WordPress repository.
You can also try our WordPress themes. We update them regularly so that you don’t have to worry about security issues coming from the theme.
How to Update WordPress
Updating WordPress is simple. WordPress shows notifications on the Dashboard whenever updates are available for core, themes or plugins.
Go to Dashboard > Updates and click the update buttons.
You can also enable auto-updates so that core, plugins and themes update themselves (WordPress applies minor core releases automatically by default). You will get an email notification when your site is updated automatically.
5. Disable File Editing
You can easily customize your site with the built-in code editor in WordPress (Appearance > Theme Editor and Plugins > Plugin Editor).
Now imagine that an attacker somehow manages to log in to your site. They can then easily modify your site’s PHP files through that editor and plant a backdoor. So it is safer to disable editing WordPress files via the dashboard.
To disable the editor, back up your WordPress first. Then locate the wp-config.php file in the back end of your site. You can find wp-config.php in the root folder of your site, alongside folders like wp-admin and wp-content.
You can use an FTP client to connect to the back end of the site. Or, if you have cPanel access, you can use the File Manager available in cPanel.
Now add the following lines to the wp-config.php file, above the line that says “That’s all, stop editing!”, and save the file:
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
After the file is updated, you will no longer be able to edit theme and plugin files from the WordPress dashboard. You can still edit them over FTP or with cPanel’s File Manager. (If you also want to block installing and updating plugins and themes from the dashboard, the related constant DISALLOW_FILE_MODS does that, but it also switches off automatic updates, so you must then apply every update yourself.)
6. Limit Login Attempts
Some hosting installers ask during WordPress setup whether to install a login-limiting plugin.
Limiting login attempts is a great way of protecting your WordPress website from brute-force attacks.
Attackers will try to log into your WordPress website with many different username and password combinations. If you limit login attempts, each client gets only a certain number of tries, after which it is locked out for a while.
If you did not get (or skipped) this option during installation, don’t worry. You can find such a plugin in the WordPress repository.
Go to Plugins > Add New from your WordPress dashboard menu. Search for “Loginizer”, then install and activate the plugin.
After activating the plugin, go to Loginizer Security > Brute Force from the WordPress admin menu to set up login protection. Note that a lockout is applied per IP address, so a botnet spreading its attempts across many addresses will slip under a per-IP limit; that is why the measures below still matter.
7. Brute Force Attack Protection
Attackers use brute-force attacks to get access to your admin panel or to your site’s FTP account. Basically, a brute-force attack is trial and error: it is like trying different key combinations to open a lock. Intruders use botnets to automate the attacks, and they often aim at /xmlrpc.php as well as /wp-login.php, because XML-RPC accepts credentials too and lets many guesses be bundled into a single request.
To stop your site from becoming an easy brute-force target, follow rules 1, 2, 3 and 6.
You can also change the default login URL (www.mywebsite.com/wp-admin/ and /wp-login.php) so that attackers have a harder time finding the login form in the first place. This is obscurity, not real protection, so treat it as a bonus on top of the other rules.
You can create a custom login URL using a plugin called All In One WP Security & Firewall. After you install the plugin, go to the Brute Force section to enable the custom login URL. This plugin has so many features that you won’t need other WordPress security plugins if you install this one.
8. DDoS Attack Protection
With so many Internet-enabled devices around, the frequency of DDoS attacks has been increasing.
DDoS (distributed denial of service) is a technique for flooding a site or service with fake traffic in order to take it down. Attackers use infected systems (machines running their malware) to perform DDoS attacks. In 2016, attackers took down the DNS provider Dyn, knocking many famous sites such as Twitter, Amazon, Reddit and Netflix offline.
Hence, you should always be prepared to handle DDoS attacks.
The measures mentioned above (1, 2, 3, 4, 6 and 7) protect you against the application-level floods that accompany many attacks, such as login and XML-RPC hammering, but they cannot absorb a large volumetric attack on their own.
For that, I also recommend using cloud services such as Cloudflare or MaxCDN. They sit in front of your server and can absorb and filter the attack traffic before it reaches you.
Caching your site also helps it survive traffic overload, since cached pages are served without running PHP or hitting the database. You can cache your site using plugins like WP Super Cache.
9. Scan for Malware and Remove It
Since you are reading my security tips so attentively (I really hope you are), let me tell you something scarier, in case you are not scared yet!
Attackers are sneaky! They may already have planted malware in your web files.
Therefore, you need to scan your web server for malicious files asap, and remove them.
How to do that?
Install a security plugin. Sucuri Security is a good free plugin for detecting malware on WordPress.
If you prefer not to add plugins, or you want complete server-side scanning and cleanup, subscribe to Sucuri’s paid service.
If you can’t afford Sucuri (I know it is expensive), there is a free way. Since I have been lecturing you with so much geeky stuff, I think you deserve a treat.
Here is how to scan and remove malware from your site for free!
First, download the public_html folder from your server using the FTP client of your choice. Then scan the downloaded folder with antivirus software (Norton, Kaspersky, or something else) on your PC. Make sure the antivirus program is up to date.
After that, replace the old public_html with the cleaned one over FTP. As simple as that!
A caveat: desktop antivirus is weak at spotting PHP backdoors, which are often a single obfuscated line hidden inside an otherwise normal file. A more reliable check is to compare every core file against the official checksums WordPress publishes for your version (WP-CLI does this with wp core verify-checksums), to reinstall core, themes and plugins from fresh copies rather than trusting “cleaned” files, and to change all passwords and secret keys afterwards, because a clean set of files is useless if the attacker still has the credentials they got in with.
10. Choose a Good Web Host
Your web host plays a critical role in your site’s security.
A good web host gives you support and tools to handle DDoS attacks, brute-force attacks and malware. I recommend SiteGround hosting because they treat security as a high priority.
In general, a shared hosting plan is more vulnerable because the server is shared with other websites. If the accounts are not properly isolated from one another, attackers can use another site on the same server to attack yours. This is called cross-site contamination.
Dedicated hosting or VPS hosting is usually considered best, but they are expensive. As a starter, you may not have the budget for them.
Does that mean you are at risk? No. Even shared hosting can be secured.
Good hosting companies like SiteGround install web application firewalls such as ModSecurity even on shared hosting plans. They also limit the number of sites per server, isolate accounts from one another, and scan their servers for malware regularly.
Similarly, if your web host can provide you with Sucuri Security, that’s a plus.
11. Choose Plugins and Theme Wisely
All things considered, choose plugins and themes wisely. That is all you need to know at this point.
The freedom to install third-party plugins and themes is what makes WordPress vulnerable to attackers; most WordPress compromises start in a plugin or theme, not in core.
Plugins and themes available in the WordPress repository are reviewed and are the safer choice. If you need to add plugins or themes manually, always scan them for malware with antivirus software before uploading them to WordPress, and never use “nulled” (pirated) premium themes or plugins, which are a classic way of distributing backdoors.
Also, before installing plugins or themes, check the reviews, the number of active installations, and the last-updated date.
12. Remove Unnecessary/Outdated Themes and Plugins
Always keep your WordPress installation neat and clean.
If you are not currently using some plugins or themes, especially older versions, remove them immediately. Even an inactive plugin’s files are still on the server and can be requested directly by URL, so they are an open invitation to attackers.
Similarly, go to the back end of WordPress and check for unnecessary files by comparing the installation with the default WordPress files.
Or you could just do a fresh installation of WordPress.
First, back up your database and WordPress files. Then remove WordPress and install the latest version fresh.
Make sure you inform your visitors during the maintenance by displaying a maintenance page.
13. Secure .htaccess and wp-config.php
Only God knows what attackers can do if they can read your .htaccess or wp-config.php file; wp-config.php alone contains your database credentials and the secret keys WordPress uses to sign login cookies.
So you should always block direct access to .htaccess and wp-config.php. Even if you don’t know how to write code, you can easily protect both by adding a few lines to the .htaccess file.
Please always keep a backup of the .htaccess file before making changes to it.
Locate the .htaccess file in the root of your WordPress website and add the following lines to it.
Code to protect wp-config.php and the .htaccess file
<FilesMatch "^(wp-config\.php|\.htaccess)$">
Order allow,deny
Deny from all
</FilesMatch>
These directives use the Apache 2.2 syntax, which Apache 2.4 only accepts when the mod_access_compat module is loaded; on a plain Apache 2.4 server, replace the Order and Deny lines with a single line reading Require all denied. Note also that .htaccess only helps on Apache; nginx does not read these files at all, so there the equivalent rule must go into the server configuration. Load your site afterwards to make sure it still works, since a typo in .htaccess produces a 500 error for every page.
14. Secure Your WordPress with a Firewall
A firewall is software that blocks intruders before they reach your application. Wordfence is one of the best-known WordPress firewall plugins. Its rate limiting works by comparing each visitor’s behaviour against rules describing how abusive bots behave. If a client breaks those rules, for example by requesting an unexpectedly large number of pages in a very short span of time, Wordfence blocks it automatically.
Legitimate crawlers such as Google’s and Bing’s are recognised and allowed through. Wordfence also has advanced features that show what kind of bots are attacking the website, and if a bad bot comes from a cloud provider such as Amazon Web Services (or anywhere else), you can block it by IP address or range. Remember that an attacker can change IP addresses cheaply, so IP blocking is a reactive measure; the plugin’s rule-based web application firewall, which inspects requests for known exploit patterns, does the heavier lifting.
15. Hide Sensitive Information
Make sure you remove (or at least rename) the readme.html file after you install WordPress. The readme file tells attackers which version of WordPress you installed. Be aware that removing it is not enough on its own: by default WordPress also prints the version in a generator meta tag in every page’s HTML head and appends it as a ?ver= parameter to script and style URLs, so an attacker can still find it unless your theme or a security plugin strips those too. Keeping WordPress updated matters more than hiding the version.
Likewise, if you have created a phpinfo.php or i.php file (or any other test script), delete or rename it. phpinfo() output reveals everything about your server configuration, including loaded modules, file paths and environment variables.
Moreover, disable directory listing. With directory browsing enabled, attackers can see the structure of your folders and files. You don’t need to be technical to fix it. Simply open the .htaccess file and add a line reading Options -Indexes at the end of the file.
16. Stay Ahead and Updated
Attackers are often a step ahead of security specialists. Frequently a vulnerability only becomes known once somebody has already exploited it.
Therefore, always keep yourself informed about security news and issues. Follow security companies on Twitter or Facebook, or subscribe to their newsletters.
KrebsOnSecurity is a great blog for keeping up with security issues.
Make the guessing game hard for hackers!
You cannot stop attackers from trying. All you can do is be prepared for the attacks.
The good guys are working hard to protect WordPress, but mistakes happen.
Always keep a backup of your WordPress website, just in case attackers take over your site. Keep the backup in a safe place, or better, in multiple places, and make sure at least one copy is stored off the web server, where an attacker who compromises the site cannot reach it.
Finally, follow all 16 tips above for protecting a WordPress website, and keep yourself, your themes, your plugins and WordPress itself updated! If you own a WordPress site and are not able to protect it from hackers, contact Escale Solutions, a reputed WordPress website development company in Delhi. They will help you protect your site from hackers. You can also get a newly developed WordPress website from them at affordable prices.