10 Tips For Securing Your WordPress Site
10 Tips For Securing Your WordPress Site
It was back in 2003 when WordPress was developed by Matt Mullenweg to be an easy-to-use platform for bloggers to share their thoughts over the internet. But the program's easy-to-use interface and extreme scalability caught the attention of many webmasters around the world and within just a few years of its release, WordPress became the world's most popular CMS.
Now the WordPress we use is actually much more advanced than before. In fact, the WordPress CMS still has vulnerabilities, but don't worry, you can use these 10 tips to secure your WordPress site.
Securing WordPress Sites
1. Get Fast & Secure Hosting
When it comes to hosting people always look for unlimited plan accounts with unlimited space, unlimited bandwidth, and unlimited domains because they think it will be cheaper that way. But what they never understood was that they were caught in a trap. In short, nothing is unlimited in this world. Even the sunlight will run out sometime later.
Big brand companies use the “UNLIMITED” tag to lure novice users online and then provide such pathetic service that they will almost feel compelled to upgrade to a more expensive VPS server.
2. Never Use the Default “admin” Username
Now when you install WordPress on any server it becomes so easy that most people ignore these little things in the installation process. It doesn't matter whether you use the default WordPress installer or the one-click installer that comes with your server's control panel, make sure you change the username of the main admin to any of the default “admin”. This is very important.
The most important reason is because most hackers use Brute Force Attack tool to randomly guess your username and password to login successfully. Now if your admin username is actually “admin” then you have made the hacker's life very easy because now they just need to crack your password.
3. Always Use a Very Strong Password
Admins know this is very basic stuff and everyone on the internet already knows this but trust me not everyone uses this when needed. Make sure your WordPress admin password contains a combination of Uppercase, Lowercase, Alphanumeric (e.g. @, #,?), numbers and is at least 9 characters long. This way you can give hackers real pain to actually decrypt your passwords.
4. Always Update WordPress Core, Themes & Plugins
Trust me this is one of the most common things found on almost every WordPress site. While it is true that updating WordPress core, themes or plugins can break your site sometimes but it only happens for 0.001% of websites using poorly coded themes and plugins.
The reason it got broken after an update is because sometimes the developer of the theme you are using or some of the plugins on your site has stopped supporting and updating the code. So, when WordPress terminates any function, the theme/plugin still tries to access it and ends up getting lots of PHP errors.
Whatever the case, keep your site updated with the latest version of WordPress, themes and installed plugins. Developers release patches daily to fix vulnerabilities in their software as soon as they become aware of or are notified.
5. Remove Unused Themes & Plugins
Many WordPress sites are full of themes and plugins installed and they don't even use them on their site. They just leave these things disabled and think they won't be hard either since they are disabled. This is absolutely the wrong idea. It is much easier for any hacker to target old themes/plugins or things that are installed but deactivated in order to bypass the security of your website by targeting the vulnerabilities in those themes and plugins.
As these things are already disabled on your site you will not notice any subtle changes to the theme/plugin code and hackers use this to their advantage. When you repeatedly install a plugin on your site and then deactivate it, the real developer of that plugin stops updating that plugin and hackers use the vulnerability in that old theme/plugin to hack your site.
So, always save the things you actually use on your site, if there is a list of plugins and themes installed on your WordPress site but you don't use them, just DELETE them. Is it a theme or a plugin that comes with the default WordPress installation or something that you have installed before. The same rule applies to everything. Just keep the things you need and get rid of the rest.
6. Tighten Admin Area
In the event of an admin problem, you should change the default admin URL and limit the number of failed login attempts before a user is locked out of your site. By default, the admin URL for your website will look something like this: domainname.com/wp-admin . Hackers know this and will try to access this URL directly so they can gain access to your site. You can change this URL with a plugin like WPS Hide Login.
Next, you limit the number of failed login attempts. by adding a locking feature for failed login attempts can solve the big problem of continuous brute force attempts. Every time there is a repeated hacking attempt with wrong password, the site is locked, and you are notified about this unauthorized activity. You can use the LockDown plugin.
7. Use HTTPS and SSL
The internet is full of blog posts and articles about the importance of the HTTPS protocol and adding an SSL security certificate to your site. HTTPS stands for Hypertext Transfer Protocol Secure, while SSL stands for Secure Socket Layers. In short, HTTPS allows the visitor's browser to establish a secure connection with your hosting server. The HTTPS protocol is secured via SSL. Together, HTTPS and SSL ensure that all information between the visitor's browser and your site is encrypted.
Using both of these on your site will not only increase your site's security, but will also benefit your search engine rankings, building trust in your visitors. Talk to your hosting provider and ask about the possibility of getting an SSL certificate or you can try using CloudFlare's free service, instead of not using it at all.
8. Only Install Trusted Themes And Plugins
Never install a theme or a plugin from some fake marketing videos or marketing website because in most of the cases even though it provides a fully built free website there is a high probability that the theme and plugins have malicious code which can compromise the security of your website. If you are installing a free theme or plugin, just install it via the WordPress plugin installer or download it from the WordPress add-ons repository. Purchase or download themes and plugins only from trusted websites like themeforest, codecanyon etc.
9. Disable Directory Listing
In most cases the webservers directory listing has been enabled by default for various reasons, but after your website development is complete, just open the .htaccess file located in the root directory or under the public_html directory of your server and add the following code at the top of the existing htaccess Options code -Indexes
This will disable the directory listing feature of your server and anyone who tries to access a server directory that doesn't have an index.html or index.phpfile will return a 403 Forbidden error. The above code will work for Apache as well as Lightspeed server but if you have nGinx server contact your server admin to enable it on your website.
This is very important because if you don't disable this feature in your website hackers can easily follow your directory structure and find out exactly what files you have on your server and how they are organized. This gives them the advantage of knowing your site perfectly.
10. Set Appropriate Permissions For Files And Folders
If you have cPanel access go to your file manager and make sure all your site files have permissions set to 644 and all directories have permissions set to 755, unless some plugins specifically ask you to set some special permissions to some special folders. As some cache plugins ask the user to set permissions to /wp-contents/cache/folder to 777. This is an exceptional case, but for the rest of the files follow the permissions structure above. So make sure to set the appropriate permissions to secure your WordPress site.
WordPress is a powerful and popular CMS that makes it easy for anyone to create a website. But because it is so popular, it is also a favorite target for hackers. Luckily, there are a number of steps you can take to secure your WordPress site and if you follow the tips in this article, you will be well on your way to having a secure WordPress website.
That's all for the article 10 Tips for Securing WordPress Sites. Look forward to other interesting articles and don't forget to share this article with your friends. Thank you.
Just an ordinary person who wants to share a little knowledge, hopefully the knowledge I provide can be useful for all of us. Keep in mind! Useful knowledge is an investment in the afterlife.