7 WordPress Security Tips

Most WordPress users think that the chance of getting attacked by a hacker is slim to none. The truth is that it happens more often than you think and unfortunately most people are not aware of that danger.

Have you noticed sometimes when searching on Google that some results are labeled “This site may harm your computer”? Those are websites that have been hacked and therefore blacklisted by Google. Needless to say, most users will freak out and might never visit your site again. Even if you manage to recover your site from such an attack, this would definitely give a bad reputation to your business.

I compiled a list of tips that can greatly improve the security of your WordPress website. Please note that the following tips apply to all versions of WordPress.

1. Use Strong Passwords

It may seem obvious but you would be amazed by how many users ignore this. No matter how much you work securing your website, a weak password can ruin everything. Your whole website’s security is dependent on that password. Do not even bother reading the rest of this article if your password is not strong enough.

Here are 3 tips when selecting your password:

  • Use something as random as possible (no single words, birthdays, or personal information)
  • Use at least eight characters. The longer the password the harder it is to guess
  • Use a mix of upper and lower-case letters and numbers. Passwords are case-sensitive, so use that to your advantage.

2. Keep WordPress Always Updated

It goes without saying that you always have to update your WordPress installation. If a vulnerability is discovered the WordPress development team will fix it by releasing a new version. The problem is that now the vulnerability is known to everyone so old versions of WordPress are now more vulnerable to attacks.

In order to avoid becoming a target of such an attack it is a good idea to hide your WordPress version number. This number is revealed in page’s meta data and in the readme.html file of your WordPress installation directory. In order to hide this number you have to delete the readme.html file and remove the version number for the header by adding the following line to your functions.php file of your theme folder.

<?php remove_action('wp_head', 'wp_generator');?>

3. Beware of Malicious Themes or Plugins

Some themes and plugins contain buggy or even malicious code. Most of the time malicious code is hidden using encryption so it’s not easily detectable. That’s why you should only download them from trusted sources. Never install pirated/nulled themes/plugins and avoid the free ones unless they are downloaded from the official WordPress themes/plugins repository.

Malicious themes/plugins can add hidden backlinks on your site, steal login information and compromise your websites security in general.

4. Disable File Editing

WordPress gives administrators the right to edit theme and plugin files. This feature can be very useful for quick edits but it can also be useful to a hacker who manages to login to the administration dashboard. The attacker can use this feature to edit PHP files and execute malicious code. To disable this feature add the following line in the wp-config.php file.

define('DISALLOW_FILE_EDIT', true);

5. Secure wp-config.php

wp-config.php contains some important configuration setting and most importantly contains your database username and password. So it is crucial for the security of your WordPress website that nobody will have access to the contents of that file.

Under normal circumstances the content of that file are not accessible to the public. But it is a good idea to add an extra layer of protection by using.htaccess rules to deny HTTP requests to it.

just add this to the.htaccess file on your website root:

<files wp-config.php>

order allow,deny
deny from all
</files>

6. Do not allow users to browse in your WordPress directories

Add the following line in the.htaccess file in the directory you installed WordPress:

Options -Indexes

This will disable directory browsing. In other words it will prevent anyone from getting the listing of files available in your directories without a index.html or index.php file.

7. Change username

Hackers know that the most common user name in WordPress is “admin”. Therefore it is highly advisable to have a different username.

It is best to set your username during the installation process, because once the username is set it cannot be changed from inside the admin dashboard but there are two ways to get around this.

The first way is to add a new administrator user from the admin dashboard. Then log out and log in again as the new user. Go to the admin dashboard and delete the user named admin. WordPress will give you the option to attribute all posts and links to the new user.

If you are more tech-savvy you can change your username simply by executing an SQL query. Go to phpmyadmin select your database and submit the following query:

UPDATE wp_users SET user_login = 'NewUsername' WHERE user_login = 'admin';

It is important to keep in mind that even if you implement all my advice you can never be 100% protected from hackers. But the above tips should be sufficient to decrease the chances of getting hacked.

WordPress Security Tips and Hack Defense

From WordPress core, theme and plugin safety, to user name and password best practices and database backups.

Other topics to consider include:

  • layered security measures like using the .htaccess file to enable or disable features
  • limiting file permissions
  • black listing and white listing IPs
  • disable file editing
  • using HTTPS

WordPress Security

If you run a large commerce site and it gets hacked, you can lose valuable customers and of course, money. Web hosts are likely to suspend accounts that are hacked taking your site offline. You don’t want to waste your time patching up a site after hacks or paying hosting when your site is down.

Why is WordPress so successful?

WordPress is the world’s most popular content management system now powering 20% of all websites. It’s success is due to its intuitive interface and the fact that its free and open source. Its features provide endless options for extending functionality through the addition of plugins and the ability to customize your site with themes and widgets. With thousands of paid and free themes and plugins available on the web, the option to create a site that is both functional and uniquely yours is virtually limitless.

Why is WordPress exposed to attack?

These same features are the most common ways that we expose our sites to attack. Because WordPress is open source, anyone can easily explore the core code or search through any of the most popular themes and plugins for hacks. These are items of WordPress that are out of your control.

Your host and WordPress hacks

Unless you pay big money to have your own server for web hosting, you also can’t control the hosting environment your website is run on.

Brute force attack

A brute force attack is also something that is out of your control. While you can’t always stop them, you can put into place measures to limit the damage and make it difficult for someone to successfully hack your site. Even tech giants like Microsoft, Apple and Amazon have had their security breached. No site, WordPress or otherwise, is completely secure. What you must do is recognize where weakness exist and create extra layers of defense to protect your content in the event your site is hacked. Use as many common solutions as possible to help manage the weakening of your site through human error.

A brute force attack can last months and involve thousands of servers world-wide. All hosting providers who offer WordPress are potential targets Hackers use compromised servers and PCs to hack websites’ administrator panels by exploiting hosts with “admin” as account name, and weak passwords which are being resolved through brute force attack methods.

4 Points of Vulnerability

1. host security breaches

2. out of data WordPress core

3. unsafe plugins and themes

4. brute force attacks

Managing your WordPress powered site well is the most valuable security tool available to you.

  • speed
  • options
  • services
  • security
  • backup solutions
  • control
  • server type
  • price point

Choosing WordPress to power your site means WordPress is the foundation of everything on your site. The fact that it is free and open source carries many benefits. But with each update, the exploits of the previous version are made available to the public making previous versions more susceptible to being hacked. Employing backs security through obscurity tactics, you can remove or hide the version number of your WordPress installation from displaying. You can even choose a more simple solution with plugins to hide the version number. This may deter a bot from attaching to your site, but this does not patch holes in older versions of WordPress. Only updating your WordPress installation as newer versions are made available will remove the published exploits.

Updating WordPress is simple (since version 3.7 was released with automatic updates)

In previous versions of WordPress a new version banner would display in your dashboard whenever there is an update available. Now WordPress installs will automatically update to new minor versions without you having to lift a finger. Minor versions are usually for security updates. You will, however, still need to update for to new major versions.

To update WordPress

  1. First things first! Backup your WordPress.
  2. Dashboard
  3. Updates

The biggest threat to your site

The quickest way to compromise your site includes adding poorly, maliciously coded or out of date themes or plugins from untrusted developers or sites. Due to the open source nature of WordPress many themes or plugins are distributed under a GPL or GPN (General Public License) licenses. So its easy for themes and plugins to be forked and redistributed on free WordPress theme and plugin sites with the addition of hidden or malicious code. This code can be as simple as exposing a virus or as serious as exposing your visitors to identity theft.

Before downloading a free theme or plugin:

  1. Research the author and only download from the authors site or the WordPress depository
  2. Ask advise at WordPress.org/support
  3. If you are going to use free trusted plugins or themes, check the version number compatibility listing and verify that the plugin or theme is still being supported and updated. Many themes or plugins are slow to receive updates or are simply abandoned.
  4. If you don’t use it, lose it. If you are not using a theme or plugin, delete it.
  5. Use paid supported themes and plugins (not free).

Experience shows that nearly all WordPress attacks could be defended against and defended by simply using safe, up to date and trusted plugins and themes.