These days, WordPress-site hacking is becoming very common. Although this shouldn’t make you doubt WordPress (mind you that any site is prone to hacking, be it on WordPress or anything else), you should treat this as a wake-up call that everyone on the Internet should pay more attention to the security of their websites.
Hackers usually use a bug as a backdoor and this bug may come from WordPress plugins or themes that you use or from the WordPress engine itself. Here we have listed several tips on securing your WordPress site from hacking or malware:
1. Use a Strong Password
Usually, people use too simple a phrase for their passwords, such as their phone number, birthday, or even their name. Even worse is a word that is listed in the dictionary.
Hackers have a technique named ‘brute force’: they try every possible phrase from the dictionary to guess your WordPress password. So, the best password is a non-dictionary phrase or a combination of numbers and letters like
2. Modify the .htaccess File
Editing the .htaccess file may be dangerous if you do it without knowledge. Your site may stop functioning because of an error you make, so make sure you have a backup before doing this. On some hosting services, like Yahoo.com, the .htaccess file is forbidden and cannot be created, deleted or modified. If your site is hosted on such a service, you cannot follow these steps.
Create a new .htaccess file in your wp-admin folder like below. It whitelists specific IP addresses, allowing them access to your WordPress Dashboard, and denies access from any IP address not listed in the .htaccess file. Unless the hacker accesses your Dashboard from your home or office, this method will help a lot.
    # Apache 2.2-style access rules; Apache 2.4 needs mod_access_compat for these directives
    AuthType Basic
    order deny,allow
    deny from all
    # your home IP address
    allow from xxx.xxx.xxx.xxx
    # your office IP address
    allow from yy.yyy.yyy.yyy
3. Change the wp-admin URL
WordPress has a feature to “mask” the URL of the wp-admin folder. If your domain is example.com, hackers will, by default, first try example.com/wp-admin to access your Dashboard because that’s where WordPress keeps the admin files. However, WordPress allows you to access your Dashboard from a different URL.
You will have one URL publicly used to access contents on your site and another one to access your WordPress Dashboard. Let’s say, example.com is your site’s URL and example.org/wp-admin is your
To do this, you need to go to the WordPress Dashboard → Settings → General Settings
4. Create a Redirect File
If you go to http://www.your-site.com/wp-includes, you will see an open folder, and this is definitely not safe. You need to create a redirect file in order to forward visitors who access that URL to your main home page. You may ask yourself who in the world would access that URL. Well, hackers would. To redirect visitors away from that URL, simply create a new file named index.html and put this code in it:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <html>
    <head>
    <meta http-equiv="REFRESH" content="0;url=http://www.your-site.com/">
    </head>
    <body></body>
    </html>
5. Do a Daily Back-up
Create a backup of your themes and your SQL database daily. If your site is hacked, you can restore it through FTP, cPanel, or usually through an app available on your hosting admin interface. Hackers usually target the index.php file of your WordPress theme and also the wp_users and wp_usermeta tables in your SQL database so they can change and/or create a new administrator username.
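Because the user tables are a common target, it helps to check them for administrator accounts you did not create. The script below is an added example, not code from the original article: it runs an audit query against an in-memory SQLite database that stands in for the WordPress MySQL database. The default wp_ table prefix, the sample rows and the expected-login list are all constructed assumptions.

```python
import sqlite3

# Constructed sample rows standing in for a WordPress database (default "wp_" prefix).
USERS = [
    (1, "siteowner", "2019-03-02 10:15:00"),
    (2, "editor_amy", "2020-06-11 08:40:00"),
    (7, "wp_support", "2024-01-19 03:12:44"),  # constructed: account nobody remembers creating
]
# WordPress stores roles as a serialized PHP array under the "<prefix>capabilities" key.
USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# The same SELECT can be run directly against the MySQL/MariaDB database.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator";b:1%'
ORDER BY u.user_registered
"""


def build_sample_db():
    """Create an in-memory database holding the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT)")
    db.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", USERS)
    db.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", USERMETA)
    return db


def unexpected_admins(db, expected_logins):
    """Return (ID, login, registered) for administrators not on the expected list."""
    rows = db.execute(ADMIN_QUERY).fetchall()
    return [row for row in rows if row[1] not in expected_logins]


if __name__ == "__main__":
    # "siteowner" is the only administrator this constructed site is supposed to have.
    for user_id, login, registered in unexpected_admins(build_sample_db(), {"siteowner"}):
        print(f"unexpected administrator: id={user_id} login={login} registered={registered}")
```

Running the same query against a restored backup and comparing the two results shows which administrator accounts appeared after the backup was taken.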
6. Update WordPress Copy
Always update your WordPress copy whenever an update is available. It only takes a click!
7. Do a clean upload
Make sure that any files you’re uploading are clean from viruses. Not only are you possibly infecting other files on the server (this becomes very complicated if you’re on a shared hosting environment), but the infected file will also be flagged by Google and a red warning page will be displayed when your site is accessed. You’re simply telling visitors to go away. You don’t want this, do you?
8. Install a Security Plugin
The WordPress community also provides several security plugins that will help you protect your site. These plugins work on your site’s backend. BulletProof and iThemes Security are the plugins that we really recommend.
9. Don’t Use an Outdated Plugin
If you want to use a plugin, you had better check and download it from WordPress.org and not from your WordPress dashboard. The WordPress.org plugin pages always notify you of an outdated plugin.