Website security

9 Simple but Overlooked Ways to Secure WordPress Website

These days, WordPress-site hacking is becoming very common. Although this shouldn’t make you doubt WordPress (mind you that any site is prone to hacking, be it on WordPress or anything else), you should treat this as a wake-up call that everyone on the Internet should pay more attention to the security of their websites.

Hackers usually use a bug as a backdoor and this bug may come from WordPress plugins or themes that you use or from the WordPress engine itself. Here we have listed several tips on securing your WordPress site from hacking or malware:

1. Use a Strong Password

Usually, people use too simple a phrase for their passwords such as their phone number, birthday, or even names. However, what is worse is a word that is listed in the dictionary.

Hackers have a technique named ‘brute force‘ and when doing this, they will try any possible phrase from the dictionary to guess your WordPress password. So, the best password is a non-dictionary phrase or a combination of numbers and alphabet like th1s-p4ssw0rd.

2. Modify the .htacess File

Modifying the .htacess file may be dangerous if you do it without knowledge. Your site may stop functioning because of the error you make. So, make sure you’ve already got a backup before doing this. For some hosting like Yahoo.com, the .htacess file is forbidden and cannot be created, deleted or modified. If your site is hosted on such hosting services, you cannot follow these steps.

Create a new .htacess file in your wp-admin folder like below. What this does is that it whitelists specific IP addresses and allows access to your WordPress Dashboard. This will deny access from IP addresses not listed in the .htaccess file. Unless the hacker accesses your Dashboard from your home or office, this method will help a lot.

AuthType Basic
order deny,allow
deny from all
# your home IP address
allow from xxx.xxx.xxx.xxx
# your office IP address
allow from yy.yyy.yyy.yyy

3. Change the wp-admin URL

WordPress has a feature to “mask” the URL of the wp-admin folder. If your domain is example.com, hackers will, by default, first try example.com/wp-admin to access your Dashboard because that’s where WordPress keeps the admin files. However, WordPress allows you to access your Dashboard from a different URL.

You will have one URL publicly used to access contents on your site and another one to access your WordPress Dashboard. Let’s say, example.com is your site’s URL and example.org/wp-admin is your wp-admin URL.

To do this, you need to go to the WordPress Dashboard → Settings → General Settings

4. Create a Redirect File

If you go to http://www.your-site.com/wp-includes, you will see an open folder and this is definitely not safe. You need to create a redirect file in order to forward visitors who access that URL to your main home page. If you ask yourself, who in the world would access that URL? Well, hackers would? To redirect visitors away from that URL, simply create a new file named index.html and put this code in it:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="REFRESH" content="0;url=http://www.your-site.com/"></HEAD>
<BODY></BODY>
</HTML>

5. Do a Daily Back-up

Create a backup of your themes and your SQL database daily. If your site is hacked, your can restore it through FTP, cPanel, or usually through an app available on your hosting admin interface. Hackers usually target the index.php file of your WordPress theme and also the wp-user and wp-usermeta tables in your SQL database so they can change and/or create a new administrator username.

6. Update WordPress Copy

Always update your WordPress copy whenever an update available. It only takes a click!

7. Do a clean upload

Make sure that any files you’re uploading are clean from viruses. Not only you’re possibly infecting other files on the server (this becomes very complicated if you’re on a shared hosting environment), the infected file will be flagged by Google and a red warning page will be displayed when your site is accessed. You’re simply telling visitors to go away. You don’t want this, do you?

8. Install a Saecurity Plugin

The WordPress community also provides several security plugins that will help you protect your site. These plugins work on your site’s backend. BulletProof and iThemes Security are the plugins that we really recommend.

9. Don’t Use an Outdated Plugin

If you wanted to use any plugin, you had a better check and download it from WordPress.org and not from your WordPress dashboard. The WordPress.org plugin pages always notify you of an outdated plugin.

Leave a Reply

Your email address will not be published. Required fields are marked *