WordPress security is often deemed questionable because it is completely open-source. It is, however, also known that WordPress improves its robustness and security with every new release. You might be wondering why a considerable proportion of WordPress websites are still vulnerable to security attacks? While 50,000 new WordPress websites are launched every day, only about 22 percent of the current WordPress websites are using the latest version of the software. Do you now agree that WordPress security tips are important for your brand?
When you have finally completed developing your WordPress website, you would want to launch it as soon as possible. But you need to spend some time and effort to follow certain steps of protecting your website and avoid future train-wrecks. As you get on with implementing these WordPress security tips, you will realize that most of the security problems arise not due to WordPress, but your own lack of attention.
In this blog…
We start by talking about why you should care about WordPress security at all. We have divided the blog into multiple sections and shared WordPress security tips that will help you secure your:
- Themes and Plugins
- Hosting Setup
- Admin Dashboard
- Login Page
So let’s start with the first topic.
Why should you care about WordPress security?
Your business revenue precariously hangs at the tip of your WordPress site. A hacked site can lead to serious damage. A hacker may go ahead and cause information breach, steal user credentials, or spread malware. You may even end up paying ransoms to hackers to retain access to your own website.
Moreover, Google blacklists tens of thousands of websites every week for malware and phishing. Trust me, you do not want to be blacklisted! And, you definitely do not want to lose credibility by compromising the privacy of user information. Just look at what is happening at Facebook. You can be a small start-up but your user’s privacy is not something you would want to take lightly. We have listed down some simple steps to follow at an early stage to avoid a lot of hard work when your business grows.
WordPress Security Tips: Securing the Database
1. Do not use the default database table prefix
Anyone who has installed WordPress must have seen the “wp-“ prefix used by WordPress by default in the database. This prefix renders your database vulnerable to SQL injection attacks. To steer clear of such a problem, change this prefix to something else, maybe “wpdb-“, “newwp-“, or whatever your preference.
Already installed your WordPress website with the default database table prefix? Worry not.
But, be sure to back up your site before changing anything in the database.
2. Take regular backups
However well you secure your website, there is always some or the other aspect where it is left vulnerable to attacks and malware.
The most foolproof solution is to maintain an off-site backup. No matter what goes wrong, you have everything backed up and ready to restore.
Some WordPress plugins can help you out in this respect. These include VaultPress, BackupBuddy, UpdraftPlus, etc.; VaultPress being the best among the premium ones. VaultPress can be set up to back the website up at regular intervals, while also monitoring the site for malware.
3. Secure the database with strong passwords
The main database user, through which WordPress itself accesses the database, has to have a reliably strong password. Just like for any strong password, combine different kinds of characters in a unique way. The best way is to use a password generation tool for this task.
WordPress Security Tips: Themes and Plugins
1. Keep your WordPress up-to-date
WordPress frequently releases updates fixing the existing bugs and improving security. Make sure that you update your plugins and themes on a regular basis.
Many hacks rely on the idea that website owners would not update their software. You may end up suffering hacks due to a vulnerability issue which was already fixed in the latest version of the software. So, whatever WordPress products you use, update them as often as possible to prevent stale vulnerabilities.
2. Erase WordPress version number
It is super easy to find WordPress version number on your website from the source view. It becomes all the easier for a hacker to plan the perfect attack on your website if they know which WordPress version you are using. Almost all security plugins allow you to hide the version number.
WordPress Security Tips: Securing Hosting Setup
1. Safeguard the wp-config.php file
The most essential file in your website’s root directory is wp-config.php. Critical information about your WordPress installation can be found here. Making this file inaccessible to hackers will make it hard for them to cause a security breach.
Hiding wp-config.php is simpler than you may think. You just need to move it a step higher than your root directory. Do not fret over how the server will access this configuration file. Even if you store it a level above the root directory, the current WordPress architecture always finds it and prioritizes the configuration file settings.
2. Forbid file editing
A user with admin access to your WordPress dashboard can edit any files installed within your WordPress, even your plugins and themes. By disallowing file editing, you can prevent your files from being modified even if a hacker gains access to your admin account.
Here’s how you can do this. Simply add the following at the very end of your wp-config.php file:
3. Connect the server right
Make sure you only use SSH or SFTP to connect your server while setting up the website. SFTP includes many security features which FTP does not come equipped with. In this way, all file transfers will remain secure. While this comes as a part of the package with many hosting providers, if it does not in your case, you can do it manually.
4. Be careful while setting directory permissions
A lot can go wrong if you do not set your directory permissions carefully, especially if you have shared hosting. One of the important WordPress security tips at the server hosting level is fixing these files and directory permissions. All you need to do is to set the files permissions to “644” and directory permissions to “755”. This way you can secure the complete filesystem at all levels of hierarchy.
To do this manually, you can use the File Manager in your hosting control panel or start by typing “chmod” in your SSH-connected terminal. Plugins like iThemes Security can make checking current permissions much easier.
5. Disable public listing of directories
If a directory on your website does not contain an index.html file, any visitor can easily attain a complete directory listing of your website. If, for instance, you have a directory named “info”, any user can access all files in this directory by opening “http://yourwebsite.com/info” in the browser. They do not even need a password.
This is simple to prevent. Open the file named .htacccess, and add the following to it:
Options All -Indexes
WordPress Security Tips: Admin Dashboard
1. Safeguard wp-admin
This directory is the soul of your website, and access to it is a hacker’s dream come true. Damage done from the wp-admin directory can cause damage to the entire website. The first step is password protection for the directory. The administrator will then be using two passwords to access the dashboard, one on the login page, and the second for WordPress admin.
If you want others to access particular parts of the directory, you can always unblock the respective areas.
To autogenerate a .htpasswd file, encrypt the passwords, and set the correct file access permissions, you can use plugins like AskApache Password Protect.
2. Encrypt data with SSL
Secure Socket Layer certificate is a flawless way to secure data transfer between browsers and the server. A hacker cannot alter, imitate, or access the information transferred if you have an SSL connection.
An awesome side-benefit is that Google ranks your website higher if it is equipped with an SSL certificate.
You can easily get one by purchasing one from an SSL firm or ask your hosting company to fix one for you. A lot of hosting packages include SSL.
3. Reassign the username for admin
While installing WordPress, never go for “admin” as your chief administrator username. “admin” is so easy to guess, that the hacker only needs to find a way to tear through or find your password to break into the dashboard.
Plugins like iThemes Security automatically ban IP addresses if they try logging in with this username.
4. Keep an eye on your files
You should know what changes are being made to the files and directories in your WordPress. Relax! You don’t have to do this manually. There’s a plugin for everything. WordFence and iThemes Security can help you accomplish this pretty easily.
WordPress Security Tips: Securing the Login Page
1. Configure User Ban and Website Lockdown
Multiple failed login attempts smell fishy, and a lockdown feature nips them in the bud. Every time a hacker repetitively tries entering wrong passwords, the website gets locked and you get notified. Many security plugins out there, like iThemes Security and Login Lockdown, allow you to specify the number of attempts after which the lockdown should occur.
2. Install 2-factor authentication
What better way to ensure authentic login than making the user enter two credentials? The best way to introduce 2FA is by adding a secret code, question, etc. which the user encounters after entering the regular password. The simplest path here is Google Authenticator.
3. Login with email
Your website is way more secure if you ask users for email addresses instead of their username while logging in. To do this without any manual efforts, use WP Email Login plugin which starts to work as soon as you install it.
4. Use a different login URL
The default login URL on WordPress is wp-login.php or wp-admin.php at the end of the website’s address. Hackers have their Guess Word Databases (GWDb) to automatically try out millions of guess usernames and passwords. To keep them from entering the page at all, you can change the login URL to a unique name. Security plugins let you achieve this pretty easily.
5. Keep updating passwords
Regularly play with your password; keep it strong and fresh, consisting of a combination of different kinds of characters. Password generators are a godsend for this purpose.
As excited as you are to get your e-commerce website up and running, it is critically important that you take some care for securing it before launching it in the mad internet. Once your online platform is out there, you will perpetually find failed login attempts with username “admin” in the logs. Your resources, credibility, success rate, rankings, everything depends on how secure your website is. If you or your technical team has limited knowledge of this, you can hire a professional freelancer for consultation. The best way is to only hire professional developers to create your website. Even if you cannot follow all the WordPress security tips mentioned in this article, at least try to implement the most important ones. Tell us in the comments if the information helped or if you require any other assistance.