Still searching for how to secure a WordPress site from hackers? Here we have put together a few guidelines on how to protect, or harden, a WordPress site. When switching to the WordPress CMS, many questions arise: how do I secure a WordPress website, is WordPress good for a blog, and so on. So don’t hesitate to go to the WordPress CMS website if you want to switch from another CMS. Right now millions of websites use the WordPress CMS and tighten their websites/blogs with WordPress plugins.
It goes without saying that WordPress is, and will always be, the number one choice of bloggers for blogging. If you are worried about how to protect a WordPress website from hackers, here you can find the solutions. The main reason behind its popularity is the security and content management it provides. Though the core software of the world’s most popular content management system is secure in its own right, some bloggers still worry about its security.
According to the Website Security Report 2016 prepared by Sucuri, “Out of the 11,000 plus infected websites analyzed, 75% of them were on the WordPress platform and over 50% of those websites were out of date.” This means that no matter how secure your WordPress site is, it is still exposed to attacks. But you can’t blame WordPress for that every time. Why? Because it is your responsibility to make your website secure. After all, you would not want to compromise the security of your property (in this case, your WordPress site).
So how will you ensure that your website does not get hacked? Which WordPress security tips will you apply to your website?
Previously, we did our best to teach you about the topic “How to create a WordPress blog”. Today, we will discuss some WordPress security tips which you should follow to make your website immune to hackers.
Advantages of a secure WordPress website / blog
- Get a high encryption level
- Protection from hackers
- Secure communication between browser and server
- Increase in traffic
- Increase in conversions
- Higher search engine ranking
- Stay away from phishing sites
- Stay away from spamming
- SEO-friendly website
- Increased user trust level
- If anyone tries to log in with a wrong username, WordPress blocks their IP
Key steps to secure a WordPress website/blog
Update your WordPress
This is the most important step to make your WordPress site secure. Keep your WordPress installation updated on a regular basis. Although by default WordPress automatically installs some much-needed updates on its own, the latest available version of WordPress core and its installed plugins still need to be updated regularly by you. Make sure that your WordPress plugins and themes are kept at their latest versions.
If you use WordPress, you have to apply every WordPress version update announced by WordPress.org. Never download WordPress from third-party or other sources; it can harm your website and get it hacked. Updating WordPress gives you additional functions together with a higher security level. If you are not aware of when WordPress releases an update, the WordPress dashboard keeps you informed about updates. If you prefer manual updates, you can use plugins provided by the WordPress community.
Create a child theme
If you have installed a theme that suits your website, then before doing anything else, first create a child theme for your WordPress website; it protects your customisations over time. When you have no backup and you lose your theme through an attack or a security breach in your theme, the child theme helps you keep your website up. There are certain steps for creating a child theme for WordPress. Follow these steps for creating a child theme.
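As an added example (not code from the original post), here is the functions.php of a child theme; the parent theme directory name twentyseventeen and the handle names are assumptions for illustration. It shows the practical security benefit of a child theme: the parent can be updated to the latest patched release while your customisations stay intact.

```php
<?php
// wp-content/themes/twentyseventeen-child/functions.php (added example;
// the parent theme "twentyseventeen" is an assumption for illustration).
//
// The same folder needs a style.css whose header tells WordPress which
// parent theme to inherit from:
//
//     Theme Name: Twenty Seventeen Child
//     Template:   twentyseventeen
//
// Put every customisation (template overrides, extra hooks) in the child.
// Updating the parent to a patched release then never overwrites your work.

add_action( 'wp_enqueue_scripts', 'twentyseventeen_child_enqueue_styles' );

function twentyseventeen_child_enqueue_styles() {
    $theme  = wp_get_theme();
    $parent = $theme->parent(); // WP_Theme of the parent, or false

    // Guard: without a parent theme only the child's own stylesheet exists.
    if ( ! $parent ) {
        wp_enqueue_style( 'child-style', get_stylesheet_uri() );
        return;
    }

    // Parent stylesheet first, versioned so browser caches refresh on update.
    wp_enqueue_style(
        'parent-style',
        get_template_directory_uri() . '/style.css',
        array(),
        $parent->get( 'Version' )
    );

    // Child stylesheet after it, so child rules override parent rules.
    wp_enqueue_style(
        'child-style',
        get_stylesheet_uri(),
        array( 'parent-style' ),
        $theme->get( 'Version' )
    );
}
```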
Add a SSL certificate
SSL provides a secure connection between a browser and the server. This is another great security layer, provided by web hosting companies to the website owner. If your website handles credit card information or any other type of sensitive data, then you must install an SSL certificate to protect that data. An SSL certificate also helps against hackers and protects the website from unwanted malware.
Use a strong password combination
A strong password is a unique combination of 8 or more characters (including special and alphanumeric characters). That said, you should use a strong password combination which includes letters, numbers and special characters. Refrain from using easily guessed passwords such as 123456 or 654321; such passwords can be easily identified and guessed. To make a strong password, consider using a password generator tool. In case you tend to forget your passwords, consider using a password manager such as Google password manager or a third-party tool such as LastPass or Dashlane.
When you start creating a password, keep in mind not to use consecutive numbers or letters of the alphabet. Passwords should always contain at least one capital letter, one small letter, numbers and special characters, and be ten characters long. This type of password will always help you secure your WordPress website.
Use a strong username
When we start installing WordPress on our domain, WordPress gives the default username, i.e. admin, and we often leave this username unchanged. This is a really big mistake: when you install WordPress, keep in mind to change the username. If you do not change the username of your WordPress site, hackers will start attacking your WordPress website. Read more about how to change the username of WordPress.
Prefer a secure WordPress hosting
Using insecure WordPress hosting makes your website prone to malware and hackers. That’s why it is very important for you to host your website with a more secure WordPress hosting provider such as BlueHost or HostGator to keep it safe from security threats. However, your website can still be hacked on a shared hosting platform, since you are sharing your server resources with other customers. Hence we recommend that you use a managed WordPress hosting platform such as WpEngine, which specialises in offering automated updates and security configurations to its users.
Change the default username
Previously, WordPress lacked a facility to change the username of a website’s admin account. Needless to say, as a result it was prone to malicious attacks and theft by hackers. Thankfully, nowadays WordPress.org provides the facility to change the username of your WordPress account. Hence it is important for you to change the username of your WordPress CMS panel.
Following are the ways through which you can change the username of your account:
- By deleting the old username and creating a new one
- By using a username changer plugin
- By updating the username from phpMyAdmin
Use two-factor authentication
As the name implies, two-factor authentication requires two different inputs and authentication methods, which makes logging in much harder for an attacker. Several WordPress plugins are available for two-factor authentication; they ask for the username and password in the first step and a one-time password in the second. Examples of such plugins are Google Authenticator, Duo Two-Factor Authentication, etc.
Refrain from downloading plugins from unknown sources
This is the most common mistake bloggers make, and it later costs them a lot. There are countless sources on the web through which users can download plugins for their WordPress sites. Needless to say, some untrusted sources may attempt to steal sensitive information or try to phish your data through malware. Hence you should refrain from downloading plugins from any unknown source. However, in case you urgently need to download a plugin from some other source, then:
- Look for reviews, opinions or comments provided by other users
- Check the authenticity of the plugin provider on the web
- Check whether the provider offers any support by phone or offline (free or paid)
Disable pingbacks & trackbacks
Whenever your website content gets linked from other websites’ pages, you receive a trackback (or pingback) notification. You might find it useful as well. But the main concern is that these pingbacks and trackbacks can open a weak spot in your WordPress website setup: hackers can use the pingback feature in Distributed Denial-of-Service (DDoS) attacks to harm your website. Hence it is very important for you to untick the “Allow link notifications” checkbox in your WordPress settings.
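As an added example (not code from the original post), the snippet below closes pingbacks and trackbacks in code rather than only via the settings checkbox; it goes in your child theme’s functions.php or a small plugin, and the verification commands assume a constructed site name example.com.

```php
<?php
// Added example: close the pingback/trackback surface at three layers.

// 1. Default ping status "closed" for new posts (this is the option the
//    "Allow link notifications from other blogs" checkbox stores) and treat
//    every existing post as closed too.
add_filter( 'pre_option_default_ping_status', function () {
    return 'closed';
} );
add_filter( 'pings_open', '__return_false' );

// 2. Remove the pingback methods from the XML-RPC server. pingback.ping is
//    the call abused in reflection/DDoS attacks; other XML-RPC methods
//    (e.g. the mobile apps) keep working.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Verify from your own machine (example.com is a constructed site name):
//   curl -sI https://example.com/ | grep -i x-pingback
//     -> prints nothing once the header is gone
//   curl -s -d '<methodCall><methodName>system.listMethods</methodName></methodCall>' \
//        https://example.com/xmlrpc.php | grep pingback
//     -> prints nothing once the pingback methods are removed
```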
Disallow certain files
If you run a WordPress website, you should disallow certain files which the search engines do not need to crawl. Such files should be disallowed in robots.txt (submitted via Google Webmaster tools) or from your admin area. If these files remain allowed, search engines will crawl them and show results from core files, which are very important WordPress files. So keep in mind that these types of files should be disallowed. I’ve added an example below of which files should be disallowed.
After you disallow these files, check your live robots.txt file in your PC’s web browser.
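As an added example (not code from the original post), the filter below extends the robots.txt that WordPress generates on the fly at /robots.txt; it assumes WordPress is installed at the web root, that no physical robots.txt file exists (a real file takes precedence and the filter never runs), and the listed paths are typical candidates, not a list from the post. One caveat a practitioner should keep in mind: robots.txt is advice to well-behaved crawlers, not an access control, so it keeps paths out of search results but does not stop anyone from fetching them.

```php
<?php
// Added example: append Disallow rules to WordPress's dynamic robots.txt.
// Access restrictions belong in the web server config, not in robots.txt.

add_filter( 'robots_txt', 'example_extra_robots_rules', 10, 2 );

function example_extra_robots_rules( $output, $public ) {
    // "Discourage search engines" is on: WordPress already emitted
    // "Disallow: /", so nothing more is needed.
    if ( ! $public ) {
        return $output;
    }

    // Paths with no indexable content that only reveal installation details
    // (version files, login page, XML-RPC endpoint, internal search).
    // Do NOT block /wp-content/ or /wp-includes/: crawlers need the CSS/JS
    // there to render pages; /wp-admin/admin-ajax.php stays allowed in the
    // default output for the same reason.
    $paths = array(
        '/readme.html',
        '/license.txt',
        '/wp-login.php',
        '/xmlrpc.php',
        '/trackback/',
        '/*?s=',
    );

    // The default output already ends with a newline, so rules append
    // cleanly under the existing "User-agent: *" group.
    foreach ( $paths as $path ) {
        $output .= "Disallow: {$path}\n";
    }
    return $output;
}
```

Then open https://your-site/robots.txt in a browser, as the text above says, and confirm the new Disallow lines appear below the default wp-admin rules.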
Use a CAPTCHA
If you want to protect your website/blog from unknown bots, a CAPTCHA is a great option for preventing such harmful spam. Only a human can read and answer a CAPTCHA. This protection really helps a lot and also guards you against spam and against bots that try to hack your website. If you allow comments, an admin area or any section where user input is needed, a CAPTCHA form will really protect your website and filter out spam bots. If you are using WordPress, here are a few well-known WordPress CAPTCHA plugins:
- Really Simple CAPTCHA
- Captcha by BestWebSoft
- Google Captcha (reCAPTCHA) by BestWebSoft
The CAPTCHAs above are the most popular ones used by WordPress bloggers and websites.
Disable login hints
You must have encountered the error hint message every time you enter wrong credentials on your WordPress login page. Certainly, it might appear to be a good option, as it reminds you which part of the login was wrong, but it is the other way around: a login hint is a good opportunity for any hacker who wants to break into your website. Hence it is advisable to disable any type of login hint message on your login page. One way of doing this is to make a small edit in your theme’s functions.php file:
```php
function no_WordPress_errors() {
    return 'Sorry! We didn’t recognize you!';
}
add_filter( 'login_errors', 'no_WordPress_errors' );
```
Note: You can change the ‘Sorry! We didn’t recognize you!’ message line to whatever you feel is good.
Prevent the WordPress directory from being indexed
This is a very important WordPress security tip. You must disable directory browsing on your WordPress site. Directory listing is enabled whenever your web server cannot find an index.php or index.html file in a folder. With it, all the information such as installed themes, plugins, etc. becomes visible as links to plain files. On the other hand, if you are redirected to a ‘Page not found’ or ‘Forbidden’ message, it is a sign that directory indexing is disabled.
Note: Also make sure that you have a blank index.php file in both the wp-content/themes and wp-content/plugins folders.
Use high-security plugins
Without plugins WordPress is like an empty box, so when you start customising your WordPress website you need WordPress plugins, which customise your blog/website without any coding. When you start your blog/website you worry about security; there are many WordPress security plugins available in the WordPress.org plugins section. If you want to harden your WordPress website, these plugins help you a lot to secure it from hackers and anyone who wants to breach your security. According to WordPress there are four types of WordPress security plugins:
Types of WordPress security plugins
- Prevention: help to protect from hackers.
- Detection: give you a notification if something errors or is off and requires a check.
- Auditing: track and maintain an activity log of your website (error logs, access logs, updates, plugins and more).
- Utilities: give you proper options to authorise users to make changes to their installation.
Follow these security practices, integrate security plugins, and achieve your goal.
Here are the most popular security plugins:
- Sucuri Security
- BulletProof Security
- Acunetix WP Security
- Wordfence Security
Final thoughts on making your WordPress website secure – It is always preferable to follow all the above-mentioned steps to make your WordPress website more secure. After all, it is an important thing you own.
In case we are missing any other WordPress security tip you know of, let us know in the comments.
All the best!