Let’s get one thing straight first – no software is bug-free. Thus, no site is 100% hack-proof!
And this is why hackers love WordPress websites. The very nature of WP as a CMS has always been attractive to hackers, and with the use of themes and plugins, they have plenty of space to explore within your website. If hackers manage to access your website code or wp-admin with administrator privileges, it is almost certain that your WP website will be used for malicious intentions.
That is the reason why website security is of enormous importance. Things will be safer for you after you read and implement our following tips to help you create a hacker-proof WordPress website.
Why WordPress Security Matters?
There are several reasons why your WordPress website may become a victim of hackers:
- Outdated WordPress Core
- Insecure Themes/Plugins
- Insecure Hosting Service
- Weak Passwords
- Compromised network (i.e. unencrypted public wi-fi)
- Compromised computer of a user with administrator privileges or access to the site file system
A hacked WP website can cause serious damage to your business in terms of revenue and reputation alike. Hackers can steal valuable information such as passwords, usernames, user profiles, and even bank account information.
These people are also capable of installing malicious code/software into your WP core and distribute the malware towards the website users.Just as you need to protect your physical assets, such as buildings, offices, and inventory, you need to protect your most valuable online asset, too, your WordPress website.
1. Regular Updates
One of the fundamental steps towards better WP security is updating. The updates of this open-source software come and go the same as trends in the industry.
By default, minor updates are done automatically by the CMS, but for a more significant release, it will ask from you to update manually. It is advisable to do so if you want to protect your website from hackers as older WordPress versions are slowly being dropped from receiving security patches in the future.
The themes and plugins that you use are also regularly updated and maintained by developers. When they fix a bug or a security issue, they make the update available for you, and you can update them manually from your WordPress dashboard.
These updates are vital if you want a safer and balanced website. That’s why you need to make sure that you regularly update your WP core, themes, and plugins.
2. Powerful Password and Permissions Optimization
Hacker’s first attempt is to brute-force on your username and password. A secure password can consist of at least a dozen characters and numbers that are combined into a difficult combination.
But, instead of having a password that is hard to guess, lots of WordPress users go for passwords like “123456” which is pretty easy to guess. The reason behind the usage of weak passwords is simple – they’re easier to remember.
You need to make the job difficult for hackers. Make sure that your passwords are a combination of special characters, letters, and numbers. Never give access to your admin account unless it is indispensable to do so and if this happens, don’t forget to change your password after the need for sharing it has passed.
If you have a bigger team of administrators and bloggers, make sure that each of them gets the required role and permissions. If you have too many passwords, and you find it challenging to handle them, you can always use a password management app, such as:
Don’t use the WP admin password for another purpose/program. If hackers manage to compromise at least one of your other accounts, they’ll manage to get hold of that password too and you’re just as good as not having a password at all.
We recommend you to additionally protect your WP administration from brute-forcing attacks by introducing login attempts limitations. The Limit Login WordPress plugin can analyze the number of incorrect login attempts and stop the specific user from attempting to crack your password.
3. Better WordPress Hosting
Your WP hosting service is one of the keys to a more secure website. If you use shared hosting, in essence, you share your page code and data with many other pages on the server. This increases the chances for hackers to enter your page via neighboring page.
A managed WordPress hosting service such as Pagely always makes extra effort to protect your WP website and servers from common hacker threats.
The number of websites that switch to managed hosting has multiplied over the last few years, and along with WordPress websites, it has become a dominant way for businesses to manage their content. The six key benefits of using a managed hosting provider are:
- Better Security: Managed hosting services offer unparalleled security compared to other types of web hosting. A managed provider applies the highest level of security, daily backups, malware scanning, and updates that prevent hackers from attacking your site.
- Monitoring Uptime: Speed and performance have a direct impact on search rankings. Most of the managed hosting providers offer 24/7 website monitoring, which means that you don’t have to dwell on your website’s performance.
- 24/7 Support: Managed hosting providers have trained experts that understand the technical details of the platform, and know how to solve common and complex problems.
- Quality: Having a quality and premium managed hosting plan can make the difference, plus, you’ll get all the perks such as 24/7 support, your private server, all sorts of plugins, a web app firewall, and much more.
- High-Speed Data: A quality hosting plan also provides you with excellent caching plugins and CDN access that can have a significant effect on your website speed, which decreases the load on web servers.
- Customizable Solutions: Most managed hosts can support almost every niche, from educational blogs to eCommerce websites, and everything in between. The solution is adapted to your business needs, instead of the other way around.
4. Regular Backups
If you think that you have taken all the precautions to safeguard your site without doing a backup, think again. On the web, nothing is 100% safe. And if your data gets stolen and erased, without a backup, you won’t be able to restore your web presence without having to rebuild it again from scratch.
If your web hosting service doesn’t provide you with site backups, or you just want to increase your WP security, you can always use a backup plugin that can help you store your website data on cloud services such as Amazon or Dropbox:
You can choose backups that will be performed for over a given period or launch them in real-time.
5. Deploying a Security Plugin
After backups, the next logical step is to monitor your page for malware and attacks and react immediately to any accident that might occur. Using a security plugin allows you to do that and add an extra layer of safety for your page.
The following plugins all have options such as monitoring, blacklisting, and two-factor authentication and are regularly updated to make sure that your webpage can cope with the latest security threats:
You don’t have to install each of these plugins on your WordPress site. However, it’s not a bad thing to test them all and see which one performs better. If you have the budget, it is always recommended to use the premium version of security plugins.
6. Use a Web Application Firewall
One of the easiest ways to protect your WP site from hackers is to use a Web Application Firewall (WAF). What the firewall does is monitor the web traffic that comes to your page and blocks every security threat that it detects.
The best WP firewall plugins that you can use to protect your WordPress site from bad traffic requests are:
7. Changing the Default “admin” Username
Since the beginning of WordPress as a blogging platform, the default username is “admin”. Because many users don’t change the default username, hackers can quite easily guess it.
If you want to change your admin username by default, there are three acceptable methods that will do the job:
- Create a new admin username and erase the old one.
- Use the Username Changer plugin.
- Update the username from phpMyAdmin.
If you notice that the name is still “admin” even after your correction, it might be due to a shady practice by a hosting provider that needs to be replaced with a reliable one.
8. Prevent File Editing
Your WordPress website has a built-in code editor in the admin area where you can edit your theme and plugins. If this comes into the hands of hackers, they can cause issues that may not fixable (unless you followed our advice on preparing regular backups of your site).
To turn off the file editing, you need to insert the following code in your wp-config.php file:
// Disallow file edit define( 'DISALLOW_FILE_EDIT', true );
9. Restrict Login Attempts
We mentioned this earlier but decided to stress on it again, as it’s super-important. WordPress will allow you to log in as many times as you want by default.
This is an excellent opportunity for cybercriminals to do a brute-force attack on your website. It is a gap that you can easily fix just by limiting the number of login attempts. If you utilize any of the web application firewalls that we mentioned above, the login attempts will be automatically handled by it.
10. Altering the WP Database Prefix
Your database is the center of your WordPress operations. Every piece of information is stored there. That’s why when hackers get access to it, it’s like they’ve won the jackpot.
They’ll start running automated scripts for stealing sensitive information, injecting black-hat SEO links in your posts, and/or defacing your content with political, religious, or other visual content of theirs.
For each of your database tables, WordPress uses wp_ as a prefix by default. If you still use this default prefix, you make SQL injections and the execution of automated database-related scripts easier for hackers. This is why you need to change the prefix immediately.
11. Protecting WP Admin and Login Pages with a Password
Hackers will attempt to run DDoS attacks and they’ll request your wp-admin folder and login page without any restriction if you don’t protect them with an additional password on your server side which will prevent those requests.
You can protect your admin and login page with a password directly from your cPanel, by using the following steps:
Log into cPanel
Click on “Password Protect Directories,” then select “Web Root (public_html/www)” and click “Go.”
In the list select the “public_html” folder, the new screen at the top will say “Set permissions for /home/user/public_html/” and write down your login/password.
Go back to the home cPanel screen, the icon is at the top left and click on “File Manager”, select “Home Directory”, then check “Show Hidden Files (dotfiles).” and click Go.
You should now be in /home/user, look for the .htaccess file, if it doesn’t and enter the following code inside:
<FilesMatch "wp-login.php"> AuthType Basic AuthName "Secure Area" AuthUserFile "/home/user/.htpasswds/public_html/passwd" require valid-user </FilesMatch>
Change the user in /home/user/.htpasswds/public_html/passwd to match your cPanel username.
Save and Exit
After that, anytime you go to your WordPress admin side you will first be prompted for your username/password that you created.
Bear in mind that this approach is not appropriate for sites where you have users logging in the backend, as it would lead to poor UX.
12. Deactivate Directory Browsing
Those that attack WordPress websites can utilize directory browsing to find plugins or themes with vulnerabilities in your site. These can be used to gain access to your website, injecting malicious scripts, unwanted links or advertisements. Here, hackers can look into your files, copy images, find out your directory structure, and other information. This is why it is recommended that you turn off directory indexing and browsing.
To execute this, you need to access your WP website through an FTP client or other means (File manager from cPanel or even SSH) and edit your .htaccess file in your site’s root directory, adding the following line at the bottom:
13. Disable XML-RPC
XML-RPC is a protocol that uses XML to encode its calls and HTTP as a transporting mechanism. In the context of WordPress, it is a system that allows you to post on your blog using popular weblog clients. It is also useful if you use the WordPress mobile app.
The XML-RPC provides hackers with an additional ground to attack your website and that’s why it is a smart move to disable it. For the purpose, you can use your .htaccess file:
Just insert the following code:
# Block WordPress xmlrpc.php requests <Files xmlrpc.php> order deny,allow deny from all allow from 18.104.22.168 </Files>
And then save the .htaccess file
With that, any remote use of the XMLRPC will be disabled.
14. Log Out Idle Users
Users that are logged on your WordPress site can sometimes wander off screen or enter a completely new tab and forget that they’re still logged in. Active sessions are vulnerable to hijacking when a malicious script gets executed on the user’s computer, leading to passwords being changed, data being stolen and and additional changes to your WP account might be made.
This is the main reason why banking and freelance websites automatically log users out if they close the tab or they’re inactive for a short period of time. You can automatically log out users on your WordPress site with the Idle User Logout plugin.
In the plugin, you can set the time duration that is allowed for an idle user to wander off the dashboard, and automatically redirect the logged out user to the login page.
15. Adding Login Security Questions
Want to make it even more difficult for someone to log into your WP site? You can add security questions just like financial institutions, membership sites, or email platforms use when someone from an unauthorized IP address tries to log in.
The security question is in essence like an additional password for your page. A perfect security question is something that only you can know about. Even better, the answer shouldn’t be related to the question. For example “Bon Jovi” in response to “Your favorite car brand?”. This additional layer can boost your security, however, you need to be careful to remember your answer.
16. Run Your WordPress on the Latest PHP version
This is a real no-brainer when it comes to web security. Only 3.6% of WP pages run on the latest version of PHP (7.2). In fact, there are almost 12% of WordPress sites that still run on the 5.4 version, which is no longer supported!
If you don’t use the latest PHP version, that means some security gaps have been discovered and fixed with the new version, but will not be available for your site. As a result, your page will remain an open target for hacker attacks.
While updating themes and plugins is really simple, the update of PHP in most of the cases depends on your hosting provider. A reliable and good hosting service must make the latest PHP installation accessible to a function in the cPanel called PHP Version Switcher or provide you with another seamless way for switching to the new PHP version.
Beware that some older plugins or themes might not be completely compatible with newer versions of PHP, so always test your site before such a change.
17. Two-Factor Authentication
When you log in WP, besides the regular password, you can allow for a time-based token that needs to be entered from the user. Because of the fact that this token expires in a minute, even if a hacker or someone that knows your password will not be able to log in without entering the required token. There are numerous plugins that you can use for the purpose, such as:
18. Tweak File Permissions
Most WordPress sites are hosted on Linux servers which employ a permissions system that is applied to all folders and files. These permissions are represented by a three-digit number. Each of these digits has its meaning. The first digit always refers to the operating system user, that is perceived as the owner of the file/folder, the second digit is for the users, members of the group, which is assigned to the file or folder, and the third is for everyone else on that server.
0 – Cannot access the file.
1 – Only file execution.
2 – Editing allowed.
3 – Editing and executing allowed.
4 – Can read the file.
5 – Reading and executing allowed.
6 – Reading and editing.
7 – Read, edit, and executing the file.
The web server cannot operate with your site if it doesn’t have enough permissions, but at the same time, permissions should be strict enough in order to restrict other users on the server from accessing your files and folders. As a rule of thumb, you should set your permissions as 644 for your files, 755 for folders, and your wp-config.php file should have a 400 permission. To learn how to alter your file permissions, read this guide from WP Beginner. Another good read on the topic is the article in WordPress Codex on changing file permissions.
In a nutshell, the more secure the website, the harder it is for hackers to get in. We hope that the tips above will help you to strengthen the safety of your online presence and take a step towards handling a massive amount of web traffic without any security issues.
If the above is too much for you to handle, or you’re just a novice and you have additional questions how to secure your website, it is best to hire a professional to do the job for you.