Getting your website hacked is not fun. It’s a serious matter that needs to be handled with care and intelligence. WordPress is gaining popularity with each passing day. Millions of websites are being powered by WP every minute of the day. However it’s popularity is what makes it so vulnerable to hacking and security threats. Hackers find it easy to hack your WordPress websites through a majority of entry points. Thus, it becomes more important than ever to protect your websites from hacking and spamming.
Hacking is something that cannot be stopped but it is something that should be prevented. Therefore, we have compiled a list of tips that many cloud service providers, including our own, use to prevent websites from being hacked. The article is going to focus on few ways that can be used to protect your website against hacking and ways that aren’t discussed time and time again on the internet because we understand security is a serious issue and should not be taken lightly.
0. Test Your Site For Vulnerabilities
1. Don’t Use Premium Plugins For Free
There is a reason why premium plugins are not free. Downloading them from anywhere (un-authorized sites) for free put only your website at risk and obviously, you wouldn’t want that. These pirated copies come with many flaws which give hackers’ direct entry into your website.
2. Eliminate PHP Error Reporting
3. Disable Dashboard File Editing
Therefore, it is always a bright idea to disable file editing option from your dashboard by adding this code snippet to your wp-config.php file.
define( ‘DISALLOW_FILE_EDIT’, true );
4. Regular Backups
5. Always use Security Plugins
Some of the best plugins are:
6. Hide your WordPress Version
(‘version’); ?>” />
<? remove_action(‘wp_head’, ‘wp_generator’); ?>
7. Use 2-Factor Login Authentication
2-Factor login authentication, as the name suggests, is a two level of login to a service or page. WordPress provides many plugins that help you efficiently implement this 2 level login authentication to your website and make your site more secure. Clef and Rublon are two most popular WordPress plugins that help you implement this strategy.
8. Protect Your Files: Htaccess
If you have been running a WordPress website for quite some time, you probably are familiar with the .htaccess file. Well, as a matter of fact, it is one of the most important files of your website. .htaccess file directly affects the permalinks of a website and how it deals with the security issues. .htaccess file can help you prevent your site against any hacking by allowing you to add various code snippets in it. However, make sure whatever code you add in the file should be outside #BEGIN WordPress and #END WordPress tags.
First of all, you should hide your wp-config.php file completely since it is responsible for everything on your website and includes plenty of important details such as database details, user details and more.
Add this code to hide it:
order allow, deny
By adding the following code snippet into a new .htaccess file and upload it to the wp-admin, you can restrict admin access.
order deny, allow
deny from all
Add the following code to your .htaccess file.
Deny from all
# access from my IP address
There are various other ways in which you can modify your .htaccess file and secure your website against hackers and spammers.
9. Use SSL Certificates to Encrypt Data.
Using a Secure Socket Layer (SSL) certificate is a very smart move to secure the admin panel of your WordPress website. The SSL certificate always ensures a safe data transfer between the server and user browser. This makes it difficult for the hacker to spoof into your information or breach the connection.
For a WordPress website, it is very easy to set up an SSL certificate. You can either purchase it from the dedicated and authorized SSL reseller like www.cheapsslshop.com at a huge discount price or you can also ask your hosting service provider to provide you with one. Most of the hosting service provider arranges it as a part of their service.
The SSL certificates also give a boost to your Google ranking. If a website doesn’t have SSL certificate then it will be ranked lower than the one which has the certificate. This will definitely increase traffic on your WordPress website.
10. Change the WordPress database table prefix.
Do you know that the files in the WordPress database table have a prefix “wp-”? Why am I telling this in public, the hackers will get benefited right? They already know that it is just you who didn’t know this (If that’s a shocker to you). Any hacker can hack into your database files just by simple SQL injection.
Hackers and spammers run automated codes for SQL injections. Most of you didn’t bother that all the files in the WordPress database start with the initials “wp-”. You need to change the prefix as this can potentially harm your website.
In order to change the prefix of the WordPress database table, you can either do it manually or with the help of WordPress plugins. In either way, you can easily change the WordPress database table prefix. Plugins like WP-DBManager or iThemes Security can help you do the job with just a click of a button. (Make sure you backup your site before doing anything to the database).
11. Set Directory Permissions Carefully
Most of the websites are hosted on the shared hosting network. This is where wrong directory permissions can be not just harmful but fatal. So, in a shared hosting network, it is wiser to change files and directory permissions to secure the website at the hosting level.
Set the directory permissions to “755” and files to “644” protects the whole file system – directories, subdirectories, and individual files.
You can easily do it with the help of either the file manager in your hosting control panel or through the terminal via the “chmod” command.
You can also use the iTheme Security plugin to check the current permission setting.
12. Conduct The Website Security Audit Regularly
It doesn’t matter how clever you are, expert hackers always search for new ways to annihilate your website/blog. So, don’t be careless when it comes to your site security. Just conduct the website security audit from time-to-time, find loopholes, and eliminate them as soon as possible. If you can’t do that, consult a reputed tech-company to perform the action.
13. Always Be Prepared For Emergency Situations
Don’t sit idle even if your website is safe and you are implementing the website security practices regularly. Just prepare yourself for unexpected situations, such as,
|Unexpected Situations||Possible solutions|
|Your website is hacked||
14. Open Your Website On Virus-Free Computers/Laptops
There are many individuals who own and operate several websites to increase their earnings. Successful website management and operation tasks keep them busy at all the times. So, they tend to access their sites on any available computer/laptop to keep it up-to-date. This is a dangerous practice that can provide a backdoor for hackers to compromise your website.
When you open your website on a computer/laptop (infected with harmful Virus/malware), it is exposed to online security vulnerabilities. Even a single security lapse in your website can enable hackers to bring it down and cause limitless damage to you.
Make sure your computers/laptops are free from harmful programs/data grabbing applications/viruses, etc. Format the infected systems and install the recommended OS, Antivirus, web-browsers, etc. This will reduce the scale of your site’s exposure to online security threats up to a great extent.
WordPress security is certainly so much more than merely installing a security plugin and keeping strong login passwords. You need to follow a particular strategy and make sure you work on every aspect that may break down your WordPress website.
We hope you find these tips useful and help you protect your site against hacking and spamming.
- Updated on Aug 2017 with more useful tips.
- Updated on Dec 2017 with more useful tips.
- Updated on July 2018 with more useful tips.
This article is contributed by Emily Johns and Lauren McLaren.
Emily Johns is a WordPress developer by profession and a writer by hobby. She works for Wordsuccor Ltd., which is a leading custom WordPress plugin development company based in the USA. If you need to hire a WordPress developer you can connect with them through Google+, Facebook, and Twitter.
Lauren McLaren was born and raised in Australia. She is working as blogger and professional Digital Marketer for Digital Muscle Limited- An SEO Company in Australia providing affordable seo services. She’s hardworking, competent and trustworthy. Her role within the company is to manage team of SEO Experts. In her spare time, she loves to read, cook and watch movies.