WordPress, the most popular Content Management System(CMS) in the market, which powers almost 42.4% of all the websites on the Internet. This popularity also brings some problems to your room making it the most targeted CMS by hacker to get benefited using a site. If you are serious about your website, then you need to pay proper attention to your site and WordPress security best practices. Keeping your WordPress site secure takes a little effort but should be top of the agenda for anyone serious about their website.
Hacker uses two approaches to hack WordPress websites. They target individual sites as well as large clusters. Nothing in this world is hack-proof but what We can try is make this as difficult as possible, so they go elsewhere.
In this tutorial, We will share our Best Tips to keep your WordPress website secure.
1. Update your WordPress
WordPress is an open source software which is regularly maintained and updated. By default, WordPress automatically installs minor updates. For major releases, you need to manually initiate the update. Not updating your themes and plugins can mean trouble. In most cases, WordPress-powered sites are compromised because their core software, files, themes, and plugins are outdated making them traceable. WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers which regularly release updates as well. Every WordPress site administrator should regularly check for update and keep WordPress including plugin and theme files up-to-date.
How to configure automatic updates
You can configure automatic updates as well. To auto-upgrade WordPress core, insert this code into your wp-config.php file:
define( 'WP_AUTO_UPDATE_CORE', true );
For plugins, use:
add_filter( 'auto_update_plugin', '__return_true' );
For themes, use:
add_filter( 'auto_update_theme', '__return_true' );
2. Install a WordPress Security Plugin
Many users find it easier to rely on a one-stop security solution. If that is the case with you, one of the following WordPress security plugins might be suitable:
iThemes Security – available in both a free and premium version, iThemes provides over 30 different ways to improve the security of your website.
WordFence – is another security plugin that offers both a free and premium version. With just over 11 million downloads, WordFence has a strong user base who depend on this plugin for their security needs.
Sucuri – While Sucuri maintains a free plugin in the WordPress repository, they also provide a more comprehensive service that includes: malware and blacklist scanning, DDoS protection, malware cleanup, firewall protection and more. One of the great features of the Sucuri service is that it includes cleanup in the event that you site is compromised.
3. Install SSL Certificate
SSL (Secure Sockets Layer) is a protocol which encrypts data transfer between your website and users browser. This encryption makes it harder for someone to sniff around and steal information. For instance, our hosting service comes with free SSL on all plans which customer can avail from cPanel >> Let’s Encrypt SSL.
4. Use a Strong Password
The most common WordPress hacking attempts use stolen passwords. You can make that difficult by using stronger passwords that are unique for your website. Not just for WordPress admin account, but also for database user, WordPress hosting account.
5. Disable File Editing
If a user has admin access to your WordPress dashboard they can edit any files that are part of your WordPress installation. This includes all plugins and themes. It can be accessed by going to Appearance >> Editor. Another way you can find the plugin editor is by going under Plugins >> Editor. If you disallow file editing, no one will be able to modify any of the files – even if a hacker obtains admin access to your WordPress dashboard.
To make this work, add the following to the wp-config.php file (at the very end):
6. Change your WP-login URL
By default, the URL We use to log into our dashboard is either wp-login.php or wp-admin, added after your site’s main URL. For instance, YOURSITE.com/wp-login.php and guess what, those two are also the most accessed URLs by hackers who want to get into your database. If you change that URL, you reduce the chances of finding yourself in trouble. Guessing a custom login URL is way harder for hackers.
The iThemes Security plugin does this trick. For instance, your login URL can turn into something like YOURSITE.com/my_site.
7. Securing wp-includes Folder
The wp-includes folder contains only the files that are strictly necessary to run the core version of WordPress, one without any plugins or themes. Remember, the default theme still resides in the wp-content/theme directory. Thus, no visitor (including you) should require access to content of the wp-include folder. You can disable access using this following code snippet by updating your default .htaccess file:
# Block the include-only files. <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L] </IfModule>
8. Hide wp-config.php and .htaccess files
While this is an advanced process for improving your site’s security, if you’re serious about your security it’s a good practice to hide your site’s .htaccess and wp-config.php files to prevent hackers from accessing them. We strongly recommend this to be done by an experience developer because a slight mistake can take down your site. You should start by taking backup of the files as well. To hide the files, there are two things you need to do:
Go to your .htaccess file and add the following code,
<Files wp-config.php> order allow,deny deny from all </Files> <Files .htaccess> order allow,deny deny from all </Files>
Another security measure that you can take is to restrict wp-config.php file permission. Set the file permissions to 600 so that only true owners can edit the wp-config file. To change the file permission of wp-config, select the file from cPanel >> File Manager and then choose the option ‘Permission’.
9. Disable PHP File Execution in Certain WordPress Directories
Another way to harden your WordPress security is by disabling PHP file execution in directories where it’s not needed such as /wp-content/uploads/.
You can do this by opening a text editor like Notepad and paste this code:
<Files *.php> deny from all </Files>
Next, you need to save this file as .htaccess and upload it to /wp-content/uploads/ folders on your website using File Manager or FTP Client.
10. Change Security Keys
It is recommended that you change the WordPress Secuity key periodically so that if someone/something got login credentials, resetting the security keys will log them out immediately. You can generate a new set of security keys and place them in the ‘wp-config.php’ file and here is the URL where you can generate new set of keys. It’ll help secure your WordPress site. Its generate new keys every time someone browse the URL.
11. Choose a Good Hosting Company
You should find/choose a good hosting provider who has up-to-date security system deployed on their servers. You might look for Cloudlinux, Litespeed, Imunify360 Scanner etc. A company with good support and daily backup system will help you to run your WordPress site properly.
12. Don’t Use Nulled Themes
We have seen, people are using nulled theme for their website which is one of the main reason for security breach of a site. You should try to get the premium theme by paying the charges to actual seller. Nulled themes contain hidden malicious codes, which could destroy your website and database or log your admin credentials very easily.
13. Monitor your site – to find any unusual activity.
14. Back up your site regularly – in-case of emergency.
15. Use Latest PHP Version – PHP is used for backend coding and using latest version of PHP will enhance the site security parameter.
16. Use Clever Usernames and Passwords – do not go with the common ones, think and use harder.
17. Captcha Protection – Protecting your site with google captcha protection.
That’s all, we hope this article helped you learn the top WordPress security best practices as well as discover the best WordPress security plugins for your website.