How to Secure WordPress Site Against Hacking Attempts: Quick Tips

Table of contents

• Introduction
• Top reasons behind successful hacking attempts
• WordPress Security Checklist
  • Strengthen Your Computer Security
  • Modify the WordPress Table Prefix
  • Reliable and High-Rated Themes and Plugins
  • Protect Important Files from Access
  • Keep WordPress and Its Components Updated
  • Change the Login Error Alerts
  • Enable Two-factor Authentication
  • Change the wordpress login URL
  • Disable XML-RPC
  • Automatically Keep Your Site Up to Date
  • Add Security Keys
  • Disable the Theme and Plugin Editor
  • Disable PHP Error Reporting
  • Restrict Admin Access to Specific IP Address
  • Lock Out Specific IP Addresses
  • Pay Attention to File Permissions
• Conclusion

Introduction

The most popular content management system, WordPress, has 64 % of the CMS market share which is more than all other systems such as Drupal, Joomla, etc, combined. Over 75,000,000 websites use WordPress or we can say that almost 40.3% of the internet is powered by them. Known for their unparalleled impact on web standards, usability, and the internet at large, WordPress have spread like wildfire and are still growing. However, widespread reach and growth have also made WordPress sites susceptible to vulnerabilities. Statistics reveal that WordPress accounted for 90 percent of all hacked CMS sites in 2018! This article talks about how as a WordPress user, you could secure your site against hacking attempts.

Top reasons behind successful hacking attempts

Before we get into tips for securing our WordPress site, let’s have a look at statistics that reveal the weak spots which hackers targeted.

• 41% are attributed to vulnerability in the hosting platform
• 29% came through vulnerable WordPress themes
• 22% took advantage of security issues of the WordPress plugins
• 8% happened through a weak login information

WordPress Security Checklist

Our technical experts recommend some of the best practices that are proven to secure a site from the above-mentioned threats.

• Strengthen Your Computer Security

  Presence of a virus and malware scanner on your computer that scans frequently must be a non-negotiable. Install a reliable firewall- possibly that one that was delivered with your OS.

• Modify the WordPress Table Prefix 

  All the tables in the WordPress database of a standard installation, start with the prefix naming convention wp_. This vulnerability can be fixed by changing it into something arbitrary such as 8uh7dsgakm_.

• Reliable and High-Rated Themes and Plugins

  While choosing plugins and themes, go for the ones that have a high rating and appear reliable. Also watch out for when they were updated last. If there’s no update since long, chances are that it’s more vulnerable due to unpatched security loopholes.

• Protect Important Files from Access

  .htaccess is an important server configuration that holds the code which enables using pretty permalinks in WordPress. It can also set redirects and increase WordPress security.

  For increasing security, you first need to access the file, which is located on your server’s root directory and hidden by default. Therefore, in order to edit it, make sure to set your FTP client to display hidden files (Go to Server > Select Force showing hidden files in FileZilla). After that, take the following measures.

  Use the code below to prevent access to critical files like wp-config.php, php.ini, error logs and .htaccess itself.

  <FilesMatch “^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$”>

  Order deny,allow

  Deny from all

  </FilesMatch>

• Keep WordPress and Its Components Updated

  Keep WordPress versions and plugins up to date. Updated versions of WordPress don’t just bring new features but they also fix security holes identified in earlier versions.

• Use Strong Login Credentials

  A very common way to protect your WordPress account is using safe and strong login information instead of default username. Make your password as strong as possible.

• Change the Login Error Alerts

  If someone tries to log into your site with wrong credentials, WordPress will alert them whether the problem is with the username or password. This gives away half of the information, making it easier to hack into an account.

• Enable Two-factor Authentication

  Two-factor authentication serves an extra step for people to log into your site. An example can be the need to enter a validation code delivered to the mobile phone. Though it might add to efforts, it helps to block automatic attacks.

• Change the wordpress login URL

  Another way to keep the WordPress login page safe is to hide it. You usually reach the login page via yourdomain.com/wp-admin or yourdomain.com/wp-login.php. Move it to a different URL address instead of wp-admin.

• Disable XML-RPC

  This acronym is the name of a feature that allows connecting to WordPress remotely. For example, blogging clients use it and it’s also used for trackbacks and pingbacks. Unfortunately, it’s also sometimes the target of hackers, which is why you should protect it with a plugin Disable XML-RPC Pingback.

• Automatically Keep Your Site Up to Date

  Automatic updates should be enabled to keep the site up to date.

• Add Security Keys

  WordPress security keys(SALTs), encrypt information stored in browser cookies. This way, they protect passwords and other sensitive information. These keys are phrases that are used to randomize this information and stored inside wp-config.php

• Disable the Theme and Plugin Editor

  WordPress contains an internal editor for theme and plugin files that allows you to make changes to your site. Even though it can be useful in some situations, it also comes with a risk. The reason is that if somebody gains access to your site’s back end, they can use the editor to take out your website without even accessing your server.

• Disable PHP Error Reporting

  When plugins or themes cause any error on your site, WordPress displays a message on your front end. This message may contain the path to the file that is causing the problem. Hackers can use this information to better understand the layout of your server and attack your site.

• Restrict Admin Access to Specific IP Address

  By making changes in .htaccess you can restrict access to your WordPress login page to limited IP addresses. This way, only you can access it.

• Lock Out Specific IP Addresses

  A similar technique is available to block IP addresses that try to break into your website. If you notice such incidents (from your server logs, for example), you can lock them out of your site by configuring the .htaccess file.

• Pay Attention to File Permissions

  The following file permissions should be paid attention to in the WordPress site

  • 755 or 750 for directories
  • 644 or 640 for files
  • 600 for wp-config.php

Conclusion

If you are concerned about securing your website against hackers, the tips mentioned in this article are a step in the right direction. Apart from following important security measures mentioned above, to best protect yourself from attacks, it is also very important to keep your website up-to-date and to keep abreast of the latest WordPress related vulnerabilities.