WordPress is one of the most popular and preferred Content Management System, its known for being one of the most user-friendly website platforms available online. Due to it's popularity and growing users base, WordPress is a popular target for hackers and spammers.
Even through there is no way to completely protect yourself against hackers and security threats towards your WordPress blog/Site. A determined hacker will find his or her way into your site whether you like it or not.
All we can do is make it difficult for the hacker to have his or her way with your site. Most hackers will give up and look for an easier/unprotected site to hack since there are lots of wp sites now-a-days.
Today we will talk about tricks and plugins to keep your WordPress blog safe from hackers. If you follow the advice given below, a hacker will surely find it difficult to gain access to your site.
How To Protect Your WordPress Site From Being Hacked
Table of contents
Important Installation Settings
Delete the Default Admin Account
Rename your WordPress tables prefix
Update the WordPress Security Keys
Stronger Login Information
Remove the WordPress Version Number
Limit Login Attempts
Keep Things Up To Date
Use Well Coded WordPress Themes
Remove Unwanted/Unused Plugins
Back Up RegularlyFinal Words
Important Installation Settings
After installing the WordPress, you need to make sure the following changes are made, These are simple changes but it can improve your site security tremendously.
Delete The Default "Admin" Account
Never use the default "admin" as your username. When you install a WordPress blog, the first user is called “admin” by default. if you use this account hackers will have a easy way to hack your account since they already have the username. So, To avoid it you have to delete the default admin account.
You cannot delete the default admin account right away if you do not have a new admin account, So Create a new administrator account with a username that’s harder to guess.Now, Logout from the default admin account and Login using the new administrator account and finally,Delete the default account. ;)
Rename Your WordPress Tables Prefix
If you have installed WordPress using the default options, your WordPress tables have names like wp_posts orwp_users. It is thus a good idea tochange the prefix of tables (wp_) to some random value. To change the table prefix you can check this tutorial about how to change wp database table prefix.
P.S. If you're going to install wordpress for a new site you can change the default (wp_) prefix of the tables while installing WordPress.
Update The WordPress Security Keys
Adding WordPress security keys is an important security measure. They will make it harder to crack your password thus making it more secure. The other advantage is that if someone is logged into WordPress without your knowledge, they will get logged out immediately as their cookies will become invalid now.
The Security keys can be changed inwp-config.php which can be found in the root of your WordPress installation. If you have not added security keys to your wp-config.php file already, the code will look like this:define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here');Use the WordPress Key Generator to generate eight security keys for your WordPress blog, Once the code has been generated, you simply replace the code above with the unique generated phrases.
Stronger Login Information
Even if you removed the default admin account and changed the security keys it's still easy to hack your site if you're password is not strong. Without strong passwords your blog will be vulnerable to brute force attacks.
If you use secure passwords then the chances of successful brute force attacks become extremely low. You should therefore:Create a strong password which Include small and capital letters, numbers and different symbols to make your password not difficult, but impossible to guess.Change passwords frequently (every 2-3 months)Store strong passwords using a Password Manager Software Also Make sure you use lots of different passwords for your other accounts (like your gmail account, facebook, etc). It is nice to have just one single password and access everything through it, but imagine what happens if someone knows this password. He can basically access all your accounts.
Remove The WordPress Version Number
WordPress sites always place a meta tag in your website code that states the version of WordPress you are using, thus making it easier for hackers to determine if you are running an older version of WordPress that has a security hole.
We can easily remove the WordPress version number from your blog. To do this add this snippet to thefunctions.php file found in your WordPress themes folder.remove_action('wp_head', 'wp_generator');
Limit Login Attempts
As we discussed hackers use brute force attacks to guess your login information by continuously trying new random usernames and passwords. we can mostly prevent this types of attacks by using a strong hard to guess passwords. But, The best way to prevent brute force attack is by installing the Login Lockdown Plugin.
This Plugin allows you to limit the number of login attempts from a given IP range. Once a user has failed a defined number of times, they will be logged out of your website for a defined period of time.
Keep Things Up To Date
Keeping your WordPress updated all the time is important, Because every version of WordPress has fix for security holes that have been identified in previous versions. So, it is a good idea to keep it up-to-date. Do not stick with old versions of WordPress because the longer a WordPress version exists, then the higher the chances are that hackers have found a way to break into it.
This not only apply for WordPress core, it also apply for WordPress themes and plugins. So, update the WP themes and Plugin along with the WordPress core.
Use Well Coded WordPress Themes
Even through you update your site regularly, if your WP themes/plugin doesn't have a secure code then it'll pose a security risk. So, it's better to use a theme from reliable source who updates the theme regularly, mostly it can be found only on paid themes. At the same time, it's not like we should never use a free WP theme. It's just that we have to check for few things before installing.
If you're going for a free WP theme or plugin, check for the following before choosing:Is it compatible with the latest version of WordPress?Does the theme has many downloads? (If it does, then it's popular, thus many people use it without any bugs)How long has it been since it's published and Has it been regularly updated? (the longer the better)Is the developer popular? (if he is then the plugin is most likely has secure code.)Does the developer offer support?(Optional since the theme is free but it's better if yes.)The above points can be also applied for premium themes and plugins. ;)
Remove Unwanted/Unused Plugins
It's better to remove unwanted or unused plugins. Some People keep plugins on their server even through they no longer use them. Since you don't use them any more there is a good chance you haven’t updated it recently, thus this may contains security holes and vulnerabilities. Hackers can gain access to your site via a hole they find or create in your unused plugin and there is an even bigger chance you do not notice the breach because you rarely use the plugin.
In a nutshell, it is a good idea to delete plugins which you are not going to use again.
Back Up Regularly
People ofter say "It's better to be safe than sorry", it certainly is true for wp sites. Even if we follow all the steps above, there is no guarantee that your website will not be compromised by hackers. That is why it is important to backup your website frequently. In-case if something unfortunate happens you can still restore your site using the backup.
Most hosting sites offer automated daily backup but it's always best to keep a back up externally on your PC or cloud drive. you can backup your site using backup plugins such as BackupBuddy, Backup and Restoration for WordPress.
Final Words
I've rounded up most of the basicsecurity tips for WordPress to prevent your site from hackers. There are still many other security tips to secure your WP site like limiting the file types on wp-content directory using .htaccess file.
I'm planning to cover some advanced tips in this topic some other time (Since, This article is already pretty long.). Following the above tips will give a basic security needed for your site.
Hope this article was helpful to secure your site, Let me know your views about this article, Feedbacks are always appreciated. :) Thanks...