Follow these 15 WordPress security steps to lock down your website. As the popularity of WordPress grows, it is also becoming a bigger target for hackers. WordPress is an open-source project, which means its code is free for anyone to inspect for vulnerabilities. So it is crucial to ensure the security of your WordPress website. Whether you are the developer or the administrator of the website, you need to make sure that the following things are done regularly to keep the website secure from attackers. Follow this WordPress security guide and keep your hard work safe.
Worldwide, 75 websites get hacked every second!
Have you ever asked yourself if your website is safe and secure? If you have, this WordPress Security Guide is for you.
Step 1: Take Regular Backups Of The Website
Prevention is better than cure, but always be prepared with the cure, so take regular backups of your website. An automated backup system is best: there are many WordPress backup plugins available for that job, and IT Nut Hosting’s cloud backup service does the backup job automatically. A manual weekly or monthly backup would work too. Keep the backup separate from the main server and keep a local backup of your websites. Often, it is better to restore a hacked website from a clean backup, or rebuild it altogether, than to clean up every single file manually.
Step 2: Disable PHP Error Reporting
Hackers can get information about your server from the PHP error messages displayed on various events. So, it is always advisable to disable PHP error reporting on the website. Error reporting can be easily disabled with the php.ini file in your root directory. Add the following line to it:
display_errors = Off
Step 3: Use A Good Security Plugin
A good WordPress security plugin can protect your website from various threats. Although there are many security plugins out there, you should use the plugin that is most suitable for your website. All-in-One WP Security & Firewall or Wordfence are good plugins for most websites. If you are not the developer of your website, ask your developer or a WordPress security expert to recommend which plugin to use on your website.
Step 4: Keep Plugins & Theme Updated
You must keep all your plugins updated and keep the theme on its latest version. Using a child theme might help you avoid design breakage after a theme update. If you are not using a child theme, take your web developer’s advice before updating the theme. You can set up automated updates for WordPress core and plugins by adding some code to the wp-config.php file. Auto-update can sometimes break the website because of an incompatibility in an updated plugin, but that is better than leaving security holes because of outdated code. Just add this code to set up automated updates:
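// In wp-config.php: enable automatic updates for WordPress core.
define( 'WP_AUTO_UPDATE_CORE', true );
// add_filter() is not defined yet when wp-config.php runs, so place these two
// lines in a must-use plugin (wp-content/mu-plugins/) or the theme's functions.php.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );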
Of course, you can also update WordPress manually. It’s completely up to you.
Step 5: Use Secure Web Hosting like IT Nut Hosting
Hosting is the backbone of your website, so if you are not using secure web hosting, your website might be at risk. A secure hosting platform like IT Nut Hosting always takes care of server-side security such as strict firewall rules, hotlinking protection, MySQL injection protection, file injection protection, symlink protection, and many other server-side defences. IT Nut Hosting also automatically scans all websites every month for known malware or adware and cleans them up to keep your website safe and secure. So be wise when you choose a hosting platform, because when you have a strong backbone, common threats can be avoided easily.
87% of websites have mid-level weaknesses!
Acunetix’s report “Web Application Vulnerability 2019”
If you have ever thought about your website’s weaknesses, follow all the steps of this guide carefully and turn the weakness into strength.
Step 6: Never Use Any Codes From an Unofficial Source
You should not use any pirated plugin or theme from an unofficial source. Most of the time, nulled plugins and nulled themes come with security holes and malware code encrypted in them. So, whenever you upload the nulled code, it creates a backdoor in the website for the hacker to come in and play with your hard work. Instead of using a pirated plugin or theme, find a free alternative in the WordPress directory.
Step 7: Keep The Plugin Usage Minimum
The WordPress community offers access to thousands of plugins and themes for many uses, so it is easy to get carried away and install plugins that you don’t really need. When securing a website, it is very important to keep the number of plugins to a minimum, and to use only popular plugins with a large number of users. The more plugins you have on your website, the greater the chance that one of them brings vulnerable code with it. Do not just disable the plugins and feel safe: to remove that code from your website, you need to delete the plugin completely. The same goes for unnecessary themes on the website.
Maintaining the security of a WordPress website is very important. It is also very easy. Regularly scheduling time to audit the security of your website can save you a lot of headaches. Whether you are running your own website or managing your client’s website as an agency or a service, these tips should help you clear up the things to check on the website. If you have any questions or comments regarding WordPress security, feel free to let us know in the comment section.
Step 8: Use Strong Password
You should always use a strong password whenever you log in, and especially on your WordPress login. Use a combination of numbers, uppercase and lowercase characters, and special characters. “Example: RHq158a@q1$rMt7w” Strong passwords are required so that brute-force attackers have a hard time cracking them. Do not use the same password on any other website, because one compromised password can then lead to other hacked sites. You can use a password manager to organize strong passwords so that you do not have to remember all of them. And never ever use “admin” as a username or password. If you do so, it’s like you are covering your personal parts with fishnet clothing. 😛
Step 9: Disable File Editing From The Dashboard
WordPress allows you to edit the theme file from the admin dashboard. It is a good feature, but it can also bring unexpected situations sometimes with accidental change or a compromised account. You can disable file editing from the dashboard by adding the following lines to the wp-config.php file.
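The lines this step refers to are not present on the page. WordPress's own constant for switching off the dashboard editor is DISALLOW_FILE_EDIT (set with define( 'DISALLOW_FILE_EDIT', true );). The shell check below is an added example, not part of the original article: it reads a wp-config.php and warns when that constant, or the WP_AUTO_UPDATE_CORE setting from Step 4, is not in a safe state. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: read define() settings out of a wp-config.php file.

# Print the value given to define('NAME', ...) in FILE, lowercased and unquoted,
# or "unset" when there is no active define. Commented-out lines do not count.
wp_config_flag() {
    file=$1
    name=$2
    line=$(grep -E "^[[:space:]]*define\([[:space:]]*['\"]${name}['\"]" "$file" | tail -n 1) || true
    if [ -z "$line" ]; then
        echo unset
        return 0
    fi
    printf '%s\n' "$line" |
        sed -E "s/^[^,]*,[[:space:]]*([A-Za-z0-9_'\"]+).*/\1/" |
        tr -d "'\"" | tr 'A-Z' 'a-z'
}

# Print one WARN line per setting that leaves the site less protected.
audit_wp_config() {
    cfg=$1
    if [ "$(wp_config_flag "$cfg" DISALLOW_FILE_EDIT)" != true ]; then
        echo "WARN DISALLOW_FILE_EDIT is not true: the dashboard file editor is available"
    fi
    if [ "$(wp_config_flag "$cfg" WP_AUTO_UPDATE_CORE)" = false ]; then
        echo "WARN WP_AUTO_UPDATE_CORE is false: core auto-updates are switched off"
    fi
}

# Constructed sample, not a real site's configuration.
sample_wp_config() {
    cat <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
// define( 'DISALLOW_FILE_EDIT', true );
define('WP_AUTO_UPDATE_CORE', false);
EOF
}

# Audit the file given as $1, or the constructed sample when no path is given.
tmp=$(mktemp)
sample_wp_config > "$tmp"
audit_wp_config "${1:-$tmp}"
rm -f "$tmp"
```

A commented-out define is reported as unset, which is the case that most often hides behind a config file that "looks" hardened.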
Step 10: Set Up Captcha On All Forms
A captcha tool can protect you in many ways. Your login page is prone to brute-force attacks, which can be mitigated by integrating captcha on your website. Preventing a brute-force attack secures your admin users. If you have some kind of contact form on your website, you should protect it using captcha as well. Google provides a very useful captcha that is also user-friendly. You can find many plugins to integrate captcha on your website, and most security plugins have Google reCAPTCHA integration features by default.
Step 11: Install An SSL Certificate
At this time, every website should have an SSL certificate, even if just to get rid of the “Not Secure” message beside the website URL in the browser. As WordPress has a login and might also have contact forms and other data input, you need to install an SSL certificate for it. An SSL certificate on a website gives visitors confidence and trust. IT Nut Hosting provides free lifetime SSL certificates with all of its hosting packages, which you can use on your websites hosted with us.
Step 12: Use The Right File Permissions
File permissions are a very important part of hosting. You need to set the correct permissions so that other users on the system cannot access your website files. You should never use 777 permissions on your files because, with that permission, everyone on the system can access your files. We take care of file permissions by default in our web hosting services. WordPress recommends using 755 for all folders and 644 for all files. If you have SSH access, you can easily find any files or folders that do not meet those requirements using the following command:
find . -type f ! -perm 0644; find . -type d ! -perm 0755
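The command above lists everything that is not exactly 644 or 755, which mixes dangerous modes with harmless stricter ones. The following added example (not from the original article) goes a step further: it separates world-writable entries, the 777 case warned about above, from merely non-standard ones, and resets only the former. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the 755 (dirs) / 644 (files) scheme.

# Print one finding per line:
#   WORLD-WRITABLE <path>  any file or directory with the o+w bit (666, 777, ...)
#   NONSTANDARD <path>     not 644/755 but not world-writable either; stricter
#                          modes such as 600 on wp-config.php land here
audit_wp_perms() {
    root=$1
    find "$root" \( -type f -o -type d \) -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'
    find "$root" -type f ! -perm 0644 ! -perm -0002 -print | sed 's/^/NONSTANDARD /'
    find "$root" -type d ! -perm 0755 ! -perm -0002 -print | sed 's/^/NONSTANDARD /'
}

# Reset only the world-writable entries to the recommended modes, leaving
# deliberately stricter files untouched.
fix_world_writable() {
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
}

# Build a constructed sample tree (not a real site) and print its path.
make_sample_tree() {
    t=$(mktemp -d)
    chmod 755 "$t"
    mkdir "$t/wp-includes" "$t/uploads"
    : > "$t/index.php"
    : > "$t/wp-config.php"
    : > "$t/uploads/photo.jpg"
    chmod 755 "$t/wp-includes"
    chmod 644 "$t/index.php"
    chmod 600 "$t/wp-config.php"
    chmod 666 "$t/uploads/photo.jpg"
    chmod 777 "$t/uploads"
    echo "$t"
}

# Audit the directory given as $1, or the constructed sample tree otherwise.
tree=${1:-$(make_sample_tree)}
audit_wp_perms "$tree"
[ "$#" -gt 0 ] || rm -rf "$tree"
```

Review the WORLD-WRITABLE lines first; a NONSTANDARD line for a file that is stricter than 644 needs no change.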
Step 13: Disable XML-RPC
XML-RPC offers some good features, but most websites do not use them. It is used to automatically post content from feeds or to interact with plugins. If you are not using it, you can disable it using Wordfence or most other security plugins.
Step 14: Limit Login Attempts
The security plugin that you are using most probably has an option to limit login attempts. If it does not, you can use the “Limit Login Attempts” plugin to set how many failed login attempts are allowed. You can also set up whitelisting in some cases if you are prone to forgetting your passwords.
Step 15: Harden Website With .Htaccess
A .htaccess file is a powerful tool that you can use to secure your website. For example, the core files of WordPress do not really need to be accessed by visitors. Those files are mostly accessed by hackers looking for vulnerabilities to use against the website. You can disable access to those files using the All-in-One WP Security & Firewall plugin or by adding the following code to your .htaccess file.
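# Block direct requests to include-only WordPress core files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>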