If you, like most website owners, are running a WordPress website, security needs to be your primary concern. In this article we are going to look at ways to secure a WordPress website so that you can keep it running smoothly with as little risk as possible.
How To Secure A WordPress Website
Plugins
Let’s first look at plugins when it comes to how to secure a WordPress Website.
In many cases, WordPress blogs are compromised because of outdated core files and/or plugins. Files that are outdated can be traced and you are unwittingly providing hackers with an open invitation to your site.
I am lucky enough to have secure hosting with Wealthy Affiliate, so I don’t need to have any of these plugins installed, as they have all the safety measures in place. So check with your hosting provider what sort of security they offer. Most of them will charge an extra fee for this service.
Although the plugins below are excellent, remember that the more plugins you have installed, the slower your site will load up and the search engines favor sites that load up quickly.
So if your hosting platform doesn’t provide the secure hosting that mine does, here are some essential plugins to make sure you have installed on your blog.
WP DB Backup
WP DB Backup is an easy to use plugin that allows you to backup your core WordPress database tables with just a few mouse clicks. Don’t let its ease of use fool you, because this is a powerful tool and it remains one of the most popular plugins for people when it comes to how to secure a WordPress website.
WP Security Scan
Using this plugin, scanning your WordPress site becomes a simple task to carry out. It will find the vulnerabilities in your website and provide useful tips on how to remove them.
WP-DB Manager
This is yet another terrific plugin that lets you manage your WP database. It can be used as an option rather than using the WordPress Backup Manager.
Ask Apache Password Protect
This plugin does not control WordPress, nor will it mess with your database. Rather, it uses speedy, proven, built-in web server security features that add multiple security layers to your blog.
Admin SSL Secure Plugin
This is another plugin for keeping your admin panel secure.
It forces SSL encryption for the admin area and is extremely helpful against hackers or anyone else attempting to gain access to your admin panel without permission.
Limit Login Attempts
Limit Login Attempts blocks the internet address from making any further attempts after a specified number of retries has been reached, which makes a brute-force attack on your website next to impossible.
One Time Password
This unique plugin will help you to set a one-time password for your login. This will stop unwanted users from logging in from internet cafes or other open sites.
Bad Behavior
Bad Behavior is a plugin that aids in fighting annoying spammers.
This plugin will help you prevent spam messages on your blog, and it will also attempt to limit spammers' access to your WordPress blog, so they will not even be able to read it.
User Spam Remover
This plugin has a name that gives away just what its function is. This is a popular plugin that helps in the prevention and removal of unwanted spam messages.
Better WP Security
Better WP Security lets you change certain WordPress features to make it more difficult for hackers to gain access. Be sure to take advantage of this tool to give you the best chance at a secure WordPress site.
Better WP Security will let you:
- change the default ‘Admin’ username to something different.
- lock entrance to the admin at specific time periods.
- change your admin user ID from 1 to something different.
- ban users based on IP addresses.
- automatically email your database backups to yourself.
- change the URL you use to log in from wp-login to something different.
- change your WordPress directory files from wp-content to something different.
- change your database prefix from wp_ to something different.
- check the number of hits on 404 pages and lock the user out if they are excessive.
- track any file changes.
- limit the number of login attempts with the wrong password.
And there’s more.
One of the easiest ways to get through a site’s security is with their password. Many don’t take the time to create solid passwords because they claim they take too much time, but compared to the time it will take you to attempt to rebuild your site, it seems like such a small price to pay.
When you are creating a password:
- every password should be at least 15 characters.
- every site should be different.
- stronger passwords are not an actual word.
- it is strongest if it is a mix of special characters, lowercase letters, capital letters, and numbers.
More Essential Tips On How To Secure A WordPress Website
Hackers
Because hackers are always looking for an opportunity to attack a site, your WordPress blog could be the next target.
Here are some essential tips to help keep your blog secure and hacker free.
Computer hacking can occur in different ways.
Your computer system might be hacked and mined for your personal information. If your password is obtained, your blog or site might be at risk.
Use all or some of these steps to protect your WordPress website from being hacked.
There are a number of ways to protect your database-driven ASP or PHP site from being attacked by hackers, that range from weak to strong security. SQL database-driven websites are at more risk than most.
Learn the most efficient ways to slow down the hackers who use methods like SQL injection attacks and/or XSS by means of the URL query string and form inputs.
Two common types of hacker blocking techniques are input validation and custom error pages. These methods are so simple you won’t have any problem doing them even with just basic coding knowledge. Your greatest strategy would be to put up one or more obstacles.
Keep the details of your database from getting into the hacker’s hands with the setup of a custom error page for your website. Hackers will not see any detailed error messages. If you do nothing else, this is the one thing that every site needs. Otherwise, you are basically providing the hackers with an open invitation into your site’s database and offering the hackers all the information they require to launch an attack.
In addition to hunting for errors, hackers can enter more dangerous code than a simple single quote in the URL query string.
In an attempt to carry out malicious scripts on the database, a variety of creative coding is engaged. Once the hacker can carry out these scripts, the defenseless database is theirs for the taking. The hacker never needs to have the database login, nor does the hacker need the connection string because he/she is utilizing the URL query string, where there is already an open connection.
To check whether the input entered into your URL query string or your text box is actually safe, you can use input validation rules. ASP (or PHP) code on your web page(s) can validate the input collected from the query string to make sure it includes only characters that are safe. Once it is deemed safe, it can be stored in a new variable, inserted into the SQL string, and sent to your database.
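As an added example (not code from this article, and written in PHP rather than the ASP the paragraph mentions), here is the concatenated query the text warns about beside a version hardened by allowlist validation plus a prepared statement, run against a constructed in-memory SQLite table of posts:

```php
<?php
// Added example, not from the article. Uses an in-memory SQLite database with
// constructed sample rows so it runs offline:  php example.php
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, slug TEXT, body TEXT, published INTEGER)');
$db->exec("INSERT INTO posts VALUES (1, 'hello-world', 'public post', 1),
                                    (2, 'secret-draft', 'unpublished draft', 0)");

// Vulnerable: the query-string value is concatenated straight into the SQL,
// so a single quote in the value changes the meaning of the WHERE clause and
// the "published = 1" restriction can be bypassed.
function find_post_vulnerable(PDO $db, string $slug): array {
    $sql = "SELECT slug FROM posts WHERE published = 1 AND slug = '$slug'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened, in the two layers the article describes:
// 1. input validation: a slug may only contain [a-z0-9-]; anything else is
//    rejected before it gets anywhere near the database;
// 2. a prepared statement, so even an accepted value travels as data, not SQL.
function find_post_hardened(PDO $db, string $slug): array {
    if (!preg_match('/^[a-z0-9-]{1,64}$/', $slug)) {
        return []; // treat invalid input as "not found" (and log it if you wish)
    }
    $stmt = $db->prepare('SELECT slug FROM posts WHERE published = 1 AND slug = :slug');
    $stmt->execute([':slug' => $slug]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample inputs: a normal slug and one carrying a stray quote,
// as would arrive via ?slug=... in the URL query string.
$normal  = 'hello-world';
$hostile = "x' OR 1=1 --";

echo "vulnerable, normal:  "; print_r(find_post_vulnerable($db, $normal));
echo "vulnerable, hostile: "; print_r(find_post_vulnerable($db, $hostile)); // draft leaks
echo "hardened, normal:    "; print_r(find_post_hardened($db, $normal));
echo "hardened, hostile:   "; print_r(find_post_hardened($db, $hostile));   // rejected
```

Requires PHP with the pdo_sqlite extension, which is bundled with most PHP builds.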
These are a few technical ways to prevent hacking of your website. Put them to good use.
Hide your login error messages, because login error messages can tell hackers whether they have guessed your username or password correctly. It is a good idea to hide them from all unauthorized logins. Just add the following code to functions.php:
// create_function() was removed in PHP 8; a closure does the same job
add_filter( 'login_errors', function ( $error ) { return null; } );
Maintaining Backups
Keep backups of your entire WordPress blog. This is just as vital as it is to keep your site secure from hackers. If the hackers are successful at least you will have a full set of backup files to get your site up and running again quickly.
Changing default “wp_” Prefixes – Your WordPress blog might be at risk if you are using the predictable wp_ prefixes in your database. Use the WP Security Scan plugin.
Prevent directory browsing – Another security issue is when your directories and all the files in the directory are accessible to the public. Use this test to check if your WordPress directories are properly protected:
Enter the following URL in the browser, without the quotes. “http://www.domain.com/wp-includes/”
If it shows blank or redirects you back to the home page, you are safe. However, if you see a screen similar to the image below, you are not.
To prevent access to all your directories, place this code inside your .htaccess file.
# Prevent folder browsing
Options All -Indexes
Update Regularly
Keep WordPress core files and plugins up to date as one of the easiest ways to keep your WordPress site safe is to make sure your files are always current. Here are a few ways you can do that:
- Deactivate & remove plugins that are not used – Unused plugins will eventually become outdated and can cause a security risk, so it is best to delete them.
- Log in to your dashboard frequently. When an update is available you will see a notification at the top of your dashboard. Log in frequently and keep up to date with the most recent WordPress files. Subscribe to the WordPress Releases RSS feed.
That’s just a few essential tips to keep your WordPress blog secure from hackers. However, there are also other security risks to worry about.
How to Protect Your Website from Plagiarism
The WordPress Protection Plugin offers you complete security for a WordPress site so that you can ensure that data remains secure and plagiarists are not able to copy and steal your data and images off of your WordPress pages.
Use the WordPress Protection Plugin (Lite), to block Keyboard Shortcuts (like CTRL+V, CTRL+A, CTRL+C, and CTRL+X), and disable the text-selection, and it will also block the use of right-click on your website. You can also purchase the full professional version of WordPress Protection Plugin.
WordPress Protection Plugin does the following:
- It disables keyboard shortcuts such as cut, copy and paste.
- It disables text-selection.
- It disables image drag and drop.
- It doesn’t compromise you in the search engines when it comes to picking up your content.
The professional WordPress Protection Plugin offers many features that the Lite version does not, so you may want to explore that further for yourself.
Your blog is actually protected by copyright laws the minute you publish it but it doesn’t hurt to also mention it on each post. This should be adequate to discourage potential thieves from stealing your content. If you would like to take it a step further, you can register your blog with the U.S. Copyright Office, and create a Creative Commons license, but you don’t really have to take this action, it’s just an option for further discouragement.
You can also use plagiarism sites like Copyscape to make sure your content isn’t elsewhere on the web. It will search for content that is identical or similar and then provides you with a link to that content.
If you find that your content has been plagiarized you need to immediately contact that website and provide them the information. Ask them to remove the content or provide credit to you by linking back to your blog.
Passwords
The solution to WordPress password security is to take advantage of one of the password services that will generate up to 50 characters of random gibberish. Then it will memorize that password for you so you don’t have to. Each website will have a new and unique password generated for it.
So how does the password service keep all these preposterous passwords secure? Easy! You have a master password for the service. This must be something that you are going to be able to remember. It will keep all of the other passwords safe and secure. Even if the password store is stolen by hackers, they would still need your master password to access any of your passwords.
It may seem like a complicated security approach, but it does work. It certainly is a solid method to keep your WordPress site safe, along with the rest of your digital life.
A password service is a great way to get the strongest passwords possible and that’s good protection!
More Things You Can Do To Secure Your Website
It is so important to take your website security seriously, as more and more people are finding themselves the victims of hackers. How to secure a WordPress website is something we all need to take seriously to avoid becoming the next statistic.
Here are a few extra precautions that you can take:
1. Protect Your wp-config.php
This is an important WordPress file, and so you will want to make sure it is protected. You can hide it so it is not available for public view just by putting a few lines of code into your .htaccess file. The rules must be wrapped in a <Files> block, otherwise they would deny access to your whole site:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Add this code and it will stop the wp-config.php file from being visible to public users and makes it harder for hackers and robots to spot.
2. Never use “admin” to Log in
One of the most common mistakes is to leave the default ‘admin’ as your login to your WordPress site. This needs to be changed right away, because most hackers will try the username Admin first before they try anything else.
3. Use SFTP
Most people use FTP to upload their files, but you really should use a secure connection such as SFTP. That way your files and your login credentials are encrypted in transit.
4. Using the Login Lockdown Plugin
The Login Lockdown plugin records every failed login attempt along with the person’s IP address, and it will block further login attempts from that IP once the number of failures you have set has been reached.
The default setting is 3 failed logins within 5 minutes per hour. You have the control to remove the blocked IP address from the plugin panel in your WordPress dashboard.
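As an added example (not the code of Login Lockdown or Limit Login Attempts), here is the lockout logic that both plugins described on this page implement, reduced to one class: the 3 failures within 5 minutes follow the default quoted above, while the one-hour lockout length and the sample IP address are this example’s own assumptions.

```php
<?php
// Added example, not from the article or either plugin. Requires PHP 8.
class LoginLockdown {
    private array $failures = [];    // ip => list of failure timestamps
    private array $lockedUntil = []; // ip => unix time the lock expires

    public function __construct(
        private int $maxFailures = 3,      // article's default
        private int $windowSeconds = 300,  // article's default: 5 minutes
        private int $lockoutSeconds = 3600 // assumption: lock for one hour
    ) {}

    public function isLocked(string $ip, int $now): bool {
        return isset($this->lockedUntil[$ip]) && $this->lockedUntil[$ip] > $now;
    }

    // Call after a failed password check. Returns true if this failure
    // pushed the address over the limit and locked it out.
    public function recordFailure(string $ip, int $now): bool {
        $this->failures[$ip][] = $now;
        // keep only the failures that fall inside the sliding window
        $this->failures[$ip] = array_values(array_filter(
            $this->failures[$ip],
            fn(int $t) => $t > $now - $this->windowSeconds
        ));
        if (count($this->failures[$ip]) >= $this->maxFailures) {
            $this->lockedUntil[$ip] = $now + $this->lockoutSeconds;
            $this->failures[$ip] = [];
            return true;
        }
        return false;
    }

    // A successful login clears the counter; this is also what the
    // "remove blocked IP" button in the plugin panel would call.
    public function reset(string $ip): void {
        unset($this->failures[$ip], $this->lockedUntil[$ip]);
    }
}

// Constructed sample: three failures from one address within 90 seconds.
$ld = new LoginLockdown();
$ip = '203.0.113.7';      // documentation address, not a real host
$t0 = 1_700_000_000;
foreach ([0, 30, 90] as $offset) {
    $locked = $ld->recordFailure($ip, $t0 + $offset);
    printf("failure at +%ds -> %s\n", $offset, $locked ? 'LOCKED' : 'allowed');
}
printf("still locked after 10 min: %s\n", $ld->isLocked($ip, $t0 + 600) ? 'yes' : 'no');
printf("still locked after 2 h:    %s\n", $ld->isLocked($ip, $t0 + 7200) ? 'yes' : 'no');
```

In a real plugin the two arrays would live in the database or a transient rather than in memory, so the counters survive across requests.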
Using .htaccess
In addition, you can secure the .htaccess file itself with proper configuration, and update it regularly, to give your site that extra degree of protection.
Typically your WordPress .htaccess file will look something like this:
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Any additions you make to the .htaccess file should be at the end after # END WordPress.
That way you won’t wreck any WordPress based .htaccess functions.
Before making any changes to the .htaccess file back it up and store it in a safe place.
You can also limit who is able to access the admin folder by restricting it to your IP address. To do this you will have to create a new .htaccess file. You can do this in any text editor, and then you will need to upload it to your wp-admin folder.
This snippet will stop access to your admin folder to everyone except the IP address that you have specified. If you have a dynamic IP you will need to regularly change this file otherwise you will find that you are denied access.
# replace 202.090.21.1 with your own IP address
order deny,allow
allow from 202.090.21.1
deny from all
Using the .htaccess file on how to secure a WordPress website is a great start.
Last but not least remember to do regular backups of your site files and database(s). If the unthinkable happens, you will at least have a backup safely stored away which will definitely reduce your stress levels.
Please comment below should you have any other ideas on how to secure a WordPress website.