WordPress is the most popular blogging and CMS system on the Internet which makes it a favorite target for hackers. Having a WordPress site means that you have to take some extra efforts in order to protect your and your visitors data hence hardening your WordPress deployment is mandatory.
We know from experience that having your site hacked is not fun. That’s why, here at WebHostingWorld, we take security very seriously.
In line with our serious approach to security, our products are carefully optimized to be as secure as possible. There are, however, still a handful of potential security risks, when running a website, that we have no control over. You, the website owner, need to pay attention to these potential security risks, in order to keep your website safe.
With that in mind, here are few things you can do to improve your WordPress security.
1. Update all the things
It is really important to keep your core WordPress files and all of your plugins, themes updated to their latest versions. Every new release of WordPress contains patches and fixes that address real or potential vulnerabilities. If you don’t keep your website updated with the latest version of WordPress, you could be leaving yourself open to attacks.
Many hackers will intentionally target older versions of WordPress with known security issues, so keep an eye on your Dashboard notification area and don’t ignore those ‘Please update now’ messages.
The latest version of WordPress is always available on official WordPress site. Official release is not available from other websites or resources, thus, NEVER update WordPress from third party resources. Also, you can easily update WordPress from Admin Dashboard directly
It is strongly recommended to update your plugins and themes to the latest versions too, as a bug in one of these can affect your whole installation. You can update both plugins and themes via Admin Dashboard > choose Plugins or Themes menu and click ‘Update now’ near the necessary plugin or theme:
NOTE: it is recommended to create backups of your WordPress files and database before applying any changes.
2. Strengthen up those passwords
You will be surprised to know that there are thousands of people that use phrases like “password” or “123456” for their admin login details. Needles to say, such passwords can be easily guessed and they are on the top of the list of any dictionary attack.
The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed. Many automatic password generators are available that can be used to create secure passwords.
Things to avoid when choosing a password:
- Any permutation of your own real name, username, company name, or name of your website.
- A word from a dictionary, in any language.
- A short password.
- Any numeric-only or alphabetic-only password (a mixture of both is best)
3. Don’t use the “admin” username
The default WordPress login is ‘admin’ and most hackers know that. It should be changed to custom one with a strong password which include upper/lower keys, numbers and symbols. If you’re installing a new WordPress site, you will be asked for username during the WordPress installation process.
If you have already installed WordPress you can still change username.The easiest way to change your WordPress username is by creating a new user with your desired username and with the administrator user role. You will need to use a different email address than the one used by the old account.
- To add a new user on your WordPress site, simply click on Users » Add New and fill out the form.
- Add a new user with Administrator role, make sure you use a strong password.
- Now you need to logout and then login with the new user account you just created.
- Go to the Users section and click on the Delete link under your old username
While deleting your old user, WordPress will ask what you want to do with their content. Make sure that you click on ‘Attribute all content to:’ option and then select the new user you just created. Click on the ‘Confirm Deletion’ button to delete the old user account.
That’s all you have successfully changed your WordPress username
4. Protect your WordPress Admin Area
Keeping “wp-admin” folder protected adds an extra layer of protection. Whoever attempts to access files or directory after “wp-admin” will be prompt to login.
Protecting your “wp-admin” folder with login and password can be done in several ways:
4.1. WordPress plugin
Using the WordPress AskApache Password Protect plugin.
You can set protection easily on any folder via cPanel’s Password Protect Directories
- Go to cPanel > Security > Password Protect Directories to access a list of your site’s folders:
- Choose the directory you wish to protect and click on it
Put a tick on Password protect this directory and name your protected directory, insert the username and password and click on Add or Modify the Authorized User button to save your changes:
4.3. .htaccess + htpasswd
Creating a password-protected folder can also be done easily by setting the folders you want to protect inside .htaccess and users allowed to access inside .htpasswd.
The best you can do is to get our home IP address (you can use a site like whatismyip.com for that) and add these lines to the .htaccess file in your WordPress admin folder replacing xx.xxx.xxx.xxx with your IP address.
Deny from all
Allow from xx.xxx.xxx.xxx
In case you want to allow access to multiple computers (like your office, home PC, laptop, etc.), simply add another Allow from xx.xxx.xxx.xxx statement on a new line.
5. Securing wp-config.php
It is very important to protect wp-config.php file and wp-admin folder since they are more susceptible for hacker attack.
Move wp-config.php outside of the web directory (eg. one directory up). WordPress knows to look for the file in other directories if it can’t find it in the web directory.
The trouble is, if a hacker managed to gain access to your admin panel, they could also edit your files that way, and execute whatever code they wanted to.
So it’s a good idea to disable this method of file editing, by adding the following to your wp-config.php file. You can put this in that file (at the very top) to deny access to anyone surfing for it:
deny from all
The WordPress Dashboard by default allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will use if able to login, since it allows code execution. WordPress has a constant to disable editing from Dashboard. Placing this line in wp-config.php is equivalent to removing the ‘edit_themes’, ‘edit_plugins’ and ‘edit_files’ capabilities of all users:
6.Changing database prefix
Your website might be at stake if you are using the predictable wp_ prefixes in your database.
This one can be difficult to do but it is the absolute most critical. By default, WordPress prefixes all its database tables “wp_”. Changing the table prefix to a random string makes it difficult if not impossible for a hacker to execute remote SQL injection attacks.
If you haven’t installed WordPress yet, then during installation you can change the table prefix to the random string you generated previously. Make sure you add an underscore ( _ ) after the string so your tables are easier to read.
If you have already installed WordPress you can still change database prefix in two ways: either manually or using a special plugin.
- For manual database prefix change, go to cPanel > phpMyAdmin menu > choose the necessary database from the left side > click on SQL option above.
Here you need to run RENAME SQL queries on tables in your WordPress database:
RENAME table `wp_commentmeta` TO `newprefix_commentmeta`;
RENAME table `wp_comments` TO `newprefix_comments`;
RENAME table `wp_links` TO `newprefix_links`;
RENAME table `wp_options` TO `newprefix_options`;
RENAME table `wp_postmeta` TO `newprefix_postmeta`;
RENAME table `wp_posts` TO `newprefix_posts`;
RENAME table `wp_terms` TO `newprefix_terms`;
RENAME table `wp_term_relationships` TO `newprefix_term_relationships`;
RENAME table `wp_term_taxonomy` TO `newprefix_term_taxonomy`;
RENAME table `wp_usermeta` TO `newprefix_usermeta`;
RENAME table `wp_users` TO `newprefix_users`;
*where newprefix_ should be replaced with new database prefix you wish to have instead of wp_, then click Go:
- Once done, you will see the new database prefix has been applied to your WordPress database:
- After that you will need to search the options table for any other fields that is using wp_ as a prefix in order to replace them. It is necessary to run the following query in the same way:
|SELECT * FROM `newprefix_options` WHERE `option_name` LIKE ‘%wp_%’|
- Then click Go and you will get the result as on the screenshot below:
- Here you will need to go one by one to change these lines and replace the old database prefix with the new one. Once done, we need to search the usermeta for all fields that is using wp_ as a prefix with the help of this SQL query:
|SELECT * FROM `newprefix_usermeta` WHERE `meta_key` LIKE ‘%wp_%’|
- After that click Go and the following results will appear:
Number of entries may vary on how many plugins you are using and such. Here you need to change everything that has wp_ to the new prefix as well.
- Once done, make sure to update your wp-config.php file with new database prefix:
7. Plugins For Better Security
7.1. WP DB Backup
WP DB Backup is an easy to use plugin which lets you backup your core WordPress database tables just by a few clicks. Besides it is so easy, it
has also been one of the most used plugin to secure your WP-powered website.
7.2. WP Security Scan
With this plugin, scanning your WordPress-powered site will be a simple task. It finds the vulnerabilities in your site and offer useful tips on removing them.
7.3. User Locker
If you want to avoid brute-force hacking your site, then the User Locker plugin is right for you. It works on the same system as Login
Lockdown, however, it’s a 5-stars rated WP plugin which has a great fame among its users. With this plugin, scanning your WordPress-powered site will be a simple task. It finds the vulnerabilities in your site and offer useful tips on
8. Keeping the backups
Back up your data regularly, including your MySQL databases. A sound backup strategy could include keeping a set of regularly-timed snapshots of your entire WordPress installation (including WordPress core files and your database) in a trusted location.
The following is a very simple version of how to use phpMyAdmin to back up your WordPress database.
- 1. Click on Databases in your phpMyAdmin panel. (It may not be necessary to do this, depending on your version of phpMyAdmin)
- You may have several databases. Click the one that holds your WordPress data, the database you created when you installed WordPress.
- Below is a picture of the default tables in the Structure view tab. You may have more tables — this would happen if you have any statistics plugins or anti-spam plugins.
- Click Export. There are two methods to export, Quick and Custom; if you choose Custom, follow these steps:
1.1. Select all the tables.
1.2. In the Output section check Save output to a file and select None for Compression. (If your database is very large use a compression method)
1.3. Select SQL from the Format drop-down menu.
1.4. Check “Add DROP TABLE”: this can be useful for over-writing an existing database.
1.5. Check “IF NOT EXISTS”: this prevents errors during restores if the tables are already there.
1.6. Click Go. The data will now be saved into your computer.
Keep these files safe, copied and stored in separate places on separate media.
The tips provided above do not guarantee 100% secure of your WordPress website, however, they drastically decrease chances of getting hacked. We sincerely hope this article helped you enough in securing your online business and becoming a trouble-free and happy customer.