TOPICS
WordPress July 07, 2016 Udit Nag 51

10 Steps to Secure WordPress

10 Steps to Secure WordPress

Step 1 : Update WordPress

WordPress is updated at regular intervals to resolve security issues as they occur. So you should always keep it up to date with the latest version because older versions of WordPress are not maintained with security updates.

Also out dated plugins/themes are the most vulnerable to hacking. So Please make sure your plugins/themes are always updated. Also, if you are not using a specific plugin, delete it from the system.

 

Step 2 : Change Your Login/Password

The default WordPress username is “admin” which is known to everyone (hackers). So you must change it to something different. For instance “David86“. Add this as a new user and allow admin privileges. Don’t forget to delete the default admin account.

Typically hackers will try to brute-force your passwords. So you should be fine if the password is strong enough.

We would suggest you to use strong passwords always (http://strongpasswordgenerator.com) such as UPPER and lowercase letters, numbers, and symbols. For instance “Fl@weRs#1$“.

Please don’t use the following when choosing a password

  • Any permutation of your own real name, username, company name, or name of your website.
  • Dictionary word
  • A short password.
  • Any numeric-only or alphabetic-only password (a mixture of both is best).

 

Step 3 : Change file permissions

Allowing write access to your files is quite dangerous, especially in a shared hosting environment. Please make sure the following permissions are set on your files:

Folders should have 755 whereas files should have 644 permissions.

If you have shell access to your account, you can change file permissions recursively with the following command:

*Please note if you are unsure about linux commands we recommend you open a ticket where we can complete this for you

For Directories:
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} ;

For Files:
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} ;

 

Step 4 : Securing wp-config.php

Please make sure that only you (and the web server) can read this file (it generally means a 400 or 440 permission).

Step 5 : Prevent .htaccess Hacks

To prevent .htaccess hack, You can put this in that file (at the very top) to deny access to anyone surfing for it.

<files wp-config.php>
 order allow,deny
 deny from all
</files>

 

Step 6 : Disallow search engine

Most of the search engine spiders crawl your sites (including all its sub folders) unless they are told not to index them. For instance, there is no point in indexing your wp-admin folder of your site because it can lead to security issues.

So let’s block search engine spiders from indexing the WordPress admin area. Just add the following lines of codes to the robots.txt file in your public_html folder.

User-agent:
 Disallow: /cgi-bin
 Disallow: /wp-admin
 Disallow: /wp-includes
 Disallow: /wp-content/plugins
 Disallow: /wp-content/themes

 

Step 7 : Install WP Security ScanPlugin and User locker

WP Security Scan(http://wordpress.org/plugins/wp-security-scan) checks your WordPress website/blog for security vulnerabilities and suggests corrective actions such as passwords, file permissions,
database security, version hiding, WordPress admin security and removes WP Generator META tag from core code.

This User locker (http://wordpress.org/plugins/user-locker) plugin locks user account after given number of incorrect login attempts. This makes brute force and dictionary attacks nearly impossible.

 

Step 8 : Change Table Prefix

Sometimes your WordPress site might be affected by SQL-injection attacks. It is because of SQL-injection attacks make the assumption of default  table_prefix for a WordPress site is “wp_”. So changing this to be different prefix like “fish_” can block at least some SQL injection attacks.

  • You can change database tables prefix during the time of one click installation using softaculous.
  • You can also use WordPress Security Scan Plug-in to accomplish this(http://wordpress.org/plugins/wp-security-scan). This plugin has a tab called “Database” in which there is an option to rename table prefix completely.

Step 9 :  Change your WordPress Keys

If your WordPress site gets hacked its very important to change the keys and wp-admin password immediately because a hacker can still login to your WP admin even after your admin password changes. In most cases when a WP gets hacked the hacker can still gain access to your WordPress admin area via the use of cookies (your old keys/salt). You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.

You can use the WordPress Key Generator(https://api.wordpress.org/secret-key/1.1/salt) to generate the below keys. Edit wp-config.php file and find the following lines:

 define(‘AUTH_KEY’, ‘copy and paste the unique key here’);
 define(‘SECURE_AUTH_KEY’, ‘copy and paste the unique key here’);
 define(‘LOGGED_IN_KEY’, ‘copy and paste the unique key here’);
 define(‘NONCE_KEY’, ‘copy and paste the unique key here’);

Save it.

 

Step 10 : Remove vulnerabilities on your computer

  • Scan local computer with good antivirus, anti spy ware programs and clean bad programs.
  • There is no point in spending time securing your WordPress site if there is a keylogger on your computer.
  • Keep your software up to date, especially your web browser.

EXTRA: Only Allow Admin Login From 1 IP Address

If you’re completely sure you have a dedicated (static) IP address from your ISP you may want to restrict access to your WordPress admin interface to your IP address only.

To do this simply edit the .htaccess file in the public_html folder and add the following code at the top.

<Files wp-login.php>
        order deny,allow
        Deny from all

# whitelist First IP Address
allow from xx.xxx.xx.xx

#whitelist Second IP Address
allow from xx.xxx.xx.xx

</Files>

Note: If a brute force attack were to occur on your site we recommend that you change the permissions on the wp-login.php file to completely hide it. This will stop the attack as the page being hacked will be inaccessible. To do this simply set the permissions to 000.

Then when you need to log in to your WordPress admin area again just revert the permissions back to 644.

4.7/5 - (3 votes)
Udit Nag
The Author

Udit Nag

Related posts

Benefits of WordPress As Your Content Management System
13 August
WordPress
Benefits of WordPress As Your Content Management System

Setting up a new website is like setting up a new physical store. To help people find what you’re offering, you need to display your goods in a way that looks appealing, makes sense, and […]

Read more
83 comment 0 By Udit Nag
How to Identify and Fix a Hacked WordPress Website
28 December
WordPress
How to Identify and Fix a Hacked WordPress Website

Is WordPress hack-proof? Never say never, but it is commonly accepted that the WordPress Core has strong security. Professional analysis of hacked WordPress sites typically reveals the point of entry to be the result of […]

Read more
61 comment 0 By Udit Nag
16 Ways to Optimize and Speed Up WordPress Sites
16 November
WordPress
16 Ways to Optimize and Speed Up WordPress Sites

WordPress, as a platform, is extremely well coded. However, some people mess their WordPress installations up by installing tons of low-quality plugins, choosing an awful web host, and filling their site with heaps of garbage. […]

Read more
81 comment 0 By Udit Nag

Leave a Reply

Your email address will not be published. Required fields are marked *

Become the part of Parallax Hosting family now!

Get Started