WordPress is the most popular CMS (Content Management System) in the world, powering more than 30% of the websites on the internet today. Choosing WordPress as your website platform is a good way to start: it is powerful and user-friendly, and its core is actively maintained. How secure a particular site ends up being, though, depends mostly on how it is hosted, configured and kept up to date.
Thousands of startups and large businesses use this free tool to build their own and their clients' websites.
Of course, no platform is 100% secure. Every day the WordPress community works to make the platform safer, and because it powers more than 30% of the web it is also a constant target: an attacker who finds one flaw in a popular plugin can try it against millions of sites.
Before getting to the tips, let's look at why WordPress sites get compromised in the first place.
- 41% of hacked WordPress sites were compromised through a vulnerability in the hosting platform
- 29% through a vulnerable WordPress theme
- 22% through an insecure WordPress plugin
- 8% through a weak password
Note what these numbers say: only a small share of break-ins come down to passwords. The bulk come from unpatched or poorly configured code on the server, which is why most of the tips below are about hosting, patching and configuration rather than credentials.
11 Powerful & Most Important Tips to Secure Your WordPress Website from Hackers
1. Use a Secure Hosting Company
Host your WordPress site in a secure environment. This is the first step you can take to keep it safe from attackers.
Whatever hosting provider you use, confirm that they run a firewall in front of your site, keep PHP and MySQL on supported, patched versions, and scan the server for malware. A PHP release that no longer receives security fixes is a liability no matter how well WordPress itself is maintained.
Some hosting companies with a good security track record are:
- Bluehost
- Siteground
- WP Engine
- Pagely
If your current provider cannot offer these basics, switch as soon as possible.
2. Use a Web Application Firewall (WAF)
Using a web application firewall is a good decision. A WAF inspects incoming HTTP requests and blocks those that match known attack patterns (SQL injection, cross-site scripting, exploits for known plugin bugs, login brute-forcing) before they reach WordPress. Keep in mind the difference between the two kinds: a plugin-based WAF runs inside PHP on your own server and only sees requests that already reached it, while a cloud WAF filters traffic in front of your server and then needs server-side rules so attackers cannot bypass it by connecting to the origin address directly.
For WordPress there are free and paid web application firewalls; some of them are:
- Wordfence (free firewall)
- Sucuri (Paid firewall)
- NinjaFirewall (free firewall)
- BulletProof Security
3. Change WordPress Prefix
Change your WordPress database table prefix if you did not do so during installation. Keeping the default makes an attacker's job a little easier: automated SQL injection tools assume table names such as wp_users and wp_options.
By default the prefix is 'wp_'. You can set it during installation or change it afterwards.
The free 'WP-DBManager' plugin is one option, or you can do it by hand with SQL. Either way the job has two parts: every table must be renamed, and the rows in the options and usermeta tables whose names begin with the prefix (wp_user_roles, wp_capabilities, wp_user_level) must be renamed as well, or every user loses their role after the switch. Then set $table_prefix in wp-config.php to the new value. Take a database backup first. Understand that this is obscurity, not a fix: it does not close an injection flaw, it only breaks tools that hard-code 'wp_'.
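What the prefix change actually involves, as an added example that is not from the article or from the WP-DBManager plugin: given the current table names and the new prefix, the shell function below emits the SQL to run. The table names and the new prefix 'k9x_' are made up for the demonstration; for a real site, pass the output of SHOW TABLES. It handles the step people forget (renaming the option and usermeta rows) and a subtle one: in SQL LIKE patterns the underscore is a single-character wildcard, so an unescaped 'wp_%' would also match unrelated keys such as Yoast's wpseo_* options and mangle them.

```shell
#!/bin/sh
# Added example, not from the article: generate the SQL for a WordPress table
# prefix change. Renaming tables alone is not enough: the options table holds
# <prefix>user_roles and usermeta holds <prefix>capabilities / <prefix>user_level,
# and those rows must be renamed too or every user loses their role.
# Usage: prefix_migration_sql OLD NEW TABLE...   (TABLE... = current table names)

prefix_migration_sql() {
    old=$1; new=$2; shift 2
    # Escape '_' for LIKE: unescaped, 'wp_%' also matches 'wpseo_...' (underscore is a wildcard).
    old_like=$(printf '%s' "$old" | sed 's/_/\\_/g')
    pos=$(( ${#old} + 1 ))                       # SUBSTRING is 1-indexed: first char after the prefix

    printf 'START TRANSACTION;\n'
    for t in "$@"; do
        case $t in
            "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$t" "$new" "${t#"$old"}" ;;
            *)       printf '%s\n' "-- skipped $t: does not use prefix $old" ;;   # another app's table
        esac
    done
    # Rows whose NAME embeds the prefix; run after the renames, so use the new table names.
    printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s%%';\n" \
        "$new" "$new" "$pos" "$old_like"
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$pos" "$old_like"
    printf 'COMMIT;\n'
    printf '%s\n' "-- then set \$table_prefix = '$new'; in wp-config.php"
}

# Demo with made-up table names (use SHOW TABLES output for a real database):
prefix_migration_sql wp_ k9x_ wp_options wp_usermeta wp_users wp_posts wpx_other
```

Pipe the output into the mysql client after checking it, and change wp-config.php in the same maintenance window: between the two steps the site cannot find its tables.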
4. Update Your WordPress Theme & Plugins Regularly
Update your theme and plugins as soon as updates are available. Most WordPress compromises come through outdated themes and plugins: once a vulnerability in a popular plugin is published, attackers scan for sites still running the old version, and an unmaintained plugin may carry unpatched holes or unsafe database queries indefinitely.
You will see a notification in the WordPress admin area whenever a theme or plugin update is available. Apply it before it is too late, and delete themes and plugins you do not use: a deactivated plugin's files are still on disk and still reachable over the web, so a flaw in one of them can still be exploited.
5. Eliminate Theme and Plugin Editor
If you need to change theme or plugin code, do not do it from the editor pages inside the WordPress dashboard.
Better, disable that editor altogether: an attacker who gets hold of an administrator account can otherwise use it to drop a PHP backdoor into a theme file without ever touching FTP or SSH. Add this line to wp-config.php, above the 'That's all, stop editing!' comment (a stricter relative, DISALLOW_FILE_MODS, also blocks installing and updating plugins and themes from the dashboard, which only makes sense if you deploy them another way):
define( 'DISALLOW_FILE_EDIT', true );
6. Switch to HTTPS
Use a valid TLS (SSL) certificate for your site. HTTPS encrypts the connection between browser and server, so login credentials and session cookies cannot be read or altered on the network.
If you run an e-commerce store you must use HTTPS, but every site with a login page should. You can get a free certificate from Let's Encrypt, and most hosts automate the renewal. Once it is in place, redirect all HTTP requests to HTTPS and set FORCE_SSL_ADMIN to true in wp-config.php so the login and admin pages are never served in the clear.
7. Create Strong Login Credentials
When you first install WordPress it asks for a username and password. Choose a password that cannot be guessed, and do not use 'admin' as the username: it is the first one every brute-force tool tries.
Don't pick a password yourself; use the password generator WordPress offers (or your password manager) and store the result, numbers and special characters included, in a password manager rather than a note.
You can also protect the login page from brute-force attacks, for example with the free 'Brute Force Login Protection' plugin, which limits login attempts per IP address. Remember that attackers also guess passwords through xmlrpc.php, which can batch many attempts into one request; check that your limiter covers it, and block it if you do not need it.
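Brute-force attempts leave an obvious trace in the web server's access log, so you can check for them yourself rather than trusting a plugin blindly. The shell/awk check below is an added example, not code from the article or from any plugin it names. It assumes the common "combined" log format (Apache and nginx default), reads the log on standard input, and counts failed login attempts per client: a failed POST to wp-login.php is answered with 200 because the form is re-rendered with an error, while a successful one redirects with 302; xmlrpc.php answers 200 either way, so every POST to it is counted. The log lines are constructed for the example, using documentation IP ranges.

```shell
#!/bin/sh
# Added example, not from the article: find clients hammering the WordPress login.
# Reads a combined-format access log on stdin and prints "count ip" for every
# client with at least LIMIT suspicious login requests.

# Constructed sample log (documentation-range addresses); not real traffic.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Mar/2024:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:01:05 +0000] "GET /about/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:01:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 700 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
EOF
}

# Fields in the combined format: $1 client IP, $6 "METHOD, $7 path, $9 status.
# A failed wp-login.php POST gets a 200 (form re-rendered); a successful one is
# a 302 to wp-admin, so only 200s count. xmlrpc.php returns 200 whether the
# credentials were right or wrong (the fault is inside the XML body), so every
# POST to it is counted.
login_failures_over() {
    awk -v limit="$1" '
        $6 == "\"POST" && (($7 ~ /^\/wp-login\.php/ && $9 == "200") || $7 ~ /^\/xmlrpc\.php/) {
            n[$1]++
        }
        END { for (ip in n) if (n[ip] >= limit) print n[ip], ip }
    ' | sort -rn
}

# Demo with a threshold of 3 on the sample. On a live server:
#   login_failures_over 20 < /var/log/apache2/access.log
sample_log | login_failures_over 3
```

The addresses it prints are candidates for a firewall block or a fail2ban jail. One caveat: this counts per IP, and a distributed attack spreads guesses over many addresses that each stay under the threshold, so also watch the total number of failed logins per minute and the usernames being tried.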
8. Disable PHP Error Reporting
When a theme or plugin hits a fatal or parse error, PHP's default behaviour is to print the message into the page, including the absolute path of the offending file. That tells an attacker the server's directory layout, which plugin is in use and often its version.
Attackers use this information to plan the next step. To switch the display off, put this in wp-config.php (errors should still go to the server's error log, which is where you want them):
define( 'WP_DEBUG', false );     // never leave debug mode on in production
@ini_set( 'display_errors', 0 ); // do not print PHP errors into responses
error_reporting( 0 );            // WordPress resets the level itself when WP_DEBUG is false; the display_errors line above is the one that matters
9. Protect Important Files from Direct Access
You can use an .htaccess file to block direct web access to sensitive files such as wp-config.php, php.ini and error logs. None of them should ever be served: wp-config.php holds the database credentials and secret keys, and if PHP handling ever breaks (a misconfigured server, a missing module) Apache would otherwise send its source as plain text. Editor backup copies such as wp-config.php.bak or wp-config.php~ are served as text even when PHP works, so the pattern below covers those too.
Put this in the .htaccess file in the WordPress root folder. It only takes effect on Apache with AllowOverride enabled; nginx ignores .htaccess entirely, so there the same deny rules belong in the server block.
<FilesMatch "(error_log|wp-config\.php.*|php\.ini|\.[hH][tT][aApP].*)$">
    # Apache 2.2 syntax (needs mod_access_compat on 2.4); the Apache 2.4 equivalent is "Require all denied"
    Order deny,allow
    Deny from all
</FilesMatch>
You can also disable directory listing, so that a folder without an index file (wp-content/uploads, for example) does not show every file it contains. Put this at the top of your .htaccess file. Use the form below rather than 'Options All -Indexes': Apache 2.4 rejects mixing bare options with +/- ones, and 'All' would also switch on things like ExecCGI and Includes that you do not want.
Options -Indexes
10. Correct Your WordPress File Permissions
File permissions are expressed as a three-digit octal number (owner, group, others). WordPress recommends 644 for files and 755 for directories: the owner can write, everyone else can only read (and, for directories, traverse). Whether wp-config.php can be tightened to 600 depends on the host: it works when PHP runs as the file owner (PHP-FPM pools, suPHP), but if the web server runs as a different user it will no longer be able to read the file and the site breaks. Never use 777 to 'make uploads work'; it lets every process on the server write into your site.
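As an added example (not from the article), the shell script below audits a WordPress tree for modes other than 644/755, counts anything world-writable, and repairs it. It assumes PHP runs as the file owner, so wp-config.php is set to 600; if your web server runs as a different user, drop that chmod and leave the file at 644. The demo builds a throwaway tree with the classic mistakes (a 777 uploads directory, a world-readable wp-config.php) in a temporary directory, so it is safe to run anywhere; point the functions at your real document root when you use them.

```shell
#!/bin/sh
# Added example, not from the article: audit and repair WordPress file modes.
# Assumption: PHP runs as the file owner (common with PHP-FPM pools), so
# wp-config.php can be 600; if the web server is a different user, leave it 644
# or it cannot read the database credentials. Files 644, directories 755.

# Entries whose mode is not the expected one (wp-config.php at 600 is accepted).
count_bad_modes() {
    files=$(find "$1" -type f ! -perm 644 ! \( -name wp-config.php -perm 600 \) | wc -l)
    dirs=$(find "$1" -type d ! -perm 755 | wc -l)
    echo $(( files + dirs ))
}

# Anything writable by "others": one shared-host neighbour, or one RCE in an
# unrelated vhost running as the same server user, is enough to overwrite it.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

fix_modes() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then
        chmod 600 "$1/wp-config.php"      # only when PHP runs as the owner (see above)
    fi
}

# Constructed sample tree with the classic mistakes, for the demo below.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads" "$site/wp-content/plugins/demo"
    printf '<?php\n' > "$site/wp-config.php"
    printf '<?php\n' > "$site/index.php"
    printf '<?php\n' > "$site/wp-content/plugins/demo/demo.php"
    chmod 777 "$site/wp-content/uploads"             # "to make uploads work"
    chmod 666 "$site/wp-config.php"                  # database password readable by everyone
    chmod 664 "$site/wp-content/plugins/demo/demo.php"
    printf '%s' "$site"
}

site=$(make_sample_site)
echo "before: $(count_bad_modes "$site") wrong modes, $(count_world_writable "$site") world-writable"
fix_modes "$site"
echo "after:  $(count_bad_modes "$site") wrong modes, $(count_world_writable "$site") world-writable"
rm -rf "$site"
```

Run the audit functions from cron and alert when the world-writable count is not zero: a plugin or a hurried fix that loosens modes is a common and silent regression.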
11. Implement Two Factor Authentication
Setting up two-factor authentication takes a little time, but it is one of the best moves you can make: a stolen or guessed password alone no longer gets an attacker in.
Two-factor authentication adds a second step to logging in to your WordPress site.
A smartphone is the usual second factor. You visit the login page and enter your username and password as usual; then a one-time code from an authenticator app on your phone (or sent to it) is required to complete the login.
You can use the free ‘Two Factor Authentication’ WordPress plugin for this.
Locking it Up
These 11 tips should help. Some are quick; others, like switching to HTTPS or rolling out two-factor authentication, take more time.
As mentioned, no platform is 100% safe. If you would rather not spend hours (or days) repairing the damage after a break-in, follow these steps carefully.