WordPress is the most widely used content management system in the world. According to the data, it powers nearly 34% of the web, which makes security issues all the more significant. WP is also a favorite target of hackers, because many webmasters do not have sufficient knowledge of how to run a WP security check.
Just like all other software, WordPress has vulnerabilities. Every day thousands of WP websites are hacked. That is why, every day, a lot of people type 'How To Prevent WordPress Hack?' into Google.
You will find thousands of articles and WordPress security plugins, but an overlooked reality is that most of these articles are not updated frequently. Hence their credibility declines to a minimum, or even to zero, because the IT landscape is constantly changing. WP security is an important issue, and you need up-to-date knowledge to address it properly.
Here, we have compiled a list of the 13 easiest, most basic and up-to-date hacks for WordPress security.
Frequent Backups
The very first and most basic step towards WordPress security is backup. Whenever you make a change, do not forget to back up the entire database of your website. You may do it manually or via a plugin. One of the most famous plugins for this is BackupBuddy. You can also use the WP security plugins below to back up your site:
- All-in-One WP Migration
- Jetpack by WordPress.com
- UpdraftPlus Backup Plugin
- BackWPup
- Duplicator – Migration Plugin
Update WP Version
Updating your WordPress to the latest version is the most crucial aspect, and you should not ignore it in any scenario. The WordPress team is always striving to give you the best possible protection and creates patches to fix different security loopholes. If you do not install new patches and hackers use old loopholes to break into your website and steal your confidential data, you have no one to blame but yourself. Keep following the WordPress feed to find out about the latest updates.
Choose Username and Password Wisely
The most common mistake is having a commonly used username and password. Many people's username is simply admin, and hackers are wise enough to take advantage of anything guessable. Your username and password must be difficult to guess. Passwords should be a combination of everything: upper case, lower case, numbers, symbols, etc.
Update SALT Security Keys
The security keys and salts in WordPress are the variables WordPress uses to keep your login information in encrypted form. By default, WP saves your login data in cookies which, given the right conditions, may be compromised, especially when using public computers.
One way to stay ahead of this risk is to change your security keys manually in the wp-config.php file, which is in the root directory of your WordPress website. The security and SALT keys look like this:
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
The first thing you have to do is install and activate the Salt Shaker plugin. For more details, check out how to install a WP plugin.
Once the plugin is activated, navigate to the Tools » Salt Shaker page in your wp-admin to set a schedule for changing the SALT keys.
Great! Now tick the checkbox for automatically changing the salt keys and then select your schedule from the dropdown.
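If you would rather rotate the keys yourself (for example from a cron job) instead of through a plugin, here is an added Python helper, not code from the article or from the Salt Shaker plugin: it rewrites the eight define lines in a wp-config.php with fresh values from the OS random source and leaves every other define alone. The function and constant names and the sample config are constructed for this example.

```python
import re
import secrets
import string

# The eight security key/salt constants WordPress defines in wp-config.php.
WP_SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Characters that are safe inside a single-quoted PHP string literal
# (no single quote and no backslash, so nothing needs escaping).
SALT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:;,.<>?/|~"

# Matches one  define('NAME', 'value');  line; the value contains no quote.
DEFINE_RE = re.compile(r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\);")


def new_salt(length=64):
    """Return a fresh random salt from the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Replace the value of every known salt define in wp-config.php text.

    Returns (new_text, rotated_names). Other defines (DB_NAME, ...) are left
    untouched, and a salt that is absent from the file is not invented.
    Rotating the salts invalidates every existing login cookie, so all
    users, including you, are logged out and must sign in again.
    """
    rotated = []

    def replace(match):
        name = match.group("name")
        if name not in WP_SALT_KEYS:
            return match.group(0)
        rotated.append(name)
        return "define('%s', '%s');" % (name, new_salt())

    return DEFINE_RE.sub(replace, config_text), rotated


# Constructed sample of the relevant part of a wp-config.php (not a real file).
SAMPLE_CONFIG = "<?php\ndefine('DB_NAME', 'wordpress');\n" + "".join(
    "define('%s', 'put your unique phrase here');\n" % key for key in WP_SALT_KEYS
)

if __name__ == "__main__":
    new_text, names = rotate_salts(SAMPLE_CONFIG)
    print(new_text)
    print("rotated:", ", ".join(names))
```

Run it against a copy of your real wp-config.php, check the output, and only then write it back; keep a backup of the original file as the Frequent Backups section advises.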
Install Security Scan Plugin
Install the plugin named Wordfence Security – Firewall & Malware Scan. This simple plugin automates the work: it scans your WordPress website and informs you if any malicious content is there.
You are safe if all the text is green in the admin panel. Otherwise, you might be swimming in dangerous waters.
Change Database Table Prefix
The default table prefix, wp_, is easy to guess, which facilitates SQL injection attacks.
Examples of a good prefix are "wpdb23_" or "sasdoe265_". Changing your database table prefix is highly recommended, and there are two ways to do it. The manual way requires some work and is not suitable if you are a novice.
The WP Security Scan plugin is there to help you out and simplify your work. It has a tab called "Database". Once you are in this tab, you have the option to rename your entire table prefix to something unpredictable. That takes you a step closer to unbreakable WordPress security.
Block Search Engine Spiders From Indexing the Admin Section
Search engine spiders crawl all over your website. By default they index all content unless they are instructed otherwise.
The admin section contains sensitive information, so we do not want it to be indexed. The easiest way to do this is to create a robots.txt file in your root directory. The next step is to paste the following code into the file.
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*
Protecting .htaccess
Place the following code in your domain's root .htaccess file to prevent external access to it.
# STRONG HTACCESS PROTECTION
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
Directory Browsing Should Not Be Allowed
Prohibit your visitors from browsing your entire directory tree, as it may help hackers find security holes. Add these two lines to the .htaccess in the root directory of your WordPress website.
# disable directory browsing
Options All -Indexes
Protect wp-config.php
This file is as important as .htaccess. Add the following code to .htaccess to secure wp-config.php.
# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
Secure WP Admin Files
Only you and your fellow bloggers should be able to access wp-admin. You can use .htaccess to restrict access and allow only particular IP addresses to reach this directory.
It is a good option if you have a static IP address and you always blog from your own computer. In the case of a multi-user blog, however, you may not want to go for it; you may instead allow access from a range of IPs. For complete instructions on setting this up, refer to Apache's documentation on mod_access.
Type the code below into the .htaccess in the wp-admin folder. Be careful not to type it into the root folder.
# deny access to wp admin
order deny,allow
# xx.xx.xx.xx is your static IP
allow from xx.xx.xx.xx
deny from all
This will prevent browser access to any file in this directory from any address other than "xx.xx.xx.xx", which should be your static IP address.
Another method of restricting access to the directory is to require a password via .htaccess.
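To produce that wp-admin .htaccess for one address or a range without typos, here is an added Python helper (not from the article): it validates every entry with the standard ipaddress module and emits either the Order/Allow/Deny form used above, which Apache 2.4 only accepts when mod_access_compat is loaded, or the native Apache 2.4 Require form. The function names, the apache24 flag and the sample addresses are this example's own.

```python
import ipaddress


def parse_allow_list(entries):
    """Validate a list of IPs / CIDR ranges; raises ValueError on a bad entry."""
    # strict=False also accepts "198.51.100.7/24" (host bits set in the mask).
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def render(net):
    # A single host is written bare, a range in CIDR form; both are accepted
    # by "allow from" (2.2) and "Require ip" (2.4).
    return str(net.network_address) if net.num_addresses == 1 else net.with_prefixlen


def htaccess_allow_list(entries, apache24=True):
    """Render a wp-admin .htaccess that admits only the listed addresses.

    apache24=False: Order/Allow/Deny directives (Apache 2.2, or 2.4 with
    mod_access_compat). apache24=True: the Require directives Apache 2.4
    understands natively. Everyone not listed gets 403 Forbidden.
    """
    nets = parse_allow_list(entries)
    lines = ["# deny access to wp-admin except from the listed addresses"]
    if apache24:
        lines.append("<RequireAny>")
        lines += ["    Require ip %s" % render(n) for n in nets]
        lines.append("</RequireAny>")
    else:
        # "deny from all" is evaluated first, then the allow lines override it.
        lines += ["order deny,allow", "deny from all"]
        lines += ["allow from %s" % render(n) for n in nets]
    return "\n".join(lines) + "\n"


def is_allowed(client_ip, entries):
    """Check whether a client address would pass the generated allow-list."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in n for n in parse_allow_list(entries))


if __name__ == "__main__":
    # Constructed sample: one static office address plus one VPN range.
    sample = ["203.0.113.7", "198.51.100.0/24"]
    print(htaccess_allow_list(sample, apache24=False))
    print(htaccess_allow_list(sample, apache24=True))
    print("198.51.100.42 allowed:", is_allowed("198.51.100.42", sample))
```

Check the Apache version on your host (apachectl -v) before choosing the form; mixing the two styles in one directory makes 2.4 deny everything or error out.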
Counter SQL Injection
Copy and paste the following code at the end of the .htaccess file in your root directory to help block SQL injection attempts through the query string.
# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
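Before deploying a blocking rule it is worth knowing exactly what it will reject. The added Python below (not from the article) re-implements the three conditions above the way Apache evaluates them, against the raw, still URL-encoded QUERY_STRING, with [NC] making only the first pattern case-insensitive and [OR] chaining them, and runs them over constructed access-log entries so you can see which requests the RewriteRule would answer with 403. The rule names, the log format and the sample lines are assumptions of this example.

```python
import re

# Python equivalents of the three RewriteCond patterns in the snippet above.
# Apache matches them against the raw QUERY_STRING (not URL-decoded), which is
# why each pattern lists both "<" and its encoding "%3C". The [NC] flag is
# only on the first condition, so only that one is case-insensitive.
RULES = (
    ("script-tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS-overwrite", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST-overwrite", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
)

# Constructed log format for this example: client_ip "GET /path?query HTTP/1.x"
LOG_RE = re.compile(r'(\S+) "GET (\S+) HTTP/1\.[01]"')


def matching_rule(query_string):
    """Return the name of the first condition that matches, or None.

    The conditions are joined with [OR], so a single match is enough for the
    RewriteRule with [F] to return 403 Forbidden.
    """
    for name, pattern in RULES:
        if pattern.search(query_string):
            return name
    return None


def audit(log_lines):
    """Replay the rules over log lines; returns [(client_ip, path, rule)] for
    every request the .htaccess would have blocked. Reviewing this list on a
    day of normal traffic shows whether the rule hits legitimate visitors."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        path, _, query = target.partition("?")
        rule = matching_rule(query)
        if rule:
            hits.append((client, path, rule))
    return hits


# Constructed sample entries (not real log data).
SAMPLE_LOG = [
    '198.51.100.10 "GET /?p=123 HTTP/1.1"',
    '198.51.100.11 "GET /?s=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1"',
    '198.51.100.12 "GET /index.php?GLOBALS[foo]=bar HTTP/1.1"',
    '198.51.100.13 "GET /?s=hello+world HTTP/1.1"',
]
```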
There is also a great WordPress developer community on Facebook (wpworkforce) and on Reddit (WPSecurity), and great online courses are available on LinkedIn.
They are right when they say that prevention is better than cure. We do not claim that these secure-WordPress-site hacks make it 100% impossible for anyone to hack your WordPress website, but we promise that the probability of such incidents will be reduced to a minimum.
If you know any other super hack(s) for better WP security, feel free to share them in the comments section.