13 Steps to Follow to Protect WordPress Website
WordPress is on the list of the most popular CMS in the world. About 18.9% of websites are built on it. Furthermore, the number of installations has exceeded 76.5 million. Unfortunately, such popularity has its downsides. According to the Security research, WordPress is the main target for hackers.
Today, programmers and developers tend to use different security tools like VPNs to safeguard their sites and data stored online. There are both paid and free VPNs like Betternet, for example.
But, one thing at a time.
If you follow all the pieces of advice highlighted in this blog post and don’t make these 5 security mistakes, your WordPress site will not fall victim to crackers.
Just before you start reading this article, make sure:
- you have access to the WordPress Control Panel;
- access to the hosting account (optional).
STEP 1 – VPN PROTECTION
Compromised free Wi-Fi hotspots can help hackers to get access to your sensitive data, such as passwords, credentials, search history, files stored on your device and to install scumware on your WordPress site.
VPN subscription is one of the best ways to be safe on the Internet when you work with a WordPress site. VPNs serve to encrypt data sent and received through the world wide web.
To safeguard your site, you:
- subscribe to a credible provider;
- install the application on a device used when working with WP;
- connect to a secured VPN server and start your safe work online.
STEP 2 – LOGIN INFORMATION
Do you use a standard ”admin” to log on your WordPress site? Answering ”yes”, you reduce the level of your site protection. Hackers have strong chances to lay their hands on such site. It’s highly recommended to change a user name into something more complicated or to create a new admin account. Here’s an action plan:
- enter the control panel of your WP site;
- add a new user in the section ”Users”;
- the new user is to obtain Administrator privileges;
- use new login information to work with the CMS;
- delete a standard account.
A reliable password is at the forefront of WordPress website security. It is more complicated to crack a password that contains numbers, lower and upper case letters, and additional symbols.
There are special services to help with this issue. They serve to generate and save passwords in one safe place. You are to think up only one password for this manager, and all the rest will be done by the service.
Here is a couple of examples: LastPass, 1Password, Sticky Password.
STEP 3 – RECENT VERSION OF WORDPRESS
It is one of the most important steps on the way to WordPress security. If you need a malware-free site, you are to be convinced that the WP version you use is up-to-date. This advice might look easy, but 22% of all WordPress installations falls for the share of the last version of this CMS.
WP has implemented an automatic update function for version 3.7 (it works only for some security updates). Other updates should be installed manually. Don’t ignore them!
STEP 4 – TWO-FACTOR AUTHENTICATION
Two-stage authentication provides WP site with the additional level of protection. It’s highly likely you have already tried it for email or online banking. Why not use it for website’s safety?
It’s not an easy task to enable two-factor authentication for WordPress. You are to install an app for your smartphone and configure it for your site.
STEP 5 – DISABLE PHP ERROR REPORTING
One might find such reports rather useful when being engaged in website development and being minded to make sure the site works properly. But the demonstration of such errors is a serious failure in WordPress security.
You are to fix it within the shortest possible time. No special skills are required to disable PHP error reporting on the WP site. The majority of hosting service providers offer this option on the Control Panel.
If you haven’t found it there, just add the following lines to your wp-config.php file:
That’s all there is to do! The error reporting function is disabled.
STEP 6 – SAFE WEB HOSTING
Perhaps, this step might seem a bit strange for you, but it is still worth following it. According to the statistics, over 40% of WordPress websites were hacked because of security holes in hosting accounts. This data should make you think about secure hosting.
When choosing a web hosting for your WP site, you are to keep in mind:
- a server should have a third-party firewall and scanning tools;
- the function of automatic back-up is a must;
- your login account is to be isolated from other users.
This step allows protecting your business when you have an e-commerce site and preventing data leak when you keep a blog.
STEP 7 – TRUSTED TEMPLATES
Remember that free cheese is only found in a mousetrap. It is subject to nulled templates and plug-ins.
There are thousands of nulled plug-ins and templates on the Internet. Due to various file-sharing services and torrent trackers, users can download them free of charge. But people can face serious troubles when working with such free WordPress templates. The thing is that most of such free files contain malicious software and black hat SEO links.
Stop using such nulled templates and plug-ins. That would not only unlawful but also such files can be harmful to WordPress site security.
It’s better to use this site to download themes and plug-ins for your WP website.
STEP 8 – DISABLE FILE EDITING
It is a common knowledge that WordPress possesses a built-in editor which allows editing PHP files. Many users find this function very useful as it serves to edit files in a very handy way. Nevertheless, in the event hackers manage to get access to your site’s Control Panel, file editor will be the first thing to attract their attention.
Thus, many WP sites owners disable this function. Here’s what to do:
- open wp-config.php file;
- add define ( ‘DISALLOW_FILE_EDIT’, true ); to this file.
That’s it. File editing is disabled.
STEP 9 – SCAN WP SITE
Adversaries use weak sides of templates and plug-ins to infect WP sites with malicious software. That is why it’s recommended to check your site for infection. Developers have worked out a set of good plug-ins for such purposes. They allow users to scan sites and recover infected files with a couple of clicks only. Some add-ons can even prevent DDoS attacks.
We have prepared for you our own top 3 security plug-ins:
- BulletProof Security;
- Sucuri Security.
STEP 10 – MORE BACK-UPS
Sometimes it happens that even large sites undergo hacking attacks despite the fact that their owners spend thousands of dollars on security precautions. If you follow the rules of the best practice in this issue, you still need to back up on a regular basis.
There are several ways to back up. For example, you can download all the site’s files manually and export the database or make use of the service offered by your hosting company.
However, we’ll cover one more way to do it – WordPress plug-ins. They were designed to back up automatically. The most popular ones are here:
STEP 11 – DELETE UNNECESSARY TEMPLATES
It is recommended to check if there are any plug-ins or templates you don’t use anymore. If there are, you’d better delete them. This measure is explained by the fact that hackers use such files to access the Control Panel of your site or to infect it with malicious soft.
When you delete such templates and plug-ins, the risk of your site to be cracked decreases.
STEP 12 – CHANGE STANDARD DATABASE PREFIXES
WordPress database contains key information necessary for the efficient operation of your website. As a result, it becomes one more target for resourceful hackers and spammers who try to integrate SQL-code.
During WordPress startup, not many people bother with changing a standard database prefix (wp_) and how wrong they are!
In fact, 1 out of 5 WordPress cracks is occasioned by SQL-code integration.
STEP 13 – IMPROVE WP PROTECTION
Do you know that an .htaccess file is responsible for the correct work of WordPress links? I fact, it is. An .htaccess file should contain correct data, otherwise, there would be a lot of 404 errors.
However, not many users know that this file can be used for additional protection of a WordPress site. For example, you can fence off to PHP in definite folders.
For example, it is possible to allow access to the WordPress admin area by means of definite IP addresses.
In spite of the fact that WordPress CMS can be cracked by hackers, it is not an uphill struggle to improve its security level. Just follow 13 simples steps described in this post and your WordPress site will not fall victim to cyber attack.