Protect Your WordPress Website From Hackers With These 25 Tips
Disha Thakkar
SEO Specialist | Content Strategist | Driving Organic Growth and Engagement
Today, technology is taking the online world to a completely different stage. But still several businesses and individuals are finding a platform that is free and open to all and that is WordPress. WordPress is a popular open source CMS and therefore, it is used by all.
Being a free platform, it is vulnerable to several threats by hackers. Therefore, securing your WordPress site from hackers is the first thing that strikes your mind. Hackers are discovering new skills and so, it has become crucial for all WordPress users to take preventive measures in protecting their WordPress site.
On an individual level, you can learn from your mistakes but in terms of business, you just can’t take any risk. You can‘t even imagine the loss you would face, in case your website faces an attack. As a blogger or a eCommerce business owner, you are always occupied with content creation and product sale and so there’s no focus on website security.
No one wants to wake up suddenly on some day and find that your WordPress site is hacked and your website security is scorned by some hacker. Do you want it to be your wake-up call? No. Right?
Below are some tried, tested and efficient ways to protect your WordPress site:
Secure Your Login Page and Avoid Brute Force Attacks
Being a WordPress user, you know that the platform has a standard login page URL. The backend of the website is accessible from there and so, hackers try to brute force their way in. Simply adding /wp-login.php or /wp-admin/ at the end of your domain name will make it for you.
Below are the important things to be considered to secure your login:
1. Changing your login and password
Many WordPress users select “admin” as their default WordPress login username and this is very well known by hackers. Your login should be changed to something else that would confuse a hacker when trying to guess it. The username must comprise of some irrelevant name or something out of the blue but yes ensure that you remember it.
Next is the password which should contain lower case as well as upper case letters, numbers and symbols too. For example: your password should be like “iwbgfMT23$$”. You can make such combinations of the passwords and change them regularly.
For creating a strong password, you can follow a technique mentioned here. Take a sentence that you would recall, if you set it as a password. Pick the initials of the words in that sentence and add some digits and symbols to it. This type of password is almost very hard to be guessed as it would be meaningless.
2. Set up website lockdown and ban users
Have you heard about website lockdown feature? This can help solve a big problem by giving failed login attempts to the outsiders. When the hacker tries to access the site with repetitive wrong passwords, site will get locked and you will be notified of this unauthorized activity.
The iThemes Security plugin offers you the feature of failed login attempts and blocks the attacker’s IP address when the hacker tries to attempt to enter your website.
3. Use 2-factor authentication
Adding the 2-factor authentication (2FA) while logging into a website, is another security measure which is being applied by many websites today. This means the user provides login details for two different components. It depends on the website owner what those two factors would be. Those can be a regular password followed by a secret question, a secret code, a set of characters, etc.
4. Rename your login URL
Changing the login URL is an easy thing to do. The WordPress login page, by default, is easily accessible via wp-login.php or wp-admin added to the site’s main URL.
If the direct URL of your login page is known to the hackers, it is very easy for them to enter your website with a brute force attack. They try to log in with their Guess Work Database (also called as GWDb which is a database of guessed usernames and passwords; e.g. username: admin and password: p@ssword … with millions of such combinations).
This is a small trick that restricts an unauthorized user to access the login page. Only someone who knows the exact URL can do it. You can change the URLs as shown in below examples:
- Change wp-login.php to something unique; e.g. my_new_login
- Change /wp-admin/ to something unique; e.g. my_new_admin
- Change /wp-login.php?action=register to something unique; e.g. my_new_registration
5. Use email as login
You need to input your username to log in by default. Instead of using a username, you can use an email ID for a more secure approach. This is because usernames can be easily predicted while email IDs can’t be. Additionally, any WordPress user account is always created with a unique email address which makes it a valid indicator for getting logged in.
You can use the WP Email Login plugin for this as it starts working immediately after activation and there isn’t any configuration required at all.
For taking a test, you need to simply log out of your website and then log in again but this time you need to use the email address that you used for creating the account.
Related: Protect Your WordPress with These Amazing Security Tips
Secure your admin dashboard
The admin dashboard is the most interesting part for a hacker and the most secured section of all. It is quite challenging part for attacking the admin section but if the hackers succeed, it gives them a moral victory and access to exploit several things.
Here’s what you can do:
6. Protect the wp-admin directory
The wp-admin directory serves as the heart of any WordPress website. In case, this part of your site gets violated then the complete site might get damaged.
You can prevent this by password protecting the wp-admin directory. This type of security measure will allow the website owner to access the dashboard only after submitting two passwords. One is for securing the login page while the other secures the WordPress admin area. If the website users need to get access to only particular parts of the wp-admin, you may unlock those parts when you lock the rest.
The AskApache Password Protect plugin can be used for securing the admin area. An .htpasswd file is automatically generated; the password is encrypted as well as the correct security-enhanced file permissions are configured.
7. Use SSL to encrypt data
Another smart trick to protect the admin panel is to implement an SSL (Secure Socket Layer) certificate. With SSL you can ensure that your data is transferred in a secure way between the user browsers and the server which makes it difficult for hackers to breach the connection or spoof your info.
You can get an SSL certificate for your WordPress website easily, just by purchasing from some dedicated companies or asking for your web host to provide you with one (you will often find an option for SSL with the hosting packages).
Don’t forget that the SSL certificate also has a great impact on your website’s rankings in Google. The websites that are SSL certified rank higher in Google, as compared to those that aren’t. This ultimately means that there’s no more traffic. Do you want this to happen? Therefore, understand the importance of SSL to encrypt data.
Related: SSL Certificate Can Act Like A Superman To Protect Your Website
8. Add user accounts with care
In case, you are running a WordPress blog or a multi-author blog then you might be dealing with multiple people that access your admin panel. Due to this, your website can be highly vulnerable to security threats.
For this, installing a plugin like Force Strong Passwords might help your users for ensuring that the passwords they use are secure or not.
9. Change the admin username
While installing WordPress, don’t choose the username as “admin” for your main administrator account. This is very easily guessed by the hackers and they just need to know the password after this, leading to destruction of your website.
These types of attempts can be stopped with the use of the iThemes Security plugin that cleverly bans any IP address immediately as it tries to attempts to login with the “admin” username.
10. Monitor your files
For additional security, use plugins such as Wordfence, or again, iThemes Security that monitor the changes to the files of the website.
Secure the database
The site’s data and information is stored in the database and so, it is important to protect it. Below are the ways in which you can secure it:
11. Change the WordPress database table prefix
In case you have installed WordPress, you might be aware of the wp- table prefix used by the WordPress database. You need to change it to something unique.
Your database becomes highly vulnerable to SQL injection attacks with this default prefix. You can prevent such attack simply by changing wp- to some other term, for example, you can make it mywp-, wpnew-, etc. You can take the help of plugins such as WP-DBManager or iThemes Security for this.
12. Back up your site regularly
Though you think your website is secure with all the essentials but it’s always better to improve. So, it’s always better to keep an off-site backup of your website saved somewhere.
When you have a backup, it can help you restore your WordPress website to a working state at any time you require. There are some plugins such as VaultPress, BackupBuddy, BlogVault, CodeGuard, UpdraftPlus, etc. that can help you in taking backup of your WordPress website and restore it when required.
Related: 7 Excellent WordPress Backup Plugins For Easy Website Backup
13. Set strong passwords for your database
Even your main database user needs to have a strong password. It is the one that WordPress uses for accessing the database.
As recommended above, use combination of uppercase, lowercase, numbers, and special characters for the password.
14. Check your ‘comments’ and forms settings
When you enable comments on your posts, it is important to check your ‘Discussion’ settings. Ensure that all the comments are approved manually. It would add more administration work from your side but it’s always the best way for ensuring that no spam comments are entered.
Also, don’t miss to check that akismet is activated and that a Captcha is enabled on all your contact forms.
Secure your hosting setup
Almost all the hosting companies commit to offer an optimized environment for WordPress, but we can take a step further:
Related: Understanding Managed WordPress Hosting and When do you need one?
15. Protect the wp-config.php file
Crucial information about your WordPress installation is stored in the wp-config.php file which is the most important file in the root directory of your site. Securing it means securing the heart of your WordPress website.
If the wp-config.php file isn’t accessible to the hackers then they can’t breach the security of your site.
The good point here is that this can be done very easily. You simply need to take your wp-config.php file and place it to a higher level than your root directory.
If you store it to some other place, how can the server access it? The configuration file settings in the current WordPress architecture are set to the highest priority. So, though the file is stored one fold above the root directory, it is still visible to WordPress.