Secure Your WordPress

These days, WordPress sites get hacked all the time. That is no reason to doubt WordPress (any site can be hacked, whether it runs WordPress or anything else), but treat it as a wake-up call: everyone on the Internet should pay more attention to the security of their websites.

Attackers usually get in through a vulnerability in a plugin or theme you use, or in the WordPress engine itself, and once inside they plant a backdoor so they can come back later. Here are several tips on securing your WordPress site against hacking and malware:

  1. Use a strong password
    People often pick something simple for their password such as a phone number, a birthday or a name, and worse still, a word found in a dictionary. Attackers use two related techniques: a brute-force attack tries every combination of characters, and a dictionary attack tries every word in a wordlist plus the obvious variations (capital letters, digits on the end, letters swapped for look-alike digits). Because those swaps are among the first rules a cracking tool applies, th1s-p4ssw0rd is only marginally better than this-password. The best password is long and not derived from dictionary words at all: several unrelated words chosen at random, or a random string kept in a password manager. Pair it with a limit on failed login attempts so that guessing is slow as well as unlikely to succeed.
  2. Modify the .htaccess file
    Editing .htaccess without understanding it is risky: one syntax error and Apache returns a server error for the whole site, so make a backup of the file before you start. Some hosts (the original post names Yahoo.com) do not allow .htaccess files to be created, deleted or modified at all; if your site is on such a host, you cannot follow these steps. Create a new .htaccess file in your wp-admin folder with the content below. It allowlists specific IP addresses for the WordPress Dashboard and denies every other address, so unless the attacker is on your home or office connection they cannot reach the admin pages at all. Two caveats: the directives are Apache 2.2 syntax (on Apache 2.4 the same rule is written with Require ip, and the old form only works if mod_access_compat is loaded), and wp-admin/admin-ajax.php is used by many themes and plugins for requests from ordinary visitors, so exempt that one file from the restriction or those features will break for everyone outside the listed addresses. Remember to update the list when your home or office address changes.
    # IP-based allowlist for the Dashboard (Apache 2.2 syntax; no AuthType or
    # password file is needed, access is decided purely by client address)
    order deny,allow
    deny from all
    # your home IP address (replace with the real address)
    allow from xxx.xxx.xxx.xxx
    # your office IP address
    allow from yy.yyy.yyy.yyy
  3. Change the wp-admin URL
    WordPress lets the URL where its files live differ from the URL visitors use for the site. If your domain is example.com, an attacker will by default try example.com/wp-admin (and example.com/wp-login.php) first, because that is where WordPress keeps the admin files. With the two addresses split, you have one URL the public uses to read your content and another under which WordPress core, including the Dashboard, is served. Let's say example.com is your site's URL and example.org/wp-admin is your wp-admin URL. The second address must be a host or directory you already control (WordPress does not conjure it up for you), and this is obscurity rather than access control: the login page still answers at the new address, and links and redirects from the site reveal it. Combine it with the IP restriction from step 2 or a limit on login attempts rather than relying on it alone.

    To do this, go to the WordPress Dashboard → Settings → General and set "WordPress Address (URL)" and "Site Address (URL)" accordingly.

  4. Create a redirect file
    If you open http://www.your-site.com/wp-includes and the server has directory listing enabled, you will see a listing of every file in the folder, and handing an attacker the full layout of your installation is definitely not safe. Do not block wp-includes itself: themes and plugins load scripts and styles from it, so visitors need to read those files. What you want to stop is the listing. The cleanest fix is to disable directory indexes for the whole site (Options -Indexes in the site's .htaccess); the method below, a redirect page dropped into the folder, works for one folder at a time. If you ask yourself who in the world would request that URL: attackers and their scanners do, routinely. To send such visitors to your home page instead, create a file named index.html in wp-includes with this content:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <html>
    <head>
    <!-- 0 seconds: the browser loads the home page immediately -->
    <meta http-equiv="refresh" content="0;url=http://www.your-site.com/">
    </head>
    <body></body>
    </html>
  5. Do a daily backup
    Back up your theme files and your SQL database every day. If your site is hacked, you can restore them through FTP, cPanel, or usually an app in your hosting control panel. Attackers commonly modify the index.php of your WordPress theme (injected code there runs on every page) and the wp_users and wp_usermeta tables in your database, so they can change an existing administrator's password or create a new administrator account. Keep several days of backups and store them off the server: a backup taken after the break-in already contains the backdoor, and one kept on the compromised host can be deleted along with the site.
  6. Update your WordPress copy
    Always update WordPress, and your plugins and themes, whenever an update is available. It only takes a click!
  7. Do a clean upload
    Make sure any files you upload are free of malware. An infected file can compromise other files on the server (which gets very complicated on shared hosting, where one account can affect its neighbours), and once Google flags the site, visitors see a red warning page instead of your content. That is simply telling visitors to go away, and you don't want that.
  8. Install a security plugin
    The WordPress community provides several security plugins that help protect your site. They work on the site's backend, hardening settings and watching for attacks. This is the plugin we really recommend.
  9. Don't use an outdated plugin
    Before using a plugin, check its page on WordPress.org rather than installing it blindly from the search box in your Dashboard. The WordPress.org page shows when the plugin was last updated and which WordPress version it was tested with, and warns you when it is out of date.
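A worked dictionary attack for tip 1, added here as an example and not code from the original post. It hashes a password with the phpass "portable" scheme (the $P$ hashes WordPress used for years, re-implemented here in Python), then runs a short wordlist through the kind of substitution rule a cracking tool applies, trying every combination of single words and word pairs with each eligible letter swapped or left alone. The wordlist, the two target passwords and the reduced iteration count (WordPress used $P$B, that is 2^13 rounds; the phpass minimum of 2^7 keeps the demo fast) are constructed for this example.

```python
"""Dictionary attack with a leet-substitution rule against phpass hashes."""
import hashlib
import itertools
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Substitutions the rule applies; each occurrence is tried both ways,
# so "this-password" expands to "th1s-p4ssw0rd" among its variants.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64 alphabet and packing (not RFC 4648)."""
    out, i = [], 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Portable phpass: MD5(salt+pw), then 2^count_log2 rounds of MD5(h+pw)."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable setting")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode()
    if len(salt) != 8:
        raise ValueError("salt must be 8 characters")
    pw = password.encode()
    h = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h, 16)


def gen_setting(count_log2: int = 7) -> str:
    """Fresh '$P$' setting with a random salt. WordPress used count_log2=13
    ('$P$B'); 7 is the phpass minimum and is used here only for speed."""
    return "$P$" + ITOA64[count_log2] + _encode64(os.urandom(6), 6)


def check_password(password: str, stored: str) -> bool:
    return phpass_hash(password, stored) == stored


def mangle(word: str):
    """Yield the word with every subset of LEET-eligible letters substituted."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for pos, flip in zip(positions, mask):
            if flip:
                chars[pos] = LEET[chars[pos]]
        yield "".join(chars)


def candidates(wordlist, separators=("", "-", "_")):
    """Single words, then every ordered word pair with each separator."""
    bases = list(wordlist)
    for w1, w2 in itertools.product(wordlist, repeat=2):
        for sep in separators:
            bases.append(w1 + sep + w2)
    seen = set()
    for base in bases:
        for cand in mangle(base):
            if cand not in seen:
                seen.add(cand)
                yield cand


def dictionary_attack(stored: str, wordlist):
    """Return (password, guesses) on a hit, or (None, guesses) after exhausting the list."""
    guesses = 0
    for cand in candidates(wordlist):
        guesses += 1
        if check_password(cand, stored):
            return cand, guesses
    return None, guesses


WORDLIST = ["this", "password", "admin", "wordpress", "login"]  # constructed for the demo

if __name__ == "__main__":
    setting = gen_setting()
    weak = phpass_hash("th1s-p4ssw0rd", setting)                  # the article's example
    strong = phpass_hash("coral-ladder-quiet-thirty-oboe", setting)  # random words
    print("weak  :", dictionary_attack(weak, WORDLIST))
    print("strong:", dictionary_attack(strong, WORDLIST))
```

The leet-substituted password falls within a few hundred guesses because its base words are in the list and the substitution is part of the rule set; the five random words are not in the list, so the attack exhausts all candidates without a hit. Real crackers use far larger wordlists and rule sets, which only widens the gap between the two.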
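For tip 5 and the "don't use the admin username" advice in the comments, a check you can run after restoring a backup or on a schedule: list every administrator account and flag the ones you did not create. This is an added example, not code from the original post. It runs against an in-memory SQLite copy of the two WordPress tables filled with constructed rows; on a live site you would run the same query over MySQL with your real table prefix. The role regex relies on the fact that WordPress stores roles as a PHP-serialised array in the {prefix}capabilities user meta.

```python
"""Audit WordPress user tables for unexpected administrator accounts."""
import re
import sqlite3

# Roles live in {prefix}usermeta under meta_key '{prefix}capabilities' as a
# PHP-serialised array, e.g.  a:1:{s:13:"administrator";b:1;}
# This matches every role whose flag is true.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(meta_value: str) -> set:
    """Role names set to true in the serialised capabilities array."""
    return set(ROLE_RE.findall(meta_value))


def administrators(conn, prefix="wp_"):
    """[(ID, user_login, user_email, user_registered)] for every account with
    the administrator role. `prefix` is trusted operator config, not user input."""
    sql = (
        f"SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value "
        f"FROM {prefix}users u JOIN {prefix}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = ? ORDER BY u.ID"
    )
    rows = conn.execute(sql, (prefix + "capabilities",)).fetchall()
    return [row[:4] for row in rows
            if "administrator" in roles_from_capabilities(row[4])]


def audit(conn, expected_logins, prefix="wp_"):
    """Findings for administrators outside `expected_logins`, plus any account
    using the 'admin'/'administrator' login that brute-forcers try first."""
    findings = []
    for uid, login, email, registered in administrators(conn, prefix):
        if login not in expected_logins:
            findings.append(
                f"unexpected administrator #{uid} {login!r} <{email}> created {registered}")
        if login.lower() in ("admin", "administrator"):
            findings.append(f"account #{uid} uses the guessable login {login!r}")
    return findings


def sample_db():
    """Constructed data: the site owner, an editor, and an account an
    intruder added. Column subset of the real wp_users/wp_usermeta schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT,
            user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
            meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES
            (1, 'alice', '$P$B...', 'alice@example.com', '2013-01-10 09:00:00'),
            (2, 'editor_bob', '$P$B...', 'bob@example.com', '2013-02-01 12:00:00'),
            (3, 'admin', '$P$B...', 'x@mail.invalid', '2013-06-30 03:14:00');
        INSERT INTO wp_usermeta VALUES
            (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
            (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


if __name__ == "__main__":
    for line in audit(sample_db(), expected_logins={"alice"}):
        print(line)
```

Compare the output against the list of administrators you know you created; an account registered at an odd hour with a throwaway e-mail address, as in the constructed data, is the classic sign of the rogue administrator the article warns about.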
  • Andreas Ostheimer

    Good ones. Which backup plugin would you suggest?

    • hexter991

      Hi Andreas,

      To do a backup, I would prefer to use the feature already provided by your cPanel. It is safer and more professional. You can find out how to do it by following these steps from the cPanel official site: http://www.cpanel.net/media/tutorials/backup.htm

  • http://www.sridharkatakam.com Sridhar Katakam

    Just because a plugin has not been updated in 2 years, it doesn't make it insecure.

    There are some plugins which work perfectly fine for what they are intended for and did not need to be updated in the last 2 years and they are perfectly secure.

    • hexter991

      Hi Sridhar,

      For some plugins, yes, it is still safe to use them even if they have not been updated for 2 or more years. But others are not.

  • http://www.paulund.co.uk/ Paul

    Another one…don’t use the admin user, you should create a new user with admin rights and delete the user with the username admin.

    • hexter991

      Hi Paul,

      Yes, it is; never use the admin/administrator username, to keep your site safe from brute force.

  • http://www.mathewporter.co.uk/ Matt Porter

    There are some great security plugins available, such as 'Limit Login Attempts', to help secure your WP site. You could always add an SSL certificate and set up wp-admin to work only over a secure connection.

    • hexter991

      Hi Matt,

      Thanks for sharing. You can also use a WordPress firewall plugin. By installing such a plugin, you will be notified if someone is attacking your site.

  • Mihael Presečan

    On number 3, it means that I have to own the different URL address :)