Getting your blog hacked and losing all your work overnight is a sad thing that many site owners experience these days. According to the results of recent research, 37,000 websites are hacked every day, including WordPress websites (about 25.4%). This means that a good number of WordPress blogs are hacked every day. Read this article on “10 simple tips and tricks to secure your WordPress Sites”.
Security of WordPress is a whole new game. When you have a WordPress blog, having a strong password and a username that is difficult to guess is not sufficient to make your site secure. A single buggy theme, the wrong plugin, or an incorrectly protected file can get your site hacked overnight.
Whether you are new to WordPress or have good experience with it, these are the 10 most practical and common simple tips and tricks to secure your WordPress Sites. You won’t find these simple tricks in a popular “how to secure your blog” post, but they will help you to protect your site one day.
1. Disable the WordPress theme and plugin editor
WordPress gives site owners the ability to customize and edit their themes and plugins directly from the WordPress dashboard, but this feature sits unused on most blogs.
This feature may put your site at risk. A slight error can crash your site or lock you out of your own site. It also lets a hacker who has an account with enough privileges to use the theme and plugin editor enter malicious code into your theme, which enables access to your site from outside or gives away entire control of your site.
You can fix this issue by disabling the plugin and theme editor. This makes it impossible to change your themes and plugins without FTP access.
To do that, add this code to your wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
2. Enable two-factor authentication
This is a great way to secure your online accounts, and most websites recommend that their users enable this feature.
But WordPress itself doesn’t have this feature. You can enable two-factor authentication on your blog by installing the plugins mentioned below:
3. Limit logins by number of failed attempts
There are many ways hackers try to access your site. The most common technique among them is the brute force attack, in which hackers try many usernames and passwords until they can access your site successfully.
By default, WordPress doesn’t secure your site against this attack. You can make it hard for hackers to gain access to your blog by installing plugins that limit logins after many failed attempts from a particular IP address.
Also, the Jetpack Protect module is able to secure your site from brute force attacks.
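The brute force pattern described above can be spotted in a web server access log. The script below is an added example, not part of the original article; it assumes the "combined" log format and that WordPress answers a failed login POST with HTTP 200 and a successful one with a 302 redirect. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): count failed WordPress logins
# per client IP in a web server access log.
# Assumptions: "combined" log format; a failed POST to wp-login.php is answered
# with HTTP 200 (the form is shown again), a successful one with a 302 redirect.

# Constructed sample log (documentation IP ranges, not real traffic).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Mar/2024:02:11:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:02:11:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:02:11:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "curl/8.0"
198.51.100.20 - - [10/Mar/2024:02:11:03 +0000] "GET /wp-login.php HTTP/1.1" 200 4301 "-" "Firefox"
198.51.100.20 - - [10/Mar/2024:02:11:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Firefox"
198.51.100.20 - - [10/Mar/2024:02:11:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Firefox"
203.0.113.7 - - [10/Mar/2024:02:11:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "curl/8.0"
EOF
}

# failed_logins THRESHOLD: read a log on stdin and print
# "IP COUNT FIRST_SEEN LAST_SEEN" for every IP with at least THRESHOLD
# failed logins, busiest first.
failed_logins() {
    awk -v min="$1" '
        # Fields: $1 client IP, $4 "[timestamp", $6 "\"METHOD", $7 path, $9 status
        $6 == "\"POST" && $7 ~ /\/wp-login\.php/ && $9 == 200 {
            n[$1]++
            if (!($1 in first)) first[$1] = substr($4, 2)
            last[$1] = substr($4, 2)
        }
        END {
            for (ip in n)
                if (n[ip] >= min) print ip, n[ip], first[ip], last[ip]
        }
    ' | sort -k2,2nr -k1,1
}

# Dry run on the constructed log: only the IP with 3 or more failures is listed.
sample_log | failed_logins 3
```

On a live server, feed the real access log to failed_logins on stdin instead of the sample.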
4. Do a regular scan
Theme files, plugins, and link elements that seem to be harmless can be used to gain access to your site. So don’t wait until your site gets infected. Install a security scanning plugin to scan your site regularly and to inform you if any file changes happen.
One of the best security scanning plugins is Wordfence. It will scan your site manually or automatically, and will notify you of any suspicious activity on your site.
It also notifies you about any potentially malicious comments. Moreover, it will compare your theme and plugin files with the WordPress repository to inform you if the current version of your plugin or theme has been modified recently. Such a modification can act as a backdoor for hackers into your site.
Some other security plugins to scan your blog for malware and exploits are:
- Sucuri security scanner
- Acunetix WP security
- iThemes security (Also known as “Better WP Security”)
5. Change your host
Although this seems so simple, it can do a lot for your site. The research found that about 41% of WordPress sites were hacked due to a security vulnerability on their hosting platform. This is equal to having a weak password.
Your host plays the main role in securing your site from hackers, so be aware of your host. Go only for a reliable web host that has stood the test of time and observes industry best practices.
6. Hide the WordPress version number
By default, your WordPress version number is visible; this helps WordPress to identify how many WordPress blogs are active worldwide. But this can be a huge problem, as hackers scan the web for blogs using a WordPress version with a known vulnerability, which makes your site an easy target.
So, to fix this problem, hide your version number. To do that, add this code to your functions.php file:
add_filter('the_generator', '__return_null');
7. Deactivate PHP error reports
These PHP error reports notify you if your plugin or theme isn’t working properly. The negative side is that the report includes the entire server path of the error, revealing information that hackers can use against you.
To fix this problem, deactivate PHP error reporting. Add this code to do that:
error_reporting(0);
@ini_set('display_errors', 0);
8. Right file permission
To avoid any security exploits in your WordPress site, it is necessary to check that you have the right file permissions, so that hackers won’t be able to manipulate plugins, themes or files on your server to get access to your site.
Ensure that WordPress folder permissions are set to 755 or 750, file permissions are set to 640 or 644, and the wp-config.php permission is 600.
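One way to check a whole installation against the values listed above, as an added example that is not part of the original article. It assumes the path passed in is the WordPress root that contains wp-config.php; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit a WordPress tree against
# the modes listed above, and optionally reset them.
# Assumption: the path passed in is the WordPress root containing wp-config.php.

# audit_wp_perms ROOT: print every path whose mode is outside the allowed set.
audit_wp_perms() {
    root=${1%/}
    cfg=$root/wp-config.php
    # Folders: 755 or 750 only.
    find "$root" -type d ! -perm 755 ! -perm 750 -print
    # Regular files other than wp-config.php: 644 or 640 only.
    find "$root" -type f ! -path "$cfg" ! -perm 644 ! -perm 640 -print
    # wp-config.php: 600 only.
    if [ -f "$cfg" ]; then find "$cfg" ! -perm 600 -print; fi
}

# fix_wp_perms ROOT: reset folders to 755, files to 644, wp-config.php to 600.
fix_wp_perms() {
    root=${1%/}
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then chmod 600 "$root/wp-config.php"; fi
}

# Constructed sample tree with three deliberate mistakes, for a dry run.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/uploads" "$t/wp-includes"
    : > "$t/wp-config.php"; : > "$t/index.php"; : > "$t/wp-content/uploads/a.php"
    chmod 755 "$t" "$t/wp-content" "$t/wp-includes"
    chmod 777 "$t/wp-content/uploads"        # mistake: world-writable folder
    chmod 644 "$t/index.php"
    chmod 666 "$t/wp-content/uploads/a.php"  # mistake: world-writable file
    chmod 644 "$t/wp-config.php"             # mistake: config readable by all
    printf '%s\n' "$t"
}

# Dry run: list the three bad entries, repair them, then clean up.
tree=$(make_sample_tree)
audit_wp_perms "$tree"
fix_wp_perms "$tree"
rm -rf "$tree"
```

Run audit_wp_perms on its own first and review the list before calling fix_wp_perms on a real site.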
9. Do regular backups
Even websites with a good team of security experts and consultants get hacked, even when they follow the best practices. Things can still break.
The best way to protect yourself from WordPress hack attacks is to keep a good backup. Do not forget to back up your site regularly, daily if you can. In the case of any hacker attack, you can simply restore things quickly.
Some of the best WordPress backup plugins:
- BackUpWordPress
- VaultPress
- BackupBuddy
10. Block access to your login page
Sometimes you need to take drastic action to secure your site. One way to secure your site from hack attempts is blocking access to your wp-admin and wp-login.php pages entirely.
This is especially recommended if you have an unchangeable IP address (so that you don’t block yourself from the site). You can also use this if you have more than one IP address; keep track of those addresses.
To limit the access, add this code to your .htaccess file:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^Your IP address 1$
RewriteCond %{REMOTE_ADDR} !^Your IP address 2$
RewriteCond %{REMOTE_ADDR} !^Your IP address 3$
RewriteCond %{REMOTE_ADDR} !^Your IP address 4$
RewriteCond %{REMOTE_ADDR} !^Your IP address 5$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
Make sure to replace IP address 1 through IP address 5 with the different IP addresses you want to give access to. Simply add or remove a line to allow more or fewer IPs to access your site.
Summary
In addition to those tips, make sure to follow the security basics, like using a hard-to-guess username and a strong password, and regularly updating your WordPress installation. The tips mentioned above are some additional security methods to make your WordPress blog more secure.
Thank you for visiting this page. If you need further clarification on this topic, “10 simple tips and tricks to secure your WordPress Sites”, feel free to leave a message in the comment section below.