Most WordPress users think that the chance of getting attacked by a hacker is slim to none. The truth is that it happens more often than you think and unfortunately most people are not aware of that danger.
Have you noticed sometimes when searching on Google that some results are labeled “This site may harm your computer”? Those are websites that have been hacked and therefore blacklisted by Google. Needless to say, most users will freak out and might never visit your site again. Even if you manage to recover your site from such an attack, this would definitely give a bad reputation to your business.
I compiled a list of tips that can greatly improve the security of your WordPress website. Please note that the following tips apply to all versions of WordPress.
1. Use Strong Passwords
It may seem obvious but you would be amazed by how many users ignore this. No matter how much you work securing your website, a weak password can ruin everything. Your whole website’s security is dependent on that password. Do not even bother reading the rest of this article if your password is not strong enough.
Here are 3 tips when selecting your password:
- Use something as random as possible (no single words, birthdays, or personal information)
- Use at least eight characters. The longer the password the harder it is to guess
- Use a mix of upper and lower-case letters and numbers. Passwords are case-sensitive, so use that to your advantage.
2. Keep WordPress Always Updated
It goes without saying that you always have to update your WordPress installation. If a vulnerability is discovered the WordPress development team will fix it by releasing a new version. The problem is that now the vulnerability is known to everyone so old versions of WordPress are now more vulnerable to attacks.
In order to avoid becoming a target of such an attack it is a good idea to hide your WordPress version number. This number is revealed in page’s meta data and in the readme.html file of your WordPress installation directory. In order to hide this number you have to delete the readme.html file and remove the version number for the header by adding the following line to your functions.php file of your theme folder.
<?php remove_action('wp_head', 'wp_generator');?>
3. Beware of Malicious Themes or Plugins
Some themes and plugins contain buggy or even malicious code. Most of the time malicious code is hidden using encryption so it’s not easily detectable. That’s why you should only download them from trusted sources. Never install pirated/nulled themes/plugins and avoid the free ones unless they are downloaded from the official WordPress themes/plugins repository.
Malicious themes/plugins can add hidden backlinks on your site, steal login information and compromise your websites security in general.
4. Disable File Editing
WordPress gives administrators the right to edit theme and plugin files. This feature can be very useful for quick edits but it can also be useful to a hacker who manages to login to the administration dashboard. The attacker can use this feature to edit PHP files and execute malicious code. To disable this feature add the following line in the wp-config.php file.
define('DISALLOW_FILE_EDIT', true);
5. Secure wp-config.php
wp-config.php contains some important configuration setting and most importantly contains your database username and password. So it is crucial for the security of your WordPress website that nobody will have access to the contents of that file.
Under normal circumstances the content of that file are not accessible to the public. But it is a good idea to add an extra layer of protection by using.htaccess rules to deny HTTP requests to it.
just add this to the.htaccess file on your website root:
<files wp-config.php>
order allow,deny
deny from all
</files>
6. Do not allow users to browse in your WordPress directories
Add the following line in the.htaccess file in the directory you installed WordPress:
Options -Indexes
This will disable directory browsing. In other words it will prevent anyone from getting the listing of files available in your directories without a index.html or index.php file.
7. Change username
Hackers know that the most common user name in WordPress is “admin”. Therefore it is highly advisable to have a different username.
It is best to set your username during the installation process, because once the username is set it cannot be changed from inside the admin dashboard but there are two ways to get around this.
The first way is to add a new administrator user from the admin dashboard. Then log out and log in again as the new user. Go to the admin dashboard and delete the user named admin. WordPress will give you the option to attribute all posts and links to the new user.
If you are more tech-savvy you can change your username simply by executing an SQL query. Go to phpmyadmin select your database and submit the following query:
UPDATE wp_users SET user_login = 'NewUsername' WHERE user_login = 'admin';
It is important to keep in mind that even if you implement all my advice you can never be 100% protected from hackers. But the above tips should be sufficient to decrease the chances of getting hacked.