WordPress Security June 2, 2020

What Should I Do to Prevent Potential Attacks on My WordPress Site?

Author: Seçil Durgun

Preventing attacks on your WordPress website is more manageable than recovering from one. Generally, WordPress sites are not targeted by hackers directly but by bots designed to exploit known vulnerabilities. The most common security weaknesses are weak passwords, outdated plugins and WordPress core versions, and low-quality web hosting services.

What can happen if your WordPress site is attacked?

  • Files on your server, such as your theme files, can be modified or deleted.
  • Malicious code and files may be added to your site.
  • Numerous spam pages could be added to your site.
  • Users with administrative privileges could be added to your WordPress database.
  • Your site could be redirected to malicious websites.
  • Recovering your site after such an attack could take hours or even days.
  • Google may blacklist your site, causing you to lose your ranking in search results.

Fortunately, preventing such attacks is possible with simple precautions. Here are 18 tips to prevent your WordPress website from being hacked:

1. Keep Your WordPress Site Up to Date

To protect your WordPress site from attacks, you must keep it consistently updated. Logging in once a month isn’t sufficient to ensure your site is secure. You should update your site whenever themes, plugins, or the WordPress core receive updates. For automatic updates, consider using the Shield Security plugin.

2. Remove Unnecessary Files from Your Server/Hosting Space

Do not keep files on your server or hosting space that could create security vulnerabilities. Delete unused WordPress versions, files, plugins, themes, and any backup files (if available).

3. Use Strong Passwords

Do not reuse for your website (or websites) the passwords you use elsewhere. Avoid easily guessable passwords like your pet’s name, a friend’s name, or something like “admin123.” Use a password manager such as 1Password or LastPass to keep track of your passwords easily.

4. Enable Two-Factor Authentication

One essential security measure against potential attacks on WordPress is two-factor authentication. With two-factor authentication, you can enhance the security of your users and visitors by requiring additional verification methods, such as SMS, Email, Google Authenticator, Authy Authenticator, Duo, Microsoft Authenticator, TOTP-based authenticators, security questions, and others, during login and registration.

5. Choose Plugins and Themes That Are Regularly Updated

Do not use themes and plugins that are no longer updated in your WordPress system. Replace plugins and themes that have not been updated for over a year (if possible) with ones that are actively maintained. When purchasing a theme, prefer well-established teams that regularly update their themes over individual developers, and check how they respond to support requests. If buying through a marketplace, review the theme’s sales numbers, reviews, and ratings. WordPress premium themes often bundle third-party plugins, so making sure those are updated along with the theme is crucial.

6. Be Careful When Logging in on Public Wi-Fi Networks

If you log in to your WordPress site from a public network, your login credentials could be intercepted by other users on the network using special software. If your site does not have an SSL certificate (which encrypts your username and password), consider using a Virtual Private Network (VPN) to encrypt your network traffic. If you must log in to your site on public networks, use a VPN even if your site has an SSL certificate.

7. SSL Certificate

An SSL certificate is essential for protecting your sensitive data. Whether submitting contact forms or logging in, encryption ensures your information remains secure. Without an SSL certificate on your website, there is a risk that third parties could access this data. If you have an SSL certificate, you can use the Really Simple SSL plugin for WordPress to redirect your HTTP content to HTTPS.

8. Protect Your Computer from Malware

Keep your antivirus system active and regularly scan your Windows system for malware. Be cautious of the websites you visit, as they could transfer spyware, such as a Trojan horse, to your system. Spyware of this kind can log your keystrokes and capture your WordPress password, so you need protection on every page you browse on the web.

9. Use a WordPress Security Plugin

Security plugins like Shield Security and WordFence add essential protection to your WordPress site. Their key features include:

  • Super admin security.
  • Useful information email newsletters.
  • Blocking malicious links and requests.
  • Blocking spam and bot comments.
  • Hiding the WordPress admin login page.
  • Enabling email-based two-factor authentication.
  • Turning automatic WordPress updates on/off.
  • Scanning your site files to notify you of any suspicious files detected.

10. The Choice of Hosting Provider Matters

Work with companies that offer proven hosting solutions in the WordPress field. Hosting companies that prioritize server security can help you encounter fewer problems and may even improve your site performance (such as loading speed and related factors). Online reviews can provide valuable guidance when deciding among many local and international options that offer reasonable price/performance solutions.

11. Regularly Back Up Your Site

Backup files will be crucial in case your site has problems. Therefore, it is recommended to take regular backups and to back up before updating themes, plugins, and WordPress itself. Often, restoring from a backup is less time-consuming than troubleshooting or debugging errors.

12. Monitor Your Site Continuously

Use Google tools to receive critical and helpful feedback about your website. To do this, register for Google Search Console and stay informed about any issues related to Google’s indexing. Review your site’s error logs using the cPanel file manager or FTP/SFTP. Check your site’s access logs to monitor who is accessing the files on your server/hosting space. If access logs are not visible, you can enable them via cPanel. You can also use the audit trail feature of the Shield Security plugin.
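As an added example (not part of the original post), a small Python script that applies the access-log review above to a few constructed sample lines in the Apache combined log format: it flags repeated POSTs to wp-login.php from one IP, requests for PHP files under wp-content/uploads, and direct requests for wp-config.php or .htaccess. The log lines, IP addresses and the threshold of 4 login POSTs are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jun/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1532
203.0.113.5 - - [02/Jun/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1532
203.0.113.5 - - [02/Jun/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1532
203.0.113.5 - - [02/Jun/2020:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.9 - - [02/Jun/2020:10:05:00 +0000] "GET /wp-content/uploads/2020/06/x.php HTTP/1.1" 403 199
198.51.100.9 - - [02/Jun/2020:10:05:01 +0000] "GET /wp-config.php HTTP/1.1" 403 199
192.0.2.20 - - [02/Jun/2020:10:06:00 +0000] "GET /wp-content/uploads/2020/06/photo.jpg HTTP/1.1" 200 48211
"""

LOGIN_THRESHOLD = 4  # assumed cut-off for "too many" login POSTs from one IP

def parse(lines):
    """Yield the fields of each line that matches the combined log format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def review_access_log(text, login_threshold=LOGIN_THRESHOLD):
    """Return {ip: [finding, ...]} for the request patterns worth a second look."""
    login_posts = Counter()
    findings = defaultdict(list)
    for r in parse(text.splitlines()):
        path = r["path"].split("?", 1)[0].lower()  # drop the query string
        if r["method"] == "POST" and path.endswith("/wp-login.php"):
            login_posts[r["ip"]] += 1
        if path.startswith("/wp-content/uploads/") and path.endswith((".php", ".phtml")):
            findings[r["ip"]].append(f"PHP requested in uploads: {path} -> {r['status']}")
        if path.endswith(("/wp-config.php", "/.htaccess")):
            findings[r["ip"]].append(f"sensitive file probed: {path} -> {r['status']}")
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings[ip].append(f"{n} login POSTs (possible brute force)")
    return dict(findings)

if __name__ == "__main__":
    for ip, items in review_access_log(SAMPLE_LOG).items():
        print(ip, *items, sep="\n  ")
```

A 403 on the uploads or wp-config.php lines shows the .htaccess rules from the later tips doing their job; a 200 there is what you want to catch early.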

13. Do Not Assign Administrator Roles to Untrusted Individuals

Individuals with the administrator role on your website have complete control over the site. Therefore, only those with proven technical competence or good intentions should be given administrator privileges. The author’s role should be sufficient for those writing or editing content.

14. Change the Default Table Prefix for the WordPress Database

The default WordPress table prefix is “wp_.” Using the default table prefix can make SQL Injection attacks easier. It’s highly recommended that you change the table prefix when installing WordPress. There are two ways to do this. The manual method can be challenging for those without experience editing databases. Using the WP Prefix Changer plugin to change the table prefix is easier.

15. Block Search Engines from Indexing the Admin Panel

Search engine bots crawl your entire website and index all of its content unless instructed otherwise. The easiest way to keep files under the admin panel out of search indexes is to create a robots.txt file in your root directory and add the following lines to it:
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Keep in mind that robots.txt is only a request honored by well-behaved crawlers and is itself publicly readable; it does not restrict access to the listed paths, so it complements rather than replaces the .htaccess rules in the following tips.

16. Protect Your “.htaccess” File

To safeguard your website from hackers, you must protect your “.htaccess” file itself from attacks. By adding the following rules to it, you block external access to any file whose name starts with “.hta”:
# STRONG HTACCESS PROTECTION
<FilesMatch "^\.hta">
Order allow,deny
Deny from all
Satisfy all
</FilesMatch>
The Order/Deny/Allow directives used here and in the next two tips are Apache 2.2 syntax; Apache 2.4 accepts them only when mod_access_compat is loaded, and its native equivalent is “Require all denied”.

17. Protect Your “wp-config.php” File

The “wp-config.php” file is crucial as it contains all your website’s sensitive data and configuration settings. You can protect this file by adding the following code to your “.htaccess” file:
# protect wp-config.php
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>

18. Block PHP Files in the wp-content/uploads Directory

Your media gallery is stored in the uploads folder, and files can be uploaded there for various reasons via the front end. To prevent executable files hosted here from being served, add the following rules to a .htaccess file within the wp-content/uploads directory:

Order Allow,Deny
Deny from all

# after that, add the file extensions you want to allow access to
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|mp4|pdf)$">
Order Deny,Allow
Allow from all
</FilesMatch>