If you run a self-hosted WordPress site, one of the most popular blogging platforms in the world, you are a target for attackers and you should know how to secure it.
Millions of websites run on WordPress because it is simple to set up and has thousands of free plugins. That same popularity makes it a target: thousands of WordPress sites are attacked every day, mostly by automated tools that scan for known weaknesses. The question is how to secure a WordPress site against them.
WordPress deals with security issues mainly by releasing updates that fix known vulnerabilities. That is necessary but not sufficient: most compromises come through outdated plugins and themes, weak credentials and insecure hosting configuration rather than through WordPress core itself.
In this post we cover in detail how to secure a WordPress site and protect it from attackers.
Over the past few months we have seen two major zero-day vulnerabilities and mass hacking of WordPress websites; thousands of sites were compromised by exploiting them.
In the past a single vulnerable plugin has led to the compromise of a whole web server hosting hundreds of websites.
WordPress.org also publishes its own hardening recommendations (see the References at the end of this post).
Before we discuss how to secure a WordPress site in detail: always update WordPress and run the newest release.
Just as important, take regular backups of your WordPress files and database and store them somewhere the web server cannot write to, such as a separate disk on your own computer. A backup that sits on the compromised server can be deleted or altered along with everything else.
First, does WordPress have security issues?
Yes. Before we get to how to secure a WordPress site, let's look at the most common ways WordPress sites are attacked.
Brute-Force Login – This is the most common type of attack on WordPress: automated scripts find a site and try to log in to the Admin account by guessing passwords. They target wp-login.php and, because it accepts credentials too, xmlrpc.php, where the system.multicall method lets one request carry hundreds of guesses.
A weak or reused Admin password is all they need to gain full control of the site.
You can defeat brute-force attempts by using long, unique passwords for every account with Admin rights (a password manager makes this painless), renaming or removing the default "admin" user, enabling two-factor authentication, limiting login attempts per IP, and installing a security plugin that blocks abusive IPs automatically, such as Sucuri or Wordfence. Rotating a strong password on a weekly schedule adds little; rotate it immediately if you suspect it has been exposed.
Backdoors – A backdoor is malicious code, usually a small PHP file or a few lines injected into a legitimate one, that an attacker plants after an initial break-in so they can get back in later without going through the normal login. It bypasses authentication entirely: the attacker reaches it through a URL, a stolen FTP/SFTP account, or a writable upload directory, not through wp-admin.
Once in place, a backdoor lets the attacker move sideways on a shared host, contaminating other sites on the same server.
Backdoors are usually planted through an outdated WordPress core, plugin or theme with a known file-upload or code-execution flaw, which is why keeping everything updated matters so much.
In 2011 thousands of WordPress sites were hit through TimThumb, an image-resizing script bundled with many themes: it fetched remote images by URL and could be tricked into saving an attacker's PHP file into its cache directory, where it then ran.
That gave attackers code execution on the servers hosting those themes, which is exactly the backdoor scenario described above.
Prevention is mostly hygiene: scan your site with a tool such as Sucuri SiteCheck, which detects common backdoors, and compare your core files against a clean copy of the same WordPress version.
Enabling two-factor authentication, blocking suspicious IPs, restricting wp-admin access to a small set of known IPs, and blocking execution of PHP files in wp-content/uploads (where a backdoor is most often dropped) close off the usual routes.
A related payload is the malicious redirect: after getting in through FTP, SFTP, wp-admin or a plugin flaw, the attacker injects redirect code into the site.
The code is often placed in the .htaccess file (or in the theme's header or a plugin file) and sends your visitors, frequently only those arriving from a search engine, to a malicious site, so an owner who logs in directly may never notice.
Free scanners such as SiteCheck detect common malicious redirects.
Denial of Service (DoS) – Strictly an attack rather than a vulnerability, but one of the most damaging: it takes the whole site offline by exhausting the server's CPU, memory or bandwidth, either with raw traffic floods or with many requests to expensive pages (search, xmlrpc.php, wp-cron.php).
When your site is under a DoS attack, all of its services become unavailable, and that can last from a few hours to several days.
The easiest protection is to put the site behind a CDN with DDoS filtering such as Cloudflare, and to add rate limiting at the web server for the login and XML-RPC endpoints.
Don't take DoS lightly: attackers sometimes use it for extortion if your site or blog is popular.
Pharma Hacks – When a site runs an outdated WordPress version or plugin, an attacker can insert rogue code that serves pharmaceutical spam links only to search engine crawlers, so your pages start ranking for pharma terms while looking normal to you. Search engines respond by flagging the site or de-indexing its pages.
Prevention is the same as for backdoors: keep everything updated and use a hosting provider that isolates and monitors sites. If you are hit, remove the injected code from the database and files rather than only the visible symptoms, because the injection usually lives in a place the attacker can re-trigger.
Now that you have a clear idea of the common attacks on WordPress, it's time to look at how to secure a WordPress website from hackers.
Recommendations to secure WordPress Site from hackers:
Fundamentally, there is no such thing as eliminating risk or making a website 100% secure; what you can do is reduce risk by hardening your WordPress installation.
By some estimates tens of thousands of websites are compromised every day, almost always through a known vulnerability or plain neglect.
WordPress beginners often ask "how can I secure my WordPress site?", and the answer is to follow the security best practices below; they keep you ahead of the automated attacks that make up most of the threat.
So, follow these steps and recommendations to secure your WordPress website:
- Run the latest version of WordPress – The single most important factor in WordPress security is keeping the WordPress core updated.
Running the latest release means every published security fix has been applied to your site.
Security fixes are public once a release ships, so attackers start scanning for sites that have not applied them within hours; an unpatched site is the easiest target there is.
WordPress itself recommends updating to the latest version, and minor releases (security and maintenance updates) install automatically unless you have disabled that.
- Use a supported PHP version – WordPress is written in PHP. The language itself is not the problem, insecure code is, but old PHP branches stop receiving security fixes, so running one means known interpreter bugs stay unpatched on your server. At the time of writing 7.0 and 7.1 were at or past end of life and 7.2 was current; check php.net/supported-versions for today's picture.
Beyond security, each PHP release is noticeably faster, and WordPress core and plugins drop support for old branches over time, so ask your hosting company to move you to a supported version (most control panels let you switch it per site).
Also refer to the PHP security manual for hardening your PHP configuration.
Don't know which PHP version your server runs? WordPress shows it under Tools > Site Health > Info (Server), and your hosting control panel usually shows it too.
The header trick, running the site through Pingdom and looking for an X-Powered-By header on the first request, only works if the host has left expose_php on; many disable it precisely so the version is not advertised, so its absence tells you nothing.
- Update WordPress plugins – Secure the site by updating plugins whenever a new version is available.
By one estimate around 60% of hacked WordPress sites were compromised through an outdated plugin with a security flaw in its code, not through the core.
As mentioned above, plugin updates carry bug fixes and security fixes that overwrite the vulnerable files.
Millions of WordPress sites still run outdated plugins, and site owners often ignore update notices, which gives attackers an easy entry point. Also delete plugins you no longer use: a deactivated plugin's files are still on disk and still reachable.
Updating is a single click under Dashboard > Updates, or from the command line with WP-CLI: wp plugin update --all.
- Always update your WordPress theme – Just like core and plugin updates, keep your theme on its latest version.
By the same estimate more than 10% of hacked sites were compromised through flaws in theme files; bundled scripts such as TimThumb are the classic example.
Updating the theme fixes bugs present in the previous version. If you have customised the theme, do it in a child theme so updates do not overwrite your changes and you are never tempted to skip them.
Well-known theme developers such as StudioPress and Thrive Themes release updates regularly for security and stability. Be wary of themes that have not been updated in a year or more, and never install nulled (pirated) themes, which are a common way backdoors get delivered.
- Secure WordPress Admin – One of the most common attacks is against the WordPress login, where an attacker tries many password combinations against wp-login.php.
Attackers guess passwords to reach the Admin area, and a single success hands them the whole site.
The foundation is a strong, unique password for every account with elevated rights, but there is more you can do.
You can further secure the WordPress login in two simple ways:
- Hide the WordPress Admin login URL – By default the login page of every WordPress site is at example.com/wp-login.php (with example.com/wp-admin redirecting to it), which is where every automated attack goes first.
You can move it with free plugins such as WPS Hide Login or HC Custom WP-Admin URL.
These plugins let you set a custom login URL in place of /wp-login.php and /wp-admin, which keeps the bulk of dumb scanners off your login page. It is obscurity rather than a real control: anyone who discovers the new URL can attack it as before, and xmlrpc.php still accepts credentials unless you disable it, so combine this with login limits and two-factor authentication.
- Limit login attempts – Hiding the admin URL reduces bad login attempts; limiting them is more effective because it works even when the URL is known.
Plugins such as Cerber Limit Login Attempts or Login LockDown let you set the number of attempts, the lockout duration, and IP allow and deny lists.
They work by counting failed logins per IP (or IP range) over a short window and refusing further login requests from that source for the lockout period once the threshold is crossed. Make sure the plugin also covers xmlrpc.php, or disable XML-RPC if nothing you use needs it, since that endpoint lets an attacker try hundreds of passwords in a single request via system.multicall.
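The same counting can be done outside WordPress, from the web server's access log, which also catches attempts against xmlrpc.php and keeps working if the site itself is overloaded. The script below is an added example serving both the brute-force section earlier and the limit-login-attempts step above; it is not code from the original post or from any of the plugins named. It relies on one observable that is easy to miss: wp-login.php answers a wrong password with HTTP 200 (it re-renders the form) and a correct one with a 302 redirect into wp-admin, so failed logins are the POSTs that get 200. The log lines are constructed and use documentation IP ranges; the thresholds are assumptions you would tune.

```python
"""Detect login brute force from web server access logs and decide lockouts.

Added example, not code from the original post or from the plugins it
names; it mirrors how such plugins count attempts. The sample log lines
are constructed and use documentation IP ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = datetime.strptime(req["ts"], "%d/%b/%Y:%H:%M:%S %z")
    req["status"] = int(req["status"])
    req["path"] = req["path"].split("?", 1)[0]
    return req


def is_login_failure(req):
    """wp-login.php re-renders the form with HTTP 200 on a wrong password
    and answers 302 (redirect into wp-admin) on success, so a POST that
    gets 200 is a failed attempt. xmlrpc.php returns 200 either way, so
    every POST to it counts as an attempt."""
    if req["method"] != "POST":
        return False
    if req["path"].endswith("/wp-login.php"):
        return req["status"] == 200
    return req["path"].endswith("/xmlrpc.php")


def find_lockouts(lines, max_failures=5, window=timedelta(minutes=5),
                  lockout=timedelta(minutes=15)):
    """Sliding-window counter per IP; returns (ip, when, path) for each
    lockout decision. Lines are assumed to be in time order."""
    recent = defaultdict(deque)
    blocked_until = {}
    decisions = []
    for line in lines:
        req = parse_line(line)
        if req is None or not is_login_failure(req):
            continue
        ip, ts = req["ip"], req["ts"]
        if ip in blocked_until and ts < blocked_until[ip]:
            continue  # still locked out; the web server should be dropping these
        attempts = recent[ip]
        attempts.append(ts)
        while attempts and ts - attempts[0] > window:
            attempts.popleft()
        if len(attempts) >= max_failures:
            blocked_until[ip] = ts + lockout
            decisions.append((ip, ts, req["path"]))
            attempts.clear()
    return decisions


# Constructed sample: five bad passwords from one IP in 16 seconds, a
# legitimate login from another, and a single XML-RPC probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2018:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2018:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2018:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2018:13:55:43 +0000] "GET /wp-admin/ HTTP/1.1" 200 61230 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2018:13:55:44 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2018:13:55:48 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2018:13:55:52 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2018:13:55:55 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2018:13:57:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"',
]


def demo():
    return find_lockouts(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, when, path in demo():
        print(f"lock out {ip} at {when:%H:%M:%S} after repeated POSTs to {path}")
```

In production you would feed the decisions to the firewall (this is essentially what a fail2ban jail for WordPress does) rather than to WordPress, so blocked clients never reach PHP at all. Be careful behind a CDN or reverse proxy: the first field is then the proxy's address and you must log and key on X-Forwarded-For instead, or you will lock out the proxy.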
- Enable two-factor authentication – You probably already use this with Gmail or online banking: besides your password you enter a one-time code sent to or generated on your phone each time you log in.
The same is available for WordPress, and enabling it is one of the cheapest ways to protect the login.
Install the Google Authenticator plugin on your WordPress site.
Once installed, open your user profile, mark two-factor as active, and create a new secret key or scan the QR code.
Then install a free authenticator app on your phone (Google Authenticator, Authy, or any app that supports TOTP) and scan the same code.
From then on a login requires your normal password plus the six-digit code from the app, which changes every 30 seconds.
You will see an additional field for the code on the WordPress login page. Save any backup codes the plugin offers somewhere safe: losing your phone otherwise means regaining access through the database or FTP.
Enable it for every account with Administrator or Editor rights, not just your own; an attacker needs only one unprotected privileged account.
- Install a TLS (SSL) certificate – A certificate lets the site serve HTTPS, which encrypts the connection between the browser and the server.
Whenever you log in to a plain-HTTP site, your username and password cross the network in clear text, where anyone on the path (a public Wi-Fi network, a compromised router) can read or modify them.
Forcing the whole site onto HTTPS ensures that credentials, session cookies and content are encrypted in transit and that the browser has verified it is talking to your server. Set the WordPress and site URLs to https://, add define('FORCE_SSL_ADMIN', true); to wp-config.php, and redirect all HTTP requests to HTTPS at the web server. Free certificates are available from Let's Encrypt. Note that HTTPS protects data in transit only; it does nothing about a vulnerable plugin on the server.
There are several other benefits of a secure HTTPS connection:
- Google has stated that HTTPS is a ranking signal, so apart from securing your site you may also get a small SEO boost.
- Users trust a site more when they see the HTTPS connection, according to a survey conducted by GlobalSign.
- It can improve performance, because browsers only support the newer HTTP/2 protocol over HTTPS.
The improvement comes from HTTP/2 features such as multiplexing many requests over one connection, HPACK header compression with Huffman encoding, ALPN negotiation and server push; with TLS 1.3, approved by the IETF on March 21, 2018, the handshake itself is also faster.
- Hide your WordPress version – Attackers who know which version you run can look up its known vulnerabilities, so there is no reason to advertise it.
The less others know about your setup, the fewer shortcuts they have, although hiding the version only helps against lazy scanners; it is no substitute for actually updating.
If a scanner sees an outdated version, you are advertising exactly which exploits to try.
By default WordPress prints the version in a generator meta tag in the <head> of every page and in a generator element in your RSS feeds.
We recommend always updating your WordPress installation to protect against the known vulnerabilities in previous versions.
Use the snippet below in your theme's functions.php (or better, in a small site-specific plugin, so it survives a theme change) to remove the generator string:

```php
// Blank the generator string so WordPress emits no version in the
// <meta name="generator"> tag or in feed <generator> elements.
function wpversion_remove_version() {
    return '';
}
add_filter( 'the_generator', 'wpversion_remove_version' );
```

Note: a mistake in functions.php can take the whole site down (a PHP parse error gives a blank page), so edit carefully and keep a backup of the original file. This filter does not touch the ?ver=x.y.z query string that WordPress appends to core scripts and stylesheets, which reveals the same version; removing that needs the script_loader_src and style_loader_src filters, and even then fingerprinting by the hashes of core files remains possible.
You should also delete the readme.html file that ships with every WordPress installation, since it states the version in plain text and is one of the first files every scanner requests.
It sits in the root directory of the installation on the hosting server.
You can delete it safely over SFTP or with your control panel's file manager; a core update may put it back, so check again after each major upgrade.
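To see whether the version is really gone, look at your page the way a scanner does. The script below is an added example, not code from the original post: it pulls the version out of every place WordPress normally exposes it (the generator meta tag, the feed generator element, and the ?ver= query string on assets served from wp-includes or wp-admin) and then picks the version that appears most often. The two HTML snippets are constructed: the first is what a default install emits, the second is the same page after only the generator filter above has been applied.

```python
"""Find where a WordPress page still reveals its version.

Added example, not code from the original post. The two HTML snippets are
constructed: a default install's output, and the same page after the
the_generator filter has removed the meta tag.
"""
import re
from collections import Counter

GENERATOR_META = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([\d.]+)', re.I)
# wp_enqueue_script/style append ?ver=<WordPress version> to core assets
# that do not declare their own version.
CORE_ASSET_VER = re.compile(
    r'/(?:wp-includes|wp-admin)/[^"\'\s?]+\?ver=([\d.]+)', re.I)
FEED_GENERATOR = re.compile(
    r'<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>', re.I)


def find_version_leaks(html):
    """Return (source, version) pairs for every place a version appears."""
    leaks = []
    m = GENERATOR_META.search(html)
    if m:
        leaks.append(("generator meta tag", m.group(1)))
    m = FEED_GENERATOR.search(html)
    if m:
        leaks.append(("feed generator element", m.group(1)))
    for m in CORE_ASSET_VER.finditer(html):
        leaks.append(("?ver= on core asset", m.group(1)))
    return leaks


def guess_wp_version(html):
    """What a scanner would conclude: the version string seen most often.
    Some core assets (jQuery, for instance) carry their own version, which
    is why a single ?ver= value is weaker evidence than a repeated one."""
    counts = Counter(v for _src, v in find_version_leaks(html))
    return counts.most_common(1)[0][0] if counts else None


# Constructed: a default 4.9.8 install's <head>.
SAMPLE_DEFAULT = """<html><head>
<meta name="generator" content="WordPress 4.9.8" />
<link rel='stylesheet' href='https://example.com/wp-includes/css/dashicons.min.css?ver=4.9.8' />
<link rel='stylesheet' href='https://example.com/wp-content/plugins/contact-form/style.css?ver=2.1.0' />
<script src='https://example.com/wp-includes/js/jquery/jquery.js?ver=1.12.4'></script>
<script src='https://example.com/wp-includes/js/wp-embed.min.js?ver=4.9.8'></script>
</head><body></body></html>"""

# Constructed: the same page with only the generator filter applied.
SAMPLE_FILTERED = SAMPLE_DEFAULT.replace(
    '<meta name="generator" content="WordPress 4.9.8" />\n', "")

if __name__ == "__main__":
    for label, page in (("default", SAMPLE_DEFAULT), ("filtered", SAMPLE_FILTERED)):
        print(label, "->", guess_wp_version(page), find_version_leaks(page))
```

The filtered page still yields 4.9.8 from the two core assets, which is the point: the functions.php snippet closes one leak, the ?ver= strings and readme.html are separate ones, and a scanner that hashes wp-includes/js/wp-embed.min.js against known releases needs none of them. Treat version hiding as a small reduction in noise, and updating as the actual fix.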
Conclusion
These are solid, practical recommendations for WordPress users who want to secure their site against attackers.
We will add more recommendations over time, so check back for updates.
As you can see, keeping a WordPress site secure is mostly a matter of spending a little time on it regularly and applying the tips above; automated attacks go after the sites whose owners don't.
However secure your site is, always back it up and keep a copy somewhere other than the web server, because a backup is the one control that still works after everything else has failed.
References
https://codex.wordpress.org/Hardening_WordPress
https://premium.wpmudev.org/blog/ultimate-guide-wordpress-security/
https://www.codeinwp.com/blog/secure-your-wordpress-website/
After exploring a number of the articles on your blog, I truly like your way of blogging. I added it to my bookmark webpage list and will be checking back in the near future.
Woah! I’m really digging the template/theme of this website. It’s simple, yet effective. A lot of times it’s challenging to get that “perfect balance” between usability and appearance. I must say you’ve done a very good job with this. Additionally, the blog loads very quick for me on Chrome. Superb Blog!
Sweet blog! I found it while browsing on Yahoo News. Do you have any tips on how to get listed in Yahoo News? I’ve been trying for a while but I never seem to get there! Many thanks
An impressive share! I have just forwarded this onto a coworker who was doing a little homework on this topic. Thanks for writing such a wonderful and informative post!
Hi, Thanks for the great article! Keep up the good work. I log on to your blogs on a regular basis.
No doubt very shortly this website will be famous, due to its quality content and informative posts!
I appreciate you sharing this post on wordpress website security. Really thank you!
Thank you for another fantastic article on securing WordPress websites from hackers. Very useful tips!