WordPress website security is the single and most prioritized concern, that keeps every webmaster and website owner zoned out scanning for security flaws in their website. To keep their websites away from unexpected hacking, some site owners appoint ethical hacker and some develop custom CMS. But both solutions are costlier, simultaneously time consuming, but above all risk remain unchanged.
According to Forbes, about 30,000 websites around the web are hacked every day. But the interesting fact is all of them are not WordPress websites.The number is miscellaneous in total. But what’s happened if your WordPress website is hacked or injected with the malicious code or malware. I bet it costs a lot of money, traffic and couple of unrest days to undo whole website. We had our demo server hacked last year because of a plugin created security leakage, that cost us loss of customers, time, money and traffic.
Now the question how to keep our WordPress website away from unexpected hackin? Site hacking is not confined to some countable numbers, the reason could be unknown or many. Sometime it’s becomes difficult to find where to start or what works well to enhance your site security. You might be thinking WordPress is itself vulnerable, right? No, WordPress core is secured and WordPress Codex provides numerous effective tips to make a WordPress website more secured.
But on top that there are a lot more steps should be taken to improve the security of your WordPress website. It means the more you take measures to secure your WordPress websites, the more you can put strong defence against the hacking. Here are 10 steps, you should take while your WordPress site installation.
01. Use Themes and Plugins from Trusted Source
Over the web you’ll found an abundant source of WordPress themes and plugins. If you are accustomed to picking up them from random source, your site security will be at stake. Do you know why? Because anyone can make themes and plugins without having knowledge of security best practices of WordPress and ship them at your reach anytime.
02. Use Strong Administrative Password
Having WordPress themes & plugins from trusted source is not enough to secure your WordPress websites from hackers. You site could be hacked because your weak password selection for WordPress administrative account. Now the question is – what denotes weak password.
Weak passwords refer to any password that can be easy to guess and find out. According to SplashData, the most common passwords for both 2013 and 2014 were “123456” and the runner up was “password,”
If you’ve select password like, hackers may be able to sign into your website and take complete control of it. such an hacking can easily avoided by using a strong password incorporated with both uppercase and lowercase letters, numbers and punctuation. You can also go the random string unreadable for humans.
03. Keep your WordPress Version Updated
WordPress has immense contributor community, contributing to enhance WordPress everyday. As a result WordPress brings out newer version regularly, that packed with important security updates, new feature, fix for bugs and so on. If you forget to apply those updates into your existing WordPress site, that includes the latest security fixes, it means you are attracting hacker to hack your site.
To update your WordPress version, head over to Dashboard >> Updates, and update WordPress version, theme and plugins.
04. Change the Default Admin Username:
When you setup your WordPress website first time, you’ll find admin would have been set as username by default. If you run your website without change default username, it means hackers have only to guess your site password.
So, change the default username immediately just after your kickstart. If you do change it, it means you’ll be one step safer and hacker will be one step away from your site hacking.
05. Check your File Permission
Servers play important role to secured websites from hacking. There are various types of server out there in the market like managed server and unmanaged server. Manage server is managed by hosting provider and you don’t need worry about file permission. If you’re using unmanaged server like Linux or Unix server, you’ve manage it on your own with full access to your folder and file permission,, which either provides or limits access based on the settings you choose.
If you inadvertently make your website files and folders access level too permissive, anyone can access your site important files and documents anytime. If don’t know the details of file and folder permission of your website, here WordPress Codex created an in-depth guide on file permission.
06.Keep Regular Site backup
The possibilities of your being hacked is numerous, If you keep proper backup of your website files and databases. you can safely undo the rest of the hacked site without any hassle. The process of keeping backed of a website is simple and there are some free and premium useful WordPress plugin available in the market like VaultPress, BackBuddy, blogVault and a more.
Make sure you’re running your site having backup regularly. But it could be varied from site to site, and number of changes your make daily or weekly basis. It depends on you. If you’ve site like enterprise level, I not only recommend you to keep regular update but also save the multiple updated copy in different servers in different location. In your website or your couple of servers are hacked, your can recover everything without losing anything.
07. Install a Security Plugin
Even since I started using WordPress security plugins, I won’t go back to not using one. When I look at the statistics, and found; how many hundreds of times in a day my sites are hit by an unexpected attack that’re also get blocked by WordPress security plugins.
Once one of my website really gets hacked and malicious code was injected which was responsible for adding backlinks on my website to the spam sites. Even I noticed when i tried to share a blog post from Facebook and twitter, the preview would replaced with the title and content with spam contents. You might be thinking why my site get hacked in spite of security plugin being enabled there, right? I forgot my WordPress admin password, tried severl attempt to login. Consequently The security plugin blocked my IP and I couldn’t get on the site anymore. So, I login the server and removed the plugin.
I had to start fresh to redo my site from scratch and enable a WordPress security plugin. Now the question is what are the best WordPress security plugins? In my opinion choose those plugins which offer offer anti-virus, firewall and anti-malware services. Some of them can even help clean up a hacked site if you still have access to install it such as Wordfence Security, which works for both single and Multi-site installs.
Here are some other plugins that can help you amp up your security:
- BulletProof Security
- iThemes Security
- Sucuri Security Malware Scanner
- Sucuri Security Website Firewall
- All in One WP Security and Firewall
- WordPress Simple Security Firewall
- Triagis WordPress Security
- SiteGuard WP Plugin
- Anti-Malware and Brute Force Security by ELI
This is just a sampling of the many out there that you can peruse at your leisure.
8. Limit login attempts
Brute-force attack is pretty common in the today’s web. Where hackers and abusive bots try to crack down you login credentials by systematically checking all your possible keys or passwords until the correct match is found. In this case you didn’t limited your site login attempt, you might endanger yourself from unexpected trouble.
If you have strong credential enabled for your login verification, that would be great. But your site becomes unexpectedly slow and you may lose traffic and revenue altogether while attacking. If you thinking how to limit login attempt to be away from such hassles, that is simple because nearly all security plugin come with this feature right out of the box.
Though attackers attack a website from a large number of different IP address, but security plugins still can put strong defense as an addition precautions.
9. Disable File Editing Via The Dashboard
WordPress default installation allows administrators to edit core files of a WordPress website right from dashboard navigating Appearance > Editor area. If you have put strong defence for your site security and chances of hacking pulled down to the zero. That would be great you are the safe.
But In case hackers managed to takeover your site admin access cracking down your login credentials, you would be in trouble. They can edit your site’s core files easily and execute what code they want to. If you want to be keep your site safe a bit further, add the following code in wp-config.php file.
define( ‘DISALLOW_FILE_EDIT’, true );