Why It Is Important To Secure Your WordPress Website
WordPress is a very popular content management system that lets even a non-technical person build and run a website. That popularity is exactly why it is so important to keep a WordPress site secure.
WordPress is open source and its code is available to anyone, so whoever finds a flaw in it, or in one of the many themes and plugins built on it, can use that flaw against every site still running the vulnerable version. Attackers scan for such sites automatically, so a single known weakness is often enough to get in. This gives attackers something of an upper hand and makes it harder for developers and site owners to keep their websites secure.
In this tutorial we will go through some of the very basic security techniques to prevent hackers from attacking your WordPress website.
Use Strong Passwords
One of the most common attacks is to guess the password of your hosting account or WP admin user by trial and error: attackers use automated tools that run through large lists of common passwords and leaked credentials until one works. So it is very important to use long passwords that mix letters, digits and symbols and are not reused on any other site; a password generator (online or built into a password manager) can produce them for you. Also make sure you are not saving the password in your browser for auto-login.
Use a non-default username
It is always recommended to use a non-default username for the WP admin account. Most WP users keep the default username admin, and attackers know this, so if you go with the default username you hand the attacker half of the credentials for free: they only have to guess the password.
Enable brute-force protection
As additional protection against password guessing, enable brute-force protection. On cPanel servers the cPHulk service can block repeated failed logins at the server level; on the WordPress side there are plugins that do the same for the WP login page.
These plugins limit the number of failed login attempts allowed from one IP address (or for one username) to a small number that you configure, and block further attempts for a period of time once that limit is reached. Several such plugins are available in the WordPress plugin directory.
Go to WP Admin >> Plugins >> Add New to install new plugins.
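To show what such a plugin does under the hood, here is a small must-use plugin that applies the limit described above. This is an added example, not code from the original page and not any published plugin. The file name, the thresholds (5 failures per 15 minutes, 30-minute lockout) and the use of REMOTE_ADDR as the client address are assumptions; behind a reverse proxy or CDN you would take the address from the header your proxy sets.

```php
<?php
/**
 * Plugin Name: Limit Login Attempts (added example)
 * Description: Locks an IP address out of wp-login.php after repeated failed logins.
 *
 * Added example, not the original page's code and not any published plugin.
 * Save as wp-content/mu-plugins/limit-login-attempts.php (assumed path); must-use
 * plugins load automatically and cannot be deactivated from the dashboard.
 *
 * Assumption: the web server sees the real client address in REMOTE_ADDR. Behind a
 * reverse proxy or CDN, read the address from the header your proxy sets instead,
 * and never trust X-Forwarded-For sent by arbitrary clients.
 */

const LLA_MAX_FAILURES = 5;    // failed logins allowed inside one window
const LLA_WINDOW       = 900;  // window length in seconds (15 minutes)
const LLA_LOCKOUT      = 1800; // lockout length in seconds (30 minutes)

function lla_client_ip() {
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient name for this IP. Hashing keeps IPv6 colons out of the option name.
function lla_key( $ip ) {
	return 'lla_' . md5( $ip );
}

function lla_is_locked( $state ) {
	return is_array( $state ) && $state['locked_until'] > time();
}

// Count every failed login against the client's IP; lock the IP at the threshold.
add_action( 'wp_login_failed', function ( $username ) {
	$key   = lla_key( lla_client_ip() );
	$state = get_transient( $key );
	if ( lla_is_locked( $state ) ) {
		return; // already locked; do not keep extending the lockout
	}
	if ( ! is_array( $state ) ) {
		$state = array( 'count' => 0, 'locked_until' => 0 );
	}
	$state['count']++;
	if ( $state['count'] >= LLA_MAX_FAILURES ) {
		$state['locked_until'] = time() + LLA_LOCKOUT;
		set_transient( $key, $state, LLA_LOCKOUT );
	} else {
		set_transient( $key, $state, LLA_WINDOW );
	}
} );

// Refuse logins from a locked IP. Priority 99 matters: core's own username/password
// check runs at priority 20 and replaces any earlier WP_Error when credentials are
// supplied, so the lockout has to be applied after it.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	$state = get_transient( lla_key( lla_client_ip() ) );
	if ( lla_is_locked( $state ) ) {
		$minutes = (int) ceil( ( $state['locked_until'] - time() ) / 60 );
		return new WP_Error(
			'too_many_attempts',
			sprintf( 'Too many failed login attempts. Try again in %d minutes.', $minutes )
		);
	}
	return $user;
}, 99, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function ( $user_login, $user ) {
	delete_transient( lla_key( lla_client_ip() ) );
}, 10, 2 );
```

The counter lives in a transient, so it works on a single-server install without any extra tables; with a persistent object cache the same transients are shared across web nodes. The lockout is per IP only, so a distributed attack that spreads guesses over many addresses is not stopped by this alone; that is where server-level tools such as cPHulk, a web application firewall, or two-factor authentication come in.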
Update WordPress version, themes and plugins on a regular basis
Running an outdated WordPress version, theme or plugin is a serious security risk. Once a fix is released, the vulnerability it closes is public knowledge, so attackers actively look for sites still running the old version and use that known flaw to get in. To prevent this, keep the WordPress application, its themes and its plugins on the latest stable version.
To enable WordPress auto updates
Add the following lines to the wp-config.php file in the WP installation directory. AUTOMATIC_UPDATER_DISABLED is already false by default; setting it explicitly makes sure nothing else has switched the updater off. WP_AUTO_UPDATE_CORE set to true enables automatic minor and major core updates (the default is minor releases only).
define( 'AUTOMATIC_UPDATER_DISABLED', false );
define( 'WP_AUTO_UPDATE_CORE', true );
To auto-update WP Plugins
Add the following line to a must-use plugin (a PHP file in wp-content/mu-plugins/) or to the active theme's functions.php. Do not put it in wp-config.php: add_filter() is not defined yet at the point where wp-config.php runs, so WordPress would stop with a fatal "Call to undefined function add_filter()" error. Since WordPress 5.5 the same setting can also be switched on per plugin from the Plugins screen.
add_filter( 'auto_update_plugin', '__return_true' );
To auto-update WP Themes
Add the following line to the same must-use plugin or functions.php file, again not to wp-config.php.
add_filter( 'auto_update_theme', '__return_true' );
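The two filters above, put into one must-use plugin as an added example (not code from the original page or from WordPress itself). It goes a little beyond the page by allowing a hold-back list for plugins and themes you do not want updated unattended, and by enabling the result emails WordPress can send after an automatic update. The file name and the hold-back entries are assumed placeholders; the constants for core updates still belong in wp-config.php as shown above.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 * Description: Turns on automatic updates for plugins and themes, with a hold-back list.
 *
 * Added example, not the original page's code. Save as
 * wp-content/mu-plugins/auto-update-policy.php (assumed path). Filters cannot live
 * in wp-config.php because add_filter() does not exist yet when that file runs.
 */

// Plugins that must NOT auto-update, by plugin file path as shown under
// WP Admin >> Plugins (for example 'akismet/akismet.php'). The entries below are
// placeholders; list the ones you have customised or roll out through staging.
const AUP_PLUGIN_HOLDBACK = array(
	'example-customised-plugin/example-customised-plugin.php',
);

// Themes that must NOT auto-update, by theme directory name (placeholder entry).
const AUP_THEME_HOLDBACK = array(
	'example-child-theme',
);

// $item is the update offer; for plugins it carries the plugin file path in ->plugin.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
	if ( isset( $item->plugin ) && in_array( $item->plugin, AUP_PLUGIN_HOLDBACK, true ) ) {
		return false;
	}
	return true;
}, 10, 2 );

// For themes the offer carries the theme directory name in ->theme.
add_filter( 'auto_update_theme', function ( $update, $item ) {
	if ( isset( $item->theme ) && in_array( $item->theme, AUP_THEME_HOLDBACK, true ) ) {
		return false;
	}
	return true;
}, 10, 2 );

// Email the site admin address after automatic plugin/theme updates run (or fail),
// so a broken update is noticed quickly. These filters exist since WordPress 5.5.
add_filter( 'auto_plugin_update_send_email', '__return_true' );
add_filter( 'auto_theme_update_send_email', '__return_true' );
```

Held-back plugins and themes still show up as "update available" in the dashboard, so the hold-back list is a way to stage risky updates, not a reason to leave them unpatched. Because the file is a must-use plugin it cannot be deactivated from WP Admin, which is what you want for a security policy.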
Another way to update WP themes and plugins automatically is to use a trusted plugin such as Advanced Automatic Updates. It installs updates for outdated plugins and themes on its own and can also send you an Email notification when an update is available for any installed plugin or theme.
You can follow the screenshots below to install and setup Advanced Automatic Updates plugin.
Go to WP Admin >> Plugins >> Add New >> search for Advanced Automatic Updates plugin >> Click Install Now.
This will install the plugin. To enable the plugin, click on Activate Plugin.
The plugin is now activated.
If you go to WP Admin >> Plugins >> Installed Plugins, you can see the Advanced Automatic Updates plugin among the installed plugins. Click the ‘Settings’ link to edit its settings.
This will take you to the settings page of the plugin.
Tick the options given below to enable auto-updates of installed themes and plugins, along with Email notification for outdated themes and plugins.
* Update your plugins automatically?
* Update your themes automatically?
Restrict web access to the WP configuration file
The WP configuration file (wp-config.php) holds all the sensitive details of the WordPress installation, including the database credentials, the database table prefix and the authentication salts. No browser ever needs to fetch this file; PHP executes it on the server, and the only time its contents could reach a visitor is when something is misconfigured (for example when the PHP handler is disabled and the file is served as plain text). So it is recommended to block web access to it from the outside world and, if you really want an exception, only allow a trusted IP. The easiest way to do this is to add the following to the .htaccess file in the WP installation directory.
<Files wp-config.php>
    Order deny,allow
    Deny from all
    Allow from IPAddress
</Files>
With Order deny,allow the Deny rule is applied first and the Allow rule can then make an exception for the listed IP, so access from IPAddress is allowed and everything else is blocked. Note that the reverse order (Order allow,deny with the same two rules) blocks the trusted IP as well, because under allow,deny a matching Deny always wins. You can simply drop the Allow line to block everyone. On Apache 2.4 the Order/Allow/Deny directives only work if the mod_access_compat module is loaded; the native equivalents are Require all denied, or Require ip IPAddress for the exception. Also make sure no backup copies such as wp-config.php.bak or wp-config.php.old are left in the web root, since the Files rule above matches only the exact name.
Protect your website from malware
Most reported hacks come down to outdated software and to malware injected into the site's files. The injection can happen through an infected computer that is used to upload content to the site (for example over FTP with stolen credentials), or through a vulnerability in the installed application, a theme, a plugin or custom code.
To prevent this, make sure your website contents are clean. Scan the files with a reputable malware scanner, and prefer a web host that runs routine malware checks or provides scanning tools such as ‘ClamAV’ through the web hosting control panel. Scanning finds what is already there; the updates, strong passwords and login limits above keep it from getting there in the first place.
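Signature scanners only catch what they know. A complementary check you can run yourself is file-integrity monitoring: hash every file of a known-clean install once, then compare regularly and investigate anything added or changed, with a special eye on PHP files under wp-content/uploads, which should hold only media. The script below is an added example, not code from the original page or from WordPress; the paths in the usage comment are placeholders.

```php
<?php
/**
 * wp-integrity.php (added example, not the original page's code)
 *
 * Records SHA-256 hashes of every file under a WordPress install, then reports
 * files that were added, removed or changed since that baseline.
 *
 * Usage (paths are placeholders):
 *   php wp-integrity.php baseline /var/www/html /root/wp-baseline.json
 *   php wp-integrity.php check    /var/www/html /root/wp-baseline.json
 * Take the baseline on a known-clean install, keep it outside the web root,
 * and run 'check' from cron. Exit status 1 means something changed.
 */

function wpi_hash_tree( string $root ): array {
	$root   = rtrim( $root, '/' );
	$hashes = array();
	$it     = new RecursiveIteratorIterator(
		new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
	);
	foreach ( $it as $file ) {
		if ( ! $file->isFile() ) {
			continue;
		}
		// Store paths relative to the install root so the baseline is portable.
		$rel            = substr( $file->getPathname(), strlen( $root ) + 1 );
		$hashes[ $rel ] = hash_file( 'sha256', $file->getPathname() );
	}
	ksort( $hashes );
	return $hashes;
}

function wpi_diff( array $baseline, array $current ): array {
	$report = array( 'added' => array(), 'removed' => array(), 'changed' => array() );
	foreach ( $current as $path => $hash ) {
		if ( ! isset( $baseline[ $path ] ) ) {
			$report['added'][] = $path;
		} elseif ( $baseline[ $path ] !== $hash ) {
			$report['changed'][] = $path;
		}
	}
	foreach ( $baseline as $path => $hash ) {
		if ( ! isset( $current[ $path ] ) ) {
			$report['removed'][] = $path;
		}
	}
	return $report;
}

// PHP (or PHP-like) files appearing under uploads are a classic web-shell drop.
function wpi_flag_suspicious( array $report ): array {
	$flags = array();
	foreach ( array_merge( $report['added'], $report['changed'] ) as $path ) {
		if ( preg_match( '#^wp-content/uploads/.*\.(php[0-9]?|phtml|phar)$#i', $path ) ) {
			$flags[] = $path;
		}
	}
	return $flags;
}

$mode = $argv[1] ?? '';
$root = $argv[2] ?? '';
$db   = $argv[3] ?? '';
if ( ! in_array( $mode, array( 'baseline', 'check' ), true ) || ! is_dir( $root ) || '' === $db ) {
	fwrite( STDERR, "usage: php wp-integrity.php baseline|check <wp-root> <baseline.json>\n" );
	exit( 2 );
}

if ( 'baseline' === $mode ) {
	file_put_contents( $db, json_encode( wpi_hash_tree( $root ), JSON_PRETTY_PRINT ) );
	echo "baseline written to $db\n";
	exit( 0 );
}

$baseline = json_decode( (string) file_get_contents( $db ), true );
if ( ! is_array( $baseline ) ) {
	fwrite( STDERR, "cannot read baseline $db\n" );
	exit( 2 );
}

$report = wpi_diff( $baseline, wpi_hash_tree( $root ) );
foreach ( $report as $kind => $paths ) {
	foreach ( $paths as $p ) {
		echo "$kind\t$p\n";
	}
}
foreach ( wpi_flag_suspicious( $report ) as $p ) {
	echo "SUSPICIOUS\tPHP file under uploads: $p\n";
}
exit( array_sum( array_map( 'count', $report ) ) > 0 ? 1 : 0 );
```

Expect legitimate noise after an update or a media upload; re-run 'baseline' once you have confirmed the change was yours. The check is only as trustworthy as the machine it runs on: if an attacker already has code execution on the server they can edit the baseline too, which is why it should live outside the web root and, ideally, be copied off the host.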