Few tips to secure WordPress website

Hello friends! I was just thinking about how hacking has spread like an epidemic. There is a loophole for every possible issue nowadays, and hacking has become quite prevalent. So I just wanted to ask you something. Is your WordPress website safe? Can you prevent it from getting hacked? I am sure most of you would have “No” for an answer. So in today’s article I am going to offer you a few tips to secure your WordPress website.


Just have a look. It’ll cost you nothing but a few minutes:-

1. WordPress username change-

Your WordPress username should be different from the one that appears on your posts. Why should you do this? Because hackers will always target your username first and then try to decipher your password. If you have a different username, it complicates things for them, and this is exactly what you need.

How can you do this? Just create two admin accounts for your use. You can use one to do all your back end activities while the other can be used to be displayed on your posts.

2. Often change password-

You should change your WordPress password at least thrice a month. Try to make your password complicated by using a combination of numbers, symbols, special characters and letters. This would make your password strong and hard to crack. If there is more than one WordPress user for the same blog, ask them to follow the same password.

Refrain from using names, birthdates, favorite movie names and others as your password. This feature is often overlooked but it is an important step towards securing your website.

3. Update to the Latest Version-

WordPress informs its users whenever there is a relevant updated version. Many of us tend to ignore it. However, these updates are extremely important because they contain the latest security fixes and bug fixes.

By not updating WordPress, you expose your website to hacking in the future.

4. Take Weekly WordPress Backup-

You should frequently take a backup of the entire WordPress database, before and after you make any changes to it. You can either do this manually or you can use the Backup Buddy plug-in, which will email you the backup of the entire database. By entire database, I mean everything like files, images, digital media and others.

If you are using this plug-in, do not forget to update it as and when the update is required.

5. Use WordPress Security Scan-

There is a security plugin available for WordPress, one of the best plugins that WordPress has to offer its users: the WordPress security plug-in.

Install it on your website and scan it every week. The scanner will scan the entire WordPress database and inform you if it finds any malicious code or vulnerabilities. It will either say “You have the latest stable version of WordPress” or “You do not have a stable version of WordPress” and will list out the problems. Perform scanning frequently.

6. Do not Display WordPress version and Plugin Details-

Never ever display what plugins you are using or which WordPress version you are using because it becomes convenient for hackers to hack into your site.

To hide the WP version details, you need to change

    <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

to

    <meta name="generator" content="Powered by WordPress" />


For plug-in list, check or check the

Replace your with your real URL. Hit enter and see whether the list of plug-in or the entire WP-content directory is being displayed. If it is, you should not display this list as hackers can use codes to infiltrate, which will affect your blog. How can you hide the list?

Visit cPanel, create a “.htaccess” file in /wp-content/themes/ and paste the following code:-

    # BEGIN WordPress
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # Prevents directory listing
    IndexIgnore *
    # END WordPress

Save the file, click browser refresh and refresh the plug-in page. Now if you click on, you will see none of the files are displayed.

An alternative process is to de-index the chosen folder via cPanel. Your cPanel might be different, but this might work. Go to cPanel > Advanced > Index Manager > (Choose the domain and folder you want to de-index) > No Indexing > Save.

You are done here.
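An added example, not part of the original article: a Python check for the two disclosures this tip describes, run over response bodies fetched from your own site. The sample HTML is constructed, and the class and function names are hypothetical.

```python
import re
from html.parser import HTMLParser


class PageProbe(HTMLParser):
    """Collects the generator meta tag, the page title and link targets."""

    def __init__(self):
        super().__init__()
        self.generator, self.title, self.links = "", "", []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content") or ""
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        self._in_title = tag == "title"

    def handle_endtag(self, tag):
        self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def check_page(html):
    """Return a list of findings for one HTML response body."""
    probe = PageProbe()
    probe.feed(html)
    findings = []
    version = re.search(r"WordPress\s+(\d+(?:\.\d+)+)", probe.generator)
    if version:
        findings.append("version disclosed: " + version.group(1))
    if probe.title.strip().lower().startswith("index of /"):
        # Skip column-sort links ("?...") and the parent-directory link ("/...").
        entries = [h for h in probe.links if not h.startswith(("?", "/"))]
        findings.append("directory listing: %d entries" % len(entries))
    return findings


# Constructed sample responses (not captured from any real site).
HOME = '<head><title>My Blog</title><meta name="generator" content="WordPress 3.5.1" /></head>'
LISTING = ('<head><title>Index of /wp-content/plugins</title></head><a href="?C=N;O=D">Name</a>'
           '<a href="/wp-content/">Parent Directory</a><a href="akismet/">akismet/</a>'
           '<a href="hello.php">hello.php</a>')
HARDENED = '<head><title>My Blog</title><meta name="generator" content="Powered by WordPress" /></head>'
```

An empty list from `check_page` means neither disclosure was found in that response.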

7. Use Secret Keys-

Secret Keys are used in the wp-config file, which stores details like the name and password of the MySQL database. You can restrict access to these files by using Secret Keys. These are encrypted keys that protect the information in the MySQL database. These keys are long, complicated and random. You don’t have to remember them.

Some Secret Keys examples are:



‘I6`V|mDZq21-J|ihb u^q0F }F_NUcy`l,=obGtq*p#Ybe4a31R,r=|n#=]@]c #’)
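An added example, not code from the original article: a Python script that audits the secret-key `define()` lines of a wp-config.php and generates random replacements. The key names and the placeholder phrase are the ones WordPress ships; the 32-character minimum, the sample config and the function names are assumptions made for this example.

```python
import re
import secrets
import string

# The eight constants WordPress reads from wp-config.php.
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # default in wp-config-sample.php
# Printable characters that need no escaping in a single-quoted PHP string.
ALPHABET = [c for c in string.ascii_letters + string.digits + string.punctuation
            if c not in "'\\"]
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)\s*;")


def generate_keys(length=64):
    """Return one define() line per key, drawn from the OS CSPRNG."""
    return ["define('%s', '%s');"
            % (name, "".join(secrets.choice(ALPHABET) for _ in range(length)))
            for name in KEY_NAMES]


def audit_keys(config_text, min_length=32):
    """Map each key name to its problem; an empty dict means all eight pass.

    min_length is an assumed threshold for this example, not a WordPress rule.
    """
    found = dict(DEFINE_RE.findall(config_text))
    problems = {}
    for name in KEY_NAMES:
        value = found.get(name)
        if value is None:
            problems[name] = "missing"
        elif value == PLACEHOLDER:
            problems[name] = "placeholder"
        elif len(value) < min_length:
            problems[name] = "too short"
        elif [found.get(n) for n in KEY_NAMES].count(value) > 1:
            problems[name] = "reused"
    return problems


# Constructed sample: a config with one hand-typed key and one untouched default.
SAMPLE = """define('DB_NAME', 'blog');
define('AUTH_KEY', 'mysecret');
define('SECURE_AUTH_KEY', 'put your unique phrase here');"""

if __name__ == "__main__":
    print(audit_keys(SAMPLE))
    print("\n".join(generate_keys()))
```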

8. Use Login Lockdown Plugin-

If you install the Login Lockdown plugin and if a hacker tries to crack the site password through force, the plug-in will immediately disable the site’s login function and permanently block the IP address from which the hacker is trying to force access.

This is a must have plugin for WordPress.

9. Restrict Directory Browsing-

If hackers have access to your directory, they can easily make out the pattern of your directory structure and use the information for hacking.

To deactivate directory browsing, just open the .htaccess file in the root directory and add the code given below:

    # protect wp-config.php
    <files wp-config.php>
    Order deny,allow
    Deny from all
    </files>


10. Disable WordPress Admin section Indexing-

Your WP admin section contains sensitive information. Unless the search engine spiders are told that the admin section should not be indexed, the automatic bots will scan and index them as well. This should be avoided as the hackers can use the admin indexes to hack your website.

How to avoid it? Create a robots.txt file in the root directory and insert the following code:


    User-agent: *
    Disallow: /cgi-bin
    Disallow: /wp-admin
    Disallow: /wp-includes
    Disallow: /wp-content/plugins/
    Disallow: /wp-content/cache/
    Disallow: /wp-content/themes/
    Disallow: */trackback/
    Disallow: */feed/
    Disallow: /*/feed/rss/$
    Disallow: /category/*

After the code is installed, the search engine spiders will not attempt to index the above pages.
To make the above code changes, you need access to the cPanel directory. If you do not have this access, ask the webmaster to make the changes.

Note: Wherever plug-ins are mentioned, they are applicable for paid WP sites. Free WP sites cannot install plug-ins.

Hence I conclude this article by suggesting that you all should start implementing the above tips to secure your website/blog from hackers. After all, prevention is better than cure.

Keep liking and keep sharing!!

The author: Harinder is created and owned by Harinder (Aarav). Aarav is a technology blogger from India (Dehradun). He’s a quiet type and a creative guy who enjoys creating and exploring new trends on the web. Currently pursuing from DIT University.
