You need to make sure your WordPress site is secure before it’s too late!
In today's world of website development more and more sites are built on the industry leader, WordPress. But WordPress' popularity also makes it the most attractive target: one vulnerability in a widely installed plugin or theme can be exploited at scale with automated tools, and as soon as a new exploit is published, hackers, spammers and all round trouble-makers are quick to use it to infect your blog or website with rubbish content and spam backlinks.
In my line of work, I unfortunately come across many sites that fall prey to hacking attempts. The reasons for these attacks vary a great deal. Once hacked, a site can sometimes be compromised beyond repair and then has to be restored from a previous backup, or rebuilt from scratch, which is both a costly and time consuming outcome.
It is therefore not surprising that my recommendation is that any WordPress website owner does everything within their power to protect their site. The positive news is that there are several easy steps one can take to make a site considerably harder to break into:
Keep your WordPress installation up-to-date:
I cannot repeat this often enough: make sure your WordPress installation is up to date. This includes WordPress core itself as well as every plugin and theme installed. Core security releases install automatically by default, and plugins and themes can be updated from the Updates screen in the Dashboard (or set to update automatically), so there is no excuse for running an old version whose vulnerabilities are public knowledge.
Any plugins or themes that are not in use by your site should be uninstalled, not merely deactivated: the files of a deactivated plugin stay on disk and can still be requested directly over the web, so some vulnerabilities in them remain exploitable. The plugins you do keep should always be on their latest versions.
A word of caution though: if you edit the WordPress core files themselves, every update will either overwrite your changes or tempt you to skip the update to keep them, which makes the whole process immensely harder. So my advice is to leave the core code untouched and put customisations in a child theme or a small plugin, which makes your life easier in the long run.
Choose a strong username and password:
Make sure you do not use "admin" as your username. This is the historical default and every brute force wordlist tries it first. Bear in mind, though, that renaming it is only a small gain: WordPress discloses usernames through author archive URLs (for example ?author=1) and its REST API, so treat the username as public and put your real effort into the password. A strong password should be created for your login account to prevent unauthorised access, and no, your son's name is not a strong enough password. For help on generating strong passwords use a long random password from a password manager's generator, and add a login rate limit or two-factor authentication (several of the plugins listed below provide both) so that guessing it is impractical even if the username is known.
Make backups of your site:
Make backups of your site in order to avoid the loss of your entire site! Should your site be compromised, you would need backups in place to restore your site from, and those backups should be kept somewhere the web server cannot overwrite, so that an attacker who gets into the site cannot destroy them too.
The good news is that there are a number of plugins that assist you with creating and managing these backups, including:
For more premium, paid solutions we recommend:
Create custom Security Keys:
WordPress security keys and salts are eight long random strings defined in wp-config.php. They do not encrypt your password; WordPress uses them as the secret for the HMAC that signs the authentication and logged-in cookies and the nonces in admin forms, so that someone who cannot read wp-config.php cannot forge a valid session cookie. If the placeholders are left in place, WordPress falls back to salts stored in the database, which means anyone with database access also has the signing secret; defining them in wp-config.php keeps that secret out of the database. Because every existing cookie is signed with the current keys, changing them invalidates all logged-in sessions at once, which is exactly what you want after a suspected compromise.
WordPress.org provides a generator at https://api.wordpress.org/secret-key/1.1/salt/ that returns eight freshly generated define() lines. Once you have them they need to be placed in your wp-config.php file, replacing the following:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
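As an added example (this is not the article's own code, nor anything shipped by WordPress), the POSIX shell script below generates the eight values locally from /dev/urandom, so you never paste secrets out of a web page, and swaps them into an existing wp-config.php. The function names, the 64-character key length, the character set and the .bak suffix are my own choices. The character set deliberately leaves out the single quote and the backslash, since the values sit inside single-quoted PHP strings.

```shell
#!/bin/sh
# Added example: regenerate WordPress security keys/salts offline and install
# them into wp-config.php. Not part of the original article or of WordPress.
set -eu

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# One 64-character key from /dev/urandom. No single quote and no backslash in
# the set, so the value is safe inside a single-quoted PHP string.
wp_salt_random() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_=+<>?,.:;|~-' < /dev/urandom | head -c 64
}

# Print the eight define() lines in the form wp-config.php expects.
wp_salts_generate() {
    for name in $WP_SALT_NAMES; do
        printf "define('%s', '%s');\n" "$name" "$(wp_salt_random)"
    done
}

# Replace the existing define() for each of the eight names in FILE with a
# fresh one. Lines are matched by constant name, so both define('AUTH_KEY'
# and the spaced define( 'AUTH_KEY' form are handled. The original file is
# kept as FILE.bak. Fails (leaving FILE.bak) if a name is not found.
wp_salts_install() {
    file="$1"
    new="$(mktemp)"
    wp_salts_generate > "$new"
    cp "$file" "$file.bak"
    awk -v q="'" -v newfile="$new" '
        BEGIN {
            bad = 0
            while ((getline line < newfile) > 0) {
                split(line, p, q)            # p[2] is the constant name
                repl[p[2]] = line
            }
            close(newfile)
        }
        /^define[(]/ {
            split($0, p, q)
            if (p[2] in repl) {
                if (!(p[2] in done)) { print repl[p[2]]; done[p[2]] = 1 }
                next                         # drop the old line (and duplicates)
            }
        }
        { print }
        END {
            for (n in repl) if (!(n in done)) {
                print "wp_salts_install: no define() for " n " in input" > "/dev/stderr"
                bad = 1
            }
            exit bad
        }
    ' "$file.bak" > "$file"
    rm -f "$new"
}

# Usage (path is a placeholder):
#   wp_salts_install /var/www/html/wp-config.php
```

Run it once on a copy of wp-config.php first; after installing the new keys every user, including you, is logged out and has to sign in again, which is the intended effect.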
Add protection to your configuration files:
wp-config.php holds your database credentials and security keys, and .htaccess holds your rewrite and access rules, so neither should ever be served to a browser. Apache does not normally show the source of wp-config.php because PHP executes it and it prints nothing, but a misconfigured PHP handler, or a stray editor backup such as wp-config.php~, serves it as plain text, so blocking both files explicitly costs nothing. This only works on Apache with AllowOverride enabled for the directory; nginx ignores .htaccess entirely, and there the equivalent rule goes into the server configuration. The directives below use the Apache 2.2 syntax, which Apache 2.4 accepts only while mod_access_compat is loaded; the native 2.4 form is Require all denied.
Believe it or not, this is actually relatively easy to do:
In your webroot directory, create (if it does not already exist) a file named .htaccess and add the following to it:
<Files wp-config.php>
deny from all
</Files>

<Files .htaccess>
deny from all
</Files>
Protect your WordPress version:
Hide your WordPress version from hackers by placing the following in your theme's functions.php file, found in the directory of the theme you are using (eg: wp-content/themes/twentyfifteen): remove_action('wp_head', 'wp_generator'). This removes the generator meta tag from the page head. Two caveats: a theme update overwrites functions.php, so put the line in a child theme or a small plugin instead, and the meta tag is not the only place the version leaks. The RSS feeds carry their own generator element (the the_generator filter silences those too), readme.html in the web root names the release, and core scripts and styles are served with a ?ver= suffix.
This prevents hackers seeing which version of WordPress you are running, which makes it more difficult for them to pick the exploit that matches your site, although it only buys time: an automated scanner will simply try every known exploit regardless. This and other small but very useful tweaks can be applied easily by installing the WP-Security-Scan plugin.
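The two steps above are easy to get subtly wrong (AllowOverride off, a wp-config.php~ left behind, the generator tag gone from the head but not from the feed), so as an added example, and not code from the article, here is a small POSIX shell audit that checks a live site from the outside with curl. The two fetcher functions, the list of paths and the site name in the usage comment are my own assumptions; the fetchers are kept separate so they can be replaced with canned responses for testing.

```shell
#!/bin/sh
# Added example: external check that the config-file and version-disclosure
# hardening took effect. Not part of the original article.
set -eu

# Both fetchers wrap curl so they can be swapped for canned responses.
wp_http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}
wp_http_body() {
    curl -s --max-time 10 "$1"
}

# Audit one site. Prints one line per finding; returns 0 when everything is
# blocked and hidden, 1 otherwise.
wp_audit() {
    base="${1%/}"
    findings=0

    # 1. Files that must never be served. wp-config.php normally runs as PHP
    #    and prints nothing, but a broken PHP handler or an editor backup copy
    #    hands out the database credentials and security keys as plain text.
    for path in .htaccess wp-config.php wp-config.php~ wp-config.php.bak readme.html; do
        code=$(wp_http_status "$base/$path")
        case "$code" in
            403|404) ;;
            000) echo "ERROR: could not reach $base/$path"; findings=$((findings + 1)) ;;
            *) echo "EXPOSED: $base/$path answered HTTP $code"; findings=$((findings + 1)) ;;
        esac
    done

    # 2. Version disclosure: the generator meta tag in the page head, and the
    #    generator element in the RSS feed that remove_action() does not touch.
    body=$(wp_http_body "$base/")
    if printf '%s' "$body" | grep -qi 'name="generator" content="WordPress'; then
        echo "EXPOSED: generator meta tag present on $base/"
        findings=$((findings + 1))
    fi
    feed=$(wp_http_body "$base/feed/")
    if printf '%s' "$feed" | grep -q '<generator>https://wordpress.org/?v='; then
        echo "EXPOSED: generator element present in $base/feed/"
        findings=$((findings + 1))
    fi

    if [ "$findings" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Usage (hostname is a placeholder):
#   wp_audit https://www.example.com
```

A 404 for wp-config.php is as good as a 403 here; what matters is that no path in the list answers 200. Run the audit again after any change to the web server configuration, since that is when access rules silently stop applying.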
Server Security – Intelligent blocking:
ModSecurity is a module for the Apache web server (ports exist for nginx and IIS as well) that works as a web application firewall: it inspects every request against a set of rules and blocks the ones that look like typical attacks on web applications such as WordPress, for example SQL injection or script uploads. The OWASP ModSecurity Core Rule Set is the usual starting point and includes exclusion rules for WordPress so that legitimate admin actions are not blocked. Unfortunately this step is harder if you do not own or control the server: on shared hosting you cannot install the module yourself, although many hosts already run it, and it is worth asking whether yours does.
Below are some plugins that can be very useful in ensuring that your site stays secure:
Acunetix WP Security: This plugin scans for vulnerabilities and makes suggestions to correct them.
Ninja Firewall: has a wide range of features, including two-factor authentication for your admin panel, brute force protection and real-time detection of any access made to a PHP file within your WordPress installation.
Wordfence: This plugin can scan your files on the server to check for any infections. It also includes a Cellphone sign-in feature for your admin panel. It has real time blocking of known attackers that get detected by other sites running Wordfence.