+91 80170 49042 [email protected]

How To Safeguard your WordPress Website- WordPress Security Tips

by | Updated on: Mar 3, 2023 | Tech Tips & Tech News | 6 comments

Learn why 1L learners preferred Seven Boats Academy
How to safeguard WordPress
How to secure Self Hosted WordPress Sites?

Securing your WordPress sites (Self Hosted WordPress site) is a major concern nowadays as too many sites have been hacked lately. We all know that wordpress is a very easy platform and hence it is very popular among non-techies. Managing WordPress sites or blogs are very easy which cuts the cost of having a webmaster. Keeping in mind its user friendliness, WordPress can also be hacked easily. That is why securing your WordPress site is always a mandate and following are the tips to improve the security of your WordPress website/blog.

The most common types of WordPress trojans, backdoors, and malware

Here are some of the most common types of WordPress trojans, backdoors, and malware:

  1. Pharma hack: This type of hack injects spammy content and links into your website’s pages and posts. It’s called “pharma” because it’s often used to sell pharmaceuticals.
  2. Backdoors: Backdoors are hidden access points that allow attackers to bypass normal authentication procedures and gain control of your website.
  3. Redirect hacks: This type of hack redirects users to malicious websites or pages.
  4. Malicious code injections: Attackers can inject malicious code into your website’s files or database, which can be used to steal data, launch attacks, or spread malware to other sites.
  5. Cryptojacking: This type of hack uses your website’s resources to mine cryptocurrency without your knowledge or consent.
  6. File upload vulnerabilities: Attackers can exploit file upload vulnerabilities to upload malicious files to your website.
  7. Brute force attacks: This is a type of attack where hackers try to guess your login credentials using automated tools.
  8. Cross-site scripting (XSS) attacks: This type of attack injects malicious code into your website’s pages or forms, which can steal user data or spread malware.

It’s important to note that there are many other types of WordPress hacks and malware, and attackers are constantly developing new techniques. Regular security monitoring and updates are critical to protect your website.

How to secure your WordPress Site?

How to secure your WordPress Site? Step by step guide to harden security of your WordPress site

Secure WordPress Admin

Don’t use the default admin user. After WordPress installation, the default user comes as admin. Hackers try and hit that factor first. So it is always recommended to create a new username with administrator rights and then delete the default admin user. But if you are keeping the default user, make sure you change the role from administrator to subscriber.

And if creating a new user, then always try and create a username which is hard to be guessed and then you can also use your e-mail id to login. There is a plugin called All In One WP Security & Firewall which can help you for this purpose.

And always use strong passwords for the usernames to boost the security. You should always limit the number of unsuccessful attempts to log in. In this way you are keeping your site a step further from being hacked.

 Secure WordPress directories

You have to secure your WordPress directories from the outside world and for that you have to open your .htaccess file in WordPress root directory and provide the line “Options – Indexes” on top.

This will prevent others from viewing the files listed in the directories in case the index.html or index.php is absent.
Not only you have to prevent users from browsing the directories, you also have to make sure that you are not letting others write to your WordPress directory. And for that you have to do the following. First of all you have to login to WordPress Linux Shell and execute the following command to get a list of open directories.  The command is “find . -type d -perm -o=w”

After that you have to run following two commands to set the permissions.
find /your/wordpress/folder/ -type d -exec chmod 755 {} \;
find /your/wordpress/folder/ -type f -exec chmod 644 {} \;

755 (rwxr-xr-x) means the administrator has write permission but others can read and execute & for files 644 (rw-r–r–), the administrator has both read and write permission but others can only read files.

Hide WordPress Version

Make sure your WordPress website/blog does not display the WordPress version. This will notify the outsiders that you are running on outdated or non-patched version of WordPress.  You also have to delete the readme.html file from the directory as it also displays the version.

Always stay updated with the latest version of WordPress as the updates provide you the security fixes of all the time. You will get notification on your dashboard for all kinds of updates such as WordPress  version update, plugins update and theme updates. So make sure you don’t ignore the notifications related to updates thinking it can disturb your themes or plugins. Secure WordPress  

Secure WordPress database tables

WordPress database tables have default names like wp_users, wp_posts etc. It is ideal to change the names of default database tables by changing the prefix of tables to some random value.  Changing prefix means changing the “wp_ “ part. There is a plugin available called “Brozzme DB Prefix & Tools Addons” which can help you on this part.

Secure WordPress Security Keys

You should update the WordPress security keys. First generate six security keys and then open the wp-config.php file. And then overwrite the default keys with new ones. The advantage to this is if no one can logs in to your WordPress without your information as the cookies will go invalid.

Protect .htaccess

It is definitely required to protect your .htaccess file and wp-config.php file. For that we have to place the following code in your .htaccess file.
<Files .htaccess>
order allow,deny
deny from all
</Files>

Similarly  you can protect your wp-config.php file by providing the following code in your .htaccess file.
<Files wp-config.php>
order allow,deny
deny from all
</Files> 

Enable WordPress Error Log

By keeping error logs of WordPress php and database, you can get hints of invalid file request hitting your WordPress. To enable error logging, the following code has to be added. The error.log file should be placed in folder not accessible from the browser.

define(‘WP_DEBUG’, true);
if (WP_DEBUG) {
define(‘WP_DEBUG_DISPLAY’, false);
@ini_set(‘log_errors’, ‘On’);
@ini_set(‘display_errors’, ‘Off’);
@ini_set(‘error_log’, ‘/path/to/error.log’);
}

Protect WP-Admin Folder

You should protect the wp-admin folder of your WordPress as this section is not meant fro public. Even the authorized users will have to provide two passwords for logging in.

Find unknown IP addresses for logged-in users

To get the list of users who logged in your WordPress server with their IPs, you can use the “last –i” command. If you find an unknown IP address, its high time you should change the password.

Security Scan of WordPress

There are some plugins available to monitor your website. Some of them are Exploit scanner, WordFence Security,  VIP Scanner, WordPress Sentinel. These plugins will scan the files, detect the suspicious codes and spam links if any. You can also check online your website’s security for free by Sucuri Sitecheck

Right Backup

It is always advised to keep a back up of your site. If possible keep a weekly back up and that will keep your website safer. The free plugins available for back up are Backup WordPress & WP DB Backup. Another great paid one is vaultpress

Secure Web host

Last but not the least is you should secure your hosting. Avoid free Hosting because we know that to have something good, you need to shell out some money. So do a proper research before hosting your website. And then your own machine should be secured because if there is a malicious logger on your machine then that logger can help in getting your website hacked.

Keep Spam Free WordPress

Try to keep your WordPress spam free. You can use these 2 plugins – Spam free WordPress or Akismet

Fetch as Google Bot

In your google webmaster central, try to check your site as “Fetch as Googlebot” and check for any abnormality. Sometimes malicious scripts hide changed title tags or add some other text content or links to your site that are not visible from page source. This tool would help you to find that.

Use WP Security Plugins

Use WP security plugins such as WordFence, Limit Login Attempts, All In One WP Security & Firewall plugin.

Use HSTS

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks such as cookie hijacking. So when you use SSL with your self hosted wordpress site, make sure you use HSTS also. There is a plugin WP Force SSL that can help on this.

X-Frame SAMEORIGIN & X-Content NoSniff

Use these 2 lines in your htaccess file.
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
sameorigin: When the XFrame-Options header is set to sameorigin, content can only be loaded in a frame that has the same origin as the page itself.
 header XContent-Type-Options: nosniff . This prevents the client from “sniffing” the asset to try and determine if the file type is something other than what is declared by the server.

Update your PHP version

It’s best to update your PHP version to the latest and active stable release such as PHP8.1 or 8.2

Update theme & plugins

Always keep your theme and all plugins updated and regularly checked.

best WordPress security plugins and tools

Here are some of the best WordPress security plugins and tools:

  1. Wordfence Security
  2. Sucuri Security
  3. iThemes Security
  4. Jetpack Security
  5. All In One WP Security & Firewall
  6. WPScan Vulnerability Scanner
  7. Security Ninja
  8. MalCare Security
  9. Defender Pro
  10. VaultPress Backup and Security

It’s worth noting that while security plugins can help increase the security of your website, they are not a guarantee against all types of attacks. It’s important to also follow best practices for WordPress security and to stay up-to-date with security news and vulnerabilities.

Steps and best practices to recover a hacked WordPress website

Here are some steps and best practices to recover a hacked WordPress website:

  1. Identify the hack: Determine the extent of the hack and what was compromised.
  2. Take your website offline: Take your website offline to prevent further damage.
  3. Change all passwords: Change your WordPress login credentials, as well as any FTP or cPanel credentials associated with your website.
  4. Restore from a backup: If you have a recent backup, restore your website to the most recent clean version.
  5. Scan for malware and vulnerabilities: Use a security plugin or service to scan your website for malware and vulnerabilities.
  6. Remove malware: Remove any malware found during the scan.
  7. Update everything: Update WordPress, themes, and plugins to their latest versions.
  8. Check file permissions: Make sure file and folder permissions are set correctly.
  9. Harden security: Implement additional security measures, such as using a web application firewall (WAF), changing default login URLs, and limiting login attempts.
  10. Monitor website activity: Monitor your website for any suspicious activity going forward.
  11. Educate yourself and your users: Educate yourself and your users on common security threats and best practices to prevent future attacks.

It’s important to note that the steps to recover a hacked WordPress website can vary depending on the extent of the hack and the specific circumstances. It’s always a good idea to consult with a security expert if you’re unsure about the best course of action.

Summary: Tips on how to secure a self-hosted WordPress website

Here are some tips on how to secure a self-hosted WordPress website:

  1. Keep WordPress and all plugins up to date
  2. Use strong passwords and change them regularly
  3. Limit login attempts and use two-factor authentication
  4. Use a reliable web host with good security measures
  5. Use a SSL/TLS certificate to encrypt data in transit
  6. Use security plugins to scan for vulnerabilities and malware
  7. Restrict access to important files and directories
  8. Disable directory browsing and file editing within WordPress
  9. Remove unused themes and plugins
  10. Limit user permissions and only grant access when necessary
  11. Implement a web application firewall (WAF)
  12. Use a content delivery network (CDN) to protect against DDoS attacks
  13. Back up your website regularly and keep a copy offline
  14. Monitor your website regularly for suspicious activity
  15. Educate yourself and your users on common security threats and best practices.

Always keep the Webmaster Tools at your fingertips. This will enable you to be the only one with authority to make changes to your website. Do not allow just about everyone in your office to have editorial access to your website’s WordPress. Keep that privilege only to yourself or to the head of the website designing and development, preferably the Webmaster. That way you will know who is making changes and at what time. Your website’s security and content will not be compromised in any way.

So above were some must follow tips to improve the security of your WordPress website/blog in order to make it difficult for hackers.

Author:- Debajyoti Banerjee is the Founder, Director & CEO of Seven Boats - A leading digital marketing agency & digital marketing training institute in India since 2011. He is a TEDx Speaker, Google & LinkedIn Certified Digital Marketer & Trainer, Brand Strategist, Consultant & Entrepreneur. B. Tech in computer engineering & post graduate diploma in Marketing, Debajyoti has 18+ years of domain experience and successful track records in digital marketing services & digital marketing training with 500+ clients & 100K+ students in 165+ countries. He has been invited & felicitated by 25+ Top B Schools & universities including London Business School, AICTE ATAL FDP, UGC-HRDC, IIM Shillong, IIM ROHTAK, IIT KGP, IIT Guwahati, Calcutta University, Ranchi University, St. Xavier’s, Brainware, Techno India, JIS Group, Jaypee Group, Shikshayatan Foundation, IIEST Shibpur, Bhavan’s, ICFAI Business School, GITAM Deemed University, Swami Vivekananda Group of Institutions & many more. He has been awarded with more than 20 national awards and he has received notable media coverage. Learn more

 

6 Comments

  1. WPSecurityCheck

    Hi Debajyoti,
     
    This is a great list of things to do to secure your WordPress…
     
    I recently had some security problems with my WordPress sites, and ended up doing a lot of research into securing WordPress sites…
     
    I have written up my experiences in a WordPress Security Checklist which can be downloaded for free on wpsecuritychecklist.com.
     
    My checklist has a few more items on it and includes step by step instructions on how to get the job done…
     
    Hopefully the checklist can help other people securing their WordPress sites…

    Reply
  2. Jatin Rohatgi

    well worth a read
    Recently I facing a problem with WordPress. I’m finding of protecting .htaccess. Here I have found this code .
    I have also a Wordfence plugin for protection. But sometimes we have to add manual codes for better results.
    Thank you for this informative post

    Reply
  3. Priyanka Singh

    Hi Debajyoti sir,
    I never read such a detailed article on WordPress security. You have explained the topic in a brilliant way & shares valuable insights on hacking methods and prevention. I already seen some similar articles like security plugins, change login URL, limit login attempts etc. But I never heard about that you can Protect .htaccess. Thanks to your article, I will start doing that now.
    I appreciate your tips and guidance on hardening WordPress security. It will be handy for anyone who is running websites on WordPress.

    Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

learn digital marketing - Seven Boats
Get a call back
Download Brochure
WhatsApp Chat

Alert: Scammers are impersonating & pretending to be Seven Boats Info-System Private Limited. Be Aware. Learn How to Protect Yourself.

Read more →