As an owner of a WordPress site, WordPress Site Security is always first and foremost on your mind. While other CMS platforms may be more vulnerable to cyberattacks, WordPress hacks are more commonly heard of.
Despite a number of guides on optimal security practices, most WordPress sites still have a high number of vulnerabilities that can be easily resolved.
Before stepping into certain tips and tricks you can employ for WordPress site security, always remember to secure a backup of your site.
Even if the changes made are to increase WordPress Site Security, you shouldn’t take unnecessary risks that can permanently disable your site.
WordPress Site Security Measures
If your site is already hacked, follow this WordPress Malware Removal guide Some of these methods can be easy or too difficult to implement, depending on your comfort and expertise. If you’re doubtful about the process behind any step, make sure to ask for help from an expert before moving forward.
1. Maintain strong login credentials
This is one of the most common instructions and yet, the one that’s most neglected. The more enthusiastic you’re about setting a suitably difficult username and password combination, the more likely you’ll forget it.
However, it’s very important that you follow the basic rules behind setting strong passwords and unique usernames. If you’ve to, you can always maintain a secure password manager with all of this information.
This is especially important if you’ve multiple users handling your site. You don’t have to exert manual effort either, just use the automated software that WordPress provides for ensuring strong passwords. You can also check out plugins that set expiry for your passwords, forcing the user to change it after a specific time period.
2. Blocking PHP execution in certain vulnerable folders
Some files and/or folders on your WordPress site use the PHP coding script, like ‘wp-config.php’. Hackers often try to gain access through these files, then create new ones of their own or insert malicious PHP functions into the existing ones. To prevent this, you can remove the option of executing PHP functions from unknown folders.
However, this step requires a certain level of expertise with backend files and database tables, so ensure this before proceeding with the steps below:
- Check cPanel > File Manager – or use an FTP client if this isn’t possible.
- Click on ‘public_html’ which has three folders – ‘wp-admin’, ‘wp-includes’, and ‘wp-content’.
- Look out for the ‘.htaccess’ file (if there isn’t one, you can open a file in Notepad and save it as ‘.htaccess’). Use the code:
<Files *.php>
deny from all
</Files>
If you’re creating a new file, you’ll need to upload it to the ‘wp-includes’ and ‘wp-content/uploads folders.
3. Monitoring login attempts
Maintaining a log of login attempts, and other aspects like file modifications or any additions is a smart move. This will allow you to keep an eye out for all the major activities that happen on the site and knowing which user is responsible. For example, if the login attempts suddenly increase beyond your usual expected traffic, you can suspect a potential brute force or DDoS attack.
There are also features to limit login attempts so as to prevent events like brute force attacks from happening. By default, WordPress allows unlimited login attempts, so you’ll have to either install a plugin that limits them or install a WordPress Site security plugin that comes with this feature. Otherwise, you can insert specific code in the ‘functions.php’ file by adding the action and hook feature, with a callback response.
You can also design your site to log out inactive users which protects it from unauthorized access – this is offered by some plugins. Set up alerts for any suspicious login activity which can be tagged along with the auditing log or offered by your security plugin.
4. Disabling the file editor
Most of the WordPress hacks happen through the editing of core files when hackers place malicious scripts. It ranges from defacement, pop-up ads, questionable external links, to displaying unknown content on your site. For disabling the editor:
- You can access the File Manager > ‘wp-config’ file > ‘Edit’
- Then, you should press on the ‘Disable Encoding Check’ > ‘Edit’.
- You’ll find a line that says ‘That’s all, stop editing. Happy publishing.’ Above this, put in this code:
define( ‘DISALLOW_FILE_EDIT’, true );
- Save all the changes and close the editor. If you follow the steps given above again, you’ll find that the ‘Editor’ option no longer shows.
5. Secure the ‘wp-config.php’ file
This is one of the more important WordPress files, also containing the database access credentials, making it the favourite target of hackers. To improve security, you can change your security keys, disable the file editing option, and remove options for installing plugins.
You can also hide or simply deny access to the ‘wp-config’ file. For the latter, you can type in this code at the beginning of the ‘.htaccess’ file:
<files wp-config.php>
order allow,deny
deny from all
</files>
There are many more steps one can follow to increase the WordPress Site Security. Sometimes, some security measures may not apply to you, or you find out that you’ve been hacked despite all of the precautions.
Check out: Top 9 WordPress Tips That Are Worth Knowing