Top 15 Ways to Harden Your WordPress Blog and Protect it From Hackers


On average 30,000 websites are hacked every day (source: Sophos Security Threat Report). It is estimated that WordPress makes up about 30% of all existing websites today. This popularity makes WordPress a massive target for hackers and malware. Statistics show that more than 70% of WordPress installations are vulnerable to hacker attacks. 83% of the roughly 90,000 websites that get hacked each day are using WordPress.

This is why it is so important to take as many precautions as possible to secure your site. Now, if you have a small blog, you might be thinking “no hacker could possibly be interested in my tiny site”. Unfortunately, that’s the type of mentality that keeps you from taking any action to prevent these attacks from occurring in the first place.

It is important to realize that most attacks are automated. Hackers simply use software to automatically identify websites with vulnerabilities which they can take advantage of, no matter how big or small the websites are. So if you leave the front door to your website wide open, so to speak, they’re likely to just come right in.

Google have stated that they blacklist 10,000 websites that have been infected with malware every day and around 50,000 for phishing every week. If a site is blacklisted by Google, it will be removed from their index. This is what can happen to you if you don’t take proper care of your website.

Whilst you cannot prevent a hacker from attacking your site, there are things you can do to make their job as difficult as possible and to encourage them to go elsewhere. Read on to find out 15 things you can do today to reduce the risk of an attack and keep your website as safe and secure as possible from attackers and other threats that exist on the web.  

1. Change your WordPress admin username.

Changing the default WordPress username is one of the simplest and quickest things you can do to protect your WordPress site. This is because the most common WordPress attack is focused on gaining administrative access to your website by attempting to log in with your admin username. So, if your username is admin, you’ve already given potential hackers half of the information that they need to gain admin access to your website.

When choosing a username, avoid using the following names:

  • Your domain name
  • Your first, middle or last name or full name
  • Any common English names
  • The name you use to moderate comments on the site

If you’ve already set up your blog, you’re going to have to change the username to something that is unique and hard to guess, such as a name with alphanumeric characters.

2. Use a strong password that is virtually impossible to crack.

A unique and complex password that is not easy to guess is vitally important for the security of your WordPress site. You can use the password that your WordPress site generates automatically. That password typically contains a variety of numbers, nonsensical letter combinations and special characters like % or ^. That is a very strong password. But the problem with that password is that it is impossible to remember.

A better option would be to use a passphrase, which would be a lot harder for a hacker to guess. A passphrase can be anything. It can be a phrase from your favourite song or your favourite quotation. It is always going to be longer than a password and contains dashes in between words such as this: “You-cannot-have-a-harvest-without-planting-a-seed.” But the main reason you’ll want to use a passphrase is that it will be a lot easier to remember, and it will be next to impossible to crack with password cracking tools.


3. Hide your username from being found.

An attacker can easily find out your WordPress administrative username by using a tool such as WPScan. They can also find your username by adding ?author=1 to the end of your site’s address in a browser. If the author ID is valid then they will be redirected to the author URL, for example: http:://

It is the same process even when you change the WordPress administrative username. For example, if you changed the username to iron25dude, then by requesting the URL, the user will be redirected to iron25dude.

WordPress usernames can also be found in the source code of blog posts and pages. This is why it is so important to hide the username, and avoid publishing anything using the WordPress administrator account username.

Take the following actions to avoid the display of your administrative username:

  1. Go to your profile page by going to Users -> Profile and make sure the First Name, Last Name and Nickname fields are populated. Note that the nickname field is typically auto-filled with your username. The nickname allows you to set the display name to something other than your username or first and last name.
  2. From the Display name publicly as drop down menu, choose a name that should appear in blog posts, pages etc. You can choose something like Admin to give attackers the impression that you’re using admin as your username.
  3. The quickest way to hide the login page is with the WPS Hide Login plugin. However, note that this also means you’ll be adding yet another plug-in to your WordPress.

4. Disable error login hints.

By default, WordPress displays an error message if you type in the wrong username or password on the login page.

 For example, WordPress displays this error message when you enter the wrong username:

WordPress displays this error message when you enter the wrong password:

This may be helpful for you, but the problem is that it is also helpful for hackers because they now know which part of the equation they have to work on. Furthermore, since WordPress 4.5, you’re able to log in to your WordPress site with your email address instead of a username. All of this can make it easy for hackers to compromise your account. Removing these error messages will make it a lot harder for hackers to know what they’ve guessed right or wrong.

To do so, you need to edit your functions.php file by adding the following code:

// Replace the specific login error messages with one generic message.
function no_wordpress_errors() {
  return 'Something is wrong!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );

This will remove the default error messages from your login screen. Now if you or anyone else enters an incorrect username, password, or email, WordPress will simply show the following error without providing any hints as to what you’ve typed in wrong.

If you don’t feel comfortable editing the functions.php file directly, you can do this using the code snippets plugin.

5. Limit the number of login attempts that a single user can make.

By default, WordPress allows unlimited login attempts. This can lead to passwords being cracked through brute force attacks. Many people use plugins in order to prevent this from happening and to stop users from continually trying to enter a new password. You can use a plugin such as the Limit Login Attempts plugin to limit the number of times a user can enter a password.

However, this is not necessarily the best option because the plugin has not been updated in years. A better option would be the BruteProtect plugin, which is now owned by the creators of WordPress. BruteProtect is now part of Jetpack, which, as you may be aware, comes pre-installed when you install WordPress. All you have to do is go into Jetpack and activate it from your plugins. This plugin will protect your login page when it notices too many login attempts.

If you don’t want to add yet another plugin to your WordPress site, you can secure your login page by pasting the following piece of code to your .htaccess file:

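<Files wp-login.php>
order deny,allow
Deny from all
# Placeholder address: replace it with your own public IP address
Allow from 203.0.113.10
</Files>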

This code will deny anybody from logging in to your site except for the IP address that you have specified in the piece of code. You can also include the IP address of anybody else that you want to allow access to your website.
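
If you want to see whether your login page is being hammered before you decide on a limit, your web server's access log already has the answer. The added example below (not from the original article or from any plugin) counts POST requests to wp-login.php per client. It assumes the Apache/nginx "combined" log format, and the function names and sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: find clients hammering wp-login.php in a web server access log.
# Assumes the "combined" log format; the sample lines below are constructed.

# Print "count ip" for every client with more than $2 POSTs to wp-login.php
# in log file $1, busiest first.
login_flood() {
    awk -v max="$2" '
        # $1 = client IP, $6 = request method (with its leading quote), $7 = path
        $6 == "\"POST" && $7 ~ /\/wp-login\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > max) print hits[ip], ip }
    ' "$1" | sort -rn
}

# Write a small constructed access log to the path given in $1:
# one client posting six times, one normal login, one ordinary page view.
write_sample_log() {
    {
        i=0
        while [ "$i" -lt 6 ]; do
            printf '%s\n' "203.0.113.7 - - [10/Mar/2024:10:00:0$i +0000] \"POST /wp-login.php HTTP/1.1\" 200 4512 \"-\" \"-\""
            i=$((i + 1))
        done
        printf '%s\n' '198.51.100.4 - - [10/Mar/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4300 "-" "Mozilla/5.0"'
        printf '%s\n' '198.51.100.4 - - [10/Mar/2024:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
        printf '%s\n' '192.0.2.55 - - [10/Mar/2024:10:02:00 +0000] "GET /?p=12 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"'
    } > "$1"
}

# Stand-alone run: ./login_flood.sh /path/to/access.log [threshold]
if [ "$#" -gt 0 ]; then
    login_flood "$1" "${2:-5}"
fi
```

Any address this prints that is not your own is a candidate for blocking, and a long list of them is a sign that a login limit or an IP restriction is worth setting up.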

6. Setup two-factor authentication (2FA) on the login page.

You can add an additional layer of security to your WordPress by enabling 2-factor authentication. This means that before anyone can login to your site, they will have to present additional pieces of information to gain access to the WordPress backend. You can configure this with the freemium plugin Google Authenticator – Two Factor Authentication. You don’t have to upgrade to the premium plan because the free plan is probably enough for what you need.

7. Set directory permissions carefully.

If you look through your directories and files in File Manager in your cPanel, you may have noticed a permissions column with various numbers. What you may not realize is that these numbers determine the level of access anyone can have to your website.

In the image below, you can see the permissions on the right, and you’ll be able to click on the permission number, enter the numeric value and click save. But what number should you change it to? Generally speaking, the lower the number that you have for your permissions, the more secure that directory is going to be.

But one number you must absolutely avoid when setting permissions is 777. This number will allow an intruder to gain complete access to your files. They can modify a file, upload malicious code and take over full control of your website. To protect the entire file system, including directories, subdirectories and individual files, set directory permissions to 755 and files to 644. This becomes even more important if you’re using shared hosting.
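
If you have shell (SSH) access to your hosting account, you can check a whole site at once instead of clicking through File Manager. The functions below are an added example, not part of the original article: they list anything looser than the 755/644 targets above and tighten only those entries. The function names and script layout are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example: audit a WordPress directory against the targets above
# (directories 755, files 644, nothing at 777). Pass your install path as $1.

# Directories that group or "other" may write to, i.e. looser than 755.
loose_dirs() {
    find "$1" -type d \( -perm -0020 -o -perm -0002 \) -print
}

# Files with group/other write or any execute bit, i.e. looser than 644.
loose_files() {
    find "$1" -type f \( -perm -0020 -o -perm -0002 \
        -o -perm -0100 -o -perm -0010 -o -perm -0001 \) -print
}

# Tighten only what is too loose: 777 directories become 755 and 777 files
# become 644, while anything already stricter (say a 600 wp-config.php)
# is left untouched. Paths containing newlines are not handled.
tighten_perms() {
    loose_dirs "$1" | while IFS= read -r d; do chmod go-w "$d"; done
    loose_files "$1" | while IFS= read -r f; do chmod a-x,go-w "$f"; done
}

# Stand-alone run: report first, change modes only when asked to.
#   ./wp_perms.sh /path/to/wordpress        (report only)
#   ./wp_perms.sh /path/to/wordpress fix    (report, then tighten)
if [ "$#" -gt 0 ]; then
    loose_dirs "$1"
    loose_files "$1"
    if [ "${2:-}" = "fix" ]; then tighten_perms "$1"; fi
fi
```

Run it in report mode first and read the list: an upload or cache directory that shows up at 777 is usually the one an earlier troubleshooting session left open.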

8. Do some due diligence when choosing your shared hosting provider.  

Hosting can play a big part in just how vulnerable your website is. Shared hosting is the most popular type of hosting plan because of its relatively low cost. However, this type of hosting is also the most vulnerable to issues of security. This is because if you’re on a shared hosting plan, your website can be hosted alongside thousands of websites on a single web server. This means that all of those sites coexist in the same directory, and are accessible with the same FTP account. They also all use the same public IP address. This poses a certain amount of security risks.

For example, if any one of the hosted sites does not adopt proper security measures and gets hacked, then that hacker can use that access to attack other sites on the same server.

You can also opt for a managed WordPress hosting account, so you don’t have to share space with other website owners. If you must go with shared hosting, here are some things to check about security before signing up to a shared host:

  1. Supports the most updated versions of software such as the latest PHP and MySQL versions.
  2. Isolates one website’s environment from another with a Firewall.
  3. Has intrusion detection mechanisms in place for when there are intruders on your account.

9. Update your WordPress to the latest version.

Updating to the latest version of WordPress is vitally important for the security of your site. If you’re not using the latest WordPress version, it means that you’re using software with known security vulnerabilities. Hackers are always on the lookout for loopholes that will provide the opportunity to get into sites. If you have not updated to the latest version of WordPress, you’re effectively increasing the security risk by leaving the door open to attacks.

Hackers can easily look at the WordPress security log to see the loopholes that have been fixed and take advantage of sites that aren’t up to date. They can then do an automated search for websites running these older versions, which will be easy for hackers to find. The good news is that WordPress automatically rolls out updates and informs users by email whenever they do so. 

10. Only login to your site from a safe and trusted computer.

When you think about protecting your WordPress website, you should also consider the computer you’re using to access the site. This is because the device that you use to login to your site can harm your website if it has already been infected. This is something to also consider if you’re working in a public place with an insecure connection such as a Wi-Fi hotspot.

No matter how secure we make our website, if the device that we are using to access the site is infected, then the chances of our website getting hacked are higher. Before you log in to your website, be sure to scan the device you’re using for any viruses or malware by running antivirus software to make sure your computer is safe.

11. Hide your database from hackers.

A WordPress website consists of both files and a database, and all of the data on your website is actually stored in this database. This is why the database is a hacker’s favourite place to attack a website because it allows them to attack multiple WordPress sites simultaneously by running automated codes for SQL injections. The default database table prefix is wp_, so hackers tend to run automated code targeting that database table.

You can easily prevent this by changing the database table prefix when you are installing WordPress, and it doesn’t really matter what you change it to. Just make sure that you pick something unique and that you stay away from the wp_ database prefix. If you’ve already installed WordPress, you may have to get a developer involved because you’ll have to change the prefix in several places.

12. Avoid WordPress plugin vulnerabilities.

Plugins are wonderful because of the functionalities they can add to your site. But the way you manage plugins is crucial to your site’s security. And that is because badly coded, out-of-date plugins or rogue plugins are enough to bring your entire site down.

According to a survey by Wordfence, 55.9% of WordPress websites were breached due to plugin vulnerabilities. This is why it is so important that you pay particular attention to the way you manage plugins on your website.

Here are tips for keeping your site safe through effective plugin management:

  1. Scan for WordPress plugin vulnerabilities. If you’re unsure about any plugin, start by checking WPScan Vulnerability Database, which lists plugins and their known vulnerabilities.
  2. Choose the right plugins. No plugin is 100% secure, but you can significantly reduce plugin vulnerabilities by doing some due diligence before installing them. This means only installing plugins from reputable sources like Code Canyon, the WordPress plugin repository or trusted third-party sites. Here’s what to check to find out if a plugin is worth installing:
       • User reviews
       • Updates and compatibility
       • Active installations
       • Support and documentation
       • Average user ratings

  3. Update plugins regularly.

Out-of-date plugins are one of the most popular methods that hackers use to attack WordPress websites. Most times, plugin developers will release new updates for the plugins and include security updates. It is vitally important to keep updated to the latest plugins.

[Chart of hacked WordPress sites]

According to a Sucuri analysis, three popular out-of-date plugins (Gravity Forms, TimThumb and RevSlider) caused 18% of the hacked WordPress sites they looked at in Q3 2016. So, even if you choose the right plugins for your site, your site will still be at risk if you don’t keep them up-to-date. And the best way to keep your plugins updated is to enable automatic updates, which you can do with Easy Updates Manager. This plugin is free of charge.

  4. Delete unwanted plugins. Go through your list of plugins and delete any that you are not using to avoid leaving yet another loophole for hackers to exploit.

  5. Only install well-maintained plugins. This means you should only use plugins whose last update was no more than a year ago. This is because when a plugin isn’t maintained, it becomes vulnerable to hacking. One great thing about WordPress is that for every plugin out there, there’s always one or two alternatives to choose from. Use as few, well-maintained plugins as possible.

13. Delete any themes you’re not using.

Another way to keep your site safe and secure is to delete any themes you’re not using. Not doing so can leave you wide open to hackers who will always try to inject malicious code into vulnerable themes. So, the fewer you have, the fewer the chances are that they will succeed in doing so. If you ever decide to switch to a new theme, you can install several themes to identify the theme that you like or prefer to use on your site. But once you have confirmed your preferred theme, be sure to go back and delete the other downloaded themes so that no malicious code can be injected into any of them.

14. Keep a record of everything that happens on your WordPress.

It is important to take control of what is happening with your WordPress website. You need to know who’s logged in, where they are logging in from and what they are doing once they are logged in. The WP Activity Log plugin keeps track of everything that happens on the site in the WordPress activity log. Once installed, the plugin keeps track of everything that is done by everyone who has logged into the site.

15. Install a security plugin.

There are several WordPress security plugins available for your website. Here are 4 free and freemium security plugins that you can use to protect your site and keep it safe and secure.


Wordfence

Wordfence is one of the most widely used WordPress security plugins. It includes an endpoint firewall and malware scanner and will scan all your WordPress files including themes, plugins, posts and comments to look for malware infections.


  • Malware scanning
  • Monitors everything that takes place on your site, such as file changes, last logins and failed login attempts
  • Protects against SQL injections, XSS and all known attacks
  • DNS-level firewalls
  • Protects against brute force attacks
  • Improves site performance by blocking malicious traffic
  • There’s a free version and the pro version is $299 per year.

All-In-One WP Security & Firewall

The All In One WordPress Security plugin is comprehensive and 100% free. Unlike most of the other plugins, it doesn’t slow down your site. This powerful plugin covers various aspects of WordPress security, and is well supported and regularly updated. It has a user-friendly interface which makes it a lot easier to setup than most of the other security plugins. Security and firewall rules are categorized into “basic”, “intermediate” and “advanced”. This allows you to implement the firewall rules using a progressive points system.


  • Completely free
  • Scans for malicious patterns
  • Uses IP filtering to blacklist specific IP addresses
  • Allows you to generate strong passwords
  • Login lockdowns after failed login attempts
  • Website-level firewall

BulletProof Security

This plugin provides security for various types of online threats. The free plan offers a diverse range of security features including malware scanner, firewall, login security, DB backup, anti-Spam & much more. You can upgrade to the premium plan if you are interested in advanced security features, but the basic plan is sufficient to secure most small business websites.


  • Completely free
  • Scans for malware
  • User-friendly interface
  • Automatically logs out idle sessions
  • Protects logins
  • Database backups
  • Firewall protection

Cerber Security, Antispam & Malware Scan

Cerber Security, Antispam & Malware Scan is a free-to-use security plugin. This plugin mitigates brute force attacks by limiting the number of login attempts. The plugin defends against hacker attacks, spam, trojans and malware. Additional features are offered on a premium plan.


  • Reduces brute force attacks
  • Limits login attempts
  • Automatically identifies and deletes spam comments
  • Advanced malware scanner
  • Two-factor authentication
  • Hides wp-admin for users that are not logged in
  • Protects wp-login.php, wp-signup.php and wp-register.php from attacks.


So, there you have it. Securing your WordPress site from online threats should be a priority. I hope you now have the info you need to choose the ideal security tool for your needs.
