How to Protect WordPress Website From being Hacked?
Ensuring protection for your WordPress website has become a necessary task. Imagine: you work very hard developing your website with WordPress and spend all your time on it. Then one day you find that everything has disappeared, your website is down, or it is a mess on your server. If you do not have a backup, you lose everything.
You can protect your WordPress website with configuration changes, established practices and plugins. You need to be sure that your WordPress install is shielded against the most common types of security attacks and problems.
Let’s look at some basic safety measures that every webmaster should apply to a WordPress website to avoid intrusions and security attacks.
Always Keep Your WordPress Up to Date
This is the most basic step for securing your WordPress website. Each newly released version of WordPress comes with many security fixes.
Normally an update does not affect your website, but you should always make a backup before updating. Also keep your theme and all your plugins up to date.
Don’t Disclose the Version of Your WordPress
It looks harmless, but the WordPress version number lets attackers target vulnerabilities specific to the version you run. Note that anyone with basic knowledge can find out which platform and version a website is using.
With the code below you can hide your WordPress version:
function remove_wp_version() {
    return ''; // emit an empty generator tag instead of the version string
}
add_filter('the_generator', 'remove_wp_version');
Be aware that the readme.html file also contains the version information of your WordPress install. It is better to remove it completely, or at least remove the version number from the file.
Don’t Use the Default Username “admin”
Most people keep the username “admin” when they do a fresh install of WordPress. This is one of the basic mistakes that makes attacks easier: an attacker needs only a username and a password, and the first username tried is “admin”.
For this reason it is very important to create a unique, hard-to-guess username and a strong password. Internet bots try many usernames and random passwords to gain access. If your username or password is easy to guess, the bots can make changes directly in the database by accessing your MySQL server and alter the login information.
Set the Admin User ID to Something Other Than 1
Whenever you perform a new WordPress installation, the first user you create (usually the administrator) receives ID=1. The ID identifies the user in the database. All attackers, web developers and most web geeks know that the IDs start at 1, so an attacker can use this as a starting point.
Changing the user ID is not complicated, but you need a basic understanding of databases. Otherwise a careless UPDATE query may invalidate your username or even bring your website down: the same ID is also referenced from other tables (for example user_id in wp_usermeta and post_author in wp_posts), and those rows must be updated to the new value as well. The ID to change is in the wp_users table. If you have access to phpMyAdmin on your web server, the task is easy.
Log in to your web hosting control panel, open phpMyAdmin, navigate to your database, select the table “wp_users”, click Edit and set an ID that is not equal to 1, for example 2, 3, 15 or 20.
Use Difficult to Guess Passwords
If you do not want to lose your website, it is necessary to choose strong passwords and keep them safe. WordPress has a built-in password analyzer that shows the strength of the password you enter. A strong password mixes letters, digits and special characters. Forget passwords such as 123456, a1b2c3d4e5, admin@123 or websitename@year.
Limit the Number of Login Attempts
Unauthorized users can attempt to log in to your website with many combinations of usernames and passwords using their own programs, and they are quite likely to succeed.
To prevent this form of attack, you can install the plugin Limit Login Attempts. It limits the number of login attempts a single user can make; once the limit is exceeded, the user is blocked.
Invalid Login Response from WordPress
This may be the main drawback of the current WordPress login system: WordPress tells you which part of your login information was entered incorrectly. For example, if you type the correct username and a wrong password, WordPress reports that the password was incorrect. This makes it easier for attackers to brute-force the login.
This problem can be solved by adding the following code to the functions.php file of your WordPress theme; it replaces every login error with one generic message:
function failed_login() {
    return 'Username or password is incorrect.';
}
add_filter('login_errors', 'failed_login');
Disable the Option “Anyone can Register”
This is the option that allows anyone to register on your website. Most WordPress sites have no use for this functionality, and an email capture form can replace it where sign-ups are needed. By default this option is disabled, but to be sure, go to the Settings tab and check that the “Anyone can register” checkbox is unchecked.
As an extra precaution, also confirm that “New User Default Role” is set to “Subscriber”.
Always Make Backups of Your Database
It is very important to keep a backup of your WordPress files and database. If something goes wrong, you can easily restore your website to its last working state. Make manual backups through your web hosting control panel, or use plugins that do this work for you.
File and Folder Permissions
As a WordPress developer, taking care of file and folder permissions is a prerequisite for securing your server. By default, folders should use the standard 755 and files 644. Review the permissions across your WordPress install and apply that distinction between folders and files.
Settings in .htaccess File
With a few directives you can protect folders, files and even the .htaccess file itself: block any external access to wp-config.php, turn off directory listing, and allow only images and other non-.php files to be served from the wp-content folder. All of this is done through .htaccess.
A second layer of protection can be added for scripts that are not meant to be accessed by any user directly. One way to do that is to block those scripts with mod_rewrite in the .htaccess file. Note: to make sure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags, because WordPress may rewrite anything between those tags.
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress
Note that this won’t work well on Multisite, as RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work, but offers less security.
You can move the wp-config.php file to the directory above your WordPress install. For a site installed in the root of your webspace, this means wp-config.php can live outside the web root.
Note that WordPress looks for wp-config.php exactly ONE directory level above the installation directory (the one containing wp-includes). Also make sure that only you (and the web server) can read this file, which generally means a 400 or 440 permission.
If your server uses .htaccess, you can put this at the very top of the file to deny access to anyone requesting wp-config.php directly:
<files wp-config.php>
order allow,deny
deny from all
</files>
Disable File Editing
By default the WordPress Dashboard lets administrators edit PHP files such as plugin and theme files. This is often the first tool an attacker uses after logging in, because it allows code execution. WordPress has a constant, DISALLOW_FILE_EDIT, to disable editing from the Dashboard. Setting it to true in wp-config.php is equivalent to removing the ‘edit_themes’, ‘edit_plugins’ and ‘edit_files’ capabilities from all users.
This will not prevent an attacker from uploading malicious files to your site, but might stop some attacks.
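As an added example (not part of the original article), the POSIX shell function below audits an install tree against the file-level advice above: the 755/644 permission baseline, the removal of readme.html, the 400/440 permission on wp-config.php, and the DISALLOW_FILE_EDIT constant. It assumes a standard layout with wp-config.php in the install root or one directory above it, and changes nothing on disk.

```shell
#!/bin/sh
# Added example, not from the original article: read-only audit of a WordPress tree
# against the file-level advice above. Prints one line per finding and returns 0,
# so a caller can count findings (no output = nothing to fix). Assumes a standard
# layout: wp-config.php in the install root or one directory above it.
wp_audit() {
    root=$1

    # 755 for folders / 644 for files: anything writable by group or others deviates
    find "$root" \( -perm -020 -o -perm -002 \) -print | while read -r p; do
        echo "WRITABLE: $p is group- or world-writable (expected 755 dirs, 644 files)"
    done

    # readme.html reveals the installed version; the article recommends removing it
    if [ -f "$root/readme.html" ]; then
        echo "VERSION LEAK: $root/readme.html is present"
    fi

    # locate wp-config.php (WordPress also accepts it one level above the install)
    cfg=""
    for c in "$root/wp-config.php" "$root/../wp-config.php"; do
        if [ -f "$c" ]; then cfg=$c; break; fi
    done
    if [ -z "$cfg" ]; then
        echo "CONFIG MISSING: no wp-config.php in $root or its parent"
        return 0
    fi

    # mode string is type + user rwx + group rwx + other rwx; 400 or 440 means
    # no write bit for the group and no access at all for others
    mode=$(ls -ld "$cfg" | cut -c1-10)
    case "$mode" in
        -????-?---) ;;  # e.g. -r-------- (400) or -r--r----- (440)
        *) echo "CONFIG PERMS: $cfg is $mode, expected 400 or 440" ;;
    esac

    # the Dashboard file editor should be switched off with DISALLOW_FILE_EDIT
    if ! grep -Eq "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
        echo "FILE EDIT: DISALLOW_FILE_EDIT is not set to true in $cfg"
    fi
    return 0
}

# stand-alone usage: sh wp_audit.sh /var/www/html (the path is illustrative)
if [ $# -gt 0 ]; then
    wp_audit "$1"
fi
```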
These are some of the actions you must take to prevent security attacks on your WordPress website. Even with minimal knowledge, you can perform these steps.
If you know other relatively simple tactics, you can share your experiences with us.