Wordpress is the most popular blogging platform and it represents about 34% of all websites hosted worldwide. With gained popularity, hackers target Wordpress websites to infect with malware and viruses. As your site grows in traffic, hackers find your website through search engines and infect with malicious codes or redirect users to another website. There are known vulnerabilities in every open-source platform including Wordpress, and it is important to update your site with the latest patches and protect your website from hackers by securing your site. In this article, we'll discuss simple steps to secure Wordpress website.
Defend your site from DDoS attacks
Hackers use your Wordpress website to attack other websites by using default "pingback" and "XML-RPC" features. The default Wordpress installation enables those features, and hackers use these features to attack your website. To protect from DDoS attacks, please follow Defend your site from DDoS attacks article.
Post installation security
The default Wordpress installation may open doors for hackers to attack your website. By following the post-installation procedure below, you can protect your website further.
- Disable directory listing with .htaccess - As with any website configuration, it is a good idea to disable directory listing on a website. This can be achieved by adding "Options All -Indexes" to the .htaccess file.
- Set directory and file permission - Removing write permission from web user (i.e. apache, wwwroot, or nobody) will help protect your website. Setting the directory permission to 755 and file permission to 644 will protect your Wordpress website. However, "upgrade", "uploads" and other plugin folders may need "write" permission to work correctly.
- Move wp-config.php outside of webroot - The wp-config.php file contains crucial information about your Wordpress installation, and it is located in root folder. Moving this file one level above the webroot will secure your site, and Wordpress will automatically find the file.
- Install security plugin(s) to limit number of login attempts - There are a number of security plugins available for Wordpress, and they can protect your website from various attacks. A few security plugins include iThemes Security, BulletProof Security, Wordfence, and Sucuri Security.
- Secure user login - (1) Rename login URL (i.e. wp-login.php, and /wp-admin/), (2) protect /wp-admin/ (or modified directory if changed), (2) Change the default "admin" username - By default, Wordpress uses "admin" as the admin username and this can be easily guessed by a hacker. Using something other than "admin" will make it harder for hackers to initiate brute-force attack, (3) Enforce email login instead of username via a security plugin.
- Use two-factor authentication - Using a two-factor authentication (2FA) on the login page is a good security measure.
- Backup regularly - Whether you use Wordpress backup plugin or cPanel backup utility, it is important that you make a backup of the website on a regular basis.
- Install Antispam Plugin - This isn't really about securing website, but helps you with managing spam comments into the Wordpress. Popular anti-spam plugins include Akismet, Anti-SpamBot and Antispam Bee to name a few.
- Install SSL certificate and serve via https only - SSL encrypts data and also helps with SEO. By installing SSL certificate, your website contents are encrypted when transmitted.
Update your Wordpress regularly
Every open-source software including Wordpress is being developed by a community of developers, and release patches and updates every so often to fix bugs and security issues. Running your website on an outdated Wordpress may pose a risk as hackers know about vulnerabilities existing on older versions of Wordpress and use it to inject malicious code into your website. By updating your Wordpress installation regularly, you're always up-to-date on security patches and bug fixes and making your website secure from hackers.
Wordpress provides a visual indication of available updates next to each element (i.e. Wordpress core, theme in use, and plugins) by number in a red circle. Wordpress also provides an update link on each of the outdated elements and allow an admin to update the core, theme or plugin by simply clicking on the "update now" link.
Many Wordpress webmasters are complaining about insecure nature of Wordpress websites. If you set up your Wordpress website, keep it in default settings and run it for a few years without any patches or update; and you'll soon become a victim of a hacker attack. It is easy for hackers to inject malicious code to redirect "only" search traffic to another website or inject malware to attack other websites or users. The onus is on you as the Wordpress owner to implement security updates to protect your site.
Leave a comment
All comments are moderated. Spammy and bot submitted comments are deleted. Please submit the comments that are helpful to others, and we'll approve your comments. A comment that includes outbound link will only be approved if the content is relevant to the topic, and has some value to our readers.