Protecting WordPress from Attacks - 8 Ways
Whether it's a business website or a simple blog, proper WordPress security is a must these days. No site is 100% secure, so we need to take certain measures to protect against attacks from the Internet. Nowadays, most websites are built on the popular content management system WordPress. Despite the fact that WordPress tries to constantly patch holes in its security, many sites still fall victim to hacking.
Why should you care about protecting WordPress from attacks?
More than 25% of all sites indexed by popular search engines are based on WordPress.
Such interest in this system gives rise to a problem - the threat of hacker attacks.
If something is as popular as WordPress, there will always be those willing to exploit its weaknesses.
If the site becomes the victim of such an attack, not only the site itself but also your reputation among customers may suffer.
Therefore, it is extremely important that WordPress security is at the highest level in order to reduce the possibility of hacker attacks.
1. Be selective when choosing and installing plugins
This is the most important item on this list, since almost 95% of website attacks are associated with poorly chosen plugins that are outdated and no longer maintained.
Why?
The WordPress repository is huge and contains hundreds of thousands of more or less advanced plugins.
However, not all of them deserve our attention due to the lack of any security features and outdated code.
If you install every plugin you see, there is a good chance that in the near future your website search results will look like this:
Which plugins are safe and which are not?
Before installing a plugin:
- Check out its reviews.
- Look at user ratings.
- Check out the comments and help section.
- Check when it was added and when it was last updated.
This is good practice for WordPress themes as well as plugins, and it is worth following every time.
Before installing new plugins, it's a good idea to make a backup of your site so that you have a spare copy in case of a crash or other problems.
Remember that your host also makes backups and usually keeps them for a week, so you always have the option to restore your site.
2. Choose a strong password
Create a strong password for your admin panel and change it regularly.
Worth using:
- uppercase and lowercase letters
- numbers and special characters
If you find it hard to come up with such a password, the Secure Password Generator website will help you choose and remember a new strong password.
3. Change your admin login
Never use 'admin' or 'administrator' for your WordPress site.
Why?
Because you are doing attackers a favour: they will try the usernames 'admin' or 'administrator' first, and then only have to guess the password.
As an administrator of many WordPress sites, I look through the logs every day and I always see that someone tried to log into the site using the 'admin' login to get into the cockpit.
Which login should I choose?
Here are some tips:
- Don't use your email.
- Do not use your username.
- Do not use a phrase that appears on the site.
- Do not use the same name that is displayed when you reply to comments.
All other names are allowed and safe enough.
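As an added example that is not part of the original article, the following must-use plugin turns the two points above into code: it refuses the 'admin' and 'administrator' usernames at login even if such an account exists, and it writes one line per failed attempt to the PHP error log so that the repeated 'admin' attempts described above can be spotted without reading the raw web server logs. The file location and the log line format are assumptions; the `authenticate` and `wp_login_failed` hooks are WordPress's own.

```php
<?php
/**
 * Added example, not part of the original article: a must-use plugin that
 * refuses the default usernames at login and records failed attempts.
 * Assumed location: wp-content/mu-plugins/block-default-logins.php
 */

// Login names that are never accepted, whatever password is supplied.
const BLOCKED_LOGIN_NAMES = ['admin', 'administrator'];

/**
 * Reject 'admin'/'administrator' after the core handlers have run.
 * Priority 30 places this callback behind wp_authenticate_username_password
 * (priority 20), so the WP_Error replaces any user object core produced
 * and the login fails even when the password was correct.
 */
function block_default_login_names($user, $username, $password) {
    $name = strtolower(trim((string) $username));
    if (in_array($name, BLOCKED_LOGIN_NAMES, true)) {
        return new WP_Error(
            'blocked_username',
            __('This username cannot be used to log in.')
        );
    }
    return $user;
}
add_filter('authenticate', 'block_default_login_names', 30, 3);

/**
 * Write one line per failed login to the PHP error log. The second
 * parameter (the WP_Error) is passed by WordPress 5.4 and later.
 */
function log_failed_login($username, $error = null) {
    $ip   = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $code = ($error instanceof WP_Error) ? $error->get_error_code() : 'unknown';
    error_log(sprintf(
        'wp-login failed: user="%s" ip=%s reason=%s',
        sanitize_user((string) $username, true), // strict mode strips odd characters
        $ip,
        $code
    ));
}
add_action('wp_login_failed', 'log_failed_login', 10, 2);
```

Files in `wp-content/mu-plugins` are loaded automatically and cannot be deactivated from the admin panel, which is why a hardening rule like this belongs there rather than in a theme's functions.php. The log lines end up wherever PHP's `error_log` directive points (often the web server's error log), so a simple `grep 'wp-login failed'` shows who is trying which usernames.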
4. Change or password protect the wp-admin address
The wp-admin directory is the backbone of the entire WordPress site.
If this part of the site is somehow compromised, the entire site may stop working.
One way to avoid this is to change or password protect the wp-admin address.
This way, an extra password is required before wp-admin is even reached, so the WordPress login is protected twice.
If you decide to change the wp-admin address to something else, remember that the new address must not contain the phrase 'admin' or any derivative of it.
5. Blocking file editing from the admin panel
If someone manages to access your admin panel, they can easily start modifying and editing your theme files, allowing them to do almost anything.
We can easily counter this by adding a directive to wp-config.php:
define('DISALLOW_FILE_EDIT', true); // removes the theme and plugin file editors from the admin panel
At what moment?
Just before the comment:
/* That's it, stop editing! Happy blogging. */
This makes it impossible to edit files from the admin panel. The only way to edit them is now to log in via FTP.
6. Remove WordPress version information
Your current WordPress version is very easy to read from the page source in the browser.
Why hide WordPress version?
Here's the thing: if an attacker knows which version of WordPress you are using, it is easier for them to pick an attack that fits the known weaknesses of that version.
How do you hide it?
There are two ways. The first is to edit your theme's functions.php file and add the following code:
// Return an empty string instead of the "WordPress x.y" generator tag
function remove_wp_version() {
    return '';
}
add_filter('the_generator', 'remove_wp_version');
The second way is to use the WP Hide & Security Enhancer plugin.
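The functions.php snippet above only covers the generator tag. As an added example that is not part of the original article, the must-use plugin below goes one step further and also strips the core version from the `?ver=` parameter that WordPress appends to every enqueued script and stylesheet URL. The file location is an assumption; `the_generator`, `script_loader_src`, `style_loader_src`, `wp_parse_url` and `remove_query_arg` are WordPress's own filters and functions.

```php
<?php
/**
 * Added example, not part of the original article: removes the WordPress
 * version from the generator tag and from enqueued asset URLs.
 * Assumed location: wp-content/mu-plugins/hide-wp-version.php
 */

// 1. The <meta name="generator"> tag in the HTML head and the <generator>
//    element in RSS/Atom feeds both pass through the_generator.
add_filter('the_generator', '__return_empty_string');

/**
 * 2. Enqueued scripts and styles get ?ver=<core version> unless the plugin
 *    or theme registered its own version. Strip the parameter only when it
 *    equals the core version, so plugin cache-busting keeps working.
 */
function strip_core_version_from_asset($src) {
    if (!is_string($src) || strpos($src, 'ver=') === false) {
        return $src; // nothing to do for most URLs
    }
    $query = wp_parse_url($src, PHP_URL_QUERY);
    if (empty($query)) {
        return $src;
    }
    parse_str($query, $params);
    if (isset($params['ver']) && $params['ver'] === get_bloginfo('version')) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'strip_core_version_from_asset', 15);
add_filter('style_loader_src', 'strip_core_version_from_asset', 15);
```

Hiding the version only removes an easy hint; it does not fix anything in the version you are running, so it belongs together with the updating advice in point 8 rather than instead of it.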
7. Change the WordPress Database Prefix
If you've ever set up a website using WordPress, you've probably noticed that every table in the database is prefixed with "wp_".
Using the default prefix makes your database more vulnerable to SQL injection attacks, because an attacker can assume the standard table names.
You can easily prevent this by changing the table prefix to characters other than "wp_". These can be, for example, "wit_", "str_" or completely random characters.
If your site is already up and running for a while, then you can use a special plugin called WP-DBManager to change the table prefix of an existing database.
Before this operation, we advise you to back up the database.
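If you would rather see what a prefix change actually does than hand it to a plugin, the added example below (not part of the original article or of WP-DBManager) builds the SQL statements for an existing single-site installation. The table list is WordPress's standard set; the prefixes `wp_` and `str_` are sample values taken from the text, and the four user meta keys listed are the core ones that embed the prefix. Renaming the tables alone is the step most guides stop at; the UPDATEs on `options` and `usermeta` are what keep roles and capabilities working afterwards.

```php
<?php
/**
 * Added example, not part of the original article: generate the SQL for
 * moving a WordPress database from one table prefix to another.
 */

// Core single-site tables, without prefix.
const WP_CORE_TABLES = [
    'commentmeta', 'comments', 'links', 'options', 'postmeta', 'posts',
    'termmeta', 'terms', 'term_relationships', 'term_taxonomy',
    'usermeta', 'users',
];

// Core user meta keys whose name starts with the table prefix.
const PREFIXED_META_KEYS = [
    'capabilities', 'user_level', 'user-settings', 'user-settings-time',
];

/**
 * Return the SQL statements, in order, for the prefix change.
 * $extra_tables lists plugin tables that also carry the prefix.
 */
function build_prefix_change_sql(string $old, string $new, array $extra_tables = []): array {
    foreach ([$old, $new] as $prefix) {
        if (!preg_match('/^[A-Za-z0-9_]+$/', $prefix)) {
            throw new InvalidArgumentException('prefix may only contain letters, digits and underscores');
        }
    }
    $sql = [];
    foreach (array_merge(WP_CORE_TABLES, $extra_tables) as $table) {
        $sql[] = sprintf('RENAME TABLE `%s%s` TO `%s%s`;', $old, $table, $new, $table);
    }
    // The serialized role definitions live under an option named after the prefix.
    $sql[] = sprintf(
        "UPDATE `%soptions` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';",
        $new, $new, $old
    );
    // Per-user capabilities and settings are keyed by prefix as well.
    foreach (PREFIXED_META_KEYS as $key) {
        $sql[] = sprintf(
            "UPDATE `%susermeta` SET meta_key = '%s%s' WHERE meta_key = '%s%s';",
            $new, $new, $key, $old, $key
        );
    }
    // Review query: any remaining keys that still start with the old prefix
    // (plugins add their own) must be renamed by hand.
    $sql[] = sprintf(
        "SELECT meta_key FROM `%susermeta` WHERE meta_key LIKE '%s%%';",
        $new, str_replace('_', '\\_', $old)
    );
    return $sql;
}

// Constructed sample run: print the statements for review before running them
// against the database, then set $table_prefix = 'str_'; in wp-config.php.
foreach (build_prefix_change_sql('wp_', 'str_') as $statement) {
    echo $statement, PHP_EOL;
}
```

Run the output inside a transaction or on a fresh copy of the database first, and change `$table_prefix` in wp-config.php only after the statements have succeeded; with the tables renamed but the old prefix still configured, WordPress will behave as if the site had never been installed.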
8. Update plugins and WordPress itself
You should know that everyone has access to the WordPress code because it is open source. Even though WordPress is fairly well protected, it's still not a perfect system.
As you may have noticed, various WordPress updates come out very often. Most of them are security patches to keep WordPress protected from attacks.
Outdated versions of WordPress and lack of plugin updates can cause serious problems for the site.
Many people simply forget about this, or don't have the time or technical knowledge to keep plugins and WordPress on the latest versions, so their sites get infected or attacked.
Be sure to keep WordPress, plugins and your theme up to date.
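For sites where nobody checks the dashboard regularly, WordPress's own automatic update mechanism can take over the chore. The following must-use plugin is an added example, not part of the original article: it enables automatic updates for core, plugins and themes through the `auto_update_*` filters, keeps a short list of plugins back for manual testing, and asks for the summary e-mail. The file location and the `example-plugin` slug are assumptions.

```php
<?php
/**
 * Added example, not part of the original article: switch on automatic
 * updates for core, plugins and themes from a must-use plugin.
 * Assumed location: wp-content/mu-plugins/auto-updates.php
 */

// Core: minor and security releases are on by default; allow major releases too.
add_filter('auto_update_core', '__return_true');
add_filter('allow_major_auto_core_updates', '__return_true');

// Plugins and themes: update everything automatically ...
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');

/**
 * ... except plugins that must be tested on staging first. WordPress passes
 * ($update, $item), where $item->slug is the plugin directory name.
 */
function hold_back_selected_plugins($update, $item) {
    $manual_only = ['example-plugin']; // constructed placeholder list
    if (isset($item->slug) && in_array($item->slug, $manual_only, true)) {
        return false;
    }
    return $update;
}
add_filter('auto_update_plugin', 'hold_back_selected_plugins', 20, 2);

// Send the result of each automatic plugin/theme update run to the admin e-mail.
add_filter('auto_plugin_update_send_email', '__return_true');
add_filter('auto_theme_update_send_email', '__return_true');
```

Automatic updates run from WP-Cron, so they only happen on sites that receive visits or have a real cron job calling wp-cron.php; the summary e-mail is the quickest way to notice when an update failed or a plugin was held back.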
Protecting WordPress from attacks - summary
Protecting WordPress from attacks is something that needs to be taken very seriously. If you don't take the right security measures, then the risk of being hacked is very high.
This may cause your site to become unsafe for users and Google to block it with a corresponding message. In the worst case, you will lose all your data and reputation among your customers.
We hope this article helped you learn some best practices to protect WordPress from hacker attacks. Unfortunately, you should know that WordPress has its weaknesses, like many other CMS systems, and in fact, we are not 100% sure that even the security measures mentioned in our post will allow you to sleep peacefully.
There are a huge number of statements on the Internet about why WordPress is secure and why not. In fact, WordPress small business websites are quite safe as long as they adhere to basic security rules. The concern is large and popular sites that have decided to move to WordPress and do not have the technical base of experienced webmasters.
It's worth reading the comments under the article from Spider's Web and drawing your own conclusions. Aside from the obvious "horror" about the factuality of this post, there is some interesting material here from people with extensive knowledge in the field.
If you have any questions feel free to ask them in the comments. We will respond to everyone to the best of our ability.