Is your WordPress website infected with malicious codes?
Or do you want to build a secure website using WordPress?
WordPress is a great choice when it comes to website development. It is one of the most popular CMS available today on this planet. WordPress is loved by many webmasters and web developers, but hackers are also working hard to find their way into even the most well-protected sites.
But the good news is you can secure your WordPress website by implementing a few techniques.
In this blog post, I will share 10 ways to protect your website against hackers and malicious codes.
Let’s start!
#1 Always Update WordPress To Its Latest Version
This sounds like a no-brainer tip but still, most webmasters don’t really pay attention to upgrading their WordPress version. As a result, their websites are prone to malicious code injections and other forms of viruses too.
Why should you care to update your WordPress version?
As we all know, WordPress is free, and a community of developers develops it.
Whenever there is any new release, the WordPress community developers would fix bugs, add new features, improve performance, and upgrade existing features to stay up-to-date with the latest industry standards. If you don’t update your website’s version, you are simply compromising the security of your website.
Tip: You must always back up your website before you proceed to update your WordPress version.
#2 Always Update Plugins & Themes
Again, it seems obvious, but unfortunately, most WordPress websites still have outdated plugins and themes.
In my experience as a web developer and web consultant in Singapore, I have encountered many websites that are still carrying and, even worse, still using plugins that haven’t been updated for many months and years. Most of these websites were infected with malicious codes, and some were suspended because of compromised codes.
The best way to avoid this situation is to check and update your website plugins and themes every two weeks.
Again, I would like to add that you must back up your entire website before you update any plugin or theme because, after the update, it may affect the features and design of your website. If you are unsure how to update and back up, you may consult your web developer, who will charge you a nominal fee to help you.
You may also hire a web developer to maintain your website regularly.
#3 Choose Plugins & Themes Carefully
Installing necessary plugins and themes is a core activity of any WordPress website development but at the same time, it’s critical too. It’s very important to choose each and every plugin that you use for your website development, with utmost care.
Some of the basic tips for choosing any plugin or theme are:
a. Always check the reviews of existing users.
b. Check out the last updated date of a plugin or theme that you intend to use.
You may also like to read my blog posts on choosing WordPress themes and plugins.
#4 Take Care of File Permissions
File permissions are usually represented by a 3-digit number in WordPress, and each digit has a meaning.
The first digit stands for an individual user (the webmaster), the second digit for the group (for example, the site’s members), and the third for anonymous users.
The number itself means that the user, group, or world:
0: Has no access to the file.
1: Can only execute the file.
2: Can edit the file.
3: Can edit and execute the file.
4: Can read the file.
5: Can read and execute the file.
6: Can read and edit the file.
7: Can read, edit, and execute the file.
Let’s take an example.
If a file is given a permissions level of 640, it means the primary user can read and edit the file, the group can read the file but not edit it, and everyone else cannot access it.
When you restrict all the users (other than the webmaster/admin) to edit the file, you take one step ahead to secure your website.
#5 Set Up Website Lockdown
In order to prevent brute force attempts, a lockdown feature for failed login attempts could be very helpful to resolve the problem. By implementing a lockdown feature with your WordPress website, whenever there is a hacking attempt with repetitive wrong passwords, the site gets locked, and you get notified of this unauthorized activity.
How to do this?
Well, there are several plugins available to implement lockdown features, however, I found the “iThemes Security plugin” to be one of the most reliable plugins. This plugin allows you to specify a certain number of failed login attempts after which the plugin bans the attacker’s IP address.
#6 Rename Your Login URL
This is another measure that I found useful in preventing unauthorized login attempts.
By default, the login URL for your WordPress website is wp-login.php or wp-admin, which simply means that hackers or attackers can easily access the login page of your website and can attempt to log in.
To avoid this situation, the best way is to rename the login URL which can be done with the help of any plugin. Again, the “iThemes Security plugin” does a better job for this purpose. By installing this plugin with your website, you can change the login URL from /wp-login/ or /wp-admin/ to /wp_login_12345_new/ which is very hard to guess and crack.
#7 Protect wp-admin Directory
The wp-admin directory is the most important area of any WordPress website. This section allows for the management of the whole website, making it the heart of any WordPress website. Therefore, if this part of your site is breached, the entire site can be damaged.
One possible way to prevent this is to protect the wp-admin directory with a password. To do this, the website owner must submit two passwords to access the dashboard. The first authentication protects the login page, and the second protects the WordPress admin area.
How to do this?
You can use the AskApache Password Protect plugin to secure the admin area. It automatically generates a .htpasswd file, encrypts the password, and configures the correct security-enhanced file permissions.
#8 Change Admin Username
During WordPress installation, you should never choose “admin” as the username for your main administrator account. The reason is pretty simple. It’s very easy to guess, and using such a username is easily approachable for hackers.
All they need to know is the password, and your entire site gets into the wrong hands.
So, by taking the first step to change the admin username to something that is hard to guess, you take the next step toward your website security.
#9 Change WordPress Database Prefix
This is perhaps another important step in securing a WordPress website.
By default, the database prefix for a WordPress website is “wp_,” which is, again, easy to guess and prone to SQL injection attacks. Such attacks can be prevented by changing wp- to some other term, e.g., you can make it wbwp_, wpmy_, etc.
Ideally, you must define a custom prefix during the installation process of your WordPress website; however, if you have already installed your website with the default prefix, you can still change the prefix with the help of some great plugins like “WP-DBManager” or “iThemes Security plugin.”
Note: Before changing the database prefix, you should always back up your website.
#10 Disallow File Editing
If an authorized user has admin access to your WordPress dashboard, they can edit any files that are part of your WordPress installation. Therefore, you must disallow file editing from the WordPress dashboard. Even if the hacker is able to enter the admin area of your website, they won’t be able to modify any of the files.
How to do this?
It’s very simple. Just add the following to the wp-config.php file (at the very end):
define(‘DISALLOW_FILE_EDIT’, true);
If you are not sure about how to do this, you may consider hiring a web developer to do this job for you.