Is your WordPress website infected with malicious codes?
Or do you want to build a secure website using WordPress?
WordPress is definitely a great choice when it comes to website development. It is one of the most popular CMS available today on this planet. WordPress is loved by many webmasters and web developers but at the same time, hackers are also working hard trying to find their way into even the most well-protected sites.
But the good news is that you can definitely secure your WordPress website by simply implementing a few techniques.
In this blog post, I will be sharing 10 ways to protect your website against hackers and malicious codes.
#1 Always Update WordPress To Its Latest Version
This sounds like a no-brainer tip but still, most webmasters don’t really pay attention to upgrading their WordPress version. As a result, their websites are prone to malicious code injections and other forms of viruses too.
Why you should care to update your WordPress version?
As we all know that WordPress is free, and it is developed by a community of developers.
Whenever there is any new release, the WordPress community developers would fix bugs, add new features, improve performance, and upgrade existing features to stay up-to-date with the latest industry standards. If you don’t update your website’s version, you are simply compromising the security of your website.
Tip: You must always back up your website before you proceed to update your WordPress version.
#2 Always Update Plugins & Themes
Again, it seems quite obvious but unfortunately, most WordPress websites still have outdated plugins and themes.
In my own experience as a web developer and web consultant in Singapore, I have come across many websites that are still carrying and even worst, still using plugins that haven’t been updated for many months and years. Needless to mention, most of these websites were infected with malicious codes and some of them were even suspended because of their compromised codes.
The best way to avoid this situation is to check & update your website plugins and themes every 2 weeks.
Again I would like to add here that you must back up your full website before you update any plugin or theme because, after the update, it may affect the features and design of your website. If you are unsure about how to update and backup, you may consult your web developer who will charge a nominal fee to help you.
You may also hire a web developer to maintain your website on regular basis.
#3 Choose Plugins & Themes Carefully
Installing necessary plugins and themes is a core activity of any WordPress website development but at the same time, it’s critical too. It’s very important to choose each and every plugin that you use for your website development, with utmost care.
Some of the basic tips to choose any plugin or theme are:
a. Always check the reviews of existing users.
b. Check out the last updated date of a plugin or theme that you intend to use.
You may also like to read my blog posts on choosing WordPress themes and plugins.
#4 Take Care of File Permissions
File permissions are usually represented by a 3-digit number in WordPress, and each digit has a meaning.
The first digit stands for an individual user (the webmaster), the second digit for the group (for example, the site’s members), and the third for anonymous users.
The number itself means that the user, group, or world:
0: Has no access to the file.
1: Can only execute the file.
2: Can edit the file.
3: Can edit and execute the file.
4: Can read the file.
5: Can read and execute the file.
6: Can read and edit the file.
7: Can read, edit, and execute the file.
Let’s take an example.
If a file is given a permissions level of 640, it means the primary user can read and edit the file, the group can read the file but not edit it, and everyone else cannot access it.
When you restrict all the users (other than the webmaster/admin) to edit the file, you take one step ahead to secure your website.
#5 Set Up Website Lockdown
In order to prevent brute force attempts, a lockdown feature for failed login attempts could be very helpful to resolve the problem. By implementing a lockdown feature with your WordPress website, whenever there is a hacking attempt with repetitive wrong passwords, the site gets locked, and you get notified of this unauthorized activity.
How to do this?
Well, there are several plugins available to implement lockdown features, however, I found the “iThemes Security plugin” to be one of the most reliable plugins. This plugin allows you to specify a certain number of failed login attempts after which the plugin bans the attacker’s IP address.
#6 Rename Your Login URL
This is another measure that I found useful in preventing unauthorized login attempts.
By default, the login URL for your WordPress website is wp-login.php or wp-admin which simply means that hackers or attackers can easily access the login page of your website and can attempt to log in.
To avoid this situation, the best way is to rename the login URL which can be done with the help of any plugin. Again, the “iThemes Security plugin” does a better job for this purpose. By installing this plugin with your website, you can change the login URL from /wp-login/ or /wp-admin/ to /wp_login_12345_new/ which is very hard to guess and crack.
#7 Protect wp-admin Directory
The wp-admin directory is the most important area of any WordPress website. The whole website can be managed from this section. We can also say that wp-admin is the heart of any WordPress website. Therefore, if this part of your site gets breached then the entire site can get damaged.
One possible way to prevent this is to protect the wp-admin directory with a password. By doing this, the website owner will be required to submit two passwords in order to access the dashboard. The first authentication protects the login page, and the second one will protect the WordPress admin area.
How to do this?
You can use the AskApache Password Protect plugin for securing the admin area. It automatically generates a .htpasswd file, encrypts the password, and configures the correct security-enhanced file permissions.
#8 Change Admin Username
During WordPress installation, you should never choose “admin” as the username for your main administrator account. The reason is pretty simple. It’s very easy to guess and using such a username is easily approachable for hackers.
All they need to know is the password, and your entire site gets into the wrong hands.
So by taking the first step to change the admin username to something which is hard to guess, you take the next step toward your website security.
#9 Change WordPress Database Prefix
This is perhaps another important step to perform for securing a WordPress website.
By default, the database prefix for a WordPress website is “wp_” which is again easy to guess and prone to SQL injection attacks. Such attacks can be prevented by changing wp- to some other term, e.g. you can make it wbwp_, wpmy_, etc.
Ideally, you must define a custom prefix during the installation process of your WordPress website however if you have already installed your website with the default prefix, you can still change the prefix with the help of some great plugins like “WP-DBManager” or “iThemes Security plugin“
Note: Before changing the database prefix, it is always recommended to back up your website.
#10 Disallow File Editing
If an authorized user has admin access to your WordPress dashboard, they can edit any files that are part of your WordPress installation. Therefore you must disallow file editing from the WordPress dashboard. Even if the hacker is able to enter the admin area of your website, they won’t be able to modify any of the files.
How to do this?
It’s very simple. Just add the following to the wp-config.php file (at the very end):
If you are not sure about how to do this, you may consider hiring a web developer to do this job for you.