WordPress is one of the most popular content management systems (CMS) in the world. More than 18.9% of all Internet sites use it, and the number of installations has exceeded 76.5 million. Unfortunately, such popularity has its disadvantages. According to a report by Sucuri (a website security and protection company), WordPress is the most hackable CMS worldwide. However, if you follow the best practices in this area and implement a few techniques from this guide, you will find that WordPress protection can be strengthened considerably through a few simple steps.
What you will need
Before we begin, check for the following:
- WordPress control panel access;
- Your hosting account access (optional).
Step 1. Maintaining the current version of WordPress;
Step 2. Using non-standard login credentials;
Step 3. Enabling two-step authentication;
Step 4. Disabling PHP error reports;
Step 5. Do not use nulled templates for WordPress;
Step 6. Scanning WordPress for malware;
Step 7. Transferring your website to a more secure hosting;
Step 8. Backing up your data as often as possible;
Step 9. Disabling editing files option;
Step 10. Deleting unused templates and plug-ins;
Step 11. Using .htaccess to improve WordPress security;
Step 12. Changing the standard WordPress database prefixes to prevent SQL injection;
Conclusion
Step 1. Maintaining the current version of WordPress
This is the first and most important step to improve WordPress security. If you want a clean website without malware, make sure that your WordPress version is up to date. This advice may look simple, but only 22% of all WordPress installations are running the latest version.
WordPress introduced automatic updates in version 3.7, but they only cover minor security releases; major releases must still be installed manually.
In case you don’t know how to update WordPress, check this out.
Step 2. Using non-standard login credentials
Do you use “admin” as the administrator name in WordPress? If the answer is “yes,” then you seriously reduce WordPress security and make it easier to hack into your control panel. It is highly recommended that you change the administrator’s username to something else (see this tutorial if you’re not sure how to do this) or create a new administrator account with different data.
Follow these steps if you prefer the second option:
- Log in to the WordPress control panel;
- Find the “Users” section and click the “Add New” button;
- Create a new user and assign administrator rights;
- Log in to WordPress with your new data;
- Return to the Users section and delete the default Admin account.
A good password plays a key role in WordPress security. It’s much harder to crack a password consisting of numbers, upper and lower case letters, and special symbols. Tools like LastPass and 1Password can help you create and manage complex passwords. In addition, if you ever need to log into your WordPress control panel when connecting to an insecure network (e.g. coffee shops, public libraries, etc.), don’t forget to use a secure VPN that protects your login information.
Step 3. Enabling two-step authentication
Two-step authentication adds an additional layer of security to your login page. Once your login credentials are confirmed, it adds another step that you need to complete in order to authenticate successfully. You are most likely already using it to access your email, online bank, and other accounts that contain confidential information. Why not use it in WordPress as well?
Although this may seem complicated, enabling two-step authentication in WordPress is very easy. All you need to do is install an app for two-step authentication and configure it for your WordPress. You can find more detailed information on how to enable two-step authentication on WordPress here.
Step 4. Disabling PHP error reports
PHP error reports can be quite useful while you are developing a website and want to make sure that everything is working properly. However, showing those errors to every visitor is a serious security weakness: error messages can reveal file paths, plugin names and other details about your installation.
You should fix this as soon as possible. Don't worry, you don't have to be a programmer to disable PHP error reports on WordPress. Most hosting providers offer this option in their control panel. If not, you can turn error display off with a couple of lines in your wp-config.php file, which you can edit with an FTP client or your host's File Manager.
Step 5. Do not use nulled templates for WordPress
Remember, “the only free cheese is in the mousetrap.” The same applies to nulled templates and plugins.
There are thousands of nulled plugins and templates all over the Internet. Users download them for free from file-sharing sites or torrents, not knowing that most of them are infected with malware or carry hidden black-hat SEO links.
Stop using nulled plugins and templates. Not only is this unethical, it also harms your WordPress security. Eventually, you will pay more to a developer to clean your website.
Step 6. Scanning WordPress for malware
Hackers often use holes in templates or plugins to infect WordPress, so it is important to check your site regularly. There are many well-written plugins for this purpose, and WordFence stands out from the crowd. It offers a setup guide, automatic scans, and a bunch of other settings, and you can even restore modified or infected files in a few clicks. It is available free of charge. These facts should be enough for you to install it right now.
Other popular plugins to enhance WordPress security:
- BulletProof Security. Unlike WordFence, which we discussed earlier, BulletProof does not scan your files but provides a firewall, database protection, and more. A distinctive feature is that it can be configured and installed in a few clicks.
- Sucuri Security. This plugin protects you from DDoS attacks, maintains a blacklist, scans your website for malware, and manages your firewall. If it finds anything, you will be notified by email. It also checks your site against the Google, Norton, and McAfee blacklists.
Step 7. Transferring your website to a more secure hosting
This advice may seem odd, but statistics show that more than 40% of WordPress websites were hacked because of security holes in their hosting accounts. These statistics should encourage you to move WordPress to more secure hosting. A few key facts to keep in mind when choosing a new hosting:
- If it is shared hosting, make sure that your account is isolated from other users and there is no risk of infection from other websites on the server.
- Hosting has an automatic backup feature;
- The server has a third-party firewall and a scanning tool.
Step 8. Back up your data as often as possible
Even the biggest websites are hacked every day, despite the fact that their owners spend thousands to improve the security of WordPress.
Even if you follow best practices in this area and have applied the tips in this article, you still need to make regular backups of your website.
There are several ways to create a backup, e.g. you can manually download site files and export the database, or use the tools offered by your hosting company. Another way is to use WordPress plugins. The most popular of them are:
You can even automate the process of creating and storing WordPress backups in Dropbox.
Step 9. Disabling editing files option
As you probably know, WordPress has a built-in editor that lets you edit theme and plugin PHP files from the control panel. This feature is as dangerous as it is useful: if hackers gain access to your control panel, the file editor is the first thing they will reach for, because it lets them write PHP straight to your server. Some WordPress users prefer to disable this feature completely. It can be disabled by adding the following line to the wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
That’s all you need to disable this feature in WordPress.
IMPORTANT. In case you want to enable this feature again, use the FTP client or File Manager for your hosting and remove this code from the wp-config.php file.
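The two wp-config.php settings from Step 4 (error display) and Step 9 (the file editor) are easy to get wrong, for example by leaving the define commented out. The following Python script is added here as an illustration and is not code from the original guide; it audits a wp-config.php file for both settings. It uses two constructed config fragments (a weak one and a hardened one) rather than a real site's file. WP_DEBUG, WP_DEBUG_DISPLAY, WP_DEBUG_LOG and DISALLOW_FILE_EDIT are real WordPress constants; the finding codes are the script's own.

```python
import re

# Constructed wp-config.php fragments for demonstration only; they are not from any real site.
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'WP_DEBUG', true );
// define( 'DISALLOW_FILE_EDIT', true );   <- commented out, so it has no effect
$table_prefix = 'wp_';
"""

HARDENED_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true );
@ini_set( 'display_errors', 0 );
define( 'DISALLOW_FILE_EDIT', true );
$table_prefix = 'wp_1secure1_';
"""

# Simple define('NAME', value); calls: booleans, quoted strings or integers.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(true|false|'[^']*'|"[^"]*"|\d+)\s*\)""", re.I
)
# ini_set('display_errors', 0/'0'/false/'off') forces error display off regardless of php.ini.
DISPLAY_OFF_RE = re.compile(
    r"""ini_set\(\s*['"]display_errors['"]\s*,\s*(?:0|'0'|"0"|false|'off'|"off")\s*\)""", re.I
)


def strip_comment_lines(text):
    """Drop whole-line PHP comments so commented-out defines are not counted as active."""
    return "\n".join(
        line for line in text.splitlines()
        if not line.strip().startswith(("//", "#", "/*", "*"))
    )


def parse_defines(text):
    """Return {CONSTANT: value}; true/false become Python bools, strings lose their quotes."""
    found = {}
    for name, raw in DEFINE_RE.findall(strip_comment_lines(text)):
        low = raw.lower()
        if low == "true":
            found[name.upper()] = True
        elif low == "false":
            found[name.upper()] = False
        else:
            found[name.upper()] = raw.strip("'\"")
    return found


def audit_wp_config(text):
    """Return (code, message) findings; an empty list means every check passes."""
    defines = parse_defines(text)
    active = strip_comment_lines(text)
    findings = []
    # Step 4: WP_DEBUG true without WP_DEBUG_DISPLAY false prints PHP errors on every page.
    if defines.get("WP_DEBUG") is True and defines.get("WP_DEBUG_DISPLAY") is not False:
        findings.append(("ERRORS_DISPLAYED",
                         "set WP_DEBUG to false, or WP_DEBUG_DISPLAY to false and log with WP_DEBUG_LOG"))
    # With WP_DEBUG false, WordPress leaves display_errors to php.ini, so force it off explicitly.
    if not DISPLAY_OFF_RE.search(active):
        findings.append(("DISPLAY_ERRORS_NOT_FORCED_OFF",
                         "add @ini_set( 'display_errors', 0 ); so php.ini cannot re-enable error output"))
    # Step 9: the built-in theme/plugin editor must be disabled.
    if defines.get("DISALLOW_FILE_EDIT") is not True:
        findings.append(("FILE_EDIT_ENABLED", "add define( 'DISALLOW_FILE_EDIT', true );"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_wp_config(cfg) or "OK")
```

To check your own site, call audit_wp_config() on the contents of your wp-config.php. The display_errors check is there because, when WP_DEBUG is false, WordPress does not touch the display_errors setting itself, so an explicit @ini_set( 'display_errors', 0 ) is what guarantees that PHP's own configuration cannot put error output back on your pages.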
Step 10. Deleting unused templates and plugins
Clean up your WordPress website and remove all unused templates and plugins. Hackers often use disabled and outdated templates and plugins (even official WordPress plugins) to access your control panel or to upload malicious content to your server, because a deactivated plugin's files remain on the server and can still be reached directly. By removing plugins and templates that you stopped using (and maybe forgot to update) a long time ago, you reduce the risks and make your WordPress website more secure.
Step 11. Using .htaccess to improve WordPress security
.htaccess is the Apache configuration file that WordPress relies on for its permalinks. Without the correct entries in the .htaccess file, you will get a lot of 404 errors.
Not many users know that .htaccess can be used to improve the protection of WordPress. For example, you can block access or disable PHP execution in specific folders.
IMPORTANT. Before you make any changes to the file, back up the old .htaccess file. To do this, you can use the FTP client or File Manager.
Disabling access to the administrative part of WordPress
The code below will allow you to access the administrative part of WordPress only from certain IPs.
AuthName "WordPress Admin Access Control"
order deny,allow
deny from all
allow from xx.xx.xx.xx
allow from xx.xx.xx.xx
Note that "xx.xx.xx.xx" stands for your IP address (you can use this website to check your current IP address). Put these rules in an .htaccess file inside the wp-admin directory. If you use more than one connection to manage the site, make sure you have listed the other IP addresses as well (add as many allow lines as you need). It is not recommended to use this code if you have a dynamic IP address, because you will lock yourself out as soon as it changes. Two more things to keep in mind: some themes and plugins call wp-admin/admin-ajax.php on behalf of ordinary visitors, so an IP restriction on wp-admin can break those features, and on Apache 2.4 the order/deny/allow directives only work when the mod_access_compat module is loaded (the modern equivalent is Require ip xx.xx.xx.xx).
Disabling PHP execution in specific folders
Hackers like to upload backdoor scripts to the WordPress uploads folder. By default, this folder only stores media files, so it should not contain any PHP files at all. You can easily disable PHP execution there by creating a new .htaccess file in /wp-content/uploads/ with these rules (they apply to PHP files only, so your images keep working):
<Files *.php>
deny from all
</Files>
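The .htaccess rule above stops PHP from executing in the uploads folder, but it is also worth checking whether any PHP has already landed there, which is the kind of scan Step 6 talks about. The Python script below is an added example and is not part of the original guide or of any plugin: it walks an uploads tree and flags files that carry a PHP extension anywhere in their name (some Apache configurations that use AddHandler execute double extensions such as image.php.jpg) or whose first bytes contain a PHP open tag hidden inside an "image". It builds its own constructed sample tree in a temporary directory; the sample PHP contents are inert placeholders.

```python
import os
import tempfile

# Extensions a typical Apache/PHP setup will execute; none of them belong under uploads.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def looks_like_php(path, sniff_bytes=4096):
    """True if any extension in the file name is a PHP one (image.php.jpg is caught)
    or if the leading bytes contain a PHP open tag (PHP hidden inside an image file)."""
    parts = os.path.basename(path).lower().split(".")
    if any(ext in PHP_EXTENSIONS for ext in parts[1:]):
        return True
    try:
        with open(path, "rb") as fh:
            head = fh.read(sniff_bytes)
    except OSError:
        return False
    return any(tag in head for tag in PHP_OPEN_TAGS)


def scan_uploads(uploads_dir):
    """Walk an uploads tree and return sorted, slash-separated relative paths of suspicious files."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            full = os.path.join(root, name)
            if looks_like_php(full):
                hits.append(os.path.relpath(full, uploads_dir).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_uploads():
    """Create a constructed uploads tree in a temporary directory: two ordinary images,
    one PHP file hidden behind a .jpg extension and one GIF with a PHP tag embedded.
    The PHP contents are inert placeholders, not real code."""
    base = tempfile.mkdtemp(prefix="uploads-demo-")
    samples = {
        "2024/01/photo.jpg": b"\xff\xd8\xff\xe0 JFIF constructed image bytes",
        "2024/01/logo.png": b"\x89PNG\r\n\x1a\n constructed image bytes",
        "2024/02/image.php.jpg": b"<?php /* constructed placeholder */ ?>",
        "2024/02/banner.gif": b"GIF89a constructed image bytes <?php /* placeholder */ ?>",
    }
    for rel, data in samples.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return base


if __name__ == "__main__":
    for hit in scan_uploads(build_sample_uploads()):
        print("suspicious:", hit)
```

Point scan_uploads() at a real wp-content/uploads directory to use it; anything it reports should be reviewed and, if it is not a file you placed there deliberately, removed and the site checked more thoroughly with a scanner such as the plugins from Step 6.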
Protection of the wp-config.php file
The wp-config.php file contains the core WordPress configuration and the MySQL database credentials, which makes it the most important file in WordPress and a favourite target of WordPress hackers. You can easily secure it against direct web requests with the following rules in your site's root .htaccess file:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Step 12. Changing the standard WordPress database prefixes to prevent SQL injection
The WordPress database contains and stores all the key information your website needs to run. As a result, it is another target for hackers and spammers who run automated SQL injection attacks. During WordPress installation, many people do not bother to change the standard wp_ database prefix. According to WordFence, 1 out of 5 WordPress hacks involves SQL injection. Since wp_ is the default value, hackers try it first. Keep in mind that a non-default prefix only hampers automated attacks that hard-code wp_ table names; the injection flaw itself lives in vulnerable plugin or theme code and is only fixed by updating or removing that code. Below, I will briefly cover how to protect a WordPress website from such attacks.
Changing the table prefix for an existing WordPress site
IMPORTANT. Safety first! Before you start, make sure you have a backup of your MySQL database.
Part One. Changing the prefix in wp-config.php
Find your wp-config.php file using the FTP client or File Manager and find the line with $table_prefix.
You can add additional numbers, letters, or underscores. After that, save your changes and move on to the next step. In this guide, I will use wp_1secure1_ as the new table prefix.
While you are in your wp-config.php file, find your database name so you know which database to change. Look in the define('DB_NAME' section.
Part Two. Updating all database tables
Now you need to update all records in your database. This can be done using phpMyAdmin.
Find the database defined in the first part and login to it.
By default, a WordPress installation has 12 tables and each of them should be updated. However, this can be done faster using the SQL tab in phpMyAdmin.
Changing each table manually will take a huge amount of time, so use SQL queries to speed up the process. The following syntax will let you update all the tables in your database:
RENAME table `wp_commentmeta` TO `wp_1secure1_commentmeta`;
RENAME table `wp_comments` TO `wp_1secure1_comments`;
RENAME table `wp_links` TO `wp_1secure1_links`;
RENAME table `wp_options` TO `wp_1secure1_options`;
RENAME table `wp_postmeta` TO `wp_1secure1_postmeta`;
RENAME table `wp_posts` TO `wp_1secure1_posts`;
RENAME table `wp_terms` TO `wp_1secure1_terms`;
RENAME table `wp_termmeta` TO `wp_1secure1_termmeta`;
RENAME table `wp_term_relationships` TO `wp_1secure1_term_relationships`;
RENAME table `wp_term_taxonomy` TO `wp_1secure1_term_taxonomy`;
RENAME table `wp_usermeta` TO `wp_1secure1_usermeta`;
RENAME table `wp_users` TO `wp_1secure1_users`;
Some WordPress templates or plugins may add additional tables to the database. If you have more than 12 tables in your MySQL database, add the remaining tables manually to your SQL query and execute it.
Part Three. Checking options and custom metadata tables
Depending on the number of plugins installed, some values in your database must be updated manually. You can do this by executing separate SQL queries for the options and metadata tables.
For the options table, use:
SELECT * FROM `wp_1secure1_options` WHERE `option_name` LIKE '%wp_%';
For the metadata table:
SELECT * FROM `wp_1secure1_usermeta` WHERE `meta_key` LIKE '%wp_%';
When you receive the query results, simply update all values from wp_ to your newly configured prefix. In the user metadata table, you need to edit the meta_key field, while for the options table, you need to change the option_name value. Note that MySQL treats the underscore in a LIKE pattern as a single-character wildcard, and that if your new prefix itself begins with wp_ (as wp_1secure1_ does), rows you have already renamed will still show up in these results; only the rows that still start with exactly wp_ followed by the rest of the old name need changing.
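Parts Two and Three above can be generated instead of typed, which also takes care of plugin tables and of running the migration more than once. The Python script below is an added example, not code from the original guide: it produces the RENAME TABLE statements for every table that starts with the old prefix, UPDATE statements that rewrite the prefixed option_name and meta_key values that Part Three has you edit by hand, and check queries that should return no rows afterwards. SAMPLE_TABLES is a constructed stand-in for the output of SHOW TABLES (wp_example_plugin_data is a hypothetical plugin table and other_app_log a hypothetical unrelated table), and the generated statements are plain MySQL that can be pasted into the SQL tab of phpMyAdmin. It goes a step beyond the page in two ways: it escapes the underscore in the LIKE patterns, since an unescaped _ matches any single character in MySQL, and it skips rows that already carry the new prefix, which matters when the new prefix itself starts with wp_ as wp_1secure1_ does.

```python
import re

# WordPress itself only accepts these characters in a table prefix.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")

# Constructed table list standing in for SHOW TABLES output: the 12 default WordPress
# tables, one hypothetical plugin table and one unrelated table in the same database.
SAMPLE_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options", "wp_postmeta", "wp_posts",
    "wp_terms", "wp_termmeta", "wp_term_relationships", "wp_term_taxonomy",
    "wp_usermeta", "wp_users",
    "wp_example_plugin_data",   # hypothetical plugin table: must be renamed too
    "other_app_log",            # not WordPress: must be left untouched
]

# The two places WordPress stores the prefix as data rather than as a table name.
PREFIXED_KEY_COLUMNS = (("options", "option_name"), ("usermeta", "meta_key"))


def prefix_is_valid(prefix):
    """Reject anything WordPress would not accept; this also keeps the generated SQL safe."""
    return bool(PREFIX_RE.match(prefix))


def escape_like(value):
    """Escape MySQL LIKE wildcards so that 'wp_' matches a literal underscore."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def rename_statements(tables, old_prefix, new_prefix):
    """One RENAME TABLE per table that starts with old_prefix, plugin tables included."""
    if not (prefix_is_valid(old_prefix) and prefix_is_valid(new_prefix)):
        raise ValueError("prefixes may contain only letters, digits and underscores")
    return [
        f"RENAME TABLE `{t}` TO `{new_prefix}{t[len(old_prefix):]}`;"
        for t in tables if t.startswith(old_prefix)
    ]


def key_fixup_statements(old_prefix, new_prefix):
    """UPDATEs for keys such as wp_user_roles (options) and wp_capabilities / wp_user_level
    (usermeta). Only the leading prefix is replaced, and rows already carrying the new
    prefix are skipped, so the statements are safe to re-run."""
    old_like, new_like = escape_like(old_prefix), escape_like(new_prefix)
    stmts = []
    for table, column in PREFIXED_KEY_COLUMNS:
        stmts.append(
            f"UPDATE `{new_prefix}{table}` SET `{column}` = "
            f"CONCAT('{new_prefix}', SUBSTRING(`{column}`, {len(old_prefix) + 1})) "
            f"WHERE `{column}` LIKE '{old_like}%' AND `{column}` NOT LIKE '{new_like}%';"
        )
    return stmts


def leftover_check_queries(old_prefix, new_prefix):
    """SELECTs that should return no rows once the migration is complete."""
    old_like, new_like = escape_like(old_prefix), escape_like(new_prefix)
    return [
        f"SELECT `{column}` FROM `{new_prefix}{table}` WHERE `{column}` LIKE '{old_like}%' "
        f"AND `{column}` NOT LIKE '{new_like}%';"
        for table, column in PREFIXED_KEY_COLUMNS
    ]


def migration_plan(tables, old_prefix, new_prefix):
    """Ordered statement list: renames first (the UPDATEs reference the new table names),
    then key fix-ups, then the verification queries."""
    return (rename_statements(tables, old_prefix, new_prefix)
            + key_fixup_statements(old_prefix, new_prefix)
            + leftover_check_queries(old_prefix, new_prefix))


if __name__ == "__main__":
    print("\n".join(migration_plan(SAMPLE_TABLES, "wp_", "wp_1secure1_")))
```

Replace SAMPLE_TABLES with the real output of SHOW TABLES for your database, run the plan with a fresh backup in hand as the IMPORTANT note above says, and only change $table_prefix in wp-config.php once the check queries come back empty.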
Securing new WordPress installations
If you plan to install new WordPress websites, you do not have to do this all over again. You can easily change the prefixes of WordPress tables during the installation process.
Congratulations! You have successfully improved your database security.
Conclusion
Although WordPress is the most hackable CMS in the world, it's not that hard to improve its protection. In this guide, I've given you 12 tips to follow to keep WordPress secure.
Author bio: Roy is a tech enthusiast, a loving father of twins, a programmer at a custom software company, editor in chief of TheHomeDweller.com, a greedy reader, and a gardener.