How To Secure Your WordPress Website from being Hacked?


WordPress is the most widely used CMS (content management system) on the web. It is developed in PHP and powered by MySQL databases. Because WordPress is incredibly user-friendly and is used by everyone from major corporate websites to small businesses, it makes a tempting target for malicious activity. With such a large percentage of web content using WordPress as a CMS, any security vulnerability in WordPress’ code or framework could affect millions of websites.

Taking security action on your website ahead of time is a wise business decision. Most WordPress users are not even aware that malware or an attack has hit their site until it is too late and they have lost their Google search rankings and visitors. Make sure to apply some security to your WordPress site before bringing it live, so that an attack does not ruin your business. Here are the steps to secure your WordPress site or blog:

1) Secure your Administrator Account

By default, the WordPress username is set to “admin”, which is the main reason sites get hacked. This is why you need to create a new user with a strong username and password and delete the default WordPress “admin” user.

You can create a user by going to the “Users” section in the menu and clicking “Add New”. While creating the new user, make sure to give it the role of “Administrator” so that you have complete admin rights. To delete the admin user, log out, log in with your new user, go to the Users menu, and delete the “admin” user. Make sure to transfer your old posts to your new username before deleting the “admin” account.

2) Block Access to wp-login.php

The best way to secure your WordPress site is to protect the login page from unauthorized access; wp-login.php is the default WordPress login page. On a Linux platform this can be done by editing the .htaccess file in your server root; on Windows hosting it is done in the config file. In other words, you edit your .htaccess file if you’re using Apache, or your config file if you’re using Nginx. Most hosts will allow this and if yours doesn’t, it may be worth considering a change.

Blocking IP Addresses in .htaccess file:

The most important and most secure method to follow is limiting access to the wp-login.php page. First, you need to know the IP address from which you will access the login page, so that all other IP addresses can be blocked. If you don’t know it, you can google “What is my IP address”. Once you have your IP address, use the code below as an example for blocking access based on IP.

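# Block access to wp-admin – replace x.x.x.x and y.y.y.y with your IP addresses.
# These rules restrict the directory whose .htaccess contains them, so they
# belong in wp-admin/.htaccess (in the site root they would cover the whole site).
# Apache 2.2 syntax; on Apache 2.4 it works only with mod_access_compat loaded.
Order deny,allow
Allow from x.x.x.x
Allow from y.y.y.y
Deny from all

# Allow access to wp-admin/admin-ajax.php
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>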

Blocking IP Addresses in config file:

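If you are using a Windows hosting server, you would need to block the IP addresses using the web.config file in the server root. Use the code below as an example for blocking access based on IP; note that it is written in Nginx configuration syntax, for the Nginx config file mentioned above.

# Page shown to visitors who are denied access
error_page  403  http://example.com/forbidden.html;

# Restrict /wp-admin – replace x.x.x.x and y.y.y.y with your IP addresses.
# Rules are checked in order and the first match wins.
location /wp-admin {
    deny    192.168.1.1;
    allow   x.x.x.x;
    allow   y.y.y.y;
    deny    all;
}

# Allow access to wp-admin/admin-ajax.php
location /wp-admin/admin-ajax.php {
    allow all;
}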

3) Remove Unwanted/Unused Plugins

* It is better to eliminate unused or unwanted plugins and themes from your WP dashboard.

* Don’t use a plugin when you can do it yourself.

* Update your plugins regularly; it is therefore a good idea to install plugins that allow auto updates.

4) Apply Automatic Updates

Keep your WordPress installation updated at all times, because every version of WordPress fixes security holes that were identified in previous versions. You can make a small change to the code so that you do not have to update manually (only minor updates are applied automatically in WordPress v.3.7 and later).

To apply auto updates, add the following code to your wp-config.php file:

# Enable all core updates, including minor and major:
define( 'WP_AUTO_UPDATE_CORE', true );

5) Host Your Website with a Good Hosting company

Most hacking attempts are caused by a security vulnerability on a hosting platform. Hence, host your website with a good-quality WordPress web hosting company. Look for a hosting provider that gives importance to security and that offers the following:

Support for the latest versions of PHP and MySQL
WordPress-optimized plans
A WordPress-optimized firewall
Malware scanning and intrusive file detection
Daily internal backups, but you still need to back up externally on a regular basis too.

6) Last but not Least, Backup!

Backup is another important concern for securing your WordPress site. Regular backups keep your site safer than any of the measures above. Several paid and free plugins are available for WordPress that manage the backup for you. If a website is professional and large, it’s always better to go for a paid backup solution to back up your WordPress site.
