Protect Your WP Site From Hacking Step-by-Step – Easy And Very Effective


Introduction

No one wants to wake up one morning and find that their website has been hacked. You don’t want that, do you? Lost data, lost money, headaches and lots of time spent on recovery: that is not even the full list of the ‘pleasures’ you can get literally at any second, even while you are reading these lines (at least 1,250 sites are hacked every hour).

I’ve written this post to help you understand the security threats and protect your website easily but efficiently. You don’t need a technical background to secure your online assets with the tips and detailed step-by-step recommendations below.

The post goes from very basic (but efficient) material to more advanced material (which you can still handle if you can install and set up plugins and work in your hosting control panel).

In addition to step-by-step instructions and video tutorials, I give some easy-to-understand explanations of the security subject, so that you don’t just follow the instructions blindly but learn something new and become a little smarter online.

I have not written this article in an eclectic ‘do-maybe-this-do-maybe-that’ manner, but so that you don’t get lost among the security issues and get the overall picture, prioritized by the balance between effectiveness and simplicity of implementation.

Mostly, this post focuses on protecting a WordPress site hosted on shared hosting, but you can apply much of the advice and many of the principles to any website platform.

Besides, I’ve written this article with the following idea in mind: to make it the one comprehensive but not excessive guide that any beginner WordPress user needs in order to be safe from hackers.

What You’ll Know From This Article

  • Why hackers and hacking bots want to hack your website
  • How someone hacked my website
  • How your website can be hacked
  • Live demonstration how almost anyone can hack your website if you don’t protect it the right way
  • How you can protect your website quite easily and free (step-by-step instructions a total newbie can do)
  • How you can protect your website hassle-free (if you are serious about security)
  • General and very reasonable advice on your website security (perhaps, the most important part of this article)


Bad News And Good News

Before we start, here’s one thing you should know. Any website can be hacked, even the best protected ones. The question is how much effort and skill hackers will put into it. Hacking and protection is an ever-evolving game that hackers lead (finding vulnerabilities) while security catches up (deploying patches).

And when hackers find out a new security loophole, they start hunting the vulnerable websites.

hackers looking for a victim

Hacker’s lunch

That was the bad news.

Now here’s a good one. If you are not a very big fish, there is little chance that you will be attacked personally by human hackers (they are the most sophisticated source of trouble). It’s much more likely that hacking bots (automated scripts that scan the web for known weaknesses) will try to break your website security.

And here’s another piece of good news. Hackers and their scripts are very unlikely to succeed if you follow the quite simple steps to protect your website that I explain in this post. (But if you ARE a big fish, then you may want to do what the Pentagon does – hire hackers to protect you from other hackers 😉 )

Why Hackers And Bots Want To Hack Your Website

It’s simple. Just because they are bad@sses 🙂
Kidding.
Well, that may be true, but here’s a more detailed list:

  • Just for fun, for leveraging self-esteem or for learning purposes
  • To damage your business because of competition or hate
  • To put some backlinks on your website for SEO purposes
  • To put affiliate links silently so you don’t notice them
  • To put malware on your website to hack your readers’ computers
  • To remove your site content and demand money for putting it back
  • To steal sensitive data (passwords, credit card credentials or your naked selfies) stored on your website (especially e-commerce)

Anyway, hackers can be good guys too, can’t they? 😉
good hacker

How My Website Was Hacked

I’ve got a website for testing purposes. It’s hosted on a cheap $1/mo hosting which is enough for it.
One day I woke up and wanted to open my site. This is what I saw instead of the main page:

my site was hacked

Obviously it was hacked by a script, not a human (a human just wouldn’t spend time on my one-page test site). As it turned out, it was not the site itself that was hacked but the hosting account. They got server-side access and deleted all my original files, databases and email accounts. Perhaps the owner of the script wanted me to pay for my data, but I had a better idea.

Although the host did not keep backups for me, I had made a full cPanel backup some time before the incident and downloaded it to my home computer. So it took little time to restore everything.

The hosting support denied that it was hacked on their end and at first tried to say it was my fault because I did not use the most recent version of Drupal. So it was clear that they were not interested in the details of the incident that would let them make their hosting more secure.

By the way, after I gave them my short, clear explanation that it was not my website but my whole hosting account that was hacked, together with my email accounts, they forced all their clients to change their control panel passwords ASAP. That was a good move, but not enough to make their clients secure.

Anyway, it was vivid proof that you are better off using reliable hosting maintained by professionals if your website really matters to you. And of course, keep backups (more security tips follow later in this article).

How Your Website Can Be Hacked

As I already mentioned, hacking is a constantly evolving game. New methods and vulnerabilities are discovered and used by hackers year after year. If you are interested in technical details, see the top new hacking techniques discovered each year from 2006 to 2013 here (warning: it’s a bit technical).

Website hacking – what does it mean?

In this section, it will be enough to list several major technical ways your website (or the server-side infrastructure) can be hacked, so that you grasp the overall picture:
(how to protect against these and other hacks is covered in the sections below)

  • Guessing your admin user name and password – scripts send huge numbers of login requests until they hit the right credentials (brute-force and dictionary attacks)
  • Sending crafted input that your website passes to the database as a command, so that the database returns or modifies your sensitive data (SQL injection)
  • Placing the attacker’s own code on your server so that your website does whatever they want, including serving malware to your visitors (code injection, usually through a file upload or plugin flaw)
  • Injecting scripts into your pages that run in your visitors’ or your own browser, e.g. imitating login or payment forms to steal credit card details or the admin user name and password (cross-site scripting, or user-interface redress, also known as clickjacking)
  • Stealing your session cookie or other authentication tokens from the browser or from an unencrypted connection, so that the attacker is logged in as you without ever knowing your password
  • Redirecting your visitors at the DNS level to the hacker’s website (DNS spoofing)

Generally, the hacks can be done on these levels:

  • client level (your operating system and browser)
  • website level (software, e.g. WordPress, plugins),
  • server level (e.g. hosting),
  • network level (connection breaches, e.g. insecure wi-fi).

The scariest thing (at least for me) is that you may not even notice that you have been hacked. Malicious code can sit on your website silently, harming your business and even your visitors.

What WordPress security issues you should be aware of

Here are the general weak spots directly connected with your WordPress website:

Hackers have a lot of opportunities thanks to people’s predictability, laziness or lack of awareness. For example, fewer than 17% of WP sites used the most recent WP version (4.0 and above) at the time of writing. This means the majority of WP sites run outdated versions with publicly known and already patched vulnerabilities, and can be hacked much more easily. So it is people who are too lazy to keep their WordPress version up to date.

Although the WordPress core is pretty secure (provided you update it regularly), WordPress add-ons such as themes and plugins are much less reliable. If you still think that vulnerabilities in the add-ons everyone can’t live without are rare, watch this video of a lead WordPress core developer admitting that the situation is disappointingly insecure (the video is technical, but you may just watch the easy two-minute part from 1:00 to 3:00):

In short, the speaker says WP plugins are generally not secure at all, and that is no exaggeration.

You may ask why all these weaknesses in plugins, themes etc. exist. The short answer is developers’ laziness and lack of security expertise. Seriously, why should many developers bother if users themselves don’t care much about vulnerabilities in plugins and themes? Still, serious providers update their products regularly, fixing newly found weaknesses, so use only add-ons that are actively maintained and remove the ones you don’t need.

If you are concerned about security (and you should be), I’ll tell you in a later section how to make sure you don’t become a hacker’s victim.

Live Demo How Your Website Can Be Hacked As Easily As 1, 2, 3

In the video below I show you how even a beginner hacker (I play this role myself in the video) can get your WordPress administrator user name and password without much ado.

Of course, in general, hacking is not as easy as 1, 2, 3. But the laziness and lack of awareness of WordPress users (as well as of plugin and theme developers) leave a lot of loopholes for hackers. I exploit one such loophole in this video:

So, in short, the video demonstrates how a hacker can crack your password if it is not strong enough. Even if you think your password is okay, it may be far from okay and an easy task for the cracking tools hackers use.

Anyway, password is just one of the many aspects of the game.

Well, I think we have warmed up enough and now we can roll up our sleeves to dive into the core of this post.

Let me ask you – are you ready now to get brutally practical advice on how to protect your cool precious WordPress site from hackers? I don’t hear you! Say it loud again! Good! Let’s roll then!!

How You Can Protect Your WP Website With Your Own Hands – Step-by-Step Instruction

Below I will show you how you can protect your WordPress website from hacking without spending a cent. It’s not difficult, as you’ll see, but it is still very effective, simply because most hackers (and their scripts) go for the least protected sites first. If you follow the steps below you already put yourself above the majority of vulnerable sites.

protecting websites is easy

– It’s time to protect my little blog from big hackers

The list below is in a prioritized order as I suggest it generally for a person who is not very technical.
I will give you both recommendations and exact step-by-step instructions (tutorials) how to harden your website.

Protection against hacking is all about risk. If you don’t follow any of the recommendations in this section, you put your website at great risk of being hacked. With each additional step described here you reduce the risk of being hacked and/or the headache and losses of recovering after an attack.

1. The first line of your WordPress site security defense is your password

Before I give you exact recommendations on what password is secure enough, here is why I put a strong password first: setting a secure password is the easiest, cheapest and quite efficient protection against hackers. But many people ignore it or are simply unaware of the threat.

password hacking I've got you

Don’t let it happen

1.1. Use unique passwords

Here’s something interesting about passwords that people use.

You might think that every person is unique and their thoughts and actions are unique. That is true, but only to some extent, because people share common patterns of behavior, which are exploited not only by marketers but also by hackers. Want proof that people are very predictable, like animals in a herd? Here we go.

Mark Burnett, a security consultant and researcher who specializes in Windows-based servers and networks, has been gathering passwords since 1999 and by 2011 had collected more than 6 million of them. He shares his observations and thoughts on password security in his book “Perfect Passwords”.

Here are some of the most interesting and shocking facts Mark shares after analyzing 2.5 million passwords from publicly available sources (as of March 2015):

  • 0.5% of users use the password password;
  • 0.4% use the passwords password or 123456;
  • 0.9% use the passwords password, 123456 or 12345678;
  • 1.6% use a password from the most popular 10 passwords;
  • 4.4% use a password from the most popular 100 passwords;
  • 9.7% use a password from the most popular 500 passwords;
  • 13.2% use a password from the most popular 1,000 passwords;
  • 30% use a password from the most popular 10,000 passwords.

The most popular 10,000 passwords are used by almost a third of all users!
So, are people really as unique as they think? When it comes to passwords, not very.

Different versions of the lists with the most common passwords like top 10,000 can be easily found in the web, so everyone including hackers can get to know these most popular passwords which so many people use.

Bottom line: Don’t assume that your password is unique (and therefore secure). In many cases it is not.

1.2. Use strong passwords

Here are some simple general rules that will let you have a strong password:

  • Make your password at least 12 characters long (if you’ve heard that 8 characters is enough, know that going from 8 to 12 random characters multiplies the number of possible passwords by roughly 15 million, which is 62^4 for letters and digits alone)
  • Don’t use existing words or names in your passwords (cracking tools combine dictionary words easily, so a password like ‘iloveyouverymuch’ is still very easy to crack)
  • Don’t assume that the tricks you use to encode your passwords are hard to decode (if you replace ‘a’ with ‘@’, ‘i’ with ‘!’, ‘e’ with ‘3’ etc., as in ‘sh!th@pp3nz’, know that cracking tools apply exactly these substitution rules to their word lists, so the tricks will not help you much)
  • Don’t use the same password anywhere else (once your password is compromised, it ends up in the databases of leaked passwords that hackers try everywhere, and all your other accounts become insecure). Don’t underestimate this, because data leaks are spreading more and more (2 million accounts have been compromised from Google, Yahoo, Twitter, Facebook and LinkedIn; 5 million Gmail passwords became public; 7 million Dropbox passwords leaked, and it will not stop)
  • Change your passwords regularly, and immediately if you suspect a leak (it reduces the chance that a compromised password will be cracked or used)
  • Don’t rely on passwords you can remember or type easily (e.g. ‘q1o0w2i9e3u8r4y7’ is very bad because it is a typing pattern on the keyboard)
  • Use passwords which are a random combination of lower and upper case letters, numbers and symbols (here is a table that gives rough estimates of how quickly a password can be cracked with a plain, dumb brute-force attack, e.g. a password of just 8 digits can be cracked within 10 seconds)

Here’re some examples.
Password T;)R@tJ;4Wf5 is more secure than 123!@#qweASD because the latter can be typed easily (the keys sit next to each other on the keyboard). Advanced cracking tools include such keyboard patterns, so these passwords are comparatively easy to crack.

Here’s a recommendation I’ve got from one of the hosting providers:

Hi, a lot of hosts have reported vps’s getting hacked lately, please use a strong login password for anything you use not just your vps etc, use a password like this:
jsdsdj6963hGEW4gz54%h(bb)0_h%c3@vjHPOIZXASDhv67754iu9jkjjgrt5bht^_hnb2kjl;xzz

Yes, using passwords like that makes sense.

(By the way, all these example passwords became less secure as soon as I published them online, because they are now exposed and can be scraped by hackers’ web crawlers and added to their word lists. So don’t use them 😉 )

Bottom line: Use passwords which are impossible to remember, hard to type, contain a random mixture of letters, numbers and symbols, and are at least 12 characters long.
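As an added example (not code from the original post), here is a small shell script that applies the rules above: it generates a random password from /dev/urandom, estimates the brute-force search space from the length and the character classes used, and rejects anything shorter than 12 characters, anything whose search space is under 60 bits, and anything that still contains a common password after undoing the usual ‘@ for a, 0 for o’ substitutions. The six-entry COMMON_PASSWORDS list is a stand-in I made up for the example; a real check would use one of the top-10,000 lists mentioned above.

```shell
#!/bin/sh
# Added example (not from the original post): generate a random password of the
# recommended length and reject passwords that fail the rules above.

# Stand-in for the "top 10,000 passwords" lists. These six entries are
# constructed for the example; use a real list for real checks.
COMMON_PASSWORDS='password
123456
12345678
qwerty
iloveyou
letmein'

# gen_password [LENGTH]: LENGTH random characters (default 16) drawn from
# upper, lower, digits and symbols, using the kernel's random source.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' < /dev/urandom | head -c "${1:-16}"
}

# normalize PASSWORD: lower-case it and undo the common "leet" substitutions,
# so that P@ssw0rd is checked as password (cracking tools do the same).
normalize() {
  printf '%s' "$1" | LC_ALL=C tr 'A-Z@!30$' 'a-zaieos'
}

# is_common PASSWORD: exit 0 if the normalized password contains a common one.
is_common() {
  norm=$(normalize "$1")
  for word in $COMMON_PASSWORDS; do
    case $norm in *"$word"*) return 0 ;; esac
  done
  return 1
}

# password_bits PASSWORD: size of the brute-force search space in bits, assuming
# the attacker knows which character classes were used (26+26+10+33 printable).
password_bits() {
  pw=$1; n=0
  case $pw in *[a-z]*) n=$((n + 26)) ;; esac
  case $pw in *[A-Z]*) n=$((n + 26)) ;; esac
  case $pw in *[0-9]*) n=$((n + 10)) ;; esac
  case $pw in *[!A-Za-z0-9]*) n=$((n + 33)) ;; esac
  awk -v len="${#pw}" -v c="$n" 'BEGIN { printf "%d\n", len * log(c) / log(2) }'
}

# check_password PASSWORD: print "ok" or the reason it fails; exit 0/1.
check_password() {
  if [ "${#1}" -lt 12 ]; then
    echo "weak: shorter than 12 characters"; return 1
  elif is_common "$1"; then
    echo "weak: contains a common password (after undoing substitutions)"; return 1
  elif [ "$(password_bits "$1")" -lt 60 ]; then
    echo "weak: search space under 60 bits"; return 1
  fi
  echo ok
}

# Usage: check_password 'P@ssw0rd2015!'   (rejected: it is still "password")
#        check_password "$(gen_password 16)"   (accepted)
```

Note that the 60-bit line is an assumption for the example: 12 random lower-case letters come to only 56 bits, which is why the rules above insist on mixing in upper case, digits and symbols at that length.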

1.3. How to remember all these long, unique and strong passwords

The short answer: you can’t. If you can remember a password, it’s not good enough.
Luckily, there is software that manages passwords securely. A couple of reputable examples: LastPass, KeePass, 1Password.
Or, if you are very conservative, you may store your impossible-to-remember passwords in a file inside an archive protected with a strong password, but make sure the archive tool uses AES encryption (as 7-Zip does), because the traditional ZIP password protection is weak and easily cracked.

2. Backups. I should have put it first in this list

When it comes to safety, I believe nothing comes close to having up-to-date backups of your online assets. Backups are the ultimate way to get everything back after a disaster caused by hackers or just by life itself. There aren’t many things that improve your sleep more than a recent backup.

backup your website against hackers

– I don’t have a backup. Is it ok?

This topic deserves a separate post. But for now: if you have a website and don’t use any backup service from your hosting provider or a third-party company, stop reading and go download a full backup of your website. Keep it somewhere other than the server itself; a hacker who wipes your account will wipe any backups stored there too.

By the way, reliable hosting companies use internal backup systems even if they don’t offer daily downloadable backups to their clients.

Also, if you are going to make any serious changes on your website, e.g. update a plugin, install a new theme, then it makes sense to have the most recent backup at hand, because according to Murphy’s law, anything that can go wrong, will go wrong.

3. Keep WordPress core, themes and plugins updated

As I’ve already mentioned above in section “What WordPress security issues you should be aware of”, hackers look for and exploit security vulnerabilities which are contained in WP, themes and plugins.
The predator-prey game is simple:

  1. Predators (hackers) find the security holes in the software that you (prey) are using
  2. Software developers need to patch the holes ASAP
  3. You need to update your software ASAP
  4. If you don’t update it, then hackers (or their bots) may find you and hack you

– Have you updated? I’m watching you!

4. Use a safe reliable hosting

It is debatable that I’ve put hosting in 4th place in my list (hosting is in many ways the more important security factor). But anyway, let’s go on.

Although nothing is 100% safe from hackers, some hosting services are safer than others.

If you use cheap amateur hosting, there is a greater risk that the whole server gets hacked, not just your WordPress site. Also, many shared hosts don’t isolate customers from each other properly, so a hacker who has compromised someone else’s website on the same server can reach your files through that loophole much more easily.

So, your hosting should be run by true professionals who do their work properly, if you don’t want to get a disappointing message like this one soon:

we got hacked

– Say thanks your website was not affected lethally… yet

I got this email from a cheap $1/mo hosting company where I keep an account for unimportant stuff, so I was not too upset by the warning. But if your website matters to you, you’d better use reliable hosting that actually does everything to prevent this.

5. Restrict login attempts

One of the most popular ways to hack sites is the brute-force attack (trying thousands or millions of passwords until one works).

A simple and effective way to fight back is a WordPress plugin like Limit Login Attempts.
The plugin simply blocks an IP address for a specified time after a certain number of failed logins in a row. And the plugin is free. Keep in mind that bots also try passwords through xmlrpc.php (the XML-RPC interface used by mobile apps and some plugins), so pick a plugin that covers that entry point too, or block xmlrpc.php if nothing you use needs it.
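As an added example (not part of the original post), here is a shell script that does the same counting by hand from the raw access log your cPanel lets you download (the ‘Raw Access’ tool), so you can see who is hammering your login before you install the plugin and verify afterwards that the blocking works. The seven log lines are constructed for the example and use documentation-only IP addresses; the threshold of three attempts is an assumption to adjust for your own traffic.

```shell
#!/bin/sh
# Added example (not from the original post): find brute-force login attempts
# in an Apache access log in the common combined format.

# Constructed sample log: one bot hitting wp-login.php three times, one normal
# login, and one bot guessing through xmlrpc.php. Not real traffic.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [12/Mar/2015:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3925 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3925 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3925 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Mar/2015:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3925 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Mar/2015:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2015:10:07:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.9 - - [12/Mar/2015:10:07:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
EOF
)

# login_attackers THRESHOLD: read an access log on stdin and print "COUNT IP"
# for every client that POSTed to wp-login.php or xmlrpc.php at least THRESHOLD
# times, busiest first. Only POSTs count: a GET of the login page is just a
# visit, a POST is an actual password attempt.
login_attackers() {
  awk -v min="$1" '
    $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { n[$1]++ }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
  ' | sort -rn
}

# Usage on the sample: prints "3 203.0.113.7"
#   printf '%s\n' "$SAMPLE_LOG" | login_attackers 3
# On a real log downloaded from cPanel:
#   login_attackers 20 < example.com-access_log
```

A normal visitor produces one GET of wp-login.php followed by one POST, as 198.51.100.2 does above; dozens of POSTs from one address within minutes is a bot, and those are the addresses the plugin should be blocking.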

stop sign for brute-force hackers

– Slow down, brute-force hacker-dude!

– Words of warning about .htaccess for newbies before continuing

You know it is advised to make a full cPanel account backup (or at least a database and files backup), or to use a reliable backup service, before making significant changes like installing or updating WordPress, themes or plugins.

Below are tips on changing the .htaccess file. It is a critical file for your WordPress configuration, so make a copy of it (as well as any other file you change) before editing; then, if you mess up, you can restore it in seconds. A syntax error in .htaccess typically takes the whole site down with a ‘500 Internal Server Error’, so check the site in a browser right after each change.

If you are not sure what is going on in some of the following tips regarding .htaccess, then you may just skip these tips and read this article further – there are more tips and alternatives below in this post (for example, paid services and advanced plugins).

But if you want to learn how to become a bit more tech-savvy with WordPress, then I encourage you to continue with .htaccess tips. It’s not as difficult as it may seem at first.

editing .htaccess - not a game but fun

Consider yourself warned 😉

Anyway, please feel free to ask any questions in the comments.

– What if you can’t find .htaccess file?

In most cases your web hosting uses the Apache web server, which reads .htaccess configuration files. If your hosting is based on Nginx (or another server that does not read .htaccess), there is no .htaccess file and the rules below must go into the server configuration instead, which on shared hosting means asking support.

If the above has confused you, don’t worry; I’ve put it in just for consistency and education 🙂 Feel free to continue reading, because it’s very likely that your web hosting is configured with .htaccess files.

Also, some hosting providers don’t allow editing .htaccess files. In this case you may contact your hosting support with your concerns so that they could implement what you want.

Alright, here’s the most frequent case – you are allowed to work with .htaccess files. If you can’t find the .htaccess file in your WordPress installation directory (e.g. public_html), then you need to create this file.

Note that the .htaccess file is hidden (the dot at the beginning of the file name indicates that), and you need to make sure that hidden files are displayed when you browse your directories.

So, here’s the plan if you use a standard cPanel’s File manager:

  1. Make sure you can see hidden files, otherwise turn on Show hidden files option
  2. Make sure you don’t have .htaccess file
  3. Create a new file named .htaccess (or let WordPress create it for you: saving your permalink settings under Settings > Permalinks writes a default .htaccess when the directory is writable)
  4. Make sure the permission for .htaccess is 644

6. Make sure the files access permissions are safe

The safe default permissions (set with the unix chmod command or via your hosting control panel) are in general:

  • 755 for directories
  • 644 for files

You may find that some of your files or directories have permission 777 (everyone on the server may write to them). Probably it’s due to a bad default setting during WordPress installation, or some plugin you use requires it. Permission 777 is not safe and strongly discouraged. I suggest changing it to the recommended 755/644 and checking that your WordPress still works (make a website backup first).

Also, you may ask your hosting support for advice (it’s not their direct responsibility to educate you, but why not try? 😉 ).

If you’re a wannabe-geek or want to dive deeper into permission tuning, consider these recommendations for a shared hosting environment where PHP runs under your own account (the usual suPHP/CGI setup; if PHP runs as a separate web-server user, the 400/600 entries below make those files unreadable to it, so use 644 there instead):
755 - Folders
600 - PHP Scripts
400 - Configuration Files (wp-config.php, etc)
600 - Script files requiring WRITE access
644 - Non-Script Files, HTML, Images, etc
755 - CGI/Perl Scripts

And you may want to read this thread on cPanel discussion.
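As an added example (not code from the original post), here is a shell script you can run over SSH that applies the 755/644 defaults to a whole WordPress tree, tightens wp-config.php, and lists anything still world-writable (the check worth rerunning after installing a plugin). It assumes PHP runs under your own account, as with suPHP/CGI on most cPanel hosts; if PHP runs as a separate web-server user, set WP_CONFIG_MODE=644 before calling it. WP_CONFIG_MODE and the function names are mine, not WordPress’s.

```shell
#!/bin/sh
# Added example (not from the original post): apply the recommended permissions
# to a WordPress tree and report what is still world-writable.

# harden_wp_perms DIR: 755 on every directory, 644 on every file, then tighten
# wp-config.php to WP_CONFIG_MODE (default 600: owner read/write only; use 644
# if PHP runs as a different user than the file owner).
harden_wp_perms() {
  dir=$1
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
  find "$dir" -type d -exec chmod 755 {} +
  find "$dir" -type f -exec chmod 644 {} +
  if [ -f "$dir/wp-config.php" ]; then
    chmod "${WP_CONFIG_MODE:-600}" "$dir/wp-config.php"
  fi
  return 0
}

# world_writable DIR: print every file or directory that "others" can write
# to (the 7/6/2 in the last digit of 777, 666, 772). Empty output is the goal.
world_writable() {
  find "$1" -perm -002 -print
}

# Usage over SSH on a cPanel account:
#   harden_wp_perms ~/public_html
#   world_writable ~/public_html      # should print nothing
```

Run world_writable first to see what a plugin or installer left open, take a backup, then harden and reload the site; if a plugin stops being able to write (caches, uploads), give only that directory 775 rather than going back to 777.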

7. Don’t allow PHP files to execute in some folders

A lot of hacking danger comes from the possibility of executing malicious PHP files (PHP execution is, after all, how WordPress itself works). Malicious PHP files can be uploaded to writable folders on the server (e.g. the uploads folder) through a vulnerable plugin or a stolen account, and then run by simply requesting their URL.

In order to protect from this threat you need to edit the .htaccess file on your server.

This tip is very effective, but it requires a bit more than copy-paste, or it may break your theme or some plugins. That’s why you need to try it carefully and check that nothing on your website stops working.

Alright, here’s what the general code to insert into the .htaccess file looks like:

# Forbidding PHP files execution
<FilesMatch "\.(php|phtml|php[3-7])(\.|$)">
Order Allow,Deny
Deny from all
</FilesMatch>

This code makes Apache refuse any web request for a file whose name contains a PHP extension (.php, .phtml, .php3 to .php7, including double extensions such as shell.php.jpg), so such a file cannot be executed by requesting its URL. On Apache 2.4 the Order/Deny directives only work if the compatibility module mod_access_compat is enabled (it usually is on shared hosting); the native 2.4 directive is ‘Require all denied’.

Put a .htaccess file with this code into each directory that you want to protect from PHP execution (create the file if necessary).

If you don’t know which directories to protect this way, do it for /wp-content/uploads and /wp-includes. The uploads directory is the safest choice, because it should only ever hold media. Protecting wp-includes can break things with some WordPress versions and plugins that load files from it directly, so test the editor and media uploads after the change.

By the way, if you want to explore many other .htaccess tricks, this link can be useful to you.
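As an added example (not from the original post), here is a shell script with two helpers: one lists PHP files that have landed in wp-content/uploads (there should be none; double extensions such as shell.php.jpg count), and the other writes the deny rule in a form that works on both Apache 2.2 (Order/Deny) and 2.4 (Require all denied), refusing to overwrite an existing .htaccess. The function names are mine, and the rule covers .php, .php3 to .php7, .phtml and .phar; the directory layout in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): audit the uploads directory for
# PHP files and install a deny rule that works on Apache 2.2 and 2.4.

# php_in_uploads DIR: print files under DIR with a PHP-like extension, including
# double extensions such as shell.php.jpg that some server setups still execute.
php_in_uploads() {
  find "$1" -type f \( -name '*.php' -o -name '*.php[3-7]' -o -name '*.phtml' \
       -o -name '*.phar' -o -name '*.php.*' \) -print
}

# install_uploads_htaccess DIR: write DIR/.htaccess denying web access to PHP
# files. Refuses to overwrite an existing file so a hand-made one is kept.
# mod_authz_core only exists in Apache 2.4, so each version sees its own syntax.
install_uploads_htaccess() {
  target=$1/.htaccess
  if [ -e "$target" ]; then
    echo "$target exists, not overwriting" >&2
    return 1
  fi
  cat > "$target" <<'EOF'
# Forbid PHP execution in this directory (uploads must only hold media)
<FilesMatch "\.(php[3-7]?|phtml|phar)(\.|$)">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>
EOF
  chmod 644 "$target"
}

# Usage over SSH (paths assumed):
#   php_in_uploads ~/public_html/wp-content/uploads     # expect no output
#   install_uploads_htaccess ~/public_html/wp-content/uploads
```

Anything php_in_uploads prints is worth investigating before you add the rule: a PHP file in uploads that you did not put there is a sign the site is already compromised, and the .htaccess only stops it being run over the web, it does not remove it.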

8. Protect your wp-admin directory and wp-login.php file

WordPress administrative tools are contained in the administration area which is the wp-admin directory. It makes sense to give it an additional level of protection.

Also, restricting access to wp-login.php adds protection against brute-force attacks (bots that want to log in to your administration area).

8.1. Disabling theme/plugin editing in wp-admin

A great way to secure WordPress is to disable the file editor in the wp-admin area.
Add this to the wp-config.php file, above the line that says ‘That’s all, stop editing!’:

# Disable Plugin / Theme Editor in WP-ADMIN area
define('DISALLOW_FILE_EDIT', true);

It disables the plugin and theme editors in the WordPress administration panel. So if a hacker (or their bot) gets into your administration area, they will not be able to modify the code of themes and plugins from there.

Do note, however, that you and anyone else will also be unable to edit the code from the WordPress administration area. You can still do it from the cPanel File Manager or via SFTP. (A stricter option, DISALLOW_FILE_MODS, additionally blocks installing and updating plugins and themes from the dashboard, but then updates must be done by hand.)

8.2. Limit access to wp-admin by IP

This option restricts access to the administration area by IP address. In other words, only you (and other people if you want), identified by IP, can reach wp-admin. To use it you need to know your public IP address (or your IP range if your IP is dynamic; any ‘what is my IP’ site will tell you).

Code to add to the .htaccess file in the wp-admin directory (a separate file from the one in your site root):

# Block access to wp-admin
order deny,allow
deny from all
allow from x.x.x.x 

Replace x.x.x.x with your IP.

For example, if your IP is 50.36.43.12, then you’ll need to use this code:

# Block access to wp-admin
order deny,allow
deny from all
allow from 50.36.43.12 

By the way, if your IP is not static (you get a new IP each time you connect to the Internet), you can determine the IP range your provider assigns you and adjust the “allow from” line accordingly:

  • If only the last number changes, say 12.123.44.x (where x is any number), use “allow from 12.123.44.0/24”.
  • If the last two numbers change, say 12.123.x.x, use “allow from 12.123.0.0/16”.

For example, the whole code would be:

# Block access to wp-admin
order deny,allow
deny from all
allow from 12.123.0.0/16

It forbids access to any users whose IPs do not belong to your range; only users with IPs that start with 12.123. will be allowed in. Keep in mind that a /16 range is 65,536 addresses shared with every other customer of your provider in that block, so it is weaker than a single address; the narrower the range you can use, the better. On Apache 2.4 these Order/Deny/Allow directives only work if the compatibility module mod_access_compat is enabled; the native 2.4 form is ‘Require ip’ followed by your address or range.

Also, here’s a caveat to this admin-area restriction. If your theme or plugins use AJAX, you will likely need additional directives in the .htaccess file to avoid breaking that functionality, because their requests go to wp-admin/admin-ajax.php even for ordinary visitors:

# Allow access to wp-admin/admin-ajax.php
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
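As an added example (not from the original post), here is a shell script that generates the wp-admin/.htaccess rules above from a list of addresses or ranges, in the syntax for your Apache version (2.2 Order/Allow, or 2.4 Require ip), keeps admin-ajax.php open, and refuses malformed addresses, which is the mistake that locks you out. The function names are mine; the sample addresses are the ones used in the text. Check your version with apachectl -v over SSH, or ask your host.

```shell
#!/bin/sh
# Added example (not from the original post): build an IP allow-list for
# wp-admin in the syntax matching the Apache version, with input validation.

# valid_ipv4 ADDR: exit 0 if ADDR is a.b.c.d or a.b.c.d/NN with octets 0-255
# and a prefix length 0-32. IPv6 is deliberately not handled here.
valid_ipv4() {
  printf '%s\n' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
  for octet in $(printf '%s' "${1%%/*}" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# wp_admin_rules VERSION ADDR...: print .htaccess rules allowing only ADDR...
# into wp-admin while leaving admin-ajax.php reachable. VERSION is 2.2 or 2.4.
# In 2.4 the <Files> block's own Require replaces the directory-level one.
wp_admin_rules() {
  ver=$1; shift
  [ "$#" -ge 1 ] || { echo "need at least one address" >&2; return 1; }
  for a in "$@"; do
    valid_ipv4 "$a" || { echo "bad address: $a" >&2; return 1; }
  done
  echo "# Block access to wp-admin except from the listed addresses"
  case $ver in
    2.4)
      for a in "$@"; do echo "Require ip $a"; done
      echo "<Files admin-ajax.php>"
      echo "  Require all granted"
      echo "</Files>"
      ;;
    2.2)
      echo "Order deny,allow"
      echo "Deny from all"
      for a in "$@"; do echo "Allow from $a"; done
      echo "<Files admin-ajax.php>"
      echo "  Order allow,deny"
      echo "  Allow from all"
      echo "  Satisfy any"
      echo "</Files>"
      ;;
    *) echo "unknown Apache version: $ver" >&2; return 1 ;;
  esac
}

# Usage (paths assumed):
#   wp_admin_rules 2.4 50.36.43.12 12.123.0.0/16 > ~/public_html/wp-admin/.htaccess
```

Write the output into wp-admin/.htaccess, then test from a second network (your phone off Wi-Fi) before closing the session, keeping the cPanel File Manager open so you can delete the file if you have locked yourself out.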

 

8.3. Limit access to wp-login.php by IP

It’s the same approach as above – restricting access by IP. It will not let anyone else reach your login page (wp-login.php), which is quite efficient against brute-force attacks.

Here’s the code to add to the .htaccess file in the same directory as wp-login.php (by default, the WordPress installation directory, e.g. public_html):

# Block access to wp-login.php
<Files wp-login.php>
order deny,allow
deny from all
allow from x.x.x.x 
</Files>

Don’t forget to replace x.x.x.x with your IP or IP range (e.g. x.x.0.0/16; see above for details).

For example, if your IP is static 50.36.43.12, then you’ll need to use this code:

# Block access to wp-login.php
<Files wp-login.php>
order deny,allow
deny from all
allow from 50.36.43.12 
</Files>

 

9. Don’t use the default user name admin

If you use the default administrator user name ‘admin’, you make it easier for brute-force scripts to crack your login credentials, because the vast majority of brute-force attacks target the admin user name and then only have to guess the password.

Below is a log of brute-force attacks on one of my test sites.

brute-force attacks log

if you use ‘admin’ user name, you are #1 target for brute-force hackers


I don’t use the admin user name, so these hacking attempts were doomed to fail 🙂

But what if you already use admin?

It’s very simple to change. There are several ways, such as changing the user name in the database using phpMyAdmin, or via a plugin.

But I like a much more elegant and simple way that doesn’t require getting your hands dirty in the database or installing one more plugin. Here’s how:

  1. Create a new administrator user name
  2. Log out your admin session
  3. Log in as a new administrator
  4. Delete the admin user and attribute all of admin’s content to the new administrator (WordPress asks this when you delete a user; choose ‘Attribute all content to’ rather than deleting the posts)

And yes, make a backup (database backup is enough) or use a website backup service before doing that, just in case.

10. Secure the wp-config.php file

The WordPress configuration file (wp-config.php) contains very sensitive information (your database credentials and the secret keys that sign login cookies). That’s why it should be protected carefully.

Apart from setting permission 400 or 440 as recommended earlier (read-only for the file owner; this works only when PHP runs under your own account, as it does with suPHP/CGI on most shared hosts), it’s advised to restrict web access to wp-config.php by adding this code to the top of the .htaccess file:

# securing wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

This code works if .htaccess and wp-config.php are in the same directory. Normally a request for wp-config.php returns an empty page anyway, because PHP executes it; the rule protects you on the day PHP is misconfigured and the server would hand out the file as plain text.

11. Protect access to .htaccess

Add these lines to your .htaccess file to stop it from being downloaded over the web (a standard Apache configuration already refuses to serve files beginning with .ht, so this is belt and braces for hosts that changed that default):

# securing .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files>

 

12. Use secure file transfer protocol

If you want to upload files to your web hosting, don’t use plain FTP (file transfer protocol): it sends your login, your password and every file in clear text. Use SFTP (the file transfer mode of SSH, not ‘secure FTP’) or FTPS (FTP over TLS) with a reputable program like FileZilla. Both encrypt the connection, so a third party on the network (i.e. a hacker, for instance on public Wi-Fi) cannot capture your credentials or files. When FileZilla shows an unknown host key on the first connection, compare it with the fingerprint your host publishes before accepting it.

sensitive data transfer

Don’t transfer your sensitive data to hacker’s hands (or mouth)

 

13. Two-factor authentication

This security enhancement will help you fight off brute-force attacks (which try to guess your password) by adding one more check between the hacker and your WordPress dashboard: a valid user name and password alone are no longer enough to log in.

Here are some examples of such additional checks:

  • An authorization code (a secret word or PIN that you remember)
  • A code sent by SMS
  • A code sent by phone call
  • A push notification to approve on your mobile phone

Although it may seem a simple approach, two-factor authentication is one of the most effective protections from brute-force attacks: a bot that has guessed or leaked the password still cannot get past the second check.

An example of the simplest plugins of this kind for your WordPress site is the Stealth Login Page plugin (free). It requires a fixed authorization code that you need to remember. Strictly speaking a remembered code is a second password (another ‘something you know’) rather than a true second factor like a phone, but it still stops bots that only try user name and password combinations against wp-login.php:

Stealth Login Page - before

Normal login page


Stealth Login Page - after

Stealth Login Page with Authorization code

There are other plugins with more convenient and advanced features. Here are a couple of great examples which have free versions:

14. Don’t use the default database table prefix wp_ when installing WordPress

Some automated attack scripts (SQL injection payloads in particular) assume that your tables are named wp_users, wp_options and so on. You’ll make your website a bit safer and hackers’ lives more difficult if you specify a different prefix for the tables when installing WordPress, so such canned payloads fail:

wp prefix

Be a harder nut to crack

But what if your database already uses the default wp_ prefix?

In my opinion, the most reliable way to fix it is to do it by hand: rename every table, update the rows in the options and usermeta tables whose names embed the prefix (wp_user_roles, wp_capabilities, wp_user_level), and change $table_prefix in wp-config.php. But it’s not easy for a beginner.

Besides, there is the good iThemes Security plugin (formerly Better WP Security) which has a table prefix changing function (but I have not tested it myself yet).

After all, I think that using the default table prefix is not a critical weakness compared to the issues above. Moreover, an attacker who already has a working SQL injection can usually read your real prefix anyway (for example from the information_schema tables or from a leaked error message). So, as an additional hardening option changing the DB table prefix is fine, but not an absolute must-do.
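Below is the manual procedure just described written out as SQL, as an added example that is not part of the original post. It assumes a default single-site install with the twelve standard core tables and uses x7k_ as a made-up new prefix; any plugin tables that also start with wp_ need their own RENAME entries. The SELECT statements are there so you can review what the UPDATEs will touch before running them, because a plugin may store an option whose name merely happens to start with wp_ and must not be renamed:

```sql
-- Added example (not from the original post): move a WordPress database from
-- the default wp_ prefix to x7k_ (placeholder; choose your own).
-- Back up the database first. One RENAME TABLE statement renames all tables
-- atomically in MySQL, so a failure cannot leave the database half-renamed.
RENAME TABLE
  wp_commentmeta        TO x7k_commentmeta,
  wp_comments           TO x7k_comments,
  wp_links              TO x7k_links,
  wp_options            TO x7k_options,
  wp_postmeta           TO x7k_postmeta,
  wp_posts              TO x7k_posts,
  wp_termmeta           TO x7k_termmeta,
  wp_terms              TO x7k_terms,
  wp_term_relationships TO x7k_term_relationships,
  wp_term_taxonomy      TO x7k_term_taxonomy,
  wp_usermeta           TO x7k_usermeta,
  wp_users              TO x7k_users;

-- WordPress stores a few rows whose *names* embed the prefix, e.g. the option
-- wp_user_roles and the per-user meta keys wp_capabilities / wp_user_level.
-- '_' is a LIKE wildcard, so it is escaped to match the literal string 'wp_'.
-- Review these lists first: a plugin option literally named wp_something that
-- is NOT prefix-dependent must be excluded from the UPDATEs below.
SELECT option_id, option_name FROM x7k_options  WHERE option_name LIKE 'wp\_%';
SELECT umeta_id,  meta_key    FROM x7k_usermeta WHERE meta_key    LIKE 'wp\_%';

-- Replace the leading 'wp_' (3 characters) with the new prefix.
UPDATE x7k_options
   SET option_name = CONCAT('x7k_', SUBSTRING(option_name, 4))
 WHERE option_name LIKE 'wp\_%';

UPDATE x7k_usermeta
   SET meta_key = CONCAT('x7k_', SUBSTRING(meta_key, 4))
 WHERE meta_key LIKE 'wp\_%';

-- Sanity check: both queries should now return no rows.
SELECT option_name FROM x7k_options  WHERE option_name LIKE 'wp\_%';
SELECT meta_key    FROM x7k_usermeta WHERE meta_key    LIKE 'wp\_%';

-- Finally edit wp-config.php:   $table_prefix = 'x7k_';
-- Until that line is changed, the site shows the installation screen,
-- because WordPress cannot find wp_options any more.
```

If you see the installation screen after the change, it almost always means the $table_prefix line in wp-config.php does not match the new table names. Do not click through it; fix the prefix instead, otherwise WordPress will create a fresh, empty set of wp_ tables next to your renamed ones.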

15. Tip number last but not least: Protect your computer with antivirus software

Yes, it’s very basic advice, and no doubt you know about it. But I’ve included it in this article because it may be the weakest link in your security if you neglect it. For example, a trojan that records the passwords you type on your own computer makes all the other security measures useless: the attacker simply logs in as you.

cat suggests using antivirus

– You do use antivirus software, don’t you?

Interim summary: I’ve listed above security measures that you can easily apply to your WordPress website on your own. Generally that will be more than enough. Of course, there are more advanced anti-hacking techniques, like separating user roles and privileges, advanced .htaccess tweaking, restricting WordPress functionality, access monitoring, log analysis etc., but they are definitely not for beginners. For now, if you apply the above steps, consider yourself protected better than the vast majority of website owners on the planet.

– Video tutorial on editing .htaccess and wp-config.php files to protect your WordPress site

It’s simply a helping video tutorial that demonstrates how I implemented the recommendations written above on my testing website (tweaking the .htaccess and wp-config.php files).

How You Can Enhance Your WordPress Security

There may be cases when you want to protect your WordPress website even more than I described above.

  • For example, you were so unlucky that you got hacked and you don’t want it to happen again
  • Or you have to use some insecure plugins and want to make sure hackers will not exploit their vulnerabilities
  • Or you want to be able to scan and monitor whether your website is infected
  • Or you simply want security professionals standing behind you to help in case of emergency

If you are not an expert in security and don’t have much time, desire or skills to work on the server side of your hosting and get your hands dirty with coding, then you basically have two and a half choices:

  1. Go with a managed WordPress hosting solution
  2. Subscribe to a paid service (or buy a premium subscription to security plugins) that looks after your website’s safety and sanity
  3. Install free versions of WordPress security plugins, run their checks and keep an eye on their reports and warnings

The first one (managed WordPress hosting) is the most expensive but the least effort- and time-demanding solution. You simply hand over all the technical stuff about web hosting and your website security to the hosting company, and all you focus on is how your website looks, its content and your business. Do note, however, that managed hosts may be strict about which plugins you can use.

The second option (paid security service or premium security plugin subscription) provides you the guarantee that your site will be taken care of (or assisted with) from a security point of view. And in case your website is hacked, it will be cleaned by their staff at no extra charge (the cost is included in the paid subscription).

The last option (free versions of WordPress security plugins) is a half-measure of the previous option – you install the comprehensive WordPress security software, but do the maintenance and the clean-up after a hack yourself.

This section actually deserves separate detailed research. Here’s my article about choosing the best WordPress security plugin and combining plugins and products for better security, both free and paid solutions.

Instead Of A Summary (Perhaps The Most Important Part Of This Article)

If you prefer just a short guide to WordPress security, then read this section. If you need a more detailed description of anything specific, just read the corresponding chapter above.

So, here’s a short list of recommendations that you must follow to avoid the biggest risks of being hacked:

  1. Have backups
  2. Use strong passwords
  3. Keep WordPress, themes and plugins up-to-date
  4. Install Limit Login Attempts or a similar plugin to fight brute-force attacks
  5. Remove outdated plugins that you don’t use (even if they’re not activated) or at least make sure they don’t have known vulnerabilities
  6. Use themes and plugins from trusted sources to reduce the chance of vulnerable or infected code
  7. Use antivirus software on your computer

It’s super basic, easy to do, doesn’t break your theme or plugins, but it’s quite effective. Surprisingly, many people don’t do it. So, you’ll be better protected than most WordPress users if you follow the simple recommendations in the list above.

The next level of hardening your website security, balancing effectiveness against the inconvenience of using or implementing it, is to apply all or some of the following (still highly recommended):

  • Add the security tweaks to the .htaccess and wp-config.php files and check file permissions (I’ve put all the necessary instructions in this post)
  • Use SFTP instead of FTP (e.g. with FileZilla)
  • Don’t use super cheap $1/mo hosting
  • Don’t use the admin user name
  • Add a plugin for two-factor authentication (see the details above in the post)

If you follow the recommendations in this chapter (at least some of them), then you may consider yourself protected pretty well compared to most WordPress users. A very good thing is that you can do it for free without being an expert in WordPress.

And if you want a comprehensive solution for your WordPress security that adds some more advantages to what you have already done (e.g. SSL or a web application firewall), then consider

  • Installing security plugins or using services (free or premium versions – see my reviews and comparison here)

Then you’ll be able to do monitoring and scanning, clean your website easily if it’s infected and do other useful stuff.

After all, if the tips and recommendations from this article are too much for you (or maybe not enough) for some reason, too difficult or not worth your time, then the best choice for you can be

It will let you get rid of the headache connected with technical stuff, including security issues.

And one more security point:

In addition to protecting your WordPress site, don’t forget to protect yourself. Your passwords and other sensitive data can be compromised when you least expect it. That’s why I’m repeating these simple things here:

  1. Use antivirus software on your computer
  2. Don’t write down passwords on pieces of paper, in paper notebooks, in your mobile phone etc. in an unprotected way, if they can be lost or stolen
  3. Don’t enter passwords or other sensitive data over public Wi-Fi (especially on sites without SSL)
  4. Don’t enter sensitive data on someone else’s computer

And if anything is not clear or you are not sure about anything, or you got issues when implementing the tips – don’t hesitate to write about it in your comments below. I’ll do my best to assist you.

P.S.: Here’s the promised post in which I compare comprehensive security plugins and solutions for WordPress. So, if you don’t want to miss articles like that, then subscribe to the updates to my blog in the box below or in the sidebar.


Comments

  1. Hi Michael! Excellent steps. The article is very informative and sure I am going to follow every step.
    Thanks!!

  2. Hello Michael,

    Great post indeed. All terms are well described and easy to understand. I really don’t know much about website hacking although I have two WordPress sites. Hope your tips will help me to protect my sites from hacking.

    Thanks for the awesome sharing.

    • Hey Manik,
      Thanks for your feedback. Yes, most people just don’t care about or don’t know much about website security and therefore become an easy target for hackers and their bots.
      If you have any issues with implementing the tips – just ask in the comments and I’ll help.

  3. It’s a nice post, thanks a lot for sharing this kind of supportive and effective content with us. You defined all things easily and effectively. And I think you will share this type of helpful post with us next.

  4. Seriously excellent information. I found all this information piece-by-piece on my own (a long slog). I am so happy to find all the info in one place and so clearly explained. I’ll be sending this link to every client I work with who is using WordPress. That’s 100% of my clients. I get the sense they think I’m “over-blowing” the security issues on their site (as they happily have ‘admin’ as the user name and “flowerssmellnice” as their PW. UGH!) I installed the Wordfence plugin on one site and immediately got over 60 alerts of brute force attacks on their sign in page–all of the attacks were testing the user name “admin.” Luckily that site doesn’t use “admin.” In any case, excellent info! Thank you!

    • Thank you Chris for your feedback.

      WordPress CMS itself, in fact, is a quite strong and secure platform. What makes it vulnerable is mostly different plugins, themes (which in many cases are not secure), insecure hosting and user laziness or unawareness. All of this is hugely widespread and that’s why the topic of website security is so hot.

      By the way, Wordfence is one of the most powerful plugins, especially if you don’t just set-and-forget it, but do a due management regularly.

      Also, I’m about to finish writing (in a couple of days I hope) a well-thought post where I review several security plugins, their combinations and solution (both free and paid, and very effective). So stay tuned if you are interested!

      If any of your clients have any questions about WP security or protection implementation, I’ll be happy to help in the comments.

      Thank you again for your comment and I’ll be glad to read more from you and be as useful to you as I can.

    • Chris, just wanted to let you know that I’ve published a huge post about WordPress security plugins and solutions. Hope you’ll enjoy it.

  5. Murad Abuseta says:

    Hi mate, I have questions.

    In your video, at the top of the WordPress banner beside your name, I saw a little yellow circle called SEO. What is that and how can I add one like this?

    And thank you for this awesome tutorial, it helped me a lot.

    • Hi Murad,
      Thanks for your question.
      It’s the WordPress SEO Plugin by Yoast – one of the best SEO plugins in the world 🙂
      Yellow circle indicates that my on-page SEO for this post is OK (the best when it’s green though)
      Feel free to ask me anything else – I’ll be glad to help.

  6. Great stuff! I get lost and emotional if I get minor issues with my blog! I can’t imagine what I’d do if something major happened! This information is very useful. My hosting company has suspended my account due to some infected files uploaded by a hacker, or I don’t know; my site name is brightverge.com. Please share some tips to make my site security strong. I thank you for your time & effort, it’s clearly not one of these 5-minute posts! Quality! Love it, regards

    • Olivia, thanks for your comment.
      Here are some tips for you:

      1. Contact your host to rectify the situation. If your site was destroyed, then the easiest (and the cheapest) thing you can do is to restore a backup.
      2. After you get your site back online, harden it with the tips I explain in the above article – just do what you can. Also see my next article about security plugins and solutions.
      3. As a side note – think of changing your host. I see you are using iPage. It’s an EIG brand which is not respected in the professional hosting sphere because of its overpriced and low quality service. My belief is that you can get much better service for less money with another host. See my recommended list here.

      If you have any questions after you read the two articles about WordPress security, feel free to ask.

  7. I know I ask too much, sorry, but one more help>>>

    When I post a picture in a post and publish it, anyone who clicks the picture gets the source of the pic in WordPress in a new tab with a link to it -_- so.
    Here in your pictures in this post nothing happens when I click the picture?
    What do you do for that, and how do I hide my pictures’ and content’s source?
    And how do I do it like this post, where anybody clicks on the pic and nothing happens>>>

    Thank you a lot

    • Murad, no problem about asking! Do so as much as you want. I answer all questions. At least as long as I’m physically able to 🙂

      I think the following will help you.
      In this article (https://codex.wordpress.org/Inserting_Images_into_Posts_and_Pages) go to section “Step 5 – Attachment Display Settings” and look at the image on the right “Attachment display settings”.

      So everything you need to do is to set “None” instead of “Media File” in the dropdown list “Link to”.

      Check it out and let me know if it’s what you needed.

  8. Hi Michael,

    I followed your blog and video tutorial – it was awesome! However I’m not sure that it has worked? I was recently a victim of a HACK attempt; they were unsuccessful at getting into my WP site, but they did manage to eat all my bandwidth for the month. I have followed your suggestions, however I am getting “A 403 Forbidden error” “Apache/2.2.29”.
    Do you think this might be that I uploaded the .HTACCESS file incorrectly in my “WP-Contents” folder?

    • Hey Lena, sorry you got a hacking attempt.

      This article does not help against botnet attacks that eat your bandwidth 🙂
      But you have not got hacked, so congrats!

      You may want to contact your hosting provider and ask for their advice about bandwidth leaking.
      Anyway, if bots attacked your site, then a whole server got a load, so a good hosting provider is interested to do some actions to protect their environment. And they can also give you their professional advice.

      In general, using proxy (firewall) services such as CloudFlare helps to filter out botnet attacks.
      Also, you may want to consider installing security plugin(s) (have a look at this article if you have not read it yet) – right plugins are good security enhancement.

      If you are getting “A 403 Forbidden error” then it’s likely that your IP is not static but dynamic, and you have blocked yourself when you specified exact IPs in your .htaccess files.

      You may want to determine what range your IP can change within and adjust your .htaccess accordingly. For example, if your IP changes within a range like 123.33.44.xx (i.e. only the last block changes) then use “allow from 123.33.44.0/24”. If the range is like “123.33.xx.xx” (i.e. the two last blocks change), then use “allow from 123.33.0.0/16”.

      > Do you think this might be that I uploaded the .HTACCESS file incorrectly in my “WP-Contents” folder?

      I don’t think so. I guess it’s just your IP has changed. Verify it is so and then make adjustment to your .htaccess files – it should help.

  9. Kate Smith says:

    Hi Michael,

    Very helpful article and video.It helped me a lot.Thanks a lot.

    Talking about point no. 8.1. Disabling theme/plugin editing in wp-admin

    When I applied the following code in wp-config.php,

    #Disable Plugin / Theme Editor in WP-ADMIN area
    define('DISALLOW_FILE_EDIT', true);

    I was unable to access the theme editor; it was not visible in admin either. These lines of code disabled the theme editor for me, so I could not modify files like header.php, index.php, etc.

    So how can I see my theme editor and deny/disable the plugin and theme editor to other users?
    What is the solution for that? Should I add the code ”Allow from x.x.x.x” next to the code given?

    Looking for your help.Thanks.

    • Hi Kate,

      Thanks for your question.
      8.1 does exactly what you said – it disables theme/plugin editor and it’s very efficient hardening.

      Unfortunately I don’t know an easy way to make the editors accessible for you and closed for others. “Allow from x.x.x.x” will not help you in this case. But in fact I personally don’t worry about it, because there’s a simple solution – whenever you need to edit your theme or plugin, you may comment out the added line, so it will be like this:

      #Disable Plugin / Theme Editor in WP-ADMIN area
      #define('DISALLOW_FILE_EDIT', true);

      (note the # mark before “define…” – it’s what comments out a line)

      And when you finish editing, uncomment the line again to restore the security.

      Also, you may edit plugins/theme directly via SFTP client (like Filezilla) or simply through cPanel File editor.

      Please let me know if you have more questions.

  10. Hi, I’m back. Thank you again, everything is going well on my site, and every time I think of it I just thank you.

    I’m asking if it’s possible to do another tutorial on how to configure our SEO plugin very well; we will be very, very thankful for that.

  11. Using a child theme, do all the changes you recommend to the directory files above get wiped out when a mother theme is updated and do I have to reenter the security fixes with each update?

  12. Hey John, thanks for your question.

    Both mother and child themes are (should be) stored in the wp-content/themes folder by default, so all the security changes I recommend stay untouched if you change your themes.

    However, theoretically, when you update your theme new files or folders may have a weak 777 permission, because your theme provider did so. But good theme providers do not do such things.

  13. kim kardashian hollywood hack says:

    I’m truly enjoying the design and layout of your website.
    It’s a very easy on the eyes which makes it much more enjoyable for me to
    come here and visit more often. Did you hire out
    a designer to create your theme? Excellent work!

  14. Awesome tips! You are the man! Very well put together and laid out.

  15. what are some superior and in demand websites for blogs?

  16. Hi Mr, how are you? I’m back after almost 6 months of creating my website and protecting it with your advice here.
    My name is Murad Abuseta; you see my old comments with the old domain address.
    So my website faced an issue today:
    my visitors were getting a 403 error on the whole website. I called my host support, they removed all the code I’ve made and the website came back fine.

    • Hi Murad,
      I manage more than 100 websites and I apply these security techniques to all my websites. They all work fine.
      Your issue is the result either of not correct implementation of the tips, or there was something else that gave you 403 error.
      Your website may be sort of fine now, but at the same time it is less secure.
      If you want, I advise you implementing the tips once again and check after which step you got issues. You may share your result and I will try to assist you.

  17. Hi sir, as always you are never late in replying. I did the steps again and now I’m good and the website is good too. Thanks for what you give us, thank you a lot.

  18. Tom Simonis says:

    Hi Michael,
    I’ve run into your site searching for Sucuri vs iThemes and found your other incredible page. It linked to this one and it seems really, really useful! But before I’m going to implement it I got a question regarding the .htaccess code.
    Recently I’ve upgraded from Apache 2.2 to 2.4.17 in order to get some ‘speed’ back when using SSL for my site (enabling OCSP and Strict Transport Security, among other things). I’ve been told by my host the code within the .htaccess file is going to be a little bit different than it used to be.

    I assume your provided code is based on Apache 2.2, right? If so, could you please provide the code for Apache 2.4.17? I’m not that good with these kinds of things.

    Thanks!

    • Thanks for your feedback and great question, Tom!
      I have not checked it on Apache 2.4.17, but I’ve got a website on Apache 2.4.12 and this works fine there.
      I believe you will not have any problems with the code on 2.4.17 too.
      The code I use should be compatible with both Apache 2.2 and 2.4.
      Feel free to let me know if it does not work for you.

  19. This is a good trick. You must learn a lot of stuff before proceeding to protect your website from hacking; there are a lot of alternatives and methods hackers can perform. Generally most WP sites are really easy to hack; you can use VPN/VPS servers to get better overall security too.

  20. Hi, What do you think about using the Jetpack by WordPress.com plugin and activating the various security features including two factor authentication?

    On a side note, do you use Cloudflare in front of your sites?

    Regards, Jithin

    • Hi Jithin,

      Thanks for your questions.

      I don’t use Jetpack because if I need some plugins I just install them. Jetpack wants to be all-in-one and it makes the choice for you, whereas I prefer doing my own research and installing the plugins or using the services I want.

      Two factor authentication is always a good thing for security.

      As regards security stuff offered in Jetpack in general, I don’t find them exceptional or the best in the field. I believe that security is to be trusted to those teams or companies that do full time work in this field. I’ve made a detailed overview of the best security plugins/services in this post.

      I don’t use Cloudflare, because I get what I need with other solutions.
      I use a dedicated security solution Sucuri WAF as my website firewall and Bulletproof security plugin.
      CDN is not needed for my site because most of my visitors are from US, and anyway my hosting is fast to deliver the content to them without any CDN. I also use W3TotalCache plugin as a caching solution which works fine for me.
      Thus, I get a better package (in my case) than CloudFlare and for the less price.

  21. How can we protect an online web directory WordPress website from hackers, as the website itself provides a user name and password for making listings?

  22. What antivirus options would you recommend? There is so much out there. I have been running AVG for several years, but don’t like them as much as I used to

    • Hi Deborah, you may use actually any well-known one that you like the most.
      Free antivirus is really enough.
      Avira, Comodo, AVG, Avast, Panda, Bit Defender – choose any of them by your liking.
      If you don’t like AVG, that’s okay, try another one.
      If you need a certain advice – try Avira. It shows good testing results.
      However, on my Windows PC I use Avast, because it was simply at hand when I installed my Windows. And then I was just lazy to re-install anything else. It works okay for me.
      In fact, the difference between the well-known antivirus programs is not that important from a security point of view – just use what you like the most.

  23. What a post, thanks a lot for sharing your knowledge. No doubt it is one of the best posts I’ve read about WordPress and hacking activities and how to act in the face of a hacker.
    Have you any comments about WordPress Plesk Integration? It looks like a good option for security.

  24. I work mainly with WordPress and you are exactly correct about the many unsecure plug-ins!

    I have tried a few .htaccess methods of denying executability of PHP files in “data folders” and such, but I have even found a few plug-ins that violate one of my most basic sets of rules concerning files and their placement in certain folders! One such case: Having a PHP-file within a “JS”-folder that needed to be accessed through a URL= HTML attribute, all within what was supposed to be a “NO-PHP Zone”.

    My security research and suggestions will be forth-coming on my own blog for web-developers (namely, my own business thereof). I have been experimenting with other “.htaccess” methods with some of the WordPress folders and will be sharing my insights and results when I get that particular website back up as well.

    Again,

    Great article.

    – Jim

    • Hey Jim,
      Thanks for your comment!
      If you are a fan of .htaccess protection, then have a look at the BPS or BPS Pro plugins reviewed in my other article. In my opinion they are the best in respect of protecting a website via .htaccess, plus many other useful tools are included.

  25. hi, Michael
    I also appreciate your blog; this type of security is most important for a WordPress website.

  26. Now using the Backup & Restore Dropbox plugin for WordPress… after trying two other backup plugins with (Dropbox) more than perfect results, I think I finally found a keeper! It’s high speed, safe, reliable, so therefore gets the job done. I recommend it for anyone to use.

  27. Hi All,
    Someone has hacked my website. How is it possible? I already use the Wordfence Security plugin and now I am very worried about this. Please suggest to me what to do and how?
    And I am also using this step-by-step guide http://researchasahobby.com/protect-your-website-from-hacking/
    And I also followed the steps here:
    https://codex.wordpress.org/Hardening_WordPress

    My site is http://www.jehanabadonline.com – please, anyone, help me to protect my site.

    • Hi Maaz,
      Sorry to hear that. Sometimes it happens however strong your security is.
      The best and the easiest thing that you can do right now is to contact the website security company Sucuri. They will clean up your site and will protect it from now on. Also, in case of future hacks they will clean up your site an unlimited number of times. It’s the best website protection and clean-up service I know for such cases.
      There are also some recommendations from Sucuri about what to do in case of hacks.

  28. Hi Michael,

    I just want to thank you for having this great hobby! I mean, you do such a good job with your posts, it’s amazing. I have learned so many things that have never crossed my mind before. I’ve just launched my website and I have to admit I owe you big time. I’ve become quite the regular visitor here and I want to say, keep up the good work.

    Cheers

    • Hi Ledaki,
      Thanks a lot for your feedback. Happy to see you as a subscriber!
      By the way, you’ve got a cool-looking website!

      • Hey Michael,
        Thank you so much for your kind words. It really means so much, coming from you! Especially, since this is my first ever website and it’s only a month old. It’s still a work in progress and I’m learning so much from you.
        Next stop, your “Backup up your wordpress to google drive” tutorial.

  29. Oh, give you 100 like. You are a real researcher.

  30. Hello Michael. my name is Sharon…a newbie . Thank you for your post /video too
    I want to know about removing indexing of my site’s content on search engines… also pasting these codes to my .htaccess file….will it conflict?.

    • Hi Sharon,

      Thanks for your question.

      If I understood your question correctly, protecting your website (including changing .htaccess file) will not conflict with removing indexing of your site.

      But are you sure you want to remove indexing of your site? People will not be able to find your site in search engines like Google then.
