No one wants to wake up one morning and see that their website has been hacked. You don’t want that, do you? Lost data, lost money, headaches and lots of time spent on recovering your website: that’s not even the full list of the ‘pleasures’ that can hit you at literally any second, even while you are reading these lines (at least 1,250 sites are hacked every hour).
I’ve written this post to help you understand the security threats and protect your website easily but very efficiently. You don’t need a technical background to secure your online assets with the tips and detailed step-by-step recommendations below.
The material ranges from very basic (but efficient) to more advanced (still manageable if you can install and set up plugins and work in your hosting control panel).
In addition to step-by-step instructions and video tutorials, I give some easy-to-understand explanations of the security subject, so that you don’t just follow the instructions blindly but learn something new and become smarter online.
I haven’t put this article together in an eclectic ‘do-maybe-this-do-maybe-that’ manner; it is arranged so that you don’t get lost in security issues and can see the overall picture, prioritized by the balance between effectiveness and simplicity of implementation.
This post focuses mostly on protecting a WordPress site hosted on shared hosting, but you can apply much of the advice and many of the principles to any website platform.
Besides, I’ve written this article with the following idea in mind: to make it the one comprehensive but not excessive guide that any beginner WordPress user needs in order to be safe from hackers.
What You’ll Know From This Article
- Why hackers and hacking bots want to hack your website
- How someone hacked my website
- How your website can be hacked
- Live demonstration of how almost anyone can hack your website if you don’t protect it the right way
- How you can protect your website quite easily and for free (step-by-step instructions a total newbie can follow)
- How you can protect your website hassle-free (if you are serious about security)
- General and very reasonable advice on your website security (perhaps the most important part of this article)
For easy navigation in this post use these links:
- What You’ll Know From This Article
- Bad News And Good News
- Why Hackers And Bots Want To Hack Your Website
- How My Website Was Hacked
- How Your Website Can Be Hacked
- Live Demo How Your Website Can Be Hacked As Easily As 1, 2, 3
- How You Can Protect Your WP Website With Your Own Hands – Step-by-Step Instruction
- 1. The first line of your WordPress site security defense is Password
- 2. Backups. I should have put it first in this list
- 3. Keep WordPress core, themes and plugins updated
- 4. Use a safe reliable hosting
- 5. Restrict login attempts
- – Words of warning about .htaccess for newbies before continuing
- – What if you can’t find .htaccess file?
- 6. Make sure the files access permissions are safe
- 7. Don’t let PHP files execute in some folders
- 8. Protect your wp-admin directory and wp-login.php file
- 9. Don’t use the default user name admin
- 10. Secure the wp-config.php file
- 11. Protect access to .htaccess
- 12. Use secure file transfer protocol
- 13. Two-factor authentication
- 14. Don’t use the default database table prefix wp_ when installing WordPress
- 15. Tip number last but not least: Protect your computer with antivirus software
- – Video tutorial on editing .htaccess and wp-config.php files to protect your WordPress site
- How You Can Enhance Your WordPress Security
- Instead Of Resume (Perhaps The Most Important Part Of This Article)
Bad News And Good News
Before we start, here’s one thing you should know. Any website can be hacked, even the most protected ones. The point is how much effort and skill hackers are willing to put into it. Hacking and security protection is an ever-evolving game that hackers lead (finding vulnerabilities) while security just catches up (deploying patches).
And when hackers find a new security loophole, they start hunting for vulnerable websites.
That was the bad news.
Now here’s the good news. If you are not a very big fish, there is little chance that you will be attacked personally by human hackers (they are the most sophisticated source of trouble). It’s more likely that only hacking bots (automated scripts) will try to break your website’s security.
And here’s another piece of good news. Hackers and their scripts are very unlikely to succeed if you follow a few quite simple steps to protect your website, and I’ll explain in this post how to take these steps. (But if you ARE a big fish, then you may want to do what the Pentagon does and hire hackers to protect you from other hackers 😉 )
Why Hackers And Bots Want To Hack Your Website
It’s simple. Just because they are bad@sses 🙂
Anyway, that may be true, but here’s a more detailed list:
- Just for fun, to boost their self-esteem or for learning purposes
- To damage your business because of competition or hate
- To put some backlinks on your website for SEO purposes
- To put affiliate links silently so you don’t notice them
- To put malware on your website to hack your readers’ computers
- To remove your site content and demand money for putting it back
- To steal sensitive data (passwords, credit card credentials or your naked selfies) stored on your website (especially e-commerce)
Anyway, hackers can be good guys, can’t they? 😉
How My Website Was Hacked
I’ve got a website for testing purposes. It’s hosted on a cheap $1/mo hosting which is enough for it.
One day I woke up and wanted to open my site. This is what I saw instead of the main page:
Obviously it was hacked by some script, not a human (a human just wouldn’t spend time on my one-page test site full of garbage). As it turned out, it was not the site itself that was hacked but the hosting account. They got server-side access and deleted all my original files, databases and email accounts. Perhaps the owner of the hacking script wanted me to pay them in return for my data, but I had a better idea.
Although the host did not keep backups for me, I had made a full cPanel backup some time before the incident and downloaded it to my home computer. So it took little time to restore everything.
The hosting support denied that the hack had happened on their end and at first tried to say it was my fault because I was not using the most recent version of Drupal. So it was clear that they were not interested in the details of the incident in order to make their hosting more secure.
By the way, after I gave them my short, clear thoughts that it was not just my website but my whole hosting account, together with my email accounts, that had been hacked, they forced all their clients to change their control panel passwords ASAP. That was a good move, but not enough to make things secure for their clients.
Anyway, it was vivid proof that you had better use reliable hosting maintained by professionals if your website is really important to you. And of course, do keep backups (more security tips follow later in this article).
How Your Website Can Be Hacked
As I already mentioned, hacking is a constantly evolving game. New methods and vulnerabilities are discovered and used by hackers year after year. If you are interested in the technical details, see the new hacking techniques discovered each year from 2006 to 2013 here (warning: it’s a bit technical).
Website hacking – what does it mean?
In this section, I think it will be enough to list several major technical ways your website (or the server-side infrastructure) can be hacked, so that you can grasp the overall picture (the ways to protect against these and other hacks are given in one of the next sections below):
- Guessing your admin name and password: hacking scripts make tons of requests and eventually guess your login credentials (these are called brute-force and dictionary attacks)
- Sending a malicious command to your database that returns your sensitive data (SQL injection attack)
- Changing the code of your website so that it does whatever the hackers want, including damaging your visitors’ computers (code injection)
- Changing your website’s scripts to control your or your users’ browser, e.g. imitating input forms to steal sensitive information like credit card details or the admin user name and password (cross-site scripting or user interface redress attack)
- Stealing your authentication and session information in order to use your login and password
- Redirecting your visitors at the DNS level to the hacker’s website (DNS spoofing)
- Stealing your cookies (I mean the ones stored in your browser during your session)
Generally, the hacks can be done on these levels:
- client level (your operating system and browser)
- website level (software, e.g. WordPress and plugins)
- server level (e.g. hosting)
- network level (connection breaches, e.g. insecure Wi-Fi).
The scariest thing (at least for me) is that you may not even notice that you have been hacked, while malicious code sits on your website silently doing harm to your business and even to your visitors.
What WordPress security issues you should be aware of
Here are the general vulnerable spots directly connected with your WordPress website:
- Hosting vulnerabilities
- WordPress core (that’s why new WP security updates are issued regularly as new vulnerabilities come to light)
- Insecurities in WordPress themes
- Security holes in plugins
- Insecure passwords
- Insecure file access permissions
Hackers have a lot of potential because of people’s predictability, laziness or lack of awareness. For example, fewer than 17% of WP sites use the most recent WP version (4.0 and above) at the time of writing. It means that the majority of WP sites (which run outdated versions) can be hacked much more easily. So it’s people who are too lazy to keep their WordPress version up to date.
Although WordPress core is pretty secure (provided you update it regularly), WordPress add-ons such as themes and plugins are not as reliable. If you still think that vulnerabilities in the WordPress add-ons everyone can’t live without are rare, watch this video with a lead WordPress core developer admitting that the stuff is disappointingly insecure (the video is technical, but you may just watch an easy two-minute part, from 1:00 to 3:00):
In short, the speaker says WP plugins are generally not secure at all, and it’s no exaggeration.
You may ask why all these weaknesses in plugins, themes etc. exist. Well, the short answer is developers’ laziness and lack of security expertise. Seriously, why should many developers bother if users themselves don’t care much about vulnerabilities in plugins and themes? Anyway, serious providers update their products regularly, fixing new security weaknesses.
If you are concerned about security (and you should be), I’ll tell you in a section below how to make sure you don’t become a hacker’s victim.
Live Demo How Your Website Can Be Hacked As Easily As 1, 2, 3
In the video below I show you how even a beginner hacker (I play this role in the video myself) can get your WordPress administrator user name and password without much ado.
Of course, in general, hacking is not as easy as 1, 2, 3. But the laziness and lack of awareness of WordPress users (as well as plugin and theme developers) leave a lot of loopholes for hackers. I exploit one such loophole in this video:
So, in short, the video demonstrates how a hacker can crack your password if it is not strong enough. Even if you think that your password is okay, it may be absolutely not okay and an easy task for the cracking tools hackers use.
Anyway, the password is just one of the many aspects of the game.
Well, I think we have warmed up enough and now we can roll up our sleeves to dive into the core of this post.
Let me ask you – are you ready now to get brutally practical advice on how to protect your cool precious WordPress site from hackers? I don’t hear you! Say it loud again! Good! Let’s roll then!!
How You Can Protect Your WP Website With Your Own Hands – Step-by-Step Instruction
Below I will show you how you can protect your WordPress website from hacking without spending a cent. It’s not difficult, as you’ll see, but still very effective, simply because most hackers (and their scripts) target the most unprotected sites first. If you do the steps below, you will already put yourself above the majority of vulnerable sites.
The list below is in the prioritized order I would generally suggest for a person who is not very technical.
I will give you both recommendations and exact step-by-step instructions (tutorials) on how to harden your website.
Protection against hacking is all about risk. If you don’t follow any of the recommendations in this section, you put your website at great risk of being hacked. With each additional step I describe here, you reduce the risk of being hacked and/or the headache and losses connected with recovery after an attack.
1. The first line of your WordPress site security defense is Password
Before I give you exact recommendations on what password is secure enough, here is why I put the importance of a strong password before everything else: setting a secure password is the easiest, cheapest and quite an efficient protection against hackers. But many people ignore it or are simply unaware of the threat.
1.1. Use unique passwords
Here’s something interesting about passwords that people use.
You might think that every person is unique and that their thoughts and actions are unique. Well, that’s true, but only to some extent, because people have common patterns of behavior, which are exploited not only by marketers but also by hackers. Do you want proof that people are as predictable as animals in a herd? Here we go.
Mark Burnett, a security consultant and researcher who specializes in MS Windows-based servers and networks, has been gathering passwords since 1999, and by 2011 he had collected more than 6 million passwords. He shares his observations and thoughts on password security in his book “Perfect Passwords”.
Also, here are some of the most interesting and shocking facts Mark shares with us after analyzing 2.5 million passwords from publicly available sources (as of March 2015):
- 0.5% of users use the password password;
- 0.4% use the passwords password or 123456;
- 0.9% use the passwords password, 123456 or 12345678;
- 1.6% use a password from the 10 most popular passwords;
- 1.4% use a password from the 100 most popular passwords;
- 9.7% use a password from the 500 most popular passwords;
- 13.2% use a password from the 1,000 most popular passwords;
- 30% use a password from the 10,000 most popular passwords.
The most popular 10,000 passwords are used by almost a third of all users!
So, are people really as unique as they think? Well, well. Only 1 person out of 555 can be considered unique when it comes to passwords!
Different versions of lists of the most common passwords, like the top 10,000, can easily be found on the web, so everyone, including hackers, can get to know these most popular passwords that so many people use.
Summary: Don’t assume that your password is unique (and therefore secure). In many cases it is not.
1.2. Use strong passwords
Here are some simple general rules that will let you have a strong password:
- Consider having a password at least 12 characters long (if you’ve heard that 8 characters is enough, just know that an 8-character password is 14,820,480 times less secure than a 12-character one)
- Don’t use existing words or names in your passwords (sophisticated hacking scripts can combine dictionary words easily, e.g. the password ‘iloveyouverymuch’ is still very easy to crack)
- Don’t assume that the tricks you use to encode your passwords are hard to decode (if you replace ‘a’ with ‘@’, ‘i’ with ‘!’, ‘e’ with ‘3’ etc., as in ‘sh!th@pp3nz’, hackers know how people usually substitute letters, and these tricks will not help you much)
- Don’t use the same password anywhere else (once your password is compromised, it may end up in the databases of leaked passwords that hackers use, and thus all your other accounts become insecure). Don’t underestimate this, because leaks of sensitive data are becoming more and more widespread (2 million accounts at Google, Yahoo, Twitter, Facebook and LinkedIn have been compromised; 5 million Gmail passwords became public; 7 million Dropbox passwords leaked; and it will not stop)
- Change your passwords regularly, or as soon as possible after you suspect a data leak (it decreases the chances that your passwords will be decrypted or used if they were compromised)
- Use passwords that are impossible to remember and cannot be typed easily (e.g. the password ‘q1o0w2i9e3u8r4y7’ is very bad because it follows an easy-to-remember typing pattern)
- Use passwords that are a random combination of letters, symbols, numbers, lower and upper case (here is a table that gives a rough estimate of how quickly your password can be cracked using a super easy and dumb brute-force attack, e.g. a password containing just 8 digits can be cracked within 10 seconds)
Here are some examples.
The password T;)R@tJ;4Wf5 is more secure than 123!@#qweASD because the latter can be typed easily (the keys are located next to each other). Advanced cracking algorithms can identify typing patterns, and such passwords are comparatively easy to crack.
Here’s a recommendation I’ve got from one of the hosting providers:
Hi, a lot of hosts have reported VPSs getting hacked lately. Please use a strong login password for anything you use, not just your VPS etc. Use a password like this:
Yes, using passwords like that makes sense.
(By the way, all these password examples became less secure as soon as I published them online, because they are now exposed and can be scraped by hackers’ web crawlers. So don’t use them 😉 )
Summary: Use passwords that are impossible to remember, hard to type, contain a random mixture of letters, numbers and symbols, and are at least 12 characters long.
1.3. How to remember all these long, unique and strong passwords
The short answer: you can’t. If you can remember a password, then it’s not good enough.
Luckily, there are software products that let you manage passwords securely. Here are a couple of reputable examples: LastPass, KeePass, 1Password.
Or, if you are very conservative, you may want to store your impossible-to-remember passwords in a file or folder that is zipped and protected with a strong password.
2. Backups. I should have put it first in this list
When it comes to safety, I believe nothing comes even close to having up-to-date backups of your online assets. Backups are the ultimate way to restore everything in case of a disaster caused by hackers or just by life itself. Few things improve your sleep more than having a recent backup.
This topic deserves a separate post. But for now, I can tell you that if you have a website and don’t use any backup service provided by your hosting provider or a third-party company, stop reading and go download a full backup of your website.
By the way, reliable hosting companies use internal backup systems even if they don’t offer daily downloadable backups to their clients.
Also, if you are going to make any serious changes to your website, e.g. update a plugin or install a new theme, it makes sense to have the most recent backup at hand, because according to Murphy’s law, anything that can go wrong will go wrong.
3. Keep WordPress core, themes and plugins updated
As I’ve already mentioned in the section “What WordPress security issues you should be aware of”, hackers look for and exploit security vulnerabilities in WP core, themes and plugins.
The predator-prey game is simple:
- Predators (hackers) find the security holes in the software that you (prey) are using
- Software developers need to patch the holes ASAP
- You need to update your software ASAP
- If you don’t update it, then hackers (or their bots) may find you and hack you
4. Use a safe reliable hosting
It’s debatable that I’ve put hosting in 4th place in my list (hosting is a more important security factor in many ways). But anyway, let’s just go on.
Although nothing is 100% safe from hackers, some hosting services are safer than others.
If you use amateur cheap hosting, there is a greater risk that the server itself gets hacked, not just your WordPress site. Also, many shared hosts don’t protect you from a hacker who has compromised someone else’s website on the same server and uses that foothold to hack your website more easily.
So your hosting should be run by true professionals who do their work properly, if you don’t want to get a disappointing message like this soon:
I got this email from a cheap $1/mo hosting company where I have an account for unimportant stuff, so I was not much troubled by this warning. But if your website is important to you, you had better use reliable hosting that successfully does everything to prevent this.
5. Restrict login attempts
One of the most popular ways to hack sites is the brute-force attack (i.e. trying millions of passwords until the right one is found).
A simple and effective way to fight back is to use a WordPress plugin like Limit Login Attempts.
The plugin simply blocks an IP address for a specified time after a certain number of failed logins in a row. And the plugin is free.
– Words of warning about .htaccess for newbies before continuing
You know that it’s advisable to make a full cPanel account backup (or a database/files backup), or to use a reliable backup service, before you make any significant changes like installing or updating WordPress, themes or plugins.
Below there are tips on how to change the .htaccess file. It’s a critical file for your WordPress configuration, so make sure you have a copy of it (as well as of any other files you’ll be changing) in case you mess up the editing, so that you can restore it in seconds if something goes wrong.
If you are not sure what is going on in some of the following tips regarding .htaccess, you may just skip them and read on; there are more tips and alternatives further below (for example, paid services and advanced plugins).
But if you want to become a bit more tech-savvy with WordPress, I encourage you to continue with the .htaccess tips. It’s not as difficult as it may seem at first.
Anyway, please feel free to ask any questions in the comments.
– What if you can’t find .htaccess file?
In most cases your web hosting uses the Apache server (which uses .htaccess configuration files). It is much less likely that your hosting is based on Nginx or some other less widely used technology; in that case there is no .htaccess file.
If the above sentences have confused you, don’t worry; I’ve put them in just for consistency and educational purposes 🙂 Feel free to continue reading, because there is a very high probability that your web hosting is configured with .htaccess files.
Also, some hosting providers don’t allow editing .htaccess files. In this case you may contact your hosting support with your concerns so that they can implement what you want.
Alright, here’s the most frequent case: you are allowed to work with .htaccess files. If you can’t find the .htaccess file in your WordPress installation directory (e.g. public_html), then you need to create it.
Note that the .htaccess file is hidden (the dot at the beginning of the file name indicates that), so you need to make sure hidden files are displayed when you browse your directories.
So, here’s the plan if you use the standard cPanel File Manager:
- Make sure you can see hidden files; otherwise turn on the Show Hidden Files option
- Make sure you don’t already have a .htaccess file
- Create a new file named .htaccess (or rename a template like htaccess.txt if one is provided with your WordPress installation)
- Make sure the permissions for .htaccess are 644
6. Make sure the files access permissions are safe
The default safe permissions (which can be set with the unix chmod command or via your hosting control panel) in the general case are as follows:
- 755 for directories
- 644 for files
You may find that some of your files or directories have permission 777. Probably it’s due to a bad default setting during WordPress installation, or it’s required by some plugin you use. Permission 777 is not safe and strongly discouraged. I’d suggest changing permissions to the recommended minimum of 755/644 and checking that your WordPress still works (and make sure you have a website backup before that).
Also, you may ask your hosting support for advice (it’s not their direct responsibility to educate you, but why not try? 😉 ).
If you’re a wannabe geek or want to dive deeper into permission tuning, consider these recommendations for a shared hosting environment:
755 - Folders
600 - PHP Scripts
400 - Configuration Files (wp-config.php, etc)
600 - Script files requiring WRITE access
644 - Non-Script Files, HTML, Images, etc
755 - CGI/Perl Scripts
And you may want to read this thread on the cPanel discussion forum.
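If your host gives you SSH, the 755/644 baseline above (plus 400 for wp-config.php, as recommended later in this post) can be audited and applied in one go. Here is an added example, not from the original post: the function names are my own, and it assumes GNU find and stat, which is what a Linux shared host normally provides.

```shell
#!/bin/sh
# Added example, not from the original post: audit a WordPress tree for unsafe
# permissions and apply the baseline the post recommends (755 directories,
# 644 files, 400 wp-config.php). Assumes GNU find/stat (typical Linux host).

# List every world-writable path (mode like 777 or 666) under $1, one
# "mode path" line each. Symlinks are skipped: their own mode is always 777.
wp_find_world_writable() {
    find "$1" ! -type l -perm -o=w -exec stat -c '%a %n' {} +
}

# Print every path under $1 that deviates from the baseline, same format.
# Prints nothing when the tree is clean.
wp_list_offenders() {
    dir="$1"
    find "$dir" -type d ! -perm 755 -exec stat -c '%a %n' {} +
    find "$dir" -type f ! -name wp-config.php ! -perm 644 -exec stat -c '%a %n' {} +
    # wp-config.php holds the database credentials: owner read-only, nothing else.
    find "$dir" -maxdepth 1 -type f -name wp-config.php ! -perm 400 -exec stat -c '%a %n' {} +
}

# Return 0 when the tree matches the baseline, 1 (printing the offenders) otherwise.
wp_check_perms() {
    offenders=$(wp_list_offenders "$1")
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Apply the baseline. Take a backup first (section 2) and re-test the site
# afterwards: a plugin that silently relied on 777 will show up as broken,
# which is exactly the check the post asks you to make.
wp_harden_perms() {
    dir="$1"
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
    if [ -f "$dir/wp-config.php" ]; then
        chmod 400 "$dir/wp-config.php"
    fi
}

# Typical use on the host (public_html is the usual cPanel document root):
#   wp_check_perms ~/public_html || wp_harden_perms ~/public_html
```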
7. Don’t let PHP files execute in some folders
A lot of hacking dangers come from the possibility of executing malicious PHP files (in fact, PHP execution is how WordPress itself works). Malicious PHP files can be uploaded to writable folders on the server (e.g. the uploads folder).
To protect against this threat you need to edit the .htaccess file on your server.
This tip is very effective, but it requires a more careful approach than copy-paste; otherwise it may break your theme or some plugins. That’s why you need to try it carefully and check that it does not break anything on your website.
Alright, here’s what the general code to insert into the .htaccess file looks like:
# Forbidding PHP files execution
<FilesMatch "\.(php|php\.)$">
Order Allow,Deny
Deny from all
</FilesMatch>
This piece of code simply forbids web access to any file whose name ends in .php, so such a file can no longer be executed by requesting it in a browser.
Put a .htaccess file with this code into each directory that you want to protect from PHP file execution (create the .htaccess files in those directories if necessary).
If you don’t know which directories to protect this way, just do it for the /wp-content/uploads and wp-includes directories.
By the way, if you want to explore many other .htaccess tricks, this link can be useful to you.
8. Protect your wp-admin directory and wp-login.php file
WordPress administrative tools live in the administration area, which is the wp-admin directory. It makes sense to give it an additional level of protection.
Also, restricting access to wp-login.php adds protection against brute-force attacks (bots that want to log in to your administration area).
8.1. Disabling theme/plugin editing in wp-admin
A great way to secure WordPress is to disable editing in the wp-admin area.
Add this to the wp-config.php file:
# Disable Plugin / Theme Editor in WP-ADMIN area
define('DISALLOW_FILE_EDIT', true);
It disables the plugin and theme editors in the WordPress administration panel. If a hacker (or their bot) gets into your administration area, they will not be able to modify the code of themes and plugins there.
Do note, however, that you and anyone else will also not be able to edit the code from your WordPress administration area. But you surely still can do it from the cPanel File Manager or via SFTP.
8.2. Limit access to wp-admin by IP
This option lets you restrict access to the administration area by IP. In other words, only you (and some other people if you want), identified by IP, can access wp-admin. To use this option you need to know your IP address (or your IP range if your IP is dynamic).
Code to add to the .htaccess file (which should be in the wp-admin directory):
# Block access to wp-admin
order deny,allow
deny from all
allow from x.x.x.x
Replace x.x.x.x with your IP.
For example, if your IP is 18.104.22.168, then you’ll need to use this code:
# Block access to wp-admin
order deny,allow
deny from all
allow from 18.104.22.168
By the way, if your IP is not static (which means that you get a new IP each time you start a new Internet session), then you can do the following: determine the IP range you are assigned to and adjust the “allow from” directive; see below how:
- If your IP changes within limits, say, 12.123.44.x (where x is any number), then you need to use “allow from 12.123.44.0/24”.
- If your IP changes within limits, say, 12.123.x.x (where each x is any number), then you need to use “allow from 12.123.0.0/16”.
For example, the whole code would be:
# Block access to wp-admin
order deny,allow
deny from all
allow from 12.123.0.0/16
It forbids access to any users whose IPs do not belong to your IP pool; only users with IPs starting with 12.123. will be allowed access.
Also, here’s a caveat in this admin area restriction approach. If your theme or plugins use AJAX, then you’ll likely need to add additional directives to the .htaccess file to avoid breaking AJAX functionality:
# Allow access to wp-admin/admin-ajax.php
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
8.3. Limit access to wp-login.php by IP
It’s the same approach as above: restricting access by IP. It will not let anyone else reach your login page (wp-login.php), which is quite efficient against brute-force attacks.
Here’s the code to add to the .htaccess file in the same directory as your wp-login.php file (by default that is the WordPress installation directory, e.g. public_html):
# Block access to wp-login.php
<Files wp-login.php>
order deny,allow
deny from all
allow from x.x.x.x
</Files>
Don’t forget to replace x.x.x.x with your IP or IP mask (of the form x.x.0.0/16; see above for details).
For example, if your static IP is 220.127.116.11, then you’ll need to use this code:
# Block access to wp-login.php
<Files wp-login.php>
order deny,allow
deny from all
allow from 220.127.116.11
</Files>
9. Don’t use the default user name admin
If you use the default administrator user name ‘admin’, you make it easier for brute-force scripts to crack your login credentials, because the vast majority of brute-force attacks target the admin user name.
Below is a log of brute-force attacks on one of my test sites.
I don’t use the admin user name, so these hacking attempts were doomed to fail 🙂
But what if you already use admin?
It’s very simple to change. There are several ways, such as changing the user name in the database using phpMyAdmin, or via a plugin.
But I prefer a much more elegant and simple way that doesn’t involve getting your hands dirty in the database or installing one more plugin. Here’s how you can do it:
- Create a new administrator user
- Log out of your admin session
- Log in as the new administrator
- Delete the admin user and attribute all of admin’s content to the new administrator user
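The log of failed logins above (and the Limit Login Attempts tip in section 5) comes down to one observable fact: the same client posting to wp-login.php over and over. Here is an added example, not from the original post, of pulling those clients out of an ordinary access log with awk and turning the result into the kind of .htaccess block this post already uses; the log lines are constructed, and the function names and threshold are my own.

```shell
#!/bin/sh
# Added example, not from the original post: find brute-force sources in a web
# server access log. Assumes Apache/Nginx "combined" log format and POSIX awk.
# A POST to wp-login.php answered with 200 means WordPress redisplayed the form,
# i.e. the login failed; a successful login is answered with a 302 redirect.

# Constructed sample log (documentation-range IPs), not a real capture:
# one client hammers the login form, one logs in normally, one tries once.
SAMPLE_LOG='192.0.2.10 - - [10/Mar/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3765 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3765 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3765 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3765 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2015:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3765 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2015:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2015:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:10:02:00 +0000] "POST /wp-login.php?redirect_to=/ HTTP/1.1" 200 3765 "-" "curl/7.40"'

# Usage: wp_login_bruteforce_report THRESHOLD < access.log
# Prints "count ip" for each client with at least THRESHOLD failed login POSTs,
# busiest first. Fields: $1 client IP, $6 quoted method, $7 path, $9 status.
wp_login_bruteforce_report() {
    awk -v threshold="${1:-5}" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold) print fails[ip], ip
        }' | sort -rn
}

# Turn a report into the mod_access style block the post already uses in its
# .htaccess snippets: allow everyone, then deny the listed clients. Reads the
# "count ip" lines on stdin. Review the list before pasting it in; a shared
# office or mobile carrier address may be on it.
wp_deny_block() {
    awk 'BEGIN {
            print "# Blocked after repeated failed logins"
            print "order allow,deny"
            print "allow from all"
         }
         { print "deny from " $2 }'
}

# Typical use on the host (log path is an assumption; cPanel hosts differ):
#   wp_login_bruteforce_report 20 < ~/access-logs/example.com | wp_deny_block
```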
10. Secure the wp-config.php file
The WordPress configuration file (wp-config.php) contains very sensitive information. That’s why it should be protected carefully.
Apart from setting permission 400 or 440 as recommended earlier in this post (read-only for the file owner), it’s advisable to protect the wp-config.php file by restricting access to it, adding this code to the top of the .htaccess file:
# securing wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
This code is valid if .htaccess and wp-config.php are in the same directory.
11. Protect access to .htaccess
Add these lines to your .htaccess file to protect it from external access:
```apache
# securing .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files>
```
12. Use secure file transfer protocol
If you want to use FTP (file transfer protocol) to upload files to your web hosting, use SFTP (secure FTP) through a reputable program like FileZilla. It encrypts everything you send over the network, which prevents a third party (i.e. a hacker) from capturing your sensitive data (e.g. the passwords you enter).
13. Two-factor authentication
This security enhancement will allow you to fight off brute-force attacks (which try to guess your password) by adding one more layer between a hacker and your WordPress login page.
Here are some examples of such additional layers:
- Authorization code (sort of a secret word or PIN)
- A code sent by SMS
- A code sent by phone call
- A push action on your mobile phone
Although it may seem a simple approach, two-factor authentication is one of the most effective protections from brute-force attacks.
One of the simplest plugins that provide two-factor authentication (a specified authorization code that you need to remember) for your WordPress site is the Stealth Login Page plugin (free):
There are other plugins with more convenient and advanced features. I haven’t researched them in depth right now, so I’ll just name two of them as examples:
- Clef Two-Factor Authentication plugin (free) – you don’t need to remember the authorization codes, just use your smartphone
- Duo Two-Factor Authentication plugin (has a free version) – you get your authorization code by SMS, phone call or push notification
14. Don’t use the default database table prefix wp_ when installing WordPress
Some hacking scripts (SQL injection in particular) assume that your tables have the prefix wp_. You’ll make your website safer and hackers’ lives more difficult if you specify a different table prefix when installing WordPress:
But what if you already use a database with the default wp_ prefix?
In my opinion, the most reliable way to fix it is to manually rename the database tables, edit the prefixed rows in the Options and UserMeta tables, and update the prefix in the wp-config.php file. But it’s not easy for a beginner.
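The manual procedure just described, worked through as an added example that is not from the original post. The new prefix s7k_ is a constructed value, and the statements assume MySQL/MariaDB and a stock WordPress table set (take a full database backup before running anything):

```sql
-- Added example (not from the original post): moving an existing site from the
-- default wp_ prefix to the constructed prefix s7k_.
-- RENAME TABLE is all-or-nothing: if one table is missing (e.g. wp_termmeta on
-- a very old install) or a plugin added extra wp_ tables, adjust the list first.
RENAME TABLE
  wp_commentmeta        TO s7k_commentmeta,
  wp_comments           TO s7k_comments,
  wp_links              TO s7k_links,
  wp_options            TO s7k_options,
  wp_postmeta           TO s7k_postmeta,
  wp_posts              TO s7k_posts,
  wp_terms              TO s7k_terms,
  wp_term_relationships TO s7k_term_relationships,
  wp_term_taxonomy      TO s7k_term_taxonomy,
  wp_termmeta           TO s7k_termmeta,
  wp_usermeta           TO s7k_usermeta,
  wp_users              TO s7k_users;

-- Some rows embed the prefix in their key. Rename only the known prefixed keys:
-- a blanket "LIKE 'wp_%'" rewrite would also hit core options such as
-- wp_page_for_privacy_policy, whose "wp_" is literal and must stay.
-- SUBSTRING(..., 4) drops the three characters of 'wp_'.
UPDATE s7k_options
   SET option_name = CONCAT('s7k_', SUBSTRING(option_name, 4))
 WHERE option_name = 'wp_user_roles';

UPDATE s7k_usermeta
   SET meta_key = CONCAT('s7k_', SUBSTRING(meta_key, 4))
 WHERE meta_key IN ('wp_capabilities',
                    'wp_user_level',
                    'wp_user-settings',
                    'wp_user-settings-time',
                    'wp_dashboard_quick_press_last_post_id');

-- Review whatever still starts with 'wp_' (plugins may store prefixed keys too).
-- '\_' escapes the LIKE single-character wildcard so only a literal 'wp_' matches.
SELECT option_name FROM s7k_options  WHERE option_name LIKE 'wp\_%';
SELECT meta_key    FROM s7k_usermeta WHERE meta_key    LIKE 'wp\_%';

-- Finally, in wp-config.php change the prefix line to:
--   $table_prefix = 's7k_';
```

Log in to the dashboard afterwards: if users have lost their roles, a prefixed options or usermeta key was missed.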
Besides, there is the good iThemes Security plugin (formerly Better WP Security) which has a table-prefix-changing feature (but I have not tested it myself yet).
After all, I think that using the default table prefix is not a critical weakness compared to the issues above. Moreover, there are simple ways for a hacker to find out your DB table prefix anyway. So, changing the DB table prefix is fine as an additional hardening option, but not an absolute must-do.
15. Last but not least: Protect your computer with antivirus software
Yes, it’s very basic advice, and no doubt you know about it. But I’ve included it in this article as it may be the weakest link in your security if you disregard it for some reason. For example, a trojan virus that steals the passwords you enter makes all other security measures useless.
Interim summary: I’ve listed above the security measures that you can easily apply to your WordPress website on your own, and generally they will be more than enough. Of course, there are more advanced anti-hacking techniques like differentiating user access, advanced .htaccess tweaking, WordPress functionality restriction, access monitoring, log analysis etc., but they’re definitely not for beginners. For now, if you apply the above steps, consider yourself protected better than the vast majority of website owners on the planet.
– Video tutorial on editing .htaccess and wp-config.php files to protect your WordPress site
It’s simply a helping video tutorial that demonstrates how I’ve implemented the recommendations I’ve written above on my testing website (tweaking .htaccess and wp-config.php files).
How You Can Enhance Your WordPress Security
There may be cases when you want to protect your WordPress website even more than I described above.
- For example, you were so unlucky that you got hacked and you don’t want it to happen again
- Or you have to use some insecure plugins and want to make sure hackers will not exploit their vulnerabilities
- Or you want to be able to scan and monitor your website for infections
- Or you simply want to get security professionals ready behind you to help you in case of emergency
If you are not an expert in security and don’t have much time, desire or skills to work on the server side of your hosting and get your hands dirty with coding, then you basically have two and a half choices:
- Go with WordPress managed hosting solution
- Subscribe to a paid service (or buy a premium subscription to security plugins) that provides your website’s safety and sanity
- Install free versions of WordPress security plugins, run their checks and keep an eye on their reports and warnings
The first one (managed WordPress hosting) is the most expensive but the least effort- and time-demanding solution. You just hand over all the technical stuff about web hosting and your website security to a hosting company, and all you focus on is how your website looks, the content and your business. Do note, however, that managed hosting may be strict about using some plugins.
The second option (paid security service or premium security plugins subscription) gives you the guarantee that your site will be taken care of (or assisted with) from a security point of view. And in case your website is hacked, it will be cured by the staff free of charge (the charge is included in the paid subscription).
The last option (free versions of WordPress security plugins) is a half-measure of the previous option – you install the comprehensive WordPress security software and do the maintenance and after-hacking service yourself.
This section actually deserves separate detailed research. Here’s my article about choosing the best WordPress security plugin and combining plugins and products for better security, covering both free and paid solutions.
Instead Of Resume (Perhaps The Most Important Part Of This Article)
If you prefer just a short guide about WordPress security, then read this section. If you need a more detailed description of anything specific, just read the corresponding chapter above.
So, here’s a short list of recommendations that you must do to avoid the biggest risks of being hacked:
- Have backups
- Use strong passwords
- Keep WordPress, themes and plugins up-to-date
- Install Limit Login Attempts or a similar plugin to fight brute-force attacks
- Remove outdated plugins that you don’t use (even if they’re not activated) or at least make sure they don’t have vulnerabilities
- Use themes and plugins from trusted sources to decrease the possibility of code vulnerability and infected software
- Use antivirus software on your computer
It’s super basic, easy to do, does not break your theme/plugins, but it’s quite effective. Surprisingly, many people don’t do it. So, you’ll be better protected than most WordPress users if you follow the simple recommendations in the list above.
The next level of hardening your website security, considering the balance between effectiveness and inconvenience of using or implementing, is implementing all or some of the following (still highly recommended to do):
- Add security tweaks to .htaccess and wp-config.php files, check permissions (I’ve put all necessary instructions in this post)
- Use SFTP instead of FTP (e.g. use FileZilla)
- Don’t use super-cheap ($1/mo kind of) hosting
- Don’t use admin user name
- Add plugin for two-factor authentication (see for some details above in the post)
If you follow the recommendations mentioned above in this chapter (at least some of them), then you may consider yourself protected pretty well compared to most WordPress users. A very good thing is that you can do it for free without being an expert in WordPress.
And if you want comprehensive solutions for your WordPress security with some more advantages in addition to what you have already done (e.g. SSL or a web application firewall), then consider
- Installing security plugins or using services (free or premium versions – see my reviews and comparison here)
Then you’ll be able to do monitoring and scanning, cure your website easily if it’s infected, and do other useful stuff.
After all, if the tips and recommendations from this article are too much for you (or maybe not enough) for some reason, too difficult or not worth your time, then the best choice for you may be
- Applying to managed WordPress hosting
It will let you get rid of the headache connected with technical stuff, including security issues.
And one more security point:
In addition to protecting your WordPress, don’t forget to protect yourself. Your passwords and other sensitive data can be compromised when you least expect it. That’s why I’m repeating here these simple things:
- Use antivirus software on your computer
- Don’t write down passwords on pieces of paper, in paper notebooks, on your mobile phone etc. in an unprotected way, because they can be lost or stolen
- Don’t enter passwords and other sensitive data when working over Wi-Fi in public places (especially if no SSL is used)
- Don’t enter sensitive data when working on someone else’s computer
And if anything is not clear, you are not sure about something, or you run into issues when implementing the tips – don’t hesitate to write about it in the comments below. I’ll do my best to assist you.
P.S.: Here’s the promised post in which I compare comprehensive security plugins and solutions for WordPress. So, if you don’t want to miss articles like that, then subscribe to the updates to my blog in the box below or in the sidebar.