40% of websites are hacked through vulnerabilities in their hosting platform
WordPress is subjected to many kinds of attacks every day, and it withstands most of them thanks to its security features. WordPress is the most widely used CMS in the world and powers around 33% of websites today. Even so, the question remains: what makes a WordPress website vulnerable, and how do you secure your WordPress website from hackers?
Any WordPress website you open in your browser is made up of several working components: the hosting, the WordPress core, themes, plugins and more. From a security standpoint a breach can occur at any one of them. The pie chart below shows the key vulnerable areas and where you need to focus to achieve the best security.
So let's dive deeper into each aspect and learn how to protect your WordPress website from hackers.
Always be cautious when choosing your hosting company. Never opt for cheap hosting just because it suits your budget; choose a host with your long-term goals in mind and with regard to how serious you are about your business. When comparing hosting services, check the following points.
Once you have the right hosting provider in place, it is time to look at the inner parts of the WordPress software. Themes and plugins are its biggest selling point, but they are also the parts you must examine most carefully from a security standpoint.
If you are unsure what that means, check with the developer or company that built your website that they did not use a nulled theme. The way to check is to find out whether your site was built on a ready-made or premium theme and, if so, whether it is activated with a proper licence key. That ensures your site carries the theme's genuine code and keeps receiving updates; it also lets the theme's developers keep doing good work, and a licence for such a premium theme is not that costly.
Why you should not go after nulled themes
It may look tempting since it saves a few dollars up front, but never download or use nulled themes: they can do great harm to your website. Premium themes look more professional and have more customisation options than free themes. They are coded by highly skilled developers and are tested to pass WordPress's checks right out of the box, there are no restrictions on customising them, and above all you get regular theme updates. Some sites, however, offer nulled or cracked themes. A nulled or cracked theme is a hacked copy of a premium theme distributed illicitly, and it is very dangerous for your website: such themes contain hidden malicious code that can damage your website and log your admin credentials.
Themes:
If you are not using one of the default WordPress themes and have not purchased one from a premium marketplace, but instead had a custom WordPress theme developed for you, then it is essential to verify that the theme is clean and follows the standards laid out by the WordPress community. Before making your website live, always have a local or staging development environment and run the following basic checks there; this will confirm your site was built by reliable hands.
Plugins:
Plugins can really take your WordPress website to the next level; for example, with a few clicks a simple website can become a fully functional ecommerce store. That said, after hosting and themes, plugins are the third most important area to be careful about. For a hacker, a poorly coded plugin can easily become a key to your website and its database, and on shared hosting it can sometimes infect other sites hosted on the same server. Paying attention to the following points will help you make the right choice from a security standpoint.
In general:
Always keep your themes, plugins and WordPress core updated to their latest versions.
It is a good idea to change the default WordPress login URL (wp-login.php). This gives some extra protection against brute-force attacks, because automated tools target the default path, and it also helps prevent spam user registrations if your site allows visitors to create free subscriber accounts. Bear in mind that this is obscurity only: it does not replace strong passwords and a login lockdown.
By default WordPress allows unlimited failed login attempts, which exposes your site to brute-force attacks. By adding a lockdown feature (a login-limiting plugin), you can block a user or IP address for a set interval after a given number of failed attempts.
I would recommend putting a strong password policy in place for your WordPress site, because weak passwords and leaked login data are responsible for a good share of hacks. This is especially true for brute-force attacks, which let an attacker test countless login combinations in a short amount of time. As obvious as it sounds, it works!
Terrible | Good | Excellent |
---|---|---|
Admin | Somename111 | ^7om@6Z3un3$ |
Password | Name@123 | EWS3@a6GCQ67 |
123456 | &mhesuqv | ;5$m>()))*5`r)6# |
Letmein | &mhesuqv | ;5$m>()))*5`r)6# |
You can check the list of the most common passwords on Wikipedia.
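To make the policy concrete, here is an added example (not code from the original article) of a small POSIX shell checker that applies three rules: a minimum of 12 characters, at least three of the four character classes, and no case-insensitive match against a common-password list. The 12-character minimum and the embedded list are assumptions for the example; in practice point the check at the full Wikipedia list or a larger breach corpus.

```shell
#!/bin/sh
# Password policy checker (added example, not code from the original article).
# Rules assumed for this example: at least 12 characters, at least three of
# the four character classes (lower, upper, digit, symbol), and no
# case-insensitive match on a common-password list.

# Constructed stand-in for the Wikipedia "most common passwords" list.
COMMON_PASSWORDS='123456
password
admin
letmein
qwerty
welcome
name@123'

# Usage: check_password 'candidate'
# Prints one line per violated rule; returns 0 only when every rule passes.
check_password() {
    pw=$1
    status=0

    if [ "${#pw}" -lt 12 ]; then
        echo "too short: ${#pw} characters, need at least 12"
        status=1
    fi

    # Count character classes with POSIX classes so the result does not
    # depend on the locale's collation order for ranges like [a-z].
    classes=0
    printf '%s' "$pw" | grep -q '[[:lower:]]' && classes=$((classes + 1))
    printf '%s' "$pw" | grep -q '[[:upper:]]' && classes=$((classes + 1))
    printf '%s' "$pw" | grep -q '[[:digit:]]' && classes=$((classes + 1))
    printf '%s' "$pw" | grep -q '[^[:alnum:]]' && classes=$((classes + 1))
    if [ "$classes" -lt 3 ]; then
        echo "only $classes character classes, need at least 3"
        status=1
    fi

    # Whole-line, fixed-string, case-insensitive match against the list.
    lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    if printf '%s\n' "$COMMON_PASSWORDS" | grep -qxF -- "$lower"; then
        echo "appears on the common-password list"
        status=1
    fi

    return $status
}

# Demo with the article's own table entries.
for candidate in 'Admin' 'Name@123' ';5$m>()))*5`r)6#' 'EWS3@a6GCQ67'; do
    if check_password "$candidate" >/dev/null; then
        echo "OK       $candidate"
    else
        echo "REJECTED $candidate"
    fi
done
```

Note that the checker rejects "Name@123" from the table's "Good" column: it is only 8 characters and its lowercase form is a common pattern, which is why the "Excellent" column is the one to aim for.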
As a first line of defence, adhere to the following best practices for WordPress login information:
To disable directory listing, so that a request for a folder without an index file does not reveal its contents, add the following snippet to .htaccess:
Options All -Indexes
WordPress introduced trackbacks and pingbacks so that blogs could notify each other when one links to another. Today they are mostly abused by spammers, so disabling them is a good idea.
Google reCAPTCHA, or any other CAPTCHA, helps ensure that your forms are submitted by actual humans and will save you from spam submissions. It is not, however, a defence against SQL injection: a poorly coded custom form is still injectable by a human attacker, so form input must be validated and passed to the database through prepared statements regardless of the CAPTCHA.
The xmlrpc.php file allows content to be posted remotely, for example from a mobile app. Lately, though, this interface is mostly used by attackers to run mass attacks against your website, such as trying many passwords in a single request through system.multicall, or abusing pingbacks to amplify attacks on other sites. If you are not using the feature, it is a good idea to disable it altogether, which will also cut your resource usage considerably.
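The lockdown rule described earlier (block after a number of failed attempts) can also be applied on the server side, where it catches both wp-login.php password guessing and xmlrpc.php system.multicall floods from the access log. The following added example (not part of the original article) is a POSIX shell function that reads an Apache/Nginx combined-format access log and reports every client IP that has sent at least a threshold number of POST requests to either endpoint. The log lines are constructed for the example and the threshold of 5 is an assumption; the access log does not record whether a login succeeded, so this counts attempts rather than failures.

```shell
#!/bin/sh
# Server-side brute-force detection (added example, not code from the original
# article). Counts POST requests to wp-login.php and xmlrpc.php per client IP
# in a combined-format access log and reports the IPs that reach a threshold.
# The access log does not record whether a login succeeded, so this counts
# attempts, not failures; real users rarely POST to wp-login.php more than a
# few times per day.

# Usage: detect_bruteforce LOGFILE THRESHOLD
# Prints "ip count" (sorted by ip) for every IP with >= THRESHOLD hits.
detect_bruteforce() {
    awk -v limit="$2" '
        # Combined log format: $1 = client IP, $6 = "\"METHOD", $7 = path.
        $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ { hits[$1]++ }
        END {
            for (ip in hits)
                if (hits[ip] >= limit) print ip, hits[ip]
        }
    ' "$1" | sort
}

# Usage: write_sample_log FILE
# Writes a constructed access log: 6 login POSTs from one address, 5 XML-RPC
# POSTs from another, and ordinary traffic that must not be counted.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1832 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1832 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:56:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1832 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:56:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1832 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:56:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1832 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:13:57:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:57:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:57:20 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57 "-" "Mozilla/5.0"
EOF
}

# Demo: write the sample log and report anything at or above 5 hits.
LOG=$(mktemp)
write_sample_log "$LOG"
detect_bruteforce "$LOG" 5
rm -f "$LOG"
```

The reported addresses are the ones to feed into whatever blocking you use at the web server or firewall. A GET of wp-login.php (the login page itself) and POSTs to other paths are deliberately ignored, so a normal visitor who logs in once is not flagged.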
This is one of the most important checks, and it matters even more if your site is on shared hosting. As a best practice, all your directories should have 755 and all files 644 permissions; nothing should ever be world-writable (777 or 666).
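As an added example (not code from the original article), the following POSIX shell functions audit a web root against the 755/644 rule and then fix it. The demo tree is constructed in a temporary directory with deliberately wrong modes so the script runs offline; its layout (wp-config.php, wp-content/uploads) mirrors a standard WordPress install.

```shell
#!/bin/sh
# Permission audit and fix for a WordPress web root (added example, not code
# from the original article): directories must be 755, files 644.

# Usage: audit_perms WEBROOT
# Prints every path whose mode deviates from the policy; returns 1 if any do.
audit_perms() {
    root=$1
    bad=$( {
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -perm 644
    } )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Usage: fix_perms WEBROOT
# Applies the policy. Run audit_perms first and review the list on a live
# site: some hosts deliberately run uploads under a different user.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Usage: make_demo_tree DIR
# Builds a constructed, deliberately mis-permissioned WordPress-like tree.
make_demo_tree() {
    d=$1
    mkdir -p "$d/wp-content/uploads" "$d/wp-content/themes"
    printf '<?php\n' > "$d/wp-config.php"
    printf '<?php\n' > "$d/wp-content/themes/index.php"
    chmod 755 "$d" "$d/wp-content" "$d/wp-content/themes"
    chmod 644 "$d/wp-content/themes/index.php"
    chmod 777 "$d/wp-content/uploads"   # world-writable: anyone on the box can drop a file here
    chmod 666 "$d/wp-config.php"        # world-writable: database credentials exposed
}

# Demo run in a temporary directory.
DEMO=$(mktemp -d)
make_demo_tree "$DEMO"
echo "Before fix:"
audit_perms "$DEMO" || true
fix_perms "$DEMO"
echo "After fix:"
audit_perms "$DEMO" && echo "all directories 755, all files 644"
rm -rf "$DEMO"
```

On shared hosting consider going one step beyond the article's rule and tightening wp-config.php to 640 or 600, because 644 lets any other account on the same server read your database credentials.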
Changing the default database table prefix from wp_ to something hard to guess gives some protection against automated SQL injection attacks that hard-code the default table names, but it does not stop injection itself; only properly prepared and escaped queries in your themes and plugins do that.
Adding an SSL/TLS certificate to your website not only adds real security, because traffic including your login credentials is encrypted in transit, but also brings SEO benefits. Having SSL with proper redirects ensures your site is served over HTTPS on port 443 and never over plain HTTP on port 80, which is unencrypted.
Every variant of your address, HTTP or HTTPS, www or non-www, must redirect to https://www.example.com
Note: whether you standardise on www or non-www is your own preference; neither is better.
In a DDoS (Distributed Denial of Service) attack your site is made unavailable, usually by many infected machines sending traffic to one target at the same time. You can sign up for a free Cloudflare account: it sits between the visitor's browser and your server and provides good protection against this kind of attack.