Illegal hacking is a serious offense. Just Google “prevent WordPress hack” and you will see more than 5 million results, which shows how worried people are about keeping their websites and blogs free from hacking. Is your WordPress safe from hacking?
How To Make Your WordPress Safe?
Check out the following 10 ways to keep your WordPress site safe:
Note: Wherever plug-ins are mentioned, they apply to paid WP sites. Free WP sites cannot install plug-ins.
1. Update to the Latest WordPress Version
WordPress lets you know whenever an updated version of WP is available. Many of us tend to ignore these notices; however, the updates are important because they contain the latest security fixes. By not updating WP, you expose the blog to hacking in the future.
2. Change WordPress Password Often
This is an often overlooked feature. You should change your WP password at least twice a month. Try to make the password difficult to decipher by including both upper-case and lower-case letters, symbols, and numbers. If the password is jumbled up, it becomes difficult for the hacker to break into it.
Moreover, if there is more than one WP user for the same blog, ask the other admins to do the same. Refrain from using names, birth dates, favorite movie names and the like as your password.
3. Weekly WordPress Backup
You should have a backup of the entire WP database before and after you make any changes to it. You can either do this manually or you can use the Backup Buddy plug-in that will email you the backup of the entire database. By “entire database,” we mean everything like files, images, digital media and others.
If you are using this plug-in, do not forget to update it as well when the updates are shown.
4. Use WP Security Scan
It is one of the best WP security plug-ins available. Install it on the blog and scan your blog every week. The scanner will scan the entire WP database and tell you if it finds any malicious codes or vulnerabilities. It will either say “You have the latest stable version of WordPress” or “You do not have a stable version of WordPress” and will list out the problems.
5. WordPress Username Change
The username with which you log in to WP should be different from the username displayed on the WP posts. This is necessary because hackers will always target your username first and try to decipher the correct password. If the username is different, it complicates the process further, which is exactly what you need.
You can change the username this way.
- Go to the Dashboard.
- Select Users.
- Select Profile.
- Make the changes and click Save.
6. Do not Display WordPress version and Plug-In Details
Never ever display what plug-ins you are using or which WP version you are using because it becomes easier for hackers to hack into your site.
To hide the WP version details, you need to change
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
to
<meta name="generator" content="Powered by WordPress" />
For a plug-in list, check http://yoururl.com/wp-content/plugins.
Replace yoururl.com with your real URL. Hit enter and see whether the list of plug-ins is displayed. If it is, you should hide it, as hackers can use code to infiltrate the plug-ins, which will affect your blog. How can you hide the list?
Visit the cPanel, create a “.htaccess” file in /wp-content/themes/thesis and paste the following code:
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# Prevents directory listing
IndexIgnore *
# END WordPress
Save the file and refresh the plug-in page in your browser. Now if you click on http://yoururl.com/wp-content/plugins, you will see that none of the plug-ins are displayed.
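To confirm that both changes in this section took effect, the following added example (not part of the original article) inspects the HTML of your home page and of the /wp-content/plugins response. The sample pages and the version number 3.0.1 are constructed for illustration.

```python
import re
from html.parser import HTMLParser


class PageFacts(HTMLParser):
    """Collects the generator meta tag, the <title> text and link targets."""

    def __init__(self, html):
        super().__init__()
        self.generator, self.title, self.links = "", "", []
        self._in_title = False
        self.feed(html)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content") or ""
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        self._in_title = tag == "title"

    def handle_endtag(self, tag):
        self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def leaked_version(html):
    """Return the WordPress version in the generator tag, or None."""
    m = re.search(r"WordPress\s+(\d+(?:\.\d+)+)", PageFacts(html).generator, re.I)
    return m.group(1) if m else None


def listed_entries(html):
    """Return names exposed by an 'Index of' page; [] if none are shown."""
    page = PageFacts(html)
    if not page.title.strip().lower().startswith("index of"):
        return []
    # Drop column-sort links (?C=N;O=D) and the absolute parent-directory link.
    return [h.rstrip("/") for h in page.links if not h.startswith(("?", "/"))]


# Constructed sample responses, not captured from a real site.
HOME_BEFORE = '<head><meta name="generator" content="WordPress 3.0.1" /></head>'
HOME_AFTER = '<head><meta name="generator" content="Powered by WordPress" /></head>'
LISTING = ('<title>Index of /wp-content/plugins</title><a href="?C=N;O=D">Name</a>'
           '<a href="/wp-content/">Parent Directory</a><a href="akismet/">akismet/</a>')
print(leaked_version(HOME_BEFORE), leaked_version(HOME_AFTER), listed_entries(LISTING))
```

A version string or a non-empty entry list means the corresponding step still needs attention.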
7. Use Login Lockdown Plug-In
If you install the Login Lockdown plug-in and if a hacker tries to crack the site password through force, the plug-in will immediately disable the site’s login function and permanently block the IP address from which the hacker is trying to force access.
This is a must-have plug-in for any paid WP site.
8. Use Secret Keys
Secret Keys are used in the WP-Config file, which stores every detail like the name and password of the MySQL database. You can restrict access to these files by using the Secret Keys. These are encrypted keys that protect the information in the MySQL database. These keys are long, complicated and random. You don’t have to remember them.
Some Secret Keys examples are:
t`DK%X:>xy|e-Z(BXb/f(Ur`8#~UzUQG-^_Cs_GHs5U-&Wb?pgn^p8(2@}IcnCa|’)
‘MGKi8Br(&{H*~&0s;{k0<S(O:+f#WM+q|npJ-+P;RDKT:~jrmgj#/-,[hOBk!ry^’)
‘I6`V|mDZq21-J|ihb u^q0F }F_NUcy`l,=obGtq*p#Ybe4a31R,r=|n#=]@]c #’)
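As an added example (not from the original article), this script generates fresh keys from a cryptographically secure random source and formats them as define() lines for wp-config.php. The eight constant names are the ones WordPress reads; the 64-character length is an assumption, and the single quote and backslash are left out so the values need no escaping in PHP.

```python
import secrets
import string

# The eight constant names WordPress reads from wp-config.php.
KEY_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]

# Printable ASCII minus the single quote and backslash, the only two
# characters that would need escaping inside a PHP single-quoted string.
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation + " "
    if c not in "'\\"
)


def new_key(length=64):
    """Return one random key drawn from the OS CSPRNG (length is an assumption)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def config_lines(length=64):
    """Return aligned define() lines ready to paste into wp-config.php."""
    width = max(len(n) for n in KEY_NAMES) + 3  # room for quotes and comma
    return [
        "define( %-*s '%s' );" % (width, "'" + name + "',", new_key(length))
        for name in KEY_NAMES
    ]


if __name__ == "__main__":
    print("\n".join(config_lines()))
```

Replacing the keys on a live site invalidates existing login cookies, so every user has to log in again.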
9. Restrict Directory Browsing
If hackers have access to your directory, they can easily make out the pattern of your directory structure and use the information for hacking.
To deactivate directory browsing, open the .htaccess file in the root directory and add the code given below:
# protect wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all
</files>
This code will deny any attempted access to the wp-config.php file.
10. Disallow the Indexing of the WordPress Admin section
Your WP admin section contains sensitive information. Unless the search engine spiders are told that the admin section should not be indexed, the automatic bots will scan and index them as well. This should be avoided as the hackers can use the admin indexes to hack your website.
How to avoid it? Create a robots.txt file in the root directory and insert the following code:
#
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*
After the code is installed, the search engine spiders will not attempt to index the above pages.
PS: To make the above code changes, you need access to the cPanel directory. If you do not have this access, ask the webmaster to make the changes.
Conclusion
Protecting your WP site from hackers is necessary. Most of the time we are unaware of this or simply assume that the site is safe. Follow the above ways and implement them ASAP.
Has your WordPress site ever been hacked? Share below…