The popularity of WordPress is a success, but it comes with consequences. More than 34% The site is created using the WordPress platform, of course this results in the WordPress site being vulnerable to malware attacks. In 2018 Sucuri recorded 23,000 WordPress sites to be victims of the attack.
Does that mean WordPress has a bad security system?
Absolutely not. Conversely, the main cause of a security breakdown in a WordPress site is a lack of user security awareness.
As a reputable CMS, WordPress does its part by releasing security patches and updates regularly. That said, those patches and updates won't make a significant difference unless we know what to do to fortify our WordPress site.
In short, we play an important role in securing our WordPress site.
Here are 14 tips that I collected from various sources, so that our WordPress site is more resistant to attacks.
1. Use a Strong Username & Password
Creating a strong WordPress login is the easiest security practice anyone can do, but many WordPress users still fail to do so. Believe it or not, more than 23 million accounts still use “123456” as their password. This is also found in the use of usernames, where many use standard usernames such as "admin" and "administrator."
If you need help creating a strong password, there are lots of password generators out there that can be used for free, for example Lastpass Password Generator. As for usernames, we can combine letters of the alphabet and numbers to make usernames more unique and hard to guess.
Using a weak username and password will make a WordPress site vulnerable to attacks brute force . Brute force attacks use trial and error to guess our usernames and passwords. Therefore, you should avoid using passwords that are easy to guess.
If we have a habit of forgetting passwords frequently, then consider using a service LastPass to save our username & password.
2. Hide WordPress Login
This simple trick can protect your WordPress site from attackers targeting brutal attacks. Use a free plugin WPS Hide Login to change the login URL to something unique.
3. Enable Two-Factor Authentication
Take your WordPress login security even further, by enabling two-factor authentication. This security system provides an additional layer of protection requiring the user to obtain a unique code from the authentication application. I recommend that your WordPress site use two-factor authentication.
4. Change the WordPress Database Prefix
A website's database is the most favorite target for SQL injection attacks. This type of attack forces the database to execute malicious code, allowing hackers to freely modify or delete the data on it. Don't take this attack lightly, as nearly 80% attempted hacks used this path.
One of the factors that make a WordPress site database vulnerable to SQL injection attacks is the use of a default database prefix
wp_ . Using predictable database prefixes allows hackers to guess database table names and this is the start of a site owner's nightmare. Therefore, I highly recommend that you change it before things go wrong.
Use plugins Change Table Prefix to change your WordPress database prefix.
5. Disable PHP Error Reporting
PHP error reporting function helps us find errors in PHP files faster. However, it also allows other people to see the vulnerabilities of the site. Therefore, I recommend disabling this function.
WordPress disables the error reporting function by default. If it is enabled for some reason, we have to disable it manually by modifying the wp-config.php file, and making sure there is code
define ('WP_DEBUG', false); in that file.
6. Always Update WordPress
To keep up with the increasing attacks, WordPress regularly releases updates along with the latest security patches. These improvements apply not only to the WordPress core, but plugins and themes as well. In other words, using out-of-date apps is the recipe for opening the door to online attacks.
Even though WordPress automatically implements minor updates, you will still need to perform major updates manually. So, make sure to look for new updates in the section Updates WordPress admin panel regularly to avoid security vulnerabilities on WordPress sites.
Free plugins available Easy Updates Manager , which can be used to control how we want to update the WordPress core, themes, and plugins.
7. Disable Directory Browsing
Enabling directory browsing can provide quick access to site and directory structures. However, it could turn into a double edged sword if other people could also access it. Attackers often use it to find vulnerable files, plugins, and themes, then use them to gain access to WordPress sites. So, disable this directory browsing feature to minimize attacks.
8. Delete WordPress Version Information
WordPress constantly releases updates to patch security vulnerabilities in previous versions. Older versions usually have many vulnerabilities. Because of this, making the WordPress version public is not a good idea for the WordPress web security system.
To hide the WordPress version, edit the
functions.php in the theme folder, and add the following code:
function remove_wordpress_version () (return ''; } add_filter ('the_generator', 'remove_wordpress_version'); function remove_version_from_style_js ($src) (if (strpos ($src, 'ver ='. get_bloginfo ('version'))) $src = remove_query_arg ('ver', $src); return $src; } add_filter ('style_loader_src', 'remove_version_from_style_js'); add_filter ('script_loader_src', 'remove_version_from_style_js');
9. Disable File Editing
WordPress' built-in file editor allows easier modification of plugins and theme scripts. But this feature can be dangerous if it falls into the wrong hands. For this reason, it is best to disable this feature. We can do this by adding this code in the
define ('DISALLOW_FILE_EDIT', true);
10. Perform Regular Backups
Creating backups is one of the best ways to secure a WordPress site. In the worst case scenario, backups can save us from reconstructing a WordPress site build.
The process may seem tedious, but there are many backup plugins like UpdraftPlus which can make it easier.
11. Stop Spam and Negative SEO
Spammers are everywhere, and nobody likes them, not even Google. If we run a popular site and don't have a proper spam prevention system in place, then we are probably attracting thousands of spammers every day. Too much spam is bad for SEO and site visitors.
12. Use WAF
WAF or Web Application Firewall helps protect websites by filtering and monitoring HTTP traffic between the site and the Internet. WAF usually protects sites against attacks like cross-site forgery, cross-site-scripting (XSS), file inclusion and SQL injection, etc. WAF is a layer 7 defense protocol and is not designed to defend against all types of attacks, such as DDOS attacks.
13. Use Themes and Plugins Wisely
One of the biggest benefits of using WordPress is the huge pool of plugins and themes. Ironically, WordPress plugins and themes are the biggest source of vulnerabilities that can harm our site. So, choose themes and plugins wisely, and carefully manage the ones we have installed.
The easiest way to prevent hackers from accessing our WordPress site is to use plugins and themes that have excellent reviews and ratings. These are the main indicators that will tell us that they are well managed and functioning. Also, make sure to check for updates regularly.