how to make wordpress secure

Upload: shounak-gupte

Post on 07-Jul-2018


8/18/2019 How to Make WordPress Secure 1/10

31 May

www.shounakgupte.com/how-to-make-wordpress-secure/

How to make WordPress Secure

WordPress has become the content management software of choice for blogging and non-blogging websites. It has a great interface and is very easy to use. Adding new blog posts, pages, images, etc. regularly is a cakewalk and can be done quickly. It also offers advanced security features that prevent hackers from accessing your site.

In spite of the fact that WordPress is the most secure software used by the world's most reputable companies such as Facebook, NASA, Mozilla and eBay, it has continued to remain vulnerable to hackers. WordPress sites are among the most frequently hacked.

Whether you like it or not, a determined hacker will always find a way to compromise your system. It is a terrifying scenario: you go to your site only to see a disgusting message from a hacker boasting about attacking it. You notice that the content is gone and you can't even access your dashboard. Your website ends up being shut down. That is exactly the situation you will find yourself in.

The good news is that there are several measures you can implement to protect your WordPress site. Here are a few ways to make your site or blog less vulnerable to hackers.

1. Set up Google Search Console (Webmaster Tools)

Setting up Google Search Console (Webmaster Tools) is very important. Google sends out warnings if your site is compromised, together with sample compromised URLs. If your site is compromised, you can submit a reconsideration request through the "Security Issues" section once your site has been cleaned.


2. Add a new user account

It is strongly recommended to create another username and delete the default admin. Right now, most hackers take advantage of default usernames to attack WordPress sites. Changing it will increase your protection.

Just remember that this is not enough. Hackers can track down usernames quite effortlessly from posts or elsewhere. That is why you will also need to protect the account with a strong password.

While switching to a new user account, be sure to give it the full authority of an admin. Before deleting the default admin account, transfer all your posts to your new user account.


3. Choose a Secure Password

The best approach, and one that is often recommended, is to use a strong password. Your password must not only be difficult to guess, but must also be difficult for hackers to crack. The ideal password length is at least eight characters. Most people think that passwords with fewer characters are easier to remember. Nevertheless, shorter passwords are much easier to break.

The most secure and strongest passwords are those that use a unique combination of symbols, special characters, numerals and letters. Most of us prefer to create passwords that are entirely numeric or alphabetic, but such passwords are much easier to break.

Also, do not use one password for multiple accounts. I suggest creating a unique password for each account.

In addition to this, keep changing your password on a regular basis. Do not stick to the same password for a long time. Ideally, change your password every three months.
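To make the password rules above concrete, here is an added Python example (not code from the original post) that scores a candidate password against them: minimum length, a mix of character classes, and no reuse across accounts. The brute-force search space it reports, in bits, is the reason shorter passwords are easier to break: every extra character multiplies the attacker's work by the size of the alphabet. The character-class definitions, the eight-character minimum taken from the post, and the sample passwords are this example's own choices.

```python
import math
import string

# Character classes the post recommends mixing: letters, numerals, symbols.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}

MIN_LENGTH = 8  # the post's recommended minimum (assumption: treated as a hard floor here)


def password_report(password, reused_on=()):
    """Return a dict describing how `password` measures up to the post's rules.

    `reused_on` lists other accounts that share this password; the post says
    every account should get its own.
    """
    present = {name: any(c in chars for c in password) for name, chars in CLASSES.items()}
    # Alphabet size an attacker must cover, given the classes actually used.
    alphabet = sum(len(chars) for name, chars in CLASSES.items() if present[name])
    # log2 of the brute-force search space; each extra character adds log2(alphabet) bits.
    bits = len(password) * math.log2(alphabet) if alphabet else 0.0
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if sum(present.values()) < 3:
        problems.append("uses fewer than three character classes")
    if reused_on:
        problems.append("reused on: " + ", ".join(reused_on))
    return {
        "length": len(password),
        "classes": present,
        "search_space_bits": round(bits, 1),
        "problems": problems,
        "acceptable": not problems,
    }


def compare(passwords):
    """Rank candidate passwords by brute-force search space, strongest first."""
    return sorted(passwords, key=lambda p: password_report(p)["search_space_bits"], reverse=True)


if __name__ == "__main__":
    # Constructed sample passwords, from weakest to strongest.
    for pw in ["123456", "sunshine", "Sunsh1ne", "T7#kq!Wz9pLm"]:
        report = password_report(pw)
        verdict = "OK" if report["acceptable"] else "; ".join(report["problems"])
        print("%-14s %5.1f bits  %s" % (pw, report["search_space_bits"], verdict))
```

The bits figure is a ceiling on attacker effort for a random password; a dictionary word like "sunshine" is cracked far faster than its 37.6 bits suggest, which is why the class mix and length rules matter together.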


4. Avoid Exposing Your Username by Setting a Nickname

Never use your username as your author name. If your username is your WordPress author name, you are handing hackers almost 50% of your login information. So choose a new nickname and use it as your author name. Go to Settings and look for the "Nickname" field under "Your Profile".

5. IP address

Restrict the WordPress login page to your own IP address and block all other IPs:

    ## Restrict WordPress Login Pages to Your Own IPs ##
    # Scope the rule to wp-login.php (Files wrapper added here); without it the
    # same directives would block the whole site.
    # 192.168.1.x are private addresses used as placeholders: replace them with
    # the public IP(s) you log in from.
    # This is Apache 2.2 syntax; Apache 2.4 expresses the same with Require ip.
    <Files wp-login.php>
    order deny,allow
    deny from all
    allow from 192.168.1.1
    allow from 192.168.1.2
    </Files>

6. Move the login page

The default installation of WordPress uses wp-admin and wp-login.php to log in to WordPress. This is very easy for a hacker to guess. You can change the default login page to something harder to find, such as domain.com/newloginpage, by using HC Custom WP Admin URL (https://wordpress.org/plugins/hc-custom-wp-admin-url/).

7. Limit Login Attempts on Your Site

By default you can make as many failed login attempts on a WordPress site as you want. This wouldn't be an issue if there were no hacker trying to access your account. Sadly, hackers exist. They may think they know your password, or may use software to guess it. So it is imperative to limit login attempts. This stops the hacker from making further attempts once they have entered a wrong password more than the stated number of times. You will also be notified if someone tried to access your account, so you can choose to block the IP address that tried to hack your site.

You need to install and activate the "Limit Login Attempts" plugin in order to monitor failed login attempts. An alternative is the "BruteProtect" plugin, which also identifies and blocks IPs that attempt to access your site.

8. Block Bots From Accessing Your Login Info

Hackers are not the only ones visiting your website. There are also invisible visitors that crawl your site, and most of them are up to no good. These visitors are sent to exploit security loopholes and steal vital login information. They are normally referred to as bots. Blocking malicious bots is fairly hard, but it is possible.

9. Do not allow Guest Accounts on your site

Some sites let guest users submit posts. This means you need user registration: registered users can log in to your site and use the WP admin area to submit their content or posts. Allowing guest-user registration is highly discouraged. It may leave your site at the mercy of hackers. Therefore, ensure that the "Anyone can register" option under "Settings" is disabled.

10. Disable Pings

Many WordPress bloggers use trackbacks and pingbacks to get notifications whenever someone links to their post. However, pingbacks can compromise your site's security: enabled pingbacks can be used in a Distributed Denial-of-Service (DDoS) attack. Currently there is no fix for this. The only thing you can do is disable pingbacks in your WordPress settings.

11. Harness the Power of WordPress Security Plugins

There are several security plugins designed to help keep WordPress sites secure from attacks. These plugins are effective and offer peace of mind to website owners. Better WP Security, for instance, tries to prevent hackers from learning too much about your site, for example by removing login error messages. Such plugins also stop you from creating weak passwords, help you perform regular security scans and block bot traffic.

Download and install plugins only from trusted sources or marketplaces. Remember that these plugins vary in quality, meaning some are better than others. Many WordPress plugins were created by regular individuals, which means some are not worth the money and some are excellent.

Here are a few plugins which can improve your website's security.

Keep Your WordPress Updated

The major reason WordPress sites get hacked is that their owners do not keep up with updates. Older versions of WordPress may have known or obvious security loopholes. These loopholes are normally fixed by the updated software. If you do not update your site, your website remains vulnerable to attackers.

Updates are not released only to patch security holes; they also introduce new features and fix bugs. There is no excuse for not updating your website regularly. This holds true for themes and plugins as well.

Sure, many people fear updating their WordPress sites because there are certain risks involved. For example, some people think that updating will break their current theme. Some things are likely to go wrong, yes, but the risk can be minimized. An upgrade is necessary and should be done. Website security is more important than the theme.

Beware of Malicious Plugins or Themes

Some plugins and themes contain malicious or buggy code. This malicious code is not easily noticeable because it is hidden using encryption. That is why it is always advised to download them from trusted sources. Never download and install pirated plugins or themes. Avoid free themes that are not from the official WordPress theme directory. Malicious themes or plugins can add hidden backlinks to your website. They may even steal essential login information and compromise your site's security.

Back up your site

If a hacker is determined enough to access your site, then he or she is going to access it. A 16-year-old boy from London hacked American military systems and a 15-year-old hacked a NASA computer. So if you think your site isn't vulnerable to hackers, think twice.

To avoid losing everything in such an attack, it is important to back up your site. If it is hacked and everything is wiped clean by the hacker, you will be able to restore it. You need to back up media uploads, plugins, theme files and the database.

Do not leave your backup inside the public_html folder under a name like backup.zip. The backup file contains your database connection details, and if someone downloads the zip file they can easily gain access to your site.

Use secure hosting

You need to use a host that treats security as the top priority. Avoid free hosting packages; they do not have the money to spend on security. That does not mean, however, that all expensive hosting companies spend a lot of money on security. It is your responsibility to find a hosting company that takes the security of your site very seriously.

Hide Indexes

Make sure public access to directory indexes is disabled. If unauthenticated users can list the files in your website's directories, it is easier to break into your site through plugin weaknesses. If your server runs Apache or another server that honours .htaccess files, this is simple to do.

Report Vulnerabilities and Bugs

If you ever notice a security vulnerability, be sure to send a comprehensive email to the WordPress community. Their email address is [email protected].

Delete old plugins and themes

Delete all themes and plugins that you are not using. This is especially important if they are no longer updated. Cleaning and organizing your site will keep you safer. A clean site also makes it much easier for security specialists to work in the event your website is compromised.

Disable file editing through the WordPress Admin

The default installation of WordPress lets you go to Appearance -> Editor or Plugins -> Editor and change the template or plugin files. If your site is compromised, the hacker also gets access to your template or plugin files through that editor. You can block access to the editor by adding the line below to wp-config.php:

    // Removes the theme and plugin editors from the WordPress admin.
    define( 'DISALLOW_FILE_EDIT', true );

Sensitive Files

WordPress by default writes its version number into the page source. The version number looks something like this:

You can remove this version number from the source by adding the code below to your theme's functions.php file:

    // Return an empty string in place of the generator tag that carries the version.
    function remove_version() {
        return '';
    }
    add_filter('the_generator', 'remove_version');

Also block the sensitive files that reveal the WordPress version or plugin versions. Hackers can gain access to your site if they know the version numbers and there is a known vulnerability in that version of WordPress or a plugin.


    # Turn off directory listings for the whole site.
    Options All -Indexes

    # Each block below hides one file from the web. wp-config.php is named
    # elsewhere in this post; the other file names did not survive in this copy,
    # so [sensitive-file] is a placeholder to replace with each file you want
    # hidden (repeat the block per file).
    # Apache 2.2 syntax; Apache 2.4 expresses the same with Require all denied.
    <Files wp-config.php>
    Order allow,deny
    Deny from all
    </Files>

    <Files [sensitive-file]>
    Order allow,deny
    Deny from all
    </Files>

Remove Spammy Query Strings

Sometimes spammers append their own query strings to the end of a URL to try to gain access to your site. A simple 301 redirect that strips the query string solves this:

    RewriteEngine On
    # Replace the alternatives with the query-string fragments you want stripped.
    RewriteCond %{QUERY_STRING} enter|separated|query|strings|here [NC]
    # Capture the path so $1 carries it over; the trailing ? drops the query string.
    RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1? [R=301,L]

Protect from spam bots

Automated bots trying to post comments to your blog can be stopped with the rules below:

    RewriteEngine On
    # Only comment submissions (POST to wp-comments-post.php) are affected.
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} wp-comments-post\.php
    # Block when the referer is not this site (replace yourwebsite.com) ...
    RewriteCond %{HTTP_REFERER} !.*yourwebsite\.com.* [OR]
    # ... or when no User-Agent is sent at all.
    RewriteCond %{HTTP_USER_AGENT} ^$
    # Send the request back to the sender's own address.
    RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]

SQL Injection

SQL injection is the most common method used to hack a website. You can block SQL injection attempts with the rules below:

    RewriteEngine On
    RewriteBase /
    # Refuse these request methods outright (note: this also refuses legitimate HEAD requests).
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
    RewriteRule ^(.*)$ - [F,L]
    # Query-string patterns, chained with [OR]; any match returns 403.
    # The tag\= pattern also matches WordPress's own ?tag= archive URLs and the
    # http\:/https\: patterns match any parameter carrying a URL, so test on a
    # staging copy first. This filter supplements, and does not replace, properly
    # escaped database queries in the site's code.
    RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    RewriteCond %{QUERY_STRING} tag\= [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
    # Logged-in users (wordpress_logged_in_ cookie) are exempt from the block.
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteRule ^(.*)$ - [F,L]
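Rewrite rules like the comment-spam block and the SQL-injection block above are easiest to judge by running sample requests through them before deploying. The Python example below is added here and is not part of the original post: it re-expresses those conditions as case-insensitive regular expressions and reports which condition would produce the 403 or the redirect. The pattern list, the sample query strings and the yourwebsite.com placeholder are this example's own; the one non-ASCII "ê" alternative from the original rule is dropped. Running it shows how blunt the filter is: it rejects WordPress's own ?tag= archive URLs, percent-encoded non-ASCII searches and any parameter that contains a URL, while a logged-in user bypasses it entirely, so test it on a staging copy and treat it as a supplement to properly escaped database queries in the code itself.

```python
import re

# Query-string conditions from the post's "SQL Injection" block, in order, each
# [NC] (case-insensitive) and chained with [OR]. Python's re and Apache's PCRE
# agree on these patterns; the stray 'ê' alternative is omitted.
QUERY_PATTERNS = [
    r"\.\./",
    r"boot\.ini",
    r"tag=",
    r"ftp:",
    r"http:",
    r"https:",
    r"(<|%3C).*script.*(>|%3E)",
    r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)",
    r"base64_encode.*\(.*\)",
    r"(\[|\]|\(|\)|<|>|\"|;|\?|\*|=$)",
    r"(\"|'|<|>|\||\{)",
    r"%24&x",
    r"(%0|%A|%B|%C|%D|%E|%F|127\.0)",   # also matches every UTF-8 multibyte start (%C2..%F4)
    r"(globals|encode|localhost|loopback)",
    r"(request|select|insert|union|declare)",
]
QUERY_RULES = [re.compile(p, re.IGNORECASE) for p in QUERY_PATTERNS]
BLOCKED_METHODS = re.compile(r"^(HEAD|TRACE|DELETE|TRACK)", re.IGNORECASE)
LOGGED_IN = re.compile(r"wordpress_logged_in_")


def method_blocked(method):
    """First rule of the block: these request methods get a 403 outright."""
    return bool(BLOCKED_METHODS.match(method))


def query_string_blocked(query, cookie=""):
    """Return the pattern that would trigger the 403 for this query string, or None.

    A wordpress_logged_in_ cookie exempts the request, as the last RewriteCond does.
    """
    if LOGGED_IN.search(cookie):
        return None
    for pattern, rule in zip(QUERY_PATTERNS, QUERY_RULES):
        if rule.search(query):
            return pattern
    return None


def comment_post_redirected(method, uri, referer, user_agent, site="yourwebsite.com"):
    """The comment-spam rule: a POST to wp-comments-post.php whose referer is not
    this site, or whose User-Agent is empty, is redirected away (site is a placeholder)."""
    if method != "POST" or "wp-comments-post.php" not in uri:
        return False
    return site not in referer or user_agent == ""


def audit(queries):
    """Map each query string to the rule that blocks it (None when it passes)."""
    return {q: query_string_blocked(q) for q in queries}


if __name__ == "__main__":
    # Constructed query strings: ordinary WordPress URLs, none of them attacks.
    samples = [
        "p=12",                                        # plain post id: passes
        "tag=security",                                # WordPress tag archive: blocked by tag=
        "s=caf%C3%A9",                                 # percent-encoded non-ASCII search: blocked
        "s=select+a+theme",                            # the ordinary word "select": blocked
        "redirect_to=http://example.com/wp-admin/",    # any URL in a parameter: blocked
    ]
    for q, hit in audit(samples).items():
        print("%-45s %s" % (q, "403 via " + hit if hit else "allowed"))
```

Because the conditions are evaluated in order, the function reports the first matching pattern, which is the one Apache would also stop at; run audit() over a day's worth of real query strings from your access log to see how many legitimate requests the block would have refused.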

Monitor your Server and Login logs

Keep an eye on who is visiting your site. Is it a crawler, bot or human?
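Both "Limit Login Attempts" (item 7 above) and the advice here to watch who visits your site come down to reading the web server's access log. The following Python example is added here and is not part of the original post: it parses Apache "combined" access-log lines, classifies visitors by User-Agent, and flags any IP that repeats failed wp-login.php POSTs faster than a chosen limit, which is the check a limit-login plugin performs live. The log lines are constructed for the example using documentation IP ranges, and the threshold, window and User-Agent keywords are assumptions to tune for your own site.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache "combined" access-log format (nginx's default "combined" is the same shape).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumed keyword list; extend it with the crawlers you actually see.
BOT_UA = re.compile(r"bot|crawl|spider|curl|python-requests", re.IGNORECASE)


def parse(line):
    """Parse one access-log line into a dict, or None if it is not in combined format."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def classify_visitor(user_agent):
    """Crude answer to "crawler, bot or human?" from the User-Agent string."""
    if not user_agent or user_agent == "-":
        return "no user-agent"      # scripts that send none deserve a closer look
    if BOT_UA.search(user_agent):
        return "bot/crawler"
    return "browser"


def visitor_summary(lines):
    """Count requests per visitor class."""
    return Counter(classify_visitor(r["ua"]) for r in map(parse, lines) if r)


def failed_logins(lines):
    """Yield (ip, time) for failed login POSTs. WordPress answers a failed
    wp-login.php POST with 200 (the form again) and a successful one with a 302."""
    for r in map(parse, lines):
        if r and r["method"] == "POST" and r["path"].startswith("/wp-login.php") and r["status"] == 200:
            yield r["ip"], r["time"]


def flag_brute_force(lines, limit=5, window=timedelta(minutes=10)):
    """Return {ip: peak_count} for IPs with more than `limit` failed logins inside
    any `window`: the same threshold logic a limit-login plugin enforces as it happens."""
    by_ip = defaultdict(list)
    for ip, t in failed_logins(lines):
        by_ip[ip].append(t)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:    # slide the window forward
                start += 1
            count = end - start + 1
            if count > limit:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


# Constructed sample log using documentation IP ranges; not from any real server.
def _line(ip, hhmmss, method, path, status, ua, ref="-"):
    return '%s - - [18/Aug/2019:%s +0000] "%s %s HTTP/1.1" %s 512 "%s" "%s"' % (
        ip, hhmmss, method, path, status, ref, ua)

SAMPLE_LOG = (
    [_line("198.51.100.4", "10:00:0%d" % i, "GET", "/?p=12", 200, "Mozilla/5.0") for i in range(3)]
    + [_line("198.51.100.4", "10:01:00", "POST", "/wp-login.php", 200, "Mozilla/5.0")]   # one typo
    + [_line("198.51.100.4", "10:01:20", "POST", "/wp-login.php", 302, "Mozilla/5.0")]   # then success
    + [_line("203.0.113.7", "10:02:%02d" % (i * 7), "POST", "/wp-login.php", 200,
             "python-requests/2.22") for i in range(8)]                                  # 8 failures in 49 s
    + [_line("192.0.2.9", "10:05:00", "GET", "/robots.txt", 200, "Googlebot/2.1")]
    + [_line("192.0.2.10", "10:06:00", "GET", "/wp-login.php", 200, "")]
)

if __name__ == "__main__":
    print(visitor_summary(SAMPLE_LOG))
    print(flag_brute_force(SAMPLE_LOG))
```

Feed it a real file with flag_brute_force(open("access.log")) and compare the flagged addresses with what your login-limiting plugin blocked; a human who mistypes once, like 198.51.100.4 above, stays under the limit while a script hammering the form does not.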

Monitor your file changes

The WordPress plugin CodeGuard (http://www.codeguard.com/) will send you emails whenever your WordPress files are changed. The plugin also allows you to roll back any changes made.

WIFI and Hotspots

Avoid logging in to your website over public WIFI or hotspots if your computer doesn't have a good firewall and an antivirus program.

Change your password periodically

Changing the password every 3-6 months is a good practice.

If your site is already compromised, you can contact sucuri.net and ask them to scan for malware. They will even clean the website for you for a small fee. More information on sucuri.net: http://www.shounakgupte.com/go/sucuri

Final Thoughts

Do not think that the chance of being attacked by a hacker is low. It happens more often than you think. The 27 steps above are not the only security measures you need to consider. Even if you implement all of them, you can never be completely protected. But the points above should be enough to minimize the chances of getting hacked.