With over 74,6 million websites powered all over the world, WordPress is always an attractive target for hackers. While no major vulnerabilities have been found on the platform since 2012 when over 170.000 websites have been hacked, protecting your website is not a matter of choice. It is a must. It is not complicated to put in place a few very basic security measures which can prevent your business from: losing money, exposing sensitive customer data and weakening the reputation of your brand. Check the list bellow for a few simple, but lifesaving tips on how to improve your WordPress security level.
1. Customize your “Admin” and use a SSL connection
The latest WordPress versions allow you to change the username used to login into your WordPress admin account. Why should you change it? Hackers work on predictability and patterns, using the admin username makes it easier for them to identify and use your password. The trick is to change when you install WordPress.
Also, use an encrypted connection when you are accessing your admin account. This way to reduce hacker attacks of Man in the Middle Type (MITM)
2. Install a lockdown plugin
Does your website have a lockdown option to block the login system on your website after a specific number of failed attempts? It should. It protects the website from forced login attempts. Make sure you have your password somewhere safe, so you will not forget it and install a lockdown plugin. It will make your website a lot safer.
3. Create an IP whitelist
Ask the persons which have admin credentials to give you the IP address they usually use to access the website. You can create a whitelist which includes the IP addresses where your admin account can be accessed from and so, limit the access and prevent attacks.
4. Privileged and unprivileged users
Probabilities don’t lie: the more users with privileged access you have, the more are the chances one of them has a very weak password. Keep their number to a minimum and use unprivileged access for users who need to access your website, but have limited roles in administration or editing.
5. Give wp-content directory a new home
The wp-content directory holds all the constructive and functional elements of your website such as themes, installed plugins, and uploads. By default it is hosted in the application directory, but since the WordPress 2.6 version you can move it somewhere else. As with the Admin change, this protects your website from automated attacks using defaults settings as a vulnerability.
6. Use a minimum number of plugins and only from the official WordPress directory
WordPress plugins are the weakest link in your security since many of them are vulnerable to attacks such as SQL injection or Cross-Site Scripting. Avoid installing plugins just for the sake of testing them. The fewer plugins you install on your website, the safer you are. Plugins included in the WordPress directory are evaluated and therefore safer than plugins installed from unknown sources or directories.
7. Keep your website up-to- date
It seems obvious, but it is not. Statistics show that while you are reading this, a little more than 20% of the WordPress websites are actually using the latest version of the platform. Make a habit from regularly update your WordPress version and plugins and your site will be better protected against attacks.
8. Change the wp-config.php file location
The wp-config.php file will be less exposed to Internet if you move it outside the web root directory. Moving it will not interfere with its functionality since WordPress is searching it by default, both in the web root directory and within the directory above.
9. Get rid of the readme.html file
This file contains information about your website that can help hackers attack it easier. Remove it from your site.
10. Hide version number
The HTML meta tags generator includes by default the WordPress version used to create your website, both on the index page and in the RSS feed, if you are using one. Remove them to avoid letting know your attackers what WordPress version they are dealing with.
11. Create a strong password
Combine letters, numbers and symbols. Avoid using the same password on more than one website and don’t choose obvious combinations.
12. Protect your database
Change the default prefix of you database table. Standard prefix is „wp-” and it can be used by hackers to guess your database name and attack.
13. Avoid public directories for storage
You are surely keeping some backup files online just to make sure all your work is safe. Avoid keeping them in public web directories because they will become a vulnerability.
14. Inactivate verbose errors
One type of vulnerability of your WordPress website you need to take into account and take measures for is the Full Path Disclosure (FPD) type. One thing you can do about this is turn off verbose errors on your web server by disabling PHP reporting with the line “error_reporting = off” added in the php.ini file.
15. Secure the theme/plugin editor vulnerability
The theme and plugin editor represent an important vulnerability because they are frequently used as gateway to attack the website. A very good solution is to disable them from the wp-config.php.
16. Get rid of “Powered by WordPress”
You will usually find it in the footer of your website and it can be used by hackers to establish an active connection with the target host and gather information such as: usernames, hostnames, IP tables and routine tables, etc.