
How To Safeguard your WordPress Website- WordPress Security Tips

Tech Tips & Tech News | 6 comments

How to secure Self Hosted WordPress Sites?

Securing a self-hosted WordPress site is a major concern nowadays, as far too many sites have been hacked lately. WordPress is a very easy platform, which is why it is so popular among non-techies: managing a WordPress site or blog is simple and cuts the cost of having a webmaster. But the same user-friendliness means WordPress can also be hacked easily. That is why securing your WordPress site is always a must, and the following tips will improve the security of your WordPress website/blog.

How to secure your WordPress Site?

Step by step guide to harden the security of your WordPress site

Secure WordPress Admin

Don't use the default admin user. After a WordPress installation the default user is called admin, and hackers try that username first. So it is always recommended to create a new user with administrator rights and then delete the default admin user. If you do keep the default user, make sure you change its role from administrator to subscriber.

When creating the new user, choose a username that is hard to guess; you can also log in with your e-mail id instead. The plugin All In One WP Security & Firewall can help you with this.

Always use strong passwords for your users to boost security, and limit the number of unsuccessful login attempts. This keeps your site one step further from being hacked.

Secure WordPress directories

You have to hide your WordPress directories from the outside world. Open the .htaccess file in the WordPress root directory and add the line "Options -Indexes" at the top.

This prevents others from viewing a listing of the files in a directory when no index.html or index.php is present.

Besides preventing users from browsing the directories, you also have to make sure that others cannot write to your WordPress directories. First log in to the Linux shell of your WordPress server and run the following command to get a list of world-writable directories:

find . -type d -perm -o=w

After that, run the following two commands to set the permissions:
find /your/wordpress/folder/ -type d -exec chmod 755 {} \;
find /your/wordpress/folder/ -type f -exec chmod 644 {} \;

For directories, 755 (rwxr-xr-x) means the owner can write, while everyone else can only read and enter them. For files, 644 (rw-r--r--) means the owner can read and write, while others can only read.
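The two steps above (find world-writable directories, then apply 755/644) wrapped into one small POSIX shell script, as an added example that is not part of the original post. The path /your/wordpress/folder is a placeholder for your own install.

```sh
#!/bin/sh
# Added example: check and fix WordPress permissions as described above.
# Usage: ./wp-perms.sh /your/wordpress/folder   (placeholder path)

# Print every directory under $1 that "others" can write to (o+w).
# Such directories let any local account, including a compromised
# neighbouring site on shared hosting, drop files into your install.
find_world_writable() {
    find "$1" -type d -perm -o=w
}

# Apply the recommended permissions: 755 for directories, 644 for files.
harden_wp_perms() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
}

# Count entries still deviating from 755/644 (0 means everything matches).
count_wrong_perms() {
    dirs=$(find "$1" -type d ! -perm 755 | wc -l | tr -d ' ')
    files=$(find "$1" -type f ! -perm 644 | wc -l | tr -d ' ')
    echo $((dirs + files))
}

if [ -n "$1" ]; then
    echo "World-writable directories before hardening:"
    find_world_writable "$1"
    harden_wp_perms "$1"
    echo "Entries still deviating from 755/644: $(count_wrong_perms "$1")"
fi
```

Run it once before an update or after a plugin install; a non-zero count from count_wrong_perms tells you something has changed the permissions under your install.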

Hide WordPress Version

Make sure your WordPress website/blog does not display the WordPress version. Showing it tells outsiders whether you are running an outdated or unpatched version of WordPress. Also delete the readme.html file from the root directory, as it displays the version too.

Always stay on the latest version of WordPress, as the updates carry the security fixes. Your dashboard notifies you of all kinds of updates: WordPress core, plugins and themes. Don't ignore these notifications out of fear that an update might disturb your theme or plugins.

Secure WordPress database tables

WordPress database tables have default names like wp_users, wp_posts etc. It is better to change the prefix of the tables to some random value; changing the prefix means changing the "wp_" part of each name. The plugin "Brozzme DB Prefix & Tools Addons" can help you with this.

Secure WordPress Security Keys

You should update the WordPress security keys. Generate six new security keys, open the wp-config.php file and overwrite the default keys with the new ones. The advantage is that nobody can stay logged in to your WordPress without your knowledge, because all existing login cookies become invalid.

Protect .htaccess

It is definitely required to protect your .htaccess and wp-config.php files from being served to visitors. For .htaccess, place the following code in your .htaccess file:
<Files .htaccess>
order allow,deny
deny from all
</Files>

Similarly, you can protect your wp-config.php file by adding the following code to your .htaccess file:
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Enable WordPress Error Log

By keeping error logs of WordPress PHP and database errors, you get hints of invalid file requests hitting your WordPress. To enable error logging, add the following code to wp-config.php. The error.log file should be placed in a folder that is not accessible from the browser, and errors are logged but never displayed to visitors.

define('WP_DEBUG', true);
if (WP_DEBUG) {
    // log errors to a file, never show them in the page
    define('WP_DEBUG_DISPLAY', false);
    @ini_set('log_errors', 'On');
    @ini_set('display_errors', 'Off');
    @ini_set('error_log', '/path/to/error.log');
}

Protect WP-Admin Folder

You should protect the wp-admin folder of your WordPress, as this section is not meant for the public. Put a second password in front of it at the server level, so that even authorized users have to provide two passwords to log in.

Find unknown IP addresses for logged-in users

To get the list of users who logged in to your WordPress server along with their IPs, use the "last -i" command. If you find an unknown IP address, it's high time you changed the password.

Security Scan of WordPress

There are some plugins available to monitor your website, for example Exploit Scanner, Wordfence Security, VIP Scanner and WordPress Sentinel. These plugins scan the files and detect suspicious code and spam links, if any. You can also check your website's security online for free with Sucuri SiteCheck.

Right Backup

It is always advised to keep a backup of your site. If possible keep a weekly backup; that keeps your website safer. Free backup plugins include BackUpWordPress and WP-DB-Backup; another great paid one is VaultPress.

Secure Web host

Last but not least, you should secure your hosting. Avoid free hosting: to have something good, you need to shell out some money, so do proper research before choosing where to host your website. Your own machine should be secured too, because a malicious keylogger on your machine can hand over the credentials needed to hack your website.

Keep Spam Free WordPress

Try to keep your WordPress spam free. You can use one of these two plugins: Spam Free WordPress or Akismet.

Fetch as Google Bot

In Google Webmaster Central, use "Fetch as Googlebot" on your site and check the result for any abnormality. Sometimes malicious scripts hide changed title tags or add text content or links to your site that are not visible in the page source; this tool helps you find that.

Use WP Security Plugins

Use WP security plugins such as Wordfence, Limit Login Attempts and All In One WP Security & Firewall.

Use HSTS

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against man-in-the-middle attacks such as cookie hijacking. So when you use SSL on your self-hosted WordPress site, make sure you enable HSTS as well. The plugin WP Force SSL can help with this.

X-Frame-Options SAMEORIGIN & X-Content-Type-Options nosniff

Add these two lines to your .htaccess file:
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff

SAMEORIGIN: when the X-Frame-Options header is set to SAMEORIGIN, the page can only be loaded in a frame whose origin is the same as the page itself.
nosniff: the X-Content-Type-Options: nosniff header prevents the browser from "sniffing" the asset to decide whether its file type is something other than what the server declares.
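Most of the checks in this post (Options -Indexes, the two <Files> deny blocks, the two headers, readme.html, the table prefix, the default security keys and WP_DEBUG_DISPLAY) can be verified from the shell. This audit script is an added example, not part of the original post; it assumes a standard layout with .htaccess and wp-config.php in the install root (placeholder path /your/wordpress/folder) and matches the default placeholder text that wp-config-sample.php ships for the keys.

```sh
#!/bin/sh
# Added example: audit a WordPress install against the hardening items in
# this post. Prints one line per missing item and returns the number of
# findings as the exit status (0 = nothing missing).
# Usage: ./wp-audit.sh /your/wordpress/folder   (placeholder path)
audit_wp() {
    dir=$1
    ht="$dir/.htaccess"
    cfg="$dir/wp-config.php"
    findings=0
    note() { echo "MISSING: $1"; findings=$((findings + 1)); }

    # Directory listing switched off (Secure WordPress directories)
    grep -qs 'Options[[:space:]]*-Indexes' "$ht" || note "Options -Indexes in .htaccess"

    # .htaccess and wp-config.php blocked from the web (Protect .htaccess)
    for f in .htaccess wp-config.php; do
        grep -qs "<Files $f>" "$ht" || note "<Files $f> deny block in .htaccess"
    done

    # Security headers (X-Frame-Options & X-Content-Type-Options)
    grep -qsi 'X-Frame-Options[[:space:]]*SAMEORIGIN' "$ht" || note "X-Frame-Options SAMEORIGIN"
    grep -qsi 'X-Content-Type-Options[[:space:]]*nosniff' "$ht" || note "X-Content-Type-Options nosniff"

    # readme.html leaks the version (Hide WordPress Version)
    [ -e "$dir/readme.html" ] && note "readme.html still present"

    # Default table prefix still in use (Secure WordPress database tables)
    grep -qs "table_prefix *= *'wp_'" "$cfg" && note "table prefix is still wp_"

    # Placeholder keys from wp-config-sample.php (Secure WordPress Security Keys)
    grep -qs 'put your unique phrase here' "$cfg" && note "default security keys"

    # Errors logged but never shown to visitors (Enable WordPress Error Log)
    grep -qs "WP_DEBUG_DISPLAY', *false" "$cfg" || note "WP_DEBUG_DISPLAY set to false"

    return $findings
}

if [ -n "$1" ]; then
    audit_wp "$1"
    echo "Findings: $?"
fi
```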

Always keep the Webmaster Tools at your fingertips so that you remain the only one with authority to make changes to your website. Do not give everyone in your office editorial access to your website's WordPress; keep that privilege to yourself or to the head of website design and development, preferably the webmaster. That way you know who is making changes and when, and your website's security and content will not be compromised.

The above are some must-follow tips to improve the security of your WordPress website/blog and make it difficult for hackers.

Debajyoti Banerjee is the Founder, Director & CEO of Seven Boats, a digital marketing agency and digital marketing training institute in India since 2011. He is a Google & LinkedIn Certified Digital Marketer & Trainer, Brand Strategist, Consultant & Entrepreneur with 17+ years of domain expertise in digital marketing and emerging technologies.


6 Comments

  1. WPSecurityCheck

    Hi Debajyoti,

    This is a great list of things to do to secure your WordPress…

    I recently had some security problems with my WordPress sites, and ended up doing a lot of research into securing WordPress sites…

    I have written up my experiences in a WordPress Security Checklist which can be downloaded for free on wpsecuritychecklist.com.

    My checklist has a few more items on it and includes step by step instructions on how to get the job done…

    Hopefully the checklist can help other people securing their WordPress sites…
  2. Jatin Rohatgi

    Well worth a read.
    Recently I have been facing a problem with WordPress. I was looking into protecting .htaccess, and here I have found this code.
    I also have the Wordfence plugin for protection. But sometimes we have to add manual code for better results.
    Thank you for this informative post.
  3. Priyanka Singh

    Hi Debajyoti sir,
    I have never read such a detailed article on WordPress security. You have explained the topic in a brilliant way & shared valuable insights on hacking methods and prevention. I have already seen some similar articles about security plugins, changing the login URL, limiting login attempts etc. But I never heard that you can protect .htaccess. Thanks to your article, I will start doing that now.
    I appreciate your tips and guidance on hardening WordPress security. It will be handy for anyone who is running websites on WordPress.
