How To Secure A WordPress Blog – Beginner To Pro

In recent times, WordPress has been heavily targeted by hackers. Because WordPress is built on PHP and MySQL, finding a vulnerability in a WordPress site is not hard.
Here I’m sharing some newbie tips to secure your WordPress blog. These are basic tips, but sometimes missing these basic tips may lead to losing your WordPress blog to some hacker.

WordPress powers around 30% of the websites in the world & is currently the most popular CMS apart from dedicated blogging software.
I can quite confidently say that being a user of this awesome CMS for the past 9 years, I simply love the fact that I can choose from thousands of plugins from the WordPress plugin database. The plugin database has never failed me.

There are also endless options when it comes to themes, as well, right from the Genesis theme to Thrive themes to so many others.
That is the good part, but wherever there is good, there is also evil. My site has been hacked nearly 6 times in the past by some Arabian and Turkish hackers (at least that’s what they claim). They infiltrated my site and left it with an ugly black background featuring GIF images of skulls and ravens.
Most of these attacks are carried out through something called SQL injection.
Nowadays, it has become a necessity to do all the preliminary safeguarding measures to keep these hackers at bay.

Proven Tips To Secure Any WordPress Blog

1. Configure Backups
Even though I have given a lot of proven tips below to secure your WordPress blog, you need to ensure that if something happens, you won’t lose anything.
Not having a proper WordPress backup solution in place is the biggest mistake you can make. When big sites like Sony or Dropbox can be hacked, your WordPress blog will be comparatively easy for a hacker to crack.
So the first thing is to ensure you are taking a daily backup of your blog.
If you are earning money from your blog, I suggest using VaultPress for taking backups which only costs $5/month.
You might argue that your hosting company offers backups, but this is only a good option if they store the backup on a different server.
2. Use A Reliable & Secure Hosting Company
Your WordPress installation is just software installed on a server. The foundation of a secure website is a server which has enough protections that ensure your website is safeguarded against hackers. A free web-hosting company is a big no-no & something you should avoid.
Make sure your hosting company has proper rules set in place & has firewalls to stop an attack on your site.
I understand that it’s hard to know which hosting company is reliable against hackers & that’s why I have created this quick list of hosting companies that offer great security on their server:
3. Update WordPress
Keeping your WordPress software up to date is the most basic security tip for any WordPress blogger. This is something that you never want to miss.
Whenever WordPress is sending an update, it means that they have fixed some bugs, added some features, and most importantly, added some security features and fixes.

When you see the message: “WordPress x.x.x is available!”
Update it.
Nowadays, with one click updates, it’s very easy to upgrade your blog.
Make sure your theme and plugins are compatible with this latest version of WordPress. If an update has been rolled out and it’s not a security update, I suggest you wait 5-6 days until other users have stopped reporting bugs in the latest version.
4. Update WordPress Plugins
As I mentioned above, WordPress releases an update to fix bugs and security holes, and the same goes with plugins.
Many times, a vulnerable plugin or script becomes the entry point into your WordPress site. One such issue we have seen in the past is the TimThumb vulnerability. The flaw was in a single script, and every plugin that bundled this script became vulnerable too.
It’s important to keep your plugins updated. Always use plugins which are continually updated and have good support. Being dependent on plugins which are not updated is a bad idea.
Also, always use the official WordPress repo to download plugins.
5. Hide WordPress Version
Let’s assume you don’t have those 2 minutes to update your WordPress core files. The listed WP version can spark an idea for a hacker to break in. If you are running an older version of WP and everyone knows it, trust me, you are doomed.
Most theme designers these days get rid of it for you, but just to make sure, go to your theme’s functions.php and add this line inside the existing PHP block (no extra opening or closing PHP tags are needed):
remove_action( 'wp_head', 'wp_generator' );
6. Use A Complex Login Password
I shouldn’t have to mention this, but I know too many people who use ingenious and insanely complex passwords like:
  • password
  • ilovejesus
  • 123123
Brilliant.
Please make your passwords complex, add a couple of special characters (%&*#), and keep changing it every 5 or 6 months.
I would also like to recommend a plugin called Login Lockdown. This plugin records the IP address and time stamp of every failed login attempt. After a specific number of failed attempts from a particular IP, that IP is blacklisted. This helps a lot in preventing brute-force attacks. You can also use the popular WPS Hide Login plugin to change your login URL, which makes it harder for hackers to brute-force your login page.
At your end, you should also start using a password manager like Dashlane that will help you further improve your password security.
7. Check WordPress Folders File Permissions
Go to the File Manager in your cPanel, or log in to your FTP software, and check the file attributes of your WordPress folder.
It’s good if it’s 744 (read-only for everyone but the owner). If you find it to be 777 (writable by anyone on the server), consider yourself extremely lucky that you haven’t been hacked yet.
When most bloggers change hosting, they don’t realize how their file permissions also get changed. Make sure you verify all file permissions after migrating your hosting.
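As an added example (not from the original post) of the permission check above, here is a shell script that audits a whole WordPress tree instead of one folder; it assumes the path you pass it is the WordPress root and only reports, never changes, anything:

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress tree for loose
# file permissions. The argument is the WordPress root directory (assumed).
# Nothing is changed; offending paths are only reported.

# Print every file or directory that is writable by "other" (the last 7 in
# 777). Any process on the server can modify these, which is how a backdoor
# gets planted from a compromised neighbour on shared hosting.
find_world_writable() {
    find "$1" -perm -002 -print
}

# Print directories whose mode is not 755 and regular files whose mode is not
# 644 (the post's 744 is equally safe: nobody but the owner can write).
# wp-config.php is skipped here because it should be stricter, e.g. 600.
find_unexpected_modes() {
    find "$1" -type d ! -perm 755 -print
    find "$1" -type f ! -perm 644 ! -name wp-config.php -print
}

# Succeed (exit 0) only when nothing in the tree is world-writable, so the
# check can gate a deploy script or run from cron after a hosting migration.
tree_is_clean() {
    [ -z "$(find_world_writable "$1")" ]
}

# Full report. Usage: sh audit-perms.sh /path/to/wordpress
audit_tree() {
    echo "== world-writable (fix these first) =="
    find_world_writable "$1"
    echo "== directories not 755 / files not 644 =="
    find_unexpected_modes "$1"
    echo "== wp-config.php =="
    ls -l "$1/wp-config.php" 2>/dev/null || echo "not found"
}

if [ $# -gt 0 ]; then
    audit_tree "$1"
fi
```

Run it over SSH as the account that owns the files; on cPanel hosts that is normally your own user, and the world-writable list is the one to fix first.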
8. Delete Default Admin User
This is one of the most crucial tips for people who are looking to create a secure WordPress blog. The default “admin” username is prone to brute-force attacks because most people never change it.
When you install WordPress, make sure you use a custom username and do not use “admin”.
You can create a new user with “Administrator” rights, and give this new administrator a nickname that will be publicly displayed in case he/she writes a post. Now, log out and then log back into the newly created admin account and delete the old “admin” user.
When WordPress asks what to do with the old user’s content, make sure you attribute all posts and links to the new user you created.
Here is an alternative way to change the default username:
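The same user swap done from the command line, as an added example that is not from the original post: it assumes WP-CLI (the wp command) is installed and that you run it from the WordPress root; the new login, e-mail and display name are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original post): replace the default "admin"
# account using WP-CLI ("wp"), which is assumed to be installed; run it from
# the WordPress root. The new login, e-mail and public display name are
# whatever you pass in; WP-CLI generates and prints the new password.
set -e

# Create the new administrator, hand admin's posts to it, then delete admin.
# Usage: replace_default_admin <new_login> <email> [display_name]
replace_default_admin() {
    new_login=$1
    email=$2
    display=${3:-"Editor"}

    # Refuse to run if there is nothing to replace or the login is taken.
    if ! old_id=$(wp user get admin --field=ID 2>/dev/null); then
        echo "no user named admin exists, nothing to do" >&2
        return 1
    fi
    if wp user get "$new_login" --field=ID >/dev/null 2>&1; then
        echo "user $new_login already exists, pick another login" >&2
        return 1
    fi

    # The display name is what readers see on posts; the login stays private.
    wp user create "$new_login" "$email" --role=administrator \
        --display_name="$display"
    new_id=$(wp user get "$new_login" --field=ID)

    # --reassign moves every post owned by admin (ID $old_id) to the new user
    # instead of deleting the content together with the account.
    wp user delete "$old_id" --reassign="$new_id" --yes

    # List who still holds administrator rights so leftovers are obvious.
    wp user list --role=administrator --fields=ID,user_login,display_name
}

if [ $# -ge 2 ]; then
    replace_default_admin "$@"
fi
```

Log in with the new account and confirm your posts still show the right author before closing the old session.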
9. Hide The Plugins Directory
The plugins folder /wp-content/plugins/ should not show the list of folders and files inside it.
Try visiting your plugins folder (replace domain.com with your domain name):
  • domain.com/wp-content/plugins/
If you see a list of folders and files, you need to hide them.
To hide these folders, you need to create a new .htaccess file and drop it in your plugins directory.
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# Prevents directory listing
IndexIgnore *
# END WordPress
If you already have a well written .htaccess file in your root directory, adding a separate .htaccess to an individual folder is not going to cause any harm.
Also, take a look at this post for better understanding of how to edit the .htaccess file.
10. Turn Off Database Errors
In older versions of WordPress, if there were errors in the MySQL database, it would show the exact error on the browser itself giving the hacker valuable information about your database.
To prevent this, you need to update your WordPress to the latest version, so that it only shows a general error message like “Database connection error” instead of revealing exactly what is wrong.
Log in to your WP dashboard and update your WordPress core files.

Creating A Secure WordPress Website

This is not everything; there are many other tips you should follow to create a secure WordPress blog. One tip I highly suggest is that you stop using WordPress themes with an encrypted (obfuscated) footer.
If you are serious about your blogging, download a theme from the official repo, or better yet, use a Premium WordPress theme.
Again, it’s a wise idea to take automatic backups of your WordPress blog at regular intervals to make sure you can always roll back your blog to a healthy condition.
Do let us know what other security tips you would like to give to other bloggers to keep their WordPress blog secure. Share your tips in the comments below!