
How to Secure Your WordPress Website in 2017

Having your WordPress site hacked can be a nightmare. It can damage the reputation of your business and lower consumer confidence. Sadly, many people pay little attention to the security of their websites and end up being victims of systematic WP hacking. In this article, I discuss a few security measures which can improve website security and prevent hacking.

Update Your WordPress Framework

The most basic security measure that you can take is to update the WP framework of your website. It is a simple and straightforward way of boosting the security of your site. Just log into your admin panel and check for WordPress updates. If you are running an old version of the WordPress framework, you should upgrade to the latest version. The good thing about WordPress is that there are periodic updates to fix security holes.

Use Strong Login Details

Unless you are working in a local WordPress test environment, you have no excuse or reason for using a weak login password or ID. Most hackers know that the default login ID is “admin”. If you have been using the default login ID, you need to change it immediately to an ID that is hard to guess. For the login ID, it is advisable to combine letters with numbers, say “rumpelstiltskil93”. The same applies to passwords, but since passwords are more sensitive, include special characters ( *#&^<>) in your password as well. This will deter brute-force attacks targeting your site.

Secure the wp-config.php

The wp-config.php is an important file in your WP site. Since it contains sensitive data (database credentials, salts) and the configuration for your website, it should be secured through .htaccess. You can protect this file by adding the following code to the .htaccess file in your website’s root directory:

# protect wp-config.php
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>

The above code denies all browser access to your wp-config.php file. WordPress itself still reads the file from disk, so the site keeps working; only direct HTTP requests for it are refused.

Prevent WP Injection

WP injection is a common technique that hackers use to breach the security of WP sites: a crafted query string that carries script tags or tries to overwrite PHP’s GLOBALS and _REQUEST arrays. To protect your WP site or blog from script injection or unwelcome modification of GLOBALS and _REQUEST, copy and paste the following code into the .htaccess in the root. The conditions are matched against the raw, still URL-encoded query string, which is why each pattern also lists the encoded form (%3C for <, %3E for >).

# protect from script injection and GLOBALS / _REQUEST tampering
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

A request whose query string matches any of the three conditions is answered with 403 Forbidden ([F]) and rewriting stops ([L]). Only the first condition is case-insensitive ([NC]); the other two match exactly as written.
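To see exactly what the three RewriteCond patterns above catch before you deploy them, the same expressions can be evaluated with PHP’s PCRE engine, which is also what Apache’s mod_rewrite uses. This is an added example and not code from the original post; the function name, the rule labels and the sample query strings are constructed, and it assumes PHP 7.1 or later for the nullable return type.

```php
<?php
// Added example (not from the original post): the three RewriteCond patterns
// from the .htaccess above, evaluated with preg_match() so you can check what a
// query string would trigger. Apache compares %{QUERY_STRING} against the raw,
// still URL-encoded string, so samples are passed in un-decoded form.

/**
 * Return the label of the first rule that matches, or null if the request
 * would be allowed. [NC] on the first rule is mirrored by the /i modifier;
 * the other two rules are case-sensitive, exactly as written in .htaccess.
 */
function matching_rule(string $rawQueryString): ?string
{
    $rules = [
        'script tag in query string' => '/(\<|%3C).*script.*(\>|%3E)/i',
        'GLOBALS override'            => '/GLOBALS(=|\[|\%[0-9A-Z]{0,2})/',
        '_REQUEST override'           => '/_REQUEST(=|\[|\%[0-9A-Z]{0,2})/',
    ];
    foreach ($rules as $label => $pattern) {
        if (preg_match($pattern, $rawQueryString) === 1) {
            return $label;
        }
    }
    return null;
}

// Constructed sample query strings: ordinary WordPress requests followed by
// the kinds of tampering the rules are meant to stop.
$samples = [
    'p=42',
    's=wordpress+security',
    'cat=3&orderby=date',
    's=%3Cscript%3E',          // URL-encoded <script>, caught via the %3C/%3E branch
    'GLOBALS[wp_version]=0',   // attempt to write into $GLOBALS
    '_REQUEST[action]=x',      // attempt to write into $_REQUEST
];

foreach ($samples as $qs) {
    $hit = matching_rule($qs);
    printf("%-30s %s\n", $qs, $hit === null ? 'allowed' : "blocked ({$hit})");
}
```

Run it with `php check_rules.php` (any file name will do). The first three samples print “allowed” and the last three print “blocked” with the rule that fired, which is the same decision mod_rewrite would make for those query strings.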

Secure the WP Admin Files

Unless you have a webmaster or web admin, you are the only person who should have access to wp-admin. Since this directory is sensitive to the overall security of your WP site, you should use .htaccess to restrict access to specific IP addresses only. This option works best if you have a static IP address or if you manage your website from a single PC. However, if you run a multi-user website, you should allow access to a specific set of IPs instead. Below is code that you can use to secure your wp-admin. Just copy and paste it into the .htaccess file in the wp-admin folder (Apache does not accept comments at the end of a directive line, so the comment has its own line).

# deny access to wp-admin
# replace xx.xx.xx.xx with your static IP address; repeat the Allow line for each extra IP
Order deny,allow
Deny from all
Allow from xx.xx.xx.xx

The code above denies browser access to the files in this directory to everyone except your IP address. Be aware that WordPress front-end features which call wp-admin/admin-ajax.php will also be blocked for other visitors. Alternatively, you can restrict access to the directory by using a strong password.

Secure your wp-content

Without a doubt, wp-content is the weakest link in your web directory and the easiest point of entry for hackers. This is understandable, since it is the part of the web directory that has to be writable (uploads, themes, plugins). While this is the case, you can still secure it by disabling direct execution of PHP files via .htaccess. Copy and paste the following code into a .htaccess file in the wp-content directory:

# block direct requests for PHP files inside wp-content
<Files *.php>
Order deny,allow
Deny from all
</Files>

*Caution: depending on your theme or the nature of your plugins, the code may or may not break your site (some plugins serve PHP files directly from wp-content). If it breaks, just disable or remove the code.

Use Secure FTP and SSH

Though FTP and SSH are common terms, many people are not familiar with the importance of these protocols. FTP (File Transfer Protocol) is the mechanism through which you and your server exchange files; it sends your credentials and the files themselves in plain text. SSH (Secure Shell) is a protocol that establishes an encrypted connection to another server so that you can communicate with it securely. If you are presented with the option to transfer files to your server, it is advisable to use SFTP (Secure File Transfer Protocol), which runs inside an SSH connection. Besides transferring files securely, SSH lets you work securely on the server itself.

Protect the .htaccess file

The .htaccess file of your WordPress site is a critical component that should be secured at all costs. This file is often edited to set up redirects, and its rewrite rules control how files are served, including which ones are treated as executable. Since the .htaccess file gives you immense power over how the server behaves, you have to secure it by restricting its permissions or denying access to it. To restrict permissions, set the file’s mode to 640. Alternatively, you can discourage external attacks by adding the following .htaccess directives:

# protect .htaccess
<Files .htaccess>
Order deny,allow
Deny from all
</Files>

Conceal the WordPress Version

Intruders and hackers normally target websites that run on older versions of WordPress, because they know which security flaws each version carries. If you can’t update your website regularly, the next best thing is to conceal the version number. Plugins such as Remove Version and Hide WordPress Version can hide the version details that show in the generator tag and on enqueued style and script URLs.
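The plugins named above do their work with a handful of core WordPress hooks. As an added example (not code from the post or from those plugins), here is the same thing done directly as a must-use plugin; it assumes WordPress 4.4 or later, and the file name and the `hwv_` function prefix are my own.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version (added example)
 *
 * Added example, not from the original post or from the plugins it names.
 * Save as wp-content/mu-plugins/hide-wp-version.php (create the folder if it
 * does not exist). Must-use plugins load automatically and cannot be switched
 * off from the dashboard. Hook and function names are core WordPress ones.
 */

// 1. Stop WordPress printing <meta name="generator" content="WordPress x.y"> in <head>.
remove_action('wp_head', 'wp_generator');

// 2. Blank the generator string used in RSS/Atom feeds and elsewhere.
add_filter('the_generator', '__return_empty_string');

/**
 * 3. Strip the "?ver=x.y.z" argument that wp_enqueue_script() and
 *    wp_enqueue_style() append to asset URLs. Core assets (and plugin assets
 *    that pass no version) default to the WordPress version as "ver", which
 *    is what leaks it. Assets that carry their own version keep it, so
 *    cache-busting for themes and plugins still works.
 */
function hwv_strip_core_version($src)
{
    global $wp_version;

    if (!is_string($src)) {
        return $src;
    }
    $query = parse_url($src, PHP_URL_QUERY);
    if (!is_string($query)) {
        return $src; // no query string, nothing to strip
    }
    parse_str($query, $args);
    if (isset($args['ver']) && $args['ver'] === $wp_version) {
        return remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'hwv_strip_core_version', 15);
add_filter('style_loader_src', 'hwv_strip_core_version', 15);
```

After installing it, view the page source of your home page: the generator meta tag should be gone and core assets such as wp-includes/js/jquery/jquery.js should load without a `?ver=` argument. Remember that this only hides the number; it does not remove the flaws an outdated version carries, so updating still comes first.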

Change Login Area Slugs

It may not sound like a foolproof solution, but it will certainly help you conceal the login page from people who want to attempt brute-force logins. You can change the default login URLs in WordPress from /wp-admin and /wp-login.php to something that intruders won’t be able to guess.

Install WordPress Security Plugins

There are so many WP plugins on the market so you can’t run short of options. Security plugins can lower the risk of forced entry to your website. Before you install any of them, log into your dashboard then remove any unused plugins. Try to reduce the number of plugins that you’re using at a time.

Going back to security plugins, there are more than 20 of them in the WP plugin repository. I know it may be tough choosing amongst the ones available. Below are some good plugins that can help keep your website secure in 2017 and beyond.

  • All In One WP Security – This is an awesome plugin for checking for vulnerabilities and implementing various security measures. You can use it to scan for malicious code. The good thing about it is that it comes with a dashboard that shows you the security score of your site. Free and premium versions are available.
  • Wordfence – It’s another good plugin that allows users to implement login security, block specific IP addresses and scan for malicious code in WP core. Once you install it, you can set up monitoring and a web firewall. The plugin also provides real-time threat feeds, alerting you of any unusual activity.
  • iThemes Security – This is a good plugin with awesome security features that can keep intruders at bay. You can use it to modify database prefixes, scan for malware, track user activity, and generate strong passwords for your site.
  • Sucuri – This plugin allows you to scan for malware, monitor user activity, audit security activity, and set up a web firewall, among other things. It’s a really good option for those who want to harden the security of their WP sites.

Only Buy Themes from Trustworthy Vendors

There are many online marketplaces which offer free WordPress themes. Some of them are developed by very good developers while others are done by amateurs. Just to be safe, always go for premium themes from trusted vendors such as ThemeForest, Theme Isle, and Mojo Marketplace. Why is that? Trusted vendors normally patch security flaws in their themes promptly. They also perform rigorous scans and tests before they roll out any theme. So you’re not only assured of a quality theme but a secure one too.

Sign Up with a Host who has High Security Standards

Not every security flaw or risk comes from the website. Some of the vulnerabilities arise from the host. If you want to set up a website then go to a hosting service provider who has robust security measures in place. A good host will actively fight off hackers, provide routine updates, and help you resolve security issues that could jeopardise website security.

Be Vigilant

Just because your WordPress site runs on the latest WP framework or has security plugins installed doesn’t mean it’s foolproof. Hackers never sleep. They are always looking for security flaws and devising new ways of compromising WordPress sites. Check for updates, reset your password from time to time, and monitor site activity. Most importantly, stay abreast of what’s happening in the industry.

Conclusion:

Hackers will stop at nothing to have their way, so you must stay alert to secure your WordPress site. Check for and install WP updates, use security plugins to set up a web firewall, buy themes from trusted vendors, and restrict access to sensitive files by IP address. Whatever it takes to secure your site, do it.
