
WordPress Security – 20 Tips to Keep Your Website Safe!


While an online presence helps reach a mass audience and expand your business, it comes with certain threats and risks. Top-rated open-source CMS platforms like WordPress can be even more vulnerable and demand prioritization of optimum security. 

Fortunately, if you take the proper steps, you can secure your WordPress site and prevent breaches and leakages. In this article, we’ll let you know about threats and risk factors that your WordPress website poses and what measures you can take to make sure that your WordPress site stays secure.

Is WordPress Secure?

Although WordPress is a safe content management system, it can easily fall prey to security breaches. Since WordPress is a popular CMS, it’s become a hot target for cyberattackers. A firewall service named Wordfence reported that it blocked 18.5 billion password attack requests on WordPress websites.

According to the Common Vulnerability Scoring System, 8 out of 10 WordPress websites fall into the “medium” or “high” category. This data shows that WordPress is probably not as secure as you might think based on its popularity. However, we still recommend using WordPress. Nearly 50% of websites use WordPress as their primary CMS. 

You should know that WordPress is not entirely at fault here. In fact, they have a world-class team of researchers who regularly release new security updates to make WordPress a more safe platform. But the problem arises with how WordPress is available to its users. 

Since WordPress is an open-source platform, the source code can be modified and distributed anywhere – its software is indefinitely customizable. While this flexibility is a massive reason behind WordPress’s popularity, it also makes it prone to many security issues. 

It’s the user’s responsibility to ensure their website is secure if they optimize and customize it according to their preferences. But since many users shrug this off, attackers have the chance to sneak in and take advantage of vulnerabilities.

For instance, on medium and high-scale websites, some users try to manage the whole website by themselves instead of trusting a managed WordPress hosting service. Since users cannot possibly oversee everything by themselves, security and website infrastructure end up compromised.

Understand that you can’t entirely eliminate risk factors, but you can make sure you reduce them as much as possible by taking specific measures. 


Why is WordPress Security Important?

If a WordPress website isn’t secure, it poses several risks and threats to your business. For starters, your website is prone to get hacked if it’s not optimally secured. Hackers can steal your private information, passwords, and customer data and leak or change it.

Secondly, hackers can install malware on your site, which can be distributed to your users, risking your site’s authenticity and reputation. What’s more, if your website is hacked, you can find yourself paying ransom to hackers to get your site’s access back. 

Have you ever gone to a website and seen a search engine popup that says “not secured”? That popup significantly increases the bounce rate, as users will leave the site when they see it’s not secure. 

A business-based website should not take these risks – it can negatively impact your revenues and rapport. Just like locking the store, keeping the cash register attended, and installing cameras everywhere are the responsibilities of a physical business store, you need to take equivalent measures to keep your online business place safe and secure.

Types of WordPress Security Vulnerabilities

  1. Backdoors

As its name suggests, this vulnerability provides hackers and stealers with hidden passages or “backdoors” to enter your website, bypassing encryption and security measures. They apply unorthodox methods to access websites, such as wp-admin and SFTP.

Once these backdoors are successfully used, hackers can wreak havoc on hosting servers with infections and attacks, affecting every website hosted on the same server at once. These backdoors may look like legitimate system files and smoothly make their way into WordPress databases, where they exploit bugs in outdated platform versions. 

Fortunately, you can prevent this vulnerability by integrating your website with security tools like SiteCheck that can easily detect common backdoors. You can also use managed WordPress hosting by HostPapa, which comes with security measures to detect and delete backdoors, including blocking IPs, two-factor authentication, restricting admin access, and prevention of unauthorized execution of PHP files.

  2. Pharma Hacks

Pharma hacks insert rogue codes in outdated versions of WordPress and its plugins. It causes search engines to return ads for pharmaceutical products when a compromised site is searched. 

This vulnerability is more like a spam menace than a malware complication, but it gives search engines enough reason to block the site on reports and accusations of spam distribution. In other words, Pharma Hacks can get your site permanently blocked. 

You can prevent Pharma Hacks if you use recommended WordPress hosting with updated servers and proper management.

  3. Brute-Force Login Attempts

A brute-force login attempt uses automated scripts to exploit weak passwords to gain access to WordPress websites. This is why you should make your passwords as strong as possible.

Two-factor authentication, limited login attempts, blocking IPs, monitoring unauthorized logins, monitoring unfamiliar devices, and using strong passwords can be effective in the prevention of brute-force login attempts.  

  4. Malicious Redirects

Malicious redirects create backdoors in WordPress using abnormal methods like FTP, SFTP, and wp-admin and inject redirection codes into websites. These redirections are often put in your “.htaccess file” and other core WordPress files, which redirect your visitors to malicious sites. The security measures we discuss in this article will help secure your website against malicious redirects.

  5. Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) occurs when a malicious script is injected into a trustworthy application or website. The attacker gets malicious code delivered to the user’s browser without their knowledge, where it grabs cookie or session data that the attacker can then use.

Wordfence reported that cross-site scripting is the most common WordPress plugin vulnerability.

  6. Denial of Service

Denial of Service (DoS) may be the most dangerous WordPress vulnerability. It overwhelms the memory of the website’s OS through errors and bugs in the code. Hackers have exploited DoS on millions of websites for millions of dollars through outdated and buggy versions of WordPress. DoS is usually used by financially motivated cyber attackers, which puts large-scale companies at risk. 

The first step against this vulnerability is always having an updated version of WordPress. That being said, even the latest version can’t completely defend against a pro-level DoS attack. However, it can protect you from being caught in a crossfire between financial institutions and cybercriminals.

Are you wondering what can be done to make sure that your site is as safe as possible from these vulnerabilities altogether? Follow this guide and implement each of our WordPress security tips and measures to get the highest level of security for your site, starting from getting secure WordPress hosting. 

Choose Secure WordPress Hosting

WordPress security is more than just getting a couple of certificates to encrypt your site. The actual process begins with choosing secure WordPress hosting. This is because your host is responsible for web server-level security, and if a security breach impacts your site at the server level, your server host would be at fault. 

A thoroughly-secure WordPress environment can be created through server hardening, which takes multiple layers of hardware and software security measures to ensure that the physical and virtual infrastructure is safe and can defend itself against threats. 

Server hardening isn’t easy – it takes a lot of time, effort, and money, especially if you only have one website to secure. This is why people don’t opt for such security measures. 

The best way to eliminate this issue is to get managed WordPress hosting, which comes with enhanced security. Your host will give you your own space on the web and take responsibility for keeping your site safe and updated. 

Use the Latest PHP Version

PHP is the most critical part of your WordPress website, so you need to use the latest version. Each version of PHP is supported for two years, starting from its release. During this period, security issues and bugs are fixed regularly. PHP 8.1 is the latest version, and PHP version 7.3 or any version below are no longer supported. Anyone using unsupported versions is exposed to different security vulnerabilities.

Unfortunately, according to WPTavern, PHP 5.6 is still the most used version of PHP, while 95.3% of websites with PHP are still using series 5 versions. In other words, most websites registered on WordPress aren’t using the updated versions of PHP and are working on versions no longer supported or secured. Considering this, WordPress isn’t to blame for the security breaches in websites – website owners are.

Sometimes businesses and developers need time to test and check if their website is compatible with the new version, but running their website on code that is no longer officially secured is foolish. Apart from that, old PHP versions aren’t as optimized as the new versions and negatively impact performance.

If you don’t know which PHP version you’re using, check whether your host has made the request header option available. A lot of hosting providers don’t show this for security reasons. However, you can still check and switch PHP versions, depending on the permissions your hosting provider has made available to you.

Set Smart Usernames and Passwords 

One of the simplest ways to harden your security is to set a strong username and password. Surprisingly, a lot of people don’t do this. According to SplashData’s top 50 passwords 2019, the most popular password was “123456,” followed by an incredibly naive “password.” Others on the list are “iloveyou” and “12345678.” This is one reason why some hosts force a strong and complex password when you are signing in. 

Security basics start with your username and password. While you should always create the strongest passwords, make sure that you keep them noted somewhere so you can gain access to your website if the password escapes your mind.

If you have more than one website, set different passwords for each one. You can even use an online password manager to manage passwords for different sites and platforms and get away from using sticky notes. HostPapa has great tips for creatively setting and managing usernames and passwords.

Always Update the Version of WordPress, Plugins, and Themes

WordPress and its plugins and themes can cause you problems if they’re not updated to their latest versions. These need to be updated for a reason – updates often come with security enhancements and bug fixes. 

Choosing not to update could lead to security breaches, hacks, and exploitation of different vulnerabilities. Surprisingly, millions of websites are running outdated versions of WordPress and plugins.

Common excuses given by website owners for not updating WordPress, plugins, and themes are that their site will break, the plugin won’t work, their core modifications will be gone, or they don’t need new functionality. 

In fact, one of the reasons websites “break” is that they’re not updated to more secure versions. Core modifications are risky, and WordPress developers and experts would never recommend them. If they’re stopping you from updating to a new version, they’re not worth it. 

WordPress updates mostly come with must-have security fixes and patches and additional functionality to run the latest plugins. If updates bring any change to functionality, it only improves it more.

Deliberately not updating your WordPress or its themes and plugins is foolish. A report showed that plugin vulnerabilities represent around 56% of entry points for hackers. Updating your plugins can ensure you don’t fall victim to this – the same goes for themes and WordPress software. 

If you have managed WordPress hosting, you don’t have to worry about making updates – it will be taken care of by your host. However, if you’re not subscribed to that service, read on to learn how to update your WordPress, themes, and plugins. 

  1. Updating Your WordPress Version

WordPress has made it pretty simple for its users to update their WordPress version. You can do it right from your WordPress dashboard.

To update your WordPress software, go to Updates in your WordPress dashboard and click Update Now.

You can also manually update WordPress by downloading the latest version on your device and uploading it via SFTP, but be careful. Overwriting the wrong folders can break your site. If you don’t know how to do this, stick to automatic updates.

  2. Updating Your WordPress Plugins

First of all, make sure that you install trusted plugins. Plugins labelled “featured” and “popular” are usually the ones you can trust.

Make sure you download the plugin itself from the WordPress repository, not a copy or a namesake. Or, you can download the plugin you want directly from the website that developed it. That way, there won’t be any chance of downloading a corrupted version.

Secondly, beware of free plugins. While most of them are good to use, some are harmful and can gradually affect your site’s security. We always recommend you get premium plugins. 

The process of updating a plugin is very similar to updating your WordPress. To update a WordPress plugin, go to your WordPress dashboard and click on Updates. The plugins with updates available will be shown. Select the plugins you want to update (by marking them) and click on Update Plugins.

Similarly, you can also update your plugin manually. You can get the latest plugin version from the developer or the WordPress repository and upload it via FTP. Ensure you’re overwriting the existing plugin within the “/app/plugins” directory.

You should always get a plugin that is kept up to date. According to a report by WPLoop, nearly 50% of plugins haven’t been updated in two years. This doesn’t mean that a plugin won’t work, but a plugin that hasn’t been updated in a while will have some security vulnerabilities. 

To avoid that, look at the “last updated” date whenever downloading a plugin. Check its ratings and labels to be sure. Look out for WordPress’s warning at the top of plugins that haven’t been updated for a long time.

  3. Updating Your WordPress Theme

Updating your WordPress theme is as straightforward as updating WordPress or its plugins. Before we learn how to update a theme, let’s get familiar with how to install a theme the right way.

A theme changes your website’s looks. It can also bring a unique feature or provision, depending on the theme. People take themes very lightly, but the truth is that themes can help your website grow. Downloading the wrong theme (one not verified or updated correctly) can put your website in a risky position. Therefore, you should know how to choose the right WordPress theme.

The current version of WordPress comes with four pre-installed themes, which are:

  • Twenty Nineteen
  • Twenty Twenty
  • Twenty Twenty-One
  • Twenty Twenty-Two

When you log in to your WordPress for the first time, you’ll see the default theme, but you can install a new theme. There are two ways to install a new theme in WordPress. One is to do it through the dashboard, and the other is to upload your own theme.

To install a new theme from WordPress, go to Appearance from your WordPress dashboard and select Themes > Add New. Use the search and filter options to find the theme you’re looking for.  

Click on Preview to see how the theme will look on your site. If you like it, click Install Now, and the theme will be added to your site. Once the theme is installed, select Activate Theme.

The second way to get a theme on WordPress is to upload it – you can do this if you’ve downloaded a theme for a WordPress website from somewhere else and want to apply it on your WordPress site.

To do that, go to Appearance > Themes > Add New > Upload Theme.  

Next, click Browse to find your theme from your device and click Upload. Once your theme is uploaded, you can click on Activate Theme to set your new theme as active.

Themes you’ve downloaded from WordPress can also be updated. Like plugins, we recommend downloading themes that are kept up to date regularly. 

You can update your theme in a similar way to plugins and software. To update your theme in WordPress, go to Updates on your dashboard and select your theme. Click on Update Themes and your theme will be updated.

Manage Your WordPress Login

Securing your WordPress is a lot simpler than you might think. If you make it harder for hackers to find backdoors and other vulnerabilities in your site, you’re much less likely to be hacked. 

However, some people don’t pay attention to the login page. Keeping your admin and login page secure is a WordPress security basic, and there are some really easy ways to do it. 

  • Change your WordPress login URL
  • Limit login attempts
  • Add basic HTTP authentication
  • Lockdown a URL path

  1. How to Change Your WordPress Login URL

By default, your WordPress website’s login page URL is “domain.com/wp-admin.” The problem is that everyone familiar with how WordPress works knows this too, including hackers and bots. If they want to find your login URL to attack your website, there’s nothing stopping them.

By changing your WordPress login URL, you make it less likely that cybercriminals will find your login page, and protect yourself from vulnerabilities like brute-force attacks. While this solution does not exactly guarantee safety, it puts you in the right direction in terms of your website’s security. 

To change your WordPress login URL, use the free WPS Hide Login plugin. This plugin from the official WordPress repository has a simple input field – all you have to do is think of something unique.

  2. How to Limit Login Attempts

While changing your login URL can decrease the chances of a brute-force login, putting a limit on logins can further enhance security. Luckily, there’s a plugin for that as well. The free Cerber Limit Login Attempts plugin on WordPress can set up limited login attempts, lockout durations, and IP whitelists and blacklists. 

However, if you’re looking for something simpler, the Login Lockdown plugin can record every failed login attempt’s IP address and timestamp. If the number of failed login attempts from the same IP range crosses the limit within a short period of time, the login function will be disabled for all requests from that range. This is also possible with the WPS Hide Login plugin mentioned above. 
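To make concrete what the “limit login attempts” plugins described above actually do, here is a small added example (written for this article, not code from any of the plugins or from HostPapa): a per-IP failure counter with a sliding window, a lockout period, and an allowlist. The thresholds, the allowlisted address, and the sample login events are all constructed assumptions.

```python
import time
from collections import defaultdict

# Constructed policy values (assumptions for this example, not the plugins' defaults).
MAX_ATTEMPTS = 5        # failed logins tolerated inside one window
WINDOW_SECONDS = 600    # sliding window in which failures are counted
LOCKOUT_SECONDS = 1800  # how long a locked-out address is refused


class LoginLimiter:
    """Per-IP failed-login tracker with a lockout: the core logic behind
    "limit login attempts" plugins."""

    def __init__(self, allowlist=()):
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.locked_until = {}             # ip -> time at which the lockout ends
        self.allowlist = set(allowlist)    # addresses that are never locked out

    def is_locked(self, ip, now=None):
        """True while `ip` is inside its lockout period; expired lockouts are cleared."""
        now = time.time() if now is None else now
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now=None):
        """Call after a failed login. Returns True if this failure triggered a lockout."""
        now = time.time() if now is None else now
        if ip in self.allowlist:
            return False
        recent = [t for t in self.failures[ip] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, ip):
        """A successful login wipes the failure history for that address."""
        self.failures.pop(ip, None)


def simulate(events):
    """Replay (timestamp, ip, login_succeeded) events through a limiter and return
    the (timestamp, ip) pairs refused because the address was locked out."""
    limiter = LoginLimiter(allowlist={"203.0.113.10"})  # constructed: the admin's office IP
    refused = []
    for ts, ip, ok in events:
        if limiter.is_locked(ip, now=ts):
            refused.append((ts, ip))
            continue
        if ok:
            limiter.record_success(ip)
        else:
            limiter.record_failure(ip, now=ts)
    return refused


# Constructed sample: one address hammering the login form, one ordinary user
# who mistypes once, and the hammering address returning after the lockout ends.
SAMPLE_EVENTS = [
    (0, "198.51.100.7", False), (1, "198.51.100.7", False), (2, "198.51.100.7", False),
    (3, "198.51.100.7", False), (4, "198.51.100.7", False),   # fifth failure -> locked out
    (5, "198.51.100.7", True),                                # refused even with the right password
    (6, "192.0.2.44", False), (7, "192.0.2.44", True),        # ordinary user, unaffected
    (4 + LOCKOUT_SECONDS, "198.51.100.7", False),             # lockout over, counting restarts
]

if __name__ == "__main__":
    for ts, ip in simulate(SAMPLE_EVENTS):
        print(f"t={ts}: login from {ip} refused (locked out)")
```

Note that a locked-out address is refused even when it finally presents the right password (the event at t=5); that is the point of a lockout, and it is also why an allowlist for your own static IP is worth having so you cannot lock yourself out.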

  3. How to Add Basic HTTP Authentication (htpasswd protection)

Another way to secure your WordPress login is to add HTTP authentication, which requires a separate set of usernames and passwords to access the login page. It’s a very effective way to stop bots and scammers. There are two platforms (HTTP servers) that can help you with a password-protected directory.

Apache 

You can enable password-protected directories from the control panel if you’re using a cPanel host. To set it up manually, you’ll need to create a “.htpasswd” file. You can use a “htpasswd generator” tool to produce it, then upload the file to the location named by the AuthUserFile directive in the “.htaccess” file below, for example “/home/user/.htpasswds/public_html/wp-admin/htpasswd”.

Next, create a “.htaccess” file with the following code:

AuthName "Admins Only"
AuthUserFile /home/user/.htpasswds/public_html/wp-admin/htpasswd
AuthType Basic
Require user yourusername

Upload this file in your “/wp-admin/” directory. Remember to update the directory path and username. 

One limitation is that this will break AJAX (admin-ajax) on the frontend of your website, so you also need to add the following code to the “.htaccess” file above. (The Order/Allow directives are Apache 2.2 syntax; on Apache 2.4 they only work while the mod_access_compat module is loaded.)

<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

Nginx

Nginx can also restrict access with basic HTTP authentication. Depending on your host, you’ll most likely use the password protection tool in your website’s dashboard. Enable this tool and you’re good to go.

Once the tool is enabled on your WordPress website, your website will require authentication before you can reach the login page. You can change the credentials or disable the tool anytime you want.

  4. Lockdown a URL Path

Last but not least, if you’re using a WAF (web application firewall), such as Sucuri or Cloudflare, you can lock down a URL path. With that, only your IP address would be able to access your WordPress admin login URL. 

Generally, website owners, especially in eCommerce or membership sites, don’t use this method as they often have to rely on backend operations to get the work done. Still, it’s a great way to harden your website’s security. 

Two-Factor Authentication

You’ve probably heard the term “two-factor authentication” frequently. Let’s look at why it’s one of the most critical and easiest methods to implement to harden your website’s security. 

No matter how secure, strong, and complex your password is, there’s always a chance that someone can discover it and use it to access whatever you’ve protected with it. Two-factor authentication is a two-step login process, where you need not only a password but also a second factor. Generally, this second factor is a text message with a one-time password (OTP). 

There’s no doubt that this method is safe from brute-force attacks – it’s nearly impossible that the attacker who succeeds in breaking your password would also have your phone number and OTP.  

When we talk about the two-factor authentication of websites, there are two sides to it. First is your account and dashboard registered with your hosting provider. If someone has access to this, they can change your passwords, change your DNS records, and even delete your website. Therefore, it’s critical to choose a reliable hosting provider.

The second is related to the two-factor authentication of your WordPress installation. There are some plugins you can use for this, including Duo Two-Factor Authentication and Google Authenticator.

Take advantage of two-factor authentication. Not only is it one of the easiest methods to implement a more secure protocol, but it can prove viable against vulnerabilities.

HTTPS – SSL Certificate

People usually overlook the importance of installing an SSL certificate and running the website over HTTPS. HTTPS (Hypertext Transfer Protocol Secure) is a system that allows your browser to connect with a website securely. SSL is a certificate that places a “lock” on your website, showing visitors that it’s secure.

A popular misconception is that you don’t need an SSL certificate if you’re not accepting credit cards on your website, but this is far from the truth.

  1. Security

HTTPS is mostly used to provide additional security to sites involved in eCommerce, but this isn’t the only reason HTTPS is crucial. Ask yourself, how important is your login info? Those running multi-author websites need to understand that if you’re running over HTTP, every time a person logs in, the information goes to the server in plain text. Anyone positioned on the network path can intercept this text.

However, HTTPS makes sure that the connection between the browser and the website is secure and completely encrypted, preventing eavesdroppers from reading what passes between them. Therefore, whether you’re running a blog, service-based site, or eCommerce business, HTTPS-SSL will ensure prime-level security so nothing passes in plain text.

  2. SEO

It’s officially been declared that HTTPS is a ranking factor in Google. Sites powered by HTTPS – SSL are preferred by Google to come on top of SERPs. Google recommends visitors land on secure and encrypted sites instead of unsecured ones.

While it’s only a small factor in your site’s ranking, it’s worth taking advantage of so you can beat your competitors in SERPs (search engine result pages).

  3. Trust and Credibility

A survey conducted by GlobalSign reported that about 29% of visitors make sure they have a green address bar in their browser, and 77% of them are concerned about their data being misused or intercepted while they are surfing. 

When you implement SSL security measures, you get a green padlock on the left corner of your address bar, which tells the user that the site is secure and their data is protected. That increases the credibility of the site, and customers or visitors will instantly have peace of mind knowing that whatever information they are giving on the website is secured. 

If you don’t have an HTTPS website secured, you should read a guide to redirect website visitors from HTTP to HTTPS.

Protect Your wp-config.php

The backbone of your WordPress installation is your wp-config.php file, and it must be protected at all costs. This file holds your database login information and the security keys that encrypt the information stored in cookies. To protect this file, below are some of the actions you can take.

  1. Move wp-config.php

Your wp-config.php file is in the root directory of the WordPress installation by default (/public_html folder). However, this can be moved to a non-www accessible directory to keep it safer.

To move this file, copy everything into a different file, then place the following snippet in your wp-config.php file to include your other file. 

<?php
include('/home/user/wp-config.php');

Note: Based on your web host and setup, the directory path may be different.

  2. Update WordPress Security Keys

WordPress security keys are a set of random values used to encrypt information stored in the user’s cookies. There have been four different keys since WordPress 2.7: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY.

These keys are randomly generated for you when you install WordPress. However, if you’ve migrated your website multiple times or bought it from someone else, it’s better to create a new set of keys for maximum security. You can find the keys in your wp-config.php file. 
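Rotating the keys by hand means pasting four new random strings into wp-config.php without breaking the PHP syntax. As an added example for this article (not a WordPress or HostPapa tool), the script below takes the text of a wp-config.php file, replaces the value of each of the four key defines with a fresh 64-character secret, inserts any key that is missing before the $table_prefix line, and offers a sanity check to run before writing the file back. The sample wp-config.php fragment is constructed, and the script assumes the single-quoted define('KEY', '...') form that WordPress itself generates.

```python
import re
import secrets

WP_KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")

# Printable ASCII without the single quote and backslash, so a value can sit
# inside a single-quoted PHP string without any escaping.
_ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\\")


def new_key(length: int = 64) -> str:
    """Cryptographically random key material from the OS CSPRNG."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def rotate_keys(config_text: str):
    """Return (new config text, {key name: new value}). Existing defines are rewritten
    in place; keys absent from the file are added before the $table_prefix line
    (or at the end if that line is missing)."""
    new_values = {}
    missing = []
    for name in WP_KEY_NAMES:
        value = new_key()
        new_values[name] = value
        line = "define('%s', '%s');" % (name, value)
        # Matches define('NAME', '...'); with or without the spaces newer WordPress emits.
        pattern = re.compile(r"define\(\s*'" + name + r"'\s*,\s*'[^']*'\s*\);")
        config_text, count = pattern.subn(lambda _m, line=line: line, config_text)
        if count == 0:
            missing.append(line)
    if missing:
        block = "\n".join(missing) + "\n"
        idx = config_text.find("$table_prefix")
        config_text = config_text[:idx] + block + config_text[idx:] if idx >= 0 else config_text + block
    return config_text, new_values


def verify_rotation(original: str, rotated: str, new_values: dict) -> bool:
    """Sanity check before writing the file back: every key carries its new value,
    the placeholders are gone, the defines precede $table_prefix, and unrelated
    lines (here DB_NAME) survived untouched."""
    prefix_at = rotated.find("$table_prefix")
    for name, value in new_values.items():
        at = rotated.find("define('%s', '%s');" % (name, value))
        if at < 0 or (prefix_at >= 0 and at > prefix_at):
            return False
    return ("put your unique phrase here" not in rotated
            and rotated.count("define('DB_NAME'") == original.count("define('DB_NAME'"))


# Constructed sample wp-config.php fragment (not a real site's file); NONCE_KEY is
# deliberately absent to exercise the insertion path.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('AUTH_KEY',         'put your unique phrase here');
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
define('LOGGED_IN_KEY',    'put your unique phrase here');
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    rotated, values = rotate_keys(SAMPLE_CONFIG)
    print(rotated)
    print("consistent:", verify_rotation(SAMPLE_CONFIG, rotated, values))
```

Changing any of these keys invalidates every existing login cookie, so all users (including you) are logged out after the rotation; that is the intended effect when you suspect the old keys were exposed.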

  3. Change Permissions

Typically, the files in the WordPress root directory are set to 644, meaning that they’re readable and writable by the owner of the file, and readable by everyone else. 

WordPress documentation states that the permission of the wp-config.php file should be 440 or 400 so other website owners on the same server can’t read it. This can be changed easily with your FTP client.

Some hosting platforms have different permissions because the webserver user doesn’t have permission to write files. To be sure about permissions, contact your hosting provider.

Disable XML-RPC

XML-RPC has become a large target for brute-force attackers in the past few years, according to Sucuri. One of the hidden features of XML-RPC is that you’re allowed to use the system.multicall method to execute multiple methods inside a single request.  

This is a useful feature because it allows the application to pass multiple commands within one HTTP request. However, one drawback of this feature is that it can also be used for malicious reasons.

A few WordPress plugins, like Jetpack, rely on XML-RPC, but most WordPress users don’t even need it. Therefore, it would be beneficial for your website to just disable it. You can even install the Disable XML-RPC plugin to disable it automatically. 
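If you cannot disable XML-RPC outright (because something like Jetpack needs it), it helps to recognise the abuse pattern described above in your logs or at a WAF: one POST to xmlrpc.php whose system.multicall packs many credential-checking calls. This added example (written for this article, not part of WordPress, Jetpack, or any HostPapa tool) parses an XML-RPC request body, counts the calls bundled in a multicall, and flags the request when the bundle is large or when two or more of the inner calls are methods that take a username and password. The threshold and both sample request bodies are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed threshold; tune it to what your legitimate clients actually send.
MAX_CALLS_PER_MULTICALL = 10
# Core XML-RPC methods that take a username/password pair, so each one is a login check.
CREDENTIAL_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getPosts"}


def _inner_calls(root):
    """Yield the methodName of each call packed inside a system.multicall request."""
    for struct in root.findall("./params/param/value/array/data/value/struct"):
        for member in struct.findall("member"):
            if member.findtext("name") == "methodName":
                name = member.findtext("value/string") or (member.findtext("value") or "")
                yield name.strip()


def inspect_xmlrpc(body: str) -> dict:
    """Classify one request body posted to xmlrpc.php. Unparseable XML is flagged
    too, since a legitimate client has no reason to send it."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"method": None, "calls": 0, "credential_calls": 0,
                "suspicious": True, "reason": "unparseable XML"}
    method = (root.findtext("methodName") or "").strip()
    if method == "system.multicall":
        names = list(_inner_calls(root))
        calls = len(names)
        credential_calls = sum(1 for n in names if n in CREDENTIAL_METHODS)
    else:
        calls = 1
        credential_calls = 1 if method in CREDENTIAL_METHODS else 0
    reason = None
    if calls > MAX_CALLS_PER_MULTICALL:
        reason = "multicall bundles %d calls" % calls
    elif credential_calls >= 2:
        reason = "%d credential-checking calls in one request" % credential_calls
    return {"method": method, "calls": calls, "credential_calls": credential_calls,
            "suspicious": reason is not None, "reason": reason}


# Constructed: a harmless single call (demo.sayHello is a real core method).
BENIGN_REQUEST = """<?xml version="1.0"?>
<methodCall><methodName>demo.sayHello</methodName><params></params></methodCall>"""

_CALL = """<value><struct>
  <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
  <member><name>params</name><value><array><data>
    <value><string>admin</string></value><value><string>{pw}</string></value>
  </data></array></value></member>
</struct></value>"""

# Constructed: three password checks for the same account packed into one request.
MULTICALL_REQUEST = """<?xml version="1.0"?>
<methodCall><methodName>system.multicall</methodName>
<params><param><value><array><data>
%s
</data></array></value></param></params></methodCall>""" % "\n".join(
    _CALL.format(pw=p) for p in ("guess-1", "guess-2", "guess-3"))

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_REQUEST), ("multicall", MULTICALL_REQUEST)):
        print(label, inspect_xmlrpc(body))
```

Run as a WAF rule or over captured request bodies, this separates a Jetpack sync from a credential-guessing burst; the same logic explains why rate-limiting login attempts alone is not enough when xmlrpc.php is reachable.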

Hide WordPress Version

The idea of hiding your WordPress version may sound like it wouldn’t make any difference, but it would not let people know about your site configuration, which can play a big role in securing your site.

If your WordPress version is not hidden, people can see if you’re running an outdated WordPress version, allowing intruders to enter your site.

The WordPress version is visible in the header of the website’s source code by default. Although we recommend you always keep WordPress updated in the first place, so you don’t have to worry about the visibility of the WordPress version, you can hide it by adding the following code to your WordPress theme’s functions.php file.

function wp_version_remove_version() {
    return '';
}
add_filter('the_generator', 'wp_version_remove_version');

If not done correctly, editing source code can break the site. Check with the developer first if you’re not comfortable doing this. You can also download a plugin to hide your WordPress version. 

Add Updated HTTP Security Headers

Your HTTP security headers are usually configured at the server level and let the browser know how to behave when handling your website. To harden your WordPress website security, you can use HTTP security headers.

Although there are many HTTP security headers, below are the ones that are typically the most critical.

  • Content-Security-Policy
  • X-XSS-Protection
  • Strict-Transport-Security
  • X-Frame-Options
  • Public-Key-Pins
  • X-Content-Type-Options

By launching Chrome dev tools and looking at headers on the initial response of your site, you can check the headers currently active on your website.
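Once you have copied the response headers out of Chrome dev tools, the check is mechanical. The following is an added example for this article (not a HostPapa tool) that audits a dictionary of response headers against the list above: it reports each header as missing, weak, or ok, treats a CSP frame-ancestors directive as covering X-Frame-Options, checks that the HSTS max-age is at least a year, and records the fact that Public-Key-Pins (HPKP) is deprecated and ignored by current browsers. The two header sets it runs on are constructed, not captured from real sites.

```python
import re

ONE_YEAR = 31536000  # seconds; the usual minimum recommended HSTS max-age


def audit_security_headers(headers: dict) -> dict:
    """Return {header name: finding} for a mapping of response headers (names are
    matched case-insensitively). A finding that starts with "ok" passes."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = {}

    csp = h.get("content-security-policy")
    if csp is None:
        findings["Content-Security-Policy"] = "missing"
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings["Content-Security-Policy"] = "weak: allows unsafe-inline/unsafe-eval"
    else:
        findings["Content-Security-Policy"] = "ok"

    hsts = h.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts or "")
    if hsts is None:
        findings["Strict-Transport-Security"] = "missing"
    elif not m or int(m.group(1)) < ONE_YEAR:
        findings["Strict-Transport-Security"] = "weak: max-age shorter than one year"
    else:
        findings["Strict-Transport-Security"] = "ok"

    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() in ("DENY", "SAMEORIGIN"):
        findings["X-Frame-Options"] = "ok"
    elif xfo is None and csp is not None and "frame-ancestors" in csp:
        findings["X-Frame-Options"] = "ok: covered by CSP frame-ancestors"
    elif xfo is None:
        findings["X-Frame-Options"] = "missing"
    else:
        findings["X-Frame-Options"] = "weak: unexpected value %r" % xfo

    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings["X-Content-Type-Options"] = "missing"
    elif xcto.lower() == "nosniff":
        findings["X-Content-Type-Options"] = "ok"
    else:
        findings["X-Content-Type-Options"] = "weak: expected nosniff"

    # Legacy header: current browsers rely on CSP instead, but it is still widely listed.
    findings["X-XSS-Protection"] = "missing" if h.get("x-xss-protection") is None else "ok"

    # HPKP was removed from browsers; a wrong pin could lock every visitor out.
    if h.get("public-key-pins") is None:
        findings["Public-Key-Pins"] = "ok: not set (HPKP is deprecated and ignored by current browsers)"
    else:
        findings["Public-Key-Pins"] = "note: set, but HPKP is deprecated; a bad pin can lock users out"
    return findings


def failing_headers(headers: dict) -> list:
    """Names of the headers that did not pass, sorted for stable reporting."""
    return sorted(k for k, v in audit_security_headers(headers).items() if not v.startswith("ok"))


# Constructed sample responses (not from real sites).
WEAK_HEADERS = {
    "Server": "nginx",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, "->", failing_headers(hdrs) or "all checks passed")
```

The weak set fails on five headers even though it does send HSTS, because a 300-second max-age gives almost no protection; the hardened set passes with no X-XSS-Protection magic at all beyond the value 0, which simply switches the legacy browser filter off in favour of the CSP.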

Add WordPress Security Plugins

While plugins are not the best-ever security measure you can take, the best WordPress security plugins can play an important role in securing your site. Some security plugins prove to be a great solution to protect your WordPress site against threats and compromises.

Here are a few:

  • Sucuri Security
  • iThemes Security
  • Wordfence Security
  • WP fail2ban
  • SecuPress

Database Security

Everything about your website is stored on the WordPress database. It’s important to take measures to secure your database. There are a couple of ways you can do that.

One, use a clever database name. If your site is named cheap car covers, your database would most likely be named wp_cheapcarcovers. However, you can change your database name to protect it from hackers who try to hack your database by attempting names similar to the website’s domain. Make your database’s name as obscure as possible. 

Two, use a different database table prefix. The default prefix of your WordPress database is “wp_.” You can change it to something like “lbw9_” to make it more secure.

Always Use Secure Connections

We can’t stress enough how critical it is to use secure connections. First of all, be sure your WordPress host is taking precautions, including offering SFTP. 

SFTP (SSH File Transfer Protocol) runs over SSH, so files and credentials travel over an encrypted channel. It’s more reliable than standard FTP.

Secondly, you need to ensure that the router at your home or office is set up correctly. If someone hacks the network at home or workplace, they can gain access to all sorts of info, including the info about your WordPress site. 

Here are some tips to prevent that:

  • Don’t enable remote management (VPN). Most users don’t even use it, so by keeping it off, you can keep your network from being exposed to the outside world.
  • Routers use default IPs in the range, such as 192.168.1.1. Use a unique range, such as 10.9.8.7. 
  • Enable the highest encryption level on your wifi. 
  • IP white-list your wifi so only people with the password and certain IPs can access it.
  • Keep the firmware on your router updated.

Always be careful whenever you’re logging into your WordPress website in public locations, such as schools or internet cafes, as these locations are often unsecured. Check security, such as verifying SSID, before you connect.

File and Server Permissions

File and server permissions are crucial to your WordPress security: if they are too loose, a cybercriminal can easily gain access to your site. That being said, permissions that are too strict can leave your site non-functional, so it’s important to know which permissions to set.

File Permissions

  1. Reading permissions are given if the user has the right to read the file.
  2. Writing permissions are given if the user has the right to write to the file.
  3. Executing permissions are given if the user has the right to run the file or execute it as a script.
  4. All files should be 644 or 640, except wp-config.php, which should be 440 or 400.

Directory Permissions

  1. Reading permissions are given if the user has the right to list the contents of the folder or directory.
  2. Writing permissions are given if the user has the right to add or delete files in the directory.
  3. Executing permissions are given if the user has the right to enter the directory and perform commands there, including deleting data from the directory.
  4. All directories should be 755 or 700. No directory should ever be 777.
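As an added example that is not part of the article, here is a POSIX shell audit that walks a WordPress tree and reports every file or directory whose mode deviates from the values listed above. The demo_tree helper and the file names it creates are constructed for illustration only.

```shell
#!/bin/sh
# Added example, not from the original article: audit a WordPress tree against
# the recommended modes (files 644/640, wp-config.php 440/400, directories
# 755/700) and report anything else, including 777. Assumes a POSIX shell and
# GNU or BSD stat; demo_tree builds a throwaway tree under mktemp for testing.

mode_of() {
  # Octal permission bits of one path; try GNU stat first, then BSD stat.
  m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1")
  printf '%s\n' "${m#0}"   # BSD stat may print a leading 0 (e.g. 0644)
}

audit_wp_perms() {
  # Print "MODE PATH" for every entry that deviates from the recommended
  # modes. setuid/setgid/sticky bits (e.g. 2755) are reported as deviations.
  root=$1
  find "$root" -type d | while IFS= read -r d; do
    m=$(mode_of "$d")
    case "$m" in 755|700) ;; *) printf '%s %s\n' "$m" "$d" ;; esac
  done
  find "$root" -type f | while IFS= read -r f; do
    m=$(mode_of "$f")
    if [ "$(basename "$f")" = "wp-config.php" ]; then
      case "$m" in 440|400) ;; *) printf '%s %s\n' "$m" "$f" ;; esac
    else
      case "$m" in 644|640) ;; *) printf '%s %s\n' "$m" "$f" ;; esac
    fi
  done
}

count_violations() {
  # Number of deviating entries as a bare integer (wc pads on some systems).
  audit_wp_perms "$1" | wc -l | tr -d ' '
}

demo_tree() {
  # Constructed sample install: two entries are deliberately too permissive.
  t=$(mktemp -d)
  mkdir -p "$t/wp-content/uploads"
  : > "$t/index.php"; : > "$t/wp-config.php"; : > "$t/wp-content/uploads/a.jpg"
  chmod 755 "$t" "$t/wp-content"
  chmod 777 "$t/wp-content/uploads"   # world-writable directory
  chmod 644 "$t/index.php" "$t/wp-content/uploads/a.jpg"
  chmod 644 "$t/wp-config.php"        # should be 440 or 400
  printf '%s\n' "$t"
}

# Usage: sh wp-perm-audit.sh /var/www/html   (exit status 1 if anything deviates)
if [ $# -gt 0 ]; then audit_wp_perms "$1" && [ "$(count_violations "$1")" -eq 0 ]; fi
```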

Disable File Editing in Dashboard

A lot of WordPress websites have multiple administrators and users, which makes security more complicated. Some website owners even give administrative access to authors and owners, which is a bad practice and a security threat.

All users should have the correct permissions so they can’t break the site. One way to enforce that is to disable the Appearance Editor in WordPress. Many users quickly go to edit something in the Appearance Editor and are suddenly presented with a white screen. It’s recommended that you edit the file locally and upload it via FTP or SFTP.

If your WordPress is hacked, the first thing that a hacker might do is try to edit the theme or the PHP file via Appearance Editor, which is the quickest way for them to install malicious code on your site.

Removing this option from the dashboard altogether closes off that avenue. Place the following line in your wp-config.php file to remove the edit_themes, edit_plugins, and edit_files capabilities for all users.

define('DISALLOW_FILE_EDIT', true);

Prevent Hotlinking

Hotlinking is when someone embeds an image hosted on your server directly on their own site by pointing at its URL, so your server delivers the file every time their page loads. While it doesn’t seem like a big deal, it’s theft of your bandwidth and can cost you a lot of extra money. There are multiple ways to prevent hotlinking on your site.

Prevent Hotlinking in Apache

To prevent hotlinking in Apache, add the following code to your .htaccess file.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ https://dropbox.com/hotlink-placeholder.jpg [NC,R,L]

Prevent Hotlinking in NGINX

Add the following code to your config file to prevent hotlinking in NGINX.

location ~ \.(gif|png|jpe?g)$ {
    valid_referers none blocked ~\.google\. ~\.bing\. ~\.yahoo\. yourdomain.com *.yourdomain.com;
    if ($invalid_referer) {
        return 403;
    }
}

Always Make WordPress Backups

Although the security measures listed above help protect your site, they will never make it bulletproof. So, in case something happens to your website, you need a backup.

Some managed WordPress hosting providers include daily backups, but if your host doesn’t provide backups for your site, you can use services and plugins to automate the process.

WordPress site backup services, including VaultPress and CodeGuard, are usually the most reliable and charge a low monthly fee to back up your website in the cloud.

On the other hand, there are plugins that let you back up your site via FTP or integrate it with external cloud storage, such as Amazon S3, Google Cloud Storage, Dropbox, Google Drive, and more. Some reliable plugins for this are Duplicator, WP Time Capsule, BackupBuddy, and WP BackItUp.

DDoS Protection

DDoS attacks are not new, but the measures to prevent them have advanced. Unlike other attacks, a DDoS attack doesn’t break into your site; it overwhelms it so that it is unavailable for hours or days.

To protect yourself from DDoS attacks, use a third-party security service, such as Cloudflare or Sucuri. If you’re running a business, then you should invest in premium plans and not take any risks that can compromise your business.

These security services come with advanced DDoS protection that can mitigate all kinds of DDoS attacks, including UDP and ICMP floods, SYN/ACK floods, DNS amplification, and Layer 7 attacks.

Another perk of these services is that they hide your origin IP address by placing your site behind their proxies. To understand these attacks better, make sure to read more about the prevention of DDoS attacks.

Key Takeaways

As we’ve shown in this article, there are many ways to improve the security of your WordPress website. To sum up: use a clever and strong password, keep software, plugins, and themes updated, keep track of your permissions, and get reliable managed WordPress hosting, which can make your work ten times easier by protecting your site and taking all the necessary measures for you.

For many of us, a website is not just a website – it’s a source of income. If it gets compromised, it can do a lot of damage, making it critical to spend time, effort, and money to implement the security practices mentioned.

Last modified on: August 23rd, 2023

Categorized as Web Hosting

Julia is a Content Coordinator for HostPapa, with a special focus on editing copy and all things blog-related. In her spare time, she enjoys reading, watching Oscar-nominated movies, and drinking iced lattes.
