Even though you might think "hey, I just started my website, it's not worth hacking", you're wrong. The same goes for more established blogs and websites. If you already have a well-established website, don't risk losing your hard work and your profit by making it easy for attackers.
In most cases, hacking a website is nothing personal. Hackers exploit weaknesses for their own gain, which might mean using your server as an email relay for spam, serving files of an illegal nature, exploiting your site's visitors, black-hat SEO, mining Bitcoin, stealing data stored on your web server, or planting ransomware. The list goes on, but we only mention these to change your mind right at the start.
When we say hackers, we don't necessarily mean one person sitting there targeting you, because that's often not how it works. Those tasks are performed by automated scripts that scan the internet for websites running software with known security issues and then try to exploit them.
If your website has any kind of membership or payment option, a secure site must be your goal. You will benefit by not losing your customers' trust, your money, or your visitors. Even worse, attackers can exploit your clients' information, like emails and passwords, as well as your own. WordPress today is not the WordPress of many years ago: security is one of the top priorities with every update that rolls out, and we can say that WordPress today is pretty safe, but that's not enough.
Many web hosting providers protect the server your website runs on, not your website itself. That's often up to you. Avoid losing your visitors' trust, dropping in rankings, and again, losing your hard work and money because you didn't protect your website enough. Before we start, as we've mentioned, it all starts with you. Make sure your own PC is fully secured, as it can be an infection vector and lead to your website getting hacked.
What should your website be ready for?
The most common vulnerabilities and threats to your WordPress website are SQL injections, brute force attacks, malware infections, XSS attacks, and DoS/DDoS attacks.
SQL injection is when an attacker uses a web form field or URL parameter to insert code that manipulates your database. That's why, again, it's important to have your forms secured and to buy your plugins from the plugin's author.
Brute force attacks mean that hackers, using a programmed script, try many combinations of usernames and passwords against your admin area until the script finds one that works. Once they're in, they start with a variety of malicious activities.
An XSS attack is an injection of malicious client-side scripts into a website. In other words, an attacker injects content into your website and modifies how it is displayed; in some cases this can lead to your website being taken over by the attacker.
Malware infections can happen through any of the methods listed so far, and the goal behind them is again to gain access and then inject whatever they want into your website: spam it for their SEO, steal your users' information like credit card data, show their ads, redirect to their scam websites, upload and host unwanted files, pretty much whatever they want. Even if you catch the infection, be aware that attackers tend to leave a "backdoor" that lets them keep their access to your website. So while you clean, check everything twice and compare it against the original files, and for that you need website backups taken regularly.
DoS/DDoS attacks most commonly aim to take your website down or slow it down with fake traffic; they are non-intrusive internet attacks.
How do you secure your WordPress website?
There are several ways to secure your website, but everything starts with you and then extends to the tools you can use. WordPress, as you already know, has a system that lets you extend your website's functionality with plugins. When you use plugins, there are a couple of things you need to be aware of and things you can do to narrow down the risk that comes with them.
A CMS (Content Management System), which is what WordPress is, is at a higher risk of compromise due to the vulnerabilities and security issues often found in third-party plugins.
A MUST RULE! Never use an illegally obtained plugin, meaning one not bought from its original source, in other words the plugin's author. Plugins downloaded from other sources might be altered and could contain malicious code, and that's one of the easiest ways for hackers to get into your website. The same goes for WordPress themes. It's just not worth the risk.
Keep WordPress, your theme, and your plugins updated. Older versions are easier to exploit. If you have outdated plugins or themes, update them, now! If you have installed plugins you don't use, delete them and lower the risk further. The same goes for WordPress themes.
After you have prepared everything with security measures, it's time to go online. The first step is to host your website somewhere. Before choosing a web hosting provider, do your research on them: their quality, their support, and how they protect their servers and your website. Don't go for the cheapest service just because it's cheap; again, do your research. The future of your website depends on your patience in choosing a good one.
Many hosting providers that offer VPS and dedicated servers have two options, fully managed or self-managed. Usually, if you pay extra you get security measures as well, which include proactive monitoring, extra layers of security, and automatic backups. An alternative is managed WordPress hosting, where top companies take care of everything regarding the servers for you, and some go even further. Some of them start relatively cheap, and you can get one for $10-$15 per month. Just because you're on a budget doesn't mean you have to save on the key parts of having a secure and well-optimized server and website, because those also impact your website's speed, which is another big factor in the web industry.
Read our article 6 Ways to make your WordPress Website Blazing Fast to learn more about it.
Starters usually go with shared hosting plans, the cheapest ones but also the least secure, since your website is hosted on the same server as many other people's websites. If you are one of them, it's not too late: research your hosting, see how they handle security, and check whether they are using the latest PHP version as well as the latest version of MySQL or MariaDB. Your website's content is stored in a database, and those two handle your database.
Once you have your hosting and your WordPress site is ready to go online, the next step is to choose your login information. It's important that your username isn't easy to guess and, even more important, that your password is very strong. Please don't use admin as your username, because that's a classic mistake many people make and the first thing hackers try to guess.
The next step is to protect your wp-config.php file. You can move this file one level above your root directory, because it is one of the crucial files: it holds the details of your WordPress installation. You can also disable file editing through wp-admin by adding this line of code inside it.
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
While you're at the root of your website, be sure to give your database tables a unique prefix and not leave the default, which is wp_. Give your database a solid password.
Even if you've already used the default prefix for your database, it's not too late, as there are plugins that can rename it for you. If you're going to do this manually via cPanel, search the options table for any other fields that use wp_ as a prefix and run a query to rename those as well as the tables.
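As an added example (not part of the original article), here is a small POSIX shell function that prints the SQL for the manual prefix change just described: it renames the core tables, fixes the prefixed rows in the options and usermeta tables, and lists any other wp_ options for you to review before piping the result into the mysql or mariadb client. The twelve core table names and the s3cure_ prefix are assumptions; tables added by plugins can be passed as extra arguments.

```shell
#!/bin/sh
# Added example, not the article's own code: print the SQL that moves a
# WordPress database from one table prefix to another. Review the output,
# then feed it to the mysql/mariadb client.
# Usage: gen_prefix_rename_sql wp_ s3cure_ [extra_table_suffix ...] > rename.sql
gen_prefix_rename_sql() {
  old="$1"; new="$2"; shift 2
  tables="$*"
  # Default to the twelve core tables (assumed standard install); plugin tables
  # such as wfconfig can be given as further arguments.
  [ -n "$tables" ] || tables="commentmeta comments links options postmeta posts termmeta terms term_relationships term_taxonomy usermeta users"
  for t in $tables; do
    printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
  done
  # Rows whose key embeds the prefix. In options only user_roles is renamed
  # blindly: core also stores names like wp_page_for_privacy_policy that start
  # with wp_ but are not prefix-derived, so the rest are listed for review.
  printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
    "$new" "$new" "$old"
  # In usermeta the prefixed keys (capabilities, user_level, user-settings ...)
  # all derive from the prefix, so only the leading part is rewritten.
  # ESCAPE '|' makes the underscore in the prefix literal instead of a LIKE wildcard.
  pat="$(printf '%s' "$old" | sed 's/_/|_/g')%"
  start=$(( ${#old} + 1 ))
  printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %s)) WHERE meta_key LIKE '%s' ESCAPE '|';\n" \
    "$new" "$new" "$start" "$pat"
  printf "SELECT option_name FROM \`%soptions\` WHERE option_name LIKE '%s' ESCAPE '|';\n" "$new" "$pat"
  echo "-- then set \$table_prefix = '$new'; in wp-config.php"
}
```

The generated statements must be run after a full backup, and the `$table_prefix` line in wp-config.php has to be changed to the new value in the same maintenance window or the site will not find its tables.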
Be sure to take a full backup before renaming anything, just in case. Password-protect the wp-admin directory, which is the backbone of your website. In the same place, given you're on cPanel, you can change the permissions of your directories and files, which is a good move to secure the website at the hosting level. Set directories to "755" and files to "644"; that protects the whole file system: directories, subdirectories, and individual files. If you're not comfortable with this, ask your hosting provider to do it. As the last step, add this line of code inside your .htaccess.
Options All -Indexes
This disables directory indexing and browsing. Hackers might use directory listings to look at the files on your website and search them for known vulnerabilities, with one goal of course: exploiting them. In the same file, you can also add code to disable PHP execution where it isn't intended, like your uploads folder.
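As an added example that is not from the original article, the permission and .htaccess steps above as one shell function for a server you reach over SSH rather than cPanel. It assumes Apache 2.4 with .htaccess enabled and a standard WordPress layout under the directory you pass in.

```shell
#!/bin/sh
# Added example, not the article's own code: apply the hardening steps from a
# shell on the server. Assumes Apache honours .htaccess and that $1 is the
# WordPress root (the directory holding wp-config.php and wp-content).
# Usage: harden_wp_files /var/www/example.com/public_html
harden_wp_files() {
  root="$1"
  # 1. Disable directory indexing/browsing at the site root. The line is
  #    appended only if missing, so the function is safe to re-run.
  grep -qxF 'Options All -Indexes' "$root/.htaccess" 2>/dev/null ||
    printf 'Options All -Indexes\n' >> "$root/.htaccess"
  # 2. Refuse to execute PHP inside the uploads tree: anything that slips
  #    through an upload form is then served as an inert file, not run.
  mkdir -p "$root/wp-content/uploads"
  cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
# no PHP execution in the uploads tree (Apache 2.4 syntax)
<FilesMatch "\.(php|phar|phtml|php[0-9])$">
  Require all denied
</FilesMatch>
EOF
  # 3. Directories 755, files 644, applied last so the files written above
  #    end up with the same permissions as everything else.
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
}
```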
The next thing is to hide your WordPress version, which can be found by inspecting your website's source. WordPress security plugins usually offer this option. With some plugins you can even hide that your website is powered by WordPress at all.
Next, customize the login page URL. The default is well known and is what login attempts (brute force attacks) target. To hide the login URL you can use a plugin like WPS Hide Login or Defender (which offers plenty more options to secure your WordPress website). You can find a more detailed article on this here. Use plugins that limit login attempts (if they don't know the login, after several attempts they get an IP ban and can't keep trying for the amount of time you set) and that log out idle users.
Some like to disable the REST API to protect their websites against brute force attacks. The REST API is needed by third-party apps, some WordPress plugins, and developers who use HTTP requests to securely perform actions on a WordPress site. We recommend not disabling it, but it's your choice.
Don't give admin access to everyone. Just because someone writes for your website doesn't mean they need admin access. WordPress has predefined roles that cover all scenarios. Sometimes you have to give people a stronger role, so in those cases make sure the people you're giving access to have a strong password, or install a plugin that forces them to set one.
An additional layer against unwanted logins is adding a security question to your WordPress login screen, which makes unauthorized access even harder. The last one, even if you're the only person with access to your website, is to enable two-factor authentication. It requires users to log in with their username and password, and then, as a second step, to authenticate using a separate device or app. As a final tip here, if possible avoid giving users an option to upload files via your website.
If your WordPress website isn't using SSL yet, it's time to upgrade. Not only for security: Google also values sites that use HTTPS more. SSL (Secure Sockets Layer) is a protocol that encrypts the data transferred between your website and the user's browser. This encryption makes it harder for someone to steal information. Once you enable SSL, your website will use HTTPS instead of HTTP. Ask your host whether they offer it and can help you set it up. If they don't, you can purchase an SSL certificate for your website. If you can't or won't spend extra on this, a non-profit organization called Let's Encrypt offers free SSL certificates to website owners.
Always, always, always, sorry but we really can't stress this enough, always have a regular backup of your website. Many providers now offer backups for free with some plans, but if yours doesn't, install a backup plugin like VaultPress, BackupBuddy, Duplicator (free), or UpdraftPlus.
The last step in building a fortress around your WordPress website is to monitor the activity on it. Plugins like Sucuri, MalCare, and Wordfence do a pretty good job at this. They keep track of everything that happens on your website, scan for malware, check for failed login attempts, and monitor your files. You can sleep much more calmly with one of these.
Even though a CDN to speed up your website is today very affordable and highly recommended (some, like Cloudflare, are even free), a CDN can also be the last additional step in your website's security, as some of them protect Internet properties from malicious activity like DDoS attacks, malicious bots, and other nefarious intrusions.