Security for your WordPress website

WordPress runs 43% of all websites in the world, yet according to reports it is also the most frequently hacked platform. This does not mean that the WordPress software is insecure by default. A default WordPress installation is secure, but once you start installing themes and plugins you make it much easier for cybercriminals to compromise your website.

You can do the following things to harden your WordPress site so that attackers find it harder to threaten your website.

  1. Update the PHP version of your web server.
  2. Update WordPress to the latest version.
  3. Install an SSL certificate, especially if you are running an e-commerce website with WooCommerce.
  4. Use trusted and licensed WordPress themes and plug-ins. Never use nulled themes or plugins, because these scripts can come with malware.
  5. Remove all nulled themes and plug-ins from your website.
  6. Use a strong username and password for the admin section of your WordPress site. You can add two-factor authentication with the help of a plug-in.
  7. Limit login attempts to prevent brute-force attacks by hackers. There are a couple of plug-ins to limit login attempts, named:
    1. Limit Login Attempts Reloaded
    2. Loginizer
  8. You can change the default wp-admin URL to something that others cannot guess. Normally you have www.yoursite.com/wp-admin, but you can change it to www.yoursite.com/something. You can use the following WordPress plugins to do that:
    1. WP Hide Login
    2. Change wp-admin login
  9. Log idle users out of your WordPress site. Most of the time, when users log in and perform actions on your site as admin, they leave the website without logging out. If someone gets access to their device, it is very easy to reach your WordPress admin section. So make sure you log all idle users out of your website.
  10. Regularly check your files to identify malware being injected into your code. Most of the time JavaScript code is injected into your files so that attackers can hijack your session.
  11. Never display PHP errors to public users. Cybercriminals know a lot about these errors, and if you show the errors to them they can more easily break into your website using various methods. You can edit the wp-config.php file to stop error messages from being displayed.

Use the following PHP code in wp-config.php to disable the display of errors.

// In wp-config.php: suppress all PHP error reporting and stop errors being shown to visitors.
error_reporting(0);
@ini_set("display_errors", 0);

  12. Applying the correct file permissions to PHP files is very important to prevent unauthorized changes to PHP files.

Here are the recommended file permissions for a WordPress installation:

  • Root directory (usually public_html): 755
  • wp-admin: 755
  • wp-includes: 755
  • wp-content: 755
  • wp-content/themes: 755
  • wp-content/plugins: 755
  • wp-content/uploads: 755
  • .htaccess: 644
  • index.php: 644
  • wp-config.php: 640

These file permissions depend on the hosting environment of your server, but it is very important to follow these best practices to improve the security of your WordPress files.

You can use the FTP client tool or File Manager of the cPanel to set these permissions.
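As an added example (not part of the original article), here is a small Python script that audits a WordPress root against the table above and can apply the recommended modes. It goes slightly beyond the table by assuming that any directory not listed should be 755 and any file not listed should be 644.

```python
import os
import stat

# Recommended modes from the table above, keyed by path relative to the WordPress root.
RECOMMENDED = {
    ".": 0o755,
    "wp-admin": 0o755,
    "wp-includes": 0o755,
    "wp-content": 0o755,
    "wp-content/themes": 0o755,
    "wp-content/plugins": 0o755,
    "wp-content/uploads": 0o755,
    ".htaccess": 0o644,
    "index.php": 0o644,
    "wp-config.php": 0o640,
}
# Assumed defaults for entries the table does not name: directories 755, files 644.
DEFAULT_DIR_MODE, DEFAULT_FILE_MODE = 0o755, 0o644


def expected_mode(rel, is_dir):
    """Recommended mode for a path given relative to the WordPress root ('.' is the root)."""
    return RECOMMENDED.get(rel, DEFAULT_DIR_MODE if is_dir else DEFAULT_FILE_MODE)


def iter_entries(root):
    """Yield (rel_path, full_path, is_dir) for the root directory and everything below it."""
    yield ".", root, True
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            yield rel, full, os.path.isdir(full)


def audit_permissions(root):
    """Return [(rel_path, actual_mode, expected_mode)] for every entry that deviates."""
    findings = []
    for rel, full, is_dir in iter_entries(root):
        actual = stat.S_IMODE(os.stat(full).st_mode)
        expected = expected_mode(rel, is_dir)
        if actual != expected:
            findings.append((rel, actual, expected))
    return findings


def fix_permissions(root):
    """Apply the recommended mode to every deviating entry; return how many were changed."""
    findings = audit_permissions(root)
    for rel, _actual, expected in findings:
        os.chmod(os.path.join(root, rel), expected)
    return len(findings)
```

Run `audit_permissions("/path/to/public_html")` first and review the findings before calling `fix_permissions`, since some hosts (for example those running PHP as a separate user) need different modes.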

You can also disable the file editing feature of the WordPress site by adding the following PHP code to wp-config.php:

// In wp-config.php: remove the theme and plugin editor from the admin dashboard.
define("DISALLOW_FILE_EDIT", true);

In addition to the points mentioned above, you can take more advanced steps to secure your WordPress site. But if you add these security features to your site, you can protect the website from most attacks.