10 Free and Essential Tricks to Secure Your WordPress Website Against Hackers and Malware
We are sharing with you expert tips for Strengthening Your WordPress Website Security Against Hackers and Malicious Attacks. If it comes to WordPress security, there are various things you can do to protect your website and prevent attackers and vulnerabilities from damaging your site. If you are serious about your site, you should pay attention to the basic security practices of OWASP.
While the core of WordPress software is very secure and hundreds of developers check it regularly, there is a lot that can be done to keep your site secure for free without the need of spending money.
We don’t want your evening coffee to get missed due to shagging of your website or another nuisance breakdown. Therefore, today we are going to share many tips, strategies, and techniques that you can use to increase your WordPress security and keep it safe.
In this guide, we’ll share all the essential WordPress security tips to help you keep your site safe & secure from hackers and malware.
Believing in safety is better than cure: that web security is not just about eliminating risks, but also applies to risk reduction.
As a website owner, there are many things you can do to improve WordPress security (even if you’re not a tech nerd). We share some noobs steps to make it happen easily with a few sips of coffee. We have several practical steps you can take to protect your website from security vulnerabilities.
Why do you need to think about your WordPress Website Security?
A hacked WordPress site can severely damage your business’s income and reputation. Hackers can go very nasty and steal user information, passwords, send out spam emails using your SMTP, install malicious software, and even distribute malware to your users.
Search engines prefer safe websites.
Website security directly affects search visibility on Google, Bing, Yahoo (and other search engines). To keep the internet safe Google’s Safe Browsing technology checks billions of URLs a day looking for unsafe websites. A Safe and searchable website is easier to rank high. Moreover, it protects your visitors and gives everyone peace of mind.
Why do hackers hack websites?
- Hacking into your server and use it for bitcoin mining or insert Malicious js to use your visitor’s traffic for crypto mining.
- Steal out important data from your website like- Databases of user’s containing real-time data, financial records, and other private information. Moreover, Malicious software can hijack credit card data in real-time while user checkout.
- There may be a chance of having a Ransomware attack.
- Using your webserver to shoot webmail spam worldwide.
- They can use your server to store and pass out illegal files.
WordPress Security Best Practices
Have your themes, plugins, and WordPress version up to date
Hackers aggressively target security flaws so it is important to keep Software And Plugins Up-To-Date. Make a practice to always keep your operating system and the software on it, like your web browser, up to date this will you to protect from security vulnerabilities.
Similarly, for your website and webserver, it is essential to keep all programs (including your web-os, PHP version, SQL, etc) or scripts you’ve installed up-to-date. You can ask your hosting provider for help in server-side updates.
How To Look For Updates
- Simply log in to your WordPress dashboard and Go to Dashboard -> Updates.
- There you see the currently installed version of WordPress, as well as the latest WordPress version, released.
- If it says that the site didn’t have its latest version, make sure to back up the site before upgrading WordPress.Click on update
Apply username and password best practices
Cybercriminals have several tactics for cracking passwords, but the simplest of them is just to buy your passwords on the darknet.
As it is human at end choosing passwords, this is where physiology comes into play. We often use it to choose easy and rememberable passwords.
like- QWERTY, SUPERMAN, KittyCAT, etc.
Some examples of passwords and username attacks.
- Brute force attack
This attack tries to guess every combination in the book until it meets yours. The attacker automates the software to try as many combinations as possible in the shortest possible time.
- Dictionary attack
In this type of attack, the hacker attacks you with a predefined dictionary with a list of possible passwords and usernames gathered from a worldwide database. When the Brut Force attack attempts any mix of symbols, numbers, and letters, the dictionary attack tries to get a predefined list of words as you can find in a dictionary.
Use a password manager and a random password generator, usually strong passwords & usernames generated via tools are hard to crack. Even many Hosting panels also provide options for the same.
Try these password ideas to make your accounts unbreakable.
- Always use random passwords, with combinations of alphanumeric and use a different password for each site.
- Passwords managers are getting popular these days, try to use a secure & open-source password manager which will help in creating and remembering passwords easier.
- Try to use “two-factor authentication” there are many solutions available for the same.
Disable Directory Indexing and Browsing
Hackers are constantly looking out for website vulnerabilities — whether they are in old WordPress themes or some plugins, directory browsing is a vulnerability you need to be aware of.
Sometimes there happens some sensitive information stored that needs not be disclosed publically, With directory listening enabled it can become vulnerable.
For Example- You might not be interested in showing your contact form upload data or any invoices generated and stored in.
A directory list is a web server task that displays the contents of the directory while there is no index file in the directory of a particular website. When enabled the web servers list the content of a directory when there is no index file (e.g. index.php).
Easy Solution -
- Disable directory browsing at the site level (with .htaccess)
- Place an empty index.php in every directory
Secure .htaccess file for WordPress Security
Use Of Only Trusted Sources | Unknown Sources May Have Backdoors & Other Risks Involved
Many so-called free-to-download ‘nulled & free’ WordPress themes contain base64 encoded files,(usually get undetected by malware and virus scanners) which are often used to hide malicious code. Such can be used to put backdoors and other entry points.
So, with such themes or plugins, you can easily upload malware into your website or this is how you invite an intruder yourself. This is how most of the ‘hackers’ get access to your files and site.
We also suggest you read out an amazing article by WordFence regarding WP-VCD: The Malware You Installed On Your Site.
https://www.wordfence.com/blog/2019/11/wp-vcd-the-malware-you-install-on-your-own-sites/
We suggest always use resources only from official websites like http://wordpress.org/ as it’s the safest place to get themes and plugins.
Changing file permissions
File permissions determine who can read and do, write, modify and access them. WordPress may need access to files in your wp-content directory to enable certain features.
Read at
Secure .htaccess file for WordPress Security
Enable The SSL/HTTPS Connection On Your Website
Secure Sockets Layer (SSL) is a conventional security technology for building an encrypted link between a server and a client — basically a web server (website).
SSL ensures the security of data transmitted between the web browser and the server.
Another advantage of having an SSL certificate is the improved SEO ranking your website will get.
You can use force HTTPS in the .htaccess file. Optimal .htaccess file for WordPress Security
Disable your xmlrpc.php file
WordPress XML-RPC is an API that allows you to transfer data between your WordPress site and other systems.
The main damages associated with XML-RPC are Brute force attacks: attackers attempt to log into WordPress using xmlrpc.php
Latently REST API issued by WordPress is being used for API-related work in various plugins and systems, XML-RPC is still used for backward compatibility.
In addition to transferring data, xmplrpc.php is also responsible for including backlinks and backlinks.
You can use the .htaccess file to disable the XML-RPC file.
Optimal .htaccess file for WordPress Security
Disable File Editing
By default, WordPress admin allows users to edit plugin and theme PHP files in the WordPress admin interface.
An attacker may try to gain access to your server or wp-admin and try to edit your files and include custom code which can allow him certain admin privileges or even some timer Trojans can be installed. It is being seen that hacked or attacked websites have custom codes wrote in functions.php files of some plugin or theme file.
File editing can be disabled using wp-config.php. More restrictions can be applied using the .htaccess file.
Disable PHP File Execution for Improved WordPress Security
The presence of any directories writeable inadvertently makes your site vulnerable to hacker intrusions. Hackers can use this feature to upload backdoor or malware access files to your WordPress site.
Malicious files will mostly be written in PHP and can be developed as background processes to give you full access to everything on your site. This is not what you would like, is it?
In most cases, hacked WordPress sites usually contain backdoor files.
Examples of common web shells:- China Chopper, WSO, C99, and B374K.
These files are often uploaded to /wp-includes/ or /wp-content/uploads/folders.
An easy way to increase the security of your WordPress is to disable PHP execution for some WordPress directories.
How to Disable PHP Execution in WordPress Directories
Place the following code in your .htaccess file.
<Files *.php>
deny from all
</Files>
Protect Your WordPress wp-config.php Configuration File Or The Heart Of WP Installation
WP-CONFIG.PHP is a core file of WordPress installation. It contains many details such as DB name, Username, The WP_SALTS, other permissions, and core secrets.
It can be intruded easily, if so then custom code can be added to provide user admin access. Therefore, it is necessary to protect it.
We can use the.htaccess file to make it hide and non-write able.
With this in mind, we’ve looked at how to secure your WordPress site in 2021 without a lot of investment by simply changing some features and codes. Like using a .htaccess file, but this is just one of many ways to improve the security of your site.
A few other security measures you can take are to invest in are good hosting with default firewalls, free SSL, customized security solutions. But before applying any of these methods, you should back up your site. If something goes wrong, you can simply restore the backup and launch our site in no time. Feel free to comment on your experience, and if you encounter any security issues on your WordPress site, we’ll be happy to help.
Resources
https://wordpress.org/support/article/hardening-wordpress/
https://woocommerce.com/posts/improve-your-wordpress-security-with-these-10-tips/
Image Credits — Canva.com
