No matter how big or small your website is, there will always be people who try to hack it. They use bots to find your login pages and then run a brute force attack against the administration area of your site.
A brute force attack means trying the most common username and password combinations, over and over, in the hope of gaining access to the admin area.
On a WordPress site the code is open for everyone to inspect. That is the double-edged nature of open source software: if you look hard enough you might find a way around the security, but because the security issues are public, you also know exactly what you have to do to close them.
In this article I am going to talk about what you should do on any WordPress site to protect it from being hacked. If you think your site is not big enough to be a target, you are wrong. To see whether your site is already being probed, look at your 404 error logs: you will find requests trying different paths to your database and your login pages.
Move the wp-config.php file
The first thing I do to protect WordPress is to move wp-config.php one level above the web root. When WordPress boots it looks for wp-config.php in its own directory first; if the file is not there, it looks one directory up. Moving it puts the database credentials and the authentication salts outside the directory the web server publishes, so a misconfiguration that serves raw .php files (a broken PHP handler, for example) cannot expose them. Two caveats: WordPress only looks one level up, so on hosting where the directory above public_html is itself web-accessible or shared with another site this gains nothing; and if that parent directory contains a wp-settings.php, WordPress assumes it is a separate installation and ignores the wp-config.php there.
Delete WordPress admin user
Older versions of WordPress (before 3.0) created a default administrator named admin, and many installations still carry that account today. Because the username is known, it is the first one an attacker's bot will try. A strong password keeps them out, but a username they also have to guess takes away the half of the problem they would otherwise get for free. Avoid obvious alternatives such as administrator or your domain name as well.
An account with the administrator role has full control of the site, so if it is compromised the attacker can take the whole site down.
To get rid of it, create a new user with the administrator role, log in as that user, and delete the old admin account. When WordPress asks what to do with the old user's content, attribute it to the new user rather than deleting it.
Use a strong password
This is kind of logical, but I have to include it just to make sure you don't forget it. You should always use a strong password on any of your accounts.
Most attackers use tools that try password combinations automatically, so a long, unique password makes that search impractical.
If you find it difficult to remember strong passwords, use a password manager such as LastPass to remember them for you; it also means you stop reusing the same password across sites.
If you want help creating a strong password, you can use a strong online password generator.
Disable unused user accounts
If you have multiple users on your WordPress site, review them regularly and delete any accounts that are no longer used.
Any account with access to the admin area can act on the site: depending on its role it can add and delete posts, install plugins or edit files. Every extra account is another door into the administration area, and each one is only as secure as the password its owner chose.
If an account is no longer used, delete it (attributing its content to another user when asked), or at least downgrade it to the lowest role it still needs.
Always update WordPress as soon as possible
WordPress has so many features and so many plugins that it is easy to assume updates are only about new features. They are not: most updates close security holes and fix bugs.
When a vulnerability is found, it is fixed and a new release goes out, and the fix itself tells attackers exactly what to look for on sites that have not updated yet. That is why you should update WordPress, and your themes and plugins, as soon as possible, and leave the automatic background updates for minor releases switched on. Updating does not make your site unattackable, but it closes the holes that are already public.
Remove WordPress version number
Advertising the exact version of WordPress you run tells an attacker which known vulnerabilities to try. Removing the version number is a small, cheap obstacle: an attacker who does not see it may assume you are up to date and move on, but a determined one will simply try the exploits anyway or fingerprint the version from other files, so do not treat this as a substitute for updating. WordPress prints the version in the generator meta tag in the page head, in the feeds, in the ?ver= query string appended to core scripts and styles, and in the readme.html file in the web root; remove or block all of them.
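The following is an added example, not code from the original article: a functions.php (or must-use plugin) snippet that removes the version from each place listed above except readme.html, which is a static file you delete or deny in .htaccess. The function name starting with example_ is made up for this snippet.

```php
<?php
/**
 * Added example, not code from the original article: remove the WordPress
 * version from every place it is printed. Put it in the active theme's
 * functions.php or in a must-use plugin.
 */

// 1. The <meta name="generator" content="WordPress 6.x"> tag in <head> and
//    the matching generator element in the RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. The ?ver=6.x query string WordPress appends to core scripts and styles.
//    Only the core version is stripped: plugin and theme assets carry their own
//    version numbers, and leaving those alone keeps cache-busting working.
//    (example_ prefix: name made up for this snippet.)
function example_strip_core_version( $src ) {
    global $wp_version; // set by wp-includes/version.php when WordPress loads
    if ( $wp_version && false !== strpos( $src, 'ver=' . $wp_version ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'example_strip_core_version', 15 );
add_filter( 'style_loader_src', 'example_strip_core_version', 15 );
```

After adding it, view the page source and confirm the generator tag is gone and core assets such as wp-includes/js/jquery/jquery.min.js no longer carry ?ver=. readme.html reappears after every core update, so either delete it as part of your update routine or deny it in the root .htaccess.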
Change file permissions
Make sure the permissions on your files do not let anyone except your own account write to them. The usual WordPress settings are 644 for files (owner can read and write, everyone else read only) and 755 for directories (owner can read, write and enter, everyone else can read and enter). wp-config.php can be tighter still, 600 or 640, as long as the web server process can still read it.
Log in over SFTP, right-click the folder or file and check its permissions. Make sure nothing is set to 777, which gives every account on the server write access to your files.
Set files to 644 and folders to 755. Note that on hosting where PHP runs as your own user these permissions do not stop an attacker who already has code running inside PHP; they protect against other accounts on a shared server and against accidental exposure.
Back up your database
Even with all of these practices in place, things can go wrong. Make a habit of backing up, so that if something does go wrong you can recover quickly. Back up the database and the wp-content directory (uploads, themes, plugins), because the database alone does not restore a site.
A simple plugin for automatic backups is WordPress Database Backup: you can schedule it to back up the database weekly and email you the SQL file, and if your mailbox has enough space you can keep the weekly copies there. Remember that the dump contains every post, including private ones, and your users' password hashes, so treat the mailbox that receives it as sensitive; for anything beyond a small personal site, encrypted off-site storage is a better destination than email.
Some of the best automatic WordPress backup plugins are:
- BuddyBackup
- VaultPress
You can set them up and forget about them until you need them, but restore from a backup once in a while to prove that it actually works.
Hide your plugins
A plugin is code that runs inside your WordPress site with full access to your database, and like WordPress itself it can have security holes. If an attacker knows which plugins you use, they can look up known vulnerabilities in those plugins and use them against your site.
So do not advertise which plugins you run.
Open /wp-content/plugins/ in a browser. If you see a list of your plugin folders, add an empty index.php (or index.html) file to that folder so the listing goes away. This only stops casual browsing: plugin names still leak through the /wp-content/plugins/<name>/ paths of the scripts and styles they load on your pages, and a scanner can probe for a plugin's readme.txt directly. Keeping plugins updated matters more than hiding them.
Install AntiVirus
Viruses, worms and malware exist for WordPress and can easily infect an installation. The AntiVirus plugin for WordPress scans your theme files for malicious injections and warns you of suspicious changes, and it has multilingual support. It is a good plugin to have, but treat it as one layer of detection rather than a guarantee.
Be careful with plugins
WordPress plugins are add-ons that make WordPress great, but they are code you are installing on your site, and you are trusting the plugin developer not to do anything that harms it.
You do not want to install a plugin that wipes your database tables and loses everything. Plugins in the official directory are reviewed, but things can slip through the net, so check a plugin's ratings, reviews, last update date and whether it is tested with your WordPress version before installing it. A plugin with millions of downloads is usually a reasonable bet, but popularity is not a guarantee: widely used plugins have shipped serious vulnerabilities too, and an abandoned plugin stays popular long after it stops receiving fixes.
Secure WordPress with htaccess
Using .htaccess (Apache only; on nginx the equivalent rules go in the server block) you can protect your WordPress site in several ways. The directives below use the Apache 2.2 syntax (Order / Allow / Deny); Apache 2.4 still accepts them when mod_access_compat is loaded, and its native equivalents are Require all denied and Require ip <address>.
Deny access to the wp-config.php file. Add this to the .htaccess file in the web root:
    <Files wp-config.php>
    Order Allow,Deny
    Deny from all
    </Files>
Restrict the administration panel to your IP address. Put this in a .htaccess file inside the wp-admin directory (replace 203.0.113.10 with your own address; this only works if your address is static). Plugins and themes that call wp-admin/admin-ajax.php from the public pages will stop working for visitors unless you add a <Files admin-ajax.php> section that allows everyone.
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
Block specific IP addresses from the whole site. The addresses below are documentation examples; substitute the ones you see misbehaving in your logs (a CIDR range such as 192.0.2.0/24 also works).
    Order Allow,Deny
    Allow from all
    Deny from 203.0.113.1
    Deny from 198.51.100.5
    Deny from 192.0.2.0/24
Block access to the wp-content folder
The wp-content folder holds your images, plugins and themes, so it is a very important folder for your WordPress site. If an attacker gets into it they can replace or remove your themes and plugins and leave the site blank.
To block direct requests into wp-content, create a new .htaccess file at the top level of the wp-content folder.
Put the following in it. Every request under wp-content is refused, with an exception for the static file types browsers genuinely need (extend the list if your theme uses fonts or SVG, for example). The main effect is that .php files inside plugins and themes can no longer be requested directly. Test the site afterwards: a few plugins still expect direct access to their own PHP files and will need an exception.
    Order Deny,Allow
    Deny from all
    <Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
    Allow from all
    </Files>
Disable directory browsing
If a directory has no index.html or index.php file, the web server may list its contents to anyone who requests it. Turn that off with the following line in the root .htaccess; a directory is then never listable, whether or not it has an index file. If the site answers with a 500 error afterwards, your host does not allow Options in .htaccess and you will need to ask them to disable indexes for you.
    # directory browsing
    Options All -Indexes
Block access to wp-login.php with htaccess
Just as with wp-config.php, the login page can be restricted so that only certain IP addresses reach the login form. Again this requires a fixed address; if you travel, or your ISP rotates your address, you will lock yourself out.
    <Files wp-login.php>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    </Files>
Protect against requests that do not have HTTP_USER_AGENT
Comment spam bots usually POST straight to wp-comments-post.php without having loaded a page first, so they arrive with no referer from your own site or with an empty user agent. The rule below refuses such POSTs with a 403 (replace yourwebsite.com with your domain). Be aware that privacy extensions and some browsers strip the Referer header, so a few real commenters may be blocked; if you see complaints, drop the referer condition and keep the user-agent one.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} wp-comments-post\.php
    RewriteCond %{HTTP_REFERER} !yourwebsite\.com [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* - [F,L]
Block file types that are distributed from the uploads folder
The uploads folder should only ever hold the media you publish, but because it is where every uploaded file lands, an attacker who finds any way to upload (a vulnerable plugin form, say) will try to drop a PHP script there and then request it. The rules below, placed in a .htaccess file inside wp-content/uploads, deny every file by default and allow only the types you actually serve, so an uploaded script is never executed. Adjust the extension list to the file types you really upload. On servers configured with AddHandler for .php, a file named image.php.jpg can still be run as PHP; where the host allows it, the surest fix is to turn the PHP engine off for the directory with php_flag engine off.
    # Secure /uploads/ directory from unwanted file types
    <Files ~ ".*\..*">
    Order Allow,Deny
    Deny from all
    </Files>
    <FilesMatch "\.(jpe?g|png|gif|pdf|mp3|mp4)$">
    Order Deny,Allow
    Allow from all
    </FilesMatch>
Hide Error Messages on Login Page
On the WordPress login page, if you type an incorrect username or password, WordPress returns an error message, and the message differs depending on what was wrong.
With a username that does not exist, it tells me so, and I know to try another one.
With a username that does exist, it tells me the password is incorrect.
Now I know there is a user named admin and I can keep trying until I find the right password.
Yes, this is a useful message for real users of the site, because they can see what went wrong. But for an attacker it is a message about where they went wrong, which also tells them what they got right.
WordPress provides the login_errors filter, which lets you replace or remove the error text. Avoid create_function() for this: it was deprecated in PHP 7.2 and removed in PHP 8.0, so snippets built on it break on current hosting. __return_empty_string is a helper WordPress ships for exactly this purpose.
Copy the following into your theme's functions.php:
    add_filter( 'login_errors', '__return_empty_string' );
Note that hiding this message only helps if the other username leaks are closed too: /?author=1 redirects to that user's archive, and the REST API lists users at /wp-json/wp/v2/users.
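The two hooks below are an added example, not code from the original article: they close the two other username leaks mentioned above so that the login_errors filter is actually worth having. They go in functions.php or a must-use plugin; the function names beginning with example_ are made up for this snippet.

```php
<?php
/**
 * Added example, not code from the original article. Hiding the login error
 * text closes one username leak; these two hooks close the other common ones.
 * Names beginning with example_ are made up for this snippet.
 */

// 1. /?author=1 normally redirects to /author/<login>/, which maps user IDs to
//    usernames one by one. Send anonymous visitors to the home page instead.
//    Hooked on init so it runs before redirect_canonical() answers the request.
//    Pretty /author/<name>/ URLs do not set $_GET['author'], so real author
//    archive pages keep working.
function example_block_author_scan() {
    if ( isset( $_GET['author'] ) && ! is_user_logged_in() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}
add_action( 'init', 'example_block_author_scan' );

// 2. /wp-json/wp/v2/users lists every user who has published a post, with
//    their login slug, to anyone. Remove the two routes for anonymous requests;
//    logged-in users (and therefore the block editor) keep them.
function example_hide_users_endpoint( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'] );
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'example_hide_users_endpoint' );
```

To check it, request /?author=1 and /wp-json/wp/v2/users while logged out: the first should land on the home page and the second should return a 404 rest_no_route error. Author archive URLs still contain the user's nicename, which WordPress sets equal to the login by default, so if you want that hidden as well, change the nicename (the "slug") of each user to something other than their login.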
Disable the theme and plugin editor
When an administrator is logged in, WordPress lets them edit theme and plugin files directly from the dashboard. This is handy if the admin needs a very quick change, for example fixing a spelling mistake they have just noticed in the theme.
But with that access, anyone who breaks into your admin area can make whatever changes they like to your theme and plugin files, which is the easiest way to turn an account compromise into code execution on the server.
If you want the editor to disappear from the admin area, add the following to wp-config.php, above the line that says /* That's all, stop editing! */:
    define( 'DISALLOW_FILE_EDIT', true );
If you deploy plugins and themes from outside the dashboard anyway, DISALLOW_FILE_MODS goes further and also disables installing and updating them from the admin area. It disables WordPress's own automatic updates as well, so only use it where something else keeps the code current.
Change the database prefix
Since WordPress is open source, its default table names (wp_users, wp_options and so on) are known to everyone, so an attacker who finds a SQL injection flaw can write a payload against them without any exploration.
Changing the prefix of your WordPress tables is a small obstacle, not a fix: an attacker with a working injection can read the real table names from information_schema, and even a blind injection needs only a few extra requests to find them. Fix the injection; treat the prefix as defence in depth.
The best time to change the table prefix is before installing the site. You can set it on the installation screen or change the $table_prefix variable in wp-config.php (letters, numbers and underscores only):
    /**
     * WordPress Database Table prefix.
     *
     * You can have multiple installations in one database if you give each a unique
     * prefix. Only numbers, letters, and underscores please!
     */
    $table_prefix = 'k7q2x_';
Warning: if you change $table_prefix on an already installed site without also renaming the tables, and the prefixed keys stored inside them (wp_user_roles in the options table, wp_capabilities and wp_user_level in usermeta), you will break your site.
To change the prefix safely on an existing site, take a database backup first and then use a plugin that renames the tables and rewrites those keys for you.
Prevent direct access to your files
By checking the WordPress ABSPATH constant you can make sure your theme and plugin files cannot be run by requesting them directly. ABSPATH is defined by wp-load.php when WordPress boots; a request made straight to a file under wp-content never goes through wp-load.php, so the constant is missing and the file can tell it is being accessed out of context. Place the check at the very top of each theme and plugin file, before any other code.
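The guard described above, as an added example (not code from the original article); the example_ function after it is made up, and is only there to show that the check must sit above everything else in the file:

```php
<?php
/**
 * Added example, not code from the original article: the guard that belongs
 * at the very top of any theme or plugin file meant only to be included by
 * WordPress.
 */

// ABSPATH is the constant wp-load.php defines when WordPress boots. A request
// made straight to /wp-content/themes/<theme>/file.php bypasses wp-load.php,
// so the constant is missing and we stop before any code below runs, and
// before a PHP error can print the server path to the visitor.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Everything else in the file comes after the guard. Without it, a direct
// request would reach the line below and die with a fatal "undefined
// function add_action()" error that leaks the file's absolute path.
// (example_ prefix: name made up for this snippet.)
function example_theme_setup() {
    add_theme_support( 'title-tag' );
}
add_action( 'after_setup_theme', 'example_theme_setup' );
```

This protects against code running out of context and against error messages leaking paths; it does not stop the web server from executing the file in the first place, so combine it with the .htaccess rules for wp-content and uploads above.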
Limit login attempts
It is important to stop brute force attacks against your login page. A good plugin for this is Limit Login Attempts, which lets you set how many failed attempts are allowed before an address is locked out.
It logs every failed attempt to your WordPress admin area, with the IP address and the username that was tried.
After the configured number of failures (a handful is plenty) the plugin locks that address out of the login page for a period of time, and it can email you when a lockout happens.
Install it, or something equivalent, on every WordPress site you run. Lockouts keyed on IP address also affect everyone behind the same NAT or proxy, so whitelist your own addresses and keep the lockout period reasonable.
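To show what a plugin of this kind does under the hood, here is an added example (not the Limit Login Attempts plugin's own code): a minimal per-address throttle built on WordPress transients. Names beginning with example_ or EXAMPLE_ are made up for this snippet, and it assumes PHP sees the real client address in REMOTE_ADDR.

```php
<?php
/**
 * Added example, not the Limit Login Attempts plugin's own code: a minimal
 * per-address login throttle built on WordPress transients. Install as a
 * must-use plugin (wp-content/mu-plugins/) or in functions.php. Names
 * beginning with example_ / EXAMPLE_ are made up for this snippet.
 */

define( 'EXAMPLE_MAX_FAILURES', 5 );                         // failures allowed
define( 'EXAMPLE_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS ); // lockout length

// Transient key for the client address. Assumption: PHP sees the real client
// address. Behind a reverse proxy REMOTE_ADDR is the proxy, and trusting
// X-Forwarded-For blindly lets an attacker choose whose counter to fill, so
// resolve the real address at the proxy, not here.
function example_login_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'example_login_fail_' . md5( $ip );
}

// Count every failed attempt. set_transient() resets the expiry, so each
// further attempt during a lockout extends it.
function example_record_failure( $username ) {
    $key   = example_login_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EXAMPLE_LOCKOUT_SECONDS );
    error_log( sprintf( 'WP login failed for "%s" from %s (%d/%d)',
        $username, $_SERVER['REMOTE_ADDR'] ?? '-', $count, EXAMPLE_MAX_FAILURES ) );
}
add_action( 'wp_login_failed', 'example_record_failure' );

// Refuse the login once the limit is reached. Priority 30 matters: core checks
// the password at priority 20 and, if it is correct, hands back a WP_User, so
// a callback that ran earlier would be overruled by a correct password.
function example_enforce_lockout( $user, $username, $password ) {
    if ( (int) get_transient( example_login_key() ) >= EXAMPLE_MAX_FAILURES ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed logins from your address. Try again in 15 minutes.' );
    }
    return $user;
}
add_filter( 'authenticate', 'example_enforce_lockout', 30, 3 );

// A successful login clears the counter so an earlier typo does not lock the
// real user out later.
function example_clear_failures( $user_login, $user ) {
    delete_transient( example_login_key() );
}
add_action( 'wp_login', 'example_clear_failures', 10, 2 );
```

Because the lockout is returned from the authenticate filter, it also covers XML-RPC and other code paths that call wp_authenticate(), not just the wp-login.php form. The real plugin adds what this leaves out: a settings screen, a whitelist, per-username counters, and the email notification.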
Specialized WordPress Hosting
For secure WordPress hosting, prefer a company that specialises in WordPress. Such hosts keep PHP and the server stack current, usually apply WordPress security updates for you, and know the platform well enough to help quickly when something goes wrong.
Good hosting is part of protecting the site, not something separate from it.
When you connect to your hosting to upload files, use SFTP rather than plain FTP, which sends your password and your files in clear text. SFTP is not FTP with encryption bolted on; it is a separate file transfer protocol that runs over SSH, so the login and everything transferred are encrypted. If your host only offers FTPS (FTP over TLS), that is acceptable too; plain FTP is not.
You've made these changes to help protect your WordPress site, but that does not mean you are done. Keep checking server logs, 404 error logs and analytics reports for anything strange, and keep WordPress, your themes and your plugins updated.