A common misconception is that newly launched websites are problem-free, never go offline, and never need an update. Many website owners ignore required WordPress updates and upgrades to the programs running their website, until their website gets hacked and they have to pay hundreds of dollars to get the server cleaned up and the site back online.
There are measures you can take to prevent, as much as possible, your WordPress site from getting hacked in the first place. This is, of course, a short list of things you can do right now to help secure your WordPress site.
1. Secure your wp-config.php file
One of the most important files in your WordPress installation is the wp-config.php file. This file is located in the root of your WordPress file directory and contains your website’s base configuration details, such as database connection (login) information.
When you first install WordPress, the wp-config.php file isn’t included. The WordPress setup process will create a wp-config.php file for you based on the information you provide. The install does, however, come with a sample file named “wp-config-sample.php” that you can use if you’re doing a manual install (instead of a one-click install).
After your wp-config.php file has been created, delete the sample file from your server. To help secure the wp-config.php file, you can add the code below to the top of your .htaccess file. BE VERY CAREFUL when making changes to your .htaccess file; you could end up taking down your entire website. So, BEFORE you make any changes to that file, make sure you have a backup copy ready to replace your edited copy.
Locate and open the .htaccess file to edit it in the default text editor on your computer (or in the Edit window if you’re doing this in your cPanel).
Add the "Deny from all" code to the very top of the .htaccess file to stop the file from being served to any visitor, bot or search engine:
Save the file.
While you’re already editing that file, you can also hide your .htaccess file by adding this to the top of the file:
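The two .htaccess rules referred to in steps 1 and 2 above, written out as an added example (not taken from the original post). It assumes Apache with .htaccess overrides enabled for the WordPress directory; the "Require" form is the Apache 2.4 equivalent of the older "Order/Deny" directives, use whichever matches your server version.

```apache
# Added example: block direct web requests to wp-config.php.
# Apache 2.2 syntax (the "Deny from all" form mentioned in the text):
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>

# Apache 2.4 syntax (same effect; use this instead on 2.4+):
<Files wp-config.php>
    Require all denied
</Files>

# Also hide the .htaccess file itself from web requests.
<Files .htaccess>
    Require all denied
</Files>
```

After saving, request https://your-site.example/wp-config.php in a browser (or with `curl -I`): a 403 Forbidden response confirms the rule is active, while a 200 or 500 means the override is not being applied and you should restore your backup copy.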
2. Strong passwords
Weak passwords continue to be one of the key ways that hackers gain access to your website.
You can change your WordPress login password by visiting Users >> Your Profile and scrolling down to the Account Management section.
3. Install the Wordfence plugin
Wordfence has been downloaded more than 15 million times, so they must be doing something right. This is one of a few plugins that get installed on every WordPress site I set up. There’s a free version available; however, if your business is not global, I highly recommend their paid version. The reason is that the paid version comes with added features, one of which is Country Blocking. You can block every country on the planet. I’ve found this extremely useful considering the non-stop hacking attempts from Russia, China and Ukraine.
Wordfence recently introduced a Web Application Firewall. I’ve not yet had a chance to implement this feature, however, I will be doing so within the next couple of days. According to the good folks at Wordfence, the Web Application Firewall stops you from getting hacked by identifying malicious traffic, blocking attackers before they can access your website.
4. Change your login username if you’re using ‘admin’
Every time hackers try to perform one of their brute-force attacks on a WordPress site, they will go for ‘admin’ as the username. Words like “admin,” “info,” and even “wordpress” are the first usernames tried in hacking attempts. If you’re using “admin” to log into your site, change it to something more complex.
You can change your WordPress username by:
1. Manually creating a new user with administrator rights
2. Changing the username in phpMyAdmin, or
3. Using a plugin
The easiest way to change your username is by creating a new user and assigning the role of administrator. To do that, log into your Dashboard, and click on Users > Add New.
Create a new user with your desired username and assign yourself as an administrator. Make sure to use a different email address, or change the old admin email address if you want to use it for your new admin name.
Then log out and log in with your new username and password. Next, go to Users and delete the old user named ‘admin.’ WordPress will ask you what to do with the existing user’s content; assign it to the new admin user that you just created.
5. Keep WordPress core files, theme and plugins updated
Whenever you log in to your site, you can check for available updates by going to Dashboard >> Updates. Keeping the core WordPress software, theme and plugins updated is an important MUST DO security measure.
If you’re using a plugin that hasn’t been updated in over a year (or longer) you may want to search for one that is better supported.
If you’ve installed the Wordfence plugin you will receive email notices whenever there’s an upgrade that needs to be done, or whenever there are login attempts from unauthorized users.
If your theme files have been directly edited (i.e. code changes or customization) by yourself or a developer, then updating will overwrite those changes unless they were made through the theme’s own settings interface in the admin area.
6. Don’t use Free Themes
Many free themes can have malicious code in them. Also, remember to remove inactive themes and plugins. Inactive plugins and themes present potential entry points for hacking attempts since (most likely) you’re not updating them. Deleting them will save you time and also helps speed up your website.
7. Setup scheduled backups
OK. This may not be a “security” tip, but it’s definitely something that needs to be included under the Safe and Secure umbrella. If anything goes wrong with your site, even if it’s not a security issue, you’ll be able to revert to your backups. There are many options for backing up your site. My personal favorite is to simply use the VaultPress plugin. This plugin has come to the rescue for a few of my clients.
Need help with any of the above? Feel free to contact me for assistance!