Ways to Secure Your WordPress Site You've Probably Overlooked
WordPress security is often referred to as "hardening." Makes sense. After all, the process is like adding reinforcements to your castle. It's all about bolstering the gates and putting lookouts on every tower. But the term doesn't convey the many details that go into actually improving site security.
Even if you've done next to nothing to improve your site's security, it's likely that you have at least a cursory familiarity with some popular tactics. It's also likely you've heard of a plugin or two that can get the job done. We're not going to be talking about those things today, however.
This article is going to focus more directly on the ways you can secure your site's admin, and more specifically, the ways that aren't discussed over and over in every list out there. Because security is seriously important.
Did you know 73% of the popular sites that use WordPress were considered "vulnerable" in 2013?
Or that of the top 10 most vulnerable plugins, five were commercial plugins available for purchase?
Worse yet, one of those five plugins was actually a security plugin, which is just, well, pretty awful.
While the core installation of WordPress is very easy to use and relatively secure, the more you add on top of it via plugins, themes, and custom code, the more likely it is to be hacked. And the more users you add to any given installation, the more the likelihood increases. That's bad news all around for individuals and businesses alike.
With that in mind, let's spend some time today exploring the 12 ways you can secure your site's backend to ensure your information (and that of your customers) remains safe.
What You Should Know Already
I know I just said that I wasn't going to talk about the more commonly referenced security solutions here, but just in case someone reading this isn't well-versed in WordPress, I'd be remiss if I didn't at least list them out. Even if you're a WordPress pro, having this list to refer to can be helpful as you set about implementing security strategies on your sites.
Keep WordPress up-to-date. Something so simple can have a big impact on site security. Whenever you log in to the dashboard and see the "Update available" banner, click it and update your site. If you're worried about something breaking, make a backup before installing it. The important thing is that you do it, and with regularity. Information about any security holes that were fixed since the previous version is public, which means an out-of-date site is all the more vulnerable.
Keep plugins and themes up-to-date. Just as you update WordPress core regularly, you should also update plugins and themes. Each plugin and theme installed on your site is like a backdoor into your site's admin. Unless properly secured (vetted thoroughly, updated regularly, etc.), plugins and themes are like an open door to your personal info.
Delete any plugins or themes you're not using. Along the same line of thinking as what's listed above, getting rid of any plugins or themes you don't need will reduce the likelihood of being hacked. If you're not using them, you're not going to want to update them, so it's a much better idea to delete them. Read: deactivating plugins isn't enough; you must actually click "Delete."
Only download plugins and themes from well-known sources. When you can, downloading plugins and themes from WordPress.org is actually your best bet, since they will have been thoroughly scanned before being admitted to the Theme Directory or Plugin Directory. If you want a premium theme or plugin, only download it from reputable sources like Themeforest or from a highly respected developer's website.
Change file permissions. Avoid configuring directories with 777 permissions. You should opt for 755 or 750 instead, according to WordPress.org. While you're at it, set files to 640 or 644 and wp-config.php to 600.
Don't use "admin" as a username. If you've already installed WordPress using "admin" as your username, or something else very simple, you can change it by running an SQL query in phpMyAdmin or by following the instructions laid out in our latest post on the subject.
Change your password often (and make it good). Random strings of letters and numbers are best. If you don't feel like coming up with something manually, you can use a password generator to accomplish the task, like Norton Password Generator or Strong Password Generator.
Passwords have been given special treatment in the upcoming WordPress 4.3 and will be strong by default.
Make sure your users establish strong usernames and passwords. It's all fine and well if you create a good username and password, but if your users don't, your personal efforts won't matter and your site will be just as vulnerable.
Add two-step authentication. A really good way to prevent brute force attacks is to set up two-step authentication. This means a password is required plus an authorization code that is sent to your phone in order to log in to your site. Often, the second login code is sent via SMS. Several plugins can be used to add this feature, including Clef, Google Authenticator, and Duo Two-Factor Authentication.
Install a firewall on your computer. It's one extra step, yes, but easy to do. And once installed, it offers another layer of protection from hackers and security breaches. A few firewall software providers to check out include Comodo, Norton Internet Security, and ZoneAlarm Free Firewall.
Limit logins. The brute force attack is tactic #1 for hackers. If you let them, they'll try to log in to your site over and over again until they crack your password. That's why it's called "brute force": the onslaught is relentless. However, there are plugins that allow you to limit the number of times a person from a specific IP can attempt to log in within an allotted period of time; after that, the user is blocked from attempting to log in again for a given period. Login LockDown is great for offering this feature, but plugins that offer a whole set of security features often include login limiting too, like iThemes Security and Sucuri Security.
Limit user access. Sometimes site security is run through the wringer because of something very simple: granting too many people access. A good rule of thumb is to only grant access to those who absolutely need it, and even then, only give them the bare minimum of permissions to complete their assigned tasks. Giving all of your contributors administrative permissions is just asking for trouble.
Back up your site. I don't just mean every once in a while. I mean predictably, on a schedule. Scheduled backups are an essential part of any site's security strategy because they ensure that if your site is compromised, you'll be able to restore it to a version prior to the damage with ease. Choose an automated solution like VaultPress, BlogVault, BackupBuddy, or WordPress Backup to Dropbox for simple backups with built-in restore options.
Check for theme authenticity and conduct security scans. Just as you install antivirus software on your computer to check for malware, so too should you install a scanner on WordPress. A security scanner will check for malicious code in your core files, plugins, and themes to ensure nothing has been tampered with. Several scanners exist that you may wish to consider, including Sucuri Sitecheck, CodeGuard, Theme Authenticity Checker, and AntiVirus.
Now that we've brushed up on the things you should already know about securing a WordPress website, we can move on to some of the more obscure things, as well as those that you just might not have thought of yet.
But first, make sure you create a child theme before making any changes to your functions.php file.
1. Cut Back on Plugin Use
I know I already mentioned in the list above that you should delete plugins and themes you're not using. But it's worth noting that you should make an effort to limit the total number of plugins you install in the first place. To keep your site secure, you need to be scrupulous in the criteria you use to select plugins.
This isn't just about security, either. It's about site speed and performance, too. Loading your site up with too many plugins can slow it down dramatically. So if your site can function without a particular plugin, skip it. Or, look for plugins that check off several items on your must-have features list. The fewer plugins you have, the fewer chances you give hackers to access your info.
2. Don't Download Premium Plugins for Free
Though I totally get what it's like to be a business person on a budget, it's just a bad idea overall to try to download premium plugins from anywhere other than where they are officially for sale.
It's lame to download pirated plugins anyway, but if you needed more of a deterrent than that: perfectly legitimate plugins are often laced with malware by the time they hit these illegal download sites. That means what was once a great premium plugin with excellent code is now a hacker's direct line into your site's backend. And for what? All because you wanted to save a quick buck.
Skip the illegal downloads and torrents, people. Just don't do it.
3. Consider Automatic Core Updates
I've already talked about the importance of updating your WordPress installation whenever a new version is released, but it bears repeating. In fact, if you're running an older version of WordPress than what is current, all of the security flaws in the version you're running are common knowledge to the public. That means hackers have that info, too, and can easily use it to attack your site.
But updating your site might not be enough, especially if you don't make site maintenance a regular habit. In these cases, the more automated you can make these tasks, the better. While I recognize it's not for everyone, automatic updates might be a good option for those who want to take a more hands-off approach to site management but want a secure site just the same.
Ever since WordPress 3.7, minor WordPress updates happen automatically. But major updates are still something you need to approve. You can insert a bit of code into your wp-config.php file, however, to configure your site to install major core updates automatically.
It doesn't get much simpler. Just insert this in the file and major core updates will happen in the background without the need for your approval:
```php
# Enable all core updates, including minor and major:
define( 'WP_AUTO_UPDATE_CORE', true );
```
Be warned, however, that auto updates can break your site, especially if you're running a plugin or a theme that isn't compatible with the latest version. Still, setting up the auto updates might be worth the risk if you don't regularly log into your site.
4. Set Plugins and Themes to Update Automatically
Now I realize this one also isn't for everyone, but it's worth mentioning anyway. Typically, plugins and themes are things you'll need to update manually. After all, updates are released at different times for each. But again, if you're not someone who makes site maintenance a regular thing, you may wish to configure automatic updates so everything stays current without necessitating your immediate intervention.
Automatic updates for plugins and themes are another thing you can configure by inserting a bit of code into wp-config.php. For plugins you'll use:
```php
add_filter( 'auto_update_plugin', '__return_true' );
```
For themes, use:
```php
add_filter( 'auto_update_theme', '__return_true' );
```
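Here is an added example (not the article's own snippet) that uses the same two filters selectively instead of blanket-enabling them, together with the core-update filters, so you can auto-update the plugins you trust while still reviewing the rest by hand. It is written as a must-use plugin file (wp-content/mu-plugins/selective-auto-updates.php is an assumed filename), where add_filter() is already defined when the file loads; the hook names are WordPress core's and the plugin list is a constructed sample.

```php
<?php
/**
 * Plugin Name: Selective auto-updates
 * Added example, not the article's own code. Lives in
 * wp-content/mu-plugins/ (assumed), so it is always active and
 * add_filter() is available when it runs.
 */

// Plugins allowed to update unattended, keyed by the plugin file path
// relative to wp-content/plugins/. Constructed sample list; adjust it.
const SAU_TRUSTED_PLUGINS = array(
    'akismet/akismet.php',
    'wordpress-seo/wp-seo.php',
);

/**
 * Decide whether a given plugin update may run unattended.
 * $update is core's default decision, $item describes the pending update.
 */
function sau_allow_plugin_update( $update, $item ) {
    if ( ! isset( $item->plugin ) ) {
        return $update; // not a plugin update object, keep core's decision
    }
    return in_array( $item->plugin, SAU_TRUSTED_PLUGINS, true );
}
add_filter( 'auto_update_plugin', 'sau_allow_plugin_update', 10, 2 );

/**
 * Themes: only let the active parent theme update itself, so an
 * unused theme cannot be silently replaced by a broken release.
 */
function sau_allow_theme_update( $update, $item ) {
    $active = get_template(); // directory name of the active parent theme
    return isset( $item->theme ) && $item->theme === $active;
}
add_filter( 'auto_update_theme', 'sau_allow_theme_update', 10, 2 );

// Core: take every release, minor and major. Equivalent to
// define( 'WP_AUTO_UPDATE_CORE', true ) in wp-config.php.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Email the site admin the full update log after each run, so a failed
// or half-applied update does not go unnoticed on an unattended site.
add_filter( 'automatic_updates_send_debug_email', '__return_true' );
```

Because must-use plugins are never updated automatically themselves, the policy file stays exactly as you wrote it.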
5. Eliminate the Plugin and Theme Editor
If you're the kind of developer who routinely makes changes and tweaks to plugins and themes, then you may want to disregard this section. But if you don't use the built-in plugin and theme editor in the WordPress dashboard on a regular basis, you're better off disabling it altogether.
Why? Because authorized WordPress users are given access to this editor, and if their accounts are hacked, the editor can be used to take down an entire site just by modifying the code found there.
So you can remove this editor by inserting another bit of code into the wp-config.php file. It's another simple one:
```php
define( 'DISALLOW_FILE_EDIT', true );
```
6. Eliminate PHP Error Reporting
Beefing up your site's backend security has a lot to do with closing the holes or weak spots. Now, if a plugin or theme doesn't work correctly, it might create an error message. This is definitely helpful when troubleshooting, but here's the problem: these error messages often include your server path.
Hackers would only need to view your error reports to get your full server path, which means you'd be handing them every nook and cranny of your website on a silver platter. No matter how helpful error reporting might be, it's a better idea to disable it altogether. This one's another code snippet to be added to wp-config.php.
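An added example of the relevant wp-config.php lines, not the article's own snippet. The weak setting is shown commented out above the hardened one; the hardened form goes one step beyond a blanket disable by keeping the messages in a log file (the path is an assumption) while never rendering them in a page a visitor can see.

```php
<?php
// Added example, not the article's snippet. These lines belong in
// wp-config.php above the "That's all, stop editing!" comment.

// --- Weak: notices and warnings, absolute server paths included, are
// --- printed into the HTML of every affected page.
// define( 'WP_DEBUG', true );
// define( 'WP_DEBUG_DISPLAY', true );

// --- Hardened: keep the diagnostics, but only where you can read them.
define( 'WP_DEBUG', true );           // still record notices and warnings
define( 'WP_DEBUG_DISPLAY', false );  // never render them in the response

// WordPress 5.1+ accepts a file path here; put it outside the document
// root so the log itself cannot be fetched over HTTP. Path is assumed.
define( 'WP_DEBUG_LOG', '/var/log/wordpress/debug.log' );

// Belt and braces for PHP's own settings: WordPress only forces
// display_errors off for some request types when WP_DEBUG is false,
// so fatal errors could otherwise still reach the browser via php.ini.
@ini_set( 'display_errors', '0' );
@ini_set( 'log_errors', '1' );
```

Check the result with a deliberately broken plugin on a staging copy: the page should show a plain error or white screen, and the detail should appear only in the log file.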
7. Protect Your Most Pertinent Files Using .htaccess
If you're into WordPress security at all, you've heard of the .htaccess file before and have likely accessed it. Still, the changes you make in this one file can have such a huge impact on your entire site's security that I can't leave it off the list.
Why is this file so important? It's at the heart of WordPress and directly affects how your site structures permalinks and how it handles security. You can insert many different code snippets into the .htaccess file anywhere outside the # BEGIN WordPress and # END WordPress tags to modify what files are visible within your site's directory. These snippets are sourced directly from the WordPress Codex.
For starters, you'll want to hide wp-config.php because it's a central hub for your site and includes your database credentials and many other details related to security. Hide it by adding this bit of code to .htaccess (the Files wrapper matters: a bare "deny from all" in the root .htaccess would block the whole site):
```apache
<Files wp-config.php>
deny from all
</Files>
```
You can also restrict admin access by creating a new .htaccess file and uploading it to the wp-admin directory. You'll then insert the following code:
```apache
order deny,allow
deny from all
allow from 192.168.5.1
```
Insert your own IP address in the appropriate spot. You can allow access to wp-admin from multiple IP addresses by listing them out as allow from IP Address, each on a new line. Bear in mind that many themes and plugins call wp-admin/admin-ajax.php from the public side of the site, so test the front end after adding this rule.
You can restrict access to wp-login.php in much the same way. Just add the following code into .htaccess:
```apache
<Files wp-login.php>
order deny,allow
deny from all
# allow access from my IP address
allow from 192.168.5.1
</Files>
```
If you don't want to block every IP but your own and instead wish to just block specific people attempting to access wp-admin or wp-login.php, you can do so by blocking those IP addresses individually using this bit of code:
```apache
order allow,deny
# 203.0.113.11 is a placeholder; put the address you want to block here
deny from 203.0.113.11
allow from all
```
Another way to prevent people from viewing your site's directories is to make them non-browsable. This simple bit of code will do the trick:
```apache
Options All -Indexes
```
There are many other ways to modify .htaccess to heighten your site's security as well (we've written on them extensively here), but these are just a few of the more important ones you should implement. One caveat: the Order, Allow and Deny directives in these snippets are the Apache 2.2 syntax. On Apache 2.4 they only work while the mod_access_compat module is loaded; the native equivalents are Require all denied and Require ip followed by the address.
8. Hide Author Usernames
If WordPress defaults are left intact, it's really easy to find out each author's username for your site. And since more often than not the main author of a site is also the administrator, it's also easy to find out the admin's username. Which isn't good. Any time you're giving away info to hackers, you run the risk of seeing your site compromised.
According to DreamHost, it's a good idea to hide the author's username to ensure you aren't making the hacker's job easier. To do this, all you need to do is add some code to your site. Once inserted, this code will make it so that when someone appends ?author=1 to your main URL, they won't be presented with the administrator's information and will instead be sent back to your homepage.
Just copy and paste the following into your functions.php file:
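As an added example that is not the article's own snippet, here is a functions.php (child theme) version of that redirect. It also goes one step beyond the article's ?author= case by removing the REST API user routes for anonymous requests, since those list the same login names; the function names are mine, the hooks are WordPress core's.

```php
<?php
/**
 * Added example, not the article's code. Goes in the child theme's
 * functions.php or a must-use plugin.
 */

/**
 * Send anonymous requests for author archives back to the homepage.
 * Priority 1 runs before redirect_canonical() (priority 10), which would
 * otherwise rewrite ?author=1 into /author/<login>/ and reveal the name
 * in the redirect target.
 */
function hide_author_archives_from_guests() {
    if ( is_user_logged_in() ) {
        return; // editors can still browse their own archives
    }
    // is_author() is true for both ?author=1 and /author/<nicename>/
    if ( is_author() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}
add_action( 'template_redirect', 'hide_author_archives_from_guests', 1 );

/**
 * Drop every /wp/v2/users route for anonymous requests so the same
 * usernames cannot simply be read from the REST API instead.
 * Logged-in users keep the routes, which the block editor relies on.
 */
function hide_user_routes_from_guests( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'hide_user_routes_from_guests' );
```

Verify from a logged-out browser: /?author=1 should land on the homepage with a 301, and /wp-json/wp/v2/users should return a "no route" error rather than a list.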
9. Keep Track of Dashboard Activity
If you have many users on your site, it might be a good idea to keep track of what they're doing on your dashboard. Not that you suspect them of any wrongdoing, but sometimes when you have a lot of people involved in your site, a simple misstep can cause something to break. That's why logging dashboard activity is so useful: it allows you to retrace your users' steps up to the point of site breakage. You can even retrace your own steps.
This is also great for security because it allows you to connect the dots between a specific action and a specific reaction. So, if a certain uploaded file caused your site to break, you can investigate it further to see if it contained malicious code.
A great, free plugin option for checking over activity on your site.
Yes, WordPress logs this information automatically, but it's not easy to use. It's a much better idea to use a plugin to organize all of that data, so you can see if installing a certain plugin, making a specific code change, or uploading a file caused the issue you're dealing with. But even if you're not handling a site issue, being able to see what your users are doing on your site at all times can offer some peace of mind.
According to Pagely, a good plugin to check out is WP Security Audit Log. This free plugin maintains a log of everything that happens on your site's backend, so you can easily view what both users and intruders are doing. It keeps track of everything from when a new user is created to file management to published post changes.
10. Obscure the Login Page
Though security that relies on obscurity isn't complete on its own, it's still a useful part of your overall strategy. After all, hiding certain elements of your site won't prevent hackers from accessing them, but it'll make them harder to get to. And that's good, right?
Lockdown and lockout intruders with this free plugin.
Relocating or renaming your login page is a quick way to make a hacker's job harder. Brute force attacks are typically automated, so if your login page is anything other than www.websitename.com/wp-admin or www.websitename.com/wp-login.php, then they're going to have a much harder time. Many plugins are available that make this simple change for you, including Lockdown WP Admin as well as several of the major WordPress security plugins.
11. Pick the Best Hosting You Can Afford
You can trick out your site all you want with all the latest security tweaks, but if you don't have a good hosting provider, your efforts aren't going to matter all that much. In fact, security experts WP White Security reported that 41% of WordPress sites were hacked due to a security vulnerability on the host itself. That's edging on half, which means you need to do something about your hosting plan, ASAP.
If you want to use shared hosting, make sure your plan includes account isolation. This will prevent someone else's site on the server from affecting yours in any way. But I think it's a much better idea to use a service that caters directly to WordPress. A managed hosting provider that specializes in WordPress is more likely to include a WP firewall, up-to-date PHP and MySQL, regular malware scanning, a server that's designed for running WordPress, and a customer service team that knows WordPress inside and out.
12. Keep Your Computer Up-to-Date, Too
Sometimes hackers can gain access to your site due to security vulnerabilities on your computer. The best way to combat this is to keep your computer up-to-date. When software patches are released, install them. When a new operating system is released, do your best to upgrade as soon as possible.
Likewise, make sure you run antivirus software on a regular basis. You can use free antivirus software like Avast, Panda Free Antivirus, Comodo, or AVG to see if there are any viruses or malware on your computer and to eliminate them.
Securing a WordPress site is about so much more than installing a security plugin and walking away. There are subtle nuances that fill out a complete strategy. Some you might've known about before, but it is my hope that some were new discoveries. Sometimes, it's the simple things you haven't thought of yet that spell the difference between a mediocre security strategy and a great one.
What are some things you do to secure your WordPress sites? Did I miss a detail here that you think is vital? Feel free to sound off in the comments below.