WordPress, the best welcomed blogging tool and content management system(CMS), has been used by about 25% new websites all over the world. With the increasing usage of WordPress, its security and reliability has been one of the most important issues. In 2011, around 144,000 WordPress sites were hacked, and this number has increased to 170,000 in 2012, of course, the number continues to increase.
The reasons of hacks are various. According to statistics, nearly 40% hacks come from the hosting, about 30% hacks are from themes, 8% hacks happen because of the weak password and 22% hacks are owing to plugins.
Overall, the website owners and WordPress developers should both take responsibility for the security of the WordPress sites. Of course, the core developers of WordPress have done a lot of things to protect the security, then the website owners should also make the biggest efforts to keep the website safe. Actually, there are many things website owners can do, such as updating the WordPress to the latest version, backing up data regularly, reporting bugs to WordPress security, and so on.
The best efficient method is to avoid the WordPress sites from being backed from the sources. Taking the following tips to prevent your WordPress site, you can get safe website easily.
Choose a Reliable Hosting Package
As about 40% hacks are from the hosting, it’s essential for website owners to choose a reliable hosting package. In general, the reliable hosting is backed by a powerful web host with strong data center, advanced technologies and quality hardware and software. Besides, it should also come with security features like SSH, sFTP, Secure POP3, support for SSL, DDoS protection, and so on.
After reviewing more than 100 WordPress hosting packages, we recommend BlueHost WordPress hosting for bloggers and small businesses. Starting at affordable $3.49/mo, it features with SSH, Secure POP3 and even uses Wordfence for better security. And also, the following recommendations stick to offering budget-friendly hosting services.
Keep WordPress Updated
The websites using old WordPress core are more likely to suffer from hacks and attacks. And the latest WordPress has fixed many security holes. So, you should keep your WordPress installation up to date. Besides, we also suggest you hide the WordPress version in the header tag.
Backup Your Database and Files
Backup database and files is the most important part of WordPress security. Make sure you back up the whole database before doing any changes. As well, you can also backup it regularly manually or by using the automatic WordPress backup plugins.
Use a Safe WordPress Theme
A good WordPress theme not only can beautify your website but also brings better security. You need to take the security into consideration when choosing WordPress theme as it brings nearly 30% hacks. Generally, a good theme will use the proper APIs offered by WordPress.org to avoid direct database manipulations and other actions.
Change the Login Username and Passwords
The default WordPress login username and password are both “admin”, and almost all hackers know that. You should change them to others which are difficult to guess. The strong password should contain characters, numbers and hyphens. And do not use your birthdays or names as passwords as your acquaintances may know it. Eventually, the best is to create a custom new login and delete the default login.
Use WordPress Security Plugins
There are many plugins available to increase the WordPress security. Typically, Better WP Security is the No.1 WordPress security plugin, and one of the best WordPress plugins. Install this plugin on your site, it integrates the best WordPress security features and techniques to keep your site stay safe.
Every single tip has effect to keep a WordPress site secure, and you can also take all measures. We cannot guarantee that your WordPress site will no longer be backed after taking these tips, but we are sure that the chance of be hacked will be greatly decreased.
Lock down Your File Permission
Your site can be boiled down with a series of files and folders, which have been assigned a set of permissions to be read, written, and executed. Thus, the file that has been locked down is undoubtedly much more secure than the one that allows anyone to write and execute.
To set the necessary file permission, you need to log into your control panel and find the File Manager. Once inside, simply right click the folder or file you need to lock down, and select the “File permissions” option. After seeing a screen with a series of checkboxes, simply assign different permissions based on your own need and situation.
WP-Config.php contains the most sensitive information of your WordPress database such as username and password. That means this file cannot be accessible to anyone else. You can use WordPress secret key generation tool to generate random salts for WordPress cookies. Moreover, you can modify the WordPress table prefix to something else to replace wp_, such as random characters and numbers.
SSL is the short name for Secure Sockets Layer that can build a bond between browsers and servers. In the whole process, it encrypts and hides data when they are transferring on the internet. There is only one unique key to decipher the encrypted information. In this way, data of your website can keep safe in the transmission process.
Clear the Cookies
This step is essential, but always be ignored by the majority of webmasters worldwide. It is fine and inevitable that you may log in your site on some public computers or at the home of your parents or friends. Before you leave, however, never forget to clear out the cookies and cache totally. Note that a quick clean doesn’t hurt anyone, but can reduce the security vulnerabilities of your site effectively.
Avoid Virus Infection
Many hackers intrude your site by getting your site infected with virus like trojans, but you can lessen the chances by limiting access to your valuable information, blocking unreliable websites from being viewed, and uninstalling freeware that does not come with the safety guarantees. Besides, you can also utilize some advanced tools like virus detector, malware scanner, and virus remover.
Limit the Number of Failed Login
It is effective for increasing WordPress security by limiting the failed login attempts. By default, WordPress allows users unlimited login attempts, with which the hackers can try to crack the password again and again. So, you can prevent this case by limiting the failed login attempts.
Protect WordPress Admin Files
WordPress admin files should be accessed only by you and the person your designated. So you can restrict access by using .htaccess to allow specific IP addresses to this directory.
It’s a good option to have a static IP address and blog from your own computer. On the other hand, if you have a multi-user website, then you can use this or you can allow access from a range of IPs. Copy and paste the following code to the .htaccess in the wp-admin folder.
The xx.xx.xx.xx should be your static IP, and any access from others will be disallowed by this code.
Protect your .htaccess File
.htaccess, the default name of directory-level configuration, is often used to specify the security restrictions for the particular directory. However, you cannot simply leave it open to attacks after using it to protect other files. Copy and paste the below code in your domain’s root .htaccess file to prevent the external access to any tile with .hta.