There is no doubt that WordPress is today's most widely used content management system. More than 75 million websites have been built on WordPress so far, and nearly 6 new posts or blogs are published every second. We at W2S solutions offer WordPress website development services for enterprises, SMEs and startups.
WordPress is the most popular platform for business websites today because it is:
- Open source
- Easy to access and manage
- More theme and plugin options
- SEO friendly
- Blog-oriented
Over 29 thousand plugins have been developed, 98 versions have been released, and 75 million websites run on WordPress, so there are plenty of sites that may be vulnerable to attack. Because it is open source, anyone can study your code and plugins for weaknesses. Over 30 thousand hacked sites are reported every day.
How to avoid a security breach:
Protect your login:
- Strong user name and password: 8% of all websites get hacked because of a weak password. Make sure you don't use the common default user name "Admin"; most attackers try this default user name first. Change the user name and password as soon as the site is purchased. I recommend a strong password that mixes upper- and lower-case letters, numbers and symbols, something like "catchSahara12!@". Change it every 60 days.
- Limit login attempts: Limit the number of failed login attempts and block the IP address after that. The "Limit Login Attempts" plugin does this, and you can customize it to your needs. You can also restrict access to wp-login.php itself by editing the .htaccess file, which keeps unauthorized users from reaching the login form at all.
- Delete inactive user accounts: An inactive user account is a security risk, since a malicious user can take it over to gain access to WordPress. It is good practice to delete inactive user accounts.
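The login-attempt limiting and error hiding described above, as an added must-use plugin example (not the Limit Login Attempts plugin's own code); the names LAL_MAX_ATTEMPTS, LAL_LOCKOUT_SECONDS and the lal_* functions are assumptions, and it assumes WordPress is reached directly so that REMOTE_ADDR is the real client address:

```php
<?php
/*
 * Plugin Name: Login Attempt Limiter (added example)
 * Save as wp-content/mu-plugins/login-limiter.php; must-use plugins load automatically.
 * Illustrates what the "Limit Login Attempts" plugin does; it is not that plugin's code.
 * Assumption: no reverse proxy in front, so REMOTE_ADDR is the real client address.
 */
define('LAL_MAX_ATTEMPTS', 5);      // failures allowed per window
define('LAL_LOCKOUT_SECONDS', 900); // 15-minute lockout and counting window

function lal_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}
// Per-IP failure counter stored as a transient, so it expires on its own.
function lal_counter_key() {
    return 'lal_fail_' . md5(lal_client_ip());
}

// Fired by WordPress on every failed login: bump the counter and log lockouts.
function lal_record_failure($username) {
    $count = (int) get_transient(lal_counter_key()) + 1;
    set_transient(lal_counter_key(), $count, LAL_LOCKOUT_SECONDS);
    if ($count >= LAL_MAX_ATTEMPTS) {
        error_log(sprintf('wp-login lockout: %s after %d failures (user "%s")',
            lal_client_ip(), $count, $username));
    }
}
add_action('wp_login_failed', 'lal_record_failure');

// Runs after the password check (priority 30): refuse even a correct
// password while the address is locked out.
function lal_check_lockout($user, $username, $password) {
    if ((int) get_transient(lal_counter_key()) >= LAL_MAX_ATTEMPTS) {
        return new WP_Error('too_many_attempts',
            'Too many failed login attempts. Please try again later.');
    }
    return $user;
}
add_filter('authenticate', 'lal_check_lockout', 30, 3);

// A successful login from this address clears its counter.
add_action('wp_login', function () {
    delete_transient(lal_counter_key());
});

// "Hide dashboard login errors": one generic message instead of WordPress's
// "invalid username" / "incorrect password" hints about which accounts exist.
add_filter('login_errors', function () {
    return 'Login failed.';
});
```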
Update the WordPress version, themes and plugins:
Exploits may appear within days of a vulnerability becoming known, so it is necessary to keep the WordPress version, themes and plugins up to date: apply an update as soon as it is published. It is better to delete unused plugins and images. For plugins you can rely on the Shield WordPress Security plugin for automatic updates. Also scan plugins for malware after downloading them. Keep WordPress on the latest version, 4.7.3.
Secure wp-config.php:
All the keys and database access information live in the wp-config.php file. By editing the .htaccess file in the WordPress root directory we can protect wp-config.php. The following code denies everyone access to the wp-config.php file (this and the blocks below use the Apache 2.2 Order/Deny/Allow syntax; on Apache 2.4 it only works with mod_access_compat loaded, otherwise use the Require directives instead):
# protect wp-config.php
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>
You can also add the WordPress authentication keys and salts to wp-config.php; they strengthen the protection of logged-in users' session cookies.
Secure the wp-content directory:
Only specific file types within this directory should be accessible to visitors: .jpeg, .gif, .png, .js, .css and .xml. The code below restricts access so that only pictures, JavaScript, CSS and XML files are served and nothing else. Put it in a .htaccess file inside the wp-content folder. Anything not matched by the pattern (for example font files your theme serves directly) is blocked as well, so extend the list as needed.
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
Block search engine spiders from the admin area:
You do not want the admin section indexed; search engine spiders crawl your entire site unless they are told not to. To keep them from indexing these paths, create a robots.txt file in the root directory with the following content. Note that robots.txt is only honoured by well-behaved crawlers and is itself publicly readable, so it is not an access control:
#
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*
Protect the .htaccess file:
.htaccess files specify the security restrictions for a particular directory. Hypertext access files allow decentralized management of configuration when placed inside the web tree. To keep .htaccess files from being downloaded or tampered with, include the code below in the domain root .htaccess file.
# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order allow,deny
Deny from all
Satisfy all
</Files>
Install an SSL certificate:
It lets you log in securely over HTTPS. This encrypts the data that you and your users transfer to and from the site, such as when submitting contact forms or logging in. Otherwise the data travels like a postcard in the mail: anyone who is looking can read it.
If you want to use HTTPS when logging into your WordPress dashboard, you can add the code below to wp-config.php.
define('FORCE_SSL_LOGIN', true);
The code above forces WordPress to use SSL when logging into your administration panel, but only during login. It does not enforce SSL while you are using the dashboard.
Instead of doing this manually, you can also install a plugin such as WordPress HTTPS (SSL).
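An added wp-config.php fragment (not from the original post) that covers the whole dashboard rather than only the login: FORCE_SSL_LOGIN has been deprecated since WordPress 4.0 in favour of FORCE_SSL_ADMIN. It assumes a valid certificate is installed and, if TLS is terminated by a reverse proxy or load balancer, that the proxy sets X-Forwarded-Proto and is the only host able to reach WordPress.

```php
<?php
// wp-config.php fragment (added example). Place it above the
// "That's all, stop editing!" line.
// Assumptions: a valid certificate is installed, and if TLS is terminated by a
// reverse proxy or load balancer, that proxy sets X-Forwarded-Proto and is the
// only host able to reach WordPress (otherwise a client could spoof the header).

// Behind such a proxy PHP sees plain HTTP, so is_ssl() returns false and forcing
// SSL would cause an endless redirect loop. Tell WordPress the request was HTTPS.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// FORCE_SSL_LOGIN is deprecated since WordPress 4.0; FORCE_SSL_ADMIN redirects
// both the login page and the whole dashboard to HTTPS, so the authentication
// cookie is never sent over plain HTTP.
define('FORCE_SSL_ADMIN', true);
```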
Other best practices:
- Back up your files on a regular basis
- Install WP Security Scan
- Change the database table prefix
- Prevent directory browsing
- Prevent script injection
- Use a properly maintained server that is free of malware
- Don't log in over public Wi-Fi networks
- Use secure hosting
- Hide dashboard login errors
- Install a WP firewall
- Use SSH instead of FTP.