What is WordPress
Today, WordPress is one of the most popular and widespread content management systems in the world. Based on this convenient and simple engine, many blogs, sites, and portals are built. But such simplicity and prevalence attract the attention of not only honest users but also attackers. Any student can create a site now, but in order to protect it competently, it will require knowledge and at least a little experience.
That is why the security and safety of WordPress is one of the most important aspects of working on your website. Protecting WordPress from hacking includes many ways which are important to use for anyone who doesn’t want their site to suffer.
Why would anyone break WordPress protection?
To begin with, WordPress sites can be hacked automatically using various robotic programs and manually.
The first is the most common because it has a massive impact. Moreover, your site can be either a huge portal with the traffic of several thousand users per day or a personal blog, which has a dozen readers, including you.
From time to time, the network flashes information about such massive attacks on WordPress sites.
WordPress security lack of the platform is used for auto hacking. Especially susceptible to it are resources that use the old version of the site engine, as developers are constantly analyzing the reasons for successful WP hacks and eliminate shortcomings in new versions.
There are different reasons why attackers try automatic hacking WordPress sites:
- site theft – full copying of a resource and transferring it to a new domain in order to appropriate the results of the developer’s labor, monetize the resource, and so on;
- receiving links from a resource for compiling a satellite grid, improving the link profile;
- obtaining personal data of users or other useful commercial information;
- replacing payment information and card numbers can lead to extra profit-making;
- using the site to infect users of the resource by sending letters or programs with viruses;
- redirecting your traffic to their resources (redirect);
- the use of system resources to store their data, more efficient hacking of other resources.
When manually hacking sites, in addition to the listed reasons, hackers are also guided by personal motives, among which the following may be present:
- elimination of a direct competitor
- hacking the WordPress website by order
This is only a small part of the possible motives of attackers, among which there are both commercial motives and human qualities.
That is why WordPress security settings are a must-have stage in the development of any website. If you neglect it, sooner or later you will become a victim of the attack.
How to bypass WP protection?
- 40% – hosting hacks. The site owner can have little effect on the security of the hosting platform, so initially, you need to choose high-quality hosters with positive reviews and a proven reputation.
- 30% are carried out through unsafe topics in which vulnerabilities are intentionally or accidentally present. Conclusion: you must use paid themes from reliable suppliers.
- 20% of WordPress hacks due to vulnerable plugins. Even the best WordPress protection is leveled out by installing plugins with an intentionally placed vulnerability. This also includes installing clean code on a site from unverified sources by users with little knowledge of programming. We recommend using our plugins (https://www.booking-wp-plugin.com/product/bookly-pro/).
- 10% WordPress hacks due to an unreliable password. Hackers simply pick up or brute force passwords by hacking sites in automatic or manual mode.
The security of the WP site should be addressed comprehensively, that is, even if you use WordPress Security plugins, but you install unverified code on your resource, you are at risk.
Steps to make your WordPress website secure:
Maintaining the current version of WordPress
One of the most important steps to improve WordPress security. If you need a clean, malware-free website, you need to make sure your version of WordPress is up to date. This tip may seem simple, however, only 22% of all WordPress installations are in the latest version.
Use your email address to log in
By default, you need to enter your username to log into WordPress. It is more secure to use an email address instead of a username. The reasons are obvious. User names are easy to predict, but email identifiers are not. In addition, any WordPress user account is created with a unique email address, which makes it a valid login ID. Several security plugins allow you to customize login pages so that all users use their email addresses to log in.
Use strong passwords
Create complex passwords and change them regularly. Complicate them by adding letters and numbers in upper and lower case and special characters. Some people use long phrases as passwords because they are difficult to guess but easier to remember than a set of random numbers and letters.
Using two-factor authentication
Another good security measure is connecting a 2-factor authentication module (2FA) to the login page of the site’s administrative panel. In this case, in order to enter, you need to use two types of data. The website owner can choose which components they will be. This can be a regular password followed by a security question, secret code, character set or the more popular Google Authenticator application that sends the secret code to your phone. Thus, only the person with your phone (you) can enter your site.
Modification of the URL of the WordPress login page
Changing your login URL is one of the easiest ways to protect your site from hacking with a password. By default, access to the WordPress login page can be easily obtained through wp-login.php or by adding wp-admin to the main URL of the site.
When hackers know the direct URL of your login page, they will try to search the username and password in order to get to the admin panel. This is most often done using GWDb (Guess Work Database, i.e. a database of estimated usernames and passwords, for example, username admin and password: p @ ssword … with millions of such combinations).
At this point, we have already limited user login attempts and replaced usernames with email. Now we can replace the URL of the login page and get rid of 99% of attacks by password guessing.
This little trick restricts unauthorized users access to the login page. This can only be done by someone to whom you provided the address of the login page.
Setting up site blocking and user ban
The lock feature for failed login attempts can solve the huge problem of continuous password attempts. Whenever there is a hacking attempt with repeated incorrect passwords, the site is blocked, and you receive a notification about this unauthorized activity.
Disabling PHP Error Reporting
PHP bug reports can be quite useful if you are developing a site and want to make sure everything is working correctly. However, showing errors to everyone is a serious omission in WordPress security.
You must fix it as soon as possible. Don’t be alarmed, you don’t have to be a programmer to disable PHP error reporting on WordPress. Most hosting providers provide this option in the control panel. If not, just add the following lines to your wp-config.php file. You can use the FTP client or File manager to edit the wp-config.php file.
Transferring a site to a more secure hosting
Perhaps this advice may seem strange, but statistics show that more than 40% of WordPress sites were hacked due to security holes in the hosting account. These statistics should encourage you to migrate WordPress to more secure hosting. A few key facts to keep in mind when choosing a new hosting:
- If this is virtual hosting, your account needs to be sealed from other users and there will be no risk of infection from other sites on the server.
- On the hosting, there is a function of automatic backup (backup).
- The server has a third-party firewall and a scanning tool.
Back up your data regularly
Even the largest sites are hacked every day, despite the fact that their owners spend thousands to improve WordPress security.
If you follow best practices in this matter and apply the tips from this article, you still need to regularly back up your site.
There are several ways to create a backup. For example, use the tools offered by your hosting company or you can manually download the site files and export the database.
Automatically log out for inactive users
Logged-in users leaving your site open can pose a serious security risk. Any outsider can take advantage of this and harm your site by going to the admin panel. This can be avoided by setting up automatic logout after a period of user inactivity.
Protect the wp-admin directory
The wp-admin folder is the most important part of any WordPress site. Therefore, damage or deletion of this folder can lead to the complete inoperability of the site.
Use a password to protect the wp-admin directory. Using this security measure, the website owner can access the control panel by sending two passwords. One protects the login page and the other protects the WordPress admin area. If website users need access to some parts of wp-admin, you can unlock these parts while leaving the rest of the components protected.
Use SSL certificates to encrypt data
Implementing SSL (Secure Socket Layer) is an effective way to protect the admin panel. SSL provides secure data transfer between users’ browsers and the site server, which makes it difficult for attackers to crack the connection or fake your information.
Obtaining an SSL certificate for a WordPress site is quite simple in the control panel of most hosting sites. You can buy a security certificate from companies that provide SSL, or get a free Let’s Encrypt certificate.
As a rule, companies providing hosting services offer a free certificate and renewal Let’s Encrypt.
The presence of an SSL certificate and a secure https connection also affects the ranking in the search engines of your site. Google ranks sites with SSL higher than without it. It will bring more traffic to your website.
Keep track of the quality of user credentials for your WordPress site
If you own a multi-author WordPress blog, multiple users have access to the admin panel. This can make your site potentially more vulnerable than if it had only one administrator.
Change the default WordPress database prefix
When installing WordPress, the system offers to set the prefix for the database tables by default: wp-. We recommend changing the table prefix to your own, unique, different from the default.
Using the default prefix makes the site database vulnerable to SQL injection attacks. You can prevent attacks by assigning your prefix, for example, mywp or wpnew-.
If you have already installed the database with the default prefix on the WordPress site, you can change it using some plugins, such as WP-DBManager or iThemes Security. However, be careful when performing such operations on a working site, and always keep a backup copy of the site and database, and best of all, the user from the hosting control panel. In addition, when creating a site backup, make sure that the data from it can be successfully restored, and you know how to do it. After all, as you know, people are divided into three types: those who do not make backups, those who already make backups, and those who know how to recover from them.
Ban editing files
If users have administrator rights in the WordPress control panel, they can edit any files, including WordPress system files. This also includes plugin and theme files.
If you prohibit editing files, no one will be able to accidentally or intentionally change any of the files – even if the hacker gets administrator access to your WordPress dashboard.
To disable the ability to edit files from the WordPress dashboard, add the following line to the wp-config.php file (at the very end): define (‘DISALLOW_FILE_EDIT’, true).