15 Things to Prevent Your WordPress Websites From Being Hacked

Looking at the inventive methods the hackers employ these days, your WordPress website has pretty much chances of being one of those many websites that end up being hacked every single day.

This would mean losing all your investment you put on your website in terms of money and time. Moreover, Google will mark your site dangerous and de-index it to stop it from showing in the search results. More than 30,000 sites that hacked are blacklisted by Google every week in this process.

Although WordPress is regarded as a secured content management system, you can follow some more ways to make it even more secure to rule out the remaining chances of any disaster with your website. We have listed these simple and easy ways that you may implement to keep your website protected from the hackers.

What leads to the hacking of WordPress sites?

WordPress is a highly secured platform, thanks to its regular updates addressing the security risks. If the WordPress site is hacked even then, it is mostly due to the mistakes in user handling of the site. WordPress backed by a competent security team releases the fixes to its loopholes and vulnerabilities as fast as possible, mostly within 24 hours.

Running an un-updated WordPress site is one of the main reasons for it to get hacked. The old WordPress version carries the vulnerabilities that are easily exploited by hackers to gain control of your site.

It is quite easy for hackers to find such WordPress sites. All they have to do is look for the outdated websites with vulnerabilities. Once found, they can plan attacks by targeting the vulnerabilities that the particular version of the WordPress site has in its code.

To deal with this, WordPress security team works day and night to bring latest bug fixes the moment they are found. This comparatively enhances the security of the updated WordPress websites. Failing to update your website regularly, you only increase the risk of it getting hacked in a matter of time.

Furthermore, un-updated themes or plugins on your website are equally capable of putting your website in a dangerous situation.

This makes it necessary to choose your themes or plugins. Use only themes or plugins that come from the reputed developers who keep them updated with their regular vulnerability fixes. Also, avoid using premium themes or plugins obtained from unauthorized sources.

15 Things to prevent your WordPress websites from being hacked

1. Update your WordPress core as its update is released

This is a highly significant move in order to make your website hack-proof. Rest of the things in this article will matter only if you make sure to do this one.

WordPress security team releases updates regularly that you should apply ASAP. Failing to do so only leaves your website weak on the security end.

Although the auto-update feature of WordPress relieves you of the worries of manually updating it on a regular basis, it might sometimes cause harm to your site. The newer update of WordPress may come with the compatibility issues that can, in turn, damage your website.

Therefore, either go for a management service or if you are going to do this by hand, do it in combination with our next tip.

2. Keep your WordPress website backed up regularly

Getting your site hacked is a nightmare, a website owner could ever get. They lose their hours of hard work and money they invested in it.

Regular backups save you from losing your digital content of your website. You can restore them with ease if unfortunately, your WordPress internet site gets hacked.

While the managed hosting will keep you reliably and regularly backed up automatically, a regular hosting requires you to go for the dedicated backup plugins rather than leaving it to your web hosts or luck. The automatic backup services provided by your web host are not always efficient and sometimes can make a mess of your site.

Either update your WordPress website manually or install a plugin, for instance: BackupBuddy, UpdraftPlus or BackWPUp and set them to back up your website automatically. When required, these backups can be easily stored with a click.

3. Set your username other than ‘admin.’

This noob mistake could be given the place next to the mistake of keeping your password as ‘password.’ By keeping your username as ‘admin,’ you have made it 50% easier for the hackers to hack your website. Now they have just to figure out your password to take control of your site.

Be smart, keep a username which is unguessable, or, you can also include the numbers. Make it strong and don’t forget it.

4. Rename wp-admin directory of your WordPress website

Your WordPress internet site keeps its dashboard in the wp-admin directory. Its default URL is:

http: //your-site.com/wp-admin

Being a default URL, a hacker can easily use it to reach your login panel. The things become easier for him from there.

With an entry to your dashboard, the hacker can delete your website content, or change its appearance, or inject any exploit code into themes or plugins.

By renaming the admin directory, you make it challenging to locate the login panel and thereby your WordPress dashboard.

Other than renaming wp-admin directory, you also need to rename wp-login.php file.
The ‘Protect Your Admin’ plugin helps in renaming your URL. Once installed, you can change your default wp-admin URL with a custom URL. You can also rename this file- wp-login.php. Just include some randomized words and make it stronger.

5. Protect your wp-admin directory with a password

Being an extremely sensitive URL, the wp-admin directory is the location of your WordPress website files and is also the location of your admin panel. This is usually a primary target for hackers.

Your Apache server has a built-in password protection feature for your directory that you may employ to beef up its security.

Simply install ‘AskApache Password Protect.’ The plugin creates ‘.htpasswd file’ that adds an extra authenticating panel to your admin login panel. Thereafter, you can log in with an extra username plus password.

6. Change the default table prefix

The WordPress database tables use the prefix that you choose while installing WordPress. With the exact names of these tables, a hacker can easily exploit your database’s data. The prefix of database tables, being the default, is quite easy to guess.

So, use a table prefix that is unique and contains numbers and letters both, you can make your WordPress website even more unhackable.

You can either modify it when you are installing the fresh WordPress or can use ‘WP DB Manager’ if you already have a WordPress site. With this free plugin, you can easily rename your table prefix from default to your desired one.

7. Disable the File Editing feature in your WordPress website Dashboard

The ‘File editing’ functionality comes handy at times when you need some editing done, without having to go all the way to your cPanel. It is quite a convenient feature but may also become a risk factor for your site.

With just getting into your site dashboard, a hacker can inject exploit or vicious code into the themes or plugins using this file editing feature.

By disabling this feature, you can modify your WordPress website files using FTP only and thus increase your WordPress website security.

Insert the code written in wp-config.php file, at the end:
define(‘DISALLOW_FILE_EDIT’, true);

8. Limit your login attempts

By default, WordPress lets you attempt logins for unlimited times. A hacker could use this liberty in combination with the Brute force attacks to zero in on your username & password.

What the brute-force does is, it guesses from random combinations of usernames and passwords until it finds the ones that work.

When you limit the login attempts, the brute force method doesn’t get the opportunity to try on those numerous combinations and therefore is a great way to make your WordPress security strong.

Use ‘Login Lockdown’ plugin that limits the login attempts and blocks the user after it has made unsuccessful login efforts for specific times. This will make your site safe from brute-force attacks.

9. Keep a strong password

It is the fundamental thing one can do to fortify the security of their WordPress website, but still, people lack in it.

Not only WordPress but also the accounts on social media networks such as Twitter, LinkedIn, and Facebook get hacked due to weak passwords. Weak passwords could be guessed easily either manually or by using a computer with brute-force tools.

A good password is one that contains more characters in combination with the special characters. You can use Password Generator tool to bring forth one that is insanely strong. It gives you a long and complex hard-to-crack password.

Although this tool generates strong passwords, it can be quite challenging to memorize them due to their complexity. So, try using LastPass that saves your password and lets you log in with ease on all your devices without having to remember those complicated passwords.

10. Keep your wp-config.php hidden

Wp-config file containing all the sensitive information about your WordPress website is the most important file. With this file in the hands of the hackers, they can use it to change or delete the content on your WordPress website.

Although this file is highly secured already, it should be moved from the public directory to rule out that last possibility of it getting hacked.

Public directory houses all the user accessible files such as posts, images, pages and login page. By default public directory named ‘public_html’ contains this data.

By moving the wp-config file to another location preferably in the folder other than ‘public_html’ directory, it makes it tough to find it.

11. Use additional security layer; two–factor authentication (2FA)

2FA enhances the security level and is used at almost all of the platforms nowadays.

Working of 2FA: when you enter the credentials, you are sent a random code on your phone that you need to enter to log in.

So with a double layer of security of password and a random code or barcode, the Two-Factor authentication secures your account more efficiently.

With 2FA, even if the hacker manages to guess your password, he would never get through accessing your account without entering that random code.

This free Google Authenticator (unofficial) plugin adds 2FA to your WordPress website.

 

12. Choose a trustful web hosting provider

While all of the hosting providers claim to be extremely secure, most of them are not. There have been cases when even the web hosting companies claiming to be high on security got hacked. As a result, the sites hosted on those hosting services got easy to be accessed by a hacker.

Once the hacker hacks your web-hosting server, all the data of your website is in their hands to use as they wish, and deleting all of it is also one of the options for them.

It, therefore, becomes essential to invest in the web host that has a good reputation and has implemented advanced security measures.

13. Deactivate the PHP Error Reporting feature

PHP Error reporting is a great way for the developers to detect vulnerabilities in their programs. The downside of it is that PHP Error reporting creates a detailed report that if gotten into the hands of a hacker, can be used to gain control of your servers. Therefore, make these changes to avoid your WordPress from being hacked:

• Disable PHP error reporting in the production server setting.
  Most of the web hosts disable PHP error reporting already, but many don’t. You will need to disable it manually:
• Create php.ini file (or you can edit the existing one) in root public directory.
• Place this code line into that php.ini file: error_reporting = off
• This will easily disable the PHP Error reporting feature for your website.
  

  Source-www.sitepoint.com

14. Use your email to log in to your WordPress dashboard

WordPress lets you log in with both username and email. Username being shorter is easier to guess compared to the email address. An email with its more characters makes the guesswork difficult.

Use this free plugin- Email Login. After this plugin is activated, you and your users can log in with email on your WordPress website.

15. Conceal the variant of your WordPress

Once a hacker gets to know your WordPress variant, he can easily tailor-made attacks for your WordPress website targeting the vulnerabilities that your version of the WordPress has. The vulnerabilities for each version are all documented and could be found easily.

Even though you update your WordPress regularly, it is still an excellent move to conceal the version number of your WordPress.

With this code, you can easily hide your WordPress variant (Credit: WPMU DEV). Place the following code in this file of your theme- functions.php, at the end.

/* Hide WP version strings from scripts and styles
* @return {string} $src
* @filter script_loader_src
* @filter style_loader_src
*/
function fjarrett_remove_wp_version_strings( $src ) {
global $wp_version;
parse_str(parse_url($src, PHP_URL_QUERY), $query);
if ( !empty($query[‘ver’]) && $query[‘ver’] === $wp_version ) {
$src = remove_query_arg(‘ver’, $src);
}
return $src;
}
add_filter( ‘script_loader_src’, ‘fjarrett_remove_wp_version_strings’ );
add_filter( ‘style_loader_src’, ‘fjarrett_remove_wp_version_strings’ );

/* Hide WP version strings from generator meta tag */
function wpmudev_remove_version() {
return ”;
}
add_filter(‘the_generator’, ‘wpmudev_remove_version’);

Conclusion

These were easy to use & follow tips that will hardly take few minutes for their implementation. The security of your website shouldn’t be overlooked, especially if your site is the main source of your earnings. Try these tips now and improve the security of your WordPress website to protect it from the hackers.

Did you get your website hacked ever?

What other tips you have or tricks that you want to share with us? Post your comments down below.

Good Luck!