21+8 Best WordPress Security Tips & Tricks 2020 [UPDATED]


WordPress is one of the most widely used content management systems (CMS) today. With that popularity, its reliability and security have become more problematic over time, and securing it has only grown more complex in 2020. Thanks to the hackers who are ever evolving with new hacks.

There are certain security measures you can take to fix a hacked WordPress site. Our team of WordPress security experts has collected information and data on thousands of websites to present you with the most detailed WordPress security tips to improve the security of your WordPress site in 2020 and prevent it from being hacked.

Download our latest WordPress Security Guide which includes checklists to safeguard your wordpress installation and prevent future hack attempts.

Common WordPress Security Issues

  • Weak Passwords.
  • File Inclusion Exploits.
  • SQL Injections.
  • Brute Force Attacks.
  • Cross-Site Scripting (XSS).
  • WordPress Malware attack.
  • Outdated WordPress, Plugins or Themes.
  • Plugins and Themes from Untrustworthy Sources.

Is your site secure? Let's find out.

WordPress Hacks

Even industry leaders don't always use best practices. Reuters was hacked back in 2012 because it was using an outdated version of WordPress. Check out some of the different types of WordPress hacks below.

WP Backdoor

The aptly named backdoor gives hackers a hidden passage that bypasses normal authentication to gain access to a WordPress website through abnormal methods – wp-admin, SFTP, FTP, etc. Once exploited, it enables hackers to wreak havoc on hosting servers with cross-site contamination attacks, compromising multiple sites hosted on the same server.

Pharma Hacks

This exploit is used to insert rogue code into outdated versions of WordPress and its plugins, causing search engines to return ads for pharmaceutical products when a compromised website is searched for.

Brute-force Attack

Attackers use automated scripts to exploit weak passwords and gain access to your site. Two-step authentication, limiting login attempts, monitoring unauthorized logins, blocking IPs and using strong passwords are some of the easiest and most effective ways to prevent brute-force attacks.

Malicious Redirect Hack

During a WordPress malware redirect hack, a hacker creates backdoors in the WordPress installation using FTP, SFTP, wp-admin or other protocols and injects redirect code into the website. The redirects are often placed in your .htaccess file and other WP core files in encoded form.

To ensure that your site is free from any kind of malware:

>> Scan your site for malware using a WordPress malware cleaner here.

>> Follow these steps to .

WordPress DDOS Attack

Perhaps the most dangerous of them all, a Denial of Service (DoS) attack exploits errors and bugs in the code to overwhelm the memory of the website's operating system via .


21 WordPress Security Tips & Tricks 2020

Listed below are some of the best WordPress security tips you must know to increase the security of your WordPress website in 2019.

1. Cleanup your WordPress installation

Be sure to delete unused copies of WordPress from your server. Unused WordPress themes, plugins, files, etc. should be deleted even if they are not active or not being used.

Try to keep your server clean and follow a simple rule: 'Delete, delete, delete!' the unwanted files or installs.

2. Use Updated WordPress plugins, themes

Maintain safe WordPress themes and plugins. Also, use the proper APIs provided by WordPress.org to avoid direct actions and manipulations.

A user needs to take security into consideration when opting for WordPress themes and plugins.

Approximately 30% of hacks occur for this reason, so it is definitely a good decision to stick with a theme/plugin that is updated in a timely manner.

Also, you must before installing a nulled theme, to ensure that the theme is fully secure and is not compromised in any way.

3. Change WordPress table prefix


For WordPress, the default table prefix is wp_. Everyone is aware of this prefix, and so is the hacker. Changing your table prefix is recommended to make your website more secure and protected from SQL injections.

Just change the table prefix and you will be one step closer to a secure site. With this plug-in you can easily replace the default database prefix with any other prefix in a single click.

4. Use SSH2 (SFTP) connections for WordPress Upgrade

SSH2 (SFTP) connections are much more secure than a regular FTP connection for upgrading your WordPress. The shell method is more secure as it encrypts all data in transit.

You can also use the "SSH SFTP Updater Support" WordPress plugin, which uses phpseclib – the best way to utilize SSH, SFTP, RSA and X.509 in PHP.

5. Use SSL certificate

SSL (Secure Sockets Layer) is one of the best options for users to secure their WordPress admin panel. An SSL certificate for your site makes it difficult for hackers to spoof your information and also affects your WordPress website's Google rankings.

It's really beneficial, as Google recently announced that it uses HTTPS as a ranking signal, so SSL sites are rewarded with higher rankings in search results.

Having SSL installed on your WordPress website allows you to log in securely (via HTTPS). Users can purchase a certificate from a renowned company or ask their hosting provider to set one up.

6. Backup Your WordPress Website

Although backups do not help much in preventing WordPress hacks, they are invaluable for recovering your WordPress website afterwards.

Be sure to back up your site before it's too late, as your entire website content is stored in the database. Users can back up the WordPress database manually or use plugins such as UpdraftPlus.

7. Protect .htaccess

.htaccess is the default name of a directory-level configuration file and is used to specify the WordPress security restrictions for a particular directory.

To secure your blog from hackers, simply place the code below in your domain's root .htaccess file.

# STRONG HTACCESS PROTECTION
# block web access to any file whose name contains .hta (e.g. .htaccess, .htpasswd)
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

8. Secure wp-config.php

The wp-config.php file is the most important file in your website's root directory; it stores the crucial information about your WordPress blog.

Securing wp-config.php means protecting the core of your blog: it becomes much more difficult for hackers to extract information from your site once the file is inaccessible to them.

A user can secure wp-config.php by simply placing the code below in the root directory's .htaccess file.

# protect wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all
</files>

9. Configure .htaccess to prevent directory browsing


Another concern for WordPress security is to stop people from browsing your website's directory structure.

If you are curious what this looks like, just search for 'index of' in Google and it will return a list of websites that allow directory browsing.

To disable directory browsing with .htaccess, add 'Options All -Indexes' to the .htaccess file in your root directory.

10. Protect WordPress admin

The wp-admin directory is one of the major parts of your WordPress website. Any damage to this part may damage your entire site. To protect the WordPress admin section from hackers, password-protect the directory.

WordPress files should be accessed only by you or a designated person. You can restrict access by using .htaccess to allow only specific IP addresses into this directory. Just add the code below to the .htaccess file in the wp-admin folder.

# deny access to wp-admin from everyone except your static IP
Order deny,allow
# replace xx.xx.xx.xx with your static IP (Apache does not allow comments on the same line as a directive)
Allow from xx.xx.xx.xx
Deny from all

Any access from other IPs will be disallowed.

11. WordPress security keys in Wp-config.php

WordPress security keys in wp-config.php are one of the important security measures to keep your blog from getting hacked. The keys in wp-config.php ensure better encryption of user data.

Use the WordPress Key Generator to generate the keys and replace them in the wp-config.php file.

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');

12. Use HTTPS To Log-in Your Dashboard

HTTPS is the secure version of HTTP. When you use HTTPS, your data is sent in encrypted form instead of clear text.

This makes it difficult for hackers to intercept and decode the data (password, user name). Add define('FORCE_SSL_LOGIN', true); to wp-config.php to use HTTPS when logging into your dashboard.

13. Remove Inactive User Accounts

Inactive user accounts may be a security threat to your website. The best thing is to delete inactive user accounts in WordPress.

To do this,

>> Go to your WordPress dashboard >> Click on 'Users'; this takes you to the page where each user is listed >> Delete the ones that are inactive.

14. Use email as login

When you open your WordPress login page you have to input a username to log in to your account. Logging in with an email address instead of a username is the more secure approach to keep your website from being hacked.

This can be done by on the login page.

15. Prevent Script Injection

Users can easily protect their WordPress blog from script injection. Just add the code below to the .htaccess file in your root directory.

This will protect your blog from unwanted modification of _REQUEST and/or GLOBALS.

You can find various tips here.

# protect from script injection and GLOBALS / _REQUEST overrides via the query string
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

16. Strong Passwords

A strong password is the first layer of protection for your WordPress site. Use lowercase, uppercase, special characters and numbers to set a strong password for your account.

You can also use Force Strong Passwords, which enforces strong passwords for users with the publish_posts, upload_files and edit_published_posts capabilities.

Few basic requirements for a strong password:

  • Include numbers, capitals, special characters (@, #, *, etc.)
  • Can include spaces and be a passphrase
  • Change passwords every 120 days, or 4 months
  • Be long (10 characters – minimum; 50 characters – ideal)

17. Restrict Failed WordPress Login Attempts


Restricting the number of failed attempts prevents attackers from using brute force techniques on your WordPress site.

A brute-force attack is an attempt to discover a user's password by trying out each and every possibility. You can add an extra layer of security to your WordPress login page by implementing two-factor authentication in WordPress or adding HTTP authentication.

18. Remove/disguise login error messages

When you enter an incorrect username and password combination on a WordPress login page, the error messages give you hints about what you got wrong.

For example, if you enter an incorrect username AND an incorrect password, the error message says "Error: The username or password you entered is incorrect".

However, if you enter the correct username but an incorrect password, the error message says "Error: The password you entered is incorrect".

That's bad for business. If you're a hacker, you now know that you have a valid username and just need to crack the password. For that reason it's much better to show the first error message all the time: "Error: The username or password you entered is incorrect".

19. Hide WordPress Version number

The WordPress version is placed in your website's page source and can be an easy target for hackers. If your WordPress version is known, hackers can easily build a targeted attack.

Use this WP plugin to remove the WordPress version number from the meta tag, RSS feeds, and JavaScript & CSS parameters for increased security of your WordPress site.

Alternatively, just place this single line in your theme's functions.php:

remove_action('wp_head', 'wp_generator');

20. Change Default WordPress Login/Password


A user may i.e. 'admin' to reduce the chances of a login attempt by hackers. One of the best things to do is to delete the default admin account and create a new custom login for the account. If the password is really strong, your account should be well protected.

21. Block Search Engine Spiders from Indexing the Admin Section:

Search engine crawlers like Google's crawl over your entire blog site and index every piece of content placed there unless they are asked not to. Keep in mind that users do not want their admin section indexed, as all the sensitive information is placed there. One of the easiest ways to prevent crawlers from indexing the admin section is to create a robots.txt file in the root directory. Just place the code provided below in it.

#
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

Additional WordPress Security Tips for Advanced Users – Updated

WordPress Automatic Updates

Automatic updates were introduced in WordPress 3.7, providing minor and security patches of WordPress that can be installed automatically on your website.

Adding the code below to your functions.php file will activate automatic updates of themes and plugins on your site:

add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

Verify updates in a staging environment first

To be on the safe side, it is recommended to always update on a staging site first and verify that the updates work correctly. This is a hassle-free way to ensure no surprise problems arise when updating your live website.

Uninstall inactive plugins and themes

Intruders constantly look for unused data, inactive plugins and themes. Hackers can exploit known vulnerabilities in inactive plugins and themes, and inactive plugins keep receiving update alerts, which is even riskier for a working site.

From now on, we strongly urge you to keep removing inactive plugins and themes.

Use the right (restrictive) file permissions

In WordPress, the administrator can set file permissions to read, write and modify pages, and has the right to restrict access using the internal security provided by WordPress. Strict file permissions signal to hackers that modifying your site is not easy and that no easy technique will work.

File permissions are specified by three numeric digits, where each digit represents a user group and what that group has permission to do.

The first digit from the left is the "user" (or "owner") rights, the second is "group" rights and the third is "others" rights.

Simply put, the higher the number, the more rights the user has. For the interested, here is an explanation of what the different numbers actually mean:

  • 4 = read (r)
  • 2 = write (w)
  • 1 = execute (x)
  • 0 = no permission (-)
  • Read + write + execute = 7
  • Read + write = 6
  • Read + execute = 5

All folders should have 755 or 750.

All files should have 644 or 640, except wp-config.php, which should have either 440 or 400 to prevent anyone else from accessing it.

No folders should ever be set to 777, giving all users full rights. It should never be necessary as the PHP process is run by the file owner, and thus it can write in folders with 755.

Unyielding file permissions are essential in a “shared hosting” environment, where you share a server with other websites. You have to be sure of protecting your files from other users who are sharing web space with you.
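As an added example that is not part of the original post, this POSIX shell script audits a WordPress directory tree against the rules above (755/750 for folders, 644/640 for files, 440/400 for wp-config.php) and can apply the stricter value of each pair. The function names are my own, and the root path is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress tree against
# the permission rules above and optionally apply the recommended modes.
# Needs only POSIX find/chmod/sed; the WordPress root directory is $1.
set -eu

# List every path that breaks the rules, one per line with a category prefix.
# A 777 folder falls into the first category, so it is always reported.
wp_audit_perms() {
    root="$1"
    find "$root" -type d ! -perm 755 ! -perm 750 \
        | sed 's|^|directory not 755/750: |'
    find "$root" -type f ! -name wp-config.php ! -perm 644 ! -perm 640 \
        | sed 's|^|file not 644/640: |'
    find "$root" -type f -name wp-config.php ! -perm 440 ! -perm 400 \
        | sed 's|^|wp-config.php not 440/400: |'
}

# Number of violations, so a cron job or deploy script can fail on non-zero.
wp_perm_violations() {
    wp_audit_perms "$1" | wc -l | tr -d ' '
}

# Apply the recommended modes: 755 for folders, 644 for files, 440 for
# wp-config.php. 777 is never needed: as the post notes, the PHP process
# runs as the file owner and already has write access with 755.
wp_fix_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
    find "$root" -type f -name wp-config.php -exec chmod 440 {} +
}
```

Run `wp_audit_perms /path/to/wordpress` first and review the list before calling `wp_fix_perms` on a production tree.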

Disable the built-in file editor

WordPress comes with its own built-in editor for themes and plugins. The convenience of editing files on your website directly in WP-Admin is bliss, but it can also pose some risks.

When the built-in file editor is enabled, administrators and developers can edit the code in themes and plugins directly in the browser. This poses a security risk because it is prone to mistakes: the entire site might stop working after a change. Besides, it also gives hackers quick access to all files of your website.

Experts recommend disabling this built-in file editor completely and instead editing files over SFTP. The built-in file editor can easily be disabled in wp-config.php by adding the following code snippet:

define( 'DISALLOW_FILE_EDIT', true );

Set a custom database prefix


WordPress database tables start with the prefix wp_. Hackers aware of this target tables with the wp_ prefix. However, if you change the prefix, you can protect your tables from such attacks.

In this way you will no doubt increase the protection level, but changing the prefix, especially for an existing installation, is not risk-free. Thus we recommend changing the prefix only for a new installation of WordPress, and not trying it on an old database.

Change security keys in wp-config.php


WordPress security keys are a collection of randomly generated variables that improve the encryption of data stored in visitors' and administrators' cookies.

The four special security keys are AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY.

During the WordPress installation process these keys are generated randomly for your website. If you move from one web host to another, or if you have taken over your website from another owner, generating new security keys is a good idea.

The keys can easily be replaced at any time. Their main purpose is to provide the login and logout facility of your website. A handy tool on WordPress.org can be used to generate security keys, which you then paste into wp-config.php.

Replacing the security keys in wp-config.php after moving to a new host is a smart choice.
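As an added example serving both this section and tip 11 above, and not part of the original post, this POSIX shell script generates fresh keys locally and swaps them into a wp-config.php file; it also rotates the four matching *_SALT constants that the post does not list, since WordPress reads those alongside the keys. The function names and the 64-character alphanumeric key format are my own choices, not WordPress's; /dev/urandom and a POSIX sed are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): generate fresh WordPress
# security keys and salts and replace them in a wp-config.php file.
# Assumes /dev/urandom and a POSIX sed; works with GNU and BSD userland.
set -eu

# The eight constants WordPress reads from wp-config.php. The post names the
# first four; the matching *_SALT constants are rotated with them.
WP_KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print one 64-character alphanumeric secret. Alphanumerics only, so the
# value is safe inside a single-quoted PHP string and inside the sed
# replacement below (no quotes, slashes, ampersands or backslashes).
wp_random_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
}

# Return 0 if any key/salt still carries the installer placeholder text or
# an empty value (i.e. the file needs rotation), 1 if every one has been set.
# Matches the straight quotes a real wp-config.php uses, not curly ones.
wp_keys_need_rotation() {
    grep -Eq "define\( *'(AUTH|SECURE_AUTH|LOGGED_IN|NONCE)_(KEY|SALT)', *'(put your unique phrase here)?' *\);" "$1"
}

# Replace every key/salt define() in the file given as $1, in place.
# Only lines of the form define( 'NAME', '...' ); (spaces optional) change;
# every other line, such as the DB settings, is left untouched.
wp_rotate_keys() {
    file="$1"
    tmp="$file.tmp.$$"
    cp "$file" "$tmp"
    for name in $WP_KEY_NAMES; do
        key=$(wp_random_key)
        sed "s/define( *'$name', *'[^']*' *);/define( '$name', '$key' );/" \
            "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp"
    done
    mv "$tmp" "$file"
}
```

Rotating the keys invalidates every existing login cookie, so all users (including you) are logged out the next time they load a page.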

Disable XML-RPC in WordPress

WordPress uses the XML-RPC feature to communicate with other systems. In recent years, use of this feature has been steadily declining. In future, it may be completely removed and replaced with WordPress's API instead.

Today, XML-RPC has become a popular "tool" for hackers, as it allows testing hundreds of password combinations with a single command, so its use should be minimized.

You can disable XML-RPC either using a plugin or by pasting this code into your theme's functions.php file:

add_filter( 'xmlrpc_enabled', '__return_false' );

.. or, even better, disable it using .htaccess:

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>


We cannot guarantee that your WordPress blog will not be hacked after implementing the points discussed above, but we assure you that the chances of being attacked by hackers will be minimized. The more you strengthen your WordPress security, the harder it will be for a hacker to get at your information.

Any suggestions?

Any piece of advice related to WordPress security from your side can help others keep their WordPress website from being hacked.

Please use the comment box below to share your thoughts!
