WordPress is one of the most popular content management systems in the world, powering millions of websites. However, with great popularity comes great responsibility: attackers keep evolving new techniques, helped along by new WordPress Google dorks. As a WordPress website owner, it's important to take the necessary steps to secure your site from threats such as hacking, malware, and data breaches. In this article, we'll discuss some essential WordPress security tips to help protect your website and keep your data safe. From basic security measures to advanced techniques, we'll cover everything you need to know to secure your WordPress site.
There are certain security measures you can take to fix a hacked WordPress site. Our team of WordPress security experts has collected information and data on thousands of websites to present you with the most detailed WordPress security tips to improve the security of your WordPress site in 2024 and prevent it from being hacked.
Download our latest WordPress Security Guide, which includes checklists of things you should implement to help protect your website and prevent WordPress hacking attempts in 2022.
Is your site secure? Let's find out.
Even industry leaders don't always follow best practices. Reuters was hacked back in 2012 because it was running an outdated version of WordPress. Check out some of the different types of WordPress security vulnerabilities below.
The aptly named backdoor vulnerability gives hackers hidden passages that bypass normal authentication to gain access to WordPress websites through unusual routes such as wp-admin, SFTP or FTP. Once exploited, WordPress backdoors let hackers wreak havoc on hosting servers with cross-site contamination attacks, compromising multiple sites hosted on the same server.
The WordPress Pharma Hack exploit inserts rogue code into outdated versions of WordPress websites and plugins, causing search engines to return ads for pharmaceutical products when a compromised website is searched for.
Brute-force login attempts use automated scripts to exploit weak passwords and gain access to your site. Two-step authentication, limiting login attempts, monitoring for unauthorized logins, blocking IPs and using strong passwords are some of the easiest and most effective ways to prevent brute-force attacks.
During a WordPress malware redirect hack, a hacker creates backdoors in the WordPress installation via FTP, SFTP, wp-admin or other channels and injects redirection code into the website. The redirects are often placed in your .htaccess file and other WP core files in encoded form.
To ensure that your site is free from any kind of malware:
>> Scan your site for malware using a WordPress malware cleaner here.
Perhaps the most dangerous of them all, a Denial of Service (DoS) vulnerability exploits errors and bugs in the code to overwhelm the memory of the website's operating system, typically via a DDoS attack on WordPress.
Listed below are some of the best WordPress security tips you must know to increase the security of your WordPress website in 2019.
Delete unused versions of WordPress from your server. Unused WordPress themes, plugins, files and so on should be deleted even if they are not active or not being used.
Keep your server clean and follow a simple rule, 'delete, delete, delete', for unwanted files or installs.
Maintain safe WordPress themes and plugins, and use the proper APIs provided by WordPress.org rather than direct actions and manipulations.
Take security into consideration when choosing WordPress themes and plugins.
Approximately 30% of hacks occur for this very reason, so it is definitely a good decision to stick with a theme or plugin that is updated in a timely manner.
Also, check your WordPress theme for malware before installing a nulled theme, to ensure that your theme is fully secure and WordPress theme security is not compromised in any way.
For WordPress, the default table prefix is wp_. Everyone is aware of this prefix, and so is the hacker. Changing your table prefix is recommended to make your website more secure and better protected from SQL injection.
Just change the table prefix and you will be one step closer to a secure site. With this plugin you can easily replace the database's default prefix with any other prefix in a single click.
SSH2 (SFTP) connections are much more secure than a regular FTP connection for upgrading your WordPress. The shell method is more secure because it encrypts all the data transferred.
You can also use the "SSH SFTP Updater Support" WordPress plugin, which uses phpseclib, the best way to use SSH, SFTP, RSA and X.509 in PHP.
SSL (Secure Sockets Layer) is one of the best options for securing a WordPress admin panel. An SSL certificate for your site makes it difficult for hackers to spoof your information and can also improve your WordPress website's Google rankings.
To install an SSL certificate on your WordPress website, you can follow a few simple steps. First, purchase an SSL certificate from a reputable company that provides this service. Next, log in to your website’s hosting provider and navigate to the SSL installation page. Finally, follow the instructions provided to install the SSL certificate on your WordPress website.
Google recently announced that it uses HTTPS as a ranking signal, so SSL-enabled sites are awarded higher rankings in search results.
Installing an SSL certificate on your WordPress website allows you to log in securely via HTTPS. Users can purchase SSL certificates from reputable companies or ask their hosting providers to set it up for them.
Backups will not by themselves undo a WordPress hack, but they are essential for recovering your WordPress website. After a cleanup you might need to restore a WordPress site from backup.
Back up your site before it's too late, as your entire website content is stored in the database. Users can back up the WordPress database manually or use plugins such as UpdraftPlus.
.htaccess is the default name of a directory-level configuration file and is used to specify WordPress security restrictions for a particular directory.
To secure your blog from attack, place the code below in your domain's root .htaccess file.
# STRONG HTACCESS PROTECTION
# blocks direct web access to .htaccess, .htpasswd and any other .hta* file
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order allow,deny
Deny from all
Satisfy all
</Files>
# On Apache 2.4 the equivalent inside the <Files> block is: Require all denied
The wp-config.php file is the most important file in your website's root directory; it stores the crucial configuration of your WordPress blog.
Securing wp-config.php means protecting the core of your blog: it becomes much harder for hackers to extract information from your site once the file is inaccessible to them.
You can secure wp-config.php by placing the code below in the .htaccess file in the root directory.
# protect wp-config.php from direct web access
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>
Another WordPress security concern is preventing people from browsing your website's directory structure.
If you are curious what this looks like, just search for 'index of' in Google and it will list websites that allow directory browsing.
To disable directory browsing with .htaccess, add 'Options All -Indexes' (note the minus sign directly before Indexes, with no space) to the .htaccess file in the root directory.
The wp-admin directory is one of the major parts of your WordPress website. Any damage to this part may damage your entire site. To protect the WordPress admin section from attackers, password-protect the directory. You can also password protect a specific page on a WordPress site.
WordPress admin files should be accessible only to you or to designated people. You can restrict access by using .htaccess to allow only specific IP addresses into this directory. Add the code below to the .htaccess file in the wp-admin folder.
# deny access to wp-admin except from one static IP
Order deny,allow
Deny from all
# replace xx.xx.xx.xx with your static IP address (Apache does not allow a comment on the same line as a directive)
Allow from xx.xx.xx.xx
Any access from other IPs will be disallowed. Note that admin-ajax.php also lives in the wp-admin folder and is used by many themes and plugins on the public front end, so test your site after adding this rule.
WordPress security keys in wp-config.php are one of the important security measures to keep your blog from getting hacked. The keys in wp-config.php strengthen the protection of the user data stored in cookies.
Use the WordPress key generator to generate the keys and replace them in the wp-config.php file.
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
HTTPS is the secure version of HTTP. When you use HTTPS, your data is sent in encrypted form instead of clear text.
This makes it difficult for hackers to intercept and decode the data (password, user name). Add define('FORCE_SSL_LOGIN', true); to wp-config.php to use HTTPS when logging into your dashboard. In current WordPress versions this constant is deprecated in favour of define('FORCE_SSL_ADMIN', true);, which forces HTTPS for both the login page and the whole dashboard.
Inactive user accounts may be a security threat to your website. The best thing to do is delete inactive user accounts in WordPress.
To do this:
>> Go to your WordPress dashboard >> Click on 'Users', which takes you to the page listing each user >> Delete the ones that are inactive.
When you open your WordPress login page you have to enter a username to log into your account. Logging in with a username rather than an email ID is a more secure approach to keep your website from being hacked.
This can be done by setting up WordPress two-factor authentication on the login page.
Users can easily protect their WordPress blog from script injection. Just add the code below to the .htaccess file in the root directory.
This will protect your blog from unwanted modification of _REQUEST and/or GLOBALS via the query string.
You can find various .htaccess hack prevention tips here.
# block script injection and GLOBALS/_REQUEST overrides in the query string
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
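To see what the rules above actually catch, here is an added Python check (not part of the original article) that applies the same three patterns to constructed query strings, mimicking Apache's test against the raw, still percent-encoded QUERY_STRING. It also makes visible that only the first condition carries [NC], so the GLOBALS and _REQUEST conditions are case-sensitive exactly as written.

```python
import re

# The three RewriteCond patterns from the .htaccess snippet, in the order Apache
# evaluates them. Only the first carries [NC] (case-insensitive); the other two
# are case-sensitive, exactly as written in the rule.
APACHE_RULES = [
    (re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE), "script tag in query string"),
    (re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})"), "GLOBALS override"),
    (re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})"), "_REQUEST override"),
]

def matching_rule(query_string):
    """Return the description of the first condition that matches, or None.
    Apache tests the raw, still percent-encoded QUERY_STRING, which is why the
    rule looks for both '<' and '%3C'; we mimic that by not decoding the input."""
    for pattern, description in APACHE_RULES:
        if pattern.search(query_string):
            return description
    return None

def would_be_blocked(query_string):
    """True if the RewriteRule with the [F] flag would answer 403 for this query."""
    return matching_rule(query_string) is not None

# Constructed sample query strings (not captured traffic) to exercise the rules.
SAMPLES = [
    "p=123&s=hello",                        # ordinary WordPress search: allowed
    "s=%3Cscript%3Ealert(1)%3C/script%3E",  # percent-encoded script tag: blocked
    "s=<SCRIPT>alert(1)</SCRIPT>",          # raw upper-case tag: blocked via [NC]
    "GLOBALS[admin]=1",                     # GLOBALS override attempt: blocked
    "_REQUEST=x",                           # _REQUEST override attempt: blocked
    "globals[admin]=1",                     # lower-case: allowed, no [NC] on that line
]

def summarise(samples=SAMPLES):
    """Map each sample to the rule it trips (None means the request is allowed)."""
    return {qs: matching_rule(qs) for qs in samples}

if __name__ == "__main__":
    for qs, hit in summarise().items():
        print(f"{'BLOCK' if hit else 'allow'}  {qs}  {hit or ''}")
```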
A strong password is the first layer of protection for your WordPress site. Use lowercase, uppercase, special characters and numbers to set a strong password for your account.
You can also use Force Strong Passwords, which enforces strong passwords for users with the publish_posts, upload_files and edit_published_posts capabilities.
A few basic requirements for a strong password:
Restricting the number of failed login attempts prevents attackers from using brute-force techniques against your WordPress site.
A brute-force attack is an attempt to discover a user's password by trying every possible combination. You can add an extra layer of security to your WordPress login page by implementing two-factor authentication in WordPress or adding HTTP authentication.
When you enter an incorrect username and password combination on a WordPress login page, the error messages give hints about what you got wrong.
For example, if you enter an incorrect username AND an incorrect password the error message says “Error: The username or password you entered is incorrect”.
However, if you enter the correct username but an incorrect password, the error message says "Error: The password you entered is incorrect".
That's bad for business. If you're a hacker, you now know you have a valid username and only need to crack the password. For that reason it's much better to always show the first, generic error message: "Error: The username or password you entered is incorrect".
The WordPress version number is placed in your website's page source and is an easy target for hackers. If your WordPress version is known, hackers can easily tailor an attack to it.
Use this WP plugin to remove the WordPress version number from the meta tag, RSS feeds, and JavaScript & CSS parameters for increased security of your WordPress site.
Or just place this single line in your theme's functions.php:
remove_action('wp_head', 'wp_generator');
Change the default WordPress login, i.e. 'admin', to reduce the chance of login attempts by hackers. One of the best things to do is delete the default admin account and create a new account with a custom login name. With a really strong password on top, your account is well protected.
Search engine crawlers like Google crawl over your entire blog and index every piece of content placed there unless they are asked not to. Keep in mind that users do not want their admin section indexed, as all the sensitive information is placed there. One of the easiest ways to prevent crawlers from indexing the admin section is to create a robots.txt file in the root directory and place the code below in it. Remember that robots.txt is a request honoured by well-behaved crawlers, not an access control.
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*
Automatic updates were introduced in WordPress 3.7, allowing minor WordPress releases and security patches to be installed on your website automatically.
Adding the code below to your functions.php file will also enable automatic updates of themes and plugins on your site:
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
To be on the safe side, always update on a staging site first and verify that the updates work correctly. This avoids surprise problems when updating your live website.
Intruders are always looking for unused data, inactive plugins and themes. Hackers can exploit known vulnerabilities in inactive plugins and themes. Inactive plugins keep receiving update alerts, which is even riskier for the working site.
We strongly urge you to keep removing inactive plugins and themes.
In WordPress, the administrator can set file permissions to read, write and modify pages, and has the right to restrict access using the internal security provided by WordPress. Strict file permissions signal to hackers that modifying your site is not easy and that no easy technique will work.
File permissions are specified by three numeric digits, where each digit represents a user group and what that group is permitted to do.
The first group from the left is “user” (or “owner”) rights, the second is “group” rights and the third group is “others” rights.
Simply put, the higher the number, the more rights the user has. For the interested, here is an explanation of what the different numbers actually mean:
All folders should have 755 or 750.
All files should have 644 or 640, except wp-config.php, which should have either 440 or 400 to prevent anyone else from accessing it.
No folder should ever be set to 777, giving all users full rights. It should never be necessary, since the PHP process runs as the file owner and can therefore write to folders with 755.
Strict file permissions are essential in a shared hosting environment, where you share a server with other websites. You have to protect your files from the other users sharing web space with you.
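As an added example (not from the article), here is a Python audit that walks a WordPress install and reports every folder or file whose mode is outside the policy above (755/750 for folders, 644/640 for files, 440/400 for wp-config.php, so 777 is always reported), plus a fixer that applies the stricter option. It assumes a POSIX filesystem and builds a constructed, throw-away tree to run against.

```python
import os
import stat
import tempfile

# The article's policy. 777 appears in none of these sets, so it is always reported.
ALLOWED_DIR_MODES = {0o755, 0o750}
ALLOWED_FILE_MODES = {0o644, 0o640}
ALLOWED_WPCONFIG_MODES = {0o440, 0o400}

def allowed_modes(root, path):
    """Return the set of modes the policy permits for this entry."""
    if os.path.isdir(path):
        return ALLOWED_DIR_MODES
    if os.path.relpath(path, root) == "wp-config.php":
        return ALLOWED_WPCONFIG_MODES
    return ALLOWED_FILE_MODES

def audit_permissions(root):
    """Walk an install and list (relative path, octal mode, permitted modes)
    for every entry whose mode is outside the policy."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            permitted = allowed_modes(root, full)
            if mode not in permitted:
                findings.append((os.path.relpath(full, root), oct(mode),
                                 sorted(oct(m) for m in permitted)))
    return findings

def fix_permissions(root):
    """Apply the stricter option (755, 644, or 400 for wp-config.php) to each
    offending entry and return how many were changed."""
    changed = 0
    for rel, _mode, _permitted in audit_permissions(root):
        full = os.path.join(root, rel)
        target = 0o755 if os.path.isdir(full) else (
            0o400 if rel == "wp-config.php" else 0o644)
        os.chmod(full, target)
        changed += 1
    return changed

def build_sample_install():
    """Create a constructed, throw-away tree shaped like a WordPress install with
    two deliberate mistakes: a 777 uploads folder and a world-readable wp-config.php."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    for rel, mode in {"wp-content": 0o755, "wp-content/uploads": 0o777,
                      "wp-includes": 0o750}.items():
        os.makedirs(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    for rel, mode in {"index.php": 0o644, "wp-includes/load.php": 0o640,
                      "wp-config.php": 0o644}.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php\n")
        os.chmod(os.path.join(root, rel), mode)
    return root

def demo():
    """Build the sample tree, audit it, fix it, and audit again."""
    site = build_sample_install()
    before = sorted(rel for rel, _m, _p in audit_permissions(site))
    return before, fix_permissions(site), audit_permissions(site)
```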
WordPress comes with its own built-in editor for themes and plugins. The convenience of editing files on your website directly in wp-admin is bliss, but it also poses some risks.
When the built-in file editor is enabled, administrators and developers can edit theme and plugin code directly in the browser. This is a security risk because it is prone to mistakes; the consequences can be dire, as the entire site might stop working after a change. Besides, it also gives a hacker who gets hold of an administrator account quick access to all files of your website.
Experts recommend completely disabling this built-in file editor and instead editing files over SFTP. The built-in file editor can easily be disabled in wp-config.php by adding the following code snippet:
define( 'DISALLOW_FILE_EDIT', true );
WordPress database tables all start with the prefix 'wp_'. Hackers aware of this try to attack tables with the wp_ prefix. If you change the prefix, you make such attacks harder.
This will no doubt increase the protection level, but changing the prefix, especially on an existing site, is not risk-free. We therefore recommend changing the prefix only for a new installation of WordPress; don't try it on an old database.
WordPress security keys are a collection of randomly generated variables that improve the encryption of data stored in visitors' and administrators' cookies.
Four special security keys are AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY.
During the WordPress installation process, these keys are generated randomly for your website. If you move from one web host to another, or if you have taken over a website from another owner, generating new security keys is a good idea.
The keys can easily be replaced at any time. Their main purpose is to secure the login and logout facility of your website. A handy tool on WordPress.org can generate security keys for you to paste into wp-config.php.
Replacing the security keys in wp-config.php after moving to a new host is a smart choice; it also invalidates all existing login cookies, so every user has to log in again.
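As an added check, written for this article rather than taken from it or from WordPress, the following Python script audits a wp-config.php for the settings covered above: the four named security keys (missing or still set to the installer's placeholder), DISALLOW_FILE_EDIT, FORCE_SSL_ADMIN (or the older FORCE_SSL_LOGIN), and the default wp_ table prefix. The two config excerpts are constructed samples, and the 32-character minimum for a key is an assumption of this script.

```python
import re

# The four keys the article names; the matching *_SALT constants could be added
# to this tuple to check them the same way (assumption, not required by the text).
SECURITY_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDER = "put your unique phrase here"

_DEFINE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
_PREFIX = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")

def parse_defines(config_text):
    """Return {NAME: raw value text} for every define() in a wp-config.php."""
    return {m.group(1): m.group(2) for m in _DEFINE.finditer(config_text)}

def _is_true(defines, name):
    return defines.get(name, "").strip().lower() == "true"

def audit_wp_config(config_text):
    """Return a list of findings; an empty list means every checked setting is in place."""
    defines = parse_defines(config_text)
    findings = []
    for key in SECURITY_KEYS:
        value = defines.get(key)
        if value is None:
            findings.append(f"{key} is not defined")
        elif PLACEHOLDER in value or len(value.strip("'\"")) < 32:  # 32 is our assumption
            findings.append(f"{key} still has a placeholder or short value")
    if not _is_true(defines, "DISALLOW_FILE_EDIT"):
        findings.append("DISALLOW_FILE_EDIT is not true (built-in file editor is enabled)")
    if not (_is_true(defines, "FORCE_SSL_ADMIN") or _is_true(defines, "FORCE_SSL_LOGIN")):
        findings.append("FORCE_SSL_ADMIN is not true (dashboard reachable over plain HTTP)")
    prefix = _PREFIX.search(config_text)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("table prefix is the default wp_")
    return findings

# Constructed wp-config.php excerpts (not from any real site).
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'x6m#V2@!qL9zR4tB8yW1nK0pF7sJ3hD5gC2vA9eU4iO6lM1bN3cX');
define('LOGGED_IN_KEY',   'put your unique phrase here');
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
"""

_K = "A" * 64  # constructed stand-in for a generated 64-character key
HARDENED_CONFIG = f"""<?php
define('AUTH_KEY',        '{_K}');
define('SECURE_AUTH_KEY', '{_K}');
define('LOGGED_IN_KEY',   '{_K}');
define('NONCE_KEY',       '{_K}');
define('DISALLOW_FILE_EDIT', true);
define('FORCE_SSL_ADMIN', true);
$table_prefix = 'site7_';
"""
```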
WordPress uses the XML-RPC feature to communicate with other systems. In recent years the use of this feature has been steadily declining, and in future it may be removed completely and replaced with WordPress's API instead.
Today, XML-RPC has become a popular tool for hackers, so its use should be minimized: it allows hundreds of password combinations to be tested with a single command.
You can disable XML-RPC either with a plugin or by pasting the code below into your theme's functions.php file:
add_filter( 'xmlrpc_enabled', '__return_false' );
... or, even better, disable it using .htaccess:
# block direct access to xmlrpc.php (no space after the comma in Order, or Apache rejects it)
<Files xmlrpc.php>
Order deny,allow
Deny from all
</Files>
One effective security measure for WordPress websites is to install a Google reCAPTCHA plugin. This plugin can help prevent spam and automated attacks from bots on your login page, contact form, and other areas of your website. By adding a layer of security to these vulnerable areas, you can significantly reduce the risk of unauthorized access and potential hacking attempts.
Google reCAPTCHA works by verifying that the visitor is a human rather than a bot through various tests, including image recognition and audio challenges. It is a simple and effective way to enhance the security of your WordPress website and protect it from potential threats.
We cannot guarantee that your WordPress blog will never be hacked after implementing the points above, but we assure you that the chances of being attacked by hackers will be minimized. The more you strengthen your WordPress security in 2024, the harder it will be for a hacker to breach your information.
Any suggestions?
Any advice on WordPress security from your side can help the masses keep their WordPress websites from being hacked.
Please use the comment box below to share your thoughts!