Ultimate WordPress Security – TOP 20 Tips To Make Your WP Site Hacker-Proof
Why You Need To Secure Your Membership Site IMMEDIATELY After Reading This Lesson
As a website owner, the security of your WordPress site must be one of your top priorities. Don’t wait until one of your websites gets hacked and then panic and put all the blame on your hosting. It is YOU who needs to be aware of the WordPress security measures for your site, even before WordPress is installed.
“By failing to prepare, you are preparing to fail.” – Benjamin Franklin
Today we will walk you through every practical precaution for making your WordPress site hacker-proof. But before doing so, let’s discuss a few of the ways you can be hacked. WordPress is the most powerful platform on the Internet and the most user-friendly one for creating a beautiful website, but it is also very popular among hackers and spammers.
If you think your site is immune to hackers and spammers just because it is small and has low traffic, think again. As soon as you become visible to the search engines, your site becomes a target for hackers and spammers, who constantly run automated tools to get into your server, send spam emails, build spammy backlinks and so on, UNLESS you do something about it.
Here’s How You Can Be Hacked:
- Security issues within your hosting platform cause most WordPress attacks. Hackers can use many techniques, but the most popular one is SQL injection. This method lets the attacker compromise your database, enabling him to change your data (your password, for example) or even delete all of it (every post and page).
- Another big WordPress security hole is the themes and plugins you are using. Be extremely careful with your themes and plugins, especially if you are using a pirated or nulled version. Hackers can leave a backdoor somewhere in the code of a nulled plugin or theme that lets them get into your website later. Make sure to install only trusted plugins and themes with good reviews on your WordPress site. If you use only the themes and plugins we recommend and cover in our Academy, then you are good to go!
- The third way to end up hacked is using a weak password. Today hackers have many automated tools that try every possible password combination until they gain entry; this method is called brute force. That’s why you should use only strong passwords with letters, numbers and special characters.
We know that reading this article will take a small portion of your time, but make sure to read it through to the end. We guarantee it will be worth it.
TOP WordPress Security Tips For 2020
The proverb “Better safe than sorry” applies here as well. We have now come to the part where we do our best to help you make your site hacker-proof from the very beginning. Follow our simple prevention tips and you will have almost NOTHING to worry about concerning your WordPress security (regardless of how paranoid you are)…
Tip #1: Choose a Reliable And Secure Hosting Company
We mentioned the SQL injections that are related to your hosting company. Security vulnerabilities within your hosting platform cause over 40% of attacks. Not all hosting companies are created equal; that’s why you shouldn’t rush and buy the cheapest one you can find (that’s a rookie mistake!). You are building a serious online business, and you need a well-established hosting company with excellent reviews and proven security measures. It’s always better to pay a little extra and sleep better knowing your site is in safe hands.
Also, you will save a lot of nerves by NOT dealing with lousy customer support (the nightmare of every web owner). Look for these security measures from your hosting provider:
- Latest PHP and MySQL versions
- Web Application Firewall
- Malware scanning and intrusion detection
- Account isolation
- Professional technicians always ready to assist you with important WordPress security issues
Please follow our Hosting Lab Analysis for recommended hosting companies for your membership website!
Tip #2: Themes, Plugins And Being Up To Date
As recent research has shown, it’s better to avoid free themes if possible, especially if they are not built by a trustworthy developer. Also, avoid nulled themes! The main reason behind this is that such themes often contain base64-encoded code, which is a sneaky way to hide backlinks, backdoors or other malicious code that can cause severe damage to your site. In case you MUST use a free theme:
- First, read our lesson about using a free WP theme.
- Make sure it is available in the WordPress theme repository.
- It is developed by a trusted developer or company.
- It has positive ratings.
- It is regularly updated.
Before activating a theme, we recommend running the Theme Check plugin to test it against the latest WordPress standards and practices.
The same applies to plugins. Make sure to install plugins that are listed in the WordPress.org plugin repository, have many positive reviews and are built by a reliable developer. Also, NEVER trust nulled plugins!
We can’t stress enough how IMPORTANT it is to keep your theme, all of your plugins and the WordPress core files updated to their latest versions. It is one of the most effective ways to keep your WordPress site hacker-proof. Make a habit of always checking the orange notification that appears when a new update is available. Don’t just ignore the ‘Please update now’ messages. Log in to your Dashboard often and keep the WordPress core files on the latest version. By doing so, your site is much less likely to get compromised.
Deactivate and remove old and unused plugins. With outdated plugins, you are exposing yourself to an unnecessary security risk. It is also a good idea to subscribe to the WordPress Releases RSS feed.
Tip #3: Username “admin” with password “123456” – Terrible Combination!
As we mentioned, hackers use brute force, which consists of repeated login attempts combining the username “admin” with common passwords like “password” or “123456”. If you find your password among those WORST common passwords, then change it immediately!
So don’t EVER use “admin” as your username, and PLEASE strengthen your password with letters, numbers and special characters if you don’t want your site to be vulnerable to malicious attacks. Use common sense and pick something less obvious. If you have already installed your site with the “admin” username, just create a new user with a different username and give it the Administrator role.
Go to Users -> Add New. After that, simply delete the original admin user and, when WordPress asks, attribute all of its posts/pages to your newly created user. It’s a simple trick, but it may save your website.
Tip #4: Limit Login Attempts – No More Brute Force Attacks!
Another way to prevent brute force is to limit the number of login attempts from a single IP address.
One way of doing so is to use the AIO security plugin All In One WP Security & Firewall, which includes a login security mechanism to lock out brute force attempts and stop WordPress from revealing information that could compromise your site.
Another plugin specially designed for this purpose is Limit Login Attempts. As the name implies, the plugin does just that, allowing you to specify how many retries are permitted and how long an IP will be locked out after too many failed login attempts.
The third option for limiting login attempts is the plugin Login LockDown. With this plugin, you can restrict the number of login attempts from a given IP range. Don’t wait until something terrible happens. Choose and install your favorite plugin for limiting login attempts TODAY. What is great about these plugins is that they keep track of the IP address of anyone who fails a login attempt. Later you can use this information to block those addresses from your website using the .htaccess technique that we describe later in this article.
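To show the mechanism these plugins implement, here is an added example of a minimal must-use plugin that locks an address out after repeated failures. It is not code from the article or from any of the plugins named above; the limits, the `lal_` prefix and the file name are assumptions.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 * Description: Locks an IP address out after repeated failed logins.
 * Save as wp-content/mu-plugins/login-attempt-limiter.php (assumed file name).
 */

// Assumed limits; tune them for your site.
define('LAL_MAX_ATTEMPTS', 5);
define('LAL_LOCKOUT_SECONDS', 15 * 60);

/** The address a failed attempt is counted against. */
function lal_client_ip(): string {
    // REMOTE_ADDR is the TCP peer. Behind a reverse proxy or CDN (Cloudflare, for
    // example) every visitor shares the proxy's address, so there you must read the
    // proxy's forwarded-address header instead, and trust it only from the proxy.
    return (string) ($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
}

/** Transient key holding the failure counter for one IP. */
function lal_counter_key(string $ip): string {
    return 'lal_failed_' . md5($ip);
}

// Count each failed login; the counter expires on its own after the lockout window.
add_action('wp_login_failed', function (string $username): void {
    $key      = lal_counter_key(lal_client_ip());
    $attempts = (int) get_transient($key) + 1;
    set_transient($key, $attempts, LAL_LOCKOUT_SECONDS);
});

// Once the limit is reached, reject authentication for the rest of the window.
// Priority 100 runs after WordPress's own username/password check, so a correct
// password cannot override the lockout. The rejection itself also fires
// wp_login_failed, which keeps extending the lockout while attempts continue.
add_filter('authenticate', function ($user, string $username, string $password) {
    $attempts = (int) get_transient(lal_counter_key(lal_client_ip()));
    if ($attempts >= LAL_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts from your address. Please try again later.'
        );
    }
    return $user;
}, 100, 3);

// A successful login clears the counter for that IP.
add_action('wp_login', function (string $user_login, WP_User $user): void {
    delete_transient(lal_counter_key(lal_client_ip()));
}, 10, 2);
```

Because the check sits on the `authenticate` filter, it also covers logins made through XML-RPC, which go through the same `wp_authenticate()` path as the login form. The counter is per address, so an attacker cycling through many addresses is not slowed much; that is where the hosting firewall from Tip #1 earns its keep.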
Tip #5: Hiding wp-config.php And .htaccess – Always A Good Idea
Go to SEO -> Tools -> Files Editor and find the .htaccess file. You need to add the following code to protect the wp-config.php file from being accessed:
To prevent access to the .htaccess file itself, you need to use this similar code:
It is very easy to make those changes, and since we are in the .htaccess file now, let us show you how to restrict access to your WordPress login form.
Just change the xxx to your IP address and ONLY you will have access to your WP login.
Tip #6: Disable File Editing
Just in case, it’s a good idea to disable file editing once you have finished developing your site. The idea is to remove access to Appearance -> Editor in case a hacker manages to enter your WordPress admin dashboard. All you need to do is add the following code to your wp-config.php file:
Tip #7: Change Default wp_ Database Prefix
We know that by reading this far you have become “security-smart” and from now on you won’t leave the default wp_ prefix for your database when installing a new WordPress site. It is a very predictable prefix (since it is the default), and your database is very vulnerable when using the wp_ prefix. But if you have already installed your site with the default wp_ database prefix, we have a quick solution for you. You don’t need to make all the changes manually from phpMyAdmin. Just install the iThemes Security plugin, which has an integrated tool for changing the database prefix, and your job for this WordPress security measure is DONE.
Tip #8: Use Correct File Permissions
When you buy hosting, you are given cPanel access straight away. From there (File Manager) you can easily reach your WordPress installation and all folder and file permissions. It can also be done through your FTP client. By changing the permission values, you can limit access to your files and folders. You can find an excellent in-depth explanation of file permissions in the WordPress Codex. It is very important to configure the file permissions CORRECTLY!
Common sense says that if you allow everything to be readable, writable and executable by everyone (777), then someone can easily modify a WP file and cause tremendous damage to your site. According to the official WordPress documentation, you should use the following permissions on a WordPress website:
- All directories should be 755 or 750
- All files should be 644 or 640
- wp-config.php should be 600
Just remember to NEVER give full access to everyone (777); a common mistake is to set the uploads folder with those permissions. If you are not sure how to set your WordPress file permissions properly, ask your host to check them for you.
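Before asking your host to change anything, it helps to know exactly which entries deviate. The following is an added example (not from the article) of a read-only audit script that walks an installation and reports every file or directory whose mode is not one of the values listed above. The script name and path are assumptions; it changes nothing.

```php
<?php
// Added example: read-only permissions audit for a WordPress tree.
// Run on the server from the command line, e.g.
//   php audit-permissions.php /home/account/public_html   (path is an assumption)

$root = rtrim($argv[1] ?? getcwd(), '/\\');

// Accepted modes, straight from the tip above.
$allowedDirModes  = [0755, 0750];
$allowedFileModes = [0644, 0640];
$wpConfigMode     = 0600;

$iterator = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::SELF_FIRST
);

$problems = 0;
foreach ($iterator as $path => $info) {
    $mode = $info->getPerms() & 0777;   // keep only the rwx bits for owner/group/other

    if ($info->isDir()) {
        $ok = in_array($mode, $allowedDirModes, true);
    } elseif ($info->getFilename() === 'wp-config.php') {
        $ok = $mode === $wpConfigMode;
    } else {
        $ok = in_array($mode, $allowedFileModes, true);
    }

    if (!$ok) {
        // World-writable entries (the "777" mistake) are the dangerous ones, so flag them.
        $flag = ($mode & 0002) ? 'WORLD-WRITABLE' : 'unexpected';
        printf("%04o  %-14s %s\n", $mode, $flag, $path);
        $problems++;
    }
}

printf("%d entr%s need attention under %s\n", $problems, $problems === 1 ? 'y' : 'ies', $root);
exit($problems > 0 ? 1 : 0);
```

The non-zero exit status makes the script usable from a cron job that mails you when something drifts, for instance after a plugin installs itself with loose permissions.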
Tip #9: Consider Adding Two-Step Verification
Yes, we know that a two-step login process can be a little bit frustrating. However, it is one of the most effective ways of preventing unauthorized access to your website. It is a trend among the big companies today (Gmail, Hotmail, PayPal) to provide extra security when logging in from an unknown device/browser, so it is an excellent idea to implement the same thing on your WordPress site.
This two-step login authentication process will make it tough for hackers to access your website through a brute force attack. Our list of recommended free authentication WordPress plugins includes:
- Google Authenticator – You can use this plugin for two-factor authentication with the Google Authenticator app for Android/iPhone/Blackberry. You add the secret key to the app by scanning a QR code (or typing the key in), and the app then generates the codes you enter at login.
- Stealth Login Page – The plugin works with a secret login authorization code that is requested on the WP login page.
- Duo Two-Factor Authentication – The plugin works on the same principle as Gmail, offering multiple ways to verify access to your website, including a mobile phone application, an SMS or a phone call.
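To make clear what the secret key and the six-digit codes actually are, here is an added example (not the article's code and not taken from any of the plugins above) of the TOTP algorithm those authenticator apps implement: RFC 6238 on top of HOTP (RFC 4226). The function names are assumptions; it runs as plain PHP with no WordPress dependency and checks itself against the RFC test vector.

```php
<?php
// Added example: the TOTP algorithm behind Google Authenticator-style apps.
// The "secret key" in the QR code is a base32 string; the app and the server derive
// the same six-digit code from that secret and the current 30-second time step.

/** Decode the base32 secret the authenticator app received (padding and spaces allowed). */
function example_base32_decode(string $encoded): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $encoded  = strtoupper(str_replace([' ', '='], '', $encoded));
    $bits = '';
    foreach (str_split($encoded) as $char) {
        $value = strpos($alphabet, $char);
        if ($value === false) {
            throw new InvalidArgumentException("Invalid base32 character: $char");
        }
        $bits .= str_pad(decbin($value), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {
            $bytes .= chr(bindec($byte));
        }
    }
    return $bytes;
}

/** HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then "dynamic truncation". */
function example_hotp(string $secret, int $counter, int $digits = 6): string {
    $hash   = hash_hmac('sha1', pack('J', $counter), $secret, true); // 20 raw bytes
    $offset = ord($hash[19]) & 0x0F;
    $binary = ((ord($hash[$offset]) & 0x7F) << 24)
            | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8)
            |  ord($hash[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** TOTP: HOTP with the counter set to the current 30-second time step. */
function example_totp(string $secret, int $unixTime, int $step = 30, int $digits = 6): string {
    return example_hotp($secret, intdiv($unixTime, $step), $digits);
}

/**
 * Server-side check. Accepts the current step and one step either side to absorb
 * clock drift, and compares in constant time. A real implementation must also
 * remember the last step accepted for this user and refuse to accept it twice.
 */
function example_verify_totp(string $secret, string $submitted, int $unixTime, int $window = 1): bool {
    $submitted = (string) preg_replace('/\s+/', '', $submitted);
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(example_totp($secret, $unixTime + $i * 30), $submitted)) {
            return true;
        }
    }
    return false;
}

/** Self-check against the RFC 6238 test vector: secret "12345678901234567890", time 59. */
function example_self_test(): bool {
    $secret = '12345678901234567890';
    return example_totp($secret, 59) === '287082'
        && example_verify_totp($secret, '287082', 59 + 30)    // one step late: inside the window
        && !example_verify_totp($secret, '287082', 59 + 120); // four steps late: rejected
}

// A base32 secret as an authenticator app would store it (constructed sample value).
$appSecret = example_base32_decode('JBSWY3DPEHPK3PXP');
printf("self-test %s, current code for the sample secret: %s\n",
    example_self_test() ? 'passed' : 'FAILED',
    example_totp($appSecret, time()));
```

Two things follow from the algorithm that matter when you pick a plugin: the secret must be stored at least as carefully as a password hash (anyone who reads it can generate codes), and a code is only "one-time" if the server refuses to accept the same time step twice, which is why the verify function above says so explicitly.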
Tip #10: Hide Your Login Page And Enhance Your WordPress Security
Hackers are very familiar with the default login page for entering the WordPress Dashboard. You are not the only one who knows that the login to your site is reached by following the default paths (wp-login.php and the wp-admin directory):
So by using our common sense again, we can conclude that actually moving the login location will make a hacker’s life harder. Here are our tested solutions for hiding your login page:
- Rename wp-login.php – A multisite-friendly plugin that allows you to change your login page. Once activated, the wp-admin directory and the wp-login.php page will no longer be accessible. Note that the code you entered previously in the .htaccess file WON’T work now. You need to change the name of the wp-login file in .htaccess to match the new login name you entered here.
- Lockdown WP Admin – This is another useful plugin for hiding your admin area and login page.
You also have this option in iThemes Security plugin.
If you manage a lot of websites and accidentally forget your new login URLs, you can revert them BACK to the default by deactivating the plugin. You can deactivate the plugin simply by renaming its folder under wp-content -> plugins using your cPanel File Manager or your FTP client. The other option is to delete the plugin and reinstall it once you have logged back into your website.
Tip #11: Hide Login Page Error Messages
Something else the general public shouldn’t be able to see is the error feedback on your login page. You need to replace that feedback so it stops giving away clues about valid logins. Go a step further and hide whatever DOESN’T need to be seen by the general public.
The logic is simple. When you try to log in and something doesn’t add up, WordPress gives you a warning such as “your username or password is incorrect”.
Although this is helpful for you and your members, it can also be very useful to hackers, who can use the warning information to plan an intrusion into your site. This WordPress security measure can easily be achieved by adding this simple code to your theme’s functions.php file:
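As an added example (not the article's own snippet), this is the filter a practitioner would use for the job. The wording of the replacement message is an assumption.

```php
<?php
// Added example: replace every WordPress login error with one generic message.
// Put it in your theme's functions.php, or in a file under wp-content/mu-plugins/
// so it survives a theme change.

// By default WordPress answers differently for an unknown username and for a wrong
// password, so each failed attempt confirms whether that username exists. The
// 'login_errors' filter receives the error text shown on wp-login.php (for the login
// form and for the lost-password form alike) and lets us hide that detail.
add_filter('login_errors', function (string $errors): string {
    return 'Login failed. Please check your username and password and try again.';
});
```

Note the trade-off: a member who simply left the password field empty now gets the same message as a wrong password. Also, hiding the message only helps if usernames are not disclosed elsewhere, for instance through author archive URLs or the REST API's users endpoint, so check those too.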
Tip #12: Remove The WordPress Version Number
Sneaky hackers always have some tool in their toolbox for finding your WordPress version number. We HIGHLY advise you to hide it completely, especially if you are running an older version of WordPress, which may have known security holes.
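The version is printed in more than one place, so here is an added example (not from the article) that removes it from each of them. It goes in functions.php or a must-use plugin; the function name is an assumption.

```php
<?php
// Added example: strip the WordPress version number from the places it is exposed.

// 1. The <meta name="generator"> tag in the page <head> and the <generator> element
//    in RSS/Atom feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 2. The "?ver=<WordPress version>" query string that wp_enqueue_script() and
//    wp_enqueue_style() append to core assets when no asset version is given.
function example_strip_core_version(string $src): string {
    $core_version = get_bloginfo('version');
    if ($core_version !== '' && strpos($src, 'ver=' . $core_version) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'example_strip_core_version');
add_filter('script_loader_src', 'example_strip_core_version');
```

Treat this as hygiene rather than protection: the readme.html file in the site root still states the version unless you delete it, and scanners can fingerprint a version from the contents of core files anyway. The measure that actually closes the holes is keeping up to date (Tip #2).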
Tip #13: Use SSL certificate
The most popular websites, like Facebook, Twitter or Google, use SSL certificates. You can see HTTPS in front of the link in your address bar; it indicates that the connection between your browser and the site is encrypted. Starting from 2019, your WordPress membership site MUST have an SSL certificate.
The good news is that you can even get a FREE SSL certificate from your hosting, or you can set one up for free through Cloudflare.
Once your certificate is installed, the transition of your site from HTTP to HTTPS can easily be done using one of the following plugins:
Choose your favorite plugin and move to the next step.
Tip #14: Force SSL Usage
You’ve already installed the SSL certificate, and now you need to open the wp-config.php file and add the following code:
By using HTTPS for your login area, you are adding another layer of security to your WordPress site.
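The following added example (not the article's own snippets) gathers both wp-config.php changes from this article, the one from Tip #6 and the one from Tip #14, and adds the proxy handling that is needed when the certificate lives on Cloudflare rather than on your own server. The proxy address is a placeholder.

```php
<?php
// Added example: wp-config.php additions for Tip #6 and Tip #14.
// Place these lines ABOVE the line that begins "/* That's all, stop editing!"
// so they are defined before WordPress loads.

// Tip #6: remove the theme and plugin file editors from the dashboard, so an attacker
// who reaches the admin area cannot drop PHP into your theme from there.
define('DISALLOW_FILE_EDIT', true);

// Tip #14: serve the login form and the whole admin area over HTTPS only.
define('FORCE_SSL_ADMIN', true);

// If TLS terminates at a proxy or CDN (for example Cloudflare in front of a plain-HTTP
// origin), PHP never sees an HTTPS connection itself and FORCE_SSL_ADMIN would redirect
// forever. The proxy announces the visitor's real scheme in X-Forwarded-Proto; honour
// it ONLY when the request really came from the proxy, otherwise any visitor could claim
// to be on HTTPS and defeat the redirect.
$trusted_proxy_ips = ['203.0.113.10']; // placeholder: your proxy's address(es)
if (
    isset($_SERVER['HTTP_X_FORWARDED_PROTO'], $_SERVER['REMOTE_ADDR'])
    && in_array($_SERVER['REMOTE_ADDR'], $trusted_proxy_ips, true)
    && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https'
) {
    $_SERVER['HTTPS'] = 'on';
}
```

If your certificate is installed on the server itself, the proxy block is unnecessary and the two `define()` lines are all you need.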
Tip #15: Use Secure FTP
Hackers attack your FTP connection as well. If you transfer files to your site over FTP, make sure to ONLY use a secure transfer protocol (SFTP or FTPS) in a client that supports it, such as FileZilla.
Tip #16: Disable XML-RPC
XML-RPC is, by definition, a remote procedure call (RPC) protocol that uses XML to encode its calls and HTTP as a transport mechanism. Since WordPress 3.5, XML-RPC has been enabled by default. This mechanism allows you to connect remotely via blogging clients. It is mostly used for trackbacks and pingbacks.
Trackbacks and pingbacks are methods for alerting blogs that you have linked to them. Unfortunately, hackers use this mechanism for DDoS attacks. If you don’t like the idea of using trackbacks and pingbacks, and you don’t want to risk this potential threat, then we have the perfect plugin for you: Disable XML-RPC Pingback.
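Here is an added example (not the plugin's code) showing the two choices a site owner has: remove only the pingback methods, which is what the plugin named above does, or switch XML-RPC off entirely. The constant name is an assumption.

```php
<?php
// Added example: tame or disable XML-RPC. Use as a must-use plugin or in functions.php.

// Set to true if no remote publishing client or mobile app needs XML-RPC at all.
define('EXAMPLE_DISABLE_XMLRPC_ENTIRELY', false);

if (EXAMPLE_DISABLE_XMLRPC_ENTIRELY) {
    // Every XML-RPC call is answered with a "services are disabled" fault.
    add_filter('xmlrpc_enabled', '__return_false');
} else {
    // Keep XML-RPC for remote publishing but drop the pingback methods. pingback.ping
    // makes the server fetch a caller-supplied URL, which is the behaviour abused in
    // the DDoS attacks mentioned above.
    add_filter('xmlrpc_methods', function (array $methods): array {
        unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
        return $methods;
    });
}

// Stop advertising the endpoint: the X-Pingback response header and the RSD <link>
// in <head> both point at xmlrpc.php.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');
```

Keep in mind that even with pingbacks removed, the remaining XML-RPC methods accept a username and password, so a lockout that only watches the login form does not cover them; the limiter example under Tip #4 hooks `authenticate` precisely so that it does.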
Tip #17: WordPress Security Gem – Make Back-Ups Regularly
By now your website is hardened to a great extent, but you still have no 100% guarantee that some dangerous hacker won’t compromise it. That’s why you need to keep backups on a regular basis. It is VERY important! Don’t wait until it is too late. Your hosting company may keep backups, but it is not recommended to ALWAYS rely on them. Keep matters in your own hands!
What we recommend is to follow our guidelines for choosing your perfect WordPress backup plugin, one that provides scheduled automatic backups of your database and all the other data.
Tip #18: You’ve Been Hacked? Don’t Panic And SCAN Your website
It’s NOT the end of the world if somehow your site gets hacked. Usually, hackers take over websites to send spam emails from your server without you ever knowing it. Imagine this scenario: the hacker gains access to your server in some unknown way, doesn’t touch any of your data and just uploads some files to your server to use the resources you are paying for. It is in his interest that you do NOT notice you’ve been hacked, so everything seems fine. But by reading this, you are already smarter than THAT! The way to discover malware and suspicious files on your website is to use a SCANNER on your theme files regularly. Our selection of the most effective WordPress scanners includes:
- Anti-Malware Security and Brute-Force Firewall – We use this scanner on many of our websites, and it does a very nice job. The scanner searches for viruses, malware, vulnerabilities and threats on your server and helps you fix them quickly.
- AntiVirus – The AntiVirus plugin can perform an automated daily scan of your theme files and database tables and helps protect your blog or website against exploits and spam injections.
- Theme Authenticity Checker (TAC) – This plugin scans all of your theme files for potentially malicious or unwanted code.
- WP Antivirus Site Protection – Adds many more security layers to your website. It allows server-side scanning and deep scans of all the website’s files. Besides that, it can detect and remove viruses and malware.
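To show what a theme scanner is looking for, here is an added example (not the code of any plugin above, nor the article's) of a small command-line indicator scan over a wp-content directory. It flags the constructs that the base64-obfuscated backdoors described in Tip #2 typically rely on, and any PHP file under uploads/, where no PHP belongs. The pattern list and the script name are assumptions.

```php
<?php
// Added example: indicator scan for suspicious PHP under wp-content.
//   php indicator-scan.php /path/to/wordpress/wp-content     (path is an assumption)
// Hits are leads to inspect, not verdicts: legitimate plugins also call base64_decode().

$root = rtrim($argv[1] ?? getcwd(), '/\\');

// Assumed indicator list; extend it as you learn your own site's baseline.
$indicators = [
    'eval('                  => '/\beval\s*\(/i',
    'base64_decode('         => '/\bbase64_decode\s*\(/i',
    'gz* decompression'      => '/\bgz(inflate|uncompress|decode)\s*\(/i',
    'str_rot13('             => '/\bstr_rot13\s*\(/i',
    'preg_replace /e'        => '/preg_replace\s*\(\s*[\'"][^\'"]*\/[a-z]*e[a-z]*[\'"]/i',
    'request passed to exec' => '/\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)/i',
    'long base64 literal'    => '/[\'"][A-Za-z0-9+\/]{200,}={0,2}[\'"]/',
];

$iterator = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
);

$hits = 0;
foreach ($iterator as $path => $info) {
    if (!$info->isFile() || strtolower($info->getExtension()) !== 'php') {
        continue;
    }
    $relative = str_replace('\\', '/', substr($path, strlen($root) + 1));

    // Any PHP file below an uploads/ directory is suspicious on its own.
    if (preg_match('#(^|/)uploads/#', $relative)) {
        printf("[PHP IN UPLOADS]          %s\n", $relative);
        $hits++;
    }

    $code = (string) file_get_contents($path);
    foreach ($indicators as $label => $regex) {
        if (preg_match($regex, $code)) {
            printf("[%-24s] %s\n", $label, $relative);
            $hits++;
        }
    }
}

printf("%d indicator(s) found under %s\n", $hits, $root);
exit($hits > 0 ? 1 : 0);
```

Run it once on a clean installation and keep that output as your baseline; afterwards, any new line in the report is what deserves a look. Pattern matching is the cheap first pass; the scanners listed above add signature databases and, for core files, comparison against the known-good copies.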
Tip #19: Once Again – Our Common Sense In Action… For The Last Time
We have mentioned using common sense while securing your site several times in this article. That’s why at this point we don’t want to insult your new awesome “security-intelligence”; we just advise you to be aware of these additional precautions:
- Hackers can find a thousand ways to dig up your personal information. If you are a fan of the reality TV show Hacking The System, then you are more than aware that you shouldn’t log in over public, unsecured Wi-Fi hotspots.
- The same applies to internet cafés. You might be watched!
- Make sure your computer is well protected with antivirus and firewall software and clean of any viruses, especially key-loggers.
- Constantly monitor what is uploaded to your website (and NO, Kardashian-Leaked-Photo.php is NOT something you want present on your site).
- Never give FTP access to people unless they are professional WP developers who have worked for you for 5 years.
- Keep your login and password only to yourself.
- Be very cautious about who you give admin access to your website. Make admins only of people you personally know and trust.
Tip #20: Use AIO Security Plugins
We’ve covered almost every possible way to protect your site. But you don’t need to install all of the mentioned plugins. In addition to all of the measures we’ve covered so far, we will give you a list of our favorite AIO security plugins for tightening your site’s security and reducing the risk of being hacked in just a few clicks. But we’ve gone even a step further: we provide complete in-depth lessons for each and every one of these plugins, along with their proper configuration for maximum WordPress security. So pick one of our popular options in the next lesson and you are good to go.
Take a good look and pick your favorite plugin immediately after reading this lesson.
Congratulations on getting this far. You’ve gained a great “security-intelligence” and now you have nothing to be afraid of! Go ahead and apply our best recommendations for achieving unbreakable TOP WordPress security for your website. You will save a lot (time, money, nerves…) and make the hacker’s life a lot more difficult. Regardless of whether your business depends on your website or not, you MUST always be prepared. Even if you get hacked, don’t PANIC. Follow our “hacking-survival” guide:
- Keep calm
- Reset your password
- Scan your website with some of our recommended scanners
- Retrieve your backups and contact your hosting to put everything back to normal.
That’s it. No matter how paranoid you were before, now your site is hacker-proof, and you can sleep better. Take care!