20 Steps to Protect WordPress: Anti-Hack Security
We have compiled a set of recommendations to protect your WordPress installation as much as possible. Being the most used content management system in the world, WordPress is a frequent target of attacks. If you leave every option and setting at its default, you may have a security problem that ends with a compromised website. Here are some quick actions you can take to be much better protected while using WordPress.
1. Do not use the wp_ prefix for the database
From the very start of the WordPress installation you have to provide a series of details so that WordPress can communicate with the database.
Most of this information comes from your hosting provider, such as the name of the database, its username and password. But there is one decision to make: the prefix of the tables that will be created for WordPress.
By default, WordPress proposes wp_ as the prefix, so your tables will be named wp_options, wp_comments, wp_posts, etc.
And of course every hacker knows this. By not changing the default prefix you are giving free information to any potential attacker.
So the first place to start is securing your database during the WordPress installation itself. In this step, change the default table prefix (wp_) to another of your choice, for example wptabla_ or X1jM_ or whatever you want. The important thing is not how long or complicated it is, but at least do not leave the default prefix. If you somehow skipped this step at installation time, you can still change your database prefix by installing a multi-functional WordPress plugin like WP-Hardening.
2. Do not use the “admin” user to access WordPress
Another decision we have to make during the WordPress installation is the name of the first user who will access the administration of our website, a user who by default has full management permissions.
For years WordPress offered a default username, which of course you should not use. So when choosing the name of your first WordPress user, avoid the names commonly used for this task, such as admin, Admin, root, etc., since they are the first ones a hacker trying to take over your website will check.
3. Use a strong password
I know this very basic advice is hard to take seriously, but it is essential that you are aware that the easier a password is for you to remember, the easier it is for automated brute-force tools to guess.
WordPress, in its latest versions, includes a strong password generator and "suggests" that you use it. This will always be the best option. You can, however, ignore that recommendation and set a simple, insecure password, but you would be making the main and most important security mistake of all.
Today there is no reason to use easy passwords, since every browser offers to remember them for you on your computer. So always use strong passwords containing lowercase letters, uppercase letters, numbers and special characters.
If you have many registered users you can even force a password change so that all of them are secure, including those of the administrators. For example:
4. Always use the latest version of WordPress
If there is something dangerous, it is being online with obsolete or insufficiently updated software. Hackers mainly attack sites running older, outdated versions, which are often more vulnerable because they lack protection against known attack types.
Fortunately, WordPress offers an automatic update system, both for the WordPress core itself and for plugins and themes.
By default, you will not have to worry about WordPress security and maintenance updates, because WordPress applies them without your intervention and simply notifies you once it has been updated. But you will have to perform, even if it is a single click, the updates to the versions called "major".
For example, updating from version 4.3.1 to 4.3.2 does not require your intervention; WordPress does it for you. Going from 4.3.x to 4.4 does, although the process is as fast and as simple as pressing a button.
5. Update the installed plugins
WordPress is safe, and it is normal that it is, because a large community takes care of its maintenance, development and growth. The same does not happen with plugins.
However widely used a plugin is, there is often a single programmer behind it who, for obvious reasons, does not have the resources or time to always keep the plugin up to date.
For this reason, the main route of entry for attacks on a WordPress installation is mostly through non-updated plugins.
WordPress offers a warning and automatic update system for installed plugins, so when you see that some need updating, do not think twice.
If you use plugins that are not from the official directory, WordPress may not automatically detect that updates are available. In that case you should keep an eye on the developer's website.
6. Update the active theme
Equally important is always running an updated version of the active theme, since hackers know that themes do not usually change very often, which gives them time to study the code and invent ways to make your life more complicated, or even get you in trouble.
If you use a theme from the official directory, again, WordPress will notify you of updates. And if you use a theme purchased from another site, you should follow the news from its creator and update it when a new version is released.
7. Do not use obsolete plugins or themes
One of the most important sources of vulnerability is plugins and themes that are obsolete or abandoned by their developers. Frequently check the developer's page for your theme and plugins to see whether the product has been updated recently and, if not, look for an alternative that offers the same benefits.
If you use themes and plugins from the official WordPress directory, you will find all the information available, such as the date of the last update and compatibility with the latest versions of WordPress.
In addition, the official WordPress directory automatically removes plugins and themes that have not been updated for more than two years, which is an additional guarantee.
If you use themes and plugins downloaded from other sites, you should check for updates on their own website and install them manually.
8. Delete the plugins and themes you don’t use
In line with the previous action, having inactive plugins and themes installed is a danger, for the simple reason that we pay less attention to them when they are not active. Not only do they take up space on your hosting, they are also an entry point for possible vulnerabilities on your website.
The only inactive theme you should leave installed is the latest default WordPress theme available (right now Twenty Fifteen), which is an additional protection rule for your website: if WordPress detects a problem in your active theme and cannot load it, it will try to automatically activate the default theme if it is installed.
9. Download plugins and themes from safe sites
The safest place to download plugins and themes is the official directory, where you get updated, verified and secure versions of the latest developments.
Of course, never download plugins and themes from P2P networks like Torrent or eMule; they are usually infected with viruses and malware.
10. Protect the WordPress configuration file
The WordPress configuration file, the wp-config.php file, contains very sensitive information about your server:
- Database name
- Database user
- Database password
- Prefix of the database tables.
For this reason it is vital to protect it from outside eyes and, of course, from unwanted modifications.
For this you can perform the following actions:
- Move it to a higher folder: if it is located in the path .../public_html/mydomain.es/, move it to the folder .../public_html/.
- Write protect it by changing the permissions to 444.
- Add the following rules to the Apache .htaccess file to prevent unwanted access:

```apache
# Deny every HTTP request for wp-config.php. This is the Apache 2.2 access
# syntax (it still works on 2.4 with mod_access_compat); on a pure 2.4 setup
# the equivalent inside the block is "Require all denied".
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>
```
11. Protect the folder from uploaded files
The uploads folder, located at yoursite.es/wp-content/uploads, where the images and documents you attach to your WordPress posts are stored, is the most susceptible to attack. So it is very important to protect it to prevent viruses or malicious scripts from being executed from it.
WordPress does not allow uploading executable files to this folder by default, but there are techniques that hackers use to bypass this rule. So we must apply extra protection, expressly defining which file extensions can be uploaded to it.
To do this, we will add the following lines of code to the hidden Apache .htaccess configuration file, located in the folder where you installed WordPress:
```apache
# Apache 2.2 access syntax. These rules apply to the folder whose .htaccess
# holds them: in the WordPress root they would also deny index.php and every
# other PHP file, so they only make sense in the folder you are protecting.
# First deny every file that has an extension...
<Files ~ ".*\..*">
    Order Allow,Deny
    Deny from all
</Files>
# ...then allow back only the document and image extensions listed here.
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|bmp|tif|tiff|doc|pdf|rtf|xls|numbers|odt|pages|key|zip|rar)$">
    Order Deny,Allow
    Allow from all
</FilesMatch>
```
12. Make backup copies
If there is one fixed rule in security, it is that no matter what measures you apply, there will always be a new vulnerability we are not protected against; we will always be one step behind malicious attacks. So, in the event of a disaster, the only thing that can save us from losing all our content is having backup copies.
Verify that your web host has full automatic backups. In addition, install a backup plugin like BackWPup, which lets you schedule different backup tasks, save your copies on another server, send them by email, or even automate their storage on cloud services such as DropBox, Amazon S3 or Google Drive, among others.
13. Limit access attempts
Most of the current attacks against WordPress sites are made through massive attempts to access through the login screen, so it is essential to protect internal access to your WordPress.
For this, we can apply different security measures:
- Disable user registration, preventing malicious users from exploiting possible vulnerabilities to obtain extra permissions on your installation and the ability to make changes to it.
- Add a human verification system like reCaptcha, which keeps out automated bots that try to gain access to your site.
- Install a plugin that blocks massive access attempts, such as Limit Login Attempts, the Protect module of JetPack, or the equivalent utilities included in most security plugins, so that these kinds of attacks are stopped.
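The "massive access attempts" described above leave an obvious trace in the web server's access log. As an added example (not code from the original article), this POSIX shell function counts POST requests to wp-login.php per client IP in an Apache combined-format log and reports the IPs at or above a threshold; the log lines are constructed for the example and are not real traffic.

```shell
#!/bin/sh
# Added example: detect login floods against wp-login.php in an Apache
# combined-format access log. Detection only; blocking is left to the
# plugins mentioned above.

# Constructed sample log (not real traffic): 203.0.113.7 posts to the login
# form four times in a row, 198.51.100.22 browses normally and logs in once.
WP_SAMPLE_LOG='203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# usage: wp_login_flood THRESHOLD < access.log
# Prints "<ip> <count>" for every client IP with at least THRESHOLD POSTs to
# wp-login.php (GETs of the login page are ignored: they are normal browsing).
wp_login_flood() {
    awk -v threshold="$1" '
        # Combined format: $1 is the client IP, $6 the quoted method, $7 the path.
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php(\?|$)/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= threshold) print ip, hits[ip] }
    ' | sort
}

# Self-check on the constructed sample: flags only 203.0.113.7 with 4 hits.
printf '%s\n' "$WP_SAMPLE_LOG" | wp_login_flood 3
```

On a live server the same function reads the real log, for example `wp_login_flood 20 < /var/log/apache2/access.log`; the threshold is a site-specific choice.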
14. Install a security plugin
Many of the protection measures that we can apply to our WordPress installation are included in plugins specialized in securing WordPress.
Most of them contain settings to avoid brute force attacks, code injections and modifications of system files, including warning systems so that you are informed of any possible attack in progress.
The most recommended are the following:
- Astra Security
- iThemes Security
15. Use secure file and folder permissions
By default, WordPress applies read and write permissions to files and folders, and these can sometimes be changed, either automatically by some plugins or manually when you upload files yourself from the cPanel utilities or through FTP clients.
The default permissions that files and folders must have in WordPress are the following:
- Files: 644
- Folders: 755
If any file or folder has more permissions than this, it is a possible source of vulnerabilities. That said, some files may need a different permission. This guide on WordPress file and folder permissions will help you with that. You will need to reset them to the default permissions from the cPanel file manager or your favorite FTP client.
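As an added example (not code from the original article), this POSIX shell script audits a WordPress tree against the values given in this step (files 644, folders 755) and the write-protected wp-config.php from step 10 (444), reporting every path whose mode differs and optionally fixing it; the function names are my own.

```shell
#!/bin/sh
# Added example: audit and fix WordPress file and folder permissions.
# Report format: "<actual mode> <expected mode> <path>".

# Octal mode of a path (GNU stat on Linux, BSD stat fallback on macOS).
wp_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Expected mode: wp-config.php is write-protected (step 10), folders 755,
# everything else 644.
wp_want() {
    case "$1" in
        */wp-config.php) echo 444 ;;
        *) if [ -d "$1" ]; then echo 755; else echo 644; fi ;;
    esac
}

# List every file or folder below $1 whose mode differs from the expected one.
wp_perm_audit() {
    root="$1"
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }
    find "$root" -mindepth 1 \( -type f -o -type d \) -print | while IFS= read -r p; do
        mode=$(wp_mode "$p"); want=$(wp_want "$p")
        [ "$mode" = "$want" ] || printf '%s %s %s\n' "$mode" "$want" "$p"
    done
}

# Apply the expected mode to everything the audit reported.
wp_perm_fix() {
    wp_perm_audit "$1" | while IFS= read -r line; do
        actual=${line%% *}; rest=${line#* }; want=${rest%% *}; path=${rest#* }
        chmod "$want" "$path" && echo "fixed $path: $actual -> $want"
    done
}

# usage: ./wp_perms.sh /path/to/wordpress        (audit only)
#        ./wp_perms.sh /path/to/wordpress --fix  (audit and repair)
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "--fix" ]; then wp_perm_fix "$1"; else wp_perm_audit "$1"; fi
fi
```

Files the audit lists with a mode such as 2755 or 4755 carry setgid/setuid bits and deserve a manual look rather than a blind chmod.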
16. Use a reverse proxy like CloudFlare
A measure that adds immensely to the security of your WordPress website is using a CDN (content delivery network) service like CloudFlare. CloudFlare offers a very complete free plan and plugins that make its integration with WordPress easy.
In addition to offering a very powerful cache system, it also incorporates protection measures such as the following:
- Email obfuscation, avoiding the capture of email addresses displayed on your website
- Blocking IPs of visitors with behaviors suspected of being attackers
- Always online, to show a cached version of your website even when you are the object of an ongoing attack
17. Create an account in Google Search Console
The old Google Webmaster Tools, now known as Google Search Console, offer extra protection for your WordPress in addition to fundamental analytics and analysis tools for your website.
In short, it is essential that you register your site in the Search Console so that Google informs you of:
- WordPress updates
- Code injections
- Notices of usability problems
- Speed problems
Plugins like Yoast SEO or All in one SEO pack allow WordPress integration with the Search Console in a simple way.
18. Prevent access from sploggers
If for some reason you allow user registration on your WordPress, you must protect yourself against the so-called sploggers: users who register en masse on websites to try to reach their settings, add spam comments or even inject malware.
The definitive solution for this type of user is, of course, not to enable user registration (the WordPress default). But if you have registration enabled for loyalty or marketing reasons, you should install the best plugin that exists to detect and eliminate this threat: Akismet.
19. Protect the .htaccess file
We have seen several actions we can take from the Apache .htaccess file, and for the same reason it is equally important to protect this file itself.
The .htaccess file is a file on the Apache server that applies rules to any application installed on your hosting, in our case WordPress, and can enforce security measures, among other things.
To also protect the .htaccess file from unwanted access, you can include the following lines in the same file:

```apache
# Deny every HTTP request for the .htaccess file itself (Apache 2.2 access
# syntax, as in the earlier steps). The directives must be scoped to the file:
# without the <Files> block they would deny access to the whole site.
# Most stock Apache configurations already block .ht* files globally, so this
# is a belt-and-braces rule for hosts where that default has been changed.
<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>
```
20. Protect yourself from spam
One of the usual tasks of any administrator of a content manager such as WordPress is controlling spam in the comments. First, because it is a source of distractions and unwanted links on comment forms. And second, because some hackers use these forms to inject code that could compromise the security of your WordPress installation.
For this we can, and must, apply different strategies:
- Add a Captcha human verification system using plugins such as Really Simple CAPTCHA or the previously mentioned WangGuard.
- Activate a spam checking plugin like Akismet.
- Protect forms from the injection of special characters.
And, of course, without needing to install anything, apply spam control rules from Settings -> Comments in your WordPress installation:
- Manually approving all comments.
- Adding rules that automatically mark unwanted comments as spam.