If you have a WordPress website, there’s a good chance it’s under attack at this very moment by all manner of hackers, phishers, malware, and other malicious attempts to create chaos. It’s not a matter of IF the cyber attack will come but WHEN. All you have to do is look at the numbers:
- There are more than 20 million active WordPress sites
- Hacking attempts rose 32% between 2015 and 2016
- Neither of the preceding statistics is expected to decline
It doesn’t take a brainiac to realize that all WordPress site owners need to be thinking right now how to secure their website. Rather than regurgitate the same suggestions to install a plugin or two, we’re going to dig deeper and more directly into the heart of the matter.
The reality is that the actual WordPress framework is pretty secure out of the gate. The problem is when you start adding 3rd-party plugins, themes, and code customizations. You need a way to combat all the security holes this additional code creates.
Here are 10 Effective Methods to Lock Down Your Website Against Hack Attacks.
#1. Limit Plugins
It’s probably unrealistic to ask WordPress owners to refrain completely from 3rd-party plugins and themes, but at least delete the ones you’re not using and think very hard before adding any more. The functions and features available are almost irresistible but understand you increase the chances of a successful hack with each new installation.
#2. Stay Away from Pirates
Ethical considerations aside, downloading a premium plugin from a torrent or illegal site leaves you wide open to the malicious code that a hacker could easily have added. When you install it on your WordPress site, you have invited the Barbarians into your house. Sure, it costs something to buy it directly from the developer, but the peace of mind is easily worth it.
#3. Update Regularly
It’s a good idea to update your WordPress installation with each new version released. It’s so easy to do, and the people at WordPress will plaster a reminder all over your dashboard. Think of it like this. All the security flaws associated with an older installation are known to the general public, including hackers. Don’t make their evil plans simple to execute.
#4. Purge the Editor!
I know it sounds severe, but unless you’re the kind of developer who’s always tweaking plugins and theme code, why not disable these editors altogether? The reason is simple. Authorized WordPress higher-ups have access to these editors, and if their accounts are hacked, yours is immediately at risk. All it takes is a tiny bit of code inserted in the wp-config.php file as follows:
define( 'DISALLOW_FILE_EDIT', true );
#5. Track Dashboard Activity
Whether it’s just you using the website or you have a team of editors and administrators, it’s a good idea to log keystrokes of what everyone is doing. The goal is not necessarily to catch bad people doing bad things, though that’s a benefit. The real gain here is to be able to track accidental missteps one click at a time to see what caused a breakage. A great plugin for this mission is WP Security Audit Log.
#6. Kill PHP Error Reports
A malfunctioning plugin or theme normally generates an error report. This seems like a good thing but can create a hole in your security if a hacker is able to view these reports that probably include a path that leads straight to your server. With that information, there’s no limit to the amount of trouble he or she could create. It’s best to disable error reporting completely. Here’s the code to put in the wp-config.php file:
error_reporting(0); @ini_set(‘display_errors’, 0);
#7. Change the Login Page Address
Renaming your login page from the standard www.websitename.com/wp-admin is an under-utilized but effective way to foil hackers. Since so many attacks are of the automated, brute force variety, simply changing your login URL increases your security immensely. In case you have no clue how to accomplish this, check out either Lockdown WP Admin or any of the other popular WordPress security plugins.
#8. Your Web Host Matters
You can work your fingers to the bone-protecting your website against every cyber threat that rears its ugly head, but if your web host doesn’t take security as seriously, you might as well put a flashing HACK ME sign on your front page and supply login credentials to the world. Look for companies that are familiar with what a WordPress site needs and show a solid security track record.
#9. Don’t Forget the Computer Updates
The third leg of the security triangle is the computer you use to access the Internet. Secure WordPress software and a security-minded web host won’t do you much good if your computer, laptop, or mobile device has security holes the size of Swiss cheese. Keep an eye peeled for operating system upgrades as well as software patches and (obviously) install a free anti-virus program like Avast or AVG to run regular virus and malware scans.
#10. Don’t Give Away Author Usernames
By default, WordPress makes it easy for a hacker to find out each author’s username. Since the main author is often the administrator as well, you’re handing information to a bad guy or gal on a silver platter. A few lines of code in the functions.php file will put an end to this software weakness:
add_action(‘template_redirect’, ‘bwp_template_redirect’); Function bwp_template_redirect() { If (is_author()) { wp_redirect( home_url() ); exit
Final Thoughts
The preceding WordPress security recommendations come with the caveat that you’ve already taken no-brainer actions like not using “admin” for a user name, changing your password often and making it complex, limiting login attempts, backing up your website regularly, and using a WordPress scanner to check the actual software for malware. If you do any of these, you’re ahead of the trusting masses who are lambs being led to the hacker’s slaughter. Implement them all and that makes you one smart cookie.
Read Also
DIY WordPress Security TIPS You Should Know!
How Can I Improve the Security of my WordPress Site?
WordPress Hacks to Style Out Your Blog Theme
How to lean a Hacked WordPress Site
Easy Guide to Recover your Hacked WordPress Website