Hackers and spammers are everywhere and your website is not spared too. Being one of the largest CMS platforms, WordPress also happens to be frequented by hackers. WordPress websites which attract a lot of traffic are ones which are targeted most. The hackers use your server to spam the emails of your customers. A proper security system in your WordPress website will ensure that your site is safe and invulnerable to such attacks. Here are some WordPress security tips which would help you create a security wall along your website and keep it safe from spammers and hackers.
Have Your Website Hosted with a Good Hosting Company
Hosting companies play an important role in safeguarding your website. About 40% hackers attempt to compromise your website from vulnerabilities in hosting platforms. Remember to look for the below points while you select a hosting company for you.
- Has trained staff who knows how to take care of WordPress security problems if the situation calls for one.
- The latest version of MySQL and PHP is supported by them.
- They have WordPress optimized firewall.
- Intrusive file detection and malware scanning is present.
- The hosting company is optimized to run WordPress.
Account isolation should be opted for if you are looking forward to using shared hosting plan. Account isolation makes sure that a single account doesn’t overload the server and cause difficulties for your site. Usually all good hosting companies provide daily backups however, you should take your backups too.
Scanning Your Website
The next advice in WordPress security tips is to scan your website. As discussed earlier, hackers use websites to use server to send across spam emails. If you know that your website has been compromised then along with your hosting company you would be able to remove the malicious files uploaded by the hacker. But in case you are unaware about the compromise the hackers will continue to use your server and send spam emails without you discovering it.
The only way you could check whether or not your website is safe is to scan your theme files at regular intervals. There are some useful plugins which could be of your service. Plugins such as WP Antivirus Site Protection helps in locating Trojan horses, adware, backdoor rookits, PHP mailers, spyware, fraudulent tools, worms and much more. Some of the other plugins with same such abilities are SucuriSitecheck, Ultimate Security Checker and CodeGuard, AntiVirus. You could select one for your site.
A plugin by the name of WP Changes Tracker should also be installed and kept in your website. Even though this is not an anti-virus scanner it displays any changes done on your website. The change log enables you to see any changes that have been made in your website.
Regular scans keep your website safe and free from any malicious activities that might be happening on your site.
Limit Login Attempts
An obvious way the hackers try to break through your admin area is by logging in several times by using random username and passwords.
Limiting your login attempts is the best way to avoid this type of attack. Login Security Solution plugin helps in limiting the number of logins from a certain IP range. There are many other plugins meant for WordPress website which offer the same functions such as the mentioned plugin, they can be looked up on the internet and the one you like the best can be used.
When a user fails to log in for a certain number of times that you have opted for they will instantly be logged out of the WordPress site for a certain time. The time of lockout can be fluctuated to more or less according to your choice.
There are times when users who you know have been mistakenly locked out, there is an option to unban them which can be done manually.
The IP addresses of people who are making failed attempts of login are recorded by the plugins. Using this information and you could have these people blocked from your website for an indefinite period.
In a report generated by a security company, some time back among the millions of accounts which were breached in the Yahoo security breach, about 17% had passwords ‘1234567’. Keeping a password according to your convenience is inviting hackers to compromise your website. Keeping strong passwords is one of the WordPress security tips to keep your site safe. Brute force automated scripts are used by hackers to get through your website in case your passwords are not strong.
Earlier for the primary administrator account, WordPress had set the default username as ‘admin’ , this has been changed now and you can choose to keep a username of your choice yet hundreds of people continue to use admin as their username. The hackers are not unaware about this situation and in many cases, they just have to make their way through the password with the help of brute force scripts and they can access your administrator account.
Remember to change the default username, this is for the security of your website. Run the below command in PHPMyAdmin. WP-DBManager is plugin which you can use to run the below command in the admin area. Once done make sure that the plugin is uninstalled else there could be other who could use the plugin to change your username.
UPDATE wp_users SET user_login = ‘newusername’ WHERE user_login = ‘admin’;
Another important information in the list of WordPress security tips is to backup always. Since the time storage and computers have been in use it has always been recommended that we backup the data. Irrespective of the tight security which you have used or build up for the safety of your website you should always backup your website.
Good companies who offer hosting services always backup your website but you never know when misfortune could hit. Maybe the data center of the hosting company is damaged because of flooding or power surge, your internal backups and the main website would both be lost in the process, but you would be safe if you take external website backups.
WordPress backup services such as CodeGuard or Blog Vault which could be of assistance here. These are automated backup services and the procedure of backup and restoring is made hassle free by them.
You could also use a plugin for this – Backup Creator or WordPress Backup to Dropbox are good choices although there are hundreds more which offer to provide you with backup service.
Relying completely on internal backups is not the solution if your website is compromised then the entire content can be deleted or altered which means an external backup is the safest.
WordPress is frequently used by newbies who are not quite technical and would like to consider defending their site with a strong security solution which would take care of all the security measures. Besides scanning your WordPress site and patching the loopholes they also provide your site with firewall and keep a check on malicious files.
Here are some of the security plugins which could be of assistance to you.
One of the well-known plugins which is Wordfence Security which offers a firewall that blocks security threats, has mobile phone two-factor authentication login, scans for phishing attempts, malware, doesn’t take weak passwords, detects DDoS attacks, sends email notifications if there are failed login attempts and features several more features to keep your site secure.
The Acunetic WP Security plugin features some powerful functions which fortifies the defence system of your website. Besides checking admin area, theme files and strength of passwords you also get to monitor live traffic with this plugin. Features such as removing update notifications, PHP error report disabling and getting rid of WordPress version are some of the useful options which comes along with it.
Once of the most downloaded and popular security plugins is the iThemes Security. The plugin observes file changes and detects bots and sends notification to the user. It also checks for security threats, scans your entire site, repairs all damaged files and displays random version numbers users who are not administrators.
Having such security plugins will give you peace of mind as you know your website is safe from attackers.
Some Common Preventive Actions
The security of the site depends on how you handle it on a daily basis. Your daily actions determine its safety and security. This can be further boosted if you follow some precautions such as WordPress security tips given below:
- If you are uploading files to your website then a Secure FTP client should be used.
- Avoid logging in to your website on networks that are not secured
- Also avoid using your website from the computer of a cyber café to avoid people tracking your login details. Also if you are in public place ensure no one sees you entering your login details.
- Don’t share your login details with people who are not trustworthy neither make anyone the editor for your website who you think are unreliable.
- Installing a firewall on your system will give you an added protection.
- Don’t let others upload files to your website as someone could upload malicious scripts.
- If you suspect authors or editors doing something to harm your website then you can track their activities with plugins like Audit Trail.
- Use anti-virus software’s like Avira, Norton or anyone which you find suitable for your system.
- Don’t give access to website hosting area to just anyone.
Following these small precautions will help you keep your website safe.
Always Keep Your WordPress Updated
Updates are there for a reason and forgetting to update or purposely not updating is the biggest mistake that you can make. Every updated version comes with fixes and helps you fix all glitches and issues in the earlier version. Using an old version of WordPress will only make your site more vulnerable, giving an open invitation to the hackers. WordPress usually releases two versions in a year and can be easily distinguished as the updates come in increased numbers such as 4.0,4.1,4.2,4.4,4.5,4.6…. and so on. Every big update will give you added features and functions with which you can improve your website. With every big update follow smaller updates which are usually released to fix small issues or bugs which come up in these big updates. These smaller updates will be seen in numbers like 4.9.1, 4.9.2 … and so on. This is why neither the big nor the small updates should be ignored or left out.
Using the code below will let you be carefree while all the updates both major and minor are applied automatically. You need to add the code to your wp-config.php file:
1# Enable all core updates, including minor and major:
2 define( ‘WP_AUTO_UPDATE_CORE’, true );
While there are safety measures which are already in place to ensure that the website doesn’t break while an auto update is happening, there always remains a risk. There is only one reason to why a website would break after a major update is when you have plugins which are not consistently updated. Ensure that all the plugins that have been installed on your system are updated else a major update might break your WordPress site. This is also why some people prefer to handle the updates themselves. If you think auto updates could pose a problem you can disable all the auto-updates using the below code in your wp-config.php file:
1 # Disable all core updates:
2 define( ‘WP_AUTO_UPDATE_CORE’, false );
Besides these above WordPress security tips, you should also ensure that you take care of the installation settings. Small things kept in mind will help you to keep your website safe from the hackers and spammers. Whether your site is a small one or one which attracts huge traffic leave no loopholes in the security system.