In this article, we shall speak about protection of your websites on popular engine WordPress from hackers and other malefactors. Here goes!

Change your login
Do you still have admin? When creating a website it is the most popular one. It is the first thing the bots check when searching for the security flaws. Enter the admin panel and create a new admin account with some other name. Then log out the control system, log in again and delete the admin account.
Unusual password
No one wants to memorize 20 different passwords, but for your website is essentially important to be unique. Use uppercase and lowercase letters, punctuation marks, etc.
Example: Vg8uB6Z.<4 – is a great password.
There are programs that keep and generate passwords – it is exactly what you need.
Update WordPress
One of the most common reasons of website hackings is the usage of outdated scripts. WordPress will inform you about the release of their new version directly in the dashboard. Update it. Having lost a minute you will save hours in the future – a new website developing costs both, money and time.
Avoid free themes
Many websites offer to download the ready-made themes for your web-resource designing. Some of them contain unpleasant hidden “surprises”. Use only proven websites, like WordPress.org for theme downloading or create your own with the help of free frameworks.
Be afraid of plugins
Of course, plugins give you a functionality, different from a basic one, however, some of them open doors to hackers. Download them only from WordPress official website and pay attention to all warnings that appear. Also, do not forget to update plugins.
Keep only what you need
Do you have a couple of unused plugins? Even being inactivated, they can be a threat. Delete everything you do not use: plugins, themes, readme file from the website root. There is a simple rule: the fewer scripts, the fewer vulnerabilities.
Perform backup copies
Not all hackers’ attacks can harm you, but even the one successful one will spoil your life. Perform backup copies of your website on a regular basis! Many hosting companies provide such a function by default and in the case of problems; you will be able to recover your website from a month ago-, a week ago-, and yesterday copy.
Check your computer for viruses
It is necessary to look for not only your WordPress website but for your own computer. It is necessary for you to have frequently updated antivirus. Don’t you want to infect your site, having placed there a couple of virus files?
SFTP is not FTP
All the files downloading to your site are to occur via SFTP if your provider allows performing that. If not, change your hosting company to a more protected one. The connection will occur via protected protocol and “bad guys” will not be able to intercept it.
Protect your configuration files
Having added a special file .htaccess to the site’s root, you will increase the security significantly. If you don’t have such a file, create a text file with this name and then rename it (no file extension!). The following code will not give the malefactor the login from database in case of malfunctions with PHP.
<Files wp-config.php>
order allow, deny
deny from all
</Files>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
Change the tables’ prefix in the database
Instruction for new websites
Having removed the default wp prefix, you will significantly complicate the search for malefactors. Open file wp-config.php and find the lines, concerning the prefix. Change it to some another. For example, $table-prefix=’movie_’;
How to change the prefix in working websites
You will need PHPMyAdmin and Dreamweaver (to download the database dump, to perform the search/substitution, and download the dump again). If this looks too complicated for you, it is better to apply for help of professionals.
Protect the catalogs from scan
In order, hackers cannot scan the folders on your server, having typed their full path, protect them with the help of .htaccess (add Options – Indexes) or place to the directory an empty file index.html.
Protect the .htaccess file
It looks a bit strange, that someone might change this file, but it is a core of your protection, that’s why it is better to prepare it beforehand. Lock every door you can. Place there the following code:
<files .htaccess> order allow, deny deny from all </files>
IP-address restrictions
If you have a static IP-address, you can restrict the access to the website dashboard. It is a great way to protect yourself. Add the following lines to the .htaccess file:
AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic order deny, allow deny from all allow from ??.???.???.???
Limit log in attempts
Hackers usually, when trying passwords, perform many log in attempts. It is possible to set the system in such a way, that after a second unsuccessful attempt the malefactor’s IP-address will be blocked for a couple of hours.
Disallow HTTP header tracking
Add the following lines to the .htaccess:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
Protection from SQL-injections
It is the most frequent form of attack on WordPress websites. Many hosting companies cover these possible “holes” in protection, but no one stops you to protect yourself. Again, add the following lines to the .htaccess:
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC, OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0 - 9A-Z]{0, 2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0 - 9A-Z] {0,2})
RewriteRule ^(.*)$ index.php [F.L]
