How to protect your WordPress Website?

In this article we will talk about protecting websites built on the popular WordPress engine from hackers and other malefactors. Here goes!


Change your login

Do you still use admin as your username? It is the most common choice when a website is created, and it is the first thing bots try when probing for security flaws. Log in to the admin panel and create a new administrator account with a different name. Then log out of the control panel, log in as the new user and delete the admin account.

Unusual password

No one wants to memorize 20 different passwords, but it is essential that the password for your website is unique. Use uppercase and lowercase letters, punctuation marks, etc.

Example: Vg8uB6Z.<4 is a great password.

There are programs that store and generate passwords (password managers); they are exactly what you need.

Update WordPress

One of the most common reasons websites get hacked is the use of outdated scripts. WordPress tells you about a new release directly in the dashboard. Update it. The minute you spend now saves hours later: building a new website costs both money and time.

Avoid free themes

Many websites offer ready-made themes for designing your web resource. Some of them contain unpleasant hidden “surprises”. Use only proven websites, like for theme downloading, or create your own with the help of a free framework.

Be afraid of plugins

Of course, plugins extend the basic functionality, but some of them open doors to hackers. Download them only from the official WordPress website and pay attention to every warning that appears. Also, do not forget to update plugins.

Keep only what you need

Do you have a couple of unused plugins? Even when deactivated, they can be a threat. Delete everything you do not use: plugins, themes, and the readme file in the website root. There is a simple rule: the fewer scripts, the fewer vulnerabilities.

Perform backup copies

Not every hacker attack can harm you, but a single successful one will spoil your life. Back up your website on a regular basis! Many hosting companies provide this by default, and if something goes wrong you will be able to restore your website from the copy made a month ago, a week ago or yesterday.

Check your computer for viruses

You need to look after not only your WordPress website but your own computer too. Keep a frequently updated antivirus on it. You do not want to infect your site by uploading a couple of virus-infected files, do you?

SFTP is not FTP

All file uploads to your site should go over SFTP if your provider supports it. If not, move to a better-protected hosting company. The connection then runs over an encrypted protocol and the “bad guys” will not be able to intercept it.

Protect your configuration files

Adding a special .htaccess file to the site’s root increases security significantly. If you do not have such a file, create a text file and rename it to .htaccess (no file extension!). The following directives prevent an attacker from reading the database login from wp-config.php if PHP malfunctions and the file would otherwise be served as plain text.

# Deny direct HTTP requests for wp-config.php (it holds the database credentials).
# On Apache 2.4 without mod_access_compat use "Require all denied" instead of the two order/deny lines.
<Files wp-config.php>
order allow,deny
deny from all
</Files>

# Standard WordPress permalink rules: anything that is not an existing file or directory goes through index.php
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

Change the tables’ prefix in the database

Instructions for new websites

By removing the default wp_ prefix you make it noticeably harder for attackers who rely on guessing your table names. Open wp-config.php, find the line that sets the prefix and change it to something else. For example: $table_prefix = 'movie_';

How to change the prefix in working websites

You will need phpMyAdmin and Dreamweaver (to download the database dump, perform the search and replace, and import the dump again). If this looks too complicated for you, it is better to ask professionals for help.
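The search-and-replace step above hides the part that usually goes wrong: the prefix is also stored as data inside the options and usermeta tables. As an added example (not from the original article), this Python helper generates the SQL for the rename, including those rows, and rewrites the $table_prefix line in wp-config.php; the movie_ prefix comes from the text, the function names are my own.

```python
import re

OLD_PREFIX, NEW_PREFIX = "wp_", "movie_"   # 'movie_' is the example prefix from the text

def rename_statements(tables, old=OLD_PREFIX, new=NEW_PREFIX):
    """Return the SQL that moves every WordPress table from `old` to `new`.

    The prefix is also stored as data: the options table has a row named
    '<prefix>user_roles' and usermeta has keys like '<prefix>capabilities' and
    '<prefix>user_level'. Renaming the tables without updating those rows leaves
    every user without a role, so the UPDATEs below are part of the job.
    """
    stmts = [
        f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;"
        for t in tables if t.startswith(old)   # other apps' tables are left alone
    ]
    like = old.replace("_", "\\_") + "%"       # '_' is a LIKE wildcard, escape it
    cut = len(old) + 1                         # SUBSTRING() positions are 1-based
    stmts.append(f"UPDATE `{new}options` SET option_name = CONCAT('{new}', "
                 f"SUBSTRING(option_name, {cut})) WHERE option_name LIKE '{like}';")
    stmts.append(f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', "
                 f"SUBSTRING(meta_key, {cut})) WHERE meta_key LIKE '{like}';")
    return stmts

def rewrite_config(wp_config, new=NEW_PREFIX):
    """Point the $table_prefix assignment in wp-config.php at the new prefix."""
    pattern = re.compile(r"^(\s*\$table_prefix\s*=\s*)(['\"]).*?\2(\s*;)", re.M)
    text, n = pattern.subn(lambda m: f"{m.group(1)}'{new}'{m.group(3)}", wp_config)
    if n != 1:
        raise ValueError(f"expected one $table_prefix assignment, found {n}")
    return text
```

Run the generated statements in phpMyAdmin after taking a backup, then save the rewritten wp-config.php.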

Protect the catalogs from scan

To stop hackers from listing the contents of folders on your server by typing their full path, protect the folders with .htaccess (add the line Options -Indexes) or place an empty index.html file in the directory.

Protect the .htaccess file

It may seem strange that someone could change this file, but it is the core of your protection, so it is better to prepare in advance. Lock every door you can. Put the following code in it:

# Deny HTTP requests for the .htaccess file itself
<Files .htaccess>
order allow,deny
deny from all
</Files>

IP address restrictions

If you have a static IP address, you can restrict access to the website dashboard to that address. It is a great way to protect yourself. Add the following lines to a .htaccess file in the wp-admin directory (in the site root they would lock every visitor out of the whole site):

# Put this in wp-admin/.htaccess; the allow/deny rules do the work, the Auth* lines are a conventional no-op here.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# replace the question marks with your own static IP address
allow from ??.???.???.???
# If public pages of your site call wp-admin/admin-ajax.php, add an exception for it in a <Files admin-ajax.php> block.

Limit login attempts

When guessing passwords, hackers make many login attempts in a row. The system can be configured so that after a second unsuccessful attempt the malefactor’s IP address is blocked for a couple of hours.
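As an added example that is not part of the original article, here is the detection side of that policy in Python: it parses Apache access-log lines, counts failed POSTs to wp-login.php per IP address inside a sliding two-hour window and flags an address at its second failure. The log lines are constructed samples; the convention that a failed login answers 200 while a success redirects with 302 is WordPress’s own behaviour.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not from a real server):
# 203.0.113.7 fails three times in a row, 198.51.100.2 logs in successfully (302).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:15:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def failed_logins(lines):
    """Yield (ip, timestamp) for failed logins: WordPress re-renders the login form
    with HTTP 200 after a bad password, while a successful login redirects (302)."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php" and rec[4] == 200:
            yield rec[0], rec[1]

def offending_ips(lines, threshold=2, window=timedelta(hours=2)):
    """Map each IP that reaches `threshold` failures inside a sliding `window` to the time
    it did so. The defaults follow the text: a second failure within two hours flags the IP."""
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts in failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

The returned dictionary is what a blocking plugin or firewall rule would act on; feeding it the real access log instead of SAMPLE_LOG shows which addresses are hammering the login form.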

Disallow HTTP header tracking (the TRACE method)

Add the following lines to the .htaccess:

# Reject HTTP TRACE requests (used in cross-site tracing). Without the RewriteCond
# the rule would reject every request to the site.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

Protection from SQL injections

This is the most frequent form of attack on WordPress websites. Many hosting companies close these possible “holes” in protection, but nothing stops you from protecting yourself too. Again, add the following lines to the .htaccess. Keep in mind that these patterns only catch a few crude payloads; the real protection is keeping WordPress, themes and plugins up to date.

RewriteEngine On
# query strings that carry <script> tags (this first rule actually targets XSS payloads)
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# ... or attempts to override PHP's GLOBALS / _REQUEST arrays through the URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# answer 403 Forbidden; with [F] the index.php target is ignored
RewriteRule ^(.*)$ index.php [F,L]
