40 Easy Steps to protect your WordPress website From Hackers (+1 bonus tip!)
My WordPress website is being hacked. Now what? Here, I am trying to present “40 Easy Steps to protect your WordPress website From Hackers“.
It’s very easy to blame “World’s most popular CMS” platform “WordPress” when yours or your client’s site gets hacked. But there is a solution to it, I would recommend to apply following strategies in order to protect your WordPress website from hackers.
40 Easy Steps to protect your WordPress website From Hackers
- Refer security bible by WordPress Codex located here: http://codex.wordpress.org/Hardening_WordPress
- Choose a quality web hosting. Choose it wisely.
- Check with your chosen hosting service provider whether they using latest version of Server’s operating system, Apache Web Server, MySQL Databases and PHP.
- Ask your hosting provider to provide you “written” service level agreements to understand wha’ts process they follow for data backup, failover and emergency management.
- Keep your WordPress installation, wordpress themes and plugins all up to date.
- Check code quality, performance, ratings and how many downloads before downloading any plugins.
- Don’t keep user name as “admin” but keep it something little more complex – how about your favorite pet’s name!
- Create a strong password for wp-admin logins. Learn more about password strength here: http://en.wikipedia.org/wiki/Password_strength
- Refer this nice article on WordPress Codex – http://codex.wordpress.org/FAQ_My_site_was_hacked
- Remove any themes or plugins which are not in use on your curent website.
- Create an .htaccess file in wp-admin folder and add the following piece of code:
AuthName “Access Control”
deny from all
#IP address to Whitelist
allow from 188.8.131.52
Allow from all
- Whenever possible, please use SFTP / SSH pass over standard FTP.
- Use SSL if possible on your WordPress website. To enable secure SSL connection to your website add the following code to wp-config.php file:
- Install this plugin: http://wordpress.org/plugins/login-lockdown/
- Install this plugin: http://wordpress.org/plugins/bulletproof-security/
- Do a free scan at: http://sucuri.net/ & take action accordingly
- User a service like this for backup / restore – http://vaultpress.com/
- If you want a free service for backup, I would recommend create a free account at http://Dropbox.com, Install this plugin: http://wordpress.org/plugins/wordpress-backup-to-dropbox/ and configure this plugin properly to have daily / weekly backup to your dropbox folder.
- Don’t neglect setting up file permissions – http://codex.wordpress.org/Changing_File_Permissions
- Further to Point # 19, Set file permissions as 644 for all files and 755 for all folders.
- Refer sucuri’s security blog: http://blog.sucuri.net/
- Refer Google’s Online Security Blog: http://googleonlinesecurity.blogspot.com/
- When your website is being hacked – install this plugin: http://wordpress.org/plugins/ultimate-maintenance-mode/ or keep a static website page mentioning that website is down maintenance to avoid any negative ratings from Search engines and customers.
- Keep your computer clean from viruses and malwares. As the files which you upload it to your wordpress site from your local computer gets infected and become more vulnerable to security attacks.
- If you find it different to remember passwords, use – https://agilebits.com/onepassword or http://keepass.info
- Learn how to make necessary changes to wp-config file – refer this documentation from WordPress codex: http://codex.wordpress.org/Editing_wp-config.php%23Disable_the_Plugin_and_Theme_Editor
- Do proper data validation – learn more at: http://codex.wordpress.org/Data_Validation
- Search the files and database of your WordPress install for signs that may indicate that it has fallen victim to malicious hackers. – http://wordpress.org/plugins/exploit-scanner/
- Check your server access logs immediately and observe is there any malicious activity going on your website.
- If you can’t fix the infected files restore recent clean backup.
- Check the plugin / theme developer’s website to see whether they’ve upgraded their product recently. If they did, apply those changes to your website immediately by upgrading it accordingly.
- Look for plugins that use nonces instead of browser cookies.
- Change your wp-admin, FTP and control panel passwords once a month. Set a reminder in your personal calendar.
- If you’re managing more than 1 wordpress website, create different passwords for different websites.
- Disable any unused user accounts. If you are not going to use that user account, delete it.
- Backup your website before you upgrade with latest WordPress CMS version, theme or plugin.
- If you’re unsure about how to update WordPress, themes, and plugins, hire someone to do it for you. – Look at our WordPress Maintenance Plans
- Allow your website users the minimum privilege they need to do their jobs.
- If two plugins do similar things, choose the one with the higher download count.
- Keep the contact details of your hosting provider handy! (including answer to the security question which they ask before providing a support.)
Bonus tip: Install WP Super Cache plugin (http://wordpress.org/plugins/wp-super-cache/) to load your WordPress website faster.
Conclusion of my post – 40 Easy Steps to protect your WordPress website From Hackers
I’ve taken inspiration to write this post from codepoet’s team. I hope you have enjoyed my post on 40 Easy Steps to protect your WordPress website From Hackers”.