Securing a WordPress site is not something to take lightly. Any WordPress site can be hacked, and these 14 tips will help you limit the potential damage. The time to act is while everything still works correctly: put prevention in place beforehand.
Back up your WordPress site fully and regularly
Before doing any work, take a full backup of your WordPress site. You must save the following:
- Your MySQL database;
- The files of your installation, i.e. everything reachable through your FTP account (wp-config.php and wp-content with its themes, plugins and uploads).
Your host may offer a full backup directly from its control panel, cPanel for example. Take the opportunity to download a complete ZIP backup of your site!
Your host's management platform may include a backup tool.
You can also use the cloud backup service offered by Automattic, the company behind WordPress.com, called VaultPress. It takes full or partial backups (plugins, themes, MySQL) at regular intervals, several times a day. It is a paid option.
Good free alternatives for online backup also exist.
Whatever you choose, make sure an automatic backup of your MySQL database is in place.
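As an added example (not code from the original article), here is a minimal cron-driven database backup using mysqldump. It assumes the script sits next to wp-config.php, that mysqldump and gzip are on PATH, and that the backup directory is outside the web root; all of those are our assumptions, not the article's.

```php
<?php
// Added example, not from the original article: a cron-driven MySQL backup for
// WordPress using mysqldump. Assumptions: this script lives next to wp-config.php,
// mysqldump and gzip are on PATH, and BACKUP_DIR is outside the web root.
// Schedule it with cron, e.g.:  0 3 * * * php /path/to/db-backup.php

const WP_CONFIG  = __DIR__ . '/wp-config.php';
const BACKUP_DIR = __DIR__ . '/../db-backups';   // not reachable over HTTP
const KEEP       = 14;                            // number of dumps to retain

/** Read the value of define('NAME', '...') from the text of wp-config.php. */
function wp_config_value(string $config, string $name): string
{
    $re = '/define\s*\(\s*[\'"]' . preg_quote($name, '/') . '[\'"]\s*,\s*[\'"]([^\'"]*)[\'"]\s*\)/';
    if (!preg_match($re, $config, $m)) {
        throw new RuntimeException("$name not found in wp-config.php");
    }
    return $m[1];
}

/** Dump the database to a gzipped file; returns the file size in bytes. */
function dump_database(string $config, string $outFile): int
{
    // DB_HOST may carry a port ("db.example.net:3306"); split it off.
    [$host, $port] = array_pad(explode(':', wp_config_value($config, 'DB_HOST'), 2), 2, '3306');
    $cmd = sprintf(
        'mysqldump --single-transaction --host=%s --port=%s --user=%s %s | gzip > %s',
        escapeshellarg($host),
        escapeshellarg($port),
        escapeshellarg(wp_config_value($config, 'DB_USER')),
        escapeshellarg(wp_config_value($config, 'DB_NAME')),
        escapeshellarg($outFile)
    );
    // The password travels in the environment, not on the command line, so other
    // accounts on a shared host cannot read it from `ps`.
    $env  = ['MYSQL_PWD' => wp_config_value($config, 'DB_PASSWORD')] + getenv();
    $proc = proc_open($cmd, [2 => ['pipe', 'w']], $pipes, null, $env);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    $code = proc_close($proc);
    // The exit code is gzip's, not mysqldump's, so also reject a dump that is
    // suspiciously small: a failed mysqldump leaves gzip with nothing to compress.
    if ($code !== 0 || filesize($outFile) < 100) {
        @unlink($outFile);
        throw new RuntimeException("backup failed (exit $code): $stderr");
    }
    return filesize($outFile);
}

/** Delete all but the newest $keep dumps; returns the paths removed. */
function prune_backups(string $dir, int $keep): array
{
    $files = glob($dir . '/wpdb-*.sql.gz') ?: [];
    sort($files);                                 // timestamped names sort oldest first
    $old = array_slice($files, 0, max(0, count($files) - $keep));
    foreach ($old as $f) {
        unlink($f);
    }
    return $old;
}

if (PHP_SAPI === 'cli') {                         // never run when requested over HTTP
    if (!is_dir(BACKUP_DIR)) {
        mkdir(BACKUP_DIR, 0700, true);
    }
    $config = file_get_contents(WP_CONFIG);
    $out    = BACKUP_DIR . '/wpdb-' . gmdate('Y-m-d-His') . '.sql.gz';
    $bytes  = dump_database($config, $out);
    chmod($out, 0600);                            // the dump contains every password hash
    echo "wrote $out ($bytes bytes)\n";
    foreach (prune_backups(BACKUP_DIR, KEEP) as $f) {
        echo "removed $f\n";
    }
} else {
    http_response_code(404);
}
```

Copy the resulting dumps off the server as well: a backup that lives only on the hacked machine is the first thing an attacker deletes or encrypts.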
Keep your WordPress site updated
85% of hacked WordPress sites are sites that had not been updated for months or even years. Every core update ships security patches, and the same goes for your plugins and themes!
Note that WordPress has a built-in update and reinstall feature that is fully automated. If that feature regularly fails on your host, the solution is to change provider.
Use secure passwords
An administrator account with elevated privileges, whether on your WordPress site or on your personal computer, must have a password of at least 8 characters (longer is better) that includes:
- Digits;
- Special characters.
We wrote about how to create a strong password; you may want to read that too.
This protects you against dictionary attacks, where the attacker simply tries lists of common words and leaked passwords.
Avoid anything drawn from your personal life, such as your date of birth or your postcode. Privacy is very poorly protected on the Internet these days, and such details are easy to find.
And of course, use a different password for each of your accounts. One password to rule them all, and we all know how that ends (cf. The Lord of the Rings by Tolkien)!
Change the prefix of your database
When you install WordPress, the prefix assigned to your MySQL tables is wp_ by default, so an attacker who finds an SQL injection flaw can guess table names such as wp_users without any reconnaissance.
If you did not pay attention to this setting at install time, it is not too late: the WP Security Scan plugin can rename the tables for you. Back up the database before you try.
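For those who prefer to see what such a rename does before clicking, here is an added example (our own code, not the article's and not the plugin's) that prints the SQL for moving a single-site database from one prefix to another. The table list is the standard single-site schema; any plugin tables on your site are an assumption you must add yourself.

```php
<?php
// Added example, not from the article or the WP Security Scan plugin: print the SQL
// needed to move a single-site WordPress database from one table prefix to another.
//   php change-prefix.php wp_ x7q2_ > change-prefix.sql
// Review the statements, back up the database, run them with the mysql client, then
// set $table_prefix = 'x7q2_'; in wp-config.php. The table list below is the standard
// single-site schema; add any plugin tables your site has.

const WP_TABLES = [
    'commentmeta', 'comments', 'links', 'options', 'postmeta', 'posts',
    'termmeta', 'terms', 'term_relationships', 'term_taxonomy', 'usermeta', 'users',
];

/** Returns the list of SQL statements, one per element, in the order to run them. */
function prefix_change_sql(string $old, string $new, array $tables = WP_TABLES): array
{
    foreach ([$old, $new] as $p) {
        // Letters, digits and underscore only: the prefix is interpolated into SQL below.
        if (!preg_match('/^[A-Za-z0-9_]+$/', $p)) {
            throw new InvalidArgumentException("invalid prefix: $p");
        }
    }
    $sql = [];
    foreach ($tables as $t) {
        $sql[] = sprintf('RENAME TABLE `%s%s` TO `%s%s`;', $old, $t, $new, $t);
    }
    // Some *rows* embed the prefix in their key names and must follow it, or every
    // user silently loses their role: wp_user_roles in options, wp_capabilities and
    // wp_user_level in usermeta. '_' is a LIKE wildcard, so escape it in the pattern.
    $like = str_replace('_', '\\_', $old) . '%';
    $from = strlen($old) + 1;
    $sql[] = sprintf(
        "UPDATE `%soptions` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s';",
        $new, $new, $from, $like
    );
    $sql[] = sprintf(
        "UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s';",
        $new, $new, $from, $like
    );
    return $sql;
}

if (PHP_SAPI === 'cli' && $argc === 3) {
    echo implode("\n", prefix_change_sql($argv[1], $argv[2])), "\n";
} elseif (PHP_SAPI === 'cli') {
    fwrite(STDERR, "usage: php {$argv[0]} OLD_PREFIX NEW_PREFIX\n");
    exit(1);
}
```

The two UPDATE statements are the step most one-click tools get wrong: renaming the tables alone leaves the wp_user_roles option and the wp_capabilities meta keys behind, and you are locked out of your own dashboard with "you do not have sufficient permissions".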
Close browser access to the files of your WordPress installation
By default, anyone can list the contents of your directories, /wp-content/uploads for example, from a simple browser if the web server has directory indexing enabled.
Block directory listing for your WordPress installation.
Delete the account ‘admin’ created by default
By default, WordPress lets you create an account called admin during installation. If you keep this well-known username, an attacker only has to find your password: half of the credential is already known.
Simply create a new account with administrator privileges, log out of the old admin account, log in with the new credentials and delete the old account (WordPress offers to reassign its posts to another user; do that rather than deleting them).
Take care of the secret security keys in the file wp-config.php
Make sure that wp-config.php, the file at the root of your WordPress installation that holds your MySQL connection details, defines randomly generated security keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and the four matching salts). WordPress uses them to sign login cookies and nonces; you can generate a fresh set at https://api.wordpress.org/secret-key/1.1/salt/. Changing them logs every user out, which is also the quickest way to invalidate stolen cookies.
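The three wp-config.php points made so far (a non-default table prefix, real secret keys, automatic core updates left on) can be checked in one go. The script below is an added example, not code from the article; the 32-character minimum for keys is our own threshold (the official generator produces 64-character values), and the placeholder string is the one shipped in wp-config-sample.php.

```php
<?php
// Added example, not from the article: a read-only audit of wp-config.php for the
// table prefix, the eight secret keys and salts, and automatic core updates.
//   php audit-wp-config.php /path/to/wp-config.php
// Assumption: 32 characters is our own minimum for a key; the generator at
// https://api.wordpress.org/secret-key/1.1/salt/ produces 64-character values.

const SECRET_KEYS = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];
const PLACEHOLDER = 'put your unique phrase here';   // value shipped in wp-config-sample.php

/** Map of NAME => value for every define('NAME', value) in the file. */
function parse_defines(string $config): array
{
    // Values may be single- or double-quoted strings (with backslash escapes) or bare
    // words such as true/false. Generated salts contain ')' and ';', so the string
    // branches must honour quotes rather than stop at the first closing parenthesis.
    $re = '/define\s*\(\s*[\'"](\w+)[\'"]\s*,\s*(?:\'((?:[^\'\\\\]|\\\\.)*)\'|"((?:[^"\\\\]|\\\\.)*)"|(\w+))\s*\)/';
    preg_match_all($re, $config, $m, PREG_SET_ORDER | PREG_UNMATCHED_AS_NULL);
    $out = [];
    foreach ($m as $d) {
        $out[$d[1]] = $d[2] ?? $d[3] ?? $d[4];
    }
    return $out;
}

/** Returns human-readable findings; an empty array means nothing to report. */
function audit_wp_config(string $config): array
{
    $findings = [];
    $defs = parse_defines($config);

    if (preg_match('/\$table_prefix\s*=\s*[\'"]([^\'"]*)[\'"]/', $config, $m)) {
        if ($m[1] === 'wp_') {
            $findings[] = 'table prefix is the default wp_';
        }
    } else {
        $findings[] = '$table_prefix not found';
    }

    $seen = [];
    foreach (SECRET_KEYS as $k) {
        $v = $defs[$k] ?? null;
        if ($v === null) {
            $findings[] = "$k is not defined (WordPress then keeps a salt in the database instead)";
            continue;
        }
        if ($v === PLACEHOLDER) {
            $findings[] = "$k still holds the installer placeholder";
        } elseif (strlen($v) < 32) {
            $findings[] = "$k is only " . strlen($v) . ' characters long';
        } elseif (isset($seen[$v])) {
            $findings[] = "$k reuses the value of {$seen[$v]}";
        }
        $seen[$v] = $k;
    }

    if (($defs['WP_AUTO_UPDATE_CORE'] ?? null) === 'false') {
        $findings[] = 'WP_AUTO_UPDATE_CORE is false: automatic security updates are switched off';
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $findings = audit_wp_config(file_get_contents($argv[1]));
    echo $findings ? '- ' . implode("\n- ", $findings) . "\n" : "no findings\n";
    exit($findings ? 1 : 0);
}
```

Run it from the shell, not through the web server: the file it reads contains your database password, and a script that parses it should never be reachable by URL.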
Hide the version of WordPress
If you view the source code of your WordPress site, you will notice a meta tag that reveals your WordPress version:
<meta name="generator" content="WordPress 3.1.x" />
The problem is that an attacker can easily look up known flaws for the exact version you run, hence the advice to keep your WordPress installation updated. Hiding the tag only hinders casual fingerprinting; it is no substitute for updating.
Prevent access to wp-config.php via .htaccess
Open the .htaccess file at the root of your web space (via FTP) and add the following lines. They stop an attacker from reading your database username and password if PHP ever stops executing on the server and the file is served as plain text.
<FilesMatch "^wp-config\.php$">
deny from all
</FilesMatch>
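Here is an added .htaccess example (not from the original article) that covers this section and the earlier one on directory listings in a single file, with the syntax for both Apache 2.2 and 2.4. It assumes your host allows the Options and Limit/AuthConfig overrides in .htaccess; if it does not, Apache answers 500 and you must ask the host to apply the settings.

```apache
# Added example, not part of the original article: .htaccess at the WordPress root
# covering two points (no directory listings, no reading wp-config.php).
# Works on Apache 2.2 and 2.4; assumes AllowOverride permits Options and
# Limit/AuthConfig, otherwise Apache returns 500 until the host adjusts it.

# 1. No directory listings anywhere under the site (wp-content/uploads has no index.php).
Options -Indexes

# 2. Never serve wp-config.php as a plain file. The pattern has no trailing "$" on
#    purpose: editor and backup copies (wp-config.php~, wp-config.php.bak) are covered
#    too, and those are exactly the files served as text because they are not .php.
<FilesMatch "^wp-config\.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
```

After saving, request https://your-site/wp-config.php and https://your-site/wp-content/uploads/ in a browser: the first must return 403, the second must not show a file list.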
Block brute force attacks
By default, anyone can try as many username/password pairs as they like against your WordPress login page (and against xmlrpc.php), so an attacker can simply brute-force your password.
So install the Login LockDown plugin to limit the number of attempts allowed within a given period.
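To show what such a plugin does under the hood, here is an added example of a minimal login throttle as a must-use plugin. It is our own code, not the article's and not Login LockDown; the thresholds are assumptions, and it assumes REMOTE_ADDR is the real client address (behind a reverse proxy, take the address from the header your proxy sets, never from one the client controls).

```php
<?php
/*
Plugin Name: Simple login throttle (added example)
Description: Locks a username/IP pair out for a while after too many failed logins.
*/
// Added example, not from the article or the Login LockDown plugin. Drop it in
// wp-content/mu-plugins/. Assumptions: the thresholds below, and that REMOTE_ADDR
// is the real client address (behind a reverse proxy, derive the IP from the header
// your proxy sets, never from a header the client controls).

const LOGIN_THROTTLE_MAX_ATTEMPTS = 5;
const LOGIN_THROTTLE_WINDOW       = 15 * MINUTE_IN_SECONDS;   // failures are counted within this window
const LOGIN_THROTTLE_LOCKOUT      = 30 * MINUTE_IN_SECONDS;   // lockout length once the limit is hit

/** Transient key for one username/IP pair. */
function login_throttle_key(string $username): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'login_throttle_' . md5(strtolower($username) . '|' . $ip);
}

// Count failures. wp_login_failed fires for wrong passwords and unknown users alike,
// and for XML-RPC logins too, since both paths go through wp_authenticate().
add_action('wp_login_failed', function (string $username): void {
    $key   = login_throttle_key($username);
    $state = get_transient($key) ?: ['count' => 0, 'locked_until' => 0];
    if ($state['locked_until'] > time()) {
        return;                                   // already locked; do not extend the lockout
    }
    $state['count']++;
    if ($state['count'] >= LOGIN_THROTTLE_MAX_ATTEMPTS) {
        $state = ['count' => 0, 'locked_until' => time() + LOGIN_THROTTLE_LOCKOUT];
        set_transient($key, $state, LOGIN_THROTTLE_LOCKOUT);
    } else {
        set_transient($key, $state, LOGIN_THROTTLE_WINDOW);
    }
});

// Refuse the attempt while locked out, after the core username/password check
// (priority 20) so a valid login during lockout is rejected just the same.
add_filter('authenticate', function ($user, string $username, string $password) {
    if ($username === '') {
        return $user;                             // cookie authentication, nothing to throttle
    }
    $state = get_transient(login_throttle_key($username));
    if ($state && $state['locked_until'] > time()) {
        $minutes = (int) ceil(($state['locked_until'] - time()) / 60);
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed logins. Try again in %d minutes.', $minutes)
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that pair.
add_action('wp_login', function (string $login): void {
    delete_transient(login_throttle_key($login));
});
```

Keying on the username/IP pair rather than the IP alone means a distributed attack on one account is still slowed down, while a coffee-shop NAT full of legitimate users is not locked out by one of them mistyping.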
Use a scanner for checking security flaws
The WP Security Scan plugin provides handy tools to identify weaknesses. Among other things it shows the current permissions (chmod) of your folders next to the recommended values. If everything is green, your permissions are in order. A red dot means you must fix the permissions yourself with an FTP client.
This plugin also lets you change the prefix of your WordPress database.
NB: we do warn you that some of these actions can damage your site. Being able to change sensitive settings in a few clicks is a hazard for untrained users, so try them on a test installation first! We have written about how to create an offline WordPress installation on your hard disk; use such an offline blog to experiment.
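The permission check is simple enough to run yourself from a shell, which also shows what "green" and "red" mean. The script below is an added example, not the article's and not the plugin's; the expected modes (directories 755, files 644, wp-config.php 600 or 640) are the usual recommendations, and it assumes PHP runs as the owner of the files so that what it reports matches what an FTP client would show.

```php
<?php
// Added example, not from the article or the WP Security Scan plugin: a command-line
// check of file permissions under a WordPress root against the usual recommendations
// (directories 755, regular files 644, wp-config.php 600 or 640; nothing world-writable).
//   php check-perms.php /path/to/wordpress
// Assumes PHP runs as the owner of the files (typical on shared hosting), so that
// stat() reflects what an FTP client would show you.

/** One finding per path whose mode differs from the expectation; empty array = all green. */
function permission_findings(string $root): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $mode = $info->getPerms() & 0777;
        if ($info->isDir()) {
            $expected = [0755];
        } elseif ($info->getFilename() === 'wp-config.php') {
            $expected = [0600, 0640];
        } else {
            $expected = [0644];
        }
        if (in_array($mode, $expected, true)) {
            continue;                             // green
        }
        // World-writable is the red dot: any other account on the server can alter it.
        $severity = ($mode & 0002) ? 'RED' : 'warn';
        $findings[] = sprintf(
            '%-4s %s is %04o, expected %s',
            $severity,
            $path,
            $mode,
            implode(' or ', array_map(fn($m) => sprintf('%04o', $m), $expected))
        );
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $findings = permission_findings(rtrim($argv[1], '/'));
    foreach ($findings as $line) {
        echo $line, "\n";
    }
    exit($findings ? 1 : 0);
}
```

Do not "fix" a red dot by giving the web server account write access to everything; that is precisely the setting that lets a compromised plugin rewrite every other file on the site.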
Hide the connection errors
During the login process, WordPress displays explicit error messages after a failure, telling the visitor whether the username is unknown or only the password was wrong. You should hide these errors with a filter in the functions.php file of your WordPress theme.
Just add the following line of code:
add_filter('login_errors', function () { return ''; });
Note that this tweak lives in the theme, so it must be applied again whenever you change theme.
Disable Windows Live Writer
Windows Live Writer is Microsoft's desktop blogging software. For compatibility with it, WordPress adds an extra line (a link to a wlwmanifest.xml file) to the header of your blog. Unnecessary if you do not use it, and one more clue that the site runs WordPress!
You can easily disable it with the Ultimate Security Checker plugin.
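The three small tweaks from the last sections (hide the version, generic login errors, drop the Windows Live Writer line) fit in one must-use plugin, which, unlike code in functions.php, survives a change of theme. The file below is an added example, our own code rather than the article's or any plugin's; the generic error message is an assumption you can reword.

```php
<?php
/*
Plugin Name: Header and login hardening (added example)
*/
// Added example, not from the article or the Ultimate Security Checker plugin. It
// gathers three tweaks (hide the WordPress version, generic login error, drop the
// Windows Live Writer manifest) into one must-use plugin in wp-content/mu-plugins/,
// so they survive a theme change, unlike code placed in functions.php.

// 1. Version disclosure: the <meta name="generator"> tag in the page head and the
//    <generator> element of the RSS/Atom feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// Core scripts and styles also carry ?ver=<WordPress version>. Strip it only when it
// equals the core version, so plugins keep their own cache-busting parameters.
$hardening_strip_core_ver = function ($src) {
    global $wp_version;
    if (is_string($src) && preg_match('/[?&]ver=' . preg_quote($wp_version, '/') . '(&|$)/', $src)) {
        return remove_query_arg('ver', $src);
    }
    return $src;
};
add_filter('script_loader_src', $hardening_strip_core_ver);
add_filter('style_loader_src', $hardening_strip_core_ver);

// 2. Login errors: one generic message whatever went wrong, so an attacker cannot tell
//    a valid username from an invalid one. This does not slow them down; rate limiting
//    is still needed on top.
add_filter('login_errors', function (): string {
    return 'Login failed. Please check your username and password.';   // assumed wording
});

// 3. Windows Live Writer manifest (<link rel="wlwmanifest" ...>). Harmless on
//    WordPress 6.3 and later, where core no longer emits the link.
remove_action('wp_head', 'wlwmanifest_link');
```

Verify with curl -s https://your-site/ | grep -i -e generator -e wlwmanifest, which should print nothing, and check the feed at /feed/ for a <generator> element.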
Check the security of your host
Let us finish with a broader security point. It is important that your host runs reasonably recent versions of Apache, MySQL (the database) and PHP; you cannot update these yourself.
Check with your provider or use a small PHP file to get this vital information.
We recommend NameCheap hosting (their business plan is great, with over 99% uptime) and it is affordable.
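Such a PHP file, as an added example rather than anything from the article: it reports the PHP, database and web server versions, but only to a logged-in administrator, and it should be deleted after one use. The minimum versions it compares against are assumptions for illustration; check them against the current WordPress requirements.

```php
<?php
// Added example, not from the article: a small PHP file that reports the versions of
// PHP, the database server and the web server. Put it in the WordPress root, open it
// once while logged in as an administrator, then DELETE it. The minimum versions are
// assumptions for illustration; compare them with the current WordPress requirements.

require __DIR__ . '/wp-load.php';

// Only administrators get an answer; everyone else sees a bare 403. Without this check
// the file would hand the same fingerprint to anyone who stumbles on it.
if (!current_user_can('manage_options')) {
    status_header(403);
    exit;
}

const MINIMUM_VERSIONS = ['PHP' => '7.4', 'Database' => '5.7'];   // assumed thresholds

/** Returns name => ['version' => ..., 'ok' => bool|null] using version_compare. */
function check_stack(array $versions, array $minimums): array
{
    $result = [];
    foreach ($versions as $name => $version) {
        $min = $minimums[$name] ?? null;
        $result[$name] = [
            'version' => $version,
            'ok'      => $min === null ? null : version_compare($version, $min, '>='),
        ];
    }
    return $result;
}

global $wpdb;
$versions = [
    'PHP'        => PHP_VERSION,
    'Database'   => $wpdb->db_version(),                      // numeric part only, MariaDB included
    'Web server' => $_SERVER['SERVER_SOFTWARE'] ?? 'unknown',  // e.g. "Apache/2.4.57 (Debian)"
    'WordPress'  => get_bloginfo('version'),
];

header('Content-Type: text/plain');
foreach (check_stack($versions, MINIMUM_VERSIONS) as $name => $r) {
    $verdict = $r['ok'] === null ? '' : ($r['ok'] ? '  OK' : '  TOO OLD');
    printf("%-11s %s%s\n", $name . ':', $r['version'], $verdict);
}
```

If the web server line reads only "Apache" with no number, the host has set ServerTokens to hide it; that is a good sign, and you then have to ask them directly.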
