Saturday, 5 March 2016

How to secure WordPress websites?



No one like their website is hacked by someone else. Securing a WordPress website is not an easy job. In this article we will see how to secure our WordPress website and what are steps we need to take if our website is hacked.

What types of WordPress websites / activities - will hacked easily?
  1. If you have lots of vulnerabilities available on your site, then your website is 90 to 100% chance to hack
  2. Poor password like your pet name, phone numbers, easily guessing passwords (car number, lucky number)
  3. If you didn't have HTTPS on your website URL.
  4. robots.txt file enabled on your site
  5. Uploading your files without scanning by Virus scanner
  6. Sharing passwords to others without proper guidance
  7. Using same password for long time
  8. Installing FREE and unauthorized plugins, themes
  9. Forget to changing passwords often.
  10. Forget to changing passwords after the development (cpanel, wp-admin)
  11. Forget to update security patches on theme, plugin, WordPress.
  12. Social Engineering -> Some of them will talk with you at social media or somewhere else, And getting your password from your speech. 
  13. Poor Web hosting, and not updating hosting security patches
  14. Showing your domain details.(whois.com, you can find domain details, So hide or secure them when registering domain)
  15. Bad encryption system at your database password
  16. Using WordPress files in the same folder, You can separate them some other sub folder.
  17. Giving full access permission to all files
  18. WP_DEBUG is enable after the development
  19. Allowing spam comments on your post and page.
  20. Disabling firewall
  21. Accessing your WordPress admin at FREE wifi network, or some poor networking system
  22. Giving direct wp-admin link. You can use  or set alternate link instead of wp-admin.
  23. Themes and plugins which is developed security not in mind.
How to avoid and secure your WordPress website:
  1.  Always place your files at good hosting companies
  2.  Keep one copy of your site files on your hardisk
  3.  Install this plugin "Wordfence Security". It helps to protect your WordPress site.
    Link: https://wordpress.org/plugins/wordfence/
  4. Limit access control - wp-admin
  5. Do not use untrusted plugins and themes
  6. Use hard or complex passwords. Change it every month or two weeks
  7. Be clean your computer with virus scanner. Scan whenever you need.
  8. Don't compromise to update WordPress, themes, plugins.
  9. If find any bugs, please report it here .
  10.  Find your webserver and network vulnerabilities, try to resolve them as soon as possible.
  11. Use SFTP to send files.
  12. Give proper file permissions. Don't compromise with permissions
  13.  Change your default admin URL.
  14.  Put your WordPress files on separate folder.
  15. Disable file editing with the following code.
    define('DISALLOW_FILE_EDIT', true);
  16. Use some good firewall plugins like iThemes Security, All in One WP Security, WordFence, Sheild 
  17. Do not allow any unauthorized access to your Cpanel, FTP, wp-admin, Database.
  18. Do not access your Cpanel/Admin at different computers, public places, browsing center. 
  19. Disable debug code at wp-config (set as false)
  20.  Monitor your website through security plugins
  21. Learn about social engineering, it helps you how they are getting passwords from you.
  22. Care  PHP and WordPress version. If there any updates and conflicts, do it properly.
  23. Learn something about hackers, intruders, crackers.


No comments:

Post a Comment