How To Avoid Your WordPress Website Being Hacked
Whether or not you already use security measures on your website or blog, the fact of the matter is that online security is a very real issue, and many people forget to update it or even to add it to their blog or website, which can mean disaster if you are not careful. Nowadays there are many hackers and spammers out there trying to make a few bucks from your misery; some even destroy other people’s websites because they think it’s fun to do. Well, let me tell you, it is not fun if you are on the receiving end of it!
Losing your blog’s or website’s content can destroy a business, a reputation or just the online presence you have been trying to scale up; imagine having a blog with hundreds of posts, comments and even affiliate links, only to find that it has been destroyed the very next day! Not a nice feeling. However, there are ways of making your website’s security much stronger than before. You can add plugins, update your blog’s framework; basically there are many ways of going about securing your blog or website. So to help you out I have written this short but informative article. I hope it helps some of you out.
This post was put together by myself, of course, but also by my genius blogging friend Julius, who runs And Break! Check out his blog for many great tips.
Back Up Your Blog
Before making any changes to your blog, be sure to back it up. The problem with most of the free plugins is that they don’t back up all of your data. For example, if your WordPress blog gets deleted and you restore the backup from a free plugin, you will still have lost a lot of your data, such as the images, as they are not backed up by these plugins. That’s why I would recommend using Backup Buddy, which backs up your complete WordPress blog and lets you easily restore it at a later point in time.
If you have concerns as to whether your blog could get hacked then be sure to take a look at Backup Buddy.
Use Strong Passwords
Strong passwords are essential for high-privileged users such as administrators. Without them your blog will be vulnerable to brute force attacks: attacks in which the attacker tries to guess the password by going through lots of user name and password combinations. If you use secure passwords, the chances of a successful brute force attack become extremely low.
Here are some tips as to what secure passwords should include:
- use at least 1-2 numbers
- use upper and lower case characters
- use special characters such as !@#…
You should also not use passwords such as your birth date or your hobbies. These kinds of passwords are very insecure, since hackers can find personal information easily.
Another important step you have to take is to use lots of different passwords. It is nice to have just one single password and access everything through it, but imagine what happens if someone learns this password: they can basically access all your accounts.
For that reason, use lots of different passwords.
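The checklist above can be enforced on the blog itself rather than left to each user. The following is an added example, not code from the original post: it rejects a new password that breaks the rules when a user sets or changes it in the WordPress profile screen. It assumes it is placed in functions.php or a small plugin; the wpsec_* names and the 12-character minimum are our own choices, not something the post specifies.

```php
<?php
// Added example (not from the original post): enforce the password rules listed above
// when a password is set or changed on the WordPress profile / new-user screens.
// Assumptions: lives in functions.php or a plugin; wpsec_* names and the 12-character
// minimum are ours.

// Returns the list of rules the password fails; an empty array means it is acceptable.
function wpsec_password_problems($password, $user_login = '') {
    $problems = array();
    if (strlen($password) < 12) {                       // assumed minimum length
        $problems[] = 'at least 12 characters';
    }
    if (preg_match_all('/[0-9]/', $password) < 2) {     // "at least 1-2 numbers"
        $problems[] = 'at least two digits';
    }
    if (!preg_match('/[a-z]/', $password) || !preg_match('/[A-Z]/', $password)) {
        $problems[] = 'both upper and lower case letters';
    }
    if (!preg_match('/[^A-Za-z0-9]/', $password)) {     // "special characters such as !@#"
        $problems[] = 'a special character such as !@#';
    }
    // The user name is the first thing a guesser tries, so it must not appear in the password.
    if ($user_login !== '' && stripos($password, $user_login) !== false) {
        $problems[] = 'no occurrence of the user name';
    }
    return $problems;
}

// WordPress fires this hook before saving a profile. $user->user_pass holds the new
// plain-text password only when one was entered, so profile edits without a password
// change pass straight through.
add_action('user_profile_update_errors', function ($errors, $update, $user) {
    if (empty($user->user_pass)) {
        return;
    }
    $login = isset($user->user_login) ? $user->user_login : '';
    $problems = wpsec_password_problems($user->user_pass, $login);
    if ($problems) {
        // Adding an error makes WordPress refuse the save and show this message.
        $errors->add('wpsec_weak_password',
            'Password rejected. It needs: ' . implode('; ', $problems) . '.');
    }
}, 10, 3);
```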
Keep Up with Patches and Updates
This is another vital step in securing your blog. Patches and updates are created in order to fix security holes and to add to the software’s functionality. There is no reason not to install them.
You should also keep yourself informed about changes in WordPress and about vulnerabilities in general. I therefore advise you to follow these two feeds:
The first one is the WordPress development feed where new releases and latest updates for WordPress are posted. The other is the feed from BlogSecurity.net. These guys often post vulnerabilities existing in plugins or in WordPress.
Use SSH instead of FTP
FTP in general is not as secure as people think it is. Your FTP credentials are usually not encrypted and are easy to capture.
A much more secure alternative to FTP is SSH. SSH encrypts all the data sent through it, including files. Read this story and you might change your mind about using FTP to upload!
Use Supported WordPress Themes
Most people think that WordPress themes themselves don’t pose a security risk, but some do, because not every web developer knows how to write secure code.
For this reason it is good to stick with a theme that is supported and updated from time to time. Supported WordPress themes are generally available for some money, but it’s better to be safe than sorry. These paid themes are called premium themes. Such themes are offered by web sites such as Woo Themes or Thesis.
Another advantage about professional templates is that when you run into trouble, you have a place that you can turn to.
Scan Plugins for Viruses After Download
Today you can so easily download plugins and install them within seconds on your blog. But you have to be careful with what kind of extensions you download. Plugins can contain malicious code. Because of this it makes sense to scan for malware right after downloading them.
You especially need to do that with plugins that you downloaded from places other than the WordPress plugin directory.
For this task it’s best to use anti-virus software. Newer operating systems automatically check for viruses after downloading files. If you use an old operating system I would recommend scanning your download directory maybe once a week or right after downloading new files.
Change the Database Table Prefix
In order to make your database more secure you should change your database table prefix. The default prefix is wp_ and it should be changed to something different, something more complicated and harder to guess like 5rt30k_.
That’s where WP Security Scan is useful, since it will do this for you. You should install WP Security Scan anyway, as it will show you potential security risks on your blog.
Limit Access to the Wp-Content Directory
Wp-content is an important WordPress directory. Users should only be able to access certain file types within this directory: pictures (.jpeg, .gif, .png), JavaScript (.js), CSS (.css) and XML (.xml).
It therefore makes sense to prohibit access to all other types of data. The code below allows access to pictures, JavaScript, CSS and XML files but denies access to everything else. Place it in the .htaccess file within the wp-content folder.
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
That’s all you need to do.
Secure wp-config.php
Wp-config.php is a very important file since it contains all the access information and keys that are vital to securing your blog. We can secure the file by adding these lines to the .htaccess file in the WordPress root directory (where the wp-config file is):
# protect wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all
</files>
This code denies everyone access to the wp-config.php file.
No Directory Browsing
Another vital change concerning WordPress security is to prohibit people from browsing your website’s directory structure. If you want to see what this looks like just enter “index of” into Google and Google will list all the web sites that allow the browsing of directories.
In order to stop this behavior all you have to do is add the line of code from below to your .htaccess file in the root directory of WordPress.
Options All -Indexes
This will stop the behavior once and for all.
Keep Search Engines from Indexing the Admin Section
Search engine crawlers index almost all content unless they are told not to. Having your admin section indexed in search engines can be a major security threat.
Therefore it is good to just keep crawlers away from all WordPress directories. The easiest way to do it is to create a robots.txt file in your root directory. Then place the following code in the file:
User-agent: *
# Disallow matches by prefix, so this covers wp-admin, wp-content and wp-includes
Disallow: /wp-
Secure Your Plugin Directory
The plugins you use can tell a malicious user a lot about your web site, so it is wise to hide them.
You can easily hide the plugins. First of all, open up a text editor and just create an empty file named index.html (an empty index page stops the web server from listing the directory’s contents). Then upload this file to your wp-content/plugins/ directory.
Delete the Default Admin Account
By deleting the admin account, malicious users do not get to know your user name so easily. As every WordPress installation comes with an admin account, hackers have an easier time breaking into your blog if you keep it, since they already know the user name.
You cannot delete your administrator account right away if you do not have a new admin account, so follow these steps:
- Create a new administrator account (with a user name that’s harder to guess)
- Log out
- Log in using the new administrator account and password
- Delete the old account
Change Default Access Rights for Users
The default access rights are pretty secure, but if you want to be on the safe side and have more control over the rights each user on your blog has, then this is essential.
It is pretty simple to set it up. All you have to do is:
- Download the Role Manager plug-in
- Upload it to your WordPress blog
- Activate it
Then go to the Users section of your blog. There you can set up the Role Manager plugin to suit your needs.
Delete Inactive User Accounts
Inactive user accounts are annoying and also a security risk. Some people choose weak passwords when they sign up for your blog. If the account is inactive but still on your blog, malicious users could use this account to get access to your blog.
Therefore the best thing to do is to just delete inactive user accounts in WordPress (though you need to ensure that it doesn’t break anything). In order to do that go to your WordPress dashboard and click on Users. This takes you to the page where every user will be listed.
Then go ahead and delete the ones you know are inactive.
Add WordPress Authentication Keys to wp-config.php
Adding WordPress keys is another important security measure. These keys should be random and work as salts for WordPress cookies, thereby better securing the user data stored in them.
Use the WordPress Key Generator to generate these keys and replace the lines below in wp-config.php with the generated ones:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
That’s actually all you have to do.
Install a WordPress Firewall
There is a plugin called WordPress Firewall 2 which protects your blog from malicious hackers. It alerts you whenever someone is trying to hack your blog and, of course, also blocks the attempt.
The problem with this plugin is that it does its job too well: it usually also blocks you from making changes to your blog. If you edit your WordPress theme file and then click Save, the Firewall plugin will block it. This also happened to me when using the Smush.it plugin manually.
This is extremely annoying, but at least it shows you that the plugin indeed works. The only thing you can do if you want to edit files like these is to disable the plugin and re-enable it later.
Drop the WordPress Version String
<meta name="generator" content="WordPress 2.5" />
The version string that WordPress automatically adds to your theme is important because it tells a malicious user whether a blog is patched or not. If it is an outdated version, the attacker will immediately start looking for security holes that were made public for that specific WordPress version.
WordPress usually adds this version string to your theme automatically. The line of code below tells WordPress not to add the version string to your header. All you have to do is add it to your functions.php file.
<?php remove_action('wp_head', 'wp_generator'); ?>
Now take a look at the source code of your web site. If the generator meta tag is still there, check whether your header.php contains a line like this:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
If that’s the case then go ahead and delete it.
Use HTTPS When Logging in to Your Dashboard
HTTPS is the secure version of HTTP. When using HTTPS your data, i.e. passwords and user names, are not sent in clear text; instead they are encrypted. This makes it much harder for people to intercept and decode your password and user name.
If you want to use HTTPS when logging into your WordPress dashboard, add the line below to wp-config.php.
define('FORCE_SSL_LOGIN', true);
The line above forces WordPress to use SSL when logging into your administration panel, but only when logging in. It does not enforce the use of SSL while you are using your dashboard.
Instead of doing this manually you can also just add a plugin like WordPress HTTPS (SSL).
Block Access Attempts to wp-admin Directory
The wp-admin folder is one of the most important directories on your blog. You can access your dashboard through it. Blocking other people from accessing this directory is an essential step in securing your blog.
You can do this by creating an .htaccess file in the wp-admin directory. Add the code below to it, but change the IP addresses to your own. If you don’t know what your IP address is, just visit WhatIsMyIP.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from 64.233.169.99
# whitelist work IP address
allow from 69.147.114.210
allow from 199.239.136.200
It does not make sense to use this code if you have lots of people writing on your blog, especially if they change constantly. The problem is that you always need to add or delete IP addresses based on who needs access to your blog at the moment.
Another drawback is when your Internet provider assigns you a dynamic IP address, meaning that your IP address changes constantly. If that’s the case, don’t add the code to the .htaccess file.
Restrict the Number of Failed WordPress Login Attempts
Restricting the number of failed attempts prevents attackers from using brute force techniques on your WordPress account. A brute force attack is an attempt to find out the user’s password by trying every single possible password.
As a countermeasure there are plugins that automatically ban a user for an hour if he got the password wrong three times in a row. Login Lockdown is one of these WordPress plugins.
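The same policy (three wrong passwords in a row, then a one-hour ban) can be implemented directly with WordPress hooks. This is an added example, not code from the original post or from the Login Lockdown plugin; it assumes it is placed in functions.php or a small plugin, keys the counter on the user name plus the client IP, and stores state in WordPress transients. The wpsec_* names are our own.

```php
<?php
// Added example (not from the original post or Login Lockdown): lock a user name /
// client IP pair out for one hour after three consecutive failed logins.
// Assumptions: lives in functions.php or a plugin; wpsec_* names are ours.

define('WPSEC_MAX_FAILURES', 3);
define('WPSEC_LOCKOUT_SECONDS', HOUR_IN_SECONDS);

// One counter per (user name, client IP). REMOTE_ADDR is the connecting address;
// behind a reverse proxy it would be the proxy, so adjust the key source there.
function wpsec_lockout_key($username) {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    return 'wpsec_fail_' . md5(strtolower($username) . '|' . $ip);
}

// Count each failure. The transient expires after the lockout window, so "in a row"
// means within that window; every further failure refreshes the expiry.
add_action('wp_login_failed', function ($username) {
    $key = wpsec_lockout_key($username);
    $failures = (int) get_transient($key) + 1;
    set_transient($key, $failures, WPSEC_LOCKOUT_SECONDS);
    if ($failures >= WPSEC_MAX_FAILURES) {
        $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '?';
        error_log(sprintf('wpsec: lockout for user "%s" from %s', $username, $ip));
    }
});

// Priority 40 runs after the core password check (priority 20), so this verdict
// replaces whatever core decided: a locked pair is refused even with the right password.
add_filter('authenticate', function ($user, $username) {
    if ($username === '') {
        return $user;
    }
    if ((int) get_transient(wpsec_lockout_key($username)) >= WPSEC_MAX_FAILURES) {
        return new WP_Error('wpsec_locked_out',
            'Too many failed login attempts. Try again in an hour.');
    }
    return $user;
}, 40, 2);

// A successful login clears the counter for that user name / IP pair.
add_action('wp_login', function ($user_login) {
    delete_transient(wpsec_lockout_key($user_login));
});
```

Because the lockout error is returned through the authenticate filter, WordPress also fires wp_login_failed for it, which keeps extending the window while someone keeps hammering the login form.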
Hide Dashboard Log-In Errors
Have you ever noticed that when you try to log in with an existing user name and a wrong password you get a message saying Error: Incorrect Password? If you log in with a non-existent user name and some password, a different message shows up, reporting Error: Invalid Username.
This helps malicious users figure out which user names exist.
Therefore I advise you to add the following line to your functions.php file:
// Anonymous function instead of create_function(), which PHP 8 no longer provides.
add_filter('login_errors', function ($error) { return null; });
Every time an error occurs now, a blank line will appear instead of the message. Try it out.