How to keep your WordPress site secure

Why is WordPress security so important? Well, it’s simple: your reputation depends on it! If you run an e-commerce site and it’s hacked, you could lose valuable customers and, of course, money. Web hosts are also likely to suspend hacked accounts, taking your site offline.

You naturally don’t want to waste time cleaning up your site after a hack, or chasing your hosting company while your site is down.

WordPress provides free, open and endless options for extending functionality through plugins, themes and widgets, and that same openness is what makes it prone to hacks. Anyone can explore the core code or search through any of the popular themes and plugins for weaknesses, and every extension we install is another place where we expose our site to attack.

Let’s dive in and learn how to keep your WordPress site secure.

What makes WordPress vulnerable?

There are a few conditions that account for every successful hack of a WordPress-powered site:

1. Web host security breach

Web host security comes down to which host you choose and what kind of services they provide. Consider speed, backup solutions, server type and security when choosing a host for your WordPress site.

Hide the WordPress version number

Each new WordPress release makes the weaknesses of the previous versions public knowledge, so a site that advertises an older version is an easier target. A basic precaution is to remove or hide the version number that your WordPress installation displays.

2. Unsafe WordPress plugins/themes

Because WordPress is open source, many plugins and themes are distributed under the GNU General Public License, so it is easy for third-party plugin and theme sites to redistribute them with hidden malicious code added: code that may plant a virus, insert hidden backlinks or even redirect your WordPress site.

Choose safe themes and plugins

When using free plugins, research the author and download the plugin files only from the author’s site or from the WordPress plugin repository.

  • Ask for advice on the safety of a plugin or theme from a trusted WordPress community or the WordPress support forums.
  • If you’re going to use free plugins and themes, check the version compatibility listing and verify that the plugin or theme is still supported and updated. Many free themes and plugins are slow to receive updates or are simply abandoned.
  • If you are not using a particular plugin or theme, remove it. Unused themes and plugins can still harbour vulnerabilities, so it’s better to delete them than to leave them installed but inactive.
  • Lastly, and arguably the best way to protect yourself from weak or malicious code, is to use paid, supported themes and plugins.

3. Outdated WordPress core

Always keep a backup of your WordPress site before updating it. With a trusted server and an up-to-date version of WordPress, your site should be secure. Limiting file access permissions is a good way to ensure that only the right people can access the files on your server.

The wp-config.php file in the root directory of your site stores information about your site as well as your database details. If a hacker gets hold of this information, there’s nothing to stop them from manipulating the content of your whole site.

You can easily block access to the file by adding a few short lines of code to your .htaccess file.

These code snippets should be placed just after the line “END WordPress”.

Another measure you could try is whitelisting your own IP address so that nobody else can reach the WordPress dashboard. Whitelisting only works if you have a static IP address that you always work from, or a static IP that you have set up as a fixed entry point to work through.

Blacklisting is the reverse of whitelisting: it allows access for all users and denies access only to specific IP addresses. This comes in handy if hacking attempts on your site are coming from one specific IP address.
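The three .htaccess measures described above (locking down wp-config.php, whitelisting one IP for the login page, and blacklisting a hostile IP) as a single added example, written for this article rather than taken from it. It assumes Apache 2.4 (Require-style directives), that .htaccess overrides are enabled on your host, and uses the documentation addresses 203.0.113.10 and 198.51.100.25 as placeholders for your own static IP and the attacker’s.

```apache
# Added example for this article, not the author's snippets. Assumes Apache 2.4
# with AllowOverride enabled. Place it in the site-root .htaccess just after the
# "# END WordPress" line so WordPress does not overwrite it when it rewrites
# its own rules block.

# 1. wp-config.php is only ever read by PHP on the server; no browser request
#    for it is legitimate. Deny every request for it (and for .htaccess itself).
<FilesMatch "^(wp-config\.php|\.htaccess)$">
    Require all denied
</FilesMatch>

# 2. Whitelist: only the static IP you work from may load the login page.
#    203.0.113.10 is a placeholder (documentation range); use your own address.
#    Everyone else is locked out of wp-login.php, so only enable this if your
#    IP really is static.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>

# 3. Blacklist: the reverse policy. Everyone is allowed except the listed
#    address (198.51.100.25 is a placeholder for an IP seen attacking you).
#    Attackers change addresses easily, so treat this as a stop-gap, not a cure.
<RequireAll>
    Require all granted
    Require not ip 198.51.100.25
</RequireAll>
```

Test the whitelist from a second network before relying on it: with a wrong address the rule locks you out of the login page and has to be removed via FTP or your host’s file manager.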

4. Brute force attack

A brute force attack is a trial-and-error method that uses software built specifically to crack your password by trying guess after guess. If a guess succeeds, your entire site becomes exposed to malicious activity, depending on the permissions of the compromised account.

  • If it’s an administrator account, the hacker has complete access to upload and download your information, destroying your site and making you and your users susceptible to identity theft.
  • To avoid such attacks, first make sure that each user on your site creates a unique username.
  • When WordPress is installed by a script or some kind of automatic installer, the site’s administrator is typically given the username admin. Make sure your administrator account’s username is not admin, as it is easily guessed by hackers.
  • It’s important to create a secure password. For the most secure password, use a password generator, which builds passwords by randomly selecting letters, numbers and symbols. This combination helps ensure your password is harder to crack.

5. WassUp WordPress Plugin

This WordPress plugin can monitor malicious activity such as code and SQL injection attempts. WassUp detects and omits referrer spammers and comment spammers. It also detects and records unauthorized login attempts, script injection and other exploit attempts. Note that the plugin only records exploit attempts; it does not block them or protect your site. You need a separate security plugin for that.



Author at onlineshouter
Christine writes for people who seek knowledge about SEO, blogging, online marketing, gadgets and web apps.