These days, WordPress-site hacking is becoming very common. Although this shouldn’t make you doubt WordPress (mind you, any site is prone to hacking, whether it runs on WordPress or anything else), you should treat it as a wake-up call: everyone on the Internet should pay more attention to the security of their websites.
Hackers usually exploit a bug as a backdoor, and that bug may be in a WordPress plugin or theme you use or in the WordPress engine itself. Here we have listed several tips on securing your WordPress site against hacking and malware:
- Use a strong password
Usually people use too simple a phrase for their password, such as a phone number, a birthday, or a name. Worse still is a word that is listed in a dictionary. Hackers have a technique named ‘brute force’: they try every possible phrase from the dictionary to guess your WordPress password. So the best password is a non-dictionary phrase or a combination of numbers and letters like `th1s-p4ssw0rd`.
- Modify the .htaccess file
Modifying the `.htaccess` file may be dangerous if you do it without knowledge: your site may stop functioning because of an error you make, so make sure you already have a backup before doing this. For some hosting, like Yahoo.com, the `.htaccess` file is forbidden and cannot be created, deleted or modified. If your site is hosted on such a service, you cannot follow these steps. Create a new `.htaccess` file in your `wp-admin` folder like the one below. What it does is whitelist specific IP addresses and allow only them to reach your WordPress Dashboard; access is denied from every IP address not listed in the `.htaccess`
file. Unless the hacker accesses your Dashboard from your home or office, this method will help a lot. Note that `Order`, `Deny` and `Allow` are Apache 2.2 directives; on Apache 2.4 they need `mod_access_compat`, otherwise the equivalent is a `Require ip` rule.

```apache
AuthType Basic
order deny,allow
deny from all
# your home IP address
allow from xxx.xxx.xxx.xxx
# your office IP address
allow from yy.yyy.yyy.yyy
```

- Change the wp-admin URL
WordPress has a feature to “mask” the URL of the `wp-admin` folder. If your domain is `example.com`, hackers will, by default, first try `example.com/wp-admin` to access your Dashboard, because that’s where WordPress keeps the admin files. However, WordPress allows you to access your Dashboard from a different URL: you will have one URL publicly used to access the contents of your site and another one to access your WordPress Dashboard. Let’s say `example.com` is your site’s URL and `example.org/wp-admin` is your `wp-admin` URL.
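Before uploading a `wp-admin/.htaccess` like the one in the previous tip, it helps to check which client addresses it actually admits, since a wrong `Order` line is exactly the kind of mistake that takes your own Dashboard down. The following Python checker is an added example, not code from the original post: it evaluates Apache 2.2 `Order`/`Deny`/`Allow` rules the way `mod_access_compat` does, and goes beyond the post's fixed addresses by also handling CIDR ranges, dotted prefixes and the `Order allow,deny` case; the sample rules and the 192.0.2.x / 198.51.100.x addresses are constructed.

```python
import ipaddress
import re

# Constructed sample mirroring the wp-admin/.htaccess above; 192.0.2.x and
# 198.51.100.x are documentation ranges (RFC 5737), not real hosts.
SAMPLE_HTACCESS = """
AuthType Basic
order deny,allow
deny from all
# your home IP address
allow from 192.0.2.10
# your office IP address
allow from 198.51.100.0/24
"""

# Same rules with the Order reversed: a common mistake that locks everyone out.
LOCKOUT_HTACCESS = SAMPLE_HTACCESS.replace("order deny,allow", "order allow,deny")

def _matches(client, pattern):
    """Apache host pattern: 'all', a full address, CIDR/netmask, or a dotted prefix."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        return client in ipaddress.ip_network(pattern, strict=False)
    if str(client) == pattern:
        return True
    return str(client).startswith(pattern.rstrip(".") + ".")  # e.g. "192.0.2"

def evaluate(htaccess, client_ip):
    """True if Apache 2.2 Order/Deny/Allow rules (mod_access_compat) admit client_ip."""
    client = ipaddress.ip_address(client_ip)
    order, allowed, denied = "deny,allow", False, False
    for raw in htaccess.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments
        m = re.match(r"(order|allow|deny)\s+(?:from\s+)?(.+)", line, re.I)
        if not m:
            continue                                   # AuthType etc. are ignored
        directive, args = m.group(1).lower(), m.group(2).split()
        if directive == "order":
            order = "".join(args).lower()
        elif directive == "allow":
            allowed = allowed or any(_matches(client, p) for p in args)
        else:
            denied = denied or any(_matches(client, p) for p in args)
    if order == "deny,allow":
        return allowed or not denied      # Allow evaluated last: a match overrides Deny
    return allowed and not denied         # Allow,Deny and Mutual-failure: Deny wins
```

`evaluate(SAMPLE_HTACCESS, "203.0.113.5")` returns False for an unlisted address, while `evaluate(LOCKOUT_HTACCESS, "192.0.2.10")` also returns False, showing how the reversed `Order` shuts out even the home address.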
- Create a redirect file
If you go to `http://www.your-site.com/wp-includes`, you will see an open folder listing, and this is definitely not safe. You need to create a redirect file in order to forward visitors who access that URL to your main home page. If you ask yourself who in the world would access that URL: well, hackers would. To redirect visitors away from that URL, simply create a new file named `index.html` in that folder and put this code in it:

```html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<!-- send the visitor straight to the home page -->
<meta http-equiv="refresh" content="0;url=http://www.your-site.com/">
</head>
<body></body>
</html>
```

- Do a daily back-up
Create a backup of your themes and your SQL database daily. If your site is hacked, you can restore it through FTP, cPanel, or, usually, an app available in your hosting admin interface. Hackers usually target the `index.php` file of your WordPress theme and also the `wp_users` and `wp_usermeta` tables in your SQL database so they can change an administrator username and/or create a new one.
- Update your WordPress copy
Always update your WordPress copy whenever an update is available. It only takes a click!
- Do a clean upload
Make sure that any files you upload are free of viruses. Not only might you infect other files on the server (this becomes very complicated in a shared hosting environment), the infected file will be flagged by Google and a red warning page will be displayed when your site is accessed. You’re simply telling visitors to go away. You don’t want this, do you?
- Install a security plugin
The WordPress community also provides several security plugins that will help you protect your site. These plugins work on your site’s backend. This is a plugin that we really recommend.
- Don’t use an outdated plugin
If you want to use a plugin, check it and download it from WordPress.org rather than from your WordPress dashboard. The WordPress.org plugin pages always notify you when a plugin is outdated.