How to Keep WordPress Secure

1 – How to Secure WordPress – WordPress Security

Well, you will have detailed information about how to secure WordPress, after reading through this article. You will definitely be able to make your WordPress website or blog nearly impossible to be hacked. The hackers will find it a hard target to get control of the back-end of your website or blog.

A true hacker, that is a master of 01000100 tricks, still has abilities to get control of your website. However, most of the script kiddies can be kept away from your perimeter by following this guide that can ultimately minimize the chances of suffering from any hacking attack. Well, I don’t claim to be a guru but have plenty of experience in this field that has been learned though seeing my websites, which have been playgrounds for:

  • Sneaky redirects
  • Cloaking
  • Various SQL injections
  • Clickjacking
  • Infected malware or viruses scripts
  • Injected links

Even I got my websites totally erased some of the time and hackers injected purely adult-natured content on them. Thus, I got flagged my websites numerous times only due to virus containing materials and search engines also kicked them out of rankings. It really made me thousands of dollars’ financial loss and therefore I took it as a serious matter.

I would highly recommend employing every possible counter measure at your earliest to secure your website or blog running on WordPress platform. Make it a habit of taking backup every time you have to make a change in your blog security. Skip the below mentioned step if you know how to backup, otherwise please scroll below to know this process.

 2 – File Permissions

Locking down the directories as well as files is considered as a wise step. You should withdraw writing permissions to wp-content and wp-config.php files immediately and rest of the files or directories should be writable only by you.

  • CHMOD – All files to 644
  • CHMOD – All directories to 755
  • CHMOD – wpconfig.php to 750

Well, CHMOD – wp-content can’t always be 777 and it varies on different conditions like if any plugin requires changes in this folder, a proper numerical value can be assigned manually to every directory or file requires by that plugin. Ideally 644 should be used for wp-content folder. But it will not allow a plugin to make updates in this folder. You may change permissions to 777 to allow your plugin to modify changes in the folder but please immediately revert these permissions to 644 after the plugin gets it done.

3 – MySQL Database

You must choose a different password and username for every single database in your WordPress, if you have more than one databases on the same server. If any hacker, somehow, gets into any database of your website on your server, he may have access to other websites as well and it may result in serious damage to all websites only because of same password and username. So keeping different login details for every website or database is a wise thing.

4 – WordPress Security Plugins

1 – Exploit Scanner

This is a smart plugin that searches every comment and post of your website for anything suspicious. The current active list of all your plugins is also examined by this plugin to find any unusual filename. The plugin doesn’t remove anything itself but it leaves this step on user.

2 – Secure WordPress

The installation of your WordPress gets beefed up through this plugin as it removes any error it finds on login pages. It also hides the actual version of WordPress running on your server and adds a file to plugin directories called “index.html”. Some other functions of this plugin are listed below:

  • It removes wp-version from everywhere except admin-area
  • It removes Windows Live Writer
  • It removes a directory called Really Simple Discovery
  • Theme update information that can be seen by non-admin users is also removed by this plugin
  • Plugin update information also gets removed through this plugin for non-admin users
  • Core update information also gets removed through this plugin for non-admin users
  • It also works efficiently in blocking all bad queries that could harm your website
  • It also amends scripts and stylesheets that contain version on URLs (only on frontend)
  • Backend dashboard of all non-admin users don’t get wp-version details because of this plugin
3 – WordPress Firewall

Web requests are normally investigated by this plugin with simple heuristics (specific to WordPress) just to recognize and stop any malicious attack. Though some powerful modules can also be used for this purpose but usually these generic modules don’t get installed on your server and are also difficult to manage by beginners. But several pathological-looking phrases are intelligently blacklisted and whitelisted by this plugin, based on their appearances in a page request. It actually alleviate 0-day attacks and doesn’t work towards upgrading or replacing prompt, but still can bring you a tension-free sleep at night.

4 – Block Bad Queries

Black Bad Queries plugin, which is also renowned with abbreviation BBQ, works efficiently against malicious URL requests to protect your WordPress website. Excessively long strings in URLs are carefully checked by this plugin that reduces chances of malicious attacks.

5 – Login Lock

Numerous security enhancing features can be achieved through this well-popular plugin, including:

  • It blocks IP addresses if it is involved in making excessive failed login attempts
  • It strongly monitors login attempts
  • It ensures enforcing strong selection policies while creating your WordPress admin password
  • Idle users are forcibly log out from the backend panel after a considerable number of minutes (that are specified during configuration)
  • You may forcibly log out all of your website users and also enforce them to change their respective passwords before their next login attempt
  • You can easily unblock any IP address manually which was previously blocked by this plugin
6 – AskApache Password Protect

You should not use this plugin if you are a beginner as it is purely for advanced users and therefore is optional in this list. But if you are comfortable using AskApache Password Protect plugin, then I recommend using it because another layer of protection is added by this plugin after configuration which gives you even more secure website.

5 – Securing your wp-config.php File

The security of your wp-config.php file can be improved by adding authentication salts and unique keys. The information that actually is stored by different system cookies will be encrypted by these security keys. WordPress becomes smart enough in identifying your PC because of this encrypted information. If, somehow, a hacker manages intercepting your WordPress cookies, the control over backend-panel would not be given by an efficient obfuscated cookie created by this plugin.

The following code should be inserted or added anywhere within your wp-config.php file (better putting it on top):

define(‘AUTH_KEY’, ‘_@*#^I:E’);
define(‘SECURE_AUTH_KEY’, ‘6YF0UH`Y’);
define(‘LOGGED_IN_KEY’, ‘yuM{IAjT’);
define(‘NONCE_KEY’, ‘3=kz9=1N’);
define(‘AUTH_SALT’, ‘#+Cc@48R’);

6 – Restricting Bruteforce Attacks

Bruteforce attacks are normally defined as numerous possibilities of hacking user / pass of a WordPress website. The log files over your server can be checked to view all such failed attempts. Well, “Login Lock” plugin can be your best choice in this situation as it may prevent all bruteforce attacks to become successful. The plugin blocks an IP address after making a specific number of failed login attempts.
I must recommend you using unusual symbols(like @![]\=)_+*%^)in combination of alphabets and numbers while creating your password. Choosing a proper username is also a wise thing to do because “root”, “administrator” or “admin” are the more common usernames that are targeted by bruteforce attackers. So I recommend using a different username.

Well, this setting can’t be changed within your admin panel of WordPress website and mysql tool must be used to make this change happen in your phpmyadmin area. First find the database related to your WordPress installation, then search wp-users, locate username “admin” by clicking on the browsing icon, then the word “admin” should be replaced with your new desired username written under the “user_login” column.

Create .htaccess File in WP-ADMIN

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Save the above-created file with the name .htaccess which then should be uploaded to wp-admin folder in your WordPress installation.

7 – Do Frequent Backups

Make a habit of taking frequent backups of your WordPress website and if you, somehow, don’t do this, then a serious damage or a successful hacking attempt may result in losing your website. There are number of advance as well as powerful and simple plugins that can be used for this purpose.

8 – Hacked WordPress

If you have lost your website because someone has hacked it, the first step should be “TAKING DOWN YOUR BLOG IMMEDIATELY”. You may get rid of any injected malicious code on your website by performing this step only because most of the hacks are backed or run through executable scripts. These scripts get installed with several files in your WordPress installation.

You may also prevent your readers or viewers to get affected through these malicious scripts as they may harm their computers immediately after they visit an affected page over your website. You must take your site down immediately and creating “.maintenance” file is an easiest way for this purpose. It may be created in your root path of WordPress installation. Just write the reason of taking your website down at the moment. Write some technical reason like “maintenance mode and will be live back in couple of hours”, because mentioning the word hacked may upset your visitors.

The website visitors may also be notified by renaming the existing index.php file with any other name (that doesn’t exist in the same path) and creating another index.php file. This newly created file will be carrying your message for your website visitors to explain current situation.

All the above-mentioned steps should be employed and plugins should be run. The next step should be changing everything in your MySQL, WordPress and hosting (password and username). Normally footer and / or header files contains the injected malicious codes and therefore both of these files should be thoroughly checked for such codes. Immediately remove them.

After making sure that everything has been changed and every above-mentioned step has been employed, you may put your WordPress website back into action. If the problem is still there, you must immediately go for a fresh WordPress installation.

9 – Webmaster Tools Aid

Google’s webmaster tools are the efficient way of checking crawl errors, keyword significance and malware reports. Therefore get your WordPress blog or website listed there at earliest. If you see some unusual words like pharma or adult nature words in your keyword significance reports, then consider that your site has been hacked.

Though you have been hacked but you are unaware of this fact only because your pages are appearing to you normally the same contents are appearing differently on search engines like Google. An option “Fetch you website as Google” can be used within your webmaster tools admin, it will bring you the exact picture of your website which is seen by Google search engine and you will understand that if your website is being clocked or not. Anything suspicious to your website may also be checked through having a look at your cached version in different search engines like Bing, Yahoo or Google.