Hackers. Vulnerabilities. Brute-force. Malware. Denial of service. Man-in-the-middle. Phishing. All scary words. We live in a dangerous online world!
Has your site been hacked? I have, and we’re not alone. In 2012 more than 70% of WordPress sites were vulnerable to attack, and not much has changed since. What have you done to protect your site?
In this article we’ve pulled together security tips from previous SitePoint articles, our own experience, and from around the web, and organized them in a way I hope you find useful and understandable. And most importantly, easy to act on.
All-in-one WordPress security plugins are useful (and we’ll be covering them in our next article), but security requires more than just installing a plugin and walking away. It requires a careful strategy and constant vigilance. Be proactive, not reactive. In other words, don’t assume your site is safe—work out a security plan before you are hacked!
That being said, there is no such thing as 100% security. What you can achieve is risk reduction, and find the balance (for you) between security and convenience.
Security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. What security is though is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target, subsequently getting hacked.” — codex.wordpress.org
Where should you focus your attention? In an article last year, WP White Security reported the following statistics about hacked websites:
- 41% were hacked through a security vulnerability on their hosting platform
- 29% were hacked via a security issue in the WordPress Theme they were using
- 22% were hacked via a security issue in the WordPress Plugins they were using
- 8% were hacked because they had a weak password
That’s where the holes are in your defence. Keep that in mind while you’re creating your security strategy.
OK. With all that in mind, here are 40 ways you can keep your WordPress site secure. Choose the ones that make sense for you and your site.
1. Keep WordPress Up to Date
The latest of WordPress is most likely more secure than the last one, and has less vulnerabilities. So keep it up to date—it’s a one-click operation. Make sure you back up your site first!
WordPress updates rarely cause problems, but if you like to be careful, update it on a test server first. Or, if you’d just like WordPress to auto-update itself, apply the following code to your
#Enable all core updates, including minor and major: define ( 'WP_AUTO_UPDATE_CORE', true );
2. Back Up Your Site Regularly
Make sure you make regular backups of your WordPress site. A backup of WordPress data and files can play a crucial role in an emergency. If all else fails, you won’t have to start from scratch!
Schedule your backups so you won’t forget them, and do a test restore from time to time.
- 5 WordPress Plugins for Backups and Migrations
- The Best WordPress Backup Plugins Compared
- How to Manually Backup Your WordPress Website
- Your Regular WordPress Maintenance Checklist
3. Enable SSL for WordPress Data Security
Enable SSL to secure your WordPress site. A Secure Sockets Layer encrypts all information sent to and from your site, keeping it private and preventing man-in-the-middle attacks where a third party listens in or modifies the communication between the client and the server. As a bonus it can also boost your Google PageRank.
The address of an SSL-certified site will start with an HTTPS, while a site that’s not SSL certified will begin with HTTP. It’s best to activate HTTPS before installing WordPress, but it’s possible to update your WordPress settings if you add it later. Hosting providers like SiteGround offer free SSL certificates.
4. Secure wp-config.php
wp-config.php—it’s one single location that contains a wealth of critical data regarding your database, username, and password. Only you should have access.
To deny access to this file, you should add the code below at the top of the
<files wp-config.php> order allow,deny deny from all </files>
5. Move wp-config.php
wp-config.php file into the folder above your WordPress installation. This will make it inaccessible to anyone using a browser, meaning a cracker has less chance of locating it.
6. Hide the WordPress Version Number
Some versions of WordPress have known vulnerabilities. Someone familiar with those vulnerabilities can discover which version you’re using because it’s shown in the HTML head of every page.
Remove that information by adding the following line to your theme’s
You should also remove the
readme.html file, which also contains the WordPress version number.
7. Remove WordPress References from Your Theme
Someone will only try to hack WordPress if they know you’re using it. So keep it a secret! Remove all references to WordPress from your theme files.
Find and delete the references from the
header.php that look like this:
<meta name="generator" content="WordPress" />
8. Disable PHP Error Reporting
Hackers can use error messages to their advantage. For example, an error from a theme or plugin might display your server path.
To disable error reporting, add the following code to your
error_reporting (0); @ini_set ('display_errors', 0);
9. Change the Default Secret Keys
When you install WordPress, four secret keys are written to your
wp-config.php file. They improve encryption of information stored in the user’s cookies and make it harder to crack your password.
Use WordPress’ Secret Code Generator to get some new keys, and copy them into your
Continue reading %40 Ways to Keep Your WordPress Site Secure%