Security Methods for WordPress, Prevent Hacking your Website (Part 1)
Below are 20 effective security methods for a WordPress blog that you should use. They will help you prevent your website from being hacked and avoid losing control of the website or its data.
These 20 security methods are aimed at WordPress websites. Each method enhances website security in its own way; however, they work best when combined.
You can easily implement them even if you’re a newbie. If you don’t know how to do something, or you encounter difficulties or errors at some step, don’t hesitate to contact us for help.
In this part 1, we begin with 10 simple but effective security methods for WordPress (WP security tips):
Explore more: Security Methods for WordPress, Prevent Hacking your Website (Part 2)
1. Don’t set your account name as “admin”
When hackers plan an attack on WordPress websites, “admin” is the username they would choose.
It was the default WordPress username for many years until WP version 3.0, when you were finally able to choose your own username during the installation process.
In reality, the majority of hosting companies nowadays show you how to install WordPress with just 1 click, using installers like Softaculous or Fantastico De Luxe, which provide options for choosing your username. You are advised to choose something other than “admin” as your username.
2. Set a strong password
As with the username “admin”, a password that is too simple is easily attacked by password-guessing methods such as a Brute Force Attack, which reveals your login details after a certain period of time.
The best option is to set a password that includes uppercase and lowercase letters, numbers and special characters (you should use a general password when installing and setting up the theme). You don’t have to worry about memorizing the password, since you can use software such as LastPass or Sticky Password to save it and log in automatically the next time.
3. Don’t save login information on the browsers and change your password once in a while
Letting Chrome, Firefox or Safari save your password has the advantage that you don’t have to type your username and password the next time you log in, but it also comes with some weak spots.
If your computer is used by many people, or you lend it to someone, they can steal the account (username and password) you saved earlier in just a few simple steps, not to mention that browsers have security holes or vulnerabilities that can be exploited.
As a result, you can lose access to your website or hosting at any time. So don’t save login information in the browser, and change your password once in a while if necessary.
4. Continuously update WordPress, Theme and Plugins to the newest version
Another vital piece of advice is to update the themes, plugins and WordPress version you are using to the newest version. Old versions might have errors and vulnerabilities. Punctual updates can help you avoid such risks.
Updating them (themes, plugins and the WordPress version) is simple: whenever a new version is available, a notification is displayed when you log in to the dashboard. Choose update and it will automatically update to the new version.
5. Choose trustworthy hosting
For a WordPress website there are a lot of hosting options to go for, such as Free Hosting, Shared Host, VPS, Dedicated Server, etc.
If you are using a shared host, it is important to pick a reliable hosting provider with the best warranty. Because shared host packages are all located on one server, one website being affected by malicious code will likely lead to other websites on the server being affected via the Local Attack method. However, with hosting providers that use CloudLinux OS, such as StableHost, Hawkhost, etc., you don’t need to be concerned about this, because every user has their own virtual file system, which is not affected when the server is under attack.
Although there are many hosting providers, you should choose trustworthy and secure ones. You can use Google to search for providers and review their products and services before deciding to buy, which can help you avoid buying from unverified providers with just a few users.
6. CHMOD for files and folders
The first file that needs protecting is wp-config.php, because this file saves your login and database information. If you rarely edit this file, CHMOD it to 444 or 440 (if you want to edit it, change it to 644).
If you want to go further, CHMOD the wp-admin and wp-includes folders to 101. Other files can be set to 644, and folders to 755.
To CHMOD files and folders, go to the File Manager section in your hosting control panel and choose Change Permission.
Note: avoid setting files and folders to 777.
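One way to check an existing site against the modes listed in this section, as an added example that is not part of the original article: a read-only POSIX shell function that lists every entry deviating from those values. It assumes shell (SSH) access to the host instead of the File Manager, and audit_wp_perms is a hypothetical name.

```sh
#!/bin/sh
# Added example: report entries whose mode differs from the values in section 6.
# Read-only; it never changes permissions. audit_wp_perms is a hypothetical name.
audit_wp_perms() {
    root=${1%/}   # WordPress root, trailing slash removed
    # 777 lets every account on the server write to the entry.
    find "$root" ! -type l -perm 777 | sed 's/^/WORLD-WRITABLE-777 /'
    # wp-config.php: 444 or 440 normally, 644 only while you are editing it.
    if [ -f "$root/wp-config.php" ]; then
        find "$root/wp-config.php" ! -perm 444 ! -perm 440 ! -perm 644 |
            sed 's/^/WP-CONFIG-MODE /'
    fi
    # Folders: 755; wp-admin and wp-includes may also be 101.
    find "$root" -type d ! -perm 755 ! -perm 777 | while IFS= read -r d; do
        case "$d" in
            "$root/wp-admin"|"$root/wp-includes")
                if [ -n "$(find "$d" -prune -perm 101)" ]; then continue; fi ;;
        esac
        printf 'DIR-NOT-755 %s\n' "$d"
    done
    # All other files: 644.
    find "$root" -type f ! -name wp-config.php ! -perm 644 ! -perm 777 |
        sed 's/^/FILE-NOT-644 /'
}
```

Call it as audit_wp_perms /path/to/wordpress; an empty result means every entry matches the modes above.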
7. Avoid using plugins and only use reliable plugins
You should avoid installing and overusing plugins. Firstly, they make your website slower. Moreover, if you use many plugins they might not be compatible with one another, and overusing plugins also makes your website less secure.
You only need to use necessary and popular plugins. Whether a plugin is reliable depends on its number of downloads, reviews and rating on the WordPress plugin download page. Plugins can also be bought from trustworthy websites (such as Themeforest or MyThemeShop).
8. Change the default login, administration address
During the installation process, WordPress creates 2 login URLs by default. I believe you are familiar with at least these two links below:
wp-admin.php
wp-login.php
This happens every time we install WordPress. The default login URLs carry potential security risks. When you change your login URLs, you make it more difficult for hackers to attack your website. This is a simple but effective WP security tip.
It should also be noted that even if attackers cannot guess your login data, they can still use up a lot of bandwidth. Changing your WordPress login page URL can prevent this problem.
You can easily change the login and default administration addresses with the following plugins: Custom Login URL, WPS Hide Login, Better WP Security.
9. Change the prefix table of Database
When installing WordPress, the wp_ prefix is set by default for every table it creates. Every WordPress user knows this, which makes it very easy for hackers to attack the data. Hackers can query and change the data in the wp_options table, causing the website settings to change (SQL injections). They can even redirect visitors to their website.
To strengthen your website security and keep hackers from attacking important files, you should change the DB table prefix by editing the configuration file wp-config.php or by editing it in the database using phpMyAdmin in cPanel.
Note: if you don’t know how to change the DB table prefix, please contact us. We can help you, or you can just wait for the next articles.
10. Turn off PHP error notification
PHP error notification should be turned on while you are programming your website and want everything to go smoothly. However, displaying errors for everyone to see is definitely not recommended, especially when you want to secure a WordPress website.
You don’t need to be a programmer to do this on WordPress. Many hosting providers allow you to turn off PHP error notification in the control panel. If you can’t find it, you can find and replace this line in your wp-config.php file (set the value of WP_DEBUG to false):
define('WP_DEBUG', true);
to
define('WP_DEBUG', false);
We will continue with the remaining security methods for WordPress websites in the next article.
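To confirm the settings from sections 9 and 10 on an existing site, the following added example (not from the original article) reads wp-config.php and reports a default wp_ table prefix or an enabled WP_DEBUG. check_wp_config is a hypothetical name, and $table_prefix is the variable WordPress uses for the prefix in wp-config.php.

```sh
#!/bin/sh
# Added example: read-only check of wp-config.php for the settings in
# sections 9 and 10. check_wp_config is a hypothetical helper name.
check_wp_config() {
    cfg=$1
    # Ignore whole-line comments so a commented-out setting is not counted.
    active=$(grep -Ev '^[[:space:]]*(//|#|/\*|\*)' "$cfg" || true)
    # Last active assignment wins, e.g.  $table_prefix = 'wp_';
    prefix=$(printf '%s\n' "$active" | sed -n \
        "s/^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" |
        tail -n 1)
    if [ "$prefix" = "wp_" ]; then
        echo "TABLE-PREFIX-DEFAULT wp_"
    fi
    # define('WP_DEBUG', true);  any spacing, either quote style, any case.
    if printf '%s\n' "$active" | grep -Eiq \
        "define[[:space:]]*\([[:space:]]*['\"]WP_DEBUG['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"; then
        echo "WP_DEBUG-ON"
    fi
    return 0
}
```

Run it as check_wp_config /path/to/wp-config.php; no output means neither setting was found in its default or debug state.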