Security Methods for WordPress, Prevent Hacking your Website (Part 2)Last updated on
In part 2 of series “Security methods for WordPress, prevent hacking your website” (20 WP security tips), we will continue with 10 security methods. They will help you prevent hacking website (avoid being attacked) or losing control of the website.
If you don’t know how to do or encounter difficulties or get some problems when processing don’t hesitate to contact us for help.
11. Two-Factor Authentication for your website
Nowadays two factor authentication is widely applied for such primary accounts as Google, Facebook or bank account. Are you looking for a way to secure your WordPress login page with two-factor authentication method?
Once setting two-factor authentication for WordPress, though your password is hacked by the hacker, it is still a challenge to log in because it requires your mobile phone to go through one more layer of authentication.
You can set the two factor authentication for your website with the plugin: Google Authenticator
12. Using SSL
When your website uses SSL (https) then all of your data will be encoded before being transferred through Internet (safe data when being transferred from server to user’s browsers). This data format after being encoded becomes safer, since nobody else can use it except for us.
Furthermore using SSL also helps your website SEO better, helping you ran higher on Google keyword searches.
There are many hosting providers providing free SSL at the moment. We can install and use SSL after a few simple steps.
13. Don’t use null Theme and Plugin (Themes, Plugins premium that are shared online)
Null products that we are mentioning are paid products such as paid plugins or paid themes, which are publicly and widely shared and the websites specializing in sharing WordPress Themes and Plugins.
It is important to know that using shared paid produces like that seriously violates copyright and also directly leads to malicious codes. The majority of null themes, plugins on the internet have malicious codes and they can illegal exploit your hosting resources, add hidden blacklink or even worse,your website is down.
You can buy WordPress Themes and Plugins from MyThemShop, it’s very reliable and too cheap.
14. Turn off File Editing function
As you know, for WordPress, you can directly edit files when you log in your administration panel. Despite being convenient, it can cause damages. You can cause errors when editing and cannot backup what you have done.
If hackers gain the rights to access you administration panel, the first thing they think of is File Editors in order to interfere website’s files. You should entirely turn off this function after installation to secure your WordPress files more. It can be turned off by editing
wp-config.php by adding the following command:
15. Disable directory browsing with
For example if you want to display the plugins you installed you can check out by going to: in your browser. Thus makes it easy for website to have information easily revealed and gotten attacked.
You can prevent this by adding the following code to
Options All –Indexes
16. Remove WordPress version
Certainly finding out what WordPress version you are using helps hackers to find the weaknesses more easily and they have more time to learn how to attack. When we delete the WordPress version we’re using it would be different the spoilers. They don’t know what version of WordPress you’re using, which causes more difficulties for them to attack.
In order to do this, you can add the following code to
functions.php file as following:
17. Disable XML-RPC
Since 3.5 version XML-RPC function is defaultly activated to help connect your WordPress with mobile applications specifically for WordPress. For example, to post an article from a far distance.
However, hackers can take advantage of XML-RPC to execute attacks via brute-force to continuously log in the admin panel.
This is the reason why shouldn’t use XML-RPC. Deactivate it to make it safer.
To do this, we can add this code to
<Files xmlrpc.php> order deny,allow deny from all </Files>
Or you can add this code to the file of
18. Use secured plugins like Sucuri Security or iThemes Security
Sucuri Security is created by Sucuri.net, which is one of the top website security companies in the world. Sucuri Security is perfect for paid customers and is considered good for free customers. If your budget is low then the free version already secures your website very well.
With Sucuri Security you can use security functions:
- Failed Login Password Collector: collect data of failed logins
- User Comment Monitor: collect comment data, prevent spamming comments
- Audit Log Statistics: collect data of file editing history
With Ithemes Security you can set up security:
- Write to File: This option allows other plugins automatically add content to
.htaccess, you are recommended to choose it to install other functions of iThemes Security or auto cache plugins.
- Notification Email: your email address receives notifications concerning iThemes Security, you can add various emails separated by a line
- Host Lockout Message: a message to notify errors for failure of logins due to IP lock
- Log Type: record activity log of plugin. It is recommended to choose Database Only.
- Allow Data Tracking: allowing iThemes to collect your usage datas to be analysed
19. Update Operating System, Browsers, FTP Client you are using
This is not noticed by many people. Securing your website starts by guaranteeing the safety of your computer.
If your computer, browser, FTP Client you’re using to access server, hosting or admin panel are not updated (or Operating System (OS) doesn’t contain good Antivirus software) then they are likely to be affected by virus, malware or vulnerability. Your computer or website can be attacked for information or other purposes.
Therefore, the most important is to follow the very primary security principles
- Constantly update OS, browsers, FTP Client…
- Install antivirus software on your computer and usually scanning.
- Don’t log in your website via public WiFi or computer.
20. Back up your website often
This doesn’t lower the possibility of WordPress being attacked but instead it helps lower the damaging degree after the attack. If you backup your data often then after being attacked and losing database you can still restore the website by restoring the backup data.
Furthermore, this method helps you restore your blog after editing your database.
You can make use of such plugins as WP Complete Backup, BackupBuddy to back up your website.