WordPress has become the world's most popular content management system: easy to get started with, extremely versatile, and one of the best website and blogging platforms available. The biggest drawback of that popularity is that it makes WordPress a prime target for attackers, who can reuse one exploit against millions of near-identical sites
Keep WordPress Updated
Make sure you are always running the latest stable release. WordPress ships updates often, and minor releases frequently exist only to close a security hole. Keeping your version current is the single cheapest way to stay ahead of known vulnerabilities and the exploits written for them. RSH Web Services WordPress accounts update automatically. If yours doesn't, keep an eye on your Admin panel or inbox for notices that new updates are available. Attackers scan for outdated sites, and only about a quarter of sites run the latest version. Since WordPress runs almost 30% of all websites, that is a lot of outdated sites waiting to be found
Not Updating Plugins or Themes
Running outdated versions of WordPress plugins and themes leaves you just as exposed as an outdated core. Updates often include patches for security issues, and once a patch is public the fixed bug is effectively a published exploit recipe. Run the latest versions, and make a practice of backing up before you update so a broken update is a rollback rather than an outage. This is an important WordPress security best practice
Install only trusted plugins and house clean regularly
Poorly written, insecure, or outdated plugins are one of the most common ways attackers get into a site; plugins and themes account for the large majority of WordPress vulnerabilities. Only download and install plugins and themes from reputable sources, such as the official WordPress.org directory or the vendor's own site. Avoid "nulled", bootleg, or torrented copies of premium themes and plugins: the files are routinely altered to contain malware or a backdoor, and a backdoored theme runs with the same privileges as WordPress itself
Not using those old plugins any more?
Get rid of them!
There is a temptation to install a plugin for every problem you run into, but too many plugins cause bloat, and a single unreliable or abandoned plugin can be a major security risk. Regularly delete unused themes and plugins rather than just deactivating them: deactivation leaves the PHP files on the server, and some plugin files can be reached and executed directly by URL whether or not the plugin is active, so a vulnerability in a deactivated plugin is still exploitable. Review your plugins periodically to make sure you still have the best one for the job. A newer plugin may combine the features of several you already have and be better supported, more secure, and easier to maintain
Add Extra Security to User Accounts
Lock down user permissions to prevent unauthorized access to admin areas. A great deal of risk comes from the accounts that intentionally have access to your site, particularly the administrator and editor roles. If an attacker gains access to one of these accounts, they inherit everything it can do: an editor can publish scripts and links, and an administrator can install plugins, which means running arbitrary PHP on the server. Give every account the lowest role that still lets the person do their job (Contributor or Author for most writers, Administrator only for the people who actually maintain the site), and review the user list regularly for accounts that are no longer needed. Remind users to choose strong passwords (twelve characters or more with a mix of upper and lower case, digits and symbols, or a long passphrase), to change them periodically and immediately if there is any chance they have been exposed, never to write them down where others can see them, and to log out when they are finished with a session so an unattended browser does not become unauthorized access
Change the "Defaults"
Changing the name of your admin account makes an attacker's job harder. New WordPress installs make you choose a custom username for the first administrator, but if you installed your site a while ago, your admin account may still have the default name "admin". That hands attackers half of the credential pair for free: every brute-force bot tries "admin" first. WordPress does not let you rename a user from the dashboard, so create a new administrator with a different username, log in as that user, then delete the old "admin" account and reassign its posts to the new one. Be aware this removes one easy guess rather than hiding the name: usernames also leak through author archives (/?author=1) and the REST API's users endpoint, so treat it as an obstacle, not a lock. You should also change the default database table prefix to something other than "wp_" to add a further layer of obscurity against automated SQL injection payloads that assume the default table names. On an existing install this means renaming every table and updating the rows in the options and usermeta tables whose keys carry the prefix (user_roles, capabilities, user_level); the easiest way is via a plugin, but back up your database first
Hide your WordPress version number and change the address of your login page. Attackers have less to work with if they cannot read your version off the page and cannot find the login form at the default address, since the version tells them exactly which published vulnerabilities apply. Be clear about what this buys you: the version can still be fingerprinted from the hashes of core static files, and a determined attacker will find a moved login page, so both measures are obscurity on top of patching, not a substitute for it. Moving the login page from /wp-login.php to a non-default address does stop the bulk of brute-force bots, which simply post credentials to the default address and can flood a server badly enough to act as a denial of service; remember that xmlrpc.php also accepts logins and should be disabled or restricted if you do not use it. A custom login URL can also be something more memorable for your users
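The version-hiding step above is easy to do without a plugin. The following is an added example written for this article, not code from the original page or from WordPress itself; it is a small must-use plugin (drop it into wp-content/mu-plugins/, where it loads without activation) that removes the three places the core version normally appears. The function name hwv_strip_core_version and the file layout are this example's own choices.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version (added example for this article)
 *
 * Removes the core version from the generator <meta> tag, from the
 * generator line in RSS/Atom feeds, and from the ?ver= query string that
 * WordPress appends to its own scripts and stylesheets.
 */

// 1. <meta name="generator" content="WordPress x.y.z"> in the HTML head.
remove_action( 'wp_head', 'wp_generator' );

// 2. <generator>https://wordpress.org/?v=x.y.z</generator> in feeds.
add_filter( 'the_generator', '__return_empty_string' );

// 3. ?ver=x.y.z on core asset URLs. Only strip it when it equals the core
//    version, so plugins and themes that version their own assets keep their
//    cache-busting query string.
function hwv_strip_core_version( $src ) {
    if ( false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
// Late priority so this runs after WordPress has added the ver parameter.
add_filter( 'style_loader_src', 'hwv_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'hwv_strip_core_version', 9999 );
```

Two things this does not cover: readme.html in the site root states the version in plain text (delete it or block it in .htaccess), and scanners can still match the contents of files under wp-includes/ against known releases, which is why patching matters more than hiding.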
Deny external access to wp-config.php and .htaccess with the following in your .htaccess file. The <files> wrappers below were lost when this page was extracted and are reconstructed here; the order/deny lines are Apache 2.2 syntax, which Apache 2.4 still accepts with mod_access_compat loaded. On a pure 2.4 setup, replace the two lines inside each block with a single "Require all denied"
# wp-config.php holds the database credentials and salts; it must never be served
<files wp-config.php>
order allow,deny
deny from all
</files>
# the rules file itself (most Apache builds already refuse to serve .ht* files)
<files .htaccess>
order allow,deny
deny from all
</files>
You can also disable file editing from the Admin panel if your themes and plugins are only ever edited over SFTP or cPanel. This stops anyone with Admin panel access, whether by accident or as an attacker who has taken over an administrator account, from editing PHP files directly; the built-in theme and plugin editors are the standard way to turn a stolen admin login into a web shell
Insert the following into your wp-config.php file, above the line that reads "That's all, stop editing!":
define('DISALLOW_FILE_EDIT', true);
Many WordPress security experts also recommend disabling directory browsing. With directory browsing enabled, attackers can list your site's directories to find a vulnerable, forgotten, or backup file. Add this line to your .htaccess file:
Options -Indexes
Ban Suspicious IP Addresses
If your logs show one address hammering your login page, you can block it in .htaccess. Replace xxx.xxx.xx.x with the offending address; the order line, missing from the original snippet, is required so that the deny takes precedence over the allow
<Limit GET POST>
order allow,deny
deny from xxx.xxx.xx.x
allow from all
</Limit>
Note that the Limit block only covers GET, HEAD and POST requests, and that attackers rotate addresses, so treat manual IP bans as a stopgap rather than a defense
Security and anti-spam plugins
A good security plugin will keep your site safer by adding many of the protections described here in one place. Comprehensive security plugins typically bundle a suite of tools, such as login attempt limiting, file change monitoring, and a web application firewall, to lock down the weak spots on your site. These plugins can be invaluable in making a WordPress site more secure, and some also include backups for an all-inclusive service. Install one well-maintained security plugin rather than several overlapping ones, since each plugin is itself code that must be kept updated
Brute Force Attacks
WordPress, by default, does not limit login attempts, so bots can attack your login page by brute force, trying thousands of username and password combinations until one works. Even an unsuccessful brute-force attack can wreak havoc on your server, because every attempt costs a password hash check and a database lookup, and a flood of them can overload the system. While you are under such an attack, some web hosts may suspend your account, especially on a shared hosting plan, because of the load
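The fix is to add the missing limit yourself. What follows is an added example written for this article, not code from the original page or from any published plugin: a must-use plugin (wp-content/mu-plugins/) that locks out a client IP after repeated failures, using WordPress transients for state so it needs no extra tables. The slal_ prefix, the thresholds, and the assumption that the web server sees the real client address are this example's own.

```php
<?php
/**
 * Plugin Name: Simple Login Attempt Limiter (added example for this article)
 *
 * After SLAL_MAX_ATTEMPTS failed logins from one client IP within
 * SLAL_WINDOW seconds, logins from that IP are refused for SLAL_LOCKOUT
 * seconds, even if the next guess is correct. Counts failures from the
 * login form and from xmlrpc.php alike, since both go through wp_authenticate().
 */

const SLAL_MAX_ATTEMPTS = 5;
const SLAL_WINDOW       = 15 * MINUTE_IN_SECONDS;
const SLAL_LOCKOUT      = 30 * MINUTE_IN_SECONDS;

// Assumption: clients connect to this server directly. Behind a reverse proxy
// or CDN, REMOTE_ADDR is the proxy; read the proxy's trusted forwarded-IP
// header instead, and never trust X-Forwarded-For from arbitrary clients.
function slal_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names have a length limit, so key on a hash of the address.
function slal_key( $suffix ) {
    return 'slal_' . $suffix . '_' . md5( slal_client_ip() );
}

// Count failures. Fires for wrong passwords and unknown usernames alike.
function slal_record_failure( $username ) {
    if ( get_transient( slal_key( 'lock' ) ) ) {
        return; // the lockout error below also fires this hook; do not double count
    }
    $attempts = (int) get_transient( slal_key( 'fail' ) ) + 1;
    set_transient( slal_key( 'fail' ), $attempts, SLAL_WINDOW );

    if ( $attempts >= SLAL_MAX_ATTEMPTS ) {
        set_transient( slal_key( 'lock' ), time(), SLAL_LOCKOUT );
        delete_transient( slal_key( 'fail' ) );
    }
}
add_action( 'wp_login_failed', 'slal_record_failure' );

// Refuse authentication while locked out. Priority 100 runs after core's own
// handlers (20 and 30), so a locked-out client is refused even when it finally
// guesses the right password; an earlier priority would be overridden by them.
function slal_check_lockout( $user, $username, $password ) {
    if ( get_transient( slal_key( 'lock' ) ) ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'slal_check_lockout', 100, 3 );

// A successful login clears the counters for that address.
function slal_clear_on_success( $user_login, $user ) {
    delete_transient( slal_key( 'fail' ) );
    delete_transient( slal_key( 'lock' ) );
}
add_action( 'wp_login', 'slal_clear_on_success', 10, 2 );
```

Keep the lockout short: a per-IP lockout can be abused to lock out every legitimate user behind the same office NAT, and a distributed attack simply rotates addresses. For the server-load problem in the paragraph above, pair this with blocking at the web server or with fail2ban, since PHP has already run by the time this code refuses a request.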
File Inclusion Exploits
After brute-force attacks, vulnerabilities in the PHP code of your WordPress site are the next most common security issue attackers exploit. (PHP is the language WordPress, its plugins, and its themes are written in.) File inclusion exploits occur when code builds an include() or require() path from user-controlled input, so an attacker can make the server load a file of their choosing: a local file they planted earlier, such as PHP disguised as an image in the uploads directory, or, if allow_url_include is on, a file on a remote server. When the whole path is attacker-controlled, PHP stream wrappers such as php://filter let them read source instead of executing it, which is why file inclusion is one of the most common ways an attacker gets hold of wp-config.php, the file that holds your database credentials and is one of the most important in your installation
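To make the bug concrete, here is an added example written for this article (not code from the original page or from any real theme): a local file inclusion in a hypothetical theme's AJAX handler, followed by the hardened version. The theme, the render_section action, and the sections/ directory layout are assumptions of the example.

```php
<?php
/**
 * Added example for this article. The hypothetical theme keeps template
 * fragments in <theme>/sections/<name>.php and renders one on request via
 *   /wp-admin/admin-ajax.php?action=render_section&section=pricing
 */

// VULNERABLE: the request parameter is spliced into the include path.
// section=../../../../wp-config escapes the theme directory (the ".php" is
// appended for the attacker), so any PHP file on disk runs, including a
// web shell uploaded earlier as a fake image under wp-content/uploads.
// Had there been no directory prefix at all, a stream wrapper such as
// php://filter/convert.base64-encode/resource=wp-config.php would dump the
// database credentials instead of executing the file.
function vuln_render_section() {
    $name = isset( $_GET['section'] ) ? $_GET['section'] : 'default';
    include get_template_directory() . '/sections/' . $name . '.php';
    wp_die();
}
// Shown for contrast only; not registered, so the safe handler below wins.
// add_action( 'wp_ajax_nopriv_render_section', 'vuln_render_section' );
// add_action( 'wp_ajax_render_section', 'vuln_render_section' );

// HARDENED: accept only names from a fixed list, then prove with realpath()
// that the resolved file still lives under the sections directory.
function safe_render_section() {
    $allowed = array( 'default', 'pricing', 'contact' );
    $name    = isset( $_GET['section'] ) ? sanitize_key( $_GET['section'] ) : 'default';

    if ( ! in_array( $name, $allowed, true ) ) {
        wp_die( 'Unknown section', '', array( 'response' => 400 ) );
    }

    $base = realpath( get_template_directory() . '/sections' );
    $file = realpath( $base . '/' . $name . '.php' );
    // Defense in depth: realpath() collapses any ../ and the prefix check
    // rejects anything outside $base, such as a symlink planted in sections/.
    if ( false === $file || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Unknown section', '', array( 'response' => 400 ) );
    }

    include $file;
    wp_die();
}
add_action( 'wp_ajax_nopriv_render_section', 'safe_render_section' );
add_action( 'wp_ajax_render_section', 'safe_render_section' );
```

The allowlist is the real fix; the realpath() check is there so that a future edit which weakens the allowlist still cannot reach outside the directory. Note that the vulnerable handler is reachable by anonymous visitors through the wp_ajax_nopriv_ hook, which is exactly the situation in most published plugin advisories of this kind.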
SQL Injection
Your WordPress website uses a MySQL database to operate. SQL injection occurs when user input is pasted into a database query without escaping, so the input changes the structure of the query instead of just filling in a value, giving the attacker access to your database and all of your site's data. With an SQL injection, an attacker may be able to read password hashes and email addresses, or create a new admin-level user account and use it to log in with full control of your site. SQL injection can also be used to insert new data into the database, including links to malicious or spam websites
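The same mistake looks like this in plugin code. This is an added example written for this article, not code from the original page or from any real plugin: a hypothetical "related product" lookup written once with string concatenation and once with the $wpdb->prepare() API that WordPress provides for exactly this purpose. The product_id parameter and the product post type are the example's own assumptions.

```php
<?php
/**
 * Added example for this article: a lookup driven by ?product_id=, written
 * unsafely and safely with WordPress's $wpdb database object.
 */

// VULNERABLE: the query string is concatenated straight into SQL.
// ?product_id=0 UNION SELECT user_login, user_pass FROM wp_users-- -
// turns the query into a dump of password hashes; the "0" matches no real
// post, so the attacker's row comes back as the first result.
function vuln_related_product() {
    global $wpdb;
    $id = $_GET['product_id'];
    return $wpdb->get_row(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = $id AND post_type = 'product'"
    );
}

// HARDENED: cast the input to what it must be, then let prepare() bind it.
// prepare() takes sprintf-style placeholders (%d, %s, %f) and escapes each
// value itself, so the input can fill in a value but never change the query.
function safe_related_product() {
    global $wpdb;
    $id = isset( $_GET['product_id'] ) ? absint( $_GET['product_id'] ) : 0;
    if ( 0 === $id ) {
        return null;
    }
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = %d AND post_type = %s",
            $id,
            'product'
        )
    );
}
```

Two caveats a practitioner should know: placeholders cannot stand in for table or column names, so a user-chosen sort column must be checked against an allowlist rather than bound (WordPress 6.2 added the %i placeholder for identifiers), and code that instead escapes with esc_sql() must still wrap every string value in quotes, since an unquoted number is injectable no matter how well it is escaped.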
Malware
Malware, short for malicious software, is code planted on a site to gain unauthorized access, steal data, or abuse the site's visitors and search ranking. A hacked WordPress site usually means malicious code has been injected into the site's files, so if you suspect an infection, start with recently changed files. Although there are thousands of kinds of malware on the web, WordPress is not vulnerable to all of them, and a few families account for most infections.
The most common WordPress malware infections are:
>> Drive-by downloads
>> Pharma hacks
>> Malicious redirects
Each of these is usually straightforward to identify and clean, by removing the injected code or file, replacing the core files with a fresh copy of the same WordPress version, or restoring the site from a backup taken before the infection. Whichever route you take, assume the attacker left a way back in: change every password and the salts in wp-config.php, check the users table for accounts you did not create, and look for stray PHP files under wp-content/uploads
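"Start with recently changed files" is easy to turn into a script. The following is an added example written for this article, not a tool from the original page or from WordPress: a command-line PHP script that lists PHP files modified in the last N days under the current directory and flags the ones that contain constructs common in injected web shells or that sit under uploads/, where no PHP belongs. The patterns are heuristics chosen for this example; a hit is a lead to inspect, not proof of infection.

```php
<?php
/**
 * Added example for this article. Run from the WordPress root:
 *   php find-changed.php [days]
 * Lists *.php files modified in the last N days (default 7), newest first,
 * marking those that match web-shell heuristics or live under uploads/.
 */

$days  = isset( $argv[1] ) ? max( 1, (int) $argv[1] ) : 7;
$since = time() - $days * 86400;

// Heuristic patterns seen in injected code: runtime-decoded eval chains,
// shell commands fed from request data, the preg_replace /e modifier, and
// assert() used as an eval substitute. Legitimate code rarely uses them.
$suspicious = array(
    '/\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i',
    '/\b(?:system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b/i',
    '/\bpreg_replace\s*\(\s*[\'"][^\'"]*\/[a-z]*e[a-z]*[\'"]/i',
    '/\bassert\s*\(\s*\$_(?:GET|POST|REQUEST)\b/i',
);

$files = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( getcwd(), FilesystemIterator::SKIP_DOTS )
);

$recent = array();
foreach ( $files as $file ) {
    if ( 'php' !== strtolower( $file->getExtension() ) || $file->getMTime() < $since ) {
        continue;
    }
    $path  = $file->getPathname();
    $flags = array();

    // PHP under the uploads directory is almost always an attacker's file.
    if ( false !== strpos( $path, DIRECTORY_SEPARATOR . 'uploads' . DIRECTORY_SEPARATOR ) ) {
        $flags[] = 'php-in-uploads';
    }
    $src = file_get_contents( $path );
    foreach ( $suspicious as $i => $re ) {
        if ( preg_match( $re, $src ) ) {
            $flags[] = 'pattern-' . $i;
        }
    }
    $recent[] = array( 'path' => $path, 'mtime' => $file->getMTime(), 'flags' => $flags );
}

usort( $recent, function ( $a, $b ) { return $b['mtime'] - $a['mtime']; } );

foreach ( $recent as $r ) {
    printf( "%s  %s%s\n",
        date( 'Y-m-d H:i', $r['mtime'] ),
        $r['path'],
        $r['flags'] ? '  <-- ' . implode( ',', $r['flags'] ) : ''
    );
}
```

Modification times are easy to forge: attackers routinely reset them with touch so a file blends in. Use this listing as a first pass, then compare the core files against the official release checksums (WP-CLI's "wp core verify-checksums" does this) and diff plugins against fresh downloads of the same version, which catches changes no matter what the timestamp says.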
Using Poor-Quality Hosting
Since the server where your WordPress website lives is itself a target, poor-quality hosting can make your site more vulnerable to compromise. Every host takes some precautions to secure its servers, but not all are equally vigilant about patching or implement current security measures at the server level, and on shared hosting a neighbouring site's compromise can become yours if accounts are not properly isolated
Cross-Site Scripting (XSS)
XSS vulnerabilities, most often in plugins and themes, let an attacker plant script in pages your site serves to other visitors, for example through a stored comment or a crafted link. When an administrator views the page, the script runs in their browser with their session and can create users or change settings on their behalf, which is why it is so often the first step towards a full takeover
Weak Passwords
Using a weak password is one of the biggest security vulnerabilities, and one of the easiest to avoid. Your WordPress admin password should be long and include several types of characters, such as letters, digits and symbols, or be a long passphrase. It should also be unique to your WordPress site and not reused anywhere else, because credentials stolen from one site are routinely tried against every other. If you are currently using a password shorter than twelve characters, change it now. If you are using the same password on more than one login, change it now. If you have had the same password for more than six months, change it now. Start practicing good WordPress password security, especially if you are an admin user
Be careful with online "Random Password Generators"
A web page that generates a password for you can also log it, and whoever runs that page may be able to work out which site it was meant for. Generate passwords locally instead, with the built-in generator of a reputable password manager or the Generate Password button on your own WordPress profile screen, and never reuse a generated password across sites