Over the course of the last few years WordPress sites have come under a barrage of attacks from hackers and malicious code injectors. If you are running a WordPress-based website it is crucial that you take measures to secure your site before it’s too late. We’ve put together a list of tips to help prevent your WordPress site from being hacked. There are many more ways to secure your WordPress site, but by following these instructions, you’ll be well on your way to a safer and more secure site.

Take Regular Backups

This is the one measure that saves you when everything else fails. Back up both the database (posts, pages, comments, users, settings) and the files under wp-content (themes, plugins and uploads) on a schedule, keep the copies somewhere the web server cannot write to, and test a restore now and then: a backup you have never restored is a guess. Imagine losing several years' worth of website content, blog posts and articles because someone thought it would be fun to hack your website. For any business with an established online presence this is disastrous, and regaining your search positioning could take years.
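An added example, not from the original article, of what a backup-and-verify routine looks like as a script. It assumes a standard install (wp-config.php in the site root, mysqldump on PATH, GNU tar and sha256sum available); the directory names are placeholders, and the trial restore at the end is the step most people skip.

```shell
#!/bin/sh
# Added example, not from the original article: dump the WordPress database
# and archive wp-content, then verify the archive before trusting it.
# Assumes wp-config.php in the site root, mysqldump on PATH, GNU tar and
# sha256sum. All paths passed in are placeholders.
set -eu

# wp_config_value FILE NAME: print the value of define('NAME', '...') in wp-config.php.
wp_config_value() {
  sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# dump_database WP_ROOT OUT_FILE: mysqldump with credentials from wp-config.php.
# Credentials go through a 0600 option file, never the command line (ps shows argv).
# (A DB_HOST with a :port suffix would need splitting; left out here.)
dump_database() {
  cfg="$1/wp-config.php"
  opts=$(mktemp)
  (umask 077; printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' \
      "$(wp_config_value "$cfg" DB_HOST)" \
      "$(wp_config_value "$cfg" DB_USER)" \
      "$(wp_config_value "$cfg" DB_PASSWORD)" > "$opts")
  mysqldump --defaults-extra-file="$opts" --single-transaction --quick \
      "$(wp_config_value "$cfg" DB_NAME)" > "$2"
  rm -f "$opts"
}

# pack_backup STAGING_DIR ARCHIVE: tar the staging dir, write ARCHIVE.sha256 beside it.
pack_backup() {
  tar -C "$1" -czf "$2" .
  (cd "$(dirname "$2")" && sha256sum "$(basename "$2")" > "$(basename "$2").sha256")
}

# verify_backup ARCHIVE: the checksum must match and a trial restore must
# yield the dump, wp-content and wp-config.php. Returns 1 otherwise.
verify_backup() {
  (cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null) || return 1
  scratch=$(mktemp -d)
  if tar -C "$scratch" -xzf "$1" \
     && [ -s "$scratch/db.sql" ] && [ -d "$scratch/wp-content" ] && [ -f "$scratch/wp-config.php" ]; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$scratch"
  return $rc
}

# backup_site WP_ROOT DEST_DIR: the full run. DEST_DIR should live off the web
# server (or be synced off it) so a compromise does not take the backups too.
backup_site() {
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  staging=$(mktemp -d)
  dump_database "$1" "$staging/db.sql"
  cp -a "$1/wp-content" "$1/wp-config.php" "$staging/"
  archive="$2/wp-backup-$stamp.tar.gz"
  pack_backup "$staging" "$archive"
  rm -rf "$staging"
  verify_backup "$archive" && echo "backup OK: $archive"
}

# Usage:  sh wp-backup.sh run /var/www/html /srv/backups
if [ "${1:-}" = "run" ]; then backup_site "$2" "$3"; fi
```

Run it from cron and alert on a non-zero exit; the checksum file catches silent corruption on the backup store, and the trial restore catches an archive that was written but is not actually usable.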

Use Strong Passwords

Strong passwords are essential for high-privileged users such as administrators, but every account matters, because a low-privilege account is still a foothold. Without them your site is open to brute force attacks, in which the attacker runs through large numbers of username and password combinations against wp-login.php (and, less visibly, xmlrpc.php). Long, unique passwords push the chance of a successful guess close to zero, and limiting login attempts per address or account drives it lower still.

Secure passwords should:

  • be long: 12 characters or more is a reasonable floor, and length matters more than any single symbol
  • mix upper and lower case letters and digits
  • include special characters such as !@#
  • be generated and stored by a password manager rather than memorised

Never use your date of birth, a pet's name or other personal details as a password. This kind of information is easy for an attacker to find, and it is the first thing a targeted guessing list is built from.

Another key point is to have several different passwords. It’s nice to have just one single password and access everything through it, but imagine what would happen if someone discovered this primary password that gave them access not only to your website, but to your email, banking information and other online accounts.
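The attack described above, as an added example that is not part of the original article: a short script that picks password-guessing hosts out of an Apache combined-format access log. The log lines in it are constructed, and the 200-versus-302 distinction relies on how WordPress answers a POST to wp-login.php.

```shell
#!/bin/sh
# Added example, not from the original article: find hosts guessing passwords
# against wp-login.php or xmlrpc.php in an Apache "combined" format access log.
# The log lines are constructed; field positions assume the combined format
# (ip, ident, user, [date tz], "method path proto", status, bytes, referer, agent).
set -eu

# Constructed sample: 203.0.113.5 fails six logins then succeeds,
# 192.0.2.9 hammers xmlrpc.php, 198.51.100.7 is a normal user with one typo.
sample_log() {
  cat <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3951 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3951 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3951 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3951 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3951 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3951 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:56:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:56:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:14:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3800 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3951 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 24000 "-" "Mozilla/5.0"
EOF
}

# login_abusers THRESHOLD: read a log on stdin, print "ip count" for every
# host with at least THRESHOLD failed login attempts, sorted by address.
# A failed wp-login.php POST re-renders the form with HTTP 200; a successful
# one redirects with 302. xmlrpc.php answers 200 either way, so every POST
# there counts as an attempt (it is the usual route for bulk guessing).
login_abusers() {
  awk -v threshold="$1" '
    $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ {
      if ($7 ~ /^\/xmlrpc\.php/ || $9 == "200") fails[$1]++
    }
    END { for (ip in fails) if (fails[ip] >= threshold) print ip, fails[ip] }
  ' | sort
}

# Against a real log:  login_abusers 10 < /var/log/apache2/access.log
# Feed the result to fail2ban, an nftables set, or the WAF block list.
sample_log | login_abusers 3
```

Run on the sample it reports 192.0.2.9 and 203.0.113.5 and leaves the legitimate user alone; on a live site the threshold should be tuned against a day of normal traffic before anything is blocked automatically.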

Keep Your WordPress Core Software and Plugins Current

WordPress releases updates and patches for its core software, and plugin and theme authors do the same for theirs, to close vulnerabilities as they are found. It is up to you to apply them. In practice most WordPress compromises come through an outdated plugin or theme rather than core, and once a fix is public, attackers can compare versions, work out what it patched, and scan for sites that have not updated.

Updating may incur some cost from your web developer, depending on how customised your site is. If customisations were made by editing plugin or theme code directly, an update overwrites them and can leave the site broken; the fix is to keep customisations in a child theme or a small site-specific plugin so that updates can be applied freely.

As a general rule, we set aside a day each quarter to update plugins so that the site stays secure without weekly maintenance. Treat that as the floor for feature updates, not for security releases: a plugin update that fixes a disclosed vulnerability should go out as soon as it is available, and leaving WordPress's automatic minor-release updates switched on (the default since version 3.7) covers core security fixes in between.
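As an added example that is not part of the original article, the quarterly pass written as a script around WP-CLI (https://wp-cli.org/). The plugin list it parses is constructed; the commands that call wp assume WP-CLI is installed on the server and run only when the script is invoked with run.

```shell
#!/bin/sh
# Added example, not from the original article: a maintenance pass driven by
# WP-CLI. The plugin list below is constructed; the maintenance function
# assumes WP-CLI is installed and is only run when invoked with "run".
set -eu

# Constructed output of:
#   wp plugin list --fields=name,status,update,version --format=csv
sample_plugin_list() {
  cat <<'EOF'
name,status,update,version
akismet,active,none,5.3
contact-form-7,active,available,5.7.7
hello,inactive,none,1.7.2
old-gallery,inactive,available,2.1.0
EOF
}

# audit_plugins: stdin is the CSV above; prints one action per line.
# An inactive plugin is still on disk and reachable over HTTP, so a
# vulnerable one is exploitable whether or not it is activated: remove it,
# do not merely leave it switched off.
audit_plugins() {
  awk -F, 'NR > 1 {
    if ($2 == "inactive")        print "remove", $1
    else if ($3 == "available")  print "update", $1, $4
  }'
}

# maintenance WP_ROOT: the scripted pass. Take a backup first.
maintenance() {
  cd "$1"
  wp core verify-checksums           # core files altered? (a common sign of a compromise)
  wp plugin list --fields=name,status,update,version --format=csv | audit_plugins
  wp plugin list --status=inactive --field=name | while read -r name; do
    wp plugin delete "$name"
  done
  wp plugin update --all
  wp theme update --all
  wp core update && wp core update-db
}

if [ "${1:-}" = "run" ]; then maintenance "$2"; fi
```

The verify-checksums step is worth running on its own between passes: it compares every core file against the checksums published by wordpress.org and reports anything modified or added, which is how a good share of injected backdoors are first noticed.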

Use SSH Instead of FTP

FTP is not as secure as most people believe. It sends your username, password and files in clear text, so anyone on the path (a shared network, a compromised router, the hosting provider's network) can capture the credentials and use them to attack your website.

SFTP, file transfer over SSH, is the secure alternative: the SSH connection encrypts the credentials and everything transferred over it, and it can authenticate with a key pair instead of a password. Once you are on SFTP, disable the FTP service on the server entirely rather than leaving it available alongside.

Delete the Default Admin Account

Every WordPress installation used to create an administrator named admin, and many still have one, so attackers can skip guessing the username and go straight to guessing the password. Deleting that account and creating one with a less obvious name takes that shortcut away. It is a small gain, not a strong control: WordPress reveals usernames in other ways (author archive URLs and the REST API's users endpoint), so give the new account a display name that differs from its login, and rely on the strong password from the section above.

You cannot delete the administrator account you are currently logged in with, so create the replacement first:

  • Create a new administrator account (with a user name that is harder to guess than admin)
  • Log out
  • Log in using the new administrator account and password
  • Delete the old account; when WordPress asks what to do with its content, choose "Attribute all content to" the new account, otherwise every post and page the old admin authored is deleted with it

Limit Access to the wp-content Directory

The wp-content directory holds your themes, plugins and everything uploaded through the media library. Visitors only ever need to fetch static assets from it: pictures (.jpeg, .gif, .png), JavaScript (.js), CSS (.css) and XML (.xml). Anything else, and PHP in particular, should not be reachable by URL, because an attacker who manages to upload a PHP file into wp-content/uploads can otherwise run it simply by requesting it.

The rules below deny access to everything in the directory and then re-allow those file types; they go in a .htaccess file inside the wp-content folder. They are written for Apache 2.2 (Apache 2.4 replaces Order/Deny/Allow with Require all denied and Require all granted), they are only honoured if the host's configuration permits .htaccess overrides, and the match is case sensitive as written, so a file named photo.JPG would be blocked. Extend the list if your theme serves fonts, SVG or PDFs, and check that no plugin needs direct access to its own PHP files before deploying.

Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>

Secure wp-config.php

The wp-config.php file matters more than any other: it holds the database credentials and the authentication keys and salts that protect your sessions. Under normal operation the server never returns its contents (PHP executes it), but a misconfigured PHP handler, or a stray copy left by an editor or a backup (wp-config.php~, wp-config.php.bak), can serve it as plain text. We can secure the file by adding these lines to the .htaccess file in the WordPress root directory (where the wp-config file resides):

# protect wp-config.php
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>

This denies everyone HTTP access to wp-config.php. On Apache 2.4 the equivalent directive is Require all denied; on nginx, .htaccess files are ignored and the rule has to go in the server block. Two complementary measures cost nothing: restrict the file's permissions so that only the web server's user can read it, and move it one directory above the web root, where WordPress still finds it automatically.
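The wp-content allowlist and the wp-config.php rule above, as one added example that is not from the original article: a script that writes both rules in a form that works on Apache 2.2 and 2.4, appends the wp-config.php rule without clobbering the rewrite rules WordPress keeps in the root .htaccess, and previews which existing files the allowlist would refuse before you deploy it. It applies the allowlist to wp-content/uploads (the directory attackers upload webshells into) rather than all of wp-content; the extension list, paths and the probe URL are assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example, not from the original article: the two .htaccess rules from
# the wp-content and wp-config.php sections, written for Apache 2.2 and 2.4,
# plus a preview of what the allowlist would block. Directory paths, the
# extension list and the probe URL are assumptions.
set -eu

# Extensions a browser legitimately fetches straight from wp-content: the
# article's list plus web fonts, SVG and favicons, which most themes serve.
STATIC_EXT='xml|css|jpe?g|png|gif|js|woff2?|ttf|svg|ico'

# write_asset_allowlist DIR: deny everything in DIR except static assets.
# (?i) makes the match case-insensitive, so photo.JPG is served.
# Needs AllowOverride Limit (2.2) or AuthConfig (2.4) for the directory.
write_asset_allowlist() {
  cat > "$1/.htaccess" <<EOF
<IfModule mod_authz_core.c>
  Require all denied
  <FilesMatch "(?i)\.($STATIC_EXT)\$">
    Require all granted
  </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
  Order deny,allow
  Deny from all
  <FilesMatch "(?i)\.($STATIC_EXT)\$">
    Allow from all
  </FilesMatch>
</IfModule>
EOF
}

# protect_wp_config WP_ROOT: append (never overwrite: the root .htaccess holds
# the WordPress rewrite rules) a rule covering wp-config.php and the editor or
# backup copies (wp-config.php~, .bak, .orig) that Apache would serve as text
# because they do not end in .php.
protect_wp_config() {
  f="$1/.htaccess"
  if ! grep -qs 'wp-config' "$f"; then
    cat >> "$f" <<'EOF'
<FilesMatch "^wp-config\.php">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
  fi
}

# would_be_blocked: read file paths on stdin, print those the allowlist would
# refuse to serve. Run over the tree first:  find wp-content/uploads -type f | would_be_blocked
would_be_blocked() {
  grep -Eiv "\.($STATIC_EXT)$" || [ $? -eq 1 ]   # grep status 1 = nothing blocked; 2 = error
}

# expect_status URL CODE: after deploying, confirm the server honours the
# rule. An ignored .htaccess fails silently, so always check from outside.
expect_status() {
  got=$(curl -s -o /dev/null -w '%{http_code}' "$1")
  [ "$got" = "$2" ] || { echo "$1 returned $got, expected $2" >&2; return 1; }
}

# Usage:  sh harden-htaccess.sh deploy /var/www/html https://example.com
if [ "${1:-}" = "deploy" ]; then
  root=$2
  write_asset_allowlist "$root/wp-content/uploads"
  protect_wp_config "$root"
  echo probe > "$root/wp-content/uploads/probe.txt"
  expect_status "$3/wp-content/uploads/probe.txt" 403
  expect_status "$3/wp-config.php" 403
  rm -f "$root/wp-content/uploads/probe.txt"
fi
```

The preview step is the one to run before anything goes live: on a typical site it turns up PDFs, fonts or documents in the media library that the article's original extension list would have started returning 403 for.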

Keep Search Engines from Indexing the Admin Section

Search engine crawlers index almost everything unless told not to. Having your login page and admin section show up in search results does not by itself make them exploitable, but it advertises the site as WordPress and hands attackers a ready list of targets, so there is no reason to let it be indexed.

The easiest way to keep crawlers out is a robots.txt file in your web root. Each group of rules must begin with a User-agent line or the Disallow lines are ignored, and paths match by prefix, so no wildcard is needed:

User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-login.php

Do not extend this to wp-content or wp-includes: search engines need the CSS and JavaScript there to render your pages, and blocking them hurts ranking. Remember also that robots.txt is a request, not a control. Well-behaved crawlers honour it; attackers read it as a map. The admin area still has to be protected by authentication.

WordPress Hardening

Hardening WordPress is a great way to help secure your website as well. To read more about this solution, visit: http://codex.wordpress.org/Hardening_WordPress