Back in 2003, when WordPress was developed by Matt Mullenweg, it was meant to be an easy-to-use platform for bloggers to share their thoughts over the internet. But its easy-to-use interface and extreme scalability got the attention of webmasters around the world, and within a few years of its launch WordPress became the most popular CMS in the world. The WordPress we use today is far more advanced than what it was back then; although the name has stayed the same, WordPress is now so capable that you can build almost any kind of website you can think of with it.
Because WordPress is such a popular CMS for building new websites, for newbies as well as tech nerds, hackers all around the world spend a lot of their time looking for new loopholes in WordPress websites and constantly try to hack them. In fact, nowadays this is one of the major concerns among new businesses, and some of them avoid WordPress altogether because of this hackphobia. But in this post I’m going to share 10 tips with you which can make your site super secure and almost impossible to hack. I’ve been using these tips on my own site and my client sites for 4 years now, and in those 4 years none of these sites has ever been hacked, not even once.
1. Get fast & secure hosting
When it comes to hosting, people always look for the unlimited plans with unlimited space, unlimited bandwidth and unlimited domains because they think it will be cheaper that way. What they never understand is what a trap they are falling into. In short, there is nothing unlimited in this universe; not even sunlight, which is also going to run out one day, one way or another. Big brand companies use the “UNLIMITED” tag to lure newbie users online and then provide such a pathetic service that those users almost feel forced to upgrade to a more costly VPS server.
If you are looking for a blazing fast, fully SSD based hosting solution, I suggest you try out the BigScoots Pure SSD hosting plans (NOT the SSD accelerated ones). Always remember this as a thumb rule of the web: no matter how secure you make your website at the code level, a major part of the security responsibility lies with the servers where your sites are hosted.
2. Never use the default “admin” username
Nowadays installing WordPress on any server has become so easy that most people just overlook these minor things during installation. No matter whether you use the default WordPress installer or a one-click installer that comes with your server control panel, make sure you change the primary admin username from the default “admin” to something else. This is very important.
The reason it matters so much is that most hackers use brute force attack tools to guess your username and password until they get a successful login. If your admin username is actually “admin”, you have already made the hacker’s life extremely easy, because now they only have to crack your password.
3. Always use a super strong password
I know this is a very basic thing and everyone on the internet already knows it, but trust me, not everyone applies it when it is needed most. Make sure your WordPress admin password contains a combination of uppercase letters, lowercase letters, symbols (e.g. @, #, ?) and numbers, and is at least 9 characters long. This way you give the hacker a real pain to actually crack your password.
4. Always keep your WordPress core, themes & plugins updated
Trust me, this is one of the most common things I find on almost every client website I work on. Some keep WordPress updated but not the themes and plugins, fearing that it may break their well-functioning site, and some update the WP core and plugins but not the themes out of the same fear.
Though it is true that updating the WordPress core, a theme or a plugin may sometimes break your site, this only happens to the 0.001% of websites that use badly coded themes and plugins. The reason things break after an update is that sometimes the developer of the theme you are using, or of some plugin on your site, has stopped supporting and updating its code. So when WordPress deprecates a function, those themes/plugins still try to access it and end up throwing lots of PHP errors.
This is why I always suggest using a backup system like UpdraftPlus Premium or BackupBuddy and creating a backup of your entire site before updating. This way, if things get messed up, you can restore your previous working version of the site and then either hire a developer to look for what is causing the breakdown or investigate it yourself on your localhost if you are comfortable with coding.
No matter what the case is, always keep your site updated with the latest version of WordPress and of your installed themes and plugins. Developers release patches every other day to fix vulnerabilities in their software as soon as they are spotted or reported.
5. Delete the themes & plugins that you don’t use
I’ve seen many WordPress sites full of installed themes and plugins that they don’t even use. They just keep these things disabled and think they are not going to do any harm anyway because they are disabled. This is completely wrong. It is much easier for a hacker to get past your website’s security by targeting the vulnerabilities in old themes/plugins, or in things that are installed but disabled.
As these things are already disabled on your site, you are not going to notice any subtle change in the code of those themes/plugins, and hackers use this to their advantage. Also, many times when you install a plugin and then disable it, over time the plugin’s developer stops updating it, and hackers use the vulnerabilities in those old themes/plugins to hack your site.
So, only keep the things you actually use on your site. If there are plugins and themes installed in your WordPress installation that you don’t use, just DELETE them, whether it is a theme or plugin that came with the default WordPress installation or something you installed separately earlier. The same rule applies to them all: only keep the things you need and get rid of the rest.
6. Use the Jetpack Protect filter
That’s right. I know many people think Jetpack is a very resource-hogging plugin, but let me tell you that you are wrong about it. Jetpack is actually an amazing plugin made for WordPress. The problem is that people use it the wrong way, end up with a slow website, and then point the finger at this plugin.
After installing Jetpack most people just enable all the filters available within the plugin, which is not a good thing to do. Instead, go to Jetpack Settings in your WordPress dashboard, enable specifically those filters you truly need for your site and disable the rest.
But don’t forget to enable the “Protect” filter of Jetpack, as it will help keep your site from being attacked by brute force attackers and also safeguard it from fake login attempts. This is a really useful filter which will not only protect your site from hackers but also save it from server slowdown caused by the many random requests hackers send.
7. Use the Advanced noCaptcha reCaptcha plugin
Google’s noCaptcha reCaptcha is the successor of the original Google reCaptcha (v1), which used to show annoying, illegible captchas for a simple task. noCaptcha reCaptcha doesn’t show any annoying captcha; instead it just asks you to click a checkbox, and only if Google thinks your IP is suspicious does it ask you to select specific pictures from a list. This is really great and makes solving captchas a painless process.
In WordPress there is an awesome plugin named Advanced noCaptcha reCaptcha which lets you enable noCaptcha reCaptcha on your WordPress login page, signup page and even the comment form. This is great, because now hacker bots cannot just keep trying to guess your site’s login credentials, as they can’t get past the captcha.
Also, as noCaptcha reCaptcha is a Google project, you can always expect their fraud detection algorithm to keep improving on par with the latest hacking trends. I suggest you enable this plugin for your comment form too, which will not only reduce the number of spam comments but also save your site from hacker bots that try to do SQL injection via comment forms.
8. Only install trusted themes and plugins
Never install themes or plugins promoted in some marketing video or on spoofy marketing websites. Even though in most cases they offer a completely built website for free, there is a high chance that those themes and plugins contain malicious code which can compromise your website’s security.
If you are installing free themes or plugins, only install them through your WordPress plugin installer or download them from the WordPress plugin repository. Purchase or download themes and plugins only from trusted websites like ThemeForest, CodeCanyon etc.
9. Disable directory listing
On most web servers directory listing is enabled by default for many good reasons, but once your website development is complete, just open the .htaccess file present in the root directory or under the public_html directory of your server and add the following code at the top of your existing .htaccess code.
This will disable the directory listing feature of your server, and anyone who tries to access a server directory that doesn’t have an index.php file will get a 403 Forbidden error. The above code works for Apache as well as LiteSpeed servers, but if you have an Nginx server, contact your server admin to enable this on your website.
This is very important, because if you do not disable this feature, hackers can easily walk through your directory structure and find out exactly what files you have on your server and how they are arranged. This gives them the advantage of knowing your site perfectly. So make sure directory listing is disabled.
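As an added example (not code from the original post), here is a small POSIX shell helper that puts the `Options -Indexes` directive at the very top of an existing `.htaccess` without duplicating it when run again; it assumes an Apache or LiteSpeed host that honours `.htaccess` overrides.

```shell
#!/bin/sh
# Added example (not from the original post): put "Options -Indexes" at the very
# top of an existing .htaccess, without duplicating it on a second run.
# Assumes an Apache or LiteSpeed host that honours .htaccess Options overrides.
set -eu

DIRECTIVE="Options -Indexes"

# has_no_indexes FILE  -> exit 0 if FILE already turns directory indexes off
has_no_indexes() {
    [ -f "$1" ] && grep -qi '^[[:space:]]*Options[[:space:]].*-Indexes' "$1"
}

# ensure_no_indexes FILE  -> prepend the directive unless it is already present;
# a missing FILE is created containing only the directive.
ensure_no_indexes() {
    file="$1"
    if has_no_indexes "$file"; then
        echo "directory listing already disabled in $file"
        return 0
    fi
    tmp="$(mktemp)"
    printf '%s\n' "$DIRECTIVE" > "$tmp"          # new first line
    [ -f "$file" ] && cat "$file" >> "$tmp"      # keep existing rules below it
    mv "$tmp" "$file"
    chmod 644 "$file"                            # matches the 644 rule in tip 10
    echo "added '$DIRECTIVE' at the top of $file"
}

# Usage: ensure_no_indexes /home/user/public_html/.htaccess
```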
10. Set the proper permissions for files and folders
If you have cPanel access, log in to your file manager and make sure all the files of your site have their permissions set to 644 and all the directories have their permissions set to 755, unless some plugin specifically asks you to set a special permission on a particular folder, like some cache plugins that ask users to set the permission of the /wp-content/cache/ folder to 777. These are exceptional cases; for the rest of the files, follow the above permission structure.
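As an added example (not from the original post), the following POSIX shell functions audit a WordPress root for files that are not 644 and directories that are not 755, and optionally fix them, while leaving one plugin-specified folder (such as wp-content/cache) untouched; the paths in the usage lines are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): audit and fix WordPress file and
# directory permissions (files 644, directories 755), skipping one folder that a
# plugin legitimately needs writable, e.g. wp-content/cache. Uses POSIX find only.
set -eu

# list_bad_perms ROOT [EXCEPT_DIR]
# Prints every file that is not exactly 644 and every directory that is not
# exactly 755 below ROOT; EXCEPT_DIR (and its contents) is pruned from the walk.
list_bad_perms() {
    root="$1"; except="${2:-/nonexistent-exception}"
    find "$root" \( -type d -path "$except" -prune \) -o \
        \( \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \) \) -print
}

# count_bad_perms ROOT [EXCEPT_DIR]  -> number of offending paths
count_bad_perms() {
    list_bad_perms "$@" | wc -l | tr -d ' '
}

# fix_perms ROOT [EXCEPT_DIR]  -> chmod offenders to the expected modes
fix_perms() {
    root="$1"; except="${2:-/nonexistent-exception}"
    find "$root" \( -type d -path "$except" -prune \) -o \
        -type f ! -perm 644 -exec chmod 644 {} +
    find "$root" \( -type d -path "$except" -prune \) -o \
        -type d ! -perm 755 -exec chmod 755 {} +
}

# Usage (placeholder paths):
#   count_bad_perms /home/user/public_html /home/user/public_html/wp-content/cache
#   fix_perms       /home/user/public_html /home/user/public_html/wp-content/cache
```

Run `list_bad_perms` first and review the output before calling `fix_perms`, so that any other folder a plugin needs writable can be handled deliberately.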
What about plugins like Sucuri Scanner or Wordfence?
I know many people use plugins like Sucuri and Wordfence on their websites because they think these plugins will save their site from getting hacked, but I personally don’t use these on my website or my clients’ sites, and I won’t recommend anyone to use these plugins on their WordPress site either.
The reason is that these plugins will not save your site from getting hacked; they will just show you some malicious activity and might help you recover some core WordPress files after your site has already been hacked. There is no point installing these plugins on any WordPress site whatsoever.
Also, as these plugins constantly scan your site, they are actually very resource consuming, and in my opinion they waste your server resources instead of properly utilizing them. Instead of using these plugins, if you just follow the 10 thumb rules I’ve shared above, I can assure you that you don’t have to worry about getting your WordPress site hacked, and moreover none of my tips above is a resource hog.
What if I use Hide WordPress plugins?
Yes, there are a few plugins available (both free and paid) which claim to hide the fact that your site runs WordPress, but trust me, they only hide it from newbie or noob users; any hacker or anyone with good knowledge of WordPress and its structure can still identify your site as a WordPress site. So there is no actual benefit in using plugins like these.
Besides, these plugins have quite a few downsides. For example, if in future you decide not to use such a plugin anymore, the changed URL structure might break your site and it can be really hard to get your site back on track. I’ve also seen these plugins cause a lot of issues while migrating a site to another host or location. So I suggest everyone never use these plugins.
Why didn’t you say anything about blocking the default WordPress meta tags?
I know many sites out there deliberately ask their users to disable the default WordPress meta tags, which reveal that your site uses WordPress along with the version number, and claim that this will help keep their site from getting hacked.
But as I said above, you cannot hide your site’s CMS from hackers or knowledgeable programmers, so this is nothing but a waste of code. Besides, since it will not keep your site from getting hacked, why block the good words about WordPress? Developers around the world spend countless hours of their valuable time keeping the WordPress project running and fixing issues, and still offer it free of cost. So shouldn’t we have a minimum responsibility to spread the good word about the CMS? You are not providing any backlinks, just a few meta tags; what’s the harm in that? I do not use this on my own site and will not suggest anyone do so either.
If you are really worried about getting your WordPress site hacked (which you should be), you had better follow the 10 tips I’ve described above instead of installing a bunch of plugins and slowing down your site for no good reason.
As I said in the beginning, I’ve been using these tips on my own site and my clients’ sites for 4 years now and none of them has ever been hacked. Not a single time. But no matter what you do, don’t forget the importance of point 1, because a fast and secure host is the base of your site’s speed and security. Please never, ever use hosting services like GoDaddy, Bluehost, HostGator, JustHost, HostDime etc. These companies are just a bunch of crap who sell crappy hosting at an extremely cheap price, and you will end up with a slow and insecure hosting experience.
The hosts I’ve recommended above are all great providers with fast and secure servers, like my own server and hosting plans.
Has your site ever been hacked before? What did you do to restore it? Do you already follow all of my instructions above? Is there any other method you use to protect your site? Let me know your thoughts in the comment section below, where we can carry on this conversation.
You can also connect with me on Twitter @iSaumya. If you like this post, please don’t forget to share it with others who might enjoy reading it. Also, if you have any other ideas or requests for future posts, let me know in the comment section below or via Twitter.