As part of the Website Management service, I also take care of the security of customers’ websites. Thanks to this proactive prevention, the sites I manage have not been infected so far. Therefore, I want to share with you at least some of my recommended tips that will help you sleep better and make your WordPress site at least partially (no tool can give you 100% certainty) secure from possible infection. Along with securing the site, don’t forget to back it up regularly.
1. Update regularly
Have you made or had a website made? How are you doing with updates to WordPress itself, the theme used and any plugins installed? Do you update them regularly? Is everything in the state you started the page? WRONG! This is the first and basic rule of security – don’t underestimate updates.
The most common reasons for infecting your site are various security holes in un-updated WordPress, themes, or. its plugins. These are used by various bots (automated scripts) that scan pages on the Internet and look for security holes, through which they insert malicious code into the page, which can completely disable your site, or start to exploit it, for example. to spread spam.
It is the updates that will ensure that if the WordPresse itself, or the WordPresse a plugin has such a hole, its creators will fix it in an update and “close the door” to the possibility of inserting malicious code into the page. In addition to fixing known holes, many times updates will also bring speedups or new features to your site.
2. Provide an SSL certificate on the site
Nowadays, this is already a necessity. A site without an SSL certificate is not only marked as “insecure” in most modern browsers, but such sites, e.g. Google is moving down in the search rankings. A properly configured SSL certificate secures the browsing of your site via the https:// protocol, so that the communication between the server where the site is hosted and your browser is encrypted. For common types of sites, a free Let’s Encrypt certificate, which the hosting company where your site is hosted can install on your site (mostly) free of charge, is fully sufficient. If you use e.g. Websupport makes it a matter of a few clicks in their admin panel.
3. Use strong passwords
I firmly believe that after all the password leaks that have been flooding the internet lately, no one needs to be reminded to use strong, non-verbal passwords that are not easily guessed. Ideally, you should use a unique password for every single account you have on the Internet on each site that you don’t use anywhere else. To avoid having to remember all your passwords, it’s a good idea to use a password manager, I recommend the free program KeePass.
4. Do not use the “admin” account
The “admin” account is usually predefined in most systems, WordPress is no exception. So when a malicious person tries to hack into your site, the first thing they will try to do is log in with the username “admin”. If such an account exists on the site, it already has 50% of its success behind it… all he has to do is guess the password. And if you even have a weak password set up for that account, it’s only a matter of moments before someone manages to hack into your site. And so there is nothing stopping it from infecting your site. But if you use non-standard usernames, it’s even more complicated for attackers because they have to guess the correct username in addition to the correct password.
5. Do not use the table prefix “wp_” in the database
In older versions of WordPress, the default prefix of the tables in the database was set to “wp_”, in newer versions it can be changed during installation. Precisely because most WordPress databases use this standard prefix, potential attackers have an easier job when trying to infect your site, e.g. via the so-called SQL Injection method. When installing, therefore, always choose some other prefix of your own devising.
6. Disable editing of themes/plugins
By default, WordPress allows you to edit the source code of installed themes/plugins directly through the admin interface, which can pose a security risk. It is therefore appropriate to disable this functionality. You do this by editing the wp-config.php configuration file and adding the line:
define('DISALLOW_FILE_EDIT', true);
7. Disable PHP file launching
If an attacker manages to upload an infected PHP script to the directory where Multimedia is stored by default (/wp-content/uploads), he can easily execute it through the browser and cause damage. It is therefore advisable to disable the execution of PHP files in this directory. To do this, upload a file called .htaccess (including the dot at the beginning) to the /wp-content/uploads directory, where you write:
deny from all
8. Install a security plugin (firewall)
Even if you have applied all possible security tips to the site, it can still be infected. It is therefore more than desirable to have a security plugin installed on your site that will act as a firewall and automatically block all suspicious activity that happens on the site. The most famous plugins of this type include:
Personally, I recommend WordFence, which I also use on this site.
9. Only use themes/plugins from official sources
I’m sure you’ve come across sites that offer access to various premium themes/plugins for just a fraction of the price of their actual value. You say to yourself, great, at least you’ll save money. But beware! Such “fake” sites either sell cracked versions or sell off their multilicenses. By installing such a plugin, you can easily infect your website. Often, in addition to the original functionality, they also contain various malicious code that has been added in order to control your website, e.g. for sending spam, etc. Also, with such a theme/plugin purchased from an unofficial source, you will most likely not have access to automatic updates and support. Therefore, I do not recommend buying themes/plugins outside of official sources. It’s really not worth the few euros saved.
10. Change the URL for logging into the administration
I have written a separate article on this topic.
Conclusion
While you may be telling yourself that your site is insignificant enough for someone to bother infecting it, that’s not true. I dare to say that in 99% of cases the infection of the site is not due to some hacker tapping on the keyboard, but due to various automated scripts (bots) that crawl the Internet pages one by one and look for security holes in them. This is why the security of the site should not be underestimated. Entrust it to an expert before one day, when you open your site in the browser, you find that the page is broken or automatically opens instead, for example. some porn site.
Do you know any other useful tips for securing WordPress? Write them in the comments.
TIP: Increase site security. Use two-factor authentication.
