8 Easy Ways To Completely Secure Your WordPress Site
How to secure your WordPress website: WordPress is a very popular CMS for building websites. It is reasonably secure, rich in features and easy to modify, and you do not need to be a core coder to build a site with it. If you have some coding knowledge you can of course customise it further, but its popularity keeps growing mainly because it is so easy to modify: bundles of ready-made themes are available online, and after install and activate…BOOM…your site is ready. As I said, it is a well-maintained CMS, at least as secure as any comparable platform. But that popularity means thousands of sites are built on it every day, which in turn makes WordPress sites an easy target for attackers: one weakness reaches many sites at once. Today's topic is exactly that: how we can protect our beloved WordPress websites from attackers. So let's start with the 8 Easy Ways To Completely Secure Your WordPress Site.
Website attacks are mainly of two types:
- Personalized Web Attacks or PWA
- Random Web Attacks or RWA
Personalized web attacks: When a person or a group deliberately attacks one particular website, that is a PWA or Personalized Web Attack. These attacks target reputable websites by compromising their servers, for various reasons, sometimes financial, sometimes political. I will not cover this type of attack here at all.
Random Web Attacks: Today's topic is about this type of attack only. Here the attackers do not pick you in particular. They spread malware across the web in the form of infected sites and downloads, and whenever you visit one of their sites or download one of their files, you come under their control. You may not even know that your computer has already been compromised and is being used by someone else. When you run pirated software on your computer, or nulled themes and plugins on your website, your computer or website becomes a puppet in their hands. Always remember that nothing comes free in this world: the pirated material may cost nothing in money, but you pay for it by becoming part of their botnet. When the attackers want access to some site, they use those already-compromised computers to generate automated traffic against the important pages of the target (the login and admin pages), trying username and password combinations at high speed. This kind of attack is popularly known as a 'brute force attack'.
What I have described so far is only the basics, just to give you an idea of RWA. Nowadays attackers have become smarter than before.
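The brute-force pattern described above is easy to spot in your own web server access log: one source address sending many POSTs to wp-login.php and getting the login form back each time. The script below is an added example and not code from the original article. It reads a log in the common "combined" format (Apache or Nginx default), counts failed login POSTs per client, and flags sources above a threshold. The log lines inside demo_log are constructed for the demo using RFC 5737 documentation addresses, and the threshold of 5 attempts is an assumption to tune for your own traffic.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: detect login brute forcing
# in a combined-format access log. Sample log is constructed; threshold is
# an assumed value.
set -eu

# Print "count ip" for every client whose POST to wp-login.php came back
# with status 200, busiest first. WordPress re-renders the login form with
# a 200 on a failed login and answers a successful one with a 302 redirect,
# so a 200 POST is a failed attempt. In the combined format field 1 is the
# client IP, field 6 the quoted method ("POST), field 7 the path and
# field 9 the status code.
failed_logins_by_ip() {
  awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Print only the source IPs at or above the threshold (default 5 failures).
# The output is what you would feed to your firewall or IP blocker.
flag_bruteforce() {
  local threshold="${2:-5}"
  failed_logins_by_ip "$1" | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Constructed sample log: one bot failing six times, one real user who logs
# in successfully (302) and then opens wp-admin, and an unrelated visitor.
demo_log() {
  local f
  f="$(mktemp)"
  cat > "$f" <<'EOF'
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:04 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:02:15:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:02:15:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 18211 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:02:16:00 +0000] "GET / HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
EOF
  printf '%s' "$f"
}

LOG="$(demo_log)"
echo "Failed POSTs to wp-login.php per IP:"
failed_logins_by_ip "$LOG"
echo "Flagged sources (5 or more failures):"
flag_bruteforce "$LOG"
```

Against a real server, point it at the live log instead of the demo file (for example failed_logins_by_ip /var/log/apache2/access.log) and run it from cron; the legitimate user in the sample is not flagged because a successful login is a 302, not a 200.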
Now let's move to the main topic. WordPress itself is a secure platform, but we still need to take some steps on our end to close the doors that are most often attacked. Otherwise the day is not far off when you still appear to be the owner of your website, but some other group controls it from the back end and uses it as a tool for their own illegal activity.
Common WordPress Vulnerabilities
Common Vulnerable Doors Of WordPress & How To Close Them:
1. Keep WordPress updated: Before starting, my first advice is to keep your WordPress site updated at all times. WordPress regularly releases security fixes, and the same applies to the themes and plugins you install. This is the first and foremost rule: always update and upgrade your WordPress version to keep your site secure.
2. Secure wp-admin: This is the most important door of WordPress and the one most often attacked. Go to any ordinary WordPress site and add /wp-admin to the address (www.yoursite.com/wp-admin), hit enter, and you will see the back-end admin login page, because wp-admin redirects to wp-login.php. Attackers hit this page first, because it is the direct route to your website's admin panel.
So first we need to stop public access to this page. We cannot remove it, because then we would lose control of our own website. There is a very easy solution: change the wp-admin URL. This is also called a 'hidden wp-admin'. If you are a coder you can modify WordPress to do this yourself, but if you are an amateur, do not touch the code at all: one mistake and you lose access to the admin panel. Instead use a plugin that does the same job intelligently. It does not change the core code; it simply serves the login page at a URL of your choice and makes the default one inaccessible. The plugin is WPS Hide Login.
Two or three other plugins do the same thing, but believe me, they can conflict with other plugins, and some features of your website may stop working because of their complex code. WPS Hide Login works with any theme and any plugin without any conflict. Keep in mind that a hidden login URL is obscurity: it cuts the automated noise hitting the default URL, but it is no substitute for strong, unique passwords on every admin account.
3. Secure your theme's functions.php: This file is worth protecting, because it is a favourite place for attackers to inject code once they get in. It lives in your theme's main folder and in the child theme's folder. You can easily stop it from being modified by changing its permissions in cPanel.
Log in to your cPanel > open the File Manager for your WordPress site > wp-content > themes > select your active theme > right-click functions.php > select 'Change Permissions' > set it to 444. Do the same in the child theme (if one exists). The file is now read-only: the dashboard file editor, and any script running as the web server user, can no longer write to it. Note that 444 stops edits, not execution; PHP still reads and runs the file normally, and an attacker who already has shell access as the file's owner can simply change the permission back, so treat this as a speed bump rather than a wall. If you later want to add code to functions.php, you also need to do it from cPanel: set the permission back to 644, make the change, then set 444 again.
4. Secure WordPress post.php: This core file is also a common target, typically for being overwritten with an attacker's own copy (see item 5). It is located in the wp-includes folder. Change its permission to 444 in the same way, with the same caveat: this blocks writes, not execution.
5. Secure the WordPress wp-includes folder: Sometimes you find that your website does not open at all. You may panic and think all your hard work is gone forever! First of all, it is highly recommended that you keep a backup of your website.
Secondly, let's find out why this happens. There can be various reasons; I will discuss them in more detail in a future article, and here I want to stick to the topic. In that case I would ask you to first check the 'Port80' option in your cPanel and see whether it is blocked or not. If it is already blocked (you can see this by clicking on the 'Port80' option), you will see a list of corrupted files that need to be modified there. Just modify or remove them (with caution) to unblock the port. This is how I came to know the 'random file inclusion or insertion' vulnerability.
Hackers replace the original WordPress post.php with their own coded post.php, and at that point the server's security scan blocks the activity and hence blocks the server's public communication port, so that the infection cannot spread to the whole server. On one of my client's websites this started happening on a daily basis. At first they did not inform me about it; they thought they could handle it, but when they failed to solve the problem they contacted me. The same thing was repeating at a fixed time slot every day. It was a real challenge for me to solve it. At first I thought the theme my client was using had a vulnerability, so I changed it to others, but the result was the same.
This was all about the wp-includes folder; everything was happening inside this folder only, according to the 'Port80' report. Finally I solved it by applying some coding rules. Some of them are very much core coding, and I am not going into that here; I will discuss it in a separate article in a descriptive way, otherwise this article will become very lengthy. But I am going to discuss the basic level of security coding now.
To secure wp-includes we can take the help of .htaccess. You will see this file in the root directory of the site; if you cannot see it, you can create one. In this case we will not use the root .htaccess. Instead, create a .htaccess file inside the 'wp-includes' folder and put the following in it. Note that a bare 'deny from all' here would also block the JavaScript and CSS that every page loads from wp-includes and break the front end, so the rule is limited to PHP files, which is what the comment intends:
# Kill PHP Execution
<Files *.php>
deny from all
</Files>
On Apache 2.4 the equivalent directive is 'Require all denied'. Reload the front end after saving the file to confirm that pages still render correctly.
A very useful plugin to enhance the security of your website is the WordPress Security Enhancer plugin. But this plugin is not compatible with all themes and plugins, so before enabling all of its features, apply them one at a time and check whether each one conflicts with your other plugins or your theme.
6. Secure the wp-config.php file: This file contains all the configuration information (including the database credentials) of your WordPress site. To secure it, add the following line to this file:
define('DISALLOW_FILE_EDIT', true);
This disables the theme and plugin code editor in the WordPress dashboard, so an attacker who gets into the admin panel cannot use it to edit PHP files on your server.
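The file-level steps above (3 to 6) carried out from a shell instead of the cPanel file manager, as an added example that is not part of the original article. It assumes the standard WordPress directory layout; the miniature site tree it builds under mktemp is constructed for the demo and is not a real install. It goes slightly beyond the article in one respect: it makes every theme's functions.php read-only, not only the active theme and its child, which is safe because the change only blocks writes.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: apply steps 3-6
# (read-only functions.php and post.php, PHP-blocking .htaccess in
# wp-includes, DISALLOW_FILE_EDIT in wp-config.php) to a WordPress root
# and verify each one. The demo tree at the bottom is constructed here.
set -eu

# Steps 3 and 4: owner, group and world read-only (0444). This stops the
# dashboard editor and a compromised web process from *writing* the file;
# PHP still reads and runs it, so this does not "disable" the file.
make_readonly() { chmod 0444 "$1"; }

# True (exit 0) when the file is exactly mode 0444.
is_readonly() { [ -n "$(find "$1" -maxdepth 0 -perm 0444 2>/dev/null)" ]; }

# Step 5: block direct requests to *.php under wp-includes only. A bare
# "deny from all" there would also block the JS and CSS every page loads
# from wp-includes, so the rule is scoped with <Files>. Apache 2.4 and
# 2.2 access syntaxes are both emitted inside <IfModule> guards.
write_includes_htaccess() {
  cat > "$1/wp-includes/.htaccess" <<'EOF'
# Kill PHP Execution
<Files *.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Files>
EOF
}

# Step 6: add DISALLOW_FILE_EDIT to wp-config.php exactly once, above the
# "stop editing" marker line; appended at the end if the marker is absent.
disable_file_editor() {
  local cfg="$1/wp-config.php"
  if grep -q "DISALLOW_FILE_EDIT" "$cfg"; then
    return 0   # already present, leave the file untouched
  fi
  awk -v line="define('DISALLOW_FILE_EDIT', true);" '
    !done && /stop editing/ { print line; done = 1 }
    { print }
    END { if (!done) print line }
  ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# True when the dashboard file editor is disabled in wp-config.php.
file_editor_disabled() {
  grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true" "$1/wp-config.php"
}

# Apply all four steps to a WordPress root. Re-running is harmless.
harden_wp_root() {
  local root="$1" f
  for f in "$root"/wp-content/themes/*/functions.php; do
    if [ -e "$f" ]; then make_readonly "$f"; fi
  done
  make_readonly "$root/wp-includes/post.php"
  write_includes_htaccess "$root"
  disable_file_editor "$root"
}

# Constructed demo tree (not a real install) so the script runs offline.
demo_root() {
  local d
  d="$(mktemp -d)"
  mkdir -p "$d/wp-includes" "$d/wp-content/themes/parent" "$d/wp-content/themes/child"
  printf '%s\n' '<?php // core file' > "$d/wp-includes/post.php"
  printf '%s\n' '<?php // parent theme' > "$d/wp-content/themes/parent/functions.php"
  printf '%s\n' '<?php // child theme' > "$d/wp-content/themes/child/functions.php"
  printf '%s\n' '<?php' "define('DB_NAME', 'wp');" \
    "/* That's all, stop editing! Happy publishing. */" \
    "require_once ABSPATH . 'wp-settings.php';" > "$d/wp-config.php"
  printf '%s' "$d"
}

DEMO="$(demo_root)"
harden_wp_root "$DEMO"
harden_wp_root "$DEMO"   # second run: still only one define line
is_readonly "$DEMO/wp-includes/post.php" && echo "post.php: read-only"
is_readonly "$DEMO/wp-content/themes/child/functions.php" && echo "child functions.php: read-only"
file_editor_disabled "$DEMO" && echo "wp-config.php: file editor disabled"
echo "wp-includes/.htaccess:" && cat "$DEMO/wp-includes/.htaccess"
```

To use it on a real site, run it with bash and call harden_wp_root /path/to/your/wordpress; remember that you will have to set 644 on functions.php or post.php before you can edit them again, and that the .htaccess only takes effect on Apache with .htaccess overrides enabled.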
7. Use the Wordfence Security plugin: To make your site more secure, you can use this plugin. But remember that it is a very resource-hungry plugin and can slow down your site if your server is not well optimised. It implements a firewall in front of your website.
8. Use Cloudflare: Putting your site behind Cloudflare takes its security to the next level, because requests pass through Cloudflare's proxy network before they reach your server.
By following the steps above you will secure your site reasonably well. For more security, serve the site over HTTPS with a TLS certificate (still commonly called SSL, after the older Secure Sockets Layer protocol), so that admin passwords are not sent across the network in clear text. You can see that FatSage also runs on HTTPS.