There are certainly many content management systems in the world, but none of them are comparable to WordPress. WordPress security and its practical tips to prevent WordPress Hacking websites are some of the reasons for its popularity.
Of course, you should note that the millions of sites we have mentioned are always involved in finding a way to avoid the potential risk of being hacked by hackers, because no lock is completely and forever impenetrable, which is what we want to do today and give you some tips to so you can keep your website safe in advance, and you will surely agree that prevention is better than cure. So, make sure you follow the tips in this case. If you do not as we tell you, sooner or later your website will be easily hacked by hackers.
In this article, we will review 17 relatively simple ways to make WordPress more secure.
ways to prevent Hacking websites
- Do not use the “admin” username.
During WordPress installation, never use “admin” as your username for your main admin account. It is easy for hackers to guess such a username. In that case, what hackers need to know to manipulate your entire site is just a password. It is best to use a username that combines letters and numbers. For example: s96r2v or w61sSy.
- Frequently update to the latest version.
Always have an up-to-date website. To close the gaps that can be penetrated by hackers. New updates will usually be available on the main WordPress website [http://wordpress.com/] or the admin homepage (wp-admin). Updates you need to do: Like plugins, themes, and everything else, so don’t forget to update them regularly.
- Delete your WordPress version number.
Your current WordPress version number can be easily understood. In fact, it is located in the viewable section of the site source.
In the source of the site, there is a version number of your WordPress that if hackers find out, they can easily carry out a perfect attack.
You can hide your version number with almost any of the security plugins mentioned above.
The “readme.html” file contains your WordPress version. Delete the file immediately after upgrading WordPress.
- Delete the “install.php” file.
The “wp-admin / install.php” file is only used when installing WordPress. It is No longer needed if WordPress is already running. so, delete the file from your WordPress.
Do not use the default WordPress template.
Do not use the default WordPress templates including “2010”, “2011” and “Classic” and just delete them. Because without any user, Hackers still can attack , So use a secure template.
- Use a strong password.
Change site passwords regularly. Improve their power by adding uppercase, lowercase letters, numbers, and special characters, it can help us so we can get the maximum power of the password.
7. Protect the “wp-config.php” file.
We must make sure that no one has access to these files. The wp-config.php file stores important information about your WordPress setup, and this is actually the most important file in your site’s root directory.
Protecting it means protecting the core of your WordPress blog. If the wp-config.php file is inaccessible to hackers, it can be difficult for them to compromise your site.
The good news is that this is really easy to do. Just import your wp-config.php file and move it to a higher level than your root directory.
Now the question is, if the file is stored elsewhere, how will the server access it? In the current WordPress architecture, the configuration file settings are set to the highest priority list. So, even if it is saved once above the root directory, WordPress can still figure it out.
Another way to improve the security of your WordPress, is to disable the editing of these files through the editor. You can do this within your wp-config.php file by adding this line of code:
define (‘DISALLOW_FILE_EDIT’, true);
- Use two-step authentication.
Putting 2FA on the login page is another good security measure. In this case, the user creates the login details with two different components that the website owner decides what those two components are. The component can be an ordinary password with the understanding of the secret question, the secret code, the set of characters, and so on.
9. Change the WordPress database table prefix.
This method is quite effective. But it is very difficult. Especially if the website is already running. The trick is to back up your database first. For example, change each prefix “wp_” to another prefix such as “newp_”.
If you have a WordPress website with a default prefix, then you can use several plugins to change it. Plugins like WP-DBManager or iThemes Security can help you with just one click. (Make sure you have a backup of your site before doing anything in the database)
- Back up your site regularly.
No matter how secure your website is, you can always improve it for better. But at the end of the day, save the backup off-site, which is probably where the best safe places are.
If you have backups, you can get your WordPress website up and running whenever you want. Some plugins can help you with this.
If you are looking for a great solution, then I recommend Automattic VaultPress which is great. I have installed this plugin that backs up every 30 minutes and I can easily restore any bad thing that happened to the site with one click. Most importantly, it scans my site for malware and reports anything suspicious.
- Connect properly to the server.
When setting up your site, just connect to the server via SFTP or SSH. SFTP is always preferred over traditional FTP because its security features are not the same as FTP.
Connecting to a server like this can ensure the secure transfer of all files. Many web hosting providers offer this service as part of their package, otherwise, you can do it manually (Google is just for training, but there is a lot outside of Google).
- Set directory permissions carefully.
Wrong directory permissions can be malicious, especially if you use a shared web hosting environment.
In such a case, changing directory files and permissions is a good thing to secure the website at the web host level. Setting directory permissions to “755” and files to “644” can protect all system files, directories, subdirectories, and personal files.
This change can be done either manually through the file manager inside your web host control panel or through the terminal (connected to SSH) where you have to use the “chmod” command.
Learn more about the WordPress license rule or installing the iThemes security plugin to check your current license settings.
- Disable the directory list with htaccess.
If you have created a new directory for a part of your website and did not include the index.html file, you may be shocked to learn that your visitors can access all the contents of the directory listing.
For example, if you create a directory called “data”, you can see all the contents of that directory in your browser by typing www.example.com/data. You do not need a password or anything else.
- Monitor your files.
If you want more security, you can monitor changes to website files through plugins like Wordfence or even iThemes Security.
- Add user accounts carefully.
If you run a WordPress blog or preferably a multi-author blog, then you need to deal with the few people who have access to your admin panel. This can make your website more vulnerable to security threats.
If you want to make sure all users’ passwords are secure, you can use a plugin like Force Strong Passwords for them. This is just a precaution.
- Use Network Security to prevent WordPress hacking.
Using an insecure (unencrypted) connection may cause loss data or may be before you can say “unencrypted ” hackers hack your website. thats why you need to focus on secure and encrypted network communications: server-side, client-side, and all sides. Find a host that allows SFTP / SSH encryption to protect your data against malicious intercepts.
- Scan your computer.
If our computers get into the malware, then it becomes a tool for malware writers to access our system/host website. So, you should always scan the computer/laptop that you use regularly.
Here are the best security plugins for WordPress security:
Install and activate one of the following 3 plugins.
- Better WP Security
- Bulletproof Security
- Automatic Updater
Learning how to secure WordPress cannot 100% secure your website. most of them do not fill the security gap completely. There is no complete security forever. This means that not all settings can be saved afterward, because tomorrow they may no longer be considered safe and secure.