How to improve WordPress website security

Nowadays most content management systems (CMS) and web applications face the same security problems, for several reasons:
– The CMS keeps its passwords and settings in well-known files located in the same directories for every account (wp-config.php, the wp-admin/ directory, etc.), so once an attacker gains partial access they are very easy to locate and modify.
– The admin panel (wp-admin) runs under the same domain and uses the same codebase and permissions as the rest of the application.
– Admin users can install a plugin or theme, which can then modify any file or change anything in the database (this is the usual route for corrupted, non-official, outdated, self-modified or fraudulent themes and plugins).

To improve the security level of your WordPress installation, please follow the recommendations and instructions below: prevent WordPress from modifying its own files, remove write permission to all files from admin users, and prevent themes and plugins from modifying any file. This can be done manually or with security plugins.
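The manual route, as an added example that is not part of the original article or of any plugin it mentions: a Python script that sets the two real wp-config.php constants DISALLOW_FILE_EDIT (removes the dashboard code editor) and DISALLOW_FILE_MODS (blocks theme and plugin installs and updates from the dashboard), applies 755/644 permissions with 600 for wp-config.php, and audits the result. The permission policy assumes PHP runs as your own account user, as it does on typical cPanel shared hosting; the function names (harden, audit), the audit rules and the sample install the script builds are constructed for this example. With DISALLOW_FILE_MODS set, core, theme and plugin updates must be applied outside the dashboard, for instance through Softaculous as section 2 recommends.

```python
import re
import stat
import tempfile
from pathlib import Path

# Real wp-config.php constants that WordPress honours:
# DISALLOW_FILE_EDIT removes the theme/plugin code editor from the dashboard;
# DISALLOW_FILE_MODS additionally blocks installing or updating themes and
# plugins from the dashboard, so code only changes via out-of-band tooling.
HARDENING_DEFINES = {
    "DISALLOW_FILE_EDIT": "define('DISALLOW_FILE_EDIT', true);",
    "DISALLOW_FILE_MODS": "define('DISALLOW_FILE_MODS', true);",
}
STOP_EDITING_MARKER = "/* That's all, stop editing!"

# Assumed permission policy (example only): PHP runs as the account user,
# so wp-config.php needs no group or world access at all.
DIR_MODE, FILE_MODE, CONFIG_MODE = 0o755, 0o644, 0o600


def ensure_defines(config_text):
    """Insert missing hardening defines before the stop-editing marker
    (or append them if the marker is absent). Returns the new text."""
    missing = [line for name, line in HARDENING_DEFINES.items()
               if not re.search(r"define\(\s*['\"]%s['\"]" % name, config_text)]
    if not missing:
        return config_text
    block = "\n".join(missing) + "\n"
    idx = config_text.find(STOP_EDITING_MARKER)
    if idx == -1:
        return config_text.rstrip("\n") + "\n" + block
    return config_text[:idx] + block + config_text[idx:]


def fix_permissions(docroot):
    """Apply the policy below docroot; return the number of paths changed."""
    changed = 0
    for path in Path(docroot).rglob("*"):
        if path.is_symlink():
            continue  # never chmod through a link
        want = DIR_MODE if path.is_dir() else FILE_MODE
        if path.is_file() and path.name == "wp-config.php":
            want = CONFIG_MODE
        if stat.S_IMODE(path.stat().st_mode) != want:
            path.chmod(want)
            changed += 1
    return changed


def harden(docroot):
    """Apply both measures; returns a small report dict."""
    config = Path(docroot) / "wp-config.php"
    old = config.read_text()
    new = ensure_defines(old)
    if new != old:
        config.write_text(new)
    return {"defines_added": new != old, "paths_changed": fix_permissions(docroot)}


def audit(docroot):
    """Return a list of findings; an empty list means the install passes."""
    docroot = Path(docroot)
    findings = []
    text = (docroot / "wp-config.php").read_text()
    for name in HARDENING_DEFINES:
        if not re.search(r"define\(\s*['\"]%s['\"]\s*,\s*true\s*\)" % name, text):
            findings.append("%s is not set to true" % name)
    for path in docroot.rglob("*"):
        if path.is_symlink():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        rel = path.relative_to(docroot)
        if mode & 0o022:
            findings.append("%s is group/world writable (%s)" % (rel, oct(mode)))
        if path.name == "wp-config.php" and mode & 0o077:
            findings.append("wp-config.php is readable by others (%s)" % oct(mode))
    return findings


def make_sample_site():
    """Constructed, deliberately sloppy install in a temp dir (sample data
    for this example, not a real site); returns its path as a string."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    plugin_dir = root / "wp-content" / "plugins" / "example"
    plugin_dir.mkdir(parents=True)
    (root / "wp-config.php").write_text(
        "<?php\n"
        "define('DB_NAME', 'example_db');\n"
        "/* That's all, stop editing! Happy blogging. */\n"
        "require_once ABSPATH . 'wp-settings.php';\n")
    (root / "wp-config.php").chmod(0o644)       # readable by group/others
    (plugin_dir / "plugin.php").write_text("<?php\n// example plugin\n")
    (plugin_dir / "plugin.php").chmod(0o666)    # world writable file
    plugin_dir.chmod(0o777)                     # world writable directory
    return str(root)


if __name__ == "__main__":
    site = make_sample_site()
    print("before:", audit(site))
    print("harden:", harden(site))
    print("after: ", audit(site))
```

Run the file as-is to see the audit on the constructed sample; on a real site, call audit() on the document root first and read the findings before calling harden(), and keep the backup from section 1 at hand.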

1. Backups

This is the first and most important step. Before you apply any changes, make sure to back up your entire WordPress installation and its databases.

To create a backup you can use the Softaculous WordPress Backup option:

http://www.softaculous.com/docs/How_to_Backup_an_Installation

It is also recommended to create regular backups of your entire cPanel account using the cPanel -> Backup Wizard tool and choosing Full cPanel Backup.

An even more advanced and convenient solution for creating backups is CodeGuard (CG below). Its main advantage is the possibility of creating *automated* backups of your WordPress site. Using CG you can partially or completely restore your site if changes appear that you wish to get rid of. As CG is fully integrated into your cPanel, only a few clicks are required to start taking advantage of this feature.

[Screenshot: wordpress_hack_00]
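For a command-line alternative to the tools above, here is an added example (not part of the original article, nor of Softaculous, cPanel or CodeGuard): a Python script that archives the site files with a sha256sum-compatible manifest, verifies the archive without extracting it, and builds the mysqldump command for the database with credentials read from an options file rather than the command line. The skipped directory names, the layout of the constructed sample site and the function names are assumptions for this example; the mysqldump flags and the --defaults-extra-file behaviour are standard MySQL client options.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

# Directory names skipped when archiving (regenerated by WordPress/plugins):
# an assumption for this example, adjust to your site.
SKIP_DIR_NAMES = {"cache", "upgrade"}


def sha256_of(fileobj):
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()


def mysqldump_argv(db_name, defaults_file):
    """argv for dumping the database. Credentials come from a 0600 options
    file via --defaults-extra-file (which must be the first option), never
    from the command line where `ps` would show them."""
    return ["mysqldump", "--defaults-extra-file=%s" % defaults_file,
            "--single-transaction", "--routines", "--triggers", db_name]


def create_backup(docroot, dest_dir, label="wordpress"):
    """Tar the site files and write a sha256sum-compatible manifest beside
    the archive. Returns {'archive': Path, 'manifest': Path, 'files': count}."""
    docroot, dest_dir = Path(docroot), Path(dest_dir)
    archive = dest_dir / ("%s-%s.tar.gz" % (label, time.strftime("%Y%m%d-%H%M%S")))
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for path in sorted(docroot.rglob("*")):
            rel = path.relative_to(docroot)
            if SKIP_DIR_NAMES.intersection(rel.parts[:-1]):
                continue  # inside a skipped directory
            if path.is_file() and not path.is_symlink():
                with open(path, "rb") as f:
                    manifest[rel.as_posix()] = sha256_of(f)
                tar.add(str(path), arcname=rel.as_posix())
    manifest_path = dest_dir / (archive.name + ".sha256")
    manifest_path.write_text("".join("%s  %s\n" % (d, n) for n, d in sorted(manifest.items())))
    return {"archive": archive, "manifest": manifest_path, "files": len(manifest)}


def verify_backup(archive):
    """Re-hash every member inside the archive and compare with the manifest
    without extracting to disk; True only if both sides match exactly."""
    archive = Path(archive)
    expected = {}
    for line in (archive.parent / (archive.name + ".sha256")).read_text().splitlines():
        digest, name = line.split("  ", 1)
        expected[name] = digest
    seen = {}
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                seen[member.name] = sha256_of(tar.extractfile(member))
    return seen == expected


def make_sample_site():
    """Constructed docroot with a few files and a cache dir that must be
    skipped, plus an empty destination dir; returns (site, dest) as strings."""
    root = Path(tempfile.mkdtemp(prefix="wp-site-"))
    (root / "wp-content" / "cache").mkdir(parents=True)
    (root / "wp-content" / "uploads").mkdir()
    (root / "index.php").write_text("<?php // sample\n")
    (root / "wp-config.php").write_text("<?php define('DB_NAME', 'sample');\n")
    (root / "wp-content" / "uploads" / "a.txt").write_text("upload\n")
    (root / "wp-content" / "cache" / "page.html").write_text("cached, not needed\n")
    return str(root), tempfile.mkdtemp(prefix="wp-backup-")


if __name__ == "__main__":
    site, dest = make_sample_site()
    report = create_backup(site, dest)
    print(report, "verified:", verify_backup(report["archive"]))
    print(" ".join(mysqldump_argv("example_db", "/home/user/.my.cnf")))
```

The manifest uses the "digest  name" layout, so after extracting on another machine `sha256sum -c` against it gives the same check; the database dump produced by the mysqldump command should be stored next to the archive and hashed the same way.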

2. Updates

Keep your WordPress installation and themes/plugins updated to the latest version. Make sure that your blog’s version is up to date. The WordPress team works constantly on patches that fix security “holes” and backdoors. Follow the WordPress feed (link to WP feed) to find out about the latest updates.

PS: it is possible to import your current installation into Softaculous and upgrade it from there later. For that we recommend checking the Softaculous instructions:
http://www.softaculous.com/docs/How_to_Import_an_Installation

3. Avoid “free” themes and plugins for WordPress.

Many custom “free” WordPress themes include base64-encoded code, which is often used to hide malicious code. By installing such a theme you can easily upload malware into your own account. This is how most “hackers” get access to your files and site.

We recommend using content only from the official resource at WordPress.org, http://wordpress.org/extend/ . It is the safest place to get themes and plugins.

Additionally: if you are still not convinced by our arguments, please make sure you check the following thread – http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else
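A simple way to inspect a downloaded theme or plugin before installing it, as an added example that is not part of the original article or of any WordPress project: a Python scanner that walks a theme directory and flags the obfuscation idioms the section above describes (eval() wrapped around base64_decode()/gzinflate(), bare base64_decode() calls, long base64 literals, includes from remote URLs) and gives each file a risk score. The rule set, its weights, the function names and the constructed sample theme are assumptions for this example. A hit is a reason to review the code or discard the theme, not proof of malware: some legitimate plugins call base64_decode() for harmless reasons.

```python
import base64
import re
import tempfile
from pathlib import Path

# Each rule is (name, weight, pattern). Weights are an assumption for this
# example; the patterns are the obfuscation idioms the article warns about.
RULES = [
    ("eval_of_decoded", 10,
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("base64_decode_call", 4, re.compile(r"\bbase64_decode\s*\(")),
    ("eval_call", 3, re.compile(r"\beval\s*\(")),
    ("long_base64_literal", 3, re.compile(r"['\"][A-Za-z0-9+/]{80,}={0,2}['\"]")),
    ("remote_include", 5,
     re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://")),
]


def scan_source(text):
    """Return [(line_number, rule_name)] for every rule hit in one PHP file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, _weight, pattern in RULES:
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def risk_score(hits):
    weights = {name: weight for name, weight, _ in RULES}
    return sum(weights[name] for _, name in hits)


def scan_tree(root, suffixes=(".php",)):
    """Scan every PHP file below root. Returns {relative_path: {"hits": [...],
    "score": n}} containing only files with at least one hit."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            try:
                hits = scan_source(path.read_text(errors="replace"))
            except OSError:
                continue
            if hits:
                report[path.relative_to(root).as_posix()] = {
                    "hits": hits, "score": risk_score(hits)}
    return report


def make_sample_theme():
    """Constructed sample theme: one clean file and one with an obfuscated blob.
    The blob is harmless text, encoded only so the scanner has something to find."""
    root = Path(tempfile.mkdtemp(prefix="theme-sample-"))
    (root / "functions.php").write_text(
        "<?php\nfunction sample_setup() {\n    add_theme_support('post-thumbnails');\n}\n"
        "add_action('after_setup_theme', 'sample_setup');\n")
    blob = base64.b64encode(b"constructed sample text, nothing harmful here " * 2).decode()
    (root / "footer.php").write_text(
        "<?php\n// obfuscated code hidden in a footer template (constructed sample)\n"
        "eval(base64_decode('%s'));\n?>\n<footer>sample</footer>\n" % blob)
    return str(root)


if __name__ == "__main__":
    for name, info in scan_tree(make_sample_theme()).items():
        print(name, "score", info["score"], info["hits"])
```

Point scan_tree() at the unpacked theme or plugin directory before you upload it; files with a high score deserve a manual read of the flagged lines, and a theme whose only "feature" there is an eval() of an encoded string is exactly the kind the section above tells you to avoid.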

4. Secure Login/Password.

The default WordPress login is “admin” and most hackers know that. It should be changed to a custom one with a strong password which includes upper- and lower-case letters, numbers and symbols.

Assuming you use Softaculous, you specify the username on the installation screen.

[Screenshot: wordpress_hack_01]

Also, it is not recommended to reuse passwords from your accounts on other web resources.
The same suggestions apply to the admin email account.

You can change your password from the /wp-admin area -> Users -> Edit.

Both the username and the password can also be changed with phpMyAdmin.

Please find details at: http://codex.wordpress.org/Resetting_Your_Password

5. Change the Table Prefix (this applies to any hosting, not just ours)

The default table prefix for WordPress is wp_ . SQL injection attacks are easier with the default table prefix because the table names are easier to guess.

If you install WordPress from Softaculous, you can set a custom “table prefix” and “database name” on the installation screen:

[Screenshot: wordpress_hack_01-1]

If you have already installed WordPress you can still change the database prefix. We do not recommend doing it manually; you can use a plugin such as “Better WP Security” for this purpose:
http://wordpress.org/extend/plugins/better-wp-security/

Once it is installed, in the Dashboard you can find the option
“6. Your table prefix…” and the link “Click here to rename it.”
Then you can change the prefix of your database with this tool.

NOTE: please create backups of your databases before applying any changes.

[Screenshot: wordpress_hack_01-2]

6. Security Plugins.

Please note that it is not recommended to make any changes to .htaccess and other config files on your own.

We recommend that you download and enable the following security plugins. They help keep your WordPress website secure:

– WordPress Firewall 2:
http://wordpress.org/extend/plugins/wordpress-firewall-2/

This WordPress plugin inspects web requests with simple, WordPress-specific heuristics to identify and stop the most obvious attacks.

[Screenshot: wordpress_hack_02]

Main settings (the numbers refer to the screenshot):

1. Here you can choose the options and actions that the firewall will block.
2. Here an email address can be specified to receive warnings and notifications from the plugin.
3. With this option you can whitelist your own IP address and other trusted IP addresses.

– BulletProof Security:
http://wordpress.org/extend/plugins/bulletproof-security/

BulletProof Security uses .htaccess website security files, which are specific to Apache Linux servers. The BulletProof Security WordPress plugin is designed to be a fast, simple, one-click security plugin that adds .htaccess protection to your WordPress website.

[Screenshot: wordpress_hack_03]

There are many options available in the BulletProof Security plugin; you can find details under the “Read Me” option. The main one we are going to use is .htaccess protection, which can be enabled with the “BulletProof Mode” radio button for each .htaccess file.

– Better WP Security:

http://wordpress.org/extend/plugins/better-wp-security/

As most WordPress attacks are the result of plugin vulnerabilities, weak passwords and obsolete software, Better WP Security hides the places where those vulnerabilities live, preventing an attacker from learning too much about your site and keeping them away from sensitive areas such as the login and admin pages.

[Screenshot: wordpress_hack_04]

Many different security options are available in this plugin, but you can simply enable basic security mode using “Secure My Site From Basic Attacks” (1.), or enable each separate option you need (2.).

7. Account and external security.

Do not forget to keep your local environment updated and free of viruses. It is also very important to protect your hosting (cPanel) account.

Please use secure passwords and an SFTP connection type for FTP/file uploads.

Change your cPanel password regularly. Please use strong passwords (with upper- and lower-case letters Aa-Zz and special symbols), and we recommend that you change the passwords for all your email accounts as well.

Do not store passwords in places where they can be obtained easily (e.g. a passwords.txt file on the desktop is not very secure).

Update all third-party scripts to the latest versions.

Enable CloudFlare in cPanel. CloudFlare is a broad security solution designed to provide protection from many forms of malicious activity online, including comment spam, email harvesting, SQL injection, cross-site scripting, credential hacking, web software vulnerabilities and DDoS (distributed denial of service) attacks.

Always keep a backup copy of your entire website and its databases.

Additionally:

Free online real-time scanners:

http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/

The tips provided above do not guarantee 100% security for your WordPress website; however, they drastically decrease the chances of getting hacked.

We sincerely hope this article has helped you secure your online business and become a trouble-free and happy customer :)
Written by: AFRIDA YANTI

© 2017 Cheap Best Hosting Blog. All rights reserved.