On average, 30,000 new websites are hacked each day. WordPress sites can be an easy target for attacks because of plugin vulnerabilities, weak passwords and outdated version of the software. Most WordPress admins don’t even know they’re vulnerable, but with alertness and security measures, an expert can help you fix common holes, stop automated attacks and strengthen user credentials.
Top 10 important steps to start securing your website immediately:
- Change the urls for WordPress dashboard including login, admin etc. This will hide the login page (wp-login.php, wp-admin, admin and login) making it harder to find by automated attacks. Also rename “admin” account username. This will improve the security of your WordPress installation by removing common user attributes that can be used to target your site.
- Completely turn off the ability to login for a given time period (away mode). As most sites are only updated at certain times of the day it is not always necessary to provide access to the WordPress dashboard 24 hours a day, 7 days a week. Disable access to the WordPress Dashboard for the specified period. Of course this depends on your work timings and access levels at multiple locations but this is a good practice.
- Remove theme, plugin, and core update notifications from users who do not have permission to update them. Change wp-content path and rename the directory so that the most important directory can be saved from possible attacks.
- Prevent public access to readme.html, readme.txt, wp-config.php, install.php, wp-includes, and .htaccess. These files can give away important information on your site and serve no purpose to the public once WordPress has been successfully installed.
- Scan your website theme or plugin files regularly for malware to make sure that there are no injections to the files. Use server log files to obtain data on which files got changed recently. Ban troublesome bots, user agents and other hosts immediately. Prevent users from seeing a list of files in a directory when no index file is present.
- Change the WordPress database table prefix. By default, WordPress assigns the prefix “wp” to all tables in the database where your content, users, and objects exist. For potential attackers, this means it is easier to write scripts that can target WordPress databases as all the important table names for 95% of sites are already known. Changing the “wp” prefix makes it more difficult for tools that are trying to take advantage of vulnerabilities in other places to affect the database of your site.
- Prevent brute force attacks by banning hosts and users with too many invalid login attempts. If one had unlimited time and wanted to try an unlimited number of password combinations to get into your site they eventually would, right? This method of attack, known as a brute force attack, is something that WordPress is acutely susceptible by default as the system doesn’t care how many attempts a user makes to login. It will always let you try again. You should install tools or functions for enabling login limits to ban the host user from attempting to login again after the specified bad login threshold.
- Force users to choose a unique nickname when updating their profile or creating a new account which prevents bots and attackers from easily harvesting user’s login usernames from the code on author pages. You can enforce password expiration; add a strong passwords generator to user profiles. For more advanced security to dashboard, force SSL for admin pages (on supporting servers).
- Take or schedule backups of the websites on regular basis. There are automated tools available which can actually schedule backups of the entire site including database and migrate the site to another server or same server within minutes if required.
- Ban users hitting a large number of non-existent pages which results them getting a large number of 404 errors. 404 detection assumes that a user who hits a lot of 404 errors in a short period of time is scanning for something (most probably vulnerability) and locks them out accordingly.
These are few of the most important steps to help improve the security of your WordPress installation from many common attack methods. For further steps take a look at 30 Ways to Secure Your WordPress Website. You cannot prevent every possible attack but nothing replaces diligence and good practice. Continuous monitoring is essential. There are many more known practices which you can implement on your WordPress site to prevent malicious injections to your site. We recommend hiring an expert to help secure your WordPress site. Don’t hesitate to contact us for your questions.