The growing popularity of WordPress has also attracted more interest from hackers. Statistics show that out of the 80 million websites powered by WordPress, a large portion (70%+) are vulnerable to attacks.
If you think that your website is not part of that 70%, you are wrong. If you also think that nobody cares about your small business website or blog, you are wrong again. Attacks happen because your site is vulnerable, not because a hacker decided to ‘break into’ your business in particular.
When your website is hacked, a lot of bad things happen besides damage to your website’s reputation. You can lose customers, traffic, money and confidential information, not to mention the time, stress and effort it takes to clean your website and get it back to a normal state.
Those who have experienced this at least once know exactly what I mean. It is at those times that you wish you had taken preventive measures instead of trying to recover from the damage afterwards, especially when your income and business depend on your website.
To tell you the truth, I didn’t bother about security; I was thinking, like most people, that this would never happen to my websites. But it did. And it was a terrible experience.
A few of my clients faced similar issues and lost money and business, but at least we have all now learned our lesson. When it comes to security issues, “Prevention is the best cure”.
If you have a WordPress website but have not taken any measures to improve its security, now is the right time to take action. Don’t delay it any longer; set this as your first priority, above SEO or anything else you might be doing.
It won’t take you a lot of time, but it can save you a lot of time, money and frustration in the future.
10 ways to protect your WordPress Website
#1 – Install Sucuri – I know that this may sound overly promotional to some, but those following my articles know that I don’t recommend something (especially a third party service) unless it is very important and useful, and Sucuri is one of them.
In a few words, Sucuri is a company that offers security services to websites (not only WordPress). They help you ‘clean’ and recover your website in case it is infected by malware, and at the same time they offer a number of tools for securing and hardening your website so that you don’t get into trouble in the first place.
I have used Sucuri a number of times, for both my own websites and my clients’. One of the things I really like is that in case your website is compromised and infected by malware, all you have to do is register an account with them and submit a malware removal request; they take care of the rest in a reasonable amount of time.
Instead of spending time wondering what happened and searching the Internet for ways to clean your website and recover your business, leave this to Sucuri and spend your time following the prevention measures explained below, to avoid having to deal with the same situation again.
A final note before getting into the features of Sucuri and how to use them: Google’s guide for hacked sites also recommends Sucuri for prevention and protection, and so does the official WordPress website in its hacked sites FAQ.
Which package to use? They have 3 packages, but in most cases you only need to register for the BASIC plan, which is less than $18 per month.
This gives you access to their malware removal service in case you need it and also to their website antivirus prevention tools.
Follow the simple steps below to activate Sucuri on your WordPress website:
The first step is to register for the basic plan and then ‘Add your website’ to the dashboard.
Next, you need to configure the ‘Server Side’ scanner by giving them access via FTP to your website files and directories. The server side scanner is what monitors your website (several times per day), identifies affected files and also performs cleanup actions if needed.
You can either enter your FTP credentials in the ‘Enable Via FTP’ option or use ‘Enable Manually’ by downloading the file provided and uploading it to your root folder.
The file method is better: if you later decide to change your FTP credentials, you won’t break the scanner.
Install and configure their WordPress plugin. Install the Sucuri plugin from here (like you would any normal WordPress plugin), then go to the dashboard and connect it with your Sucuri account.
Once you have performed the above steps successfully, Sucuri is actively protecting your website.
What you can do now is click SETTINGS (under Sucuri Security) and configure your settings as shown in the screenshot below.
This ensures that you get notified by email of any changes to your website files or any failed login attempts. In addition, it activates the web firewall feature that automatically blocks suspicious IP addresses from attempting to log in to WordPress.
Go to Dashboard (under Sucuri Security) and you will be amazed at how many bots try to gain access to your website.
There are many other settings you can review (under Sucuri Security), but the above, in combination with the steps described below, will dramatically improve the security of your WordPress website.
#2 – Use strong passwords – One of the things you definitely need to check right now is your WordPress passwords, and especially the password you use for the administrator.
Don’t use simple, letter-only passwords; create strong passwords that include letters, numbers and symbols.
Here are a few examples of simple and strong passwords:
| Simple | Strong |
| --- | --- |
| SimplePassword | $1mpLePas$$w0rd! |
| WordPress123 | W0rD!!Pr3$$123 |
| Janiebrown | JAN1E$Br0wN |
You can change the password of any user by selecting USERS / ALL USERS from the left menu. From the list of users, select EDIT and scroll down to the password field.
#3 – Change the default admin user names – The first thing hackers will try to do is find out the administrator username, so usernames like admin, administrator and host are too obvious; change them to something harder to guess.
Also, review your user roles and make sure that there is only one administrator for the site. Other users (guest authors, writers) can be set as ‘Contributor’. Delete any other users that are not valid or set their role to ‘None’.
#4 – Protect your wp-login, wp-config, .htaccess and wp-admin folder – This is perhaps the most important of all the measures you can take to secure your WordPress website.
By protecting and restricting access to your wp-config, .htaccess, wp-login and wp-admin folder, you have already taken a big step in the right direction.
It does not require any technical knowledge; you only need FTP access and to follow the steps below:
Step 1: Log in to your website with FTP and locate the .htaccess file in the root folder (usually public_html or www). If you have installed WordPress in a subdirectory, you will find the .htaccess file there.
Step 2: Download the file to your computer
Step 3: Use any text editor (Notepad, Brackets etc.) to open the file
Step 4: Add the following lines at the top of the file:
Important: You must add your public IP in the orange shaded area above, otherwise you will not be able to log in to your own website!
Step 5: Save your changes
Step 6: Upload the file back to your server and replace the existing one.
The role of the above lines is to deny access to every IP that tries to reach your .htaccess file, wp-config.php or your login page, except the IPs you explicitly allow. If your public IP changes frequently, you need to edit this file and type the correct IP in the orange shaded area above. If you type a wrong IP there, you will not be able to log in to your WordPress dashboard. You can add more than one IP (one per line, each preceded by the words ‘allow from’).
I know that for some this is too much, BUT it’s the best and most efficient way to keep everyone (besides the allowed IPs) from getting access to your website. It does not affect the functionality of your website or your SEO, but it reinforces security.
The next step is to prevent unauthorized access to your wp-admin folder. You can do this by following the steps below:
Step 1: Log in to your website with FTP and locate the .htaccess file inside the wp-admin folder. If there is no .htaccess file, create one (using any text editor), add the lines shown below and upload it to your wp-admin folder.
Step 2: Download the file to your computer
Step 3: Use any text editor (Notepad, Brackets etc.) to open the file
Step 4: Add the following lines at the top of the file:
Important: You must add your public IP in the orange shaded area above, otherwise you will not be able to log in to your own website!
Step 5: Save your changes
Step 6: Upload the file back to your server and replace the existing one.
The same rules apply as explained above, i.e. to be able to log in to your website you need to add your public IP in the orange shaded area.
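As an added example (not the screenshot from the article), here is a complete wp-admin/.htaccess written in the same Apache syntax the article uses. The addresses 203.0.113.10 and 198.51.100.7 are placeholders standing in for your own public IPs; the admin-ajax.php exception is a practitioner caveat the article does not mention, needed because the public side of many themes and plugins calls that file for logged-out visitors.

```apache
# wp-admin/.htaccess (added example; not the article's own file)
# Deny every address, then allow only the listed public IPs.
# 203.0.113.10 and 198.51.100.7 are placeholders: replace them with your
# own address(es), one "Allow from" line each, or you lock yourself out.
# A CIDR range such as 203.0.113.0/24 is also accepted if your ISP
# rotates your address within a fixed block.
Order deny,allow
Deny from all
Allow from 203.0.113.10
Allow from 198.51.100.7

# Caveat not covered in the article: wp-admin/admin-ajax.php is requested
# by the public side of many themes and plugins (search, forms, infinite
# scroll), so it must stay reachable from any address or those features
# break for ordinary visitors. "Satisfy any" keeps this exception working
# if you later add HTTP basic authentication to the folder as well.
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

# On Apache 2.4 without the mod_access_compat module, the directives
# above are replaced by "Require ip 203.0.113.10" for the folder and
# "Require all granted" inside the <Files admin-ajax.php> section.
```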
#5 – Protect xmlrpc.php (optional but recommended) – Besides the files above, another common way into WordPress websites is through XML-RPC. xmlrpc.php is the file used for communicating remotely with WordPress.
Hackers can make use of xmlrpc (which is enabled by default since WordPress 3.8) to execute DDoS (Distributed Denial of Service) attacks that can cause server problems and bring a website down.
You need to keep XML-RPC enabled if you are using services like Jetpack, the official WordPress mobile app, or pingbacks and trackbacks.
To make sure that no programs can access and execute the file, add this to your .htaccess (like you did in point 4 above).
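Since points #4 and #5 both edit the same root .htaccess, here is one added example (not the article's screenshot) covering both: wp-config.php, .htaccess and wp-login.php from point #4 and xmlrpc.php from point #5. It goes beyond the article in two ways: wp-config.php and .htaccess are denied to everyone, your own IP included, because a browser never needs them, and each rule is given both in the Apache 2.2 syntax the article uses and in the Apache 2.4 `Require` syntax, because on a 2.4 server without mod_access_compat the 2.2 directives produce a server error instead of protection. 203.0.113.10 is a placeholder for your own public IP, and the fragment assumes your host allows .htaccess overrides for access control.

```apache
# Root .htaccess fragment for points #4 and #5 (added example, not the
# article's screenshot). Put it at the top of the .htaccess in your
# WordPress root. 203.0.113.10 is a placeholder for your own public IP.
# Assumes the host permits .htaccess overrides for access control
# (AllowOverride Limit for the 2.2 syntax, AuthConfig for the 2.4 one).

# Files nobody needs over HTTP: wp-config.php and .htaccess are read by
# the server itself and never served, so deny every address, yours too.
# xmlrpc.php (point #5) is optional: remove it from the pattern if you
# use Jetpack, the WordPress mobile app, or pingbacks and trackbacks.
<FilesMatch "^(wp-config\.php|\.htaccess|xmlrpc\.php)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4 syntax
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 syntax, as used in the article
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# The login page stays reachable from your address(es) only. Add one
# more "Require ip" or "Allow from" line per extra address; both accept
# a CIDR range such as 203.0.113.0/24 if your ISP rotates your address.
<Files wp-login.php>
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10
    </IfModule>
</Files>
```

After uploading, open wp-login.php from a connection outside the allowed range (a phone on mobile data, for instance) and confirm you get a 403 page, then check that the site's front end still loads normally.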
#6 – Update WordPress and plugins to the latest versions – Most of the time, hackers gain unauthorised access to your website through plugins. Both free and paid plugins have vulnerabilities, and it is always best practice to upgrade them to their latest versions.
Software companies (especially those selling paid plugins) have started to take security more seriously and try to close any security holes in order to protect their customers and, of course, their reputation.
Besides upgrading, review the list of installed plugins, and if you find that some have not been updated for several months, consider deactivating them, replacing them with plugins that are updated more frequently, or deleting them.
#7 – Check your ‘comments’ and form settings – If you have comments open on your posts, check your ‘Discussion’ settings and make sure that all comments are manually approved. This may add more administration work on your part, but it is the best way to ensure that no spam comments get through.
Also check that you have Akismet activated and that you use a CAPTCHA on all your contact forms.
#8 – Check your server settings – Besides your WordPress installation, another way hackers can break into your system is through your web server.
What you can easily do is use a strong password for the administrator account and for FTP, and also enable email notifications so that you are notified every time someone logs in to the server. You may need to check with your hosting provider on how to do this, since it differs for each type of hosting server.
#9 – Move to a reliable VPS host – Any serious blogger or business should be using a VPS for their website. If you are still on shared hosting, it’s time to reconsider and move to your own VPS. The cost per month is not that much, but the benefits, especially when it comes to security, are priceless.
There are many hosting companies offering VPS for WordPress; take some time and find a VPS host that is reliable, with good and fast support. When you get into security trouble, you will need the support of your hosting company, and they need to respond to your requests fast but also effectively.
I have tried a number of hosts over the years, and for the last couple of years I have moved all my websites to KnownHost. Their support, both in speed and effectiveness, is the best I have ever seen.
#10 – Take full backups of your website – While this may not be a security measure as such, the first thing you will need after an attack is a clean backup of your website, to use it to recover to the previous good state.
To eliminate any unpleasant surprises:
Make sure that you take a backup of both your WordPress files and database (at least once per week)
Keep the backup files in a safe location (other than your website’s server)
Know how to use the backup to restore your website. This is a critical step, and you need to allocate some time to do a test run and document the procedure, so that you know exactly what you need to do when in need and under a lot of stress.
I use the BackUpWordPress plugin, which is free and has options to schedule backups for both the files and the database.
The bottom line: When it comes to security, prevention is always better than cure
You need to take measures to protect your WordPress website from hackers. You don’t necessarily have to pay for a monthly service if you currently cannot afford it, but you do need to review and correctly configure the other settings suggested above.
Don’t underestimate the damage hackers can cause to your website or business. Once you have faced this situation, you will understand how important it is to take as many measures as you can before it happens.
If you have any questions or something is not clear, let me know in the comments below.
Martina Cruz says
Very well shared info. “How to Protect Your WordPress Website From Hackers”. Actually I was looking for some tips which can save my webpages from hackers and I found your post quite helpful. Thanks for sharing your great knowledge with us!
JoeJack says
Thanks for this information. Finally someone tells us about “How to Protect Your WordPress Website From Hackers”.
This is very useful for us; great job. Keep sharing with us.
Johnny says
Fantastic tutorial. I have suffered from many WordPress sites that have been infected with malware. You definitely showed me some things I had no idea to do, such as changing the default username and protecting the login pages. I thought that WordPress did many of these security things for you already. I was so wrong. Thank you again.
Moore Amber says
Great article. Thanks for sharing this valuable information with us. It is really necessary to take all safety measures to prevent your website from being hacked.
Mounika says
Hello sir,
Thank you so much, you made my work easier to protect my WordPress. A few days back my website was hacked by someone through the Ad Inserter plugin. It took several days to recover. Please suggest to me how to protect plugins from bad guys.