As WordPress is one of the largest and most popular blog platforms in the world, it makes sense that hackers would try to infiltrate its security to gain access to millions of unsecured websites on the web. We frequently see complaints all over the web regarding WordPress security vulnerabilities and webmasters requesting help regarding their hacked WordPress installations. Usually, once a hacker has infiltrated a WordPress installation, they will either delete all files causing you to lose your website or use PHP modules to send out massive spam — which will get your hosting account suspended no matter where you host your website(s).
It is important to keep personal backups of your account and to take all necessary precautions to ensure that your WordPress installation is secure and invulnerable to hackers. For this reason, we have compiled a few WordPress security tips for you below which should help make your site immune to any hackers.
Keep your WordPress Installation Up to Date
WordPress updates their platform quite frequently to not only make improvements, but also patch any security vulnerabilities that could be exploited. That is why it is extremely important that you keep your installation up to date with the latest release.
If you’ve installed WordPress using WireNine’s automated installer Softaculous, you can easily upgrade your installation by logging into your cPanel. If you’ve installed it on your own, you can upgrade from the WordPress dashboard automatically, or do a manual upgrade by overwriting your old files with newly downloaded ones from their website. For more information, check out the WordPress codex.
Set a custom username and password
The default username for any WordPress installation is admin and all hackers are well aware of that fact. When installing WordPress, make sure to choose a uncommon username — in most cases, using your name or initials will be fine.
If you are using Softaculous to install WordPress, check the screenshot below (click to enlarge) to see where to set your username.
As important as the username is, it is equally if not more important to have a complex password — choose a password with a mixture of letters, numbers and even symbols if you prefer. If you’re worried about losing your password, you can use a password manager such as LastPass to store all your logins; and WordPress does have a “Forgot Password” function which you can also use to reset your password in case you ever lose it.
Ensure your file permissions are set to 755 or lower where necessary
If you are an intermediate or even advanced user of WordPress, you may sometimes need to modify file permissions to make file edits from the back-end or in some cases, to allow a plugin to function. As most individuals forget to reset their file permissions afterwards, their files are usually left readable / writable for hackers who can use the file as a doorway to into the users account.
Make sure you set appropriate permissions for your files / directories (755 or lower) — always reset to the WordPress default permissions after making edits to any file.
Regularly backup your websites / databases
Although WireNine does create daily backups for all accounts on our servers, it is always recommended that clients also make their own backups from within cPanel in case their site data is ever compromised. Maintaining daily backups will help ensure that you can immediately restore your website in case of an emergency. To create a full or partial backup of your account, simply navigate to cPanel, click on “backup wizard” and choose which elements of your account you would like to backup (refer to the picture below).
Keep all plugins and theme files up to date (free and premium)
Since WordPress has such a vast amount of available themes and plugins (both free and premium), its important to make sure that you only select plugins and themes from trustworthy sources. Most premium theme and plugin purchases will include free lifetime updates to patch any security holes — but free plugins and themes are sometimes not updated for long periods of time. This not only causes the themes / plugins to break with new WordPress updates, but also leaves tons of security vulnerabilities for hackers to exploit.
It is important to use the latest WordPress compatible version of each plugin / theme to ensure there are no security risks to your website. Fortunately, WordPress’ free plugin repository has plugin and theme ratings which can help you decide which plugins would be the best and most secure for your blog / website. If you wish to invest in a premium theme or plugin, make sure the seller is a verified source before you make any purchases.
Use a WordPress Security Plugin
WordPress security plugins are not always necessary if you follow all the security tips listed above; however they do help make your installation more secure. If you are worried about any hack attempts on your blog, its always better to be safe than sorry and install one of the following highly recommended security plugins:
Bulletproof Security
Bulletproof security was created to mainly protect your website through your .htaccess file which hackers commonly use to gain access to an account. With the bulletproof security plugin, you can protect your WordPress website against against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL injection hacking attempts.
Better WP Security
This plugin has a host of features that help secure your website — mainly by hiding and securing any locations of your website that are most vulnerable to an attack (such as the login page or admin panel). The plugin also creates a daily backup of your WordPress databases so in case you do somehow get exploited by persistent hackers, you can easily restore your website.
General Security Tips
- Do not share your login. If you have hired a webmaster to manage your website, make them a separate account with the necessary permissions. It is not advised to share your username / password with anyone you don’t fully trust.
- Enable Cloudflare. CloudFlare is a content delivery network (CDN) that improves the performance of your website but also offers a security scanning feature that comes in handy at times. CloudFlare is included absolutely FREE of charge with any shared, reseller or VPS hosting plans at WireNine and can be easily enabled from within cPanel.
- Regularly change passwords. It’s important to change your password every once in a while to maintain security — you can use a password manager such as LastPass to make this easier
While the WordPress security tips listed above will help you secure your website, they do not guarantee that your website will be 100% immune to hackers. They do however drastically decrease the chances of your WordPress installation being hacked or tampered with in any manner. Remember, it’s important to maintain regular backups of your website / database so you always have a recoverable copy laying around in case of an emergency.
If you have any questions, don’t hesitate to ask by commenting below.