Home > Blog > Blog > 12 Tips to Prevent WordPress Site from Getting Hacked

12 Tips to Prevent WordPress Site from Getting Hacked

10/05/2019
dsim-image

Online security is a serious issue nowadays. However, there are still website owners who are not taking web security into consideration.

Therefore, that could spell disaster if you aren’t too careful.

The thing is, there are a lot of hackers and spammers out there. That’s why you need to think about the ways on how you can make your website security stronger than before.

You can either opt to add plugins, update the framework of your blog, and more.

In this post, we’re going to talk about some handy tips to prevent your WordPress site from getting hacked.

1. Add SSL Certificate

An SSL (Secure Socket Layer) certificate is a great way to secure your admin panel. Implementing it ensures that the data transfer between the user browser and the web server is secure. Thus, making it difficult for hackers to take your information or breach the connection.

add-ssl-certificate

Getting an SSL certificate for your WordPress site is pretty straightforward. You can check with a third-party or see if your hosting company provides one for free.

cerberus-install-ssl-certificate-2

2. Check Your Plugins

check-your-plugins

These days, it’s so easy to download plug-ins and install on your WordPress site. But you also have to be careful with the kind of plug-ins that you download.

Some plugins have malicious codes. Right after downloading them, the best thing that you can do is to scan it immediately for malware. You need to do this especially for plug-ins that you’ve downloaded in places outside the WordPress directory.

It’s best to use anti-virus software. When you use a newer operating system, when downloading the file, it usually checks for viruses.

However, for older ones, it’s best to scan it weekly or right after downloading the files.

3. Take out the Themes and Plugins That You Don’t Use

A lot of people have a site full of installed themes and plugins that they don’t even use. Some resort to keeping them disabled, but that’s a huge mistake.

It’s because it’s easier for hackers to target old plugins and themes that are installed yet disabled. Chances are, they can get past the security of your site by targeting the vulnerabilities of those themes and plugins.

Because those are already disabled on your site, you’re entirely unaware of the subtle changes in those themes and plugins that hackers are taking advantage of.

Moreover, the actual developer of that plugin might stop updating, and again, hackers will take advantage of these vulnerabilities to hack your site.

So, keep the ones that you do use on your site. If you’re not using it anymore, then it’s better to delete them. Whether its a plugin or a theme that comes with the default installation on WordPress or something that you’ve installed separately. This rule applies to everything.

Only keep the ones that you need, and get rid of the rest.

4. Backup Regularly

One of the most important steps is to backup your files. Before you plan on making any changes, backup your files first. You can either use an available plugin or do this manually.

5. Keep Up-to-Date

One of the most obvious‒yet a lot of users tend to neglect‒is to keep all installed plug-ins, WordPress core, and themes up-to-date. So, if you have an older version of the software you have on your site, you are at risk for an attacker to find it.

Aside from keeping your software updated, you can protect your site by hiding the version numbers that are installed.

There are two things that attackers can find on your site that will compromise it. First, is the software you’re using (in your case, it’s going to be WordPress and the extensions that are installed).

Second, is the version you have. With this information, it’s easy for hackers to exploit your site. All they need to do is to look it up on their playbook, and then hack your system.

6. Get Secure Hosting

Another way to keep your site secure is to choose a hosting provider that gives multiple levels of security.

Initially, it might be tempting to choose a cheap hosting provider and spend your money on other essential things. But don’t go this route. There’s a chance that your data will be erased, and your URL will be redirected someplace else.

When you pay more for a quality hosting company, there will be additional levels of security on your site. Aside from that, a right web hosting provider can significantly speed up your site, which is excellent for your conversions.

7. Skip Default Credentials

skip-default-credentials

Your password acts as your first layer of protection against attacks. Chances are, those attackers know that you’ll try to use something similar, and thus, have a better chance of guessing it.

Therefore, make sure that you’re not using a default password. Use something difficult to decipher instead.

8. Use a Strong Password

As we’re saying earlier, using a strong password will protect you from malicious attacks. While this is the most basic advice and almost everyone probably knows this, this aspect is easily overlooked.

Ensure that your admin password on WordPress contains the following combinations: Uppercase, lowercase, and alphanumeric numbers.

en

Moreover, make sure that it’s at least nine characters long.

When you pattern your password like this, it’s difficult for hackers to access your site.

9. Use Two-Factor Authentication

Using two-factor authentication when logging in is one of the most straightforward and efficient ways to prevent malicious attacks.

two-factor-authentication

So how does it work?

Well, it adds a layer of security by asking another proof of ID such as secret questions and a mobile-generated code. Therefore, the user can give login details for two different components.

Over the years, this practice has been adopted by big companies like Google, Dropbox, Apple iCloud, and so on. That’s why there’s no reason that you must not adopt this practice as well.

Here are some plugins that create a two-step authentication for WordPress:
  • Google Authenticator: Lets users enter a QR code or a key that’s delivered on their mobile phones.
  • Clef: Enables a “passwordless” two-step authentication via smartphones.
  • Clockwork SMS: A two-step authentication with the help of text messaging.
  • Authy: Requires users to give an API key via a smartphone app.
  • Stealth Login Page: Adds another authorization code that’s required for log-in.

10. Limit Login Attempts

limit-login-attemts

By default, WordPress lets users log in for as many times they want. It might help you significantly if you always forget what letters are capitalized. But it also makes you vulnerable to brute attacks.

Decreasing the number of login attempts is a surefire way to prevent determined hackers and other unauthorized sign in. When you limit those login attempts, users can only try to sign in a couple of times until they’re temporarily blocked.

Usually, this involves a locking mechanism on your WordPress Login Section’s login retry. Thus, this increases the chance for the hacker to be locked out in your account before they can finish their attack.

11. Modify Table Prefix

Aside from limiting the number of login attempts, there are other things that you should take note of to make your site secure. One of them is changing your custom table prefix.

Now, if you search the standard installation in the WordPress database, almost all the tables start with a wp_.

But that also makes your site more prone to SQL injections. It’s because, with this kind of attack, hackers need to know the table prefix.

It’s worth noting that the standard WordPress setting is already common knowledge. To increase your security, change it into something random like 8uh7zgokm_.

12. Hide Your Login Page

A majority of hackers know that the WordPress admin page can be accessed by merely adding right after the domain name.

For instance, if your domain name is abc.com, your admin page can be accessed by the URL, http://abc.com/wp-admin.

Moreover, attackers will instinctively know that the login page name is wp-login.php.

Luckily, you can change that. Several plugins are available in the market that allows you to customize the login URL of your WordPress site. As a result, it becomes more challenging for hackers to break into your system.

Why? It’s because they can’t even find your login page in the first place.

Over to You

WordPress security is one of the most vital parts of having a website.

Every good site needs robust security. If your site isn’t secure enough, hackers can easily penetrate it and steal your data. Some might even try to destroy your website. Once they are over, the damage that has been done cannot be recovered.

Therefore, if you don’t take the necessary steps to ensure your WordPress security, hackers can easily take advantage of your site.

Unlike what others are led to believe, maintaining your WordPress security isn’t so hard, and it’s not expensive either. Some steps can be done without spending a single penny.

Author Bio:

Kenneth Sytian is the CEO of Sytian Production, a WordPress developer in the Philippines. He has been designing websites and developing web apps for more than a decade. He is regarded as one of the top influencers in web design and development in the Philippines.

Share Button
Masters in
Digital Marketing
for professionals & job seekers
Learn how to market a business online just like experts & agencies do it.
Learn from real practitioners not just trainers.

Watch DSIM Trainees Celebrating Last Day of Batch

Watch Demo

Leave a comment:


Call Us
Free Demo