A couple of days ago, I saw a post in a Facebook WordPress group asking for help. The poster's WordPress site had been hacked. The hacker had somehow placed a hidden script on the server and scheduled it to run every 24 hours. The unexpected code that the script generated appeared at the beginning of index.php. That code added a ton of external files to the WordPress media library, and when users clicked on those media files they were redirected to external websites. The site owner reset all passwords for the WP site, FTP, and hosting login, but no luck. Deleting the unexpected code from index.php didn't help either. Finally, he moved to a new server and the problem was gone. This is just one of many hacking issues I have found on the internet.
Today I will guide you through protecting your site from hackers like this. Please don't expect 100% protection, since hackers come up with new methods all the time, and there are many factors that can let hackers or malware into your site. Below are the tips that you can follow for WordPress security.
Keeping your WordPress updated
Always keep your themes, plugins, and WordPress core updated. You must back up your WordPress site (themes, plugins, WP files, and database) before updating. This backup will help you if something goes wrong during the update: you can restore it later.
Set Strong Password and User Permission
- You must set a strong password such as 4oU!7o"uu@6$dZ.
A strong password should have:
- at least 15 characters
- uppercase letters
- lowercase letters
- numbers
- symbols, such as ` ! " ? $ ? % ^ & * ( ) _ - + = { [ } ] : ; @ ' ~ # | \ < , > . ? /
The passwords I mean are for all your logins, for instance, FTP login, host login, and WP login. All passwords should be unique, not the same one reused. It sounds like a lot of trouble, but trust me, you don't want to deal with hackers or malware later.
- Please set the user role for each WP user. DO NOT grant an administrator role to all users.
CHOOSE YOUR HOSTING WISELY
Picking the right host will help your site as well. Using shared hosting means your site is sharing resources with other sites on the same host. If those sites get hacked, your site has a chance of getting malware as well. For me, I use Siteground. I don't use cheap shared hosting. Please DO NOT use shared hosting that forces you to change the uploads folder and .htaccess file permissions to 777 in order to run WordPress on the server.
INSTALL THE WORDPRESS SECURITY PLUGIN
Install a WordPress security plugin you like, such as Wordfence Security.
ADD SSL (HTTPS) TO YOUR DOMAIN NAME
DO NOT USE “ADMIN” AS YOUR USERNAME IN WP OR ANYWHERE ELSE
If you already have the admin user, create a new user and grant it the same role as the admin user. Make sure the new login works by signing in with it. Then delete the admin user.
Disable File Editing
- You may notice that in the Appearance menu you can edit the theme and plugin files. To disable this, put the code below in the wp-config.php file.
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
Limit Login Attempts
By default, WP users can attempt to log in as many times as they want. Imagine that hackers try to break into your site by guessing your login. They will try many times before they guess it. Setting up a limit on login attempts may help protect your site from these attempts. To do that, you can install the Login LockDown plugin, or if your hosting account has a "limit login attempts" setting, you should enable it on your host.
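One way to enforce a login-attempt limit without a plugin, as an added example that is not part of the original post and is not the Login LockDown plugin: a small must-use plugin (save it as wp-content/mu-plugins/login-limit.php) that counts failures per client address and username using WordPress transients. The limit of 5 attempts and the 15-minute window are assumptions chosen for this example.

```php
<?php
/*
Plugin Name: Simple Login Attempt Limiter (added example)
Description: Counts failed logins per client/username and blocks further attempts for a while.
*/

// Tunables assumed for this example; adjust to your own policy.
const SLAL_MAX_ATTEMPTS   = 5;   // failures allowed before lockout
const SLAL_WINDOW_SECONDS = 900; // 15 minutes; each failure restarts the window

// Key the counter on the client address and the attempted username.
// Note: behind a reverse proxy, REMOTE_ADDR may be the proxy, not the visitor.
function slal_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'slal_' . md5( $ip . '|' . strtolower( (string) $username ) );
}

// Count every failed login; the transient expires on its own after the window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = slal_key( $username );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, SLAL_WINDOW_SECONDS );
} );

// Refuse authentication once the counter reaches the limit, even if the
// password is now correct. Priority 30 runs after WordPress's own
// username/password check (priority 20), so the lockout wins.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;
    }
    $count = (int) get_transient( slal_key( $username ) );
    if ( $count >= SLAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'slal_locked_out',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client/username pair.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( slal_key( $user_login ) );
}, 10, 1 );
```

Files in wp-content/mu-plugins/ are loaded automatically and cannot be deactivated from the dashboard, so the limit stays in force even if an attacker gains a lower-privileged account.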
Change the table prefix
By default, when you install WordPress for the first time, the table prefix is wp_. Please change it to a new table prefix of your choice before continuing the WordPress setup.
All the tips listed above are the ones I normally use. I hope they are useful for your site.