While WordPress core software is very secure, and it’s audited regularly by hundreds of developers, there is a lot that can be done to keep your site secure.
Why Is Website Security Important?
A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal user information and passwords, install malicious software, and even distribute malware to your users. Worse, you may find yourself paying a ransom to hackers just to regain access to your website.
In March 2016, Google reported that more than 50 million website users had been warned that a website they were visiting may contain malware or steal information.
Furthermore, Google blacklists around 20,000 websites for malware and around 50,000 for phishing each week.
If your website is a business, then you need to pay extra attention to your WordPress security.
Similar to how it is the business owner's responsibility to protect their physical store building, as an online business owner it is your responsibility to protect your business website.
1. Protect the wp-config.php file
The wp-config.php file holds crucial information about your WordPress installation, and it’s the most important file in your site’s root directory. Protecting it means securing the core of your WordPress blog.
This tactic makes things difficult for hackers to breach the security of your site, since the wp-config.php file becomes inaccessible to them.
As a bonus, the protection process is really easy. Just take your wp-config.php file and move it one level above your root directory.
Now, the question is: if you store it elsewhere, how does the server access it? WordPress looks for wp-config.php in its install directory first and, if it isn't there, in the directory one level above. So, even if it is stored one folder above the root directory, WordPress can still find it.
2. Disallow file editing
If a user has admin access to your WordPress dashboard, they can edit any files that are part of your WordPress installation through the built-in code editors. This includes all plugins and themes.
If you disallow file editing, no one will be able to modify those files from the dashboard – even if a hacker obtains admin access to your WordPress dashboard.
To make this work, add the following to the wp-config.php file (at the very end):
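The setting this step refers to, shown here as an added example rather than code from the original article. It uses the standard WordPress constant `DISALLOW_FILE_EDIT`; the placement comment reflects the conventional spot in a stock wp-config.php.

```php
<?php
// Added example (not the article's own code): the wp-config.php line that the
// "Disallow file editing" step refers to. It can go anywhere in wp-config.php;
// the conventional spot is just above the line that reads
// /* That's all, stop editing! Happy publishing. */

// Removes the theme and plugin code editors from the dashboard and makes
// current_user_can( 'edit_themes' ) and current_user_can( 'edit_plugins' )
// return false for every user, including administrators, so a compromised
// administrator account cannot use the editors to write PHP into the site.
define( 'DISALLOW_FILE_EDIT', true );
```

This only affects the dashboard editors: anyone with SFTP or shell access to the server can still change files, and plugin and theme installs and updates through the dashboard remain allowed (a separate constant, `DISALLOW_FILE_MODS`, blocks those as well).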
3. Understand, and protect, against DDoS attacks
A DDoS attack is a common type of attack against your server bandwidth, where the attacker uses multiple programs and systems to overload your server. Although an attack like this does not compromise your site files, it is meant to take your site down for a long period of time if not resolved. Usually, you only hear about DDoS attacks when they happen to large companies like GitHub or Target. They're conducted by what many refer to as cyber-terrorists, so the motive might simply be to wreak havoc.
That said, you don’t need to be a Fortune 500 company to be at risk.
If this worries you, we recommend signing up for the Sucuri or Cloudflare premium plans. These solutions have web application firewalls to analyze the bandwidth being used and block out DDoS attacks entirely.
4. Protect the wp-admin directory
The wp-admin directory is the heart of any WordPress website. Therefore, if this part of your site gets breached, then the entire site can get damaged.
One possible way to prevent this is to password-protect the wp-admin directory at the web server level. With such a WordPress security measure, the website owner accesses the dashboard by submitting two passwords: one protects the login page, and the other secures the WordPress admin area.
5. How to harden WordPress Security By Moving wp-config.php to a Non-public Folder
By default, wp-config.php sits in the same folder as your WordPress blog. So, if the homepage of your blog is at mysite.com/blog, your wp-config.php is in that same folder. That's not as reckless as it seems, since .php files are server-side scripts that are processed by the server. When you look at a .php file in the browser, you are actually looking at the output of the file. The same goes for when you view the source. The only way to download the raw code of a .php file is via FTP.
But, just because you can’t normally access a .php file doesn’t mean you are always safe…
Accidents happen, and vulnerabilities exist. If your web server's PHP configuration breaks down, your MIME types aren't set up correctly, or your web server is otherwise misconfigured, your web page could end up serving plain text instead of processed PHP output; those are just a few examples. And, just like being depantsed during a pep rally in the high school auditorium, it only takes a split second, and before you can get your knickers back on they've seen everything. Yeah, they've seen it all.
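Sections 1 and 5 both rely on WordPress finding wp-config.php after it has been moved. The script below is an added example, not WordPress code and not code from the article: it re-implements the lookup order used by WordPress's loader (wp-load.php) as a stand-alone function and runs it against four constructed directory layouts, so you can see which locations work. The layout names and the `public` directory name are assumptions for the demonstration.

```php
<?php
// Added example (not WordPress code and not the article's own): a stand-alone
// re-implementation of the order in which WordPress's loader (wp-load.php)
// looks for wp-config.php, so you can see which locations work when you move
// the file out of the web root and which silently fall back to the setup wizard.

/**
 * Return the config path WordPress would load, or null if it would not find
 * one. $abspath is the install directory (what the ABSPATH constant points at).
 */
function locate_wp_config( string $abspath ): ?string {
    $abspath = rtrim( $abspath, '/' );
    $parent  = dirname( $abspath );

    // 1. The install directory itself.
    if ( file_exists( "$abspath/wp-config.php" ) ) {
        return "$abspath/wp-config.php";
    }

    // 2. Exactly one level up, and only if that directory is not itself a
    //    WordPress install (it must not contain wp-settings.php). The guard
    //    keeps a nested site from silently loading its parent's credentials.
    if ( file_exists( "$parent/wp-config.php" ) && ! file_exists( "$parent/wp-settings.php" ) ) {
        return "$parent/wp-config.php";
    }

    // 3. Nothing further up is ever checked.
    return null;
}

/** Build a constructed directory layout under the system temp dir. */
function make_layout( string $name, array $files ): string {
    $base = sys_get_temp_dir() . '/wpcfg_' . getmypid() . '_' . $name;
    foreach ( $files as $rel ) {
        $path = "$base/$rel";
        if ( ! is_dir( dirname( $path ) ) ) {
            mkdir( dirname( $path ), 0700, true );
        }
        file_put_contents( $path, "<?php // placeholder\n" );
    }
    return $base;
}

// Four constructed layouts; "public" stands for the directory the web server serves.
$cases = [
    'in-root'       => [ 'public/wp-config.php', 'public/wp-settings.php' ],
    'one-level-up'  => [ 'wp-config.php', 'public/wp-settings.php' ],
    'two-levels-up' => [ 'wp-config.php', 'a/public/wp-settings.php' ],
    'parent-is-wp'  => [ 'wp-config.php', 'wp-settings.php', 'public/wp-settings.php' ],
];

foreach ( $cases as $name => $files ) {
    $base    = make_layout( $name, $files );
    $abspath = ( 'two-levels-up' === $name ) ? "$base/a/public" : "$base/public";
    $found   = locate_wp_config( $abspath );
    printf(
        "%-14s -> %s\n",
        $name,
        $found ? str_replace( $base, '<base>', $found ) : 'not found (WordPress would show the setup wizard)'
    );
}
```

Run it with `php locate-config.php` (the placeholder directories are left under your temp dir). Only the first two layouts resolve: a file two levels above the install is never checked, and a file one level up is ignored when that parent directory is itself a WordPress install. So "a higher level" in practice means exactly one directory above the web root, and the check before you rely on it is that the parent directory contains no wp-settings.php.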
6. Use SSL to encrypt data
Implementing an SSL (Secure Sockets Layer) certificate is one smart move to secure the admin panel. SSL encrypts data in transit between user browsers and the server, making it difficult for attackers to eavesdrop on the connection or tamper with your information.
Getting an SSL certificate for your WordPress website is simple. You can purchase one from a third-party company or check to see if your hosting company provides one for free.
I use the Let’s Encrypt free open source SSL certificate on most of my sites.
7. Change your WordPress database table prefix
If you have ever installed WordPress then you are familiar with the wp_ table prefix used by the WordPress database. I recommend you change it to something unique.
If you have already installed your WordPress website with the default prefix, then you can use a few plugins to change it. Plugins like WP-DBManager or Acunetix Secure can help you do the job with just a click of a button. (Make sure you back up your site before doing anything to the database).
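A wp-config.php fragment covering the SSL step (section 6) and the table-prefix step (section 7), added here as an example and not taken from the article. The `FORCE_SSL_ADMIN` and `$table_prefix` settings are standard WordPress configuration; the reverse-proxy block follows the pattern WordPress documents for installs behind a TLS-terminating proxy, and the prefix value `h7q3_` is a constructed placeholder.

```php
<?php
// Added example, not the article's own code: wp-config.php settings for the
// "Use SSL" and "Change your table prefix" steps.

// --- Section 6: force HTTPS for logins and the whole admin area ---
// Behind a reverse proxy or CDN that terminates TLS (the article mentions
// Cloudflare and Sucuri), PHP sees a plain-HTTP request from the proxy, so
// is_ssl() returns false and FORCE_SSL_ADMIN produces a redirect loop.
// Trust the proxy's header only if every request really passes through that
// proxy; otherwise a client could set the header itself.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}
define( 'FORCE_SSL_ADMIN', true );

// --- Section 7: non-default table prefix (set this on a fresh install) ---
// Only letters, numbers and underscores are allowed. Changing this value on
// an existing install does not rename the tables already in the database;
// use one of the plugins named above, after taking a backup.
$table_prefix = 'h7q3_';
```

`FORCE_SSL_ADMIN` also forces the login page over HTTPS, so set it only once the certificate is installed and the site loads correctly over https://, otherwise you lock yourself out of the dashboard until you remove the line.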
8. Always backup your website
If you are looking for a premium solution then I recommend VaultPress by Automattic, which is great.
I know some larger websites run backups every hour, but for most organizations that is complete overkill. Not to mention, you would need to make sure older backups are deleted after a new one is made, since each backup file takes up space on your drive. That said, I'd recommend weekly or monthly backups for most organizations.