Web development

WordPress Security

Why WordPress Security is Important?

A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal user information, passwords, install malicious software, and can even distribute malware to your users. Worst, you may find yourself paying ransomware to hackers just to regain access to your website.

In March 2016, Google reported that more than 50 million website users have been warned about a website they’re visiting may contain malware or steal information.

Furthermore, Google blacklists around 20,000 websites for malware and around 50,000 for phishing each week.
If your website is a business, then you need to pay extra attention to your WordPress security.

Similar to how it’s the business owners responsibility to protect their physical store building, as an online business owner it is your responsibility to protect your business website.

1. Protect the wp-config.php file

The wp-config.php file holds crucial information about your WordPress installation, and it’s the most important file in your site’s root directory. Protecting it means securing the core of your WordPress blog.

This tactic makes things difficult for hackers to breach the security of your site, since the wp-config.php file becomes inaccessible to them.

As a bonus, the protection process is really easy. Just take your wp-config.php file and move it to a higher level than your root directory.

Now, the question is, if you store it elsewhere, how does the server access it? In the current WordPress architecture, the configuration file settings are set to the highest on the priority list. So, even if it is stored one folder above the root directory, WordPress can still see it.

2. Disallow file editing

If a user has admin access to your WordPress dashboard they can edit any files that are part of your WordPress installation. This includes all plugins and themes.

If you disallow file editing, no one will be able to modify any of the files – even if a hacker obtains admin access to your WordPress dashboard.

To make this work, add the following to the wp-config.php file (at the very end):

define('DISALLOW_FILE_EDIT', true);

3. Understand, and protect, against DDoS attacks

A DDoS attack is a common type of strike against your server bandwidth, where the attacker uses multiple programs and systems to overload your server. Although an attack like this does not jeopardize your site files, it’s meant to crash your site for a long period of time if not resolved. Usually, you only hear about DDoS attacks when it happens to large companies like GitHub or Target. They’re conducted by what many refer to as cyber-terrorists, so the motive might simply be to wreak havoc.

That said, you don’t need to be a Fortune 500 company to be at risk.

If this worries you, we recommend signing up for the Sucuri or Cloudflare premium plans. These solutions have web application firewalls to analyze the bandwidth being used and block out DDoS attacks entirely.

4. Protect the wp-admin directory

The wp-admin directory is the heart of any WordPress website. Therefore, if this part of your site gets breached, then the entire site can get damaged.

One possible way to prevent this is to password-protect the wp-admin directory. With such a WordPress security measure, the website owner may access the dashboard by submitting two passwords. One protects the login page, and the other secures the WordPress admin area.

5. How to harden WordPress Security By Moving wp-config.php to a Non-public Folder

By default, wp-config.php sits in the same folder as your WordPress blog. So, if the homepage of your blog is at mysite.com/blog, so is your wp-config.php. That’s not as reckless as it seems since .php files are server-side scripts that are processed by the server. When you are looking at a .php file, you are actually looking at the output of the file. The same goes for when you view the source. The only way to download the raw code of a .php file is via FTP.

But, just because you can’t normally access a .php file doesn’t mean you are always safe…

Accidents happen, and vulnerabilities exist. If your web server’s PHP configuration breaks down, your MIME types aren’t set up correctly, or your web server is otherwise misconfigured, your web page could end up serving plain text instead of processed PHP output; that is just a few examples. And, just like being depantsed during a pep rally in the high school auditorium, it only takes a split-second and before you can get your knickers back on they’ve seen everything. Yeah, they’ve seen it all.

6. Use SSL to encrypt data

Implementing an SSL (Secure Socket Layer) certificate is one smart move to secure the admin panel. SSL ensures secure data transfer between user browsers and the server, making it difficult for hackers to breach the connection or spoof your info.

Getting an SSL certificate for your WordPress website is simple. You can purchase one from a third-party company or check to see if your hosting company provides one for free.

I use the Let’s Encrypt free open source SSL certificate on most of my sites.

7. Change your WordPress database table prefix

If you have ever installed WordPress then you are familiar with the wp- table prefix that is used by the WordPress database. I recommend you change it to something unique.

$table_prefix = 'iopkljkndhwyiq_';

If you have already installed your WordPress website with the default prefix, then you can use a few plugins to change it. Plugins like WP-DBManager or Acunetix Secure can help you do the job with just a click of a button. (Make sure you back up your site before doing anything to the database).

8. Always backup your website

If you are looking for a premium solution then I recommend VaultPress by Automattic, which is great.

I know some larger websites run backups every hour, but for most organizations that is complete overkill. Not to mention, you would need to ensure that most of those backups are being deleted after a new one is made since each backup file takes up space on your drive. That said, I’d recommend weekly or monthly backups for most organisations.

Customer Reviews

Read what our clients have to say about working with us.

Nikita Sharma
Nikita Sharma
June 30, 2022.
I would highly recommend YONET. Marcin is detail-oriented, efficient and goes above and beyond for his clients. We recently wanted our website re-designed and he beautifully brought to life everything we could have hoped for, whilst considering every detail to ensure our website performed and looked its best. His dedication and experience is very evident through the excellent service he offers.
Mike Devitt
Mike Devitt
June 27, 2022.
We have worked with Marcin at Yonet on a number of web design projects and not only is he a great person to work with, his experience and attention to detail in this field are second to none. He is an excellent designer and collaborator.
rozalia justynska
rozalia justynska
June 14, 2022.
Marcin is very professional and his patience is golden! He created two websites for us, and his ideas were amazing! Highly recommend!
David Browne
David Browne
June 10, 2022.
Marcin has a great knowledge of Web Development, particularly the more technical elements, he has provided me and my business with expert technical knowledge and I have no issues in recommending him
Galle Pasuriao
Galle Pasuriao
June 9, 2022.
I recommend Marcin. He has a lot of knowledge, when I transferred my website to his server it started working very quickly and finally google finds me on the first page.
Damian Kołodziej
Damian Kołodziej
June 7, 2022.
Definitely recommended. I have talked to many web design companies and I can honestly say that Marcin has powerful knowledge about web programming and Google positioning. He takes a very individual approach to his clients and does things that are impossible for other companies. My mistake was to outsource my website creation to another company and I lost more as there were a lot of revisions. I would also like to warn you that you should not use the lowest price on the market when creating a website because you will lose a lot later on. Marcin corrected everything and my website works perfectly and looks phenomenal. Thanks a lot Marcin, I will recommend you to everybody. Damian.
Melissa Jane Reinke
Melissa Jane Reinke
May 31, 2022.
Marcin is so efficient and knowledgeable. I wouldn’t hesitate in recommending him. He has really helped me a lot over the years.
May 30, 2022.
YONET went the extra mile creating our company's website and YONET is always there to help me when I need some help updating our business website. I would happily give more than 10 out of 5!
Paulina Choszczyk
Paulina Choszczyk
May 19, 2022.
Marcin to prawdziwy profesjonalista w swoim fachu. Każda strona, która wyszła spod jego ręki świetnie wygląda i jest bardzo funkcjonalna. Bardzo polecam wszystkim, którzy chcą aby jego strona internetowa robiła wrażenie.
Andrzej Choszczyk
Andrzej Choszczyk
May 9, 2022.
Godna polecenia firma.

Similar Posts