More than 25% of the websites are made in WordPress.
And it is said that some 37,000 websites are hacked every day. If we maintain the proportions and do the calculation, we have that 9,250 WordPress installations a day would-be victims of attacks. And among these could be yours.
Making your oberlo for WordPress secure is not just a matter of having a super-strong password.
Using a theme with errors (which apparently are not seen, but they are there), installing a badly programmed plugin or not having the files well protected or updated can lead to our WordPress website being hacked overnight.
And the main problem is not the itself-hack, but the bad time that you are going to have, the time (and money, surely) that you will have to dedicate to solve the problem and the bad image that you will be giving to your clients.
Without underestimating the losses that you will have during the period in which your WordPress is not accessible (if your website generates income).
For all this, and although we have previously spoken on several occasions about security in WordPress and we have reiterated that WordPress is safe, it never hurts to review some small tips that we can apply on our website to make it harder for the bad guys.
Even if you are not a super expert, you can easily apply these tricks on your website and it is possible that they will save you from more than one problem in the future.
1. Scan your Website Regularly
If your web host doesn’t already do it for you, something you should do practically every day (although it depends on your number of visits and the popularity of your website) is to scan your WordPress for any infections.
This is practically the same thing that your antivirus program does on your computer. Don’t really have to wait until your website is infected to scan your website; Anticipate and install a security plugin that’s able to go through your files regularly.
If you do not know what plugin you can use for this, here is a list with the three best known:
- Sucuri Security
- iThemes Security
These plugins check, among other things, your WordPress files for suspicious changes and will alert you when they are found.
2. Turn off the Plugin and Theme Editor
WordPress administrator users can easily edit the files that are contained within the plugins and themes directly through the editor that WordPress includes by default. This editor is accessible from the WordPress Desktop, within the Appearance »Editor or Plugins» Editor menu.
The problem is that the smallest and slightest mistake when editing a PHP file from there, for example, will cause our website to break causing for us to only see a blank screen when we visit it. Also, if the administrator password gets stolen, any attacker can edit the plugins and can add a malicious code.
Therefore, a simple protection measure is just to disable it. This way you can only modify the theme or plugin code through FTP access.
3. Hide the WordPress Version
Generally, and by default, WordPress shows the version you are using on your website.
This means that if you do not have your WordPress updated it is relatively easy for attackers to search for WordPress installations with a specific version, of which a vulnerability is known, and then take advantage to take advantage of it.
This way, having a WordPress with a version that is not the latest one puts automatically your website at risk. What you can do is hide the version number.
Remember that if you put a line in your theme, you will lose it when it is updated to a new version. So you should consider having a child theme or review this post where we explain how to add your customizations to WordPress.
4. Limit the Number of Failed Accesses
A typical attack they can do is brute force to discover your password, testing thousands of possibilities until they guess which one is good.
WordPress by default does not limit the number of failed accesses, so an attacker could test passwords continuously. Luckily, many hosting providers include extensions to control it.
5. Limit Access to the Login Page
A very effective way to protect your WordPress installation is to completely block access to the / wp-admin and /wp-login.php pages.
However, this is only recommended if you have a fixed IP (or more) and you will always access the WordPress Desktop from that same IP (or set of IPs). If this is your case, read on to find out how.
To make it only possible to access the Desktop from a set of IPs, you have to add the following fragment of instructions to your installation’s .htaccess file:
6. Turn off PHP Error Reporting
When you are developing a WordPress plugin or theme, having bug reporting enabled is very useful, as it lets you know if something is wrong and what is wrong.
In addition, it also indicates the PHP file that fails and the line inside that file where the error is.
However, in production we have to disable this, because if an attacker sees one of these errors he will be able to know the absolute path where the faulty PHP file is, something that he can use to his advantage and against you.