How to Protect WordPress Websites Against Hacking
Did you know that there are more than 53 million WordPress sites in the world? This makes WordPress more popular than Blogger, Drupal, or Microsoft SharePoint. It also means that it is a big target for hackers.
“Usage of WordPress is now at 17.0% of all websites, up from 12.3% two years ago,” said Sam Soltano, W3Techs Web Technology Survey.
“WordPress is used by 54.3% of all the websites whose content management system we know. This is 17.0% of all websites.”
Although WordPress is known for its stability and security, the open-source community is taking serious measures to fix any vulnerabilities that crop up. Developers are constantly providing new tips on how to protect WordPress sites against attacks that could disrupt online browsing (and even e-commerce transactions).
Protect wp-config.php
“Wp-config.php is one of the most important files in your WordPress blog,” said blogging site, DesignWoop.
“This file contains some of the very important administrator credentials that can help a hacker gain access to your WordPress database.”
DesignWoop suggests pasting the following lines into your. htaccess file. This file is located at the root of your WordPress install:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
However, remember to make a backup of your .htaccess file before editing. This will allow you to roll back any changes if you encounter problems along the way.
Create Unpredictable Credentials
The default WordPress installation includes an administrator user account with the name, “admin.” Hackers will try to login into this account and guess passwords.
The admin username cannot be changed. However, if WordPress is installed from cPanel’s Softaculous, the username and password can be altered. Most reliable web hosting companies, including Midphase, offer this feature.
Another option is to log into WordPress and create an unpredictable name and assign administrator privileges to this user and delete the former.
“As for choosing the new user name, make sure that it is not similar to the name you display publicly on your blog,” said Daniel Scocco, Daily Blog Tips.
“If you sign your posts as John Doe, for instance, naming the administrator user as “john” or “johndoe” wouldn’t help. You need something that others won’t be able to guess easily.”
Install Security Plugins
Hackers often rely on automated scripts to take control of the website. These scripts can take numerous attempts to log in to the website’s administration page. They can try thousands of combinations until they have the complete control.
The Better WP Security plugin is highly recommended to enforce login limits.
“Better WP Security takes the best WordPress security features and techniques and combines them in a single plugin thereby ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site.”
A longer password, mixed with letter, numbers and symbols will take hackers a longer time to execute a brute-force attack.
These are just a few things you can do to more tightly secure your WordPress blog. Also contact your hosting company for additional tips and advice on how to protect your WordPress install.