
How to Protect Your WordPress Website from Hackers: 12 Simple Measures
11 min read
10/02/2019
WordPress is a simple and easy-to-install content management system (CMS) preferred by numerous users. It is the most popular blogging platform worldwide: 30% of all websites on the Internet use it. However, its popularity has a flip side: it attracts hackers from all over the world. So if you are considering deploying WordPress for your website, or are already using this CMS for your blog, online store, or corporate site, you should know how to keep your WordPress site secure.
WordPress security
According to a report by Sucuri, a company focused on website security, WordPress is the most hacked CMS: 83% of all hacked CMS-based websites run WordPress, compared with 13.1% for Joomla in second place and 6.5% for Magento. These statistics can create the misconception that WordPress is highly vulnerable and full of security holes.
However, Sucuri states that its report does not mean WordPress is less secure than other platforms. In most cases, the weak protection that led to the compromise had nothing to do with the system itself; it came from improper installation, configuration, and maintenance. In other words, WordPress websites are usually hacked because site owners or webmasters have not taken proper steps to protect them, not because of vulnerabilities in the platform.
Is WordPress secure enough for Ecommerce?
WooCommerce is the most popular plugin for WordPress online stores. With more than 4,000,000 installations, it lets users create e-commerce websites with categories, products, payments, and email notifications. However, users wonder whether WordPress is safe for an online store, since they may feel that building an e-commerce site on this platform puts their business at greater risk than running a blog or corporate site.
In fact, there is hardly any difference between securing a WordPress-based online store and securing a blog. To convert an ordinary WordPress website into an online store, you just need to install and configure WooCommerce, making sure your theme is compatible with the plugin. Although it is open source, you can trust its developers, since the plugin has been approved by a dedicated team of developers.
Everything you install in addition to the core, the standard themes, and WooCommerce is your responsibility. Remember that your online store is only as secure as the WordPress website as a whole. So all the security measures below apply to both e-commerce and corporate websites.
The best WordPress cybersecurity practices
There are a number of important measures you have to apply in order to secure your WordPress website. Below, we will cover the simplest ones which won’t break your website if improperly configured.
Practice #1: Conduct regular updates
With each new update, WordPress becomes more secure. Since the release of version 5, Wordfence, a security company, has reported several vulnerabilities that were fixed in the following update, 5.0.1. You should always keep your site up to date, which protects you from attacks that target older versions of the system.
However, you shouldn't rely solely on the security of the core. Plugins and themes also get regular updates. By updating them, you keep them compatible with the latest core version and get better protection from threats. Moreover, clicking the Update button is all you have to do to apply an update; no files need to be copied by hand.
Practice #2: Protect your passwords
The best and easiest thing you can do to secure your WordPress website is to avoid making an attack easy for cybercriminals. That starts with strong passwords. In short, use long, complex passwords that contain no personal information such as your name or address. It may sound obvious, but you should also keep your admin login details secret: don't share them or write them down.
Here’s a full list of practices on how to protect passwords from hackers:
- Use a complicated password
- Avoid using your personal information in a password
- Avoid dictionary words in passwords
- Use long passwords
- Don't share your login details
- Change your passwords every two months
- Use a different password for the WordPress admin panel than for other online services
- Don’t enter your credentials on computers or networks you can’t control
- Use a password manager if you use many different online services
- Don’t write your password down on paper or anything else
- Doubt all unusual information you receive via email, SMS, or phone
The last measure can also protect you from phishing attacks designed to make you disclose sensitive data or click on malicious links. Don't open emails from unverified senders and don't follow suspicious links, because you may accidentally download and install malware.
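The password rules above can be turned into an automated check that a site owner runs before accepting a new admin password. The script below is an added example, not code from the article or from any plugin it mentions: it checks length, a small built-in list of common passwords and dictionary words (both constructed for the demo, a real deployment would load a proper list), personal details that an attacker could read off a public site, and leet-speak substitutions such as "0" for "o". The minimum length of 14 and the character-class rule are assumptions.

```python
import re

# Constructed sample data (not from the article): a tiny common-password list and
# a few dictionary words. Real deployments load a full list such as a breach corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin", "welcome", "letmein"}
DICTIONARY_WORDS = {"summer", "dragon", "monkey", "football", "wordpress", "secret"}

# Leet-speak normalisation so that "p@ssw0rd" is recognised as "password".
LEET = str.maketrans("013457@$!", "oleastasi")


def check_password(password, personal_info=(), min_length=14):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in common-password list")

    # Personal information (name, city, email address...) anywhere in the password.
    for item in personal_info:
        item = item.lower()
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal information '{item}'")

    # Dictionary words, including ones hidden behind digit/symbol substitutions.
    normalised = lowered.translate(LEET)
    for word in DICTIONARY_WORDS | COMMON_PASSWORDS:
        if len(word) >= 4 and word in normalised:
            problems.append(f"contains dictionary word '{word}'")

    # Require at least three of: lowercase, uppercase, digits, symbols.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    # Constructed personal details for the demo account.
    owner = ["Alice", "Smith", "alice@example.com", "London"]
    for candidate in ("Summer2019!", "P@ssw0rd!!2019xx", "correct-Horse7-battery!staple"):
        print(candidate, "->", check_password(candidate, owner) or "OK")
```

The check is deliberately conservative: any hit is reported, and the caller decides whether to reject the password or only warn. Running the demo rejects the first two candidates and accepts the third.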
Practice #3: Don’t use the Admin username
I have often seen people use Admin as the username for the WordPress admin panel. It's short and easy to remember because it is associated with a website administrator. According to Gizmodo, it is also one of the most popular passwords, ranking 12th in their 2018 list, so its popularity makes it easy to guess. Your username should be as secure as your password, so choose a unique username to make unauthorized access harder. Consider using your email address if you don't want to remember another long and complicated string.
Practice #4: Limit login attempts
“Any password can be hacked with enough time”, SANS Institute
One of the most common attacks is a brute force attack aimed at guessing your password. To carry it out, hackers generate massive numbers of automated login attempts. In addition to creating a strong password, you can limit these attempts and block the hosts sending such requests.
According to the Global Information Assurance Certification (GIAC), there are no unbreakable passwords, so limiting login attempts dramatically reduces the risk that hackers compromise your credentials. You can do this by installing a security plugin such as iThemes Security. Its free version lets you set a number of unsuccessful login attempts after which the plugin blocks the host, so it can no longer try to sign in.
Practice #5: Change the login page URL
To try to guess your password, hackers first need to reach your login page, where you normally enter your credentials to access the WordPress admin panel. There they can run the brute force attack mentioned above, a dictionary attack, or a rainbow table attack. Rainbow table attacks rely on precomputed databases of password hashes, while dictionary attacks target simple passwords made of common words.
So you can confuse attackers and keep them from launching an attack on your credentials by hiding your login page: change its default URL from https://your-site.com/wp-admin to something like https://your-site.com/bla-bla-bla. Then they won't be able to find your login page and run their tools against it. This mainly defeats automated scanners that look for the default path; it complements, rather than replaces, strong passwords and login limits.
Practice #6: Use HTTPS
Using interception techniques, cybercriminals can try to capture sensitive information that your visitors exchange with your site. This data can include the email addresses visitors enter in your contact form, or payment information such as a credit card number, its expiry date, and the CVV2 code they share with your site to make a payment.
To prevent user data from being compromised, install an SSL/TLS certificate and serve your site over HTTPS instead of plain HTTP. This also makes your website more attractive to search engines. Once configured, you can check that your site is served securely by visiting it and verifying that the URL starts with https:// rather than http:// and that the lock icon appears before the URL.
Practice #7: Enable automatic backups
Regardless of any active security measures, you always need a plan B in case of an emergency, so enable automatic backups of your website. If the site is hacked, you will be able to recover it from the previously saved backup. You won't lose your posts, categories, tags, images, or products if you have a backup stored on your computer or in cloud storage. To enable regular automatic backups, you can install the free Duplicator plugin. With this add-on, you won't need to create a backup manually after every change, such as adding a new post or product.
Practice #8: Use two-factor authentication
In many cases, once hackers have compromised your credentials, nothing can stop them from accessing your admin panel. So you should put another barrier in their way and make the attack much harder to carry out by requiring data they cannot guess: enable two-factor authentication (2FA).
This feature adds an extra step to signing in. Besides a username and password (something you know), you have to enter data derived from something you have. In practice, this usually means entering a one-time code sent to your mobile device by push notification or SMS, or generated by an authenticator app. To enable 2FA on your website, you can use plugins such as Google Authenticator or iThemes Security Pro.
Practice #9: Don’t install unverified themes and plugins
Since WordPress is an open source platform, anybody can create themes and plugins for it, so when you install an add-on you entrust your website's security to third-party developers. By downloading files from unverified websites, you put your site at risk, because these files can contain bugs or even malicious code that damages your site.
That's why you should use themes and plugins from the official WordPress repository. This minimizes the risk of installing malware along with an add-on. Furthermore, it's much easier to click the Install button than to download files and copy them to the file system on your hosting server.
Practice #10: Disallow new user registrations
You may have wondered why you keep receiving email notifications about new user registrations on your website. Why would anybody sign up on your blog if comments are enabled without registration? In most cases, those are spammers. Note that visitors don't need to become registered users to receive newsletters. If you don't accept guest posts, disable new user registrations on your website and let visitors submit posts via email instead. Go to Settings, choose General, uncheck the Anyone can register checkbox, and save your changes.
Practice #11: Set the right permissions
If you still need certain users to sign up in order to publish or edit your posts, make sure they don't get more permissions than they need. Give your editor the corresponding role instead of granting that person the administrator role. That way, you avoid damage to your website's design or functionality.
Table of permissions for different roles in WordPress

| Permission | Administrator | Editor | Author | Contributor | Subscriber |
|---|---|---|---|---|---|
| Visit a site | ✔ | ✔ | ✔ | ✔ | ✔ |
| Edit posts | ✔ | ✔ | ✔ | ✔ | |
| Delete posts | ✔ | ✔ | ✔ | ✔ | |
| Edit published posts | ✔ | ✔ | ✔ | | |
| Upload files | ✔ | ✔ | ✔ | | |
| Publish pages | ✔ | ✔ | ✔ | | |
| Edit pages and posts published by others | ✔ | ✔ | ✔ | | |
| Delete pages and posts published by others | ✔ | ✔ | | | |
| Visit private pages | ✔ | ✔ | | | |
| Edit private pages | ✔ | ✔ | | | |
| Delete private pages | ✔ | ✔ | | | |
| Edit categories | ✔ | ✔ | | | |
| Delete categories | ✔ | ✔ | | | |
| Moderate comments | ✔ | ✔ | | | |
| Install plugins | ✔ | | | | |
| Delete plugins | ✔ | | | | |
| Add new users | ✔ | | | | |
| Delete users | ✔ | | | | |
| Install themes | ✔ | | | | |
| Configure themes | ✔ | | | | |
| Delete themes | ✔ | | | | |
| Edit files | ✔ | | | | |
| Export/import content | ✔ | | | | |
| Update the core, plugins, and themes | ✔ | | | | |
Practice #12: Disable XML-RPC
The WordPress core includes the xmlrpc.php file, which enables remote connections to your admin panel. This file lets you edit posts using, for example, a mobile app. However, this feature is a significant security drawback, because it makes brute force attacks easier for hackers.
To try 100 different passwords on your site, attackers usually need to make 100 login attempts. If you have a security plugin installed, it blocks their host after the first few unsuccessful attempts. With XML-RPC, hackers can try those 100 passwords in a single request. That's why you should disable XML-RPC on your website if you don't need remote connections.
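Both Practice #4 (limit login attempts) and Practice #12 (XML-RPC) come down to the same thing a site owner can observe in the web server's access log: a burst of POST requests to wp-login.php or xmlrpc.php from one address. The script below is an added example, not code from the article or from any plugin it names. It parses Apache combined-format log lines (a constructed sample is embedded) and flags sources that exceed a threshold within a sliding time window. The threshold, window, sample addresses and the rule that a POST to wp-login.php answered with HTTP 200 is a failed login (WordPress re-renders the form on failure and redirects on success) are assumptions stated in the comments; because XML-RPC can pack many credential guesses into one request, every POST to xmlrpc.php is counted rather than only failures.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache "combined" access-log lines (not real traffic). 203.0.113.7
# fails six logins in ten seconds; 198.51.100.9 fails twice, then succeeds (302);
# 192.0.2.44 sends a burst of POSTs to xmlrpc.php.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2019:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3510 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2019:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3510 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2019:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3510 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2019:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3510 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2019:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3510 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2019:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3510 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2019:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2900 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2019:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3510 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2019:10:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3510 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2019:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Feb/2019:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.21"
192.0.2.44 - - [10/Feb/2019:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.21"
192.0.2.44 - - [10/Feb/2019:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.21"
192.0.2.44 - - [10/Feb/2019:10:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.21"
192.0.2.44 - - [10/Feb/2019:10:02:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.21"
"""

# Apache combined log format: client, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def classify(method, path, status):
    """Map one request to an event type worth counting, or None."""
    path = path.split("?", 1)[0]
    # Assumption: wp-login.php re-renders the form with 200 on a failed login and
    # redirects (302) on success, so a POST answered with 200 is a failed attempt.
    if path.endswith("/wp-login.php") and method == "POST" and status == "200":
        return "login-failure"
    # Every POST to xmlrpc.php is a remote call; one request may carry many
    # guesses, so the volume of calls from one address is what matters.
    if path.endswith("/xmlrpc.php") and method == "POST":
        return "xmlrpc-post"
    return None


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {(ip, event_type): peak_count} for sources that produce at least
    `threshold` events of one type within any `window_seconds` sliding window."""
    recent = defaultdict(deque)  # (ip, kind) -> timestamps inside the window
    alerts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unexpected format: skip rather than crash the scan
        kind = classify(m["method"], m["path"], m["status"])
        if kind is None:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["ip"], kind)
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


if __name__ == "__main__":
    for (ip, kind), count in sorted(detect_bruteforce(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: {count} {kind} events within 60 s")
```

On the sample, 203.0.113.7 and 192.0.2.44 are flagged while 198.51.100.9 (two failures, then a successful login) is not. The same logic fed from a live log tail gives you the evidence behind a block rule, and a sudden appearance of xmlrpc.php traffic after you believed the endpoint was disabled is a cheap check that the block in the next section actually took effect.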
How to disable XML-RPC in WordPress
You can either use a dedicated plugin or manually add a rule to the .htaccess file stored in the public_html folder on your hosting server. If you prefer a plugin, install the one called Manage XML-RPC. With this add-on, you can disable XML-RPC entirely or allow it only for specific IP addresses, including your own.
If you don't want to add another plugin to your admin panel, insert the following into the .htaccess file. These are Apache 2.2-style directives; on Apache 2.4 they only work while mod_access_compat is loaded, otherwise the native Require all denied and Require ip directives replace the order/deny/allow lines.
# Block XML-RPC and protect your site from brute force attacks
<Files xmlrpc.php>
# Deny rules are evaluated first; a matching Allow line then overrides them
order deny,allow
# Block all requests
deny from all
# Allow requests from one specific IP address only
allow from 203.0.113.10
</Files>
Replace 203.0.113.10 (a placeholder taken from the reserved documentation address range, not a real address) with your own IP address. You can find your IP address on the admin page of your hosting server. Make sure you don't have a dynamic IP address that changes over time. If you don't need XML-RPC at all, simply remove the "allow from 203.0.113.10" line.
In case of emergency
Few of us start looking for security measures until we face a threat. If that's your case too, don't panic. If your WordPress website has been hacked, you have two simple ways out. The first is to fully restore your website from the backup you generated earlier. If you don't have a backup, you can approach a dedicated security team such as Sucuri, who will help you regain access to your website. They also publish guidance on how to clean a hacked WordPress site on your own.