Hardening WordPress: How to Keep Your WordPress Site Secure
If you have ever been hacked, you know what a nightmare it can be. It can be difficult to understand which WordPress security steps will help to keep your WordPress website secure.
Keep reading to learn how to keep your WordPress site secure, the proper steps for hardening WordPress, and a WordPress website security checklist.
What is WordPress Hardening?
WordPress makes up about 40% of all websites. Because of this, people who know how to exploit WordPress can easily find a lot of targets. Fortunately, there are many things you can do to make the job much harder for them. This is known as hardening WordPress.
Why WordPress Security is Important
Not only is getting hacked embarrassing, but it can lead to downtime, data loss, and leaked information. This can translate to lost sales and poor brand reputation. In addition to this, it can take a lot of work to get everything back up and running again.
Hardening WordPress: 10 WordPress Security Steps to Take
There are four main ways that attackers gain access to a WordPress site:
Getting your password or session and logging in.
Through indirect access such as FTP, SSH, or the database.
By discovering information in your web root.
Through vulnerabilities in the WordPress code or plugins.
The simplest way to gain access to your site is simply by logging in. Here are a few ways to harden WordPress against password thieves.
1. Secure the Machine You are Connecting From
One important thing that is easy to overlook is the computer you are connecting from. If it is not secure, then that can make your server vulnerable too. This is why it is very important to have a virus scanner and firewall, to keep your computer up to date, and to practice safe browsing habits.
2. Secure the Connection to the Server
Even if your computer is secure, your password or your session cookie can still be stolen in transit. Make sure you always log in to the WordPress backend over HTTPS; setting the FORCE_SSL_ADMIN constant to true in wp-config.php makes WordPress redirect login and admin requests to HTTPS so a plain-HTTP login cannot happen by accident.
It is preferable to always connect to your server using your home or business wired connection or a Wi-Fi connection that uses a long, random Wi-Fi password. If you must connect using a public hotspot, then you will absolutely want to invest in a VPN.
3. Prevent People from Guessing Your Password
When an attacker uses a script to rapidly try different username and password combinations until one works, this is called a brute force attack. To defeat it, use a long, randomly generated password (a password manager makes this painless) that mixes upper and lowercase letters, numbers, and special characters, and never reuse it on another site.
To make brute forcing harder still, plugins can help. Look for two-factor authentication plugins, plugins that add a CAPTCHA to the login form, and plugins that limit the number of failed attempts from one address or against one account.
4. Don't Use Admin
Another way to slow down brute force attacks and other password-stealing methods is to give your administrator account a name other than admin, since that is the first username attackers try. Treat this as a speed bump rather than a defense: WordPress exposes usernames through author archive URLs and the REST API users endpoint, so a determined attacker can still find them, and the strong password and attempt limits above remain the real protection. Delete any additional administrator accounts when they are no longer needed, and give every new account only as much access as it needs.
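Attempt limits are usually applied at the application layer, but the same brute force attempts also show up in the web server access log. The script below is an added example (not code from the original article or from Nexcess) that flags clients hammering wp-login.php or xmlrpc.php in an Apache/nginx combined-format log and turns the hits into firewall rules for review; this is the signal a fail2ban jail for WordPress keys on. The function names are invented for this example and the log lines are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): detect login brute forcing in
# a web server access log (Apache/nginx combined format) and turn the hits into
# firewall rules for review. This is the same signal a fail2ban jail would use.
# Function names are invented here; the log lines below are constructed.

# Print "IP count" for each client that POSTed to wp-login.php or xmlrpc.php
# at least THRESHOLD times. Only POSTs count: viewing the login form is a GET,
# so counting GETs would flag ordinary visitors.
wp_login_bruteforce_ips() {
  local logfile="$1" threshold="${2:-10}"
  awk -v t="$threshold" '
    # combined format: IP ident user [time] "METHOD PATH PROTO" status size ...
    $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= t) print ip, hits[ip] }
  ' "$logfile" | LC_ALL=C sort
}

# Print (do not run) an iptables command per offender. The rule covers only
# the web ports, so a false positive can never lock you out of SSH.
wp_login_block_rules() {
  local logfile="$1" threshold="${2:-10}" ip count
  wp_login_bruteforce_ips "$logfile" "$threshold" |
  while read -r ip count; do
    printf 'iptables -I INPUT -s %s -p tcp -m multiport --dports 80,443 -j DROP  # %s login POSTs\n' \
      "$ip" "$count"
  done
}

# Constructed sample: 203.0.113.7 fires six login POSTs (five at wp-login.php,
# one at xmlrpc.php); 198.51.100.4 logs in once; 192.0.2.9 just browses.
write_sample_log() {
  local f
  f="$(mktemp)"
  cat >"$f" <<'EOF'
192.0.2.9 - - [10/Oct/2023:13:55:30 +0000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:14:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:01:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:01:16 +0000] "GET /wp-admin/ HTTP/1.1" 200 60211 "-" "Mozilla/5.0"
EOF
  printf '%s\n' "$f"
}

# Demo run on the constructed log.
sample="$(write_sample_log)"
echo "Clients with >= 5 login POSTs:"
wp_login_bruteforce_ips "$sample" 5
echo "Proposed rules:"
wp_login_block_rules "$sample" 5
rm -f "$sample"
```

Two caveats when running this against a real log: xmlrpc.php is included because its system.multicall method lets one request carry hundreds of password guesses, so even a handful of POSTs there is suspicious; and if the site sits behind a CDN or reverse proxy the first field will be the proxy's address unless the log format records X-Forwarded-For, in which case every visitor would be blocked at once. A tool such as fail2ban does the same counting continuously and expires the bans after a set time, which a hand-applied iptables rule does not.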
If hackers can't access your administrator account directly, they may be able to access your site indirectly through SSH, FTP, or the database. Everything mentioned about keeping your local PC secure, choosing secure passwords, and using a VPN while on public internet applies to SSH, FTP, and connections to the database too, but here are some additional considerations.
5. Use SFTP or FTPS
FTP transmits your data and passwords over the internet in plain text, meaning that anyone who can intercept your data can see your passwords and your data. SFTP and FTPS both encrypt your data.
6. Close or Limit Access to the Ports
Generally, if your database and your website are on the same server, you do not need to have your database port open to the public. If you can manage your database through the portal or from inside the server, this is generally a better option because it gives attackers one less way to exploit your website.
Likewise with FTP, if you are able to use SFTP to connect to the server, there is no need to have the FTP port open. If you do need to use one of these ports to connect to your server, it may be a good idea to scope the ports to only your IP address.
If your IP address changes a lot, it can be inconvenient to have to call in and get the new address allowed every time it changes. One way around this is to use a VPN with a fixed exit address. Not only does a VPN encrypt the connection between you and the server, but it gives you a static IP address that you can add to your firewall rules, so that nobody else can reach those ports.
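Before scoping ports, it helps to know which services are actually exposed. The script below is an added example (not code from the original article or from Nexcess) that reads `ss -tlnp` output and reports every TCP listener bound to all interfaces that is not on an allow-list, then prints a ufw rule set that leaves only the web ports public and restricts SSH to one admin address. The function names are invented, the sample `ss` output is constructed, and the admin address is a placeholder.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): find which TCP services are
# listening on every interface, i.e. reachable from the internet unless a
# firewall is in the way, and print a scoped firewall rule set for review.
# Function names are invented; the `ss -tlnp` output below is constructed.

# Read `ss -tlnp` output on stdin and print "port process" for each listener
# bound to a wildcard address (0.0.0.0, *, [::]) whose port is not on the
# allow-list. Loopback-only services (127.0.0.1, [::1]) are skipped.
public_listeners() {
  local allow="${1:-80 443}"
  awk -v allow="$allow" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                                   # column header
    {
      addr = $4                                        # Local Address:Port
      m = split(addr, parts, ":"); port = parts[m]
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (host != "0.0.0.0" && host != "*" && host != "[::]" && host != "::") next
      if (port in ok) next
      proc = "?"
      if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
      print port, proc
    }
  ' | LC_ALL=C sort -n | uniq
}

# Print (do not run) ufw commands that leave only the web ports public and
# restrict SSH to one admin address: the static address of your office or VPN.
scoped_firewall_rules() {
  local admin_ip="$1"
  cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow from ${admin_ip} to any port 22 proto tcp
ufw enable
EOF
}

# Constructed sample: MySQL and an FTP daemon are exposed, Redis is not.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*     users:(("nginx",pid=1204,fd=6))
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*     users:(("nginx",pid=1204,fd=7))
LISTEN 0      80           0.0.0.0:3306       0.0.0.0:*     users:(("mysqld",pid=990,fd=21))
LISTEN 0      128        127.0.0.1:6379       0.0.0.0:*     users:(("redis-server",pid=640,fd=6))
LISTEN 0      32           0.0.0.0:21         0.0.0.0:*     users:(("vsftpd",pid=701,fd=3))
LISTEN 0      128             [::]:22            [::]:*     users:(("sshd",pid=812,fd=4))'

echo "Publicly reachable listeners besides 80/443:"
printf '%s\n' "$SAMPLE_SS" | public_listeners "80 443"
echo "Rules for review (admin address 198.51.100.4 is a placeholder):"
scoped_firewall_rules 198.51.100.4
```

On a real server run `ss -tlnp | public_listeners "80 443"` as root. Every port it lists should either be re-bound to loopback (for MySQL, `bind-address = 127.0.0.1` in the server configuration when the site and database share a host), turned off (the FTP daemon once SFTP is in use), or limited to your admin address in the firewall. A cloud provider's security group or network ACL counts as that firewall, but only if it is actually configured; the `ss` listing tells you what is listening, not what is reachable, so verify from outside as well.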
One mistake many people make is to store files and database dumps in the web root. Remember that anything in your web root can be requested by anyone on the internet, so it should contain nothing you would not want to be public.
7. Remove Anything Unnecessary From Your Web Root
It is worthwhile to look over your web root and make sure there is nothing that is unnecessary for your site to function stored in it.
For example, it can be convenient to dump the database to the webroot so that you can download it later. But remember that your database contains your password hashes and could contain other information that you don't want to be public.
A better idea would be to dump the database somewhere else and use SFTP to download it. If you want to keep it on the server as a backup you can simply move it up one level or put it anywhere except the webroot.
Likewise, zipped copies of the website code tell an attacker exactly what you are running, and if the archive includes wp-config.php it hands over your database credentials; anything in the web root can be downloaded by anyone on the internet. Another common practice is to make a backup of a file like .htaccess or a code file before modifying it.
It is certainly a good idea to back up files before modifying them, but if you keep the copies in the web root, change their permissions so the web server cannot serve them.
For example, if the copy is named .htaccess.bak, run chmod 000 .htaccess.bak. Do this to the backup copy only, never to the live .htaccess, which the web server must still be able to read. Finally, README files (WordPress ships readme.html and license.txt in the web root) and anything else that exposes version numbers are safe to remove, and removing them gives attackers a little less to go on. Note that a core update puts readme.html and license.txt back, so repeat the cleanup after updating.
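The audit described in this section, as an added example that is not code from the original article or from Nexcess: the first function lists files with risky names anywhere under the web root, the second moves them to a private directory one level up (the "move it up one level" advice above) while preserving their relative paths so they remain useful as backups. The function names are invented for this example; the demo tree it builds is throwaway.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): list the files that have no
# business being served from a WordPress web root (database dumps, archives,
# editor and backup copies, the version-revealing readme) and move them to a
# private directory one level up, keeping their relative paths. Function names
# are invented for this example.

# Print, relative to the web root and sorted, every file with a risky name.
audit_webroot() {
  local webroot="$1"
  ( cd "$webroot" && find . -type f \( \
      -name '*.sql' -o -name '*.sql.gz' -o -name '*.zip' -o -name '*.tar' \
      -o -name '*.tar.gz' -o -name '*.tgz' -o -name '*.bak' -o -name '*.old' \
      -o -name '*.orig' -o -name '*.swp' -o -name '*~' \
      -o -name 'wp-config.php.*' -o -name '.htaccess.*' \
      -o -name 'readme.html' -o -name 'license.txt' \
    \) -print | LC_ALL=C sort )
}

# Move everything audit_webroot reports into DEST (default: a directory named
# private-backups beside the web root, outside the document root) so it is
# still available over SFTP but no longer reachable by URL.
quarantine_webroot() {
  local webroot="$1" dest="${2:-$1/../private-backups}" rel
  audit_webroot "$webroot" | while IFS= read -r rel; do
    mkdir -p "$dest/$(dirname "$rel")"
    mv "$webroot/$rel" "$dest/$rel"
    printf 'moved %s -> %s\n' "$rel" "$dest/$rel"
  done
}

# Demo against a throwaway tree: run as `bash script.sh demo`.
demo_webroot() {
  local tmp
  tmp="$(mktemp -d)"
  mkdir -p "$tmp/public_html/wp-content/uploads"
  touch "$tmp/public_html/index.php" "$tmp/public_html/wp-config.php" \
        "$tmp/public_html/wp-config.php.bak" "$tmp/public_html/readme.html" \
        "$tmp/public_html/wp-content/uploads/site-backup.sql"
  echo "Risky files:"; audit_webroot "$tmp/public_html"
  quarantine_webroot "$tmp/public_html"
  echo "Remaining after quarantine:"; audit_webroot "$tmp/public_html"
  rm -rf "$tmp"
}
if [ "${1:-}" = "demo" ]; then demo_webroot; fi
```

Run the audit function first and read its output before quarantining anything: the name patterns are deliberately broad, and a theme may legitimately ship a license.txt or a plugin a .zip it unpacks on demand. Anything you decide must stay in the web root gets the chmod 000 treatment from the paragraph above, and a server-level rule that refuses to serve those extensions is a good second layer. Since core updates restore readme.html and license.txt, rerun the audit after every update.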
The final thing to consider is the code itself. Web application security is a complex topic with entire books written on it. Because you are using WordPress, the work of finding and fixing vulnerabilities in core is done by the WordPress security team; your job is to install the patches promptly, because once a fix is published, attackers quickly work out what it fixed and scan for sites that have not applied it.
If you are hosting with Nexcess, we take care of updating core WordPress for you, but themes and plugins can also contain vulnerabilities, so keep them updated as well and remove any that you are not actively using, since a deactivated plugin still leaves its files on the server.