WordPress is one of the best content management systems on planet earth because it is open source and used by millions. That very popularity creates security problems for most website owners.
Hackers know that WordPress sites number in the millions, so if they can find one security hole in this popular open source Content Management System (CMS), they can get in and compromise thousands of websites without anyone noticing they were ever there.
Understanding WordPress Security Basics
Despite the horror stories you and I hear about WordPress-built sites being hacked and taken over by some known or unknown hacker, WordPress is actually a very secure platform, managed by the largest blogging community on the planet. That means there are thousands of security professionals working on making the WordPress CMS more secure.
Update Your WordPress ALWAYS
Your WordPress site should always use the latest version which you can download here.
Log in to your Dashboard, then go to Dashboard > Updates and update it there.
Or you can make sure that it is always updated automatically by placing this code in your wp-config.php file (log in to your web hosting manager > File Manager > public_html > wp-config.php (right click > Edit > Insert Code > Save)):
define( 'WP_AUTO_UPDATE_CORE', true ); // enables automatic core updates, minor and major releases alike
Also, since your website should be using HTTPS, force all logins to go through SSL:
define( 'FORCE_SSL_ADMIN', true ); // serve wp-admin and wp-login.php over HTTPS only
// FORCE_SSL_LOGIN has been deprecated since WordPress 4.0; FORCE_SSL_ADMIN already covers the login page
define( 'FORCE_SSL_LOGIN', true );
Once Again Always Update WordPress Core and Use the Latest Version
Most clients I work with are reluctant to install the latest updates because the plugins they use conflict with the latest version of WordPress. But that is the worst thing anyone can do when managing a WordPress CMS: choosing plugin features over core updates. It is precisely the outdated plugins, written without security best practices in mind, that hackers most often use to get in.
Be aware that running the latest version of WordPress core is the single most important security precaution you can take when securing a website built on WordPress.
Conduct Regular Security Audits & Backup
When was the last time you actually conducted a thorough security audit of your WordPress site? If you believe that is beyond your skill set, consider hiring someone who can do it for you, or outsource the work to a reputable security service provider (not the "WordPress security experts" found on Freelancer or Fiverr, as most of them aren't advanced enough in coding and security best practices).
Backing up your WordPress site should be part of routine website maintenance. You can use your web host's One Click App auto-backup option: simply locate your WordPress installation settings as shown in the images below.
Keep in mind that you can actually backup to another hosting provider by providing your FTP login details.
These options will only work if you used One Click Apps when installing your WordPress site. If you haven't used One Click Apps, you can still back up your site manually or by using an external service such as VaultPress by Automattic Inc. This is a paid service, although it's worth it for your peace of mind. VaultPress automatically backs up your entire site daily, giving you the option to restore it in case hackers break into your site.
Backing up the WordPress database should also be part of securing your site. I have created how-to tutorials for this on my YouTube channel (how to back up the WP database) (how to restore the WP database).
Here’s a Video That Explains How to Secure WordPress
Sample WP Security Codes
Always remember that on the internet you can never have a website that is 100% secure, because much also depends on the web hosting server and on how well the web hosting provider you use keeps their end secure.
.htaccess file for Security
Apache servers can use an .htaccess rule such as the following (it requires mod_headers) to send an HSTS header:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Or you can go even further and block query strings that hackers commonly use to find vulnerable WordPress sites. (Sample only: use with caution and make sure you back up your .htaccess file first.)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# Deny access to dotfiles and dot-directories (.git, .htaccess, .env and so on),
# except the .well-known directory used for ACME/TLS validation.
RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]

# Block direct requests to PHP files under wp-admin/includes and wp-includes.
# The [S=3] rule skips the next three rules for every path outside wp-includes/.
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]

# Reject requests whose query string matches common scanner/injection probes.
# All conditions are OR-chained, so every condition except the last needs [OR]
# (the _REQUEST line was missing it) and the last one must not carry [OR],
# otherwise the chain is left open and the rule can fire on unrelated requests.
# Note that the (...|or|and|if) alternative is very broad: any query string
# containing ; ' " or %22 followed somewhere by "or", "and" or "if" (for example
# a search for news;sports) is rejected. Test against your site's real URLs first.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} (;|'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|mosconfig) [NC,OR]
#RankYa NOV 2020 added xmlrpc.php
RewriteCond %{QUERY_STRING} (xmlrpc.php|boot.ini|echo.*kae|etc/passwd) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:).*(;) [NC]
RewriteRule .* - [F]
</IfModule>
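The query-string conditions in that sample are easy to over-match, so before enabling them it pays to run your own site's real URLs through them offline. The following is an added example of mine (not code from RankYa's post or from WordPress) that transcribes those conditions into Python and checks a few constructed URLs on the placeholder host example.com, including an ordinary search that the broad (or|and|if) alternative would reject:

```python
import re
from urllib.parse import urlsplit

# The QUERY_STRING conditions from the .htaccess sample above, transcribed into
# Python regexes (Apache uses PCRE; these patterns are compatible). Conditions
# carrying [NC] get re.IGNORECASE; the others stay case-sensitive, as in Apache.
QUERY_RULES = [
    ("base64_encode", re.compile(r"base64_encode[^(]*\([^)]*\)")),
    ("script-tag", re.compile(r"(<|%3C)([^s]*s)+cript.*(>|%3E)", re.I)),
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
    ("sql-keywords", re.compile(
        r"(;|'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if)",
        re.I)),
    ("localhost-mosconfig", re.compile(r"(localhost|mosconfig)", re.I)),
    ("sensitive-files", re.compile(r"(xmlrpc.php|boot.ini|echo.*kae|etc/passwd)", re.I)),
    ("javascript-uri", re.compile(r"(javascript:).*(;)", re.I)),
]


def matched_rules(query_string):
    """Names of the sample conditions that fire on a raw (undecoded) query string.

    Apache evaluates %{QUERY_STRING} before percent-decoding, so the input here
    must be the raw string as sent on the wire, not its decoded form.
    """
    return [name for name, rx in QUERY_RULES if rx.search(query_string)]


def would_block(url):
    """True if the OR-chained sample conditions would answer this URL with 403."""
    return bool(matched_rules(urlsplit(url).query))


if __name__ == "__main__":
    # Constructed sample requests (example.com is a placeholder host): one
    # ordinary search, one benign search that the broad (or|and|if) alternative
    # mis-classifies, and two probe-style strings already named in the rules.
    samples = [
        "https://example.com/?s=wordpress+security",
        "https://example.com/?s=news;sports",        # ';' then 'or' inside "sports"
        "https://example.com/?p=1&GLOBALS[x]=1",
        "https://example.com/?file=../../etc/passwd",
    ]
    for url in samples:
        verdict = "403" if would_block(url) else "200"
        print(f"{verdict}  {url}  {matched_rules(urlsplit(url).query)}")
```

Feed it the query strings from your own access log to see which legitimate requests the sample rules would reject before you deploy them.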
At the end of the day, there is no point in waiting for some hacker to break into your WordPress site; instead, take the security precautions as best you can and stay vigilant.
Keep in mind that most hackers use automated tools to find unsecured WordPress sites. That means if you haven't taken the required precautions, or you aren't using security plugins, these automated tools will find the open security holes in your WordPress-built website.
Secure phpMyAdmin
Almost all WordPress-built sites use phpMyAdmin for their installation, and most 1-Click installations grant the database user all privileges by default, but for most setups you only need SELECT, INSERT, UPDATE and DELETE. Most 1-Click installations also use easy-to-brute-force passwords (both for the WordPress Dashboard and for phpMyAdmin), so definitely change these so that your MySQL login password is complex.
Thank you for sharing this blog post by RankYa so that all WordPress site owners like me and you can make it harder for hackers to break into our WP sites.