WordPress Security Best Practices

Hacks are common in the development field. There is always someone out there who might find hacking your site beneficial: a dishonest competitor, or simply an amateur developer who has nothing better to do. That’s why knowing how to improve WordPress security can save you a lot of headaches in the long run.

Before we delve into the actual steps to improve security, here is a breakdown of reasons why WordPress security is so important:

Why is WordPress security so important?

A WordPress site is like your office or retail store: your business relies on it to make revenue. If your website gets hacked, it’s not only you who is affected but your customers’ data as well. Loss of customer information is the biggest danger for a business: it undermines customer trust and can destroy the business entirely.

From a financial standpoint, you might find yourself in the tricky situation of having to pay a ransom to a hacker in order to regain access to your site.

Other consequences of a security breach include malware being distributed to your visitors, Google blacklisting your site, and problems with logging in and passwords.

As you can see, every WordPress site owner needs to know how to protect their site. Here are some simple steps to better WordPress security:

WordPress security best practices

1. Passwords and User Permissions

The easiest way for hackers to attack your site is through your password. Password protection isn’t a complex science: make every password unique to your site, and make it strong.

Most novice users choose extremely weak passwords because they’re easier to remember. In fact, you can use a password manager and stop worrying about forgetting your passwords. A password manager will securely store all your passwords and can notify you when a hacking attempt takes place.

Another mistake WordPress site owners make is setting a strong password for the admin area but forgetting about all the other passwords: FTP accounts, the hosting account, the database, and email addresses.

Be careful not to give admin access to everyone. Even if the person is a team member, there are numerous ways to invite them to the WordPress dashboard other than disclosing the admin password.

2. Two-factor Authentication

While most users have got used to Google’s two-factor authentication, many remain unaware that the same option is available in WordPress. Two-factor authentication verifies your identity with two separate factors: something you know (your password) and something you have (for example, your phone).

In WordPress, you can set up two-factor authentication that uses your mobile device as an additional check at login. One easy way to set it up is the iThemes Security Pro plugin.

3. Regularly Change WordPress Salts

WordPress salts and keys are additional secrets for your site. They are stored in the wp-config.php file and are used to sign the cookies that identify each logged-in user or commenter, which is why they must stay secret and why changing them logs every user out.

For better protection, you can change the WordPress salts and keys periodically using iThemes Security Pro or a similar plugin.
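Rotating the salts is also a one-minute job without a plugin. The shell script below is an added example, not code from this article, from iThemes or from WordPress; it assumes the standard wp-config.php layout (`define( 'AUTH_KEY', '...' );` lines) and a POSIX system with /dev/urandom. The sample config it writes for the demo is constructed.

```shell
#!/bin/sh
# Rotate the eight WordPress keys and salts in wp-config.php.
# Added example for this article; not code from the article, iThemes or WordPress.
# Assumes the standard wp-config.php layout:  define( 'AUTH_KEY', '...' );
# Rotating them invalidates every existing login cookie, so all users are logged out.

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random characters from /dev/urandom, limited to an alphabet that is safe
# inside a single-quoted PHP string and inside the sed replacement below.
random_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
}

# Rewrite the value of one define() line. A temp file is used instead of
# sed -i because GNU and BSD sed disagree on its syntax.
set_define() {
    file=$1; name=$2; value=$3
    sed "s|^define( *'$name', *'[^']*' *);|define( '$name', '$value' );|" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Print the current value of one key/salt (empty if the line is missing).
get_define() {
    sed -n "s|^define( *'$2', *'\([^']*\)' *);.*|\1|p" "$1"
}

# Keep a copy of the original, then replace all eight values.
rotate_wp_salts() {
    file=$1
    cp "$file" "$file.bak"
    for name in $WP_SALT_NAMES; do
        set_define "$file" "$name" "$(random_salt)"
    done
}

# Return 0 only if every key/salt is present, at least 64 characters long and
# not the placeholder text WordPress ships with.
check_wp_salts() {
    file=$1
    for name in $WP_SALT_NAMES; do
        value=$(get_define "$file" "$name")
        [ "${#value}" -ge 64 ] || return 1
        case $value in *"put your unique phrase here"*) return 1 ;; esac
    done
    return 0
}

# Constructed sample wp-config.php fragment (placeholder salts) for a stand-alone run.
write_sample_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
EOF
}

# Usage: sh rotate-salts.sh /path/to/wp-config.php   (no argument: demo on a sample file)
if [ -n "${1:-}" ]; then
    rotate_wp_salts "$1" && check_wp_salts "$1" && echo "rotated: $1 (backup in $1.bak)"
else
    demo=$(mktemp -d)/wp-config.php
    write_sample_config "$demo"
    rotate_wp_salts "$demo"
    check_wp_salts "$demo" && echo "demo rotated: $demo"
fi
```

The check function is the useful part for audits: a wp-config.php that still carries the placeholder text, or short hand-typed values, fails it. Run the rotation during a quiet period, since every session is invalidated at once, and keep the .bak copy only until you have confirmed logins work.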

4. Keeping WordPress Updated

WordPress updates are crucial to the security of your site. There are two ways to install updates in WordPress: manually and automatically. Minor (maintenance and security) releases are usually installed by WordPress automatically; major releases you have to trigger manually.

Since WordPress isn’t only a website platform but also an ecosystem of plugins and themes, you need to make sure these components are updated regularly as well. Their developers release the updates, and WordPress will show you when one is available and ask whether you want to apply it.

5. Use Secure File Permissions

If your website files can be read and modified by everyone on the server, your site isn’t protected properly. How do you adjust file and directory permissions? Keep files between 400 and 444 and directories between 700 and 744.

Again, you can use security plugins to make the necessary changes. But if you keep using permission mode 777, you’re allowing any user on the server to read, modify and execute your files and folders.
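Here is the same audit and fix done from a shell, as an added example that is not part of the article and not a WordPress tool. It assumes POSIX find/chmod/ls and that you run it as the user that owns the site files. It defaults to the widely used 755/644 baseline and accepts the article's stricter values as arguments; the sample tree it builds for the demo is constructed.

```shell
#!/bin/sh
# Audit and tighten file permissions under a WordPress document root.
# Added example for this article; not code from the article or from WordPress.
# Assumes a POSIX find/chmod/ls; run it as the user that owns the site files.

# Symbolic mode string of one path, e.g. "-rw-r--r--" (ls works on GNU and BSD).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# List every path that is writable by "other" (the last 7 in 777, the last 6
# in 666). Returns 1 if anything was found, 0 if the tree is clean.
audit_world_writable() {
    found=$(find "$1" -perm -002)
    if [ -n "$found" ]; then
        printf 'world-writable:\n%s\n' "$found"
        return 1
    fi
    return 0
}

# Apply a baseline: every directory gets DIR_MODE, every file FILE_MODE, and
# wp-config.php (database credentials, salts) is locked to owner+group read.
# Defaults are the common 755/644. The article's stricter ranges (directories
# 700-744, files 400-444) only work when PHP runs as the file owner, because
# other users then cannot traverse or read the site at all.
harden_wp_permissions() {
    root=$1; dir_mode=${2:-755}; file_mode=${3:-644}
    find "$root" -type d -exec chmod "$dir_mode" {} +
    find "$root" -type f -exec chmod "$file_mode" {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 440 "$root/wp-config.php"
    fi
}

# Constructed sample tree mimicking a sloppy install (777 on uploads, 666 on wp-config).
make_sample_site() {
    mkdir -p "$1/wp-content/uploads"
    printf '<?php // constructed sample config\n' > "$1/wp-config.php"
    printf 'not really a jpeg' > "$1/wp-content/uploads/photo.jpg"
    chmod 777 "$1/wp-content/uploads" "$1/wp-content/uploads/photo.jpg"
    chmod 666 "$1/wp-config.php"
}

# Usage: sh harden-perms.sh /var/www/html [dir_mode] [file_mode]
#        (no argument: demo on a constructed sample tree)
if [ -n "${1:-}" ]; then
    harden_wp_permissions "$1" "${2:-}" "${3:-}" && audit_world_writable "$1" && echo "clean: $1"
else
    demo=$(mktemp -d)/site
    make_sample_site "$demo"
    audit_world_writable "$demo" || echo "(before hardening)"
    harden_wp_permissions "$demo"
    audit_world_writable "$demo" && echo "clean: $demo"
fi
```

The audit alone is worth scheduling: a path that turns up world-writable after you have hardened the tree usually means a plugin, an upload handler or a deploy script is loosening permissions again, and that is worth investigating before it is "fixed" a second time.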

6. Disable directory indexing and browsing

Directory browsing means the server displays the contents of a directory, including information about your plugins and themes, to the public. This happens when the server doesn’t find an index.php or index.html file in that directory and directory listings are enabled.

You can check whether directory browsing is enabled: create a text file in one of your site’s directories and then visit that directory in a web browser. If you can see a link to the text file, directory browsing is enabled. If you see a “Page not found” message instead, it is disabled.

So how do you disable directory browsing? Add the line “Options All -Indexes” to your .htaccess file, and also place a blank index.php file in the wp-content/themes and wp-content/plugins folders.

7. Enable Web Firewall

You can also raise the security level of your site by enabling a web firewall, which blocks malicious traffic before it reaches your site. A web application firewall (WAF) inspects HTTP/S traffic to and from a web application to protect against attempts to compromise the system or exfiltrate data.

8. Backup regularly

As with everything in life, prevention is the best medicine. Backups allow you to quickly restore your site when it gets hacked. They are easy to manage and can be scheduled to run automatically, so you don’t have to worry about them. Save all backups to a remote location, not your hosting account, so that if the hosting account is compromised you still have access to a backup.

You can easily back up your site using free or paid plugins. The most popular ones include VaultPress and BackupBuddy.
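If you would rather script it, the added example below makes a timestamped, checksummed archive of the site files plus an optional database dump, and refuses to restore an archive whose checksum no longer matches. It is not code from the article, VaultPress or BackupBuddy; it assumes a POSIX shell with tar and sha256sum or shasum, that the database dump has already been produced (for example with mysqldump), and it deliberately leaves the copy off the hosting account (scp, rsync, object storage) as a separate step. The site tree and dump used in the demo are constructed.

```shell
#!/bin/sh
# Make a verifiable, timestamped backup of a WordPress site's files (plus an
# optional database dump) and check it before trusting it.
# Added example for this article; not code from the article, VaultPress or
# BackupBuddy. Copying the archive off the hosting account is a separate step.

# SHA-256 of a file, using whichever tool the system has.
sha256_of() {
    if command -v sha256sum > /dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# backup_wp_site ROOT DEST [DB_DUMP.sql]
# Archives ROOT (e.g. /var/www/html) into DEST/wp-backup-<UTC stamp>.tar.gz,
# adds the database dump file if given, writes a .sha256 sidecar, and prints
# the archive path. The dump itself comes from mysqldump, run beforehand.
backup_wp_site() {
    root=$1; dest=$2; db_dump=${3:-}
    stamp=$(date -u +%Y%m%d-%H%M%S)
    archive="$dest/wp-backup-$stamp.tar.gz"
    mkdir -p "$dest"
    if [ -n "$db_dump" ]; then
        tar -czf "$archive" -C "$(dirname "$root")" "$(basename "$root")" \
            -C "$(dirname "$db_dump")" "$(basename "$db_dump")"
    else
        tar -czf "$archive" -C "$(dirname "$root")" "$(basename "$root")"
    fi
    sha256_of "$archive" > "$archive.sha256"
    echo "$archive"
}

# Return 0 only if the sidecar matches and the archive lists cleanly; a
# truncated upload or a tampered file fails here rather than at restore time.
verify_wp_backup() {
    archive=$1
    [ -f "$archive.sha256" ] || return 1
    [ "$(sha256_of "$archive")" = "$(cat "$archive.sha256")" ] || return 1
    tar -tzf "$archive" > /dev/null 2>&1
}

# restore_wp_backup ARCHIVE TARGET_DIR: verify first, then unpack.
restore_wp_backup() {
    verify_wp_backup "$1" || return 1
    mkdir -p "$2" && tar -xzf "$1" -C "$2"
}

# Usage: sh wp-backup.sh /var/www/html /backups [/backups/db.sql]
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    a=$(backup_wp_site "$1" "$2" "${3:-}") && verify_wp_backup "$a" && echo "ok: $a"
fi
```

Keep the .sha256 sidecar with the archive when you copy it off-site and run verify_wp_backup on the remote copy, not just the local one: a backup you have never restored from is only a hope, and the checksum is the cheapest way to find out that a transfer was cut short before you need it.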

Final Word

All the aforementioned methods help raise the security level of your site, but nobody can be completely certain when it comes to WordPress security. If a hacking attempt does succeed, it’s best to consult professionals. The major problem with a hacked website is that it remains vulnerable to follow-up attacks unless you close every backdoor the hackers installed.

Additionally, remember that keeping your site secure is a never-ending process. You should always stay aware of the best practices and latest updates. But once you make WordPress security a priority, you’ll have peace of mind.