WordPress - Things You Can Do To Avoid Being Hacked


This topic has been on my mind today after a friend of mine had their WordPress site hacked. It was not hosted here at WA, and luckily tech support was able to restore the site, but only after a bit of work. It's not something you want to go through.

With WordPress powering a massive 30+% of websites on the internet, hackers have gone out of their way to target WordPress sites these days. And while WA does a pretty good job securing your site, there are still a few additional measures you can take to further secure your website. In addition, there are folks here who don't have their websites hosted at WA who can benefit even more. Here are a few easy things that can be done to minimize the chance of your site(s) getting hacked.

  • Remove unused themes/plugins. A lot of us go through a myriad of free themes until we find one that satisfies our needs. What you may not know is that unless you delete all the themes you previously checked out, they are still hanging around and are a security risk. So a good best practice is to remove all those unused themes and only leave the ones you need. Usually you can get it down to one or two. To remove them, just click on Theme Details on each theme, and you will see a red Delete link in the lower right. Just click it and confirm. Do that for each theme you don't need. Do this for any plugins you do not need as well.
  • Keep your WordPress version updated, as well as all themes and plugins. I think that speaks for itself.
  • Disable Theme/Plugin Editor. If you have no need to use the theme editor or plugin editor disable the ability to edit them. You can do that by adding the line below to your wp-config.php through FTP. You can also request that Site Support do this for you if you aren't sure how to do it. BACKUP YOUR SITE before you make any changes like this.
define('DISALLOW_FILE_EDIT', true);
  • Weak passwords can be easily hacked and are often overlooked. WA is pretty good about strong passwords. But if you are not hosting at WA or if you have other users working on your site you might want to consider using a plugin like "Force Strong Passwords". This will force users to use complex passwords which are much harder to hack.
  • Use SSL Security. This is very easy here at WA, you simply turn it on for your websites via Websites-Site Manager. However, for those not hosting here at WA this may be something you need to add separately. Check with your hosting provider.
  • Limit login attempts. By default, WordPress allows unlimited retries for site logins, which makes your site vulnerable to brute-force attacks. You can use a simple lightweight plugin such as "Login LockDown" which will force WordPress to limit login attempts to a number of your choosing. Usually limiting login to 3 attempts is sufficient.
  • Add an additional layer of security. For Non-WA hosted sites ONLY. If your hosting provider does not include server level security features for WordPress, use a 2-factor authentication plugin like Wordfence, which also includes other security features such as malware protection. 2-Factor Authentication will require you to enter an additional unique piece of information in order to log in.
  • For NON-WA hosted sites ONLY. Protect wp-config.php. wp-config.php is one of the most sensitive files on your site. If hackers gain access to this file they can destroy your site. WA already protects this file. For Non-WA websites, check with your hosting provider if necessary. If you aren't sure if your wp-config.php is protected from outside access, you can add the lines below to the bottom of your .htaccess file via FTP. If you are not sure how to do this, have your site support do it for you.
<Files wp-config.php>
    Order Allow,Deny
    Deny from all
</Files>
  • Backup your site OFTEN. You should backup your website before making any major changes, and at any other point in time you wish, like after adding content, etc. I use UpdraftPlus. Even the free version is very flexible, and has many options as to where to store your backups. I use the free version and store them to my Google Drive. I set it to keep the last two backups only. That way I have backups that are not on my computer (should my PC crash), and they are stored in the cloud. You can set your options based on your needs.
  • There are other more technical things that can be done to prevent hacking, but I think this list is pretty comprehensive for most needs.
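To show what the "Limit login attempts" item above actually does under the hood, here is an added example written for this post; it is not code from the "Login LockDown" plugin or from WA. It assumes it is dropped into wp-content/mu-plugins/, uses the standard WordPress transient API, and keys the counter on the client address (assumption: the site is not behind a reverse proxy, where REMOTE_ADDR would be the proxy instead of the visitor).

```php
<?php
/*
 * Plugin Name: Simple Login Lockout (example)
 * Drop this file in wp-content/mu-plugins/ so it loads automatically.
 */
const SLL_MAX_ATTEMPTS    = 3;    // matches the "3 attempts" suggested above
const SLL_LOCKOUT_SECONDS = 900;  // 15-minute lockout window (assumed value)

// Transient key for the connecting client. Assumes no reverse proxy:
// behind one, REMOTE_ADDR is the proxy and a validated forwarded header is needed.
function sll_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'sll_' . md5( $ip );
}

// Count every failed login; the expiry is refreshed on each failure,
// so a client that keeps trying while locked out stays locked out.
function sll_record_failure( $username ) {
    $key   = sll_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, SLL_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'sll_record_failure' );

// Refuse the login once the limit is reached. Priority 30 runs after core's
// password check (priority 20); at a lower priority core would still accept
// a correct password and replace the WP_Error returned here with a WP_User.
function sll_check_lockout( $user, $username, $password ) {
    if ( '' === $username && '' === $password ) {
        return $user; // login form merely displayed, no attempt made yet
    }
    if ( (int) get_transient( sll_client_key() ) >= SLL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'sll_locked',
            'Too many failed login attempts. Please try again in 15 minutes.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'sll_check_lockout', 30, 3 );

// A successful login clears the counter for that client.
function sll_clear_counter( $user_login, $user ) {
    delete_transient( sll_client_key() );
}
add_action( 'wp_login', 'sll_clear_counter', 10, 2 );
```

Because the counter is keyed on the client address, several people logging in from behind the same office or home router share one counter and can lock each other out; a plugin like the one named above handles this with per-user options as well.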

    Cheers,

    Michael


    Recent Comments


    Excellent advice, thank you! I found out about the unused plugins and themes thing during a test of my site and am currently going through all the ones I was keeping around to 'try later'. I decided to do it now. Two days later, I'm still testing different plugins to find the ones that don't slow down my site and I've got my butt in gear to change my theme now too.

    But thanks for the rest of the advice!
