WordPress is the most popular blogging and CMS system on the Internet which makes it a target for hackers. Having a WordPress site means that you have to take some extra efforts in order to protect your and your user's data. Here is a summary of the best practices for securing a WordPress, that will help you do that. It is important to mention that these measures don't guarantee a 100% protection against hacking attempts, mostly because a 100% secure website doesn't exist, but they will protect you against the majority of attacks.

 

Step 1)  Keep your WordPress site and plugins up-to-date

In most cases, WordPress blogs are compromised because their core files and/or plugin are outdated; outdated files are traceable and it’s an open invitation to hackers. Everything is working just fine, why should I touch plugins? Easy Updates Manager — WordPress Plugin Can be a good place to start as non-native Upgrade.

The same reason you’d updating any other software — even more so with themes and plugins — because they don’t necessarily go through the same vetting and testing as WordPress core.  

Step 2)   Protect your WordPress Admin Area

It is important to restrict the access to your WordPress admin area only to people that actually need access to it. If your site does not support registration or front-end content creation, your visitors should not be able to access your /wp-admin/ folder or the wp-login.php file. The best you can do is to get our home IP address (you can use a site like whatismyip.com for that) and add these lines to the .htaccess file in your WordPress admin folder replacing xx.xx.xx.xxx with your IP address.

 # ----------- YOU MUST HAVE   ------------ #

<Files wp-login.php>
order deny,allow
Deny from all
Allow from xx.xx.xx.xxx

</Files>

# ----------- Recommended as follows to /wp-admin directory  ------------ #

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic

<LIMIT GET>
order deny,allow
deny from all
# whitelist Syed's IP address
allow from xx.xx.xx.xxx
# whitelist ripon's IP address
allow from xx.xx.xx.xxx
# whitelist  alam's IP address
allow from xx.xx.xx.xxx
# whitelist abdul's IP address
allow from xx.xx.xx.xxx
# whitelist Work IP address
allow from xx.xx.xx.xxx
</LIMIT>

In case you want to allow access to multiple computers (like your office, home PC, laptop, etc.), simply add another Allow from xx.xxx.xxx.xxx statement on a new line.

If you want to be able to access your admin area from any IP address (for example, if you often rely on free Wi-Fi networks) restricting your admin area to a single IP address or too few IPs can be inconvenient. In such cases, we recommend that you limit the number of incorrect login attempt to your site. This way you will protect your WordPress site from brute-force attacks and people trying to guess your password. For such purposes, you can use a nice little plugin called Limit login attempts.

 

Step 3) Never use “admin” as your username

 

Earlier this year, there was a spate of brute-force attacks launched at WordPress websites across the web, consisting of repeated login attempts using the username ‘admin’, combined with a bunch of common passwords.

If you use “admin” as your username, and your password isn’t strong enough (see #3), then your site is very vulnerable to a malicious attack. It’s strongly recommended that you change your username to something less obvious.

Until version 3.0, installing WordPress automatically created a user with “admin” as the username. This was updated in version 3.0 so you can now choose your own username. Many people still use “admin” as it’s become the standard, and it’s easy to remember. Some web hosts also use auto-install scripts that still set up an ‘admin’ username by default.

Fixing this is simply a case of creating a new administrator account for yourself using a different username, logging in as that new user and deleting the original “admin” account.

If you have posts published by the “admin” account, when you delete it, you can assign all the existing posts to your new user account.

 

Step 4) Prevent direct access to PHP files : 

When WordPress loads it looks for all currently active plugins and loads the appropriate file from each active plugin’s directory. Because these PHP files are most likely located within the web server’s document root (ex: /srv/www/yourgroovydomain.com/wp-content/plugins/my-plugin/my-plugin.php with yourgroovydomain.com being the root directory), anyone can access them from a web browser or other program by going to http://yourgroovydomain.com/wp-content/plugins/my-plugin/my-plugin.php. This is bad.

We must account for the possibility that attackers may exploit this to harm our user’s website or their hosting provider’s server. Preventing this is very easy and should be the absolute first thing you add to the top of your PHP files — before any other code is executed.

We want to prevent public access to this file but still allow WordPress to load the file internally. The most common solution is to check for the existence of the ABSPATH constant defined by WordPress when your site is loaded. If the constant exists, then WordPress is requesting access to load this file. If the constant does not exist, someone is trying to directly access this file and we want to stop them immediately.

<?php defined( 'ABSPATH' ) or die();

 

Step 5 ) Consider two-factor authentication

Enabling two-factor authentication for your WordPress website will significantly improve the security of your website. One of the easiest ways to do this is to use Clef to authenticate using your mobile phone.  Find Clef Two-Factor Authentication or any other good plugin for two-factor authentication. Clef is a free replacement for usernames and passwords that makes logging into your WordPress site easier and more secure.

 

Step 6 ) Update or rename and Delete some .php files 

We would highly recommend you to take meaningful steps to the following. php pages aligned with your business objectives.

• Be sure to delete /wp-admin/install.php and /wp-admin/upgrade.php after every WordPress installation or upgrade. 
• Rename WordPress login file wp-login.php to wp-login.php.backup if you want nobody/user can login to your website. The wp-login.php is the only file within the WordPress core that handles the WordPress user sign-on process. Therefore, without direct access to that file, no-one can log into your WordPress sites.
• You may consider using a security service such as Sucuri, to run periodic scans on your website.
• Delete Inactive Themes what is not currently in use.
• How to Password Protect Your WordPress Admin (wp-admin) Directory. You can do by going to cPanel -> Password Protect Directories -> Fine wp-admin directory -> Give name and save with username and password. 

Furthermore, If your computer is infected with a virus or a malware software, a potential attacker can gain access to your login details and make a valid login to your site bypassing all the measures you've taken before. This is why it is very important to have an up-to-date antivirus program and keep the overall security of all computers you use to access your WordPress site on a high level.

 

Step 7) Disable file editing via the dashboard

 In a default WordPress installation, you can navigate to Appearance > Editor and edit any of your theme files right in the dashboard.

The trouble is, if a hacker managed to gain access to your admin panel, they could also edit your files that way, and execute whatever code they wanted to.

So it’s a good idea to disable this method of file editing, by adding the following to your wp-config.php file:

define( ‘DISALLOW_FILE_EDIT’, true);
define('DISALLOW_FILE_MODS',true);

Rename Your WordPress WP-Content Directory.  Click Here to know how to change the directory. You can put any of these directories under version control separately if you want to. In order for WordPress to use your new WordPress directory, you can just need to point the WP_CONTENT_DIR and WP_CONTENT_URL constants to it:  

Something like below : 

define( 'WP_CONTENT_DIR', dirname( __FILE__ ) . 'path/to/wp-content' );
define( 'WP_CONTENT_URL', 'http://' . $_SERVER['HTTP_HOST'] . '/path/to/wp-content' );

 

To ensure maximum compatibility with properly coded plugins, be sure to set both the WP_PLUGIN_DIR and WP_PLUGIN_URL constant. WP_PLUGIN_DIR is the path relative to wp-config’s location and WP_PLUGIN_URL is the full URL, http:// and all, of the directory’s location. You can either hardcode your site’s address, or use $_SERVER[‘HTTP_HOST’] to set it programmatically.

Something like below : 

define( 'WP_PLUGIN_DIR', dirname(__FILE__) . '/path/to/plugins' );
define( 'WP_PLUGIN_URL', 'http://' . $_SERVER['HTTP_HOST'] . '/path/to/plugins' ); 

 

Step 8)  Secure your WordPress through .htaccess  

.htacess is a configuration file that allows you to override your server’s global settings for the directory that it’s in, by limiting file access. There are several ways of making your WordPress secure (using WordPress best practices, security plugins, content delivery networks…) and configuring your .htaccess is just one of them, the one that belongs to the domain of prevention. 

WordPress best practices suggest you protect your wp-config.php file and you can do that by adding:

<files wp-config.php>
order allow,deny
deny from all
</files>

# Prevent any directory browsing:
Options All -Indexes

# Adding this to your .htaccess will prevent hotlinking from happening:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?YourDomain [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

# Protect the .htaccess Itself

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

Protect /wp-content Directory

WordPress holds all your media files in here and they’re an asset you want search engines to crawl. But, “/wp-content” is a place where your themes and plugins reside, too. You don’t want to allow access to those sensitive .php files.

In order to work you need to create a separate .htaccess file (just use your FTP client and create a file with no name and give it an “.htaccess” extension) and put it in your /wp-content directory. This code will allow access to images, CSS, java-script and XML files, but deny it for any other type.

order deny,allow
deny from all
<files ~ ".(xml|css|jpe?g|png|gif|js)$">
allow from all
</files>

That’s it. Your WordPress website should be a lot safer place now. There’s just one last thing we should do and that’s protecting the .htaccess file(s).

 

Step 8)  Try to avoid free themes.

We’re confident in the quality and security of our free themes. As a general rule though, it’s better to avoid using free themes, if possible, especially if they aren’t built by a reputable developer.

The main reason for this is that free themes can often contain things like base64 encoding, which may be used to sneakily insert spam links into your site, or other malicious code that can cause all sorts of problems, as shown in this experiment, where 8 out of 10 sites reviewed offered free themes containing base64 code.

If you really need to use a free theme, you should only use those developed by trusted theme companies, or those available on the official WordPress.org theme repository.

Note: The same logic applies to plugins. Only use plugins that are listed on WordPress.org, or built by a well-established developer. 

 

Step 9)  Keep a backup

I can’t overemphasize the importance of making regular backups of your website. This is something that many people put off until it’s too late.

Even with the best security measures at your disposal, you never know when something unexpected could happen that might leave your site open to an attack.

If that happens you want to make sure all of your content is safely backed up, so that you can easily restore your site to its former glory.

The WordPress Codex tells you exactly how to back up your site, and if that seems like too much hard work, you can use a plugin such as WordPress Backup to Dropbox to schedule regular automatic backups.

 

10. Download Few Important Files :

• Download  .htaccess file attached from this post below. 
• Download  robots.txt file attached from this post below. 
• Download  wp-config.php.txt file attached from this post below. Open the file wp-config.php.txt to copy everything and past under your wp-config.php file JUST Above the below line : 
  
  
  • require_once(ABSPATH . 'wp-settings.php'); 

11. Use security plugins

As well as all of the measures above, there are tons of plugins you can use to tighten your site’s security and reduce the likelihood of being hacked.

Here are a handful of popular options:

• http://wordpress.org/plugins/better-wp-security/ – offers a wide range of security features.
• http://wordpress.org/plugins/bulletproof-security/ – protects your site via .htaccess.
• http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ – adds a firewall to your site.
• http://wordpress.org/plugins/sucuri-scanner/ – scans your site for malware etc.
• http://wordpress.org/plugins/wordfence/ – full-featured security plugin.
• http://wordpress.org/plugins/websitedefender-wordpress-security/ – comprehensive security tool.
• http://wordpress.org/plugins/exploit-scanner/ – searches your database for any suspicious code.

Further resources

To learn more about hardening your website’s security, please check out these two resources:

http://codex.wordpress.org/Hardening_WordPress

http://wp.tutsplus.com/tutorials/11-quick-tips-securing-your-wordpress-site

We also recommend Sucuri.net if you are unsure about this topic. Sucuri can help monitor your site, alert you of suspicious activity and even help clean up your site in the case of a malware attack.

Do you need More Tips? 

As a part of improving our service excellence, we want to keep our customer site secure as much as possible. Therefore, Please Click Here we have more tips for better security.   

Don’t panic!

This may all sound pretty intimidating, especially if you’re a beginner. I’d like to point out that it’s not intended to scare anyone, it’s just important to discuss the topic of security regularly, as we want to make sure you stay one step ahead of the hackers!

If you’re not technically skilled enough to do everything on this list (although it certainly wouldn’t hurt). Eicra Support team is here to assist you as much as you need in the journey. Please contact with our support team to assist or Open a Support Ticket to get help from our security experts.