I am not sure what the exact numbers are today, but just a couple of years ago it was said that WordPress powered over 60 million websites, with 100,000 more popping up each day. The only thing I know is that these numbers didn’t decrease. WordPress is a robust, flexible, 100 percent free platform for building all types of websites – personal, e-store, magazine – anything. Because the code is available to everyone and because so many people use it, WordPress has become an attractive target for hackers.
Fortunately, with such a huge community, WordPress doesn’t leave any issues unresolved for very long. However, this doesn’t mean you shouldn’t educate yourself and take appropriate steps to secure your WordPress.
There are so many ways to harden your WordPress, and I will admit that I am not taking advantage of them all, but here are just a few simple steps you can take today to significantly reduce your chances of being hacked. They are something I tried and found very easy to implement.
Before you begin, back up your .htaccess and wp-config.php files and save them somewhere safe. You are going to make changes to these important files, and while you will probably be fine, keep the original copies just in case anything goes wrong. It could be as simple as deleting a character without realizing it, and voilà – your entire site displays a server error. Don’t blame me in that case, okay? By itself none of this does anything bad to your site, only good. But you might miss something without realizing it, or have some special configuration I can’t know about. Back up your files and save a copy of this post for future reference.
Deny access to wp-config.php
One of the first things you want to secure is wp-config.php. It contains sensitive information such as your database username and password.
Open your .htaccess file and paste this at the very top (before anything):
<files wp-config.php>
order allow,deny
deny from all
</files>
Some suggest excluding your own IP, but the official WordPress recommendation seems to be this particular code, as mentioned here, so that’s what I am currently doing.
Protect your wp-includes files
Following the recommendations of the same source here, I protect the include-only files under wp-includes by placing this code in my .htaccess:
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
Prohibit Directory Views
If you aren’t friends with your cPanel, you might not be aware that your site consists of multiple folders. Unless each of these folders contains its own index.html or index.php, you (or anyone, for that matter) can navigate there and see your file structure. It would look like this:
This is dangerous. I used to create an index.html with clever messages to hackers in each folder, but recently I learned that you can simply add
to your .htaccess and have it fixed all at once.
Disable Theme and Plugin Editors
WordPress allows admins to edit PHP files, which might be handy when you want to edit theme files or plugins. Unfortunately, this comes at a price by making your website vulnerable to hackers, as it’s the first tool attackers will typically use (according to the WordPress Codex here).
You can disable the editors by adding this line to your wp-config.php:
Protect your install.php
install.php is located in your wp-admin folder. Generally, once the installation is done you don’t need it anymore, but it’s still there unless you delete it, of course. In some cases, if your database fails, this file might “assume” there is no WordPress installation on your site and load the installation wizard. This would allow anyone to create a new installation with an admin account on your domain. There are a number of things you could do to protect yourself from this, including simply deleting the file. I personally chose to add this to my .htaccess:
# PROTECT install.php
<Files install.php>
Order Allow,Deny
Deny from all
Satisfy all
</Files>
You can learn more about other solutions for install.php here.
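To check that the steps above actually ended up in your files, here is an added example (not code from this post or from WordPress): a small Python audit that reads the text of an .htaccess and a wp-config.php and reports which of the five protections are present. The two sample files embedded in it are constructed for the example and assume a hypothetical site; Options -Indexes is the Apache directive that disables directory listing and DISALLOW_FILE_EDIT is the WordPress constant that disables the theme and plugin editors, neither of which is quoted on this page.

```python
"""Audit a WordPress .htaccess and wp-config.php for the hardening steps in this post.

Added example, not code from the post or from WordPress. It only inspects file
contents; it does not talk to a web server.
"""
import re

# Constructed sample .htaccess for a hypothetical site that applies every step.
SAMPLE_HTACCESS = r"""
<files wp-config.php>
order allow,deny
deny from all
</files>

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# Prohibit directory views (Apache directive; assumed here, the post omits it)
Options -Indexes

# PROTECT install.php
<Files install.php>
Order Allow,Deny
Deny from all
Satisfy all
</Files>
"""

# Constructed sample wp-config.php with the editors disabled.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('DB_USER', 'example_user');
define('DB_PASSWORD', 'example_password');
// WordPress constant that disables the theme/plugin editors (assumed, the post omits it)
define('DISALLOW_FILE_EDIT', true);
"""

# Constructed "before" files: a default WordPress rewrite block and no hardening.
UNHARDENED_HTACCESS = r"""
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
"""
UNHARDENED_WP_CONFIG = "<?php\ndefine('DB_NAME', 'example_db');\n"


def file_block_denies(htaccess, filename):
    """True if a <Files filename> container (any case) contains 'deny from all'."""
    block = re.compile(r"<files\s+" + re.escape(filename) + r"\s*>(.*?)</files>",
                       re.IGNORECASE | re.DOTALL)
    for match in block.finditer(htaccess):
        if re.search(r"^\s*deny\s+from\s+all\s*$", match.group(1),
                     re.IGNORECASE | re.MULTILINE):
            return True
    return False


def includes_blocked(htaccess):
    """True if rewriting is on and at least one wp-includes rule returns Forbidden."""
    engine_on = re.search(r"^\s*RewriteEngine\s+On\b", htaccess, re.IGNORECASE | re.MULTILINE)
    rule = re.search(r"^\s*RewriteRule\s+\^wp-includes/\S*\s+-\s+\[F,L\]",
                     htaccess, re.IGNORECASE | re.MULTILINE)
    return bool(engine_on and rule)


def directory_listing_disabled(htaccess):
    """True if the last Options line mentioning Indexes turns it off (later lines win)."""
    state = None
    for line in htaccess.splitlines():
        match = re.match(r"\s*options\s+(.*)$", line, re.IGNORECASE)
        if not match:
            continue
        for token in match.group(1).split():
            if token.lower() == "-indexes":
                state = True
            elif token.lower() in ("+indexes", "indexes"):
                state = False
    return state is True


def editor_disabled(wp_config):
    """True if wp-config.php defines DISALLOW_FILE_EDIT as true."""
    match = re.search(r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*(true|false)\s*\)",
                      wp_config, re.IGNORECASE)
    return bool(match and match.group(1).lower() == "true")


def audit(htaccess, wp_config):
    """Map each hardening step from the post to whether the files implement it."""
    return {
        "wp-config.php denied": file_block_denies(htaccess, "wp-config.php"),
        "wp-includes blocked": includes_blocked(htaccess),
        "directory listing disabled": directory_listing_disabled(htaccess),
        "editors disabled": editor_disabled(wp_config),
        "install.php denied": file_block_denies(htaccess, "install.php"),
    }


def missing_steps(htaccess, wp_config):
    """Names of the steps that are not in place."""
    return [name for name, ok in audit(htaccess, wp_config).items() if not ok]


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_HTACCESS, SAMPLE_WP_CONFIG).items():
        print(("OK   " if ok else "MISS ") + name)
    print("Unhardened site is missing:", missing_steps(UNHARDENED_HTACCESS, UNHARDENED_WP_CONFIG))
```

To run it against a real site, read the two files from disk and pass their contents to audit(); the checks are deliberately literal (they look for the exact directives this post uses), so a site protected by other means, for example by a server-level configuration outside .htaccess, will show up as missing even though it is covered.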
Last but not least, always keep your WordPress installation and all plugins and themes up to date. Install only necessary plugins and get rid of anything you don’t use. Some things can be done without plugins by working with raw code. For example, Google Analytics can be inserted right into the template. Automatic database backups can be set up using cron jobs. If you have sufficient skills for this, consider doing it yourself.
Obviously, there are many more ways to secure your WordPress, but even if you implement only these simple steps you will be much more secure than before.