According to the latest statistics, WordPress is currently used by more than 34% of all websites in the world (about 1,695,657,191 websites, according to InternetLiveStats figures for 2019). That alone shows how popular WordPress is.
The WordPress platform itself is well built and secure, but it can still be hacked, because no system is completely secure. However, most bugs in the WordPress core are fixed very quickly, so hacked sites mostly result from poor WordPress security practices on the part of users.
To help you reduce the risk of attacks and secure WordPress better, below I will share some tips for protecting your WordPress website.
1. Admin account should not be set to “admin” or “root”
From the very beginning, when you create a WordPress site and name the admin account, you should not use admin, administrator, root, etc. These are very common names, and hackers can use a brute-force attack against the login page to guess the password for them.
If your site's account is managed this insecurely, change it now. There are 2 ways to do so:
- Create an account with a new username and give it the highest (administrator) rights. Then log in with the new account and delete the account with the old admin username (see: instructions for creating a new account in WordPress).
- If you know database administration, log into phpMyAdmin, find the wp_users table and, in the user_login column, change the value admin to the new username.
2. Set complex passwords, difficult to guess
Just like the username, a password that is too easy is quickly found by hackers. When choosing a password, avoid your date of birth, phone number, ID card number, etc. A safe password includes uppercase and lowercase letters, numbers and special characters.
In addition, the password needs a certain length (about 8-12 characters). Personally, I use the LastPass password manager to generate and store passwords, so I usually create a password about 30 characters long, save it in LastPass, and never have to remember it or worry about forgetting it.
3. Update WordPress, themes, plugins to the latest version
New versions of WordPress, themes or plugins usually contain bug fixes or new features, so whenever you see an update notification, check the changelog to see what has changed.
If you see that an update is a bug fix, back up the site and update to the new version immediately to avoid the risk.
A backup is needed because an update may be a feature upgrade, and incompatible themes and plugins can then break the site. The backup lets you restore the previous version while you take the time to find and fix the error.
4. Backup web data regularly
As mentioned above, you need a backup not only before an update but before anything that touches the site's source. The data to back up is usually the database and the web code.
Backups need to be done regularly (daily or weekly). You can back up manually or automatically, but to save effort you should set up an automatic backup system.
If you run WordPress on shared hosting, refer to the guide on automatic backups to another server, or to Google Drive or Dropbox.
And if you run the site on a VPS, don't worry: I have a tutorial on backing up a VPS to Google Drive on my blog. Just read and follow the instructions.
5. Do not use nulled plugins and themes
Nulled plugins and themes are copyrighted (paid) plugins and themes that have been cracked and shared on free download sites.
Remember, “nothing is free”: when you download such themes and plugins, you will almost certainly receive “gifts” attached to them. These gifts can be malicious code or backlinks that the person sharing them injects into your website.
If it is a backlink, it can hurt your website's SEO; worse, if it contains malicious code, sooner or later hackers will attack your site.
6. Secure WordPress with 2-step verification
Two-layer security is now used for many kinds of accounts, such as Google and Facebook accounts. It gives your site one more layer of protection in case someone gets hold of the admin username and password for your site.
To set up 2-layer protection for WordPress, just follow the instructions in the 2-step verification setup guide for WordPress on my blog.
In addition, I also have a tutorial on restricting WordPress admin access by IP address, so that only authorized IP addresses can log into the WordPress admin page.
7. Choose a reputable and quality hosting provider
If you are using a VPS I won't say much, because a VPS is configured and managed by you. But if you use shared hosting (see: What is hosting), choosing a reputable, quality provider greatly affects the protection of your WordPress site.
If you choose a poor-quality provider, you may lose data through the provider's own fault. In addition, shared hosting accounts sit on the same server, so when one website on that server is attacked, the others are also at risk of being attacked via a local attack.
In my experience, you should choose a hosting provider that uses CloudLinux OS. With this system, each shared hosting account gets its own isolated virtual file system, so it is not affected when other websites on the system are attacked.
Currently I usually use hosting from Hawkhost, Stablehost or AZDIGI.
8. Secure hosting administration information
After buying hosting from a reputable provider, the next important thing is to keep the hosting account information secure.
Hosting credentials are usually sent by email. You need to protect that information from being stolen, because the hosting is where the site's source is stored, and once the hosting information is revealed, all other security work becomes meaningless.
To keep the hosting account secure, change the login password regularly to a complex, hard-to-guess one. In addition, if your hosting supports it, turn on 2-step verification to further protect the account.
9. Disable the function of editing plugin and theme files in admin
This helps keep your website from being tampered with when someone gains access to the admin area.
Some fairly sophisticated hackers will insert malicious code into the plugin and theme files on your site.
So the solution is to turn off the file editing function in WordPress Admin. With it disabled, if you want to edit a file you must go through FTP or the hosting File Manager.
Turning off plugin and theme editing is very simple: you only need to insert the following code at the end of the wp-config.php file and save it.
10. Block new installation and update themes, plugins
This somewhat conflicts with tip 3 above, but don't rush: let me explain.
Blocking the installation of new themes and plugins also blocks their update notifications, so you cannot update themes or plugins (WordPress core updates will still be notified).
Just as with file editing, if you don't block new theme and plugin installs, a hacker who gains an administrator account can install a new plugin or theme that contains malicious code. So to be safe, turn off plugin and theme installation.
Insert the code below at the end of the wp-config.php file to block installing new plugins and themes.
Note: Because of this block, you will not receive notifications of plugin and theme updates. So from time to time, open wp-config.php, change the value to false, save, and go to the admin page to check whether any plugins or themes have updates; update them, then change the value back to the old setting to block installation of new plugins and themes again.
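As an added example (not code from the original post), the shell script below writes the two wp-config.php constants that tips 9 and 10 rely on, DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS, placing them above the line that loads wp-settings.php so WordPress sees them at startup, and flips DISALLOW_FILE_MODS to false and back for the update routine described in the note. It assumes a standard wp-config.php that contains the usual require_once of wp-settings.php; the sample config it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently add the two
# wp-config.php constants that disable the admin file editor (tip 9) and
# block plugin/theme installs and updates (tip 10), and flip the second
# one when you temporarily need updates. Assumes a standard wp-config.php
# that contains the usual wp-settings.php require line.
set -eu

# Insert "define('NAME', VALUE);" above the wp-settings.php require line,
# or rewrite the value in place if the constant is already defined.
wp_define() {
  file=$1; name=$2; value=$3
  if grep -q "define( *'$name'" "$file"; then
    sed -i.bak "s/define( *'$name', *[a-z]*)/define('$name', $value)/" "$file"
    rm -f "$file.bak"
  else
    awk -v line="define('$name', $value);" \
      '/wp-settings\.php/ && !done { print line; done=1 } { print }' \
      "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  fi
}

harden_wp_config() {
  wp_define "$1" DISALLOW_FILE_EDIT true   # tip 9: no Theme/Plugin Editor
  wp_define "$1" DISALLOW_FILE_MODS true   # tip 10: no installs/updates
}

# Tip 10 note: set DISALLOW_FILE_MODS to false while you update, then back.
allow_updates() { wp_define "$1" DISALLOW_FILE_MODS false; }
block_updates() { wp_define "$1" DISALLOW_FILE_MODS true; }

# Report the current value of a constant: "true", "false" or "unset".
wp_const_value() {
  sed -n "s/.*define( *'$2', *\([a-z]*\) *).*/\1/p" "$1" | head -n 1 | grep . || echo unset
}

# Constructed minimal wp-config.php for a stand-alone run.
write_sample_config() {
  cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) { define( 'ABSPATH', __DIR__ . '/' ); }
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Stand-alone demo on a temporary copy.
demo=$(mktemp -d); write_sample_config "$demo/wp-config.php"
harden_wp_config "$demo/wp-config.php"; cat "$demo/wp-config.php"; rm -rf "$demo"
```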
11. Set safe CHMOD permissions for files and folders
Proper permissions on the folders and files on your hosting are essential for the safety of the site. They limit attacks on the web source such as reading sensitive information or creating extra files in web directories (see: Basic knowledge of CHMOD).
Safe CHMOD settings for your website are as follows:
Safe CHMOD for folders
Usually, WordPress directories uploaded to hosting with the default CHMOD of 755 will work well.
However, to tighten security, I recommend CHMOD 700 for 2 folders, wp-includes among them. A CHMOD of 700 means only the owner who created the directory (you) can read, write and access it; no one else is granted any rights.
Note: With CHMOD 700 on the folders above, if a later WordPress update fails, change the CHMOD to 755 and then update manually. For me there has never been an error, so I still keep CHMOD at 700.
Safe CHMOD for files
Files are usually CHMOD 644, which lets the site work normally. However, my advice is that some sensitive files like wp-config.php should be CHMOD 600 or 400.
Here, 600 allows only the owner to read and write, while 400 allows the owner only to read the file. Other users are granted no permissions at all.
For me, wp-config.php is always CHMOD 400.
However, when installing some plugins such as the cache plugins WP Rocket, WP Super Cache, W3 Total Cache, etc., they need write permission on wp-config.php. You will have to CHMOD it to 644 to install the plugin and then CHMOD it back to 400.
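Added example, not from the original post: a POSIX shell script that applies the permission scheme of this tip to a WordPress root (755 for directories, 644 for files, 700 for wp-includes, 400 for wp-config.php), audits a tree against it, and unlocks and relocks wp-config.php for a plugin that must write to it. It assumes it runs as the owner of the files (the hosting account user), and the miniature tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): apply the permission scheme
# from tip 11 to a WordPress root, and relax/restore wp-config.php when a
# plugin such as a cache plugin needs to write to it. Assumes the script
# runs as the owner of the files (the hosting account user).
set -eu

# Print a file's octal mode; GNU stat first, BSD stat as fallback.
mode_of() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Directories 755, files 644, wp-includes 700, wp-config.php 400.
harden_perms() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  [ -d "$root/wp-includes" ] && chmod 700 "$root/wp-includes"
  [ -f "$root/wp-config.php" ] && chmod 400 "$root/wp-config.php"
  return 0
}

# Temporarily let a plugin write wp-config.php (tip 11 note), then lock it.
unlock_config() { chmod 644 "$1/wp-config.php"; }
lock_config()   { chmod 400 "$1/wp-config.php"; }

# Audit: print the path of every entry that does not match the scheme,
# so no output means the tree is as tip 11 describes.
audit_perms() {
  root=$1
  find "$root" -type d ! -path "$root/wp-includes" ! -perm 755 -print
  find "$root" -type f ! -path "$root/wp-config.php" ! -perm 644 -print
  [ "$(mode_of "$root/wp-includes")" = 700 ] || echo "$root/wp-includes"
  case "$(mode_of "$root/wp-config.php")" in
    400|600) ;;
    *) echo "$root/wp-config.php" ;;
  esac
}

# Constructed miniature WordPress tree for a stand-alone run.
make_sample_tree() {
  mkdir -p "$1/wp-includes" "$1/wp-content/uploads"
  : > "$1/wp-config.php"; : > "$1/index.php"; : > "$1/wp-includes/version.php"
  chmod 777 "$1/wp-content/uploads" "$1/wp-config.php"   # deliberately loose
}

# Stand-alone demo: show what is wrong, fix it, show nothing is left.
demo=$(mktemp -d); make_sample_tree "$demo"
echo "before:"; audit_perms "$demo"; harden_perms "$demo"
echo "after:"; audit_perms "$demo"; rm -rf "$demo"
```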
12. Delete backup files, .zip files on hosting
This is something people often overlook when backing up source code or moving a site from other hosting to new hosting and uploading the web code.
Often the backup files are named something like public_html.zip, or another easy-to-guess name related to the site, and placed right in the public web directory.
If you do this, test it by typing https://domain.com/public_html.zip: if you can download the .zip file, so can hackers. They can scan for and download that file, and then they know the entire structure and all the information about your web source. With that, they can access your website and do whatever they want.
The advice is: when moving hosting or uploading web code, delete the .zip, .gz, etc. files or move them somewhere safe. For web backups, store them in a safe folder or, better, upload them to Google Drive, OneDrive, etc. and then delete the file on the hosting.
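Added example, not from the original post: a shell script that finds archive and database dump files left inside a web root, shows the URL each would have under the site address, and moves them into a directory outside the web root while keeping their relative paths so a later restore is unambiguous. The public_html and backups directory names and https://example.com are assumptions for the demo, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): locate archives and database
# dumps left inside a web root (tip 12) and move them outside it. The
# directory names and the site URL used in the demo are assumptions.
set -eu

# List archives and dumps under the web root, one path per line, sorted.
find_exposed_archives() {
  find "$1" -type f \( -name '*.zip' -o -name '*.tar' -o -name '*.tar.gz' \
    -o -name '*.tgz' -o -name '*.gz' -o -name '*.sql' -o -name '*.sql.gz' \) \
    -print | sort
}

# Show the URL each exposed file would have under the given site address,
# i.e. what anyone guessing the name could download.
exposed_urls() {
  find_exposed_archives "$1" | while IFS= read -r f; do
    echo "$2/${f#"$1"/}"
  done
}

# Move every such file out of the web root into $2 (created if missing),
# keeping the relative path so restores stay unambiguous.
move_archives_out() {
  webroot=$1; safe=$2
  mkdir -p "$safe"
  find_exposed_archives "$webroot" | while IFS= read -r f; do
    rel=${f#"$webroot"/}
    mkdir -p "$safe/$(dirname "$rel")"
    mv "$f" "$safe/$rel"
  done
}

# Constructed sample web root: two stray files and one legitimate file.
make_sample_webroot() {
  mkdir -p "$1/wp-content/uploads/2019"
  : > "$1/public_html.zip"
  : > "$1/wp-content/uploads/2019/backup.sql"
  : > "$1/index.php"
}

# Stand-alone demo in a temporary directory.
demo=$(mktemp -d); make_sample_webroot "$demo/public_html"
echo "exposed:"; exposed_urls "$demo/public_html" https://example.com
move_archives_out "$demo/public_html" "$demo/backups"
echo "left in web root:"; find_exposed_archives "$demo/public_html"; rm -rf "$demo"
```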
13. Install security plugin for WordPress
If you are not a security expert, WordPress still gives you great plugins that help protect the site.
There are many free and paid plugins that enhance WordPress security. Here I introduce just the 2 plugins used by the most users, which are also the ones with the most security functions.
Wordfence Security – Firewall & Malware Scan plugin
The Wordfence Security plugin is developed by a team of WordPress security experts.
Wordfence Security offers many security solutions for WordPress websites, such as:
- A firewall to block attacks and malicious traffic.
- Scanning for and warning about malicious code and malware on the site.
- A login CAPTCHA to keep bots from logging in.
- Repairing altered files by restoring the original files.
- Checking for and warning about security holes on your site.
The free version has many more features, and there is also a paid version with many advanced features.
However, the premium version of Wordfence Security is quite expensive. In my opinion, you should use the free version, or buy the premium version of the iThemes Security plugin, which I discuss below.
iThemes Security plugin
iThemes Security is widely used in its free version, and the paid iThemes Security Pro version is the first choice for many, because the plugin has a reasonable price.
iThemes Security offers the following security features to help you feel more secure about your site:
- Brute Force Attack Protection: limit the number of failed logins and block the offending IP address.
- Scan the website and immediately alert you to existing vulnerabilities and malware.
- Enhance server security.
- Require strong passwords and prompt for a password change after a set period.
- Disable file editing in the admin page.
- Detect and block database attacks.
- Change the admin login path.
- Temporarily turn off the ability to log in.
- Change the table prefix in the database.
- Detect 404 errors on the site that affect SEO.
- Detect file changes and alert you if hacked.
- Automatically back up the database.
In addition, the paid version has many other functions that I cannot list here.
In general, among security plugins, iThemes Security is always the first choice for webmasters.
Bonus: If, unfortunately, your website has already been hacked, the first thing you must do is restore it. Then find out how it was hacked so you can protect against it. And of course, after restoring the site, immediately apply the security measures described above.
The above are some basic tips to help protect your WordPress site from the risk of attack. WordPress security is not simply doing the above and being 100% safe.
However, to protect your website at the highest level, you should apply the WordPress security tips above.
If you find the article useful, please like and share it to support me. And if you have any other views on WordPress security, please share them with everyone by commenting below.