How do I keep my WordPress website secure?


WordPress is a popular CMS platform, used by over 20% of all websites on the Internet. This means it's often the target of malicious attacks and hacking.


At ProStack, we're serious about site security, and all our services are designed to keep your websites safe. Take a look at our website for [more information on how we keep your services secure!]


There are some additional steps you should take to ensure your WordPress site is protected against emerging online threats.



  1. Keep WordPress updated: It's recommended to keep WordPress updated to the latest version to minimise the risk of an attack. When a new update is available, you will be notified under Dashboard --> Updates.

    WordPress can also be updated automatically. There are instructions on setting this up here.

  2. Protect your wp-config.php file: This file contains sensitive information about your website and its database connection. Moving the file to a directory above the WordPress root folder for your website helps keep it out of reach of attackers. For example, if you have installed WordPress in /home/username/public_html/wp, you can place the wp-config.php file in /home/username/public_html/ or even in the /home/username/ folder.

  3. Limit WordPress login attempts: By default, WordPress allows unlimited login attempts to the dashboard. This enables brute-force attacks, where an attacker submits a large number of requests to the login form to guess the password. To help prevent this, you can use a Web Application Firewall (WAF) plugin such as Wordfence. More details on this plugin can be found here: https://wordpress.org/plugins/wordfence/

  4. Use a pre-login CAPTCHA: Adding a CAPTCHA to your WordPress login page can help prevent automated brute-force attacks. A number of plugins can be installed to enable this. We also recommend enabling a CAPTCHA on any email forms to protect them from automated spam.

  5. Customize the WordPress admin page URL: The majority of WordPress brute-force attacks target wp-login.php and the wp-admin/ pages, as these are the well-known paths to an administrator's login. Changing the WordPress admin area URL helps reduce this. You can use the WPS Hide Login plugin to do this; more details on the plugin can be found here: https://wordpress.org/plugins/wps-hide-login/

  6. Disable file editing: If an attacker gains admin access, the built-in editors in the dashboard let them modify theme and plugin files directly. It's a good idea to add the following to the wp-config.php file, which ensures nobody can edit files on your website from the dashboard:

    // Removes the theme and plugin file editors from the dashboard
    define('DISALLOW_FILE_EDIT', true);

  7. Block image hotlinking: Hotlinking doesn't necessarily lead to a website being hacked. However, it can lead to serious bandwidth usage if your website's images are embedded by another site. To avoid this, you can add the following rules to your .htaccess file, replacing example.com with your domain name:

    # Prevent image hotlinking: allow requests with no referer (direct visits,
    # some privacy tools) and requests from example.com itself; forbid the rest.
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
    RewriteRule \.(gif|jpg|jpeg|bmp|png)$ - [NC,F,L]

  8. Block PHP backdoors: By adding the following to a .htaccess file in your site's wp-includes/ and wp-content/uploads/ directories, you can help prevent potentially malicious content from being executed, including PHP backdoors an attacker has uploaded:

    # Apache 2.4 syntax (Apache 2.2 uses "Deny from all" instead):
    # refuse to serve any .php file from this directory
    <FilesMatch ".+\.php$">
    Require all denied
    </FilesMatch>
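A caveat on step 2: WordPress itself only looks for wp-config.php in its own root and exactly one directory above it, so the /home/username/public_html/ location works on its own, but keeping the real file further away (such as /home/username/) needs a small stub in the WordPress root that hands off to it. The following stub is an added example for this article, not ProStack's or WordPress's own code; the path of the real configuration file is an assumption for the illustration.

```php
<?php
/*
 * Stub wp-config.php kept in the WordPress root, e.g. /home/username/public_html/wp/.
 * Added example (not ProStack's or WordPress's code). The stub holds no secrets; it
 * only loads the real configuration, which lives outside the web root at a path the
 * web server can read but never serves. Make the real file readable by the PHP user
 * only (e.g. mode 0600). The path below is an assumption for this illustration.
 */

// wp-load.php normally defines ABSPATH before this file runs. The guard only matters
// if something loads the stub directly, and it keeps ABSPATH pointing at the
// WordPress root rather than at the directory holding the real file.
if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/');
}

$real_config = '/home/username/wp-config.php';   // assumed location, outside public_html

if (!is_readable($real_config)) {
    // Fail closed with a generic message; never reveal the path to visitors.
    http_response_code(500);
    exit('Site configuration is unavailable.');
}

// The real file keeps its usual contents, including the final
// require_once ABSPATH . 'wp-settings.php'; line.
require_once $real_config;
```

Because ABSPATH is already set when the real file is loaded, its standard `if ( ! defined( 'ABSPATH' ) )` guard leaves the correct value in place and wp-settings.php is still found under the WordPress root.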
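To show the mechanism behind steps 3 and 4 (throttling repeated login failures rather than leaving attempts unlimited), here is a minimal must-use plugin that locks an IP address out after a run of failed logins. It is an added example for this article, not ProStack's code and not the Wordfence plugin, and the thresholds, function names and transient keys are assumptions chosen for the illustration. It relies only on the core WordPress hooks `authenticate`, `wp_login_failed` and `wp_login` and the transient API.

```php
<?php
/**
 * Plugin Name: Login Throttle (added example)
 * Description: Locks a client IP out of the login form after repeated failures.
 *
 * Added example for this article; not ProStack's code and not Wordfence. Save it as
 * wp-content/mu-plugins/login-throttle.php and WordPress loads it automatically.
 * The thresholds below are assumptions; tune them to your site's traffic.
 */

if (!defined('ABSPATH')) {
    exit; // never run outside WordPress
}

const LT_MAX_FAILURES = 5;     // failures allowed inside the window
const LT_WINDOW       = 900;   // seconds the failure counter lives (15 min)
const LT_LOCKOUT      = 1800;  // seconds a locked-out IP must wait (30 min)

/** Client address. REMOTE_ADDR is the only value the web server vouches for;
 *  trust X-Forwarded-For only when a proxy you control sets it. */
function lt_client_ip(): string {
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient name for this IP; hashing keeps the option name short and safe. */
function lt_key(string $kind): string {
    return 'lt_' . $kind . '_' . md5(lt_client_ip());
}

function lt_is_locked(): bool {
    return (bool) get_transient(lt_key('lock'));
}

/*
 * Priority 30 runs after WordPress's own username/password check (priority 20),
 * so a locked-out IP is refused even on the attempt that guesses correctly.
 */
add_filter('authenticate', function ($user, $username, $password) {
    if (lt_is_locked()) {
        return new WP_Error(
            'lt_locked_out',
            __('Too many failed login attempts from your address. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

/* Count failures per IP and lock the address out once the threshold is reached. */
add_action('wp_login_failed', function ($username) {
    if (lt_is_locked()) {
        return; // already locked; do not extend the window on every retry
    }
    $failures = (int) get_transient(lt_key('fail')) + 1;
    set_transient(lt_key('fail'), $failures, LT_WINDOW);

    if ($failures >= LT_MAX_FAILURES) {
        set_transient(lt_key('lock'), time(), LT_LOCKOUT);
        delete_transient(lt_key('fail'));
        // Leave a trace in the PHP error log for monitoring to pick up.
        error_log(sprintf(
            '[login-throttle] locked out %s after %d failed logins (last username tried: %s)',
            lt_client_ip(), $failures, $username
        ));
    }
});

/* A successful login from this IP resets its failure counter. */
add_action('wp_login', function () {
    delete_transient(lt_key('fail'));
});
```

Because it hooks the core `authenticate` filter, the lockout applies to every login that goes through wp_authenticate(), including XML-RPC, not just the wp-login.php form. Transients live in the options table (or your object cache), so the counter is shared across all PHP workers. Behind a reverse proxy, replace lt_client_ip() with the address header that proxy sets; otherwise every visitor shares the proxy's address and a single attacker can lock everyone out.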


What can I do if my site's already hacked?

If you suspect your website has been hacked, we recommend contacting support as soon as possible; we may be able to restore the site to a clean version from backups.


Once you've done this, it's important that you immediately review your site's plugins and ensure everything is up to date. Once a site has been hacked it's often a target for reinfection, so any vulnerabilities must be found and fixed as quickly as possible.


We offer a comprehensive suite of security tools to help secure your sites and protect them against attacks. [You can find out more about our security offerings here.]



Need further assistance?

If you require further information or assistance, please contact the ProStack team and we can help get this resolved for you! [Get in touch today!]
