Unfortunately, there is no way to protect a WordPress website or blog from hackers 100%: hackers are determined to get past any obstacle, and they look for gaps in your system as hard as you try to close them. What you can do, however, is make them pass through the eye of a needle to do it.
One thing you can rely on is that the hacker will eventually give up, and start looking for a website that pays off more.

This article suggests a few strategies you can use to ‘mask’ your website from hackers.

1. Avoid defaults

For better or worse, WordPress offers various ways to sign up and to use it, and your role here is to avoid defaults when choosing a hosting plan or handling domains and installation.

Defaults are already known to hackers, and most of the brute-force attacks they have performed in the past succeeded because of easy-to-guess domains that took no time to discover. This doesn’t mean you have to obsess over details: simply expose as little website information as possible, and you’ve already given them a hard time.

This is something you probably know, but please don’t use the default names and passwords you were given while creating your account, especially not for creating and managing content. Change them to something more specific, and do it right after you’ve signed up for the package and installed it.

Change the login details even if you created them yourself (that is, there were no defaults and you chose your own login information), since you can never know whether your hosting company has given external servers or other parties access to them.

2. Isolate your WordPress database, and protect it

If there is one place where you can see all website information, it is the database. It contains a lot of information, which makes it almost irresistible to hackers.

To be completely frank, databases are easy to break into: automated SQL injection code is run against all the websites and blogs on your server, so if they share one database, a single successful injection gives the hacker instant access to all the information you hold.

Given how this code works, the minimum you can do is use a separate database for each site or blog, and let separate users manage them. The upside is that you can revoke any database privilege at any time, except perhaps the rights to read and write for the users who install plugins and write your content. Still, we don’t recommend withdrawing all permissions, because changing the original schema will require all privileges to be in place.

Renaming the database, or at least changing its prefix, is also good practice, since it makes hackers misaim their attacks. It doesn’t mean that your database is completely safe, but rather that a compromised database won’t necessarily endanger the entire WordPress installation.
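The per-site database and per-site user described above can be provisioned as follows. This is an added example, not code from the original article: the naming scheme, the 'REPLACE_ME' password placeholder and the split between row-level and schema privileges are assumptions.

```shell
#!/bin/sh
# Added example: print MySQL statements that give each site its own database
# and its own user. Naming scheme and password placeholder are assumptions.
LC_ALL=C; export LC_ALL

# The slug is pasted into SQL, so accept lowercase letters and digits only.
# This also keeps "_" and "%" out of the name, which GRANT treats as wildcards.
valid_slug() {
    case "$1" in
        ''|*[!a-z0-9]*) return 1 ;;
    esac
}

# step: create   -> database, user, row-level read/write rights only
#       upgrade  -> add schema rights before a core or plugin update
#       lockdown -> take the schema rights away again afterwards
site_db_sql() {
    slug=$1
    step=${2:-create}
    valid_slug "$slug" || { echo "rejected slug: $slug" >&2; return 1; }
    db="site$slug"
    acct="'u$slug'@'localhost'"
    case "$step" in
        create)
            echo "CREATE DATABASE IF NOT EXISTS $db;"
            echo "CREATE USER IF NOT EXISTS $acct IDENTIFIED BY 'REPLACE_ME';"
            echo "GRANT SELECT, INSERT, UPDATE, DELETE ON $db.* TO $acct;" ;;
        upgrade)
            echo "GRANT CREATE, ALTER, DROP, INDEX ON $db.* TO $acct;" ;;
        lockdown)
            echo "REVOKE CREATE, ALTER, DROP, INDEX ON $db.* FROM $acct;" ;;
        *)
            echo "unknown step: $step" >&2; return 1 ;;
    esac
}

# Two sites on one server, then the upgrade window for the first one.
site_db_sql blog1 create
site_db_sql shop2 create
site_db_sql blog1 upgrade
site_db_sql blog1 lockdown
```

Pipe the output into the mysql client as an administrative user; each site's wp-config.php then holds only the credentials of its own limited account.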

3. Regular backup

Once again, let’s not delude ourselves into believing that hackers won’t be persistent enough to get inside our systems. You may have skipped the basic security protocols so far, but the moment to rethink them is already here.

The best thing to do is to back up your information regularly so that you can reset security once a threat appears. Afterward, you will be able to restore it easily, upload your data, and change the password to continue working after only one day.

Manual backup is your best and most secure option unless you’re using one of the best hosting companies, which offer extra backup space without a fee. The last two versions of your website will be enough, but you have to keep them outside your server to prevent hackers from reaching them.

4. Don’t even think of setting file permissions to 777 (not even for an hour)!

Setting file permissions to 777 is not serious, to say the least. 777 should be avoided at all costs because it means completely open access, with no restriction on files or directories for any user, and that doesn’t exclude hackers. Beginners often make this mistake because they find it easier, or they forget to change it back as time goes by. By then it is already too late!

777 is extremely dangerous since you’re allowing everyone to see, alter, or remove your files. Your website simply becomes an open house, where hackers can easily take a tour, install a backdoor, or simply compromise all of your information.
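To check an installation for this problem, the following script lists every file and directory that all users can write to and resets it. It is an added example, not part of the original article; the 755/644 target modes and the sample tree are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find and repair world-writable entries (777, 666, ...) in a
# WordPress tree. The sample tree below is constructed for the demonstration.

# Print every file or directory that "others" may write to.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Count them (prints 0 when the tree is clean).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Reset offenders: 755 for directories, 644 for files (assumed target modes).
fix_world_writable() {
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
}

# Build a throwaway tree with two deliberately wrong modes.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    echo '<?php' > "$d/index.php"
    echo 'img' > "$d/wp-content/uploads/a.jpg"
    chmod 755 "$d" "$d/wp-content"
    chmod 777 "$d/wp-content/uploads" "$d/index.php"
    chmod 644 "$d/wp-content/uploads/a.jpg"
    echo "$d"
}

root=$(demo_tree)
echo "World-writable before the fix:"
find_world_writable "$root"
fix_world_writable "$root"
echo "World-writable after the fix: $(count_world_writable "$root")"
rm -rf "$root"
```

On a real site, call find_world_writable with the path of the WordPress installation and review the list before running fix_world_writable.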

5. Update WordPress regularly

Depending on your package, you might be lucky enough to have your WordPress version updated automatically. In most cases, however, you will have to do it yourself. Instead of jumping around excited about the new features, take care of the Security and Maintenance notes first.

WordPress updates are something of a double-edged sword: they eliminate the security vulnerabilities from the past, and bring new ones on board. The cool functionalities are there, but they bring a long list of security flaws we often fail to consider.

If we don’t update in time, we also risk leaving the flaws from our previous versions unfixed. The worst part about not updating and getting hacked is that you will have nobody else to blame but yourself. Hackers love lazy website owners, so don’t give them the pleasure of exploiting your lack of attention.

6. Use the most complex passwords you can think of

Passwords are a cliché when it comes to security threats, but passwords are where both hacker attacks and good security precautions begin.

We don’t blame you for being one of those people who hate memorizing long and complex passwords and use shorter and easier ones instead, but we are warning you that you’re making the hackers’ job seriously easier.

The rule is simple: safe passwords need letters, numbers, and other valid characters in unusual combinations to make the hacker give up. Even dramatic approaches such as ciphers and algorithms are not exaggerated. If nothing else, longer passwords take more time to crack, so make use of them.

Another recommendation is to avoid personal data in passwords, because that makes the hackers’ job more than easy. Single words should be excluded as well (even if they are long), as should passwords made only of letters or only of numbers. All of them are known patterns which simply put your website at the disposal of every hacker.

7. Secure the admin files

WP-admin files are meant to be accessed by a single person, or two people at the most. In order to restrict access, try using the .htaccess file to limit the directory to only the IP addresses concerned.

If your IP address is static and you always blog from the same computer, you have the advantage of being the only person able to access the admin files by default. Multi-user blogs, however, should manage access by choosing a range of IPs to allow. Apache’s documentation on mod_access can help you do this in only a few minutes.

All you have to do is copy this code and paste it into the .htaccess file in the wp-admin directory (not the one in the root):

# deny access to wp-admin for everyone except your static IP
order deny,allow
deny from all
# replace xx.xx.xx.xx with your static IP
allow from xx.xx.xx.xx

This code stops browsers from accessing any file in the sensitive directory unless the request comes from “xx.xx.xx.xx”, which stands for your own IP address. You can achieve the same thing in an even easier way, by simply adding password protection through the .htaccess file.
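For multi-user blogs, the rule file can be generated from a list of allowed addresses, as in the following added example (not code from the original article). It validates each address and writes rules for both Apache 2.2 and Apache 2.4; the addresses shown are constructed documentation-range values.

```shell
#!/bin/sh
# Added example: build the contents of wp-admin/.htaccess from a list of
# allowed IPv4 addresses. The addresses used below are constructed samples.

# Accept only a dotted quad whose four octets are each 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Print rules that work on Apache 2.4 (Require) and 2.2 (Order/Deny/Allow).
wp_admin_htaccess() {
    [ $# -gt 0 ] || { echo "no addresses given" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid IPv4: $ip" >&2; return 1; }
    done
    echo '# deny access to wp-admin except from the listed addresses'
    echo '<IfModule mod_authz_core.c>'
    for ip in "$@"; do echo "    Require ip $ip"; done
    echo '</IfModule>'
    echo '<IfModule !mod_authz_core.c>'
    echo '    Order deny,allow'
    echo '    Deny from all'
    for ip in "$@"; do echo "    Allow from $ip"; done
    echo '</IfModule>'
}

# Two editors with static addresses; redirect the output to wp-admin/.htaccess.
wp_admin_htaccess 203.0.113.10 198.51.100.7
```

The same rule also blocks public visitors from wp-admin/admin-ajax.php, which some themes and plugins call from the front end, so test the site from an address that is not on the list after deploying it.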

If you run a WordPress website, you should definitely perform all the steps mentioned above to secure it against hackers.



there are 6 comments added

  1. Hi Dimi, it's a very nice share. I'm curious about part 7, how exactly can I do it? Sorry for the silly question, but can I get a step-by-step guide on this? Thanks

  2. Felipe 27th July 2016

    Great post! Another effective tip is using the Wordfence plugin. If configured correctly, you can eliminate geo-blocking, authorized logins, etc.

    • Hey Felipe, Nice tip, thanks for your input!
