Quick Tips to Concrete The Security of Your WordPress Site

WordPress is a great CMS platform and is dictating the trend on the web today without a single doubt. But no software is developed impeccably. Despite of all the wonders, this CMS is capable of providing, one of the major issues with it is the frequent security loopholes we often encounter, thus crippling the overall legitimacy of a website.

Security has become a major concern for the site owners, and it’s something which is known to WordPress. The platform has been beleaguered with so many security attacks, which ultimately spell doom to the site owners. Cyber criminals have always been around, and the with the advancement of hacker’s tools and the increasing accessibility to any data, the problem has become all the more elevated.

So, in order to beat this threat, I have put together a round-up of some resourceful tips and tricks you can implement to augment the security of your website and thus avoid being the next victim.

1. Make Use of Security Socket Layer

SSL is a popular concept in the web realm especially among those who are related to Internet security. It’s primary objective is to establish an encrypted link between the server and the client and makes the data incomprehensible for the hackers to break. SSL makes use of two keys- a public key which is known to everyone and a private key which is only known to the user to decrypt the data and read it. Implementing SSL will let you protect the confidential user information, such as credit card, debit card numbers, passwords and anything that is sensitive and needs to be protected.

SSL

2. SQL Injections

The mere WordPress installation isn’t enough to sit back and relax thinking that your website will never be exposed to hacks. Depending on which WordPress version you are currently in, an SQL injection can be extremely terrible.  An SQL injection is nothing but a web attack mechanism used by hackers to spoil the website data. In this type of attack, an attacker seeks to pass SQL command into say a login form to gain an authorize access over the data of your website. SQL attacks can be very harmful and to deal with them, you need to constantly update your website and backup your database.

SQL

However, to fix it, you can also add the below-mentioned code to your .htaccess file.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC] RewriteRule ^(.*)$ – [F,L] RewriteCond %{QUERY_STRING} ../ [NC,OR] RewriteCond %{QUERY_STRING} boot.ini [NC,OR] RewriteCond %{QUERY_STRING} tag= [NC,OR] RewriteCond %{QUERY_STRING} ftp: [NC,OR] RewriteCond %{QUERY_STRING} http: [NC,OR] RewriteCond %{QUERY_STRING} https: [NC,OR] RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR] RewriteCond %{QUERY_STRING} base64_encode.*(.*) [NC,OR] RewriteCond %{QUERY_STRING} ^.*([|]|(|)|<|>|e|”|;|?|*|=$).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(“|’|<|>||{||).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127.0).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC] RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$ RewriteRule ^(.*)$ – [F,L] </IfModule>

3. Providing Direct Access to the Login Page

Another mistake which can spoil the overall functioning of your website is by providing direct access to the login page. While having a strong password  comes handy to protect your website against anomalies, but a malicious user won’t be able to attack on your website if they aren’t provided with any kind of direct access to your login page. Hide Login is a plugin which you can use to hide the location of your login page.

Also, there are some files within WordPress which can be easily accessed by malicious coders if they aren’t covered intelligently. However, we can fix these issues by adding the below mentioned code within our .htaccess file.

Options All -Indexes
<files .htaccess>
Order allow,deny
Deny from all
</files>
<files readme.html>
Order allow,deny
Deny from all
</files>
<files license.txt>
Order allow,deny
Deny from all
</files>
<files install.php>
Order allow,deny
Deny from all
</files>
<files wp-config.php>
Order allow,deny
Deny from all
</files>
<files error_log>
Order allow,deny
Deny from all
</files>
<files fantastico_fileslist.txt>
Order allow,deny
Deny from all
</files>
<files fantversion.php>
Order allow,deny
Deny from all

4. Getting Rid of the Default Prefix

One of the biggest security lapse one can make is by keeping the default prefix ‘wp’. With only password left to encrypt, you are already making their job half-accomplished. So, it is recommended to change this prefix to something hard to decipher. It will give hackers an impossibly hard time, and reduce the chances of your website getting hacked.

5. Safeguard Your Wp_config File

Wp_config file is one of the most crucial files in the WordPress core installation and contains all the confidential information related to your site such as passwords, usernames, etc. You certainly don’t want the content of this file to be fallen in the wrong hands, so protecting wp_config site is definitely you can think of. The most simplest way to beef up the security of wp_config file is just add the following code in your .htaccess file.

<Files wp-config.php>
order allow,deny
deny from all
</Files>

6. Hiding Your WordPress Version

WordPress by default leaves it footprints to track your website which let the external people know which version you are currently using. If you don’t welcome updates on a regular basis, these footprints can harm you badly. There are many ways to hide your WordPress version, but the most suitable one is- open your functions.php and add the following code into it.

remove_action(‘wp_head’, ‘wp_generator’);

In order to completely remove the version, go one step further and remove it from RSS feeds as well by adding the code to your functions.php file.

function wpt_remove_version() {
return ”;
}
add_filter(‘the_generator’, ‘wpt_remove_version’);

Conclusion

Security lapses can prove to be extremely dangerous for any kind of website. So start thinking wisely and pay attention to the tips mentioned above to combat hackers and prevent yourself becoming the victim.

About the Author: Amanda Cline is currently serving as a senior programmer with Xicom Technologies Ltd. You can hire PHP developers for successful execution of varied web development projects, both simple as well as complex ones. Get in touch with her via Twitter.

1 thought on “Quick Tips to Concrete The Security of Your WordPress Site”

Comments are closed.

Scroll to Top