In my blogs I regularly write about the popularity of WordPress, and I also often share tips on securing your WordPress website. Here I give you ten tips that you can easily apply yourself to make your website more secure. Ten tips may not sound like much, and the list could of course be much longer, but I come across so many websites where none of these tips have been applied. Read this blog and apply the tips; then you at least have a solid base.


Some of these tips do not work with all hosting providers. Especially with hosting providers that automatically update your WordPress installation, not every tip will work. Where this applies, it is indicated at the tip in question.
1. Delete unnecessary WordPress themes


Of course, this also applies to themes you have only tested with, or previous themes that you no longer use.
You can delete themes via FTP: in the wp-content/themes folder you will find all the themes. You can also delete them via the backend, under Appearance > Themes > Manage Themes.
As mentioned in the introduction, there are several WordPress hosting providers that automatically update WordPress to the latest version after it has been tested. In that specific case you cannot delete the files yourself.
2. Delete files in FTP root
In a WordPress installation there are, by default, three files that hackers use to retrieve information about your website. For example, they can find out the version number of WordPress, so they know which holes exist in your version. So why not close this door? If you have FTP access, it is a minute's work, and it can save you hours of cleaning up.
To be clear: just removing these files is not enough to hide your WordPress version. Other measures are needed if you want that. I will come back to this in another blog.
The files you can delete:
- wp-config-sample.php;
- readme.html;
- license.txt.
3. Remove the 'admin' user
How do you prevent an 'admin' user in a new installation? During the famous 5-minute installation of WordPress, change the username straight away. Done. How difficult is a secure WordPress environment, really?
Do you still have an 'admin' user on your WordPress website? Then go to Users and create a new user with administrator privileges; you need an email address that you can link to it. Log in as the newly created administrator and delete the account with the most commonly used username, 'admin'.
4. Use a strong password
You will not believe it, but in 2015 "123456", "password", "12345678", "qwerty" and "123456789" were the most commonly used passwords. What makes a strong password?
- No existing words, to prevent a dictionary attack
- Use punctuation marks and numbers
- At least 15 characters long
- Uppercase and lowercase letters
This tip is not higher mathematics, but it is what makes your new password hard to crack. And WordPress is happy to help you: if you want to change your password, go to any user and generate a new password.
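The four rules above, turned into a checker (an added example, not from the original post). The word list is a constructed sample that includes the 2015 top five mentioned above; a real deployment would load a full dictionary.

```python
"""Check a password against the four rules of tip 4.

Added example; SAMPLE_WORDS is a constructed stand-in for a real wordlist.
"""
import string

MIN_LENGTH = 15
# Constructed sample dictionary, including the 2015 top five from the post.
SAMPLE_WORDS = {"123456", "password", "12345678", "qwerty", "123456789",
                "welcome", "wordpress", "summer", "admin"}


def password_issues(pw: str, words=SAMPLE_WORDS) -> list:
    """Return the rules the password breaks; an empty list means it passes."""
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.punctuation for c in pw):
        issues.append("no punctuation")
    if not any(c.isdigit() for c in pw):
        issues.append("no digit")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        issues.append("not mixed case")
    # Dictionary check: a dictionary attack tries whole words and words with
    # digits or symbols bolted on, so look for any listed word inside the
    # password, case-insensitively, not just for an exact match.
    lowered = pw.lower()
    hits = sorted(w for w in words if w in lowered)
    if hits:
        issues.append("contains dictionary word(s): " + ", ".join(hits))
    return issues


if __name__ == "__main__":
    for candidate in ("password", "Qwerty!Qwerty!Qwerty!123", "Tr0ub4dor&3-gXp9!"):
        print(repr(candidate), "->", password_issues(candidate) or "OK")
```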
5. Disable directory browsing (indexing) on your WordPress website
If the web server running your WordPress website does not find an index.php or index.html file for a request, by default it shows a page listing the contents of that directory. You really must avoid this: it makes important information, such as which plugins and themes are installed, accessible to malicious people.
You can easily check whether directory browsing is possible on your website: create a new folder containing a simple text file and visit that directory in your browser. If a link to the text file is displayed, directory browsing is enabled and it is time for action. If you see a 404 page, a page with the text "Forbidden", or just a blank page, directory browsing is off and you can calmly continue with tip 6.
Not through to the next tip? Then you have some work to do, but fortunately it is not very difficult. Follow these steps and you are done:
- open the .htaccess file in the root of your FTP folder;
- add this line at the bottom: Options All -Indexes;
- save the file;
- check whether the wp-content/themes and wp-content/plugins folders contain an empty index.php file; if not, create one right away with a text editor.
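The four steps above as a script you can run against a local copy of the installation (an added example, not from the original post). It assumes an Apache server that honours .htaccess, and it is idempotent: running it twice adds the directive only once.

```python
"""Disable directory listing on a WordPress install, following tip 5.

Added example. Assumes Apache with .htaccess enabled; the install root is
passed in as a path. demo() builds a constructed install in a temp folder.
"""
import tempfile
from pathlib import Path

HTACCESS_LINE = "Options All -Indexes"
# Folders the tip says must hold an index.php so nothing gets listed.
INDEX_DIRS = ("wp-content/themes", "wp-content/plugins")


def harden_directory_listing(root: Path) -> dict:
    """Append the Options line once and create any missing index.php.

    Returns what was changed, so a maintenance run can be audited.
    """
    changes = {"htaccess_updated": False, "index_created": []}
    htaccess = root / ".htaccess"
    existing = htaccess.read_text() if htaccess.exists() else ""
    # Only add the directive if no line already sets it (idempotent).
    if HTACCESS_LINE not in [l.strip() for l in existing.splitlines()]:
        sep = "" if not existing or existing.endswith("\n") else "\n"
        htaccess.write_text(existing + sep + HTACCESS_LINE + "\n")
        changes["htaccess_updated"] = True
    for rel in INDEX_DIRS:
        index = root / rel / "index.php"
        if not index.exists():
            index.parent.mkdir(parents=True, exist_ok=True)
            # An effectively empty index.php; this is the placeholder
            # WordPress itself ships in its own content folders.
            index.write_text("<?php\n// Silence is golden.\n")
            changes["index_created"].append(rel)
    return changes


def demo() -> tuple:
    """Harden a constructed install twice; the second run must be a no-op."""
    root = Path(tempfile.mkdtemp())
    (root / ".htaccess").write_text("RewriteEngine On\n")  # constructed
    (root / "wp-content" / "themes").mkdir(parents=True)   # plugins missing
    first = harden_directory_listing(root)
    second = harden_directory_listing(root)
    return first, second, (root / ".htaccess").read_text()


if __name__ == "__main__":
    print(demo())
```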
6. Table prefix of your WordPress website
The content management system WordPress uses a MySQL database. All information you see on the front of your website is stored and processed in that database. There may be multiple websites in one database. To keep their tables apart, WordPress gives the tables a prefix; by default this is wp_, so every table name starts with wp_.
But ... if I know this, a potential hacker can know it too! So change the prefix straight away when you install a new WordPress website. This blog also shows you how to change the prefix on an existing website. Be very careful and make a good database backup first.
Want to know which prefix is currently set? You can see it in a number of places:
- Log in to phpMyAdmin and look at the tables in your database; they will all have the same prefix.
- Open the file wp-config.php via FTP. It contains a line similar to this: $table_prefix = 'wp_';
6.1 New WordPress website

Managed WordPress hosting with automatic installation adjusts the prefix automatically.
If you use managed WordPress hosting, for example at WikiBeginner.in, this is taken care of for you.
6.2 Existing WordPress website (maintenance)
I regularly do maintenance on WordPress websites, and I often run into the wp_ prefix. How do you change it on a live website? Fortunately you need little technical knowledge. I often use the 'Change DB Prefix' plugin. Which steps do you follow?
- install the Change DB Prefix plugin;
- go to Settings > Change DB Prefix;
- the old prefix is already filled in; enter a new prefix and click Save Changes;
- remove the plugin, which you no longer need.

CAUTION: Always make a backup of your database before making any changes.
Here you can see the structure of a database in phpMyAdmin, the program in which you manage the website's database.
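What a prefix change has to do underneath the plugin described in 6.2: rename every table, and also rewrite the option and user-meta keys that embed the prefix (user_roles, capabilities, user_level), which a plain table rename misses. This added example (not the plugin's code) only generates the SQL for review; it reads the current prefix from wp-config.php text and uses a constructed sample config and the core single-site table list.

```python
"""Generate the SQL for a WordPress table-prefix change (tip 6.2).

Added example, not the plugin's own code. It touches no database: review
the statements, run them, then set $table_prefix in wp-config.php to match.
"""
import re

# Core tables of a single-site install; the prefix is prepended to each.
CORE_TABLES = ("commentmeta", "comments", "links", "options", "postmeta",
               "posts", "terms", "term_relationships", "term_taxonomy",
               "termmeta", "usermeta", "users")
# Keys whose *values* embed the prefix; renaming tables alone misses these
# and leaves every user without roles after the change.
OPTION_KEYS = ("user_roles",)
USERMETA_KEYS = ("capabilities", "user_level")


def read_prefix(wp_config_text: str) -> str:
    """Return the value assigned to $table_prefix in wp-config.php text."""
    m = re.search(r"\$table_prefix\s*=\s*['\"]([A-Za-z0-9_]+)['\"]\s*;",
                  wp_config_text)
    if not m:
        raise ValueError("no $table_prefix assignment found")
    return m.group(1)


def prefix_change_sql(old: str, new: str, tables=CORE_TABLES) -> list:
    """Statements moving tables and prefixed keys from old to new prefix."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", new):
        raise ValueError("prefix may only contain letters, digits, underscores")
    if old == new:
        raise ValueError("new prefix must differ from the old one")
    sql = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    # Tables are renamed first, so the UPDATEs address the new table names.
    for key in OPTION_KEYS:
        sql.append(f"UPDATE `{new}options` SET option_name = '{new}{key}' "
                   f"WHERE option_name = '{old}{key}';")
    for key in USERMETA_KEYS:
        sql.append(f"UPDATE `{new}usermeta` SET meta_key = '{new}{key}' "
                   f"WHERE meta_key = '{old}{key}';")
    return sql


if __name__ == "__main__":
    sample_config = "<?php\n$table_prefix = 'wp_';\n"  # constructed sample
    for stmt in prefix_change_sql(read_prefix(sample_config), "kx7q_"):
        print(stmt)
```

Installs with extra plugin tables need those table names added to the list before running the output.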


7. Use a legal WordPress theme
Increasingly I come across websites that have been hacked. When I look further, I often see one of the well-known themes such as Avada, Enfold or Divi. These themes can be purchased at Themeforest.net. But when I look further, I often find very peculiar code in the theme's source files. When I ask for the license of the theme, I get a puzzled look: "I thought someone bought that for me." Stop dreaming! You have illegally downloaded a hacked theme.
An illegal theme is unprofessional, ungrateful and unsafe
What is wrong with these illegal themes? There are two enormous security risks.
- The theme is not 'free' for nothing. You get a lot of code thrown in that gives hackers access to your website and potentially lets them send huge amounts of spam through your domain. And what does your provider do if your website sends spam? Take your website offline. Have you ever thought about what that will cost you? Is this not worth an investment of 50 to 100 euros? Remember, free is never free. Besides, the designer has put a lot of time into the design of the theme; apparently you are happy with it, so it seems only fair to me that they get paid for it.
- Every good theme receives regular updates. When WordPress changes its original files, the theme has to follow in order to keep all functionality running. With an illegal theme you get no updates. So one day your website suddenly stops working, and the security vulnerabilities that the theme makers have patched are not fixed for you either.

Enough reasons to buy your theme legally anyway? Where can you buy themes? There are several websites where you can buy them. Some of these:
8. Install updates for WordPress
It is so simple: you press update and you are done. In theory, at least. Make sure the WordPress core and the plugins are always up to date. By keeping the parts mentioned above updated, you cover an important part of the security vulnerabilities.
Many WordPress hacks happen through leaks in obsolete plugins and outdated themes. Also pay attention to plugins that are bundled with your theme: often you do not have a license of your own for them and are therefore excluded from automatic updates. You can solve this by purchasing a license if necessary.
In principle it really is that simple to keep your WordPress installation up to date: you press update (after you have made a good backup) and wait until you see 'Plugin updated'.
But ... on the websites I maintain, I regularly find that something goes wrong while updating plugins. This can range from a white screen to a database error. Do you know what to do then? If you do not want to worry about updating your website, you might consider a maintenance contract.
9. Turn off the WordPress editor
In a standard WordPress installation you have access to all the files of your theme under Appearance > Editor, where you can change them. Many people use this editor to make style changes to their website, for example. That is a very bad habit.

Here too, there are hosting providers that have this option disabled by default.
If an attacker has access to the backend of your website, he also has access to the editor, and then all important WordPress files can be changed. An important part of securing your website is therefore disabling the editor. How do you do this?
Add this line to wp-config.php: define('DISALLOW_FILE_EDIT', true); and you have closed another important gap in your WordPress website's security.
10. Choose the right hosting

- A well-known hack is the iframe hack, which adds lines of code to the JavaScript files on your server. A good hosting provider that manages WordPress itself has blocked this: the files are not writable by third parties;
- The 'admin' user mentioned earlier is disabled by default. The provider scans the installations on its servers and warns when this username is found;
- The weak passwords mentioned earlier are not possible; you are required to use a strong password;
- Providers scan their servers for foreign files. If, unfortunately, someone has managed to place a dubious file in your installation, it is placed in quarantine and the website administrator is notified.
These are just a few examples; there are many more to add. For me this is what makes the difference, and why I always choose good hosting, beyond the uptime guarantee, the support and the various caching options. Want to know more about premium WordPress hosting? Feel free to contact us for more information.
Conclusion about WordPress website security
Did you find this a long blog? There are still dozens more points that bring the security of your WordPress website to a higher level. In my opinion security and backups are issues that do not get enough attention.
There are many companies that can build a great website, but these are the issues that many internet agencies neglect. Whether that comes from ignorance or from saving time, I can of course only guess. But too often I still find websites where at least five of the points mentioned have not been applied.
As an illustration of the above: about twice a week I am approached to bring a hacked website back online. This can range from showing unwanted banners to a complete redirect to another domain. Is that what anyone wants? It is the nightmare of every website administrator. Fortunately you can do something yourself to prevent this. So if you know someone who may have been hacked, please do not hesitate to contact me.
Has your website been hacked? How did you solve it? I am curious! Let me know in a comment below this blog.