How-To-Guide to Secure WordPress Theme and Plugin Code


Today, WordPress is one of the most popular and widely used content management systems in the world. More than 18.9% of all Internet sites run on it, and the number of installations has exceeded 76.5 million. Many developers use this convenient and simple engine to build blogs, websites, and portals, and there are thousands of free WordPress themes and plugins available for setting up a blog or business website. But such simplicity and popularity also attract a lot of attackers.

According to a report by Sucuri, a company that specializes in website security, WordPress is the most hacked CMS in the world. That is why security and protection are among the most important aspects of any WordPress website.
There are many possible ways to protect WordPress theme and plugin code. Let's have a look at a number of simple but very important tips to make it secure. Unlike hosted platforms such as Wix, you have to take care of this yourself.

Ways to protect the WordPress theme and plugin code

1. Regular backups

It is important to have multiple copies of the site, stored on different media that are not connected to each other, in case your site is hacked despite your precautions. In that case, the available backup copies will help restore the site as quickly as possible. The optimal backup scheme for medium and large sites is as follows:

  • 1 copy is stored directly on the hosting — it is needed for quick work with the site;
  • 1 copy is stored on the owner's computer, which is itself protected from hacking by a firewall and antivirus — it is needed for quick recovery in case of hacking;
  • 1 copy is stored in a cloud service, as the main backup source;
  • 1 copy is stored offline on a flash drive.

Since the site is constantly being developed, it is important to regularly refresh the copies on each medium, because you never know when an attack on your site will be carried out. The backup must include not only the site files but also the database.

On the hosting, the ideal frequency is 3 backups per day, which many of the best WordPress hosting companies provide by default.

As for the other backups, it is enough to make a copy in the cloud 2 times a week, and on the local computer and flash drive — once a week. Losing website data can be very expensive.

2. Limit the available information about the site

Knowing which version of WordPress your site runs and which plugins are installed, attackers can look up the known vulnerabilities for exactly those versions. To prevent this, the following simple but effective actions are necessary:

a. Delete the readme.html and license.txt files from the site root;
b. Block browser access to the .htaccess file using .htaccess directives;
c. Check the HTML source of your pages for comments that mention plugin names and their versions;
d. Do not allow browser access to install.php, wp-config.php, and other system files;
e. Prevent browsing of WordPress directory contents in the browser using .htaccess directives;
f. Hide information about the site owner and authors;
g. Set access rights on the site directories to 755 and on files to 644.
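The following audit script is an added example, not code from the original article. It checks a WordPress document root against points a, b, d, e and g above: it reports leftover readme.html/license.txt files, .htaccess rules that are missing (a plain text search, on the assumption that Apache is serving the site with .htaccess enabled), and any directory or file whose mode differs from 755/644. The path on the command line is a placeholder.

```php
<?php
// audit-wp-root.php: added example, not part of the original article.
// Checks a WordPress document root for the disclosures and permission
// problems listed in points a, b, d, e and g. Run from the command line:
//   php audit-wp-root.php /var/www/html      <- path is a placeholder

function audit_wp_root(string $root): array
{
    $root     = rtrim($root, '/');
    $findings = [];

    // (a) stock files that reveal the exact core version and install details
    foreach (['readme.html', 'license.txt'] as $file) {
        if (is_file("$root/$file")) {
            $findings[] = "delete $root/$file: it discloses installation details";
        }
    }

    // (b), (d), (e) Apache rules expected in .htaccess. This is only a text
    // search for the usual directive; it does not validate the rule itself.
    $ht       = is_file("$root/.htaccess") ? (string) file_get_contents("$root/.htaccess") : '';
    $expected = [
        'Options -Indexes'      => 'directory listing is not disabled (e)',
        '<Files wp-config.php>' => 'wp-config.php is not blocked from browser access (d)',
        '<FilesMatch "^\.ht">'  => '.htaccess itself is not blocked from browser access (b)',
    ];
    foreach ($expected as $needle => $why) {
        if (stripos($ht, $needle) === false) {
            $findings[] = ".htaccess: $why";
        }
    }

    // (g) directories 755, files 644; anything else is reported with its
    // actual mode. SELF_FIRST makes the iterator yield directories as well.
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        $mode = $info->getPerms() & 0777;
        $want = $info->isDir() ? 0755 : 0644;
        if ($mode !== $want) {
            $findings[] = sprintf('%s has mode %04o, expected %04o', $path, $mode, $want);
        }
    }

    return $findings;
}

if (PHP_SAPI === 'cli') {
    $root     = $argv[1] ?? '.';
    $findings = audit_wp_root($root);
    echo $findings ? implode(PHP_EOL, $findings) . PHP_EOL : "no findings under $root" . PHP_EOL;
    exit($findings ? 1 : 0); // non-zero exit code so it can run from cron or CI
}
```

The script only reports; it changes nothing, so it is safe to run repeatedly, for example from a nightly job. Note that wp-config.php holds the database credentials, and the official WordPress hardening guidance allows a stricter mode for it than the 644 used for ordinary files; if you tighten it, adjust the expected mode for that one file rather than relaxing the check.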

3. Two-factor verification when logging in to the admin area

This security measure is another effective means of protecting the WordPress admin area. It means that when entering the admin panel you use not only the standard username and password, but also a security code that is sent to your phone or email.

In addition, many website owners create several accounts in order to share their online business with partners, so several people can access the dashboard. Some of them may choose weak passwords, which are easy to crack.

Therefore, if a brute-force attack succeeds and the intruders obtain the administrator's credentials, the second factor will still stop them from gaining control over your site: they would also need physical access to your device.

The simplest and most convenient way to implement two-factor authentication on your site is to install a dedicated plugin.

Here is the list of the most popular ones:

  • Google Authenticator – Two Factor Authentication (2FA)
  • Duo Two-Factor Authentication
  • Rublon Two-Factor Authentication.
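To show what those plugins do under the hood, here is an added example (not code from the article or from any of the plugins listed) of a minimal time-based one-time password (TOTP, RFC 6238) second factor written as a small WordPress plugin. It adds an "Authentication code" field to the login form and rejects the login unless the code matches the user's secret. It assumes that the base32 secret from the user's authenticator app was stored in the user meta key totp_secret during enrolment; the enrolment screen itself is not part of the example.

```php
<?php
/*
Plugin Name: Minimal TOTP second factor (added example, not from the article)
Description: Asks for a 6-digit authenticator code on the login form and checks it
             against a per-user secret stored in user meta.
*/

// RFC 4648 base32 decoding, the encoding authenticator apps use for the shared secret.
function totp_base32_decode(string $b32): string
{
    $b32 = strtoupper(rtrim($b32, '='));
    if ($b32 === '') {
        throw new InvalidArgumentException('empty base32 secret');
    }
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach (str_split($b32) as $char) {
        $pos = strpos($alphabet, $char);
        if ($pos === false) {
            throw new InvalidArgumentException('invalid base32 secret');
        }
        $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) {
            $bytes .= chr(bindec($chunk));
        }
    }
    return $bytes;
}

// RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated.
function totp_code(string $secret, int $timestamp, int $digits = 6): string
{
    $hash   = hash_hmac('sha1', pack('J', intdiv($timestamp, 30)), $secret, true);
    $offset = ord($hash[19]) & 0x0F;
    $binary = ((ord($hash[$offset]) & 0x7F) << 24)
            | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8)
            |  ord($hash[$offset + 3]);
    return str_pad((string) ($binary % 10 ** $digits), $digits, '0', STR_PAD_LEFT);
}

// Accept the current step and one step either side to tolerate clock drift;
// hash_equals keeps the comparison constant-time.
function totp_verify(string $secret, string $code, int $now): bool
{
    foreach ([-30, 0, 30] as $drift) {
        if (hash_equals(totp_code($secret, $now + $drift), $code)) {
            return true;
        }
    }
    return false;
}

if (function_exists('add_action')) {
    // Extra field on wp-login.php.
    add_action('login_form', function () {
        echo '<p><label for="totp_code">Authentication code</label>'
           . '<input type="text" name="totp_code" id="totp_code" class="input" '
           . 'autocomplete="one-time-code" inputmode="numeric" maxlength="6"></p>';
    });

    // Runs after the user is looked up and before the password is checked.
    add_filter('wp_authenticate_user', function ($user, $password) {
        if (is_wp_error($user)) {
            return $user;
        }
        // Assumption: the base32 secret was stored in user meta 'totp_secret' at enrolment.
        $secret = get_user_meta($user->ID, 'totp_secret', true);
        if ($secret === '') {
            return $user; // this user has not enrolled a second factor
        }
        $code = preg_replace('/\D/', '', (string) ($_POST['totp_code'] ?? ''));
        if (!totp_verify(totp_base32_decode($secret), $code, time())) {
            return new WP_Error('invalid_totp', __('Invalid authentication code.'));
        }
        return $user;
    }, 10, 2);
}

// Self-check from the command line (php totp-2fa.php) with the RFC 6238 test vector:
// secret "12345678901234567890" at t=59 must give 287082.
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $secret = totp_base32_decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
    echo totp_code($secret, 59) === '287082' ? "TOTP self-check passed\n" : "TOTP self-check FAILED\n";
}
```

Two caveats matter in practice. First, the wp_authenticate_user filter only covers the username-and-password path of wp-login.php; XML-RPC, application passwords and any custom login form need their own check, which is one reason the plugins above are the easier route. Second, a user without a totp_secret is let through unchanged, so enrolment has to be enforced separately for every administrator account.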

4. Edit the default administrator account

By default, WordPress provides access through an account named admin. This is very bad, because guessing the password for a known login (a brute-force attack) is one of the most common attack methods.

In other words, hackers know that you have the admin login, so they generate millions of password combinations and try them against the sites in their database.

For example, they try the password FDj2423 against millions of sites, and there is a high probability that it is in use somewhere. Since more than half of site owners do not change the default account, the attackers' task is greatly simplified.

To change your login and increase WordPress theme and plugin code security, you need to:

  • create a new account with a complex password;
  • specify its role as “Administrator”;
  • delete the admin user.

These simple actions take 3 minutes, but unfortunately many website owners never perform them.
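The three steps can also be scripted, which is handy when you maintain several sites. The script below is an added example, not code from the article: it creates the new administrator with a long random password, gives it the Administrator role, and deletes admin while reassigning that account's posts to the new one. It assumes a single-site install and is run inside WordPress with WP-CLI; the login name and e-mail address are placeholders.

```php
<?php
// replace-admin.php: added example, not from the article. Performs the three
// steps above in one go. Run it inside WordPress with WP-CLI:
//   wp eval-file replace-admin.php
// Assumptions: single-site install; the new login and e-mail are placeholders.

function replace_default_admin(string $new_login, string $new_email): array
{
    require_once ABSPATH . 'wp-admin/includes/user.php'; // provides wp_delete_user()

    $old = get_user_by('login', 'admin');
    if (!$old) {
        return ['status' => 'nothing-to-do', 'message' => 'no account named "admin" exists'];
    }
    if (username_exists($new_login) || email_exists($new_email)) {
        return ['status' => 'error', 'message' => 'new login or e-mail already in use'];
    }

    // Steps 1 and 2: new account with a 24-character random password
    // (letters, digits, symbols) and the Administrator role.
    $password = wp_generate_password(24, true, true);
    $new_id   = wp_insert_user([
        'user_login' => $new_login,
        'user_email' => $new_email,
        'user_pass'  => $password,
        'role'       => 'administrator',
    ]);
    if (is_wp_error($new_id)) {
        return ['status' => 'error', 'message' => $new_id->get_error_message()];
    }

    // Step 3: delete "admin". The second argument reassigns its posts and links
    // to the new account so no content is lost together with the user.
    if (!wp_delete_user($old->ID, $new_id)) {
        return ['status' => 'error', 'message' => 'new account created but "admin" could not be deleted'];
    }

    return ['status' => 'ok', 'new_user_id' => $new_id, 'password' => $password];
}

$result = replace_default_admin('site-owner', 'owner@example.com'); // placeholders
print_r($result); // the generated password is shown once; store it in a password manager
```

The new account is created before the old one is removed, so the site is never left without an administrator even if the deletion step fails. On a multisite network wp_delete_user() does not remove the account from the network; use wpmu_delete_user() there instead.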

5. Uninstall unused plugins

If you tested some plugins and then deactivated them without removing them from the site, you are still at risk:

  • their files stay on the server and can be used to plant malicious code;
  • unused plugins still need to be updated to stay secure;
  • even if a file was secure when you first installed it, that does not mean it will remain secure in the future.

We would generally recommend using fewer plugins for better security. A good alternative to WordPress plugins can be clean, custom JavaScript and PHP code.
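Deactivated plugins are easy to forget because they do not appear anywhere on the public site. The following inventory script is an added example, not code from the article: run with WP-CLI, it lists every installed plugin that is neither active nor network-active, together with its version and whether an update is pending, so you can decide what to delete. It assumes the server can reach wordpress.org to refresh the update check.

```php
<?php
// inactive-plugins.php: added example, not from the article. Run with WP-CLI:
//   wp eval-file inactive-plugins.php
// Lists plugins that are installed but not active, with any pending update.
require_once ABSPATH . 'wp-admin/includes/plugin.php'; // get_plugins(), is_plugin_active()

function find_inactive_plugins(): array
{
    wp_update_plugins(); // refresh the update check (assumption: wordpress.org is reachable)
    $updates = get_site_transient('update_plugins');
    $result  = [];

    foreach (get_plugins() as $file => $data) {
        if (is_plugin_active($file) || is_plugin_active_for_network($file)) {
            continue; // only deactivated plugins are of interest here
        }
        $result[$file] = [
            'name'             => $data['Name'],
            'version'          => $data['Version'],
            'update_available' => isset($updates->response[$file])
                ? $updates->response[$file]->new_version
                : null,
        ];
    }
    return $result;
}

$inactive = find_inactive_plugins();
if (!$inactive) {
    echo "No inactive plugins installed.\n";
}
foreach ($inactive as $file => $plugin) {
    printf(
        "%s %s (%s)%s\n",
        $plugin['name'],
        $plugin['version'],
        $file,
        $plugin['update_available'] ? " -> update {$plugin['update_available']} pending" : ''
    );
}
```

A plugin that shows up here with a pending update is exactly the case the list above warns about: its code is still on the server, it is not being maintained, and a fix for a known issue has not been applied. Deleting it removes the risk entirely, which is better than merely updating a plugin nobody uses.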

6. Hide the WordPress version

In WordPress, anyone can see the engine version without any effort. This is not only curious but also dangerous: an intruder can exploit the bugs and vulnerabilities known for that version. Therefore, it is better to hide the version.

In the functions.php file of your theme, add the following line of code:

add_filter( 'the_generator', '__return_empty_string' );

This adds a filter to the WordPress hook responsible for outputting the version (the generator tag in the page head and in the feeds), replacing the output with an empty string so the version is no longer printed.
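The generator tag is not the only place the version appears: WordPress also appends ?ver=<version> to the URLs of its own scripts and stylesheets. The plugin below is an added example, not code from the article. It removes the generator output and strips the ver parameter from a script or style URL only when that parameter equals the running core version, so plugin and theme assets keep their own cache-busting versions. The prefix hwv_ on the function name is an assumption chosen for this example.

```php
<?php
/*
Plugin Name: Hide WordPress Version (added example, not from the article)
Description: Removes the generator meta tag and the ?ver= core-version marker
             that WordPress adds to its own scripts and styles.
*/

// 1. The <meta name="generator"> tag in <head> and the generator element in feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 2. Core scripts and styles are enqueued as .../file.js?ver=6.x, which
//    discloses the version just as clearly. Strip 'ver' only when it equals
//    the core version; plugin/theme assets keep their own version strings.
function hwv_strip_core_version(string $src): string
{
    $query = parse_url($src, PHP_URL_QUERY);
    if (!is_string($query)) {
        return $src; // no query string, or unparseable URL: leave untouched
    }
    parse_str($query, $args);
    if (isset($args['ver']) && $args['ver'] === get_bloginfo('version')) {
        return remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'hwv_strip_core_version');
add_filter('style_loader_src', 'hwv_strip_core_version');
```

Hiding the version only removes an easy hint; it does not fix anything. The vulnerabilities themselves are closed by keeping WordPress updated, and readme.html (point a in the list above) still states the version if it is left in place, so combine this with the earlier steps rather than relying on it alone.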

It may seem that keeping your WordPress theme and plugin code secure is a very difficult task, as there are many threats and many reasons why intruders might attack you. However, it is worth it to protect your data and make the website an effective instrument of your business.
