This post is about securing WordPress sites. Nothing makes a site unhackable, but the steps below close the doors that attackers try first. As you may know, Laplacef runs on WordPress, and so do many well-known publishers such as CNN, Forbes, BoingBoing and the New York Times. It is one of the best open-source blogging and CMS platforms available today.
Today I will only cover how to secure a WordPress site against the common ways it gets hacked.
Below are the steps you can take to secure WordPress sites:
1. Use Secure Password
2. Update WordPress
3. Update WordPress Plugins
4. Use Robots.txt file
5. Protect WordPress Administration Panel
6. Hide WordPress Version
7. Protect Your Wp-config.php and .htaccess
8. Backup Your Website
Secure WordPress Sites
1. Use Secure Password

Your password is the key to your dashboard and, through it, to every file and setting on the site. It is the first line of defence: lose it and you have lost the battle. Always use a long password built from letters, numbers and symbols so that nobody can guess it, and never reuse it on another site, since a breach elsewhere is then a breach here too.
Change the password immediately if you suspect it has been exposed. Changing it every month or two does no harm, but length and uniqueness matter far more than how often you rotate it.
DO NOT USE
– your birthday as your password
– your street address, your house name, your pet's name, your neighbour's name or a family member's name
– a password that includes your username or your own name
– keyboard pattern sequences like asdfglkjhg or qwertpoiuy
DO
– combine symbols, letters and numbers
– mix upper-case and lower-case letters
– use long passwords that nobody else could guess
– change the password promptly whenever there is reason to think it has leaked
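As an added example that is not part of the original post, here is a Python checker for the rules above: it reports every rule a candidate password breaks and, on request, draws a fresh password from the operating system's random generator until one passes all of them. The 14-character minimum and the personal details passed in are assumptions for illustration, not WordPress requirements.

```python
import re
import secrets
import string

# Keyboard rows used to detect runs such as "asdfg" or "qwert" in either direction.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 14  # assumption: our own policy minimum, not a WordPress rule


def has_keyboard_run(password: str, run: int = 4) -> bool:
    """True if `run` or more adjacent keyboard keys appear in order (forward or reversed)."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for candidate in (row, row[::-1]):
            for i in range(len(candidate) - run + 1):
                if candidate[i:i + run] in lowered:
                    return True
    return False


def password_problems(password: str, username: str = "",
                      personal: tuple = (), birthday: str = "") -> list:
    """Return every rule from the post that `password` breaks; an empty list means acceptable.

    `personal` holds the names the post warns about (pet, street, family, neighbour);
    `birthday` is any date string, only its digits are used.
    """
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    for word in personal:
        if len(word) >= 3 and word.lower() in lowered:
            problems.append(f"contains personal detail {word!r}")
    digits = re.sub(r"\D", "", birthday)
    # Full date, year-first and year-last chunks: "19900512", "1990", "0512".
    for chunk in {digits, digits[:4], digits[-4:]}:
        if len(chunk) >= 4 and chunk in password:
            problems.append("contains birthday digits")
            break
    if has_keyboard_run(password):
        problems.append("contains a keyboard pattern")
    classes = {
        "lower-case letters": any(c.islower() for c in password),
        "upper-case letters": any(c.isupper() for c in password),
        "digits": any(c.isdigit() for c in password),
        "symbols": any(c in string.punctuation for c in password),
    }
    problems += [f"no {name}" for name, present in classes.items() if not present]
    return problems


def generate_password(length: int = 20, **context) -> str:
    """Draw from the OS CSPRNG (secrets) until a candidate passes every rule above."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate, **context):
            return candidate


if __name__ == "__main__":
    # Made-up user details for the demonstration.
    print(password_problems("qwerty1990", username="admin", personal=("Rex",), birthday="1990-05-12"))
    print(generate_password(username="admin", personal=("Rex",), birthday="1990-05-12"))
```

Use a password manager to store the generated value; the point of the generator is that a 20-character random string is not something you are meant to remember.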
2. Update WordPress

WordPress 2.7 added one-click core updates from the dashboard, and since 3.7 minor releases (which carry most security fixes) install automatically in the background; major releases still wait for your click unless you enable automatic updates for them. Each new version fixes bugs, some of them security bugs that attackers start probing for as soon as the fix is public, so it is essential to upgrade as soon as you see the notification.
The update notification appears at the top of the dashboard, as shown in the picture above.
Warning: Before you update the WordPress core, check that the plugins you have installed are also updated to work with the newer version, or some features of your site that depend on those plugins may stop working. Take a backup (step 8) first so that you can roll back.
3. Update WordPress Plugins

Like the core, WordPress plugins should be updated as soon as an update is available. Do not hesitate here: plugin updates are not only about new features, they are how plugin authors ship fixes for security holes, and vulnerable plugins are one of the most common ways WordPress sites get compromised.
Once again, only install the plugins you are actually going to use. If a plugin is installed but not in use, delete it rather than just deactivating it: a deactivated plugin's files are still on disk and still reachable over the web, so a bug in them can still be exploited.
4. Use Robots.txt file

Well-behaved crawlers, including all the major search engines, honour the robots.txt file. It is a plain-text file you create in the root folder of your website (for example through cPanel's file manager) to tell crawlers which pages or folders they may or may not index.
In short, you control which parts or pages of your website are crawled and indexed by search engines.
Warning: robots.txt is a file for search engines, not for humans, and it is not a secret. Anyone can read your robots.txt file by visiting https://www.yoursite.com/robots.txt
You can check whether your site has a robots.txt file by following the same link pattern. You can access mine here.
As you may notice, a robots.txt file uses a few directives:
User-agent: the crawler the following rules apply to. * means all crawlers, so all of them are expected to follow the rules in this block.
Allow: a URL prefix that may be crawled and indexed.
Disallow: a URL prefix that must not be crawled.
/foldername: the folder you are allowing or disallowing; refer to the link above to see my site's robots.txt file.
You might wonder how a file meant for search engines helps against human attackers. Attackers routinely search for 'site:yoursite.com' to list every URL a search engine has indexed, and something you meant to keep private can turn up there; Disallow rules keep those pages out of the index. Be clear about the limit, though: robots.txt is a request, not access control. The file is public, it lists exactly the paths you consider sensitive, and an attacker or malicious crawler simply ignores it. Use it to keep pages out of search results, never to hide anything that must actually stay private; real protection comes from steps 5 and 7 below.
A typical robots.txt file for a WordPress site could look something like this (one directive per line):
User-agent: *
Allow: /wp-content/uploads/
Disallow: /cgi-bin/
Disallow: /feed/
Disallow: /trackback/
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /xmlrpc.php
Sitemap: https://www.laplacef.com/sitemap.xml
Note that blocking /wp-includes/ also stops crawlers from fetching the scripts and styles they need to render your pages, which is why WordPress's own default virtual robots.txt now only disallows /wp-admin/ (while allowing /wp-admin/admin-ajax.php).
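To see what the file above does and does not do, here is an added Python example (not code from the original post) that evaluates that robots.txt with the standard library's robotparser, first from the point of view of a rule-following crawler and then from the point of view of an attacker who simply reads the file. The site name is the one in the Sitemap line; the test paths are assumptions.

```python
from urllib.robotparser import RobotFileParser

# The robots.txt from the post, as a constructed string (one directive per line).
ROBOTS_TXT = """\
User-agent: *
Allow: /wp-content/uploads/
Disallow: /cgi-bin/
Disallow: /feed/
Disallow: /trackback/
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /xmlrpc.php
Sitemap: https://www.laplacef.com/sitemap.xml
"""
SITE = "https://www.laplacef.com"  # assumption: taken from the Sitemap line above


def crawler_view(robots_txt: str, paths: list, agent: str = "*") -> dict:
    """What a crawler that honours robots.txt may fetch, path by path."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return {path: bool(parser.can_fetch(agent, SITE + path)) for path in paths}


def attacker_view(robots_txt: str) -> list:
    """The paths the file itself advertises: a human reading it gets a ready-made target list.

    Nothing in robots.txt is enforced; an attacker ignores the rules and keeps the paths.
    """
    targets = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            targets.append(value.strip())
    return targets


if __name__ == "__main__":
    probes = ["/", "/wp-admin/", "/wp-content/uploads/photo.jpg", "/xmlrpc.php", "/wp-login.php"]
    for path, allowed in crawler_view(ROBOTS_TXT, probes).items():
        print(f"crawler  {path:32} {'may crawl' if allowed else 'must not crawl'}")
    print("attacker sees:", attacker_view(ROBOTS_TXT))
```

Two things the output makes visible: /wp-login.php is still crawlable because nothing in the file mentions it, and every Disallow line is handed to the attacker verbatim. In real use, replace ROBOTS_TXT with the body fetched from your own /robots.txt.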
5. Protect WordPress Administration Panel
WordPress Admin panel or WordPress Dashboard is where you control and manage your website. A simple and effective way to protect it is a second login in front of it using .htaccess and .htpasswd (password-protecting the directory with HTTP Basic authentication). Basic authentication sends the username and password with every request, only base64-encoded, so this only helps if your site is served over HTTPS; on plain HTTP the credentials can be read off the wire.
.htaccess is a text file that contains rules and configuration for the directory where it is placed; those rules are enforced in that directory and all its subdirectories (provided the server's AllowOverride setting permits it).
.htpasswd is a text file that contains plain-text usernames and hashed passwords, one user per line.
First create a .htpasswd file. For that you can visit either this site or this one; both generate the .htpasswd in the required format, and the latter also provides the directives to put in the .htaccess file. Bear in mind, though, that an online generator means typing your admin password into a third party's website. The safer route is Apache's own htpasswd tool on your machine or server, for example: htpasswd -B -c /home/mysite/.htpasswd yourname (-B selects bcrypt; -c creates the file, so leave it out when adding a second user). Keep the file outside the web root, as in this example, so it can never be served to visitors.
Then create a .htaccess file in the /wp-admin folder and paste the following into it.
The .htaccess directives should look something like this:
AuthName "My Protected Area"
AuthType Basic
AuthUserFile /home/mysite/.htpasswd
AuthGroupFile /dev/null
Require valid-user
Ensure that '/home/mysite/.htpasswd' is the real filesystem path of your .htpasswd file (a path, not a URL) or the protection will not work. Once everything is set up correctly, the next time you try to log in you will be prompted with a login box as shown below:
Warning: Make sure you create this .htaccess file in the /wp-admin folder and not in the root of your website, or every visitor will be asked for the password. I made that mistake myself and my visitors were asked to log in just to read the site. So be ultra careful while using this feature.
Update: If this protection causes errors or throws you out when you try to log in (WordPress's own rewrite rules can intercept Apache's 401 error page), add the line below to the .htaccess file in your wp-admin folder so that Apache serves its default 401 response:
ErrorDocument 401 default
If you use Ajax on the front end of the website, you also have to exempt admin-ajax.php, which WordPress calls for logged-out visitors too, by adding the following to the same .htaccess file in wp-admin:
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
The Order/Allow/Satisfy lines are Apache 2.2 syntax; on Apache 2.4 they only work with mod_access_compat loaded, and the native equivalent inside the Files block is Require all granted. Remember that this exemption means admin-ajax.php stays reachable without the extra password, which is what the front end needs, so keep the core and any plugins that register Ajax handlers up to date.
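As an added example that is not from the original post: if you would rather not paste your admin password into an online generator and have no htpasswd tool to hand, the following Python script creates .htpasswd entries locally in Apache's $apr1$ MD5 format (the format htpasswd -m writes) and can verify them. It implements the APR1 algorithm itself because the standard library has no bcrypt; where Apache's htpasswd tool is available, prefer htpasswd -B for bcrypt. The user name and password in it are made up.

```python
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """APR's base-64 variant: emit `count` characters, least significant 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_crypt(password: str, salt: str) -> str:
    """Apache's $apr1$ MD5 password scheme. `salt` is up to 8 ITOA64 characters.

    Returns "$apr1$<salt>$<22 chars>", the form stored in .htpasswd.
    """
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + MAGIC + sl)
    # An "alternate" digest of pw+salt+pw is mixed in, len(pw) bytes of it in total.
    alt = hashlib.md5(pw + sl + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(remaining, 16)])
    # One byte per bit of len(pw): a NUL for set bits, the first password byte otherwise.
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 rounds of re-hashing with a fixed mixing pattern, to slow brute force.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sl)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    f = final
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return f"$apr1${salt[:8]}${encoded}"


def htpasswd_line(user: str, password: str) -> str:
    """One line for the .htpasswd file, with a fresh random 8-character salt."""
    if ":" in user:
        raise ValueError("user names may not contain ':'")
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_crypt(password, salt)}"


def verify_htpasswd(line: str, user: str, password: str) -> bool:
    """Check a user/password pair against a stored line (constant-time comparison)."""
    name, _, stored = line.partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return secrets.compare_digest(stored, apr1_crypt(password, salt))


if __name__ == "__main__":
    # Made-up credentials for the demonstration; never commit real ones.
    print(htpasswd_line("myName", "myPassword"))
```

Append the printed line to /home/mysite/.htpasswd (the path named in AuthUserFile). Each call uses a new random salt, so two entries for the same password never look alike; MD5 is fast, which is why bcrypt is the better choice when the server supports it.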
6. Hide WordPress Version

I have already written a post showing how to hide your website's WordPress version. By default WordPress announces it in a generator meta tag on every page, in the RSS feed, in the ?ver= query strings on core scripts and styles, and in readme.html at the site root. Hiding it denies attackers an easy way to match your site against the list of known vulnerabilities for that version, but it is only obscurity; keeping WordPress updated (step 2) is what actually removes those vulnerabilities.
You can read how to remove the WordPress version here.
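An added example, not from the original post or the linked article: this Python script checks a page and a feed for the places WordPress prints its version, so you can confirm the hiding worked. The HTML and RSS snippets are constructed samples standing in for your site's home page and /feed/; the site name in them is made up.

```python
import re
from typing import Optional

# Constructed sample of a home page and a feed with nothing hidden (made-up site name).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel='stylesheet' href='https://www.example.com/wp-content/themes/twentytwenty/style.css?ver=6.4.2' />
<script src='https://www.example.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1'></script>
</head><body></body></html>"""
SAMPLE_FEED = """<?xml version="1.0"?><rss><channel>
<generator>https://wordpress.org/?v=6.4.2</generator></channel></rss>"""

GENERATOR_META = re.compile(
    r'<meta[^>]*name=["\']generator["\'][^>]*content=["\']WordPress ([\d.]+)', re.I)
# A core or theme asset with a ?ver= query string; the path stops at the '?'.
ASSET_VERSION = re.compile(r'(wp-(?:includes|content)/[^\s"\'>?]+)\?ver=([\d.]+)')


def version_leaks(html: str) -> list:
    """Every (source, version) pair a page discloses, meta tag first, then assets."""
    leaks = []
    meta = GENERATOR_META.search(html)
    if meta:
        leaks.append(("meta generator", meta.group(1)))
    for match in ASSET_VERSION.finditer(html):
        leaks.append((match.group(1), match.group(2)))
    return leaks


def feed_version(feed_xml: str) -> Optional[str]:
    """The version in the RSS <generator> element, or None if it is not present."""
    match = re.search(r'wordpress\.org/\?v=([\d.]+)', feed_xml)
    return match.group(1) if match else None


def is_version_hidden(html: str, feed_xml: str) -> bool:
    """True only when neither the page's generator tag nor the feed gives the version away.

    Asset ?ver= values are reported but not counted here: a library's own version
    (jQuery's, for instance) is not a WordPress version, so they need a human look.
    """
    has_meta = any(source == "meta generator" for source, _ in version_leaks(html))
    return not has_meta and feed_version(feed_xml) is None


if __name__ == "__main__":
    for source, version in version_leaks(SAMPLE_HTML):
        print(f"{source}: {version}")
    print("feed:", feed_version(SAMPLE_FEED))
    print("hidden:", is_version_hidden(SAMPLE_HTML, SAMPLE_FEED))
```

Against a live site, fetch / and /feed/ and pass the two bodies in; also request /readme.html and expect a 404. The usual fix in a theme's functions.php is remove_action('wp_head', 'wp_generator') for the meta tag, together with a the_generator filter returning an empty string for the feed, which is what the linked post walks through.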
7. Protect Your Wp-config.php and .htaccess

In your WordPress install you may have come across the wp-config.php file.
If not, let me warn you that this is the most important file in your WordPress configuration: it holds the database name, username and password, and the secret keys and salts that protect login cookies. One wrong character in this file could break your website and leave you frustrated, and anyone who can read it can read your database. It is one of the most sensitive files you have.
Nobody but you (and the web server) should have access to this file. Normally Apache hands it to PHP to execute rather than serving its source, but if PHP handling is ever misconfigured the raw file, credentials included, would be sent to whoever asks for it. So, especially on shared hosting, add the following to the .htaccess file in the web root to refuse all direct requests for it:
<Files wp-config.php>
order deny,allow
deny from all
</Files>
To protect the .htaccess files themselves from being fetched, add the block below to every .htaccess file you have in your different directories:
<Files .htaccess>
order deny,allow
deny from all
</Files>
These are Apache 2.2 directives; on Apache 2.4 the native form is Require all denied inside the Files block, and the old form needs mod_access_compat. Two things .htaccess cannot do: it does not stop other users on a shared server reading the file through the filesystem, so set wp-config.php to mode 0400 or 0440 (readable by the owner, or the owner and the web server group, only); and it does not help if a vulnerable plugin reads the file through a file-inclusion bug. WordPress also lets you move wp-config.php one directory above the web root, out of reach of any web request, and will find it there automatically.
8. Backup Your Website

Back up your WordPress website regularly. How often depends on how often you publish: if you post every day, back up every day; if you post once a week, back up once a week. A WordPress backup has two halves, the database (posts, pages, comments, users and settings) and the files (wp-content with your themes, plugins and uploads, plus wp-config.php), and you need both to restore a site.
Keep several copies in different places so that if one backup is lost you can use another: an external drive, your PC, Dropbox or Amazon S3. Remember that a backup contains wp-config.php and therefore your database password, so protect the copies as carefully as the live site (restrict who can read them, or encrypt them). A backup you have never restored is not proven to work, so test a restore now and then, not for the first time after a compromise.
Backing up WordPress by hand is a pain, but fortunately there are many plugins that do the job for you and can e-mail you the backup file. You can find such plugins here. Make sure the plugin is compatible with the version of WordPress you are using.
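As an added example (not code from the original post and not any particular backup plugin): this Python script archives a site directory, records a SHA-256 manifest beside it, and verifies a backup by restoring it into a scratch directory and checking every file against the manifest, which is the "test a restore" step above in automated form. The sample site it builds is constructed for the demonstration; the database half of the backup is not covered here (mysqldump handles that).

```python
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _file_hashes(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}


def backup_site(site_root: Path, dest_dir: Path) -> tuple:
    """Tar+gzip the site and write a manifest (archive hash plus per-file hashes) next to it."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = dest_dir / f"wordpress-{stamp}.tar.gz"
    manifest = dest_dir / f"wordpress-{stamp}.manifest.json"
    hashes = _file_hashes(site_root)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(site_root), arcname="site")
    manifest.write_text(json.dumps({"archive_sha256": sha256_of(archive), "files": hashes}, indent=2))
    return archive, manifest


def verify_backup(archive: Path, manifest: Path) -> bool:
    """Reject a corrupt archive, then restore to a scratch dir and compare every file."""
    expected = json.loads(manifest.read_text())
    if sha256_of(archive) != expected["archive_sha256"]:
        return False
    # Python 3.12+ (and backports) offer the "data" filter against path-traversal entries.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive)) as tar:
            tar.extractall(scratch, **extract_opts)
        return _file_hashes(Path(scratch) / "site") == expected["files"]


def demo() -> tuple:
    """Build a constructed sample site, back it up, verify, then corrupt the archive and re-verify."""
    with tempfile.TemporaryDirectory() as work:
        site = Path(work) / "public_html"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        # Constructed stand-ins for real site files; the credential is made up.
        (site / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'constructed-sample');")
        (site / "wp-content" / "uploads" / "photo.txt").write_text("sample upload")
        dest = Path(work) / "backups"
        dest.mkdir()
        archive, manifest = backup_site(site, dest)
        intact = verify_backup(archive, manifest)
        with archive.open("ab") as handle:  # simulate bit rot or a truncated transfer
            handle.write(b"\0")
        return intact, verify_backup(archive, manifest)


if __name__ == "__main__":
    print("intact backup verifies:", demo()[0], "| corrupted backup verifies:", demo()[1])
```

Store the manifest with each copy of the archive (external drive, S3 and so on) so that every copy can be checked where it lives. Because the archive contains wp-config.php, give the backup files the same restrictive permissions you give the live file.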
I hope this post helps you safeguard your WordPress website. Please also share which plugins and methods you use to secure WordPress sites.