Security has always been one of the most important indicators of a site's success. It determines the stability of your internet project, the safety of your data and how much your visitors trust you (no one wants to visit a dangerous site and pick up malware).
The good news is that any site on the WordPress platform starts out with a good level of security. This is largely the result of the constant work of the WordPress security team on the platform. As soon as a concrete threat is known, the WordPress admin panel offers to download an update that protects your site. It is a well-honed and reliable system.
So why write about WordPress site security at all? It is all about the human factor. Lack of experience in site administration, reckless installation of plugins, add-ons and themes from untrusted sources, and the use of poor hosting can all threaten the security of your site even on a proven and reliable platform like WordPress. Let's try to figure out how to protect your internet project from yourself.
Try to do nothing
If your site is hosted on a reputable server and receives the official updates from WordPress, you do not need to fear for its safety. An important piece of advice in this respect: do not try to fix something that already works well.
Most problems start when we try to improve, optimize and change things that we poorly understand. This article covers the main points that you should check on your own site. Reinventing the wheel often leads to problems: perhaps the first failure will have nothing to do with the security of the site, but in the end it all comes down to it.
Obvious discoveries for beginners
There are a number of site protection methods that are obvious to more experienced administrators. But if you are just starting to work with a personal website on WordPress, you should pay attention to the following important points:
- Choose a hosting with a good reputation and not for the cheapest price.
- Enable backups to save your website data (you can use helpful plugins for this purpose).
- Use strong passwords (with letters, numbers, upper and lower case and special characters).
- Always update WordPress when it offers to install a new version.
- Download and install one of the security plugins for WordPress.
- Protect your own computer with a good antivirus.
- Try not to touch the core files.
- Choose only trusted sources for downloading plugins, themes and extensions for WordPress, and never use pirated software.
Maintain the site files in order
If you do decide to keep such files on the server at any cost, you will need to protect them from being fetched over the web. This is done through an entry in the .htaccess file:
RewriteEngine On
RewriteRule ^filename\.ext$ - [F,L]
or, without mod_rewrite, with a single line:
RedirectMatch 403 /filename\.ext$
Instead of "filename" specify the name of the file you want to protect, and instead of ".ext" its extension (the backslash before the dot is needed because both directives take regular expressions). Put the .htaccess file in the directory that contains the file, usually the root directory on the server. Note that in .htaccess a RewriteRule pattern is matched against the path relative to that directory, so it must not start with a slash, and the flags are written as [F,L] without a space.
If you did everything correctly, a request for the protected file will be answered by the server with a 403 (Forbidden) status page.
A common mistake many people make today is a careless attitude towards untrusted networks. When you connect to an unknown Wi-Fi network in a supermarket or café, you should be very careful with your personal data. You never know how secure a network you see for the first time is, so do not rely on luck in such cases.
Avoid entering passwords, billing information and other important data over an unverified internet connection. Such networks are sometimes set up specifically for credential theft and account hijacking. Not only your social network accounts can become victims, but also more important assets: for example, your own WordPress site or your bank account.
SFTP, SSL and HTTPS
SFTP (SSH File Transfer Protocol) differs from plain FTP in that all the data you exchange with the server is encrypted. With old FTP you are not protected from intruders, since your password and your files travel in plain text and can be read by anyone on the path between you and the server, including on the public Wi-Fi networks described above. SFTP encrypts the whole session, so an attacker who captures the traffic gets nothing usable; it is far easier for them to go after those who are still using plain FTP.
Encryption is just as necessary between the site and its visitors. Enable HTTPS and give your users' data proper protection: HTTPS encrypts everything visitors send to and receive from your site, whereas plain HTTP sends it in the clear. To switch to HTTPS you will need to install a valid TLS certificate (still commonly called an SSL certificate) and serve all pages of the site over it, not just the login page.
To move to SFTP and HTTPS you will need to contact your hosting support team and ask whether they are supported. Of course, the ideal option is to start work on the site with encrypted protocols from the beginning, which saves you the migration later.
How to protect the Login Page
The login page is the first target for hackers: brute-force attacks on passwords are carried out against this page of your site. But there are some simple ways to protect the login page so that no one except the site's administrators can reach it:
- Install a plugin that restricts access to the login page.
- Enable two-step authentication using a mobile phone.
- Put HTTP authentication (an extra server-level password) in front of it.
- Create a whitelist of IP addresses that are allowed to see the login page.
To create the IP whitelist, add the following to your .htaccess file:
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 192.168.0.1
</Files>
Instead of "192.168.0.1" enter your own public IP address (the address your provider assigns you, not the address of your computer on the home network); if your address changes, you will lock yourself out and will have to edit the file over SFTP. The <Files> wrapper is essential: without it the rules apply to the whole directory and the entire site becomes inaccessible. On Apache 2.4 the three Order/Deny/Allow lines can be replaced by a single "Require ip 192.168.0.1" inside the same block. Place the .htaccess file in the root folder on the server, next to wp-login.php.
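Brute-force attempts on the login page are also easy to spot in the web server's access log, because a wrong password makes wp-login.php re-render the form with HTTP 200 while a successful login answers with a 302 redirect to wp-admin. The script below is an added example, not code from the original article: it reads lines in the Apache/nginx "combined" log format and flags any client that crosses an assumed threshold of failed login POSTs within a sliding time window. The log lines and the threshold values are constructed for the demo.

```python
"""Detect password guessing against wp-login.php in a combined-format access log.

Added example, not code from the original article. The log lines at the bottom
are constructed for the demo, and MAX_FAILURES / WINDOW_SECONDS are assumptions
to be tuned to the real traffic of the site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

MAX_FAILURES = 10      # assumed threshold: more than this many failures ...
WINDOW_SECONDS = 60    # ... within this many seconds marks a brute-force source

# ip ident user [timestamp] "METHOD path protocol" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def is_failed_login(rec):
    """A wrong password re-renders the form with 200; a successful login
    redirects with 302. So a POST to wp-login.php that does not redirect
    is a failed attempt."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-login.php")
            and rec["status"] != 302)


def find_bruteforce(lines, max_failures=MAX_FAILURES, window_seconds=WINDOW_SECONDS):
    """Return {ip: timestamp} of the moment each offending client crossed the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()          # forget failures older than the window
        if len(window) > max_failures and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


# Constructed sample: a real user who mistypes once and then logs in,
# followed by an automated client guessing a password every two seconds.
SAMPLE_LOG = [
    '198.51.100.5 - - [10/Mar/2024:09:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [10/Mar/2024:09:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4201 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [10/Mar/2024:09:00:21 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [10/Mar/2024:09:01:{sec:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4201 "-" "python-requests/2.31"'
    for sec in range(0, 30, 2)
]

if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}; candidate for blocking")
```

In the sample, 198.51.100.5 is never flagged (one failure, then a redirect), while 203.0.113.7 is flagged on its eleventh failure at 09:01:20. The same counting does not work for xmlrpc.php, which always answers 200, so if XML-RPC is enabled it needs a separate rule (or should simply be disabled).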
How to protect wp-config.php
The wp-config.php file is the key to the security of your site: it holds the database credentials and the secret keys. If attackers gain access to this file, they will be able to do whatever they want with your site. For this reason a good web host always protects your wp-config.php file. If you do not trust your hosting 100% and want to apply additional protection, add the following entry to the .htaccess file:
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
Remember that the .htaccess and wp-config.php files must be together in the root folder on the server; otherwise the method described above will not work. As with the login page, the rules must stay inside the <Files> block, or they will deny access to everything. Normally PHP executes wp-config.php rather than serving it, so this rule is a safety net for the case where the PHP handler is misconfigured and the file would otherwise be sent to the browser as plain text.
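Both .htaccess snippets on this page (the one in front of wp-login.php and the one protecting wp-config.php) share the same failure mode: a "Deny from all" or "Require all denied" that is not wrapped in a <Files> container applies to the whole directory and takes the entire site offline, and an Order directive written with a space ("Order Deny, Allow") is a syntax error that makes Apache answer every request with a 500. The checker below is an added example, not code from the original article; it parses an .htaccess line by line, tracks the open <Files>/<FilesMatch> containers, and reports both mistakes. The two sample files are constructed for the demo.

```python
"""Lint an .htaccess for the two mistakes that take a WordPress site offline.

Added example, not code from the original article. The sample files below are
constructed for the demo.
"""
import re

OPEN_RE = re.compile(r'^<(Files|FilesMatch)\s+"?([^">]+?)"?\s*>$', re.IGNORECASE)
CLOSE_RE = re.compile(r'^</(Files|FilesMatch)\s*>$', re.IGNORECASE)
DENY_RE = re.compile(r'^(Deny\s+from\s+all|Require\s+all\s+denied)$', re.IGNORECASE)
ORDER_RE = re.compile(r'^Order\s+(.+)$', re.IGNORECASE)


def lint_htaccess(text):
    """Return a list of (line_number, message) findings; an empty list means clean."""
    findings = []
    scope = []                       # names of the <Files> containers currently open
    lines = text.splitlines()
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_RE.match(line)
        if opened:
            scope.append(opened.group(2))
            continue
        if CLOSE_RE.match(line):
            if scope:
                scope.pop()
            else:
                findings.append((n, "closing tag without an open <Files> container"))
            continue
        if DENY_RE.match(line) and not scope:
            findings.append((n, "deny rule outside <Files>/<FilesMatch>: "
                                "it applies to the whole directory, i.e. the whole site"))
        order = ORDER_RE.match(line)
        if order and " " in order.group(1).strip():
            findings.append((n, "Order takes one comma-separated argument with no spaces, "
                                "e.g. Order Deny,Allow"))
    if scope:
        findings.append((len(lines), f"<Files {scope[-1]}> is never closed"))
    return findings


# Constructed: the unscoped form, which locks out every visitor (and the
# misspelt Order, which makes Apache return 500 for every request instead).
BAD_HTACCESS = """\
Order Deny, Allow
Deny from all
Allow from 203.0.113.10
"""

# Constructed: the same intent, correctly scoped to the two sensitive files.
GOOD_HTACCESS = """\
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
</Files>
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
"""

if __name__ == "__main__":
    for name, text in (("bad", BAD_HTACCESS), ("good", GOOD_HTACCESS)):
        print(name, lint_htaccess(text) or "clean")
```

Run it against the .htaccess before uploading it; an empty result does not prove the file is right, but a non-empty one tells you exactly which line would have locked you (and everyone else) out.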
Lock the file editing
WordPress allows users with the administrator role to edit theme and plugin files directly from the admin panel. If you want to close this loophole and block file editing through the admin panel, add one line to the wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
The theme and plugin editors disappear from the menu, and an attacker who obtains an administrator account can no longer turn the site into a PHP shell with one click. Note that this does not stop uploading new plugins or themes; if you want to block that as well, WordPress offers the separate constant DISALLOW_FILE_MODS, which also disables installs and updates from the admin panel, so you will then have to apply updates another way.
An important principle you must understand: there is no way to protect your site once and for all. Hackers are constantly coming up with new ways to gain access to other people's data, so the struggle will continue as long as the internet is online. All the techniques above are designed to minimize your chances of becoming the victim of an attack, but they cannot protect you 100%. There is no reason to panic, though: the WordPress team is constantly working on the improvement of the platform and quickly helps its users.
The job of the owner and the site administrator is to keep WordPress updated and to watch for suspicious activity on the site. Remember that any protection starts with you. If you follow the rules above, the chance of your site being broken into will be kept to a minimum. If you fail to comply with one or more of these principles, you will very probably pay for your carelessness.
We wish you luck and patience in developing your site. And may hackers bypass your site!