
WordPress security vulnerabilities? Tips and plugins to remain safe from Hackers

February 9th, 2023

WordPress is one of the most popular Content Management Systems among website designers and developers. It offers many attractive features that make it very user friendly and search engine friendly. For hackers, however, getting past WordPress security is not especially hard; that said, it does not mean WordPress does not take security seriously. On the contrary, the main reason a new version comes out almost every 4-6 months is to close security-related loopholes.

As with any other software, though, some security risk is always involved, and it can only be countered with precautions. It is therefore vital to keep your site safe and secure. In this article we describe ways to tighten up the security of your WordPress-based site and protect it from common vulnerabilities with a little editing of the code and the use of powerful security plugins.

1: Always keep your WordPress version & plugins updated

When using WordPress as your CMS, it is imperative to update it whenever a new version is released, as every new version closes security gaps through which hackers could bypass your site's security. Updating the WordPress version takes only a matter of seconds.

The same applies to WordPress plugins. As soon as WordPress rolls out a new version, plugin authors start updating their plugins in line with the WordPress security fixes to ensure that they keep running smoothly. Therefore, always keep your WordPress plugins updated.

In addition, you can also use a plugin such as Automatic Updater to handle the update task.

2: Remove the default user name

By default, 'admin' is the username for every WordPress installation. That is easy for hackers to guess and use to gain access to your site. Therefore, change the default username to something that is hard for anyone else to guess but easy for you to remember.

To change the username, log in to your WordPress site and, in the dashboard's left-hand menu, click Users and select Add New. Enter a new username and assign it full administrative rights. Then log in again using the newly created username and delete the default 'admin' profile.

3: Remove the WordPress version from the site’s header

Anyone can find out which WordPress version your site is using. If it is an older version, hackers may strike hard from all sides, because outdated versions of WordPress are easier to attack than the latest one.

You can remove it in two ways: manually, or with a plugin like Secure WordPress, which can be downloaded from the WordPress plugin repository.

If you prefer to do it manually, add this small snippet to your theme's functions.php file.

    // WordPress prints its version through the 'the_generator' filter
    // (the <meta name="generator"> tag and feed generator lines).
    // Returning an empty string removes that output entirely.
    function nm_remove_wp_version() {
        return '';
    }
    add_filter('the_generator', 'nm_remove_wp_version');

4: Monitor server log files regularly

To ensure your site is untouched and safe from hackers, keep track of your server log files on a regular basis. Server log files record details about your site's visitors: who accessed the site, whether it was a human or a bot, at what time of day, and from which IP address. For this purpose you can also use a free tool named AWStats, which produces a complete log file analysis report.
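As an added example (not from the original post), here is a hand-rolled version of the kind of check a log review or an AWStats report supports, run over a few constructed Apache access-log lines: it counts, per client IP, the POST requests to wp-login.php and xmlrpc.php that did not end in the 302 redirect a successful WordPress login produces. The IP addresses and timestamps are made up.

```shell
#!/bin/sh
# Constructed sample of Apache "combined" access-log lines (not real traffic).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [09/Feb/2023:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Feb/2023:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Feb/2023:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Feb/2023:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Feb/2023:10:05:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Feb/2023:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [09/Feb/2023:10:06:00 +0000] "GET /?p=12 HTTP/1.1" 200 9831 "-" "Googlebot/2.1"
EOF

# Print "count ip" for every client that POSTed to wp-login.php or xmlrpc.php
# at least $2 times without getting a 302 back. A failed WordPress login
# re-renders the form with HTTP 200; a successful one redirects with 302,
# so a pile of 200s from one address is the pattern worth reviewing.
# Fields in the combined format: $1 = client IP, $6 = "METHOD, $7 = path, $9 = status.
login_bursts() {
    awk -v min="$2" '
        $6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") && $9 != "302" { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$1" | sort -rn
}

# On the sample this reports only 203.0.113.7 (four non-302 POSTs).
login_bursts "$SAMPLE_LOG" 3
```

Point the function at your real access log (and raise the threshold) to use it on a live server; the 302 heuristic only holds for the default wp-login.php flow.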

5: Keep track of WordPress access

To keep your site on the safer side, it is always a good idea to use login usernames and passwords that are hard to guess. Hackers can still attempt to break through every barrier to gain access to your site, so it is imperative to keep track of WordPress login activity. For this you can use the Login Security Solution plugin, available for free in the WordPress plugin repository.

This plugin can notify you or the administrator about attacks and breaches, and it also records the IP addresses of users who attempt to log in to your site, along with the usernames and passwords they try.

6: Change your login password regularly

If you use a simple password that is easy to remember, change it every 2-3 months. If you use a strong alphanumeric password, changing it once every 6-12 months is enough.

7: Keep an Eye on File Changes

To keep an eye on any file changes on your site, you can use CodeGuard, a plugin that acts like a time machine: it notifies you by email about changes made to files (if any) and keeps a backup of everything, so you can undo any change that you did not make yourself or are not aware of.

8: Restrict File Permission

Every file has three levels of access: read, write and execute. A user with all three levels of access can be regarded as having administrator powers. To make your site secure, restrict the file permissions so that any user other than you can only read (and, for folders, enter) them. This is easily done by setting the CHMOD value to 755 for folders and 644 for files. With these values, only the owner keeps write access, while everyone else has read access (plus execute access on folders, which is needed to traverse them).
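The following shell script, added here and not part of the original post, applies the 755/644 scheme to a directory tree and then checks that nothing deviates from it. It runs on a throw-away tree it constructs itself; to use it for real, call harden_perms with your site root as the file owner (or via sudo).

```shell
#!/bin/sh
# Set every directory to rwxr-xr-x (755) and every file to rw-r--r-- (644).
# find handles nested paths and dot-files such as .htaccess in one pass.
harden_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Count entries that deviate from the scheme; 0 means the tree is compliant.
# "-perm 755" without a leading "-" is an exact match on the mode bits.
perm_violations() {
    { find "$1" -type d ! -perm 755; find "$1" -type f ! -perm 644; } | wc -l | tr -d ' '
}

# Demonstration on a constructed throw-away tree, not a live site.
SITE=$(mktemp -d)
trap 'rm -rf "$SITE"' EXIT
mkdir -p "$SITE/wp-content/uploads"
printf '<?php\n' > "$SITE/wp-config.php"
printf 'Options -Indexes\n' > "$SITE/.htaccess"
chmod 777 "$SITE/wp-content/uploads"   # world-writable upload dir: the kind of mistake this fixes
chmod 666 "$SITE/wp-config.php"        # world-writable config file

BEFORE=$(perm_violations "$SITE")
harden_perms "$SITE"
AFTER=$(perm_violations "$SITE")
echo "violations before: $BEFORE, after: $AFTER"
```

Running perm_violations on its own makes a handy cron check: any non-zero count after hardening means something (a plugin, a deploy script, a compromise) has changed permissions again.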

9: Change Database Table Prefixes

By default, WordPress database tables use the prefix 'wp_', and every hacker knows that. To be on the safer side, it is better to change the prefix to something else. If you have already installed WordPress on your domain with the default values, you can change the table prefix with a plugin named Better WP Security.

10: Take Data Backup at Regular Intervals

Data backup is crucial and should always be high on your priority list, because only a backup of your database can take you back to where things were fine and help you recover from a successful hacking attempt. Take backups at regular intervals; if you back up manually, every 15 days to a month is a good interval.

For this purpose you can also use plugins that take a backup every day, for example UpdraftPlus – WordPress Backup and Restoration. This plugin lets you take backups manually as well as automatically and saves them to cloud storage such as Google Drive, Rackspace Cloud and Dropbox.

11: Update your Firewall and Antivirus Software

Just as you update your WordPress version regularly to keep your site secure, you need to do the same with your firewall and antivirus software, as these are what keep your computer clean and block or remove unwanted access and virus threats.

Use Plugins for Enhanced Security

To enhance the security of your WordPress-powered site, you can use a wide range of plugins that make it really tough for hackers to break through. Before installing any plugin from any source, however, check its credibility by verifying the number of downloads and reading reviews from experts.

Additionally, as an extra with this article, we have compiled a list of the top 10 WordPress security plugins that you can use without hesitation, as we have already verified their trustworthiness, and they are all compatible with WordPress version 3.6.1 or later.

  • 1: Akismet

    It is one of the most reliable and most widely used spam protection plugins, and is used by leading bloggers. It checks the comments left by website visitors, typically on a product, blog post or news story, for spam. To make this plugin work you need its API key, which is free for personal blogs but costs a little for commercial sites. It supports WordPress version 3.6.1.

    No. of Downloads so far: 16,965,121
    Average Rating: 4.1 stars out of 5

  • 2: 6Scan Security

    6Scan Security is a relatively new but popular plugin that costs $9.99 per month under its basic plan. It automatically protects a WordPress-powered site against attacks such as SQL injection, directory traversal, remote file inclusion, cross-site scripting and many more. Once it finds a vulnerability in your site, it fixes it quickly and automatically before hackers can exploit it. It also protects the site from brute-force password and dictionary attacks. This plugin is compatible up to WordPress version 3.6.1.

    No. of Downloads so far: 55,619
    Average Rating: 4.1 stars out of 5

  • 3: Stealth Login Page

    Want to keep remote bots from making login requests? Use the Stealth Login Page plugin and stay protected. It checks the login sequence used to access the site, and if it finds any discrepancy, it simply blocks that login request. Stealth Login Page is compatible up to WordPress version 3.6.1.

    No. of Downloads so far: 23,611
    Average Rating: 4.5 stars out of 5

  • 4: Wordfence Security

    Wordfence Security is another excellent plugin that keeps your site protected against virus attacks and unwanted access, as it comes with an integrated firewall and virus-scanning technology. It comes in two editions, Premium and Free. It also monitors real-time traffic with geolocation. Another great feature is that it can verify and repair the WordPress core files, along with theme and plugin files, even if you do not have a backup. The plugin can also be used with WordPress Multisite. So far it is compatible with WordPress version 3.6.1 and has received 5 star ratings from 580 users.

    No. of Downloads so far: 784,104
    Average Rating: 4.8 stars out of 5

  • 5: Bulletproof Security

    Hackers generally try to get past website security using multiple techniques, including cross-site scripting (XSS), remote file inclusion, CRLF injection, cross-site request forgery, Base64, code injection and SQL injection. With Bulletproof Security installed and active on your WordPress site, you need not worry about any of these hacking techniques.

    In addition, it protects your site's vital files such as wp-config.php, readme.html, bb-config.php, php.ini, install.php and php5.ini, and secures your .htaccess file with a single click. The Bulletproof Security plugin is compatible up to WordPress version 3.6.1 and has received 5 star ratings from 469 users.

    No. of Downloads so far: 821,585
    Average Rating: 4.8 stars out of 5

  • 6: Better WP Security

    Better WP Security is one of the most popular security plugins to date. Once installed on a WordPress site it takes complete control and helps you keep hackers away. With this single plugin you can rest assured that even a professional hacker will not find it easy to break into your website. First, it removes the meta generator tag and changes the URLs for WordPress login, admin and other access. The plugin is so popular that more than 1900 people have given it a 5 star rating. Better WP Security is compatible with WordPress version 3.6.1.

    No. of Downloads so far: 1,096,836
    Average Rating: 4.8 stars out of 5

  • 7: Acunetix Secure WordPress

    Acunetix Secure WordPress is a completely free tool/plugin that helps users keep their WordPress-based website secure. First, it takes a complete backup of the website, which comes in quite handy when recovering from a hacking attempt. Then it removes the WordPress version from everywhere except the WordPress admin area and applies various changes within the site to make it more secure than ever. Since its launch it has impressed 111 people, who have given it a 5 star rating. The Acunetix Secure WordPress plugin is compatible with WordPress version 3.6.1.

    No. of Downloads so far: 870,924
    Average Rating: 4 stars out of 5

  • 8: WangGuard

    First of all, WangGuard is an excellent plugin for enhancing the security of a WordPress site. Secondly, it is free for personal use, but if you need to secure a commercial site with WangGuard you will have to pay based on your daily number of queries. It lets users keep their site free from sploggers and spammers and stops them from filling up your database. So far it has received a 5 star rating 47 times. It is also compatible with WordPress version 3.6.1.

    No. of Downloads so far: 89,576
    Average Rating: 4.8 stars out of 5

  • 9: Sucuri Security

    Do you face frequent malware or spam attacks, or have you ever noticed something wrong with your site's security? Just start using the Sucuri Security plugin for your WordPress site and relax. Once installed, it checks for malware, spam injections, database connection issues, website errors and much more. With it you can easily scan your entire site with a single click from the dashboard. The best part is that it does not cost a penny. If you are using WordPress version 3.6.1, you can download this plugin without hesitation.

    No. of Downloads so far: 110,769
    Average Rating: 4.5 stars out of 5

  • 10: WordPress SEO by Yoast

    The .htaccess file plays an important role in overall site security, and WordPress SEO by Yoast is one of the few plugins that lets you edit that file without logging in to an FTP client. It comes with a built-in file editor with which you can also edit the robots.txt file quite easily. The plugin also helps you optimize your site for search engines. WordPress SEO by Yoast is compatible with the latest WordPress version, 3.6.1, and has been voted 5 stars more than 2600 times.

    No. of Downloads so far: 6,084,555
    Average Rating: 4.7 stars out of 5

We believe this blog post will prove a great resource for learning how to keep a WordPress-powered site secure and which plugins you can use to enhance its security. If it helps you in any way, do not forget to share it with your friends and on your social networks. To share your views or give us your feedback, please use the comment section below.
