WordPress Hardening: 18 Ways to Harden Security of Your Website


December 23, 2020

There are systems that are hard to hack into, but more often than not, websites get hacked because they are vulnerable, and they don't have basic security in place.

In this article, we are going to talk about how to harden your WordPress site.

TL;DR: Secure your website with MalCare, an all-in-one security suite for WordPress. With MalCare, you can also harden WordPress security in 1-click.
Before you begin

We've organised the list by ease of implementation, so you can start at the top and work your way down the list. We recommend that you start by installing MalCare, and using the Site Hardening option there. That's a huge step in the right direction, and then you can come back here for more measures.

Pro tip: We always recommend you back up your website before making any changes, even security ones. Better safe than sorry!

5 EASY ways to harden your WordPress security

Let's start this list with some low-hanging fruit. Get these basic settings out of the way, and we'll all feel good about making progress with hardening WordPress.

Set strong passwords

Passwords are perhaps the lowest hanging of all low-hanging fruit. That's probably why they're just as often ignored. And that's why they're at the top of a "how to harden your WordPress site" list. Passwords are hard to remember, and yes, some of the best practices are tiresome: no duplicate passwords; no easy passwords; a mix of letters, numbers and symbols; the list is truly daunting, especially when you stop to count how many services you use.

We sympathise, and so we suggest using a password manager, like LastPass. Use an automatically-generated string of numbers, letters and symbols to keep your account safe. Even though the odds are small, brute force attacks now use dictionary attacks to guess at passwords.

Require the use of strong passwords

Continuing with our theme of strong passwords, this needs to be the next item on your to-do list.

When you have multiple users handling your website, you need to ensure every user maintains a strong password and also changes it regularly. Now, this may be easier on a small scale, but when it comes to a bigger team, it would be better to have software that will automate this for you. WordPress by default will alert you if you choose a weak password (screenshot not reproduced). However, you can choose to override it by checking 'Confirm use of weak password'. By doing so, you are leaving your website vulnerable to attacks.
To force the users to update their passwords, there used to be plugins like Expire Passwords. It would allow you to set a maximum number of days before the password expires. However, most of these plugins have not been updated for a long time, so we wouldn't recommend using them.

Implement least privilege permissions

There are 6 pre-defined roles you can have on a WordPress website: Super Admin, Administrator, Editor, Author, Contributor and Subscriber. Each role has a set of permissions, and can therefore perform some tasks. These tasks are called capabilities. The full list of roles and capabilities is here.

Note: For a single website the Administrator role is the most powerful, whereas for a multisite it is the Super Admin role.

If you have a single website, you only need a limited number of administrators. In fact, the rule of thumb here is to have as few administrators as you can possibly manage with. The reasoning is straightforward: you are reducing the risk of hackers stealing admin credentials.

Install SSL

SSL is a way to transmit data securely from user to server, and back again, over an encrypted connection.

Quite apart from the fact that it is a good security practice, Google requires that websites have SSL. It tends to penalise websites by showing "Not secure" in the browser, instead of the pleasant green lock that indicates a website runs on HTTPS instead of HTTP.

It used to be quite complicated to install an SSL certificate, but not anymore. We have a complete guide to installing SSL, and another to make sure that all your pages are HTTPS as well.

Set up a WordPress security plugin

All the other entries in our list up to this point are manual additions you make to your website. Rest assured, they are the easy ones that don't require too much configuration, or installation of plugins.

The rest of this list isn't quite as straightforward. Many of the measures are included in MalCare's Site Hardening feature. You will save a considerable amount of time by installing the plugin and using our dashboard to set up the measures. Try it now.
6 MEDIUM measures to harden WordPress

Each of the WordPress hardening measures we have included in this section involves the installation of a plugin. We do not recommend installing plugins lightly, as they often contain vulnerabilities, and become the entry points to infection. Please use discretion when choosing a plugin to carry out the following security measures.

2-factor authentication

One of the most common ways hackers break into websites is through the login page. They use a technique called brute force attacks, wherein they use bots to guess the login credentials of a website. Another way hackers can get in is if your data was leaked from another website. Hackers are aware that many people use the same username and password for multiple accounts across the internet, and hence, it becomes easier to play the guessing game!

To protect yourself, you can add two-factor verification for every user, whether they are Super Admin, Administrator, Editor, Author, Contributor, or Subscriber.

Many websites, Gmail for example, give users the option of 2-step verification to log in to their accounts. This requires a user to provide their login details first, and then enter a password that is generated in real time (usually a one-time password sent to the registered phone number). It makes your account harder for hackers to crack, or for them to gain access to your WordPress dashboard.

Limit login attempts

There's a reason why websites, especially banks, give users only three attempts to get their username and password right. After that, you're given the option of 'Forgot password' or even get locked out of your account. Shown on the login screen when the user has attempted to log in with wrong credentials is a warning like the one in the image below (screenshot not reproduced). This is essentially to eliminate brute force attacks and reduce the success of hackers and fraudsters.

By default, WordPress allows an unlimited number of login attempts. Enabling limited login attempts on your website increases its security and ensures hackers can't try thousands of combinations to get in. There are three ways in which you can limit login attempts on your website.
1. You can install a plugin like Limit Login Attempts Reloaded.
2. If you already have the MalCare security plugin active on your website, you automatically have limited login protection against failed attempts. The plugin implements captcha-based protection that will prevent bad bots from accessing your site.
3. By manually inserting code in the functions.php file. You need to add a WordPress action and a hook filter with a corresponding callback function. This method is technical and risky. If you aren't savvy with coding, it's best not to attempt this.

You'll find the code for the third option and a more detailed explanation in our article about limiting login attempts.

Keep an audit log

This may not be a WordPress hardening measure per se, but it is an absolute must-have security measure.

Simply install a plugin like WP Security Audit Log which will track everything that happens on your website. In this way, you will know exactly what your users are doing and when. You can then monitor what's happening on your website and hold users accountable for their actions.

The plugin will keep track of everything: logins, logouts, changes made, creations, modifications, deletions, additions, updates, etc. If you are hacked, you can refer to the activity log to identify any suspicious activity or changes made.

You can get instant notifications if there have been any critical changes made to your website. You can also log off or block any user with just a click.

Auto logout inactive users

This feature is seen primarily with bank websites and apps that log you out after a period of inactivity. This is to protect your account from any unauthorized access.

To set this up, you can use a plugin that has an idle session logout feature.

Set up alerts for suspicious WordPress logins

Hackers are constantly finding ways to bypass security features, and thus it behoves us to be vigilant. It's advisable to set up alerts on your website to be notified of any suspicious activity as and when it happens.

To do this you need to use a security plugin like MalCare. It constantly scans your site and alerts you if it detects any malware or anything suspicious.
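The manual third option under "Limit login attempts" (an action plus an authenticate filter with callbacks), combined with the lockout alert idea from "Set up alerts for suspicious WordPress logins", written out as an added example; this is not code from the article or from MalCare. It assumes PHP sees the visitor's address in REMOTE_ADDR (no reverse proxy), and the LL_ constants, thresholds and function names are this example's own choices.

```php
<?php
/*
 * Plugin Name: Login limiter with lockout alerts (added example, not MalCare code)
 * Save as wp-content/mu-plugins/login-limiter.php, or paste the body into the
 * active theme's functions.php. State is kept in WordPress transients, so no
 * extra database table is needed.
 * Assumption: the site is not behind a reverse proxy, so REMOTE_ADDR is the
 * visitor's real address.
 */

define( 'LL_MAX_ATTEMPTS', 5 );                 // failures allowed per window
define( 'LL_WINDOW', 15 * MINUTE_IN_SECONDS );  // counting window and lockout length

function ll_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

// One counter per client address; hashing keeps the transient name short.
function ll_counter_key() {
    return 'll_fail_' . md5( ll_client_ip() );
}

// Every failed login (wp-login.php and XML-RPC alike) bumps the counter.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = ll_counter_key();
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, LL_WINDOW );

    // Alert the site owner the moment a client crosses the limit, once per lockout.
    if ( LL_MAX_ATTEMPTS === $attempts ) {
        wp_mail(
            get_option( 'admin_email' ),
            sprintf( '[%s] Login lockout triggered', get_bloginfo( 'name' ) ),
            sprintf(
                "%d failed logins from %s within %d minutes (last username tried: %s).",
                $attempts,
                ll_client_ip(),
                LL_WINDOW / MINUTE_IN_SECONDS,
                sanitize_user( $username )
            )
        );
    }
} );

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so a locked-out client is refused even if the password is correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( ll_counter_key() ) >= LL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', LL_WINDOW / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( ll_counter_key() );
} );
```

Because the refusal is itself a failed login, each attempt during a lockout extends it by another window, so the counter only resets after the client stays quiet or logs in successfully.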
Set up a web application firewall

A web application firewall will block hackers even before they visit your website. They do this by tracking IP addresses, a numerical identifier assigned to every device that's connected to the internet. If the IP has carried out malicious activities before, it will be marked and blocked from coming to your site.

Set up a firewall using a security plugin, and rest assured you have the best protection possible for your website.

7 COMPLEX WordPress hardening methods

Now we come to the real scrappy stuff to harden WordPress. The following measures need some coding or development experience, otherwise mistakes can cause site crashes and breakdowns.

Proceed with these hardening methods with some caution, and if you haven't already done so, please back up your website.

Block PHP execution in untrusted folders

This is a bit technical but let's try to simplify it as much as possible.

First, you need to know PHP is a scripting language that is used in web development. A PHP function is a block of code written in a program that can be executed to perform a certain task. Next, your WP website is made up of files and folders. However, only certain files and folders use PHP functions. Once a hacker gains access to your website, they can create their own folders, or they can insert their PHP functions into your existing ones.

To prevent such a hack, you can block the execution of PHP functions from any unknown folder. And you can also disable PHP execution in places where it doesn't need to happen.

For this, follow these steps:

Caution: Meddling with the backend files and database tables of WordPress is risky business and can cause your site to break. It requires technical knowledge. If you don't know what you're doing, it's best to get professional help.

1. Access your website's files via cPanel > File Manager. If you don't have access to cPanel, you can use an FTP client like FileZilla. You'll need your FTP credentials to access your files.
2. Go to public_html and you'll see three folders called wp-includes, wp-admin, and wp-content.
3. Next, look for the .htaccess file. If it doesn't exist, you can create one by opening a text editor like Notepad and saving it as .htaccess.
4. You need to paste the following code in your .htaccess file.
    # Goes in wp-includes/.htaccess and wp-content/uploads/.htaccess (step 5),
    # not in the site root, where it would block WordPress itself.
    # On Apache 2.4 without mod_access_compat, use "Require all denied" instead.
    <Files *.php>
    deny from all
    </Files>

5. If you're creating a new file, you need to upload it to two folders: wp-includes and wp-content/uploads.

This restricts access at the web server level and prevents any PHP file from running in these directories. If this is all too technical, security plugins like MalCare automate this for you.

Disable file editor

If a hacker gets access to a WordPress Administrator account, they can take full control of your website. From the dashboard, they can edit the code of your theme and plugins through the "Editor" option. They can also upload their own scripts to display their content, deface your site, spam your users, etc. The most common hacks that occur through these editors include SQL injections, SEO spam hacks and Japanese SEO spam.

To find the editor, go to Appearance > Editor, and Plugins > Plugin Editor.

To disable the editor, you need to access your wp-config file. The same way we accessed the website's files using File Manager or FTP can be used here as well.

The next part requires technical coding knowledge and comes with potential risk of breaking your site if not done correctly. If you don't know what you're doing, it's best not to attempt it even though it seems so easy. We recommend using the 'Disable file editor' feature in MalCare.

If you wish to carry on with the manual method, we've detailed the steps you need to carry out.

1. In your File Manager, find your wp-config file and right-click to get the Edit option.
2. Here, you will see more information about it and you can select Disable Encoding Check. Then proceed to Edit.
3. Now, it opens up your wp-config file and leaves you wondering what to do next! Don't stress. Scroll down and find the line:

    /* That's all, stop editing! Happy publishing. */

4. Above this, paste the following code:

    define( 'DISALLOW_FILE_EDIT', true );

5. Save changes and close the editor.
6. Return to your dashboard and you'll see that you no longer get the editor option.

Note: If you do not have access to cPanel, you can download your wp-config file via FTP. Open it in any text editor and add the line of code. Upload it back to the website the same way you downloaded it. You can overwrite the old file.
Change security keys

To log in easily, WordPress stores your credentials so you don't have to enter them every time you want to log in. But what's important here is that they are stored in an encrypted form. If the data is stored in plain text, when a hacker gets hold of the data, they can just read it. If the data is encrypted, it will look like random text that they cannot use.

To encrypt the data, WordPress has to use something known as security keys and salts. In simple terms, keys are random variables that encode your admin username and password, and salts basically take the encryption one step further.

If hackers are able to get their hands on your security keys and salts, they can decipher the encrypted data and hack into your account.

It's recommended to replace your old keys and salts from time to time. To get a fresh set of keys and salts you can use this link: Secret Key. You will get a page listing the new values (screenshot not reproduced).

Now, using the same method as above, access your files and copy-paste the values that are generated into your wp-config file.

Here too, since it requires altering the code, we caution WordPress website owners not to attempt it if they are not tech-savvy. It's best to use a security plugin that will handle this for you.

Disallow plugin installations

There are occasions when a user or a client might install a plugin without checking its compatibility or credibility as thoroughly as you would. This can lead to a number of problems on your website, so it is best to remove their ability to do so altogether.

You can disable plugin and theme updates and installations in two ways:

1. By adding a line of code to your wp-config.php file. Following the same method as detailed in the previous section, you need to add the following line:

    define( 'DISALLOW_FILE_MODS', true );

Please note: bear in mind that to update themes and plugins, and to install new ones, you will need to go back and delete this line of code.

2. Using a security plugin. The easiest way to enable and disable this function is by using a plugin. If you're using MalCare, you simply need to click a button to enable it and thereafter disable it.

This is an extreme measure but a necessary one in cases where you have many users handling your site, or in the event you would like to limit your client from installing plugins unnecessarily.
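Rotating the keys and salts from "Change security keys" above can be scripted instead of pasted by hand. The following is an added example, not code from the article, WordPress or MalCare: the eight constant names are the real ones WordPress reads from wp-config.php, while the script, its CSPRNG-based generator (used in place of the Secret Key web page) and the marker-line handling are this example's own.

```php
<?php
/*
 * Rotate the WordPress security keys and salts in wp-config.php.
 * Added example; not WordPress's or MalCare's own tooling.
 * Usage from a shell on the server:  php rotate-salts.php /path/to/wp-config.php
 * Values are generated locally with a CSPRNG, a .bak copy is written first,
 * and every user is signed out as a side effect, because their cookies were
 * signed with the old keys.
 */

// The eight constants WordPress reads from wp-config.php.
const WP_SALT_NAMES = array(
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
);

// 64 random printable characters, excluding quote and backslash so the
// value can sit inside a single-quoted PHP string without escaping.
function wp_salt_value( $length = 64 ) {
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
           . '!@#$%^&*()-_=+[]{}<>?,.:;|~';
    $out = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $out .= $chars[ random_int( 0, strlen( $chars ) - 1 ) ];
    }
    return $out;
}

// Returns the config text with each define('NAME', ...) line replaced by a
// fresh value; a missing define is inserted above the "stop editing" marker.
function rotate_salts( $config ) {
    $marker = "/* That's all, stop editing! Happy publishing. */";
    foreach ( WP_SALT_NAMES as $name ) {
        $line    = sprintf( "define( '%s', '%s' );", $name, wp_salt_value() );
        $pattern = '/^[ \t]*define\(\s*[\'"]' . $name . '[\'"]\s*,.*?\);[ \t]*\r?$/m';
        if ( preg_match( $pattern, $config ) ) {
            // Callback form so a '$' in the new value is never read as a backreference.
            $config = preg_replace_callback( $pattern, function () use ( $line ) {
                return $line;
            }, $config, 1 );
        } elseif ( strpos( $config, $marker ) !== false ) {
            $config = str_replace( $marker, $line . "\n" . $marker, $config );
        } else {
            $config .= "\n" . $line . "\n";
        }
    }
    return $config;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $path    = $argv[1];
    $current = file_get_contents( $path );
    if ( $current === false ) {
        fwrite( STDERR, "Cannot read $path\n" );
        exit( 1 );
    }
    file_put_contents( $path . '.bak', $current );   // keep the old keys recoverable
    file_put_contents( $path, rotate_salts( $current ) );
    echo 'Rotated ' . count( WP_SALT_NAMES ) . " keys and salts in $path (backup: $path.bak)\n";
}
```

Run it as the same user that owns wp-config.php so the file mode is preserved, and delete the .bak copy once you have confirmed you can log in again.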
Secure your wp-config.php file

One of the more critical files in your WordPress installation, wp-config.php is a prime target for hackers. Apart from containing the database access credentials for your website, wp-config is responsible for making a WordPress website function.

You can do two things here, in addition to disabling file editing, changing security keys and disallowing plugin installation.

Hide wp-config.php

The first is to move the wp-config.php file one level up. This is not a safety move as such, but more to make it harder for malware to find the file. Moving the file doesn't make it impenetrable though, so set expectations accordingly.

Note: There is no consensus amongst developers about whether or not moving the file is a good idea. In some instances, such as the Contact Form 7 vulnerability, this measure may be altogether ineffective. However, we like to err on the side of let's-make-it-as-hard-to-be-hacked-as-possible.

Deny access to wp-config.php

Denying access is a much more concrete measure, and if you do this, you won't have to move the file at all. Go to your .htaccess file and add the following code, right at the top:

    # Blocks web requests for wp-config.php only; PHP still reads it from disk.
    # On Apache 2.4 without mod_access_compat, use "Require all denied" instead.
    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>

There are a few things you can do to protect your wp-config.php file. This article has a checklist for all of them that you can pull off in one session.

Separating out databases

If you run more than one website with separate installations of WordPress, it is wise to keep the databases distinct from each other, and stored in different locations. Therefore if hackers gain access to one website, your other websites will remain unharmed, at least theoretically, because much depends on the security of the other websites themselves.

Although this is best accomplished during installation, it can be done later and it is worth the effort. However, this does require some familiarity with MySQL and its configuration.

Securing wp-admin

To take login security to the next level, which you totally should, you can force logins to be transmitted over SSL. Make sure you've installed SSL and addressed any mixed content issues.
Then navigate to the wp-config.php file that you are comfortable with by now, and add this code:

    define( 'FORCE_SSL_ADMIN', true );

We know this is a super simple step, but there is a reason why it is included here in the complex section. Plugins don't always play nice with SSL, and sometimes SSL can be configured in unusual ways. For a full explanation of how this works and what to watch out for, check out this article.

Using a WordPress security plugin

To do much of what we have suggested above easily and quickly, install MalCare.

Good WordPress security plugins combine the website hardening measures you need to implement on your website, along with a web application firewall, bot protection and scanner. So now, you don't have to worry about spending a lot of time figuring out the technical aspects of it.

However, not all plugins offer the same convenience and benefits. There are quite a few plugins out there, but we recommend MalCare simply because it gets the job done quickly and easily in just a few clicks.

Once you install the plugin, your website is already secured. Here's how:

- Scans your website regularly and checks for any suspicious activity
- Proactive firewall that blocks malicious traffic from visiting your site
- Real-time notifications for any malware present on your website
- 1-click malware cleanup

Quite apart from all of these features, there are different levels of website hardening you can implement on your website. These measures are optional because not all website owners will want to execute these security measures on their website. You can choose what to do according to your needs.

The three levels of website hardening you can implement are:

Essentials

This enables you to block PHP execution in untrusted folders. You can also disable file editing. As we discussed earlier, this is a step you absolutely should take.

Under normal circumstances, you wouldn't actually meddle with the files and folders of WordPress. You would only operate your website from the wp-admin dashboard. You also don't need to edit anything in the file editor of themes and plugins. Disabling them closes some of the doors hackers can use to attack your site.
Advanced

You can block plugin and theme installations, which means no one can install new ones on your website. This measure is a bit extreme and should be taken only if you suspect a hack or you have too many people working on the website. If you want to install a new plugin or theme, you will need to disable this from the MalCare dashboard.

Paranoid

Here, you can change security keys and reset the passwords for all users. Often WordPress websites are operated by a team of people, with each person having their own login. This increases the opportunities for hackers to guess credentials and access your site.

It's important to change all security keys and passwords at regular intervals. If you have a large team, this helps automate the process and make it faster.

In case you're recovering from a hack, this is an essential step to take to ensure you don't get hacked again.

Apart from this, you benefit from the following WordPress security features on your website:

- Limited login attempts
- CAPTCHA-based login
- Alerts for unauthorized access
- An activity log that shows file modifications/updates on your site
- Analysis of every IP request to protect you from hacks like brute force attacks
- Prevention of common WordPress security threats like SQL injection attacks, SEO spam, and your website being used in DDoS attacks

A full-featured WordPress security plugin is more than the sum of its parts. Even though these measures are effective protection against threats on their own, when used together they erect a formidable barrier against malicious activities. Install MalCare now, and rest easy in the knowledge that you have done the utmost to protect your website.

For extra credit

The following tips don't fall into the category of WordPress hardening, but they are still best practices for the security-conscious website administrator. We highly recommend carrying out these measures once you've finished with the list above.

Back up your website

The decidedly unexciting entry on this list: backups. We know; we develop the best-in-class backup plugin for WordPress.
The importance of a good backup is best illustrated by a bad scenario. Imagine you have spent months and years building your website. It has customers, engaging content, generates revenue with ads, and has a reputation. And poof, one day that vanishes. It could be a malware infection or a server failure with your web host; any one of a million reasons. Imagine. What would you give to have a backup under those circumstances?

Backups are vital. That is just common sense.

Keep your computer clean of malware

It is sometimes the obvious things that trip us up. Whichever computer you use, or indeed WiFi, has an impact on your website security. There is no point in hardening WordPress if there is a keylogger on your computer; you've handed over your login credentials to a hacker.

Always keep everything updated

Apart from WordPress itself, it is important to keep themes and plugins updated. Vulnerabilities are discovered every day, and developers of plugins release patches to address those vulnerabilities.

If you aren't using any plugins or themes, get rid of them. You can always reinstall them later, if you need them again.

As an aside, this is a core reason to purchase plugins. A paid plugin is often actively maintained and has a support channel for issues you may face. At MalCare, we use our experience with hacked websites to improve our security plugin every day. An actively maintained plugin is an investment in security.

Use SFTP

If you use FTP to transfer files to your server, consider switching to SFTP instead. It works in much the same way for transferring files, except that it does so using SSH. The data that is transferred is encrypted and cannot be read while in transit. Also, SFTP uses authentication for both the user and server.

SFTP is becoming the new standard, and replacing FTP as a result. The configuration is practically the same, so there is no good reason to continue with the legacy protocol.

Use a trusted web host

Most security articles (like this one) will focus heavily on what you, as a website administrator, can do to keep your website secure. Granted, there is a lot you can do, and most vulnerabilities are brought in by installed applications. However, that doesn't mean that the server is invulnerable.
There is little you can do if your web host doesn't do their part in protecting their servers. Servers are also vulnerable to attack, and not just of the digital variety. Are the servers in a physically secure location, for instance? Could a hacker gain access to the room and steal data that way? These are important considerations, but again a website administrator has limited control in this regard.

So what can you do? Pick a trusted web host. A good web host is transparent about their practices, and will include concrete measures they undertake to protect their servers from attack. This is not the place to cut costs, because an inexpensive web host could prove to be a very costly decision in the long run.

Conclusion

We cannot stress the importance of installing a WordPress security plugin enough.

Removing malware is a painstaking and difficult process, subject to missteps and costly errors. Only experts should undertake the process at all, and that can be an expensive proposition. Plus, you will already have lost data, traffic, reputation and much more by that point.

So yes, take a preemptive approach to security, and install a good WordPress security plugin. Then come back to this article and implement hardening measures, and then finally audit your website to check for common WordPress hardening mistakes.

Your future self will thank you for your foresight.

FAQs

What is WordPress hardening?

WordPress hardening is a catch-all term used to describe settings and configurations that increase the security of your website. These techniques cover the gamut of website assets and strengthen known weak entry points, in order to reduce the risk of infection.

Why should I harden WordPress?

If you care about your website's security, and by extension the safety of your visitors' data, then that's why you should harden WordPress. These are simple measures to take in order to address vulnerabilities and reduce the risk of malware infection.

Remember that getting rid of malware is much, much harder than preventing the infection in the first place.

Is it difficult to harden WordPress?
There are measures you can take to harden WordPress that are simple and done via your dashboard. Those aren't hard. There are others that are a little more complex, but installing a WordPress security plugin will go a long way to mitigating that complexity. And let's face it: installing a plugin is not difficult at all.

Do I need to harden WordPress if I have a security plugin?

Yes, because even though a good WordPress security plugin will include quite a few of the critical WordPress hardening measures, it will not be able to perform all of them. This is very simply because things like choosing a strong password or implementing strong authentication protocols are outside the scope of a security plugin.

Karishma was an engineer in a former life, and so she specialises in making tech more accessible through communication. When she isn't writing, Karishma spends her time tinkering in the innards of WordPress websites.


