Steps To Prevent Your WordPress Blog / Website From Being Hacked



Recently I have seen several website owners complaining about the security of their WordPress blog or website. Their site was hacked, malicious code was injected into the files, the whole site crashed, they lost their data, and their business suffered as a result. This is painful, it can happen to anyone, and it can destroy a business overnight!

So I did some research on Google and compiled a list of points that can help you protect your WordPress blog or website from being hacked:

1. Backup, Backup and Backup Your WordPress Website
This is the first and most important step. If you run a WordPress website, back up both the files and the database regularly and store the copies somewhere other than the web server itself (a backup that lives next to the site is lost together with it when the site is wiped). It is simple: you can export the database via phpMyAdmin, or use one of the available WordPress plugins; BackupBuddy, for example, backs up the whole WordPress blog or website. Test a restore from time to time so you know the backup is actually usable.
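As an added example (not code from the original article or from any backup plugin), here is a minimal backup routine for a WordPress install: it reads the DB_* settings out of wp-config.php, builds the mysqldump command for the database with the password kept out of the process list, archives the site files, and writes a SHA-256 manifest so a restore can be verified. The sample wp-config.php text and the tiny site tree built by demo() are constructed for the example; the paths and credentials are not real.

```python
"""Added example, not part of the original article: backup a WordPress site's
database and files and verify the restore. Sample config and paths are
constructed for the example."""
import hashlib
import re
import tarfile
import tempfile
from pathlib import Path

# define('DB_NAME', 'value');  with single or double quotes and optional spaces.
# Assumes the value itself contains no quote character.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def read_db_config(config_text):
    """Return the DB_NAME/DB_USER/DB_PASSWORD/DB_HOST settings from wp-config.php text."""
    settings = dict(DEFINE_RE.findall(config_text))
    return {k: settings[k] for k in ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST") if k in settings}


def mysqldump_command(cfg, out_file):
    """Build the mysqldump argument list plus the environment to run it with.
    The password goes in MYSQL_PWD rather than on the command line, where every
    local user could read it with `ps`."""
    host, _, port = cfg["DB_HOST"].partition(":")
    argv = ["mysqldump", "--single-transaction", "--host", host or "localhost",
            "--user", cfg["DB_USER"], "--result-file", str(out_file)]
    if port:
        argv += ["--port", port]
    argv.append(cfg["DB_NAME"])
    return argv, {"MYSQL_PWD": cfg["DB_PASSWORD"]}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_site(site_root, backup_dir):
    """Tar the site files into backup_dir and write a manifest of SHA-256 hashes.
    Returns (archive path, manifest path). Copy both somewhere off the server."""
    site_root, backup_dir = Path(site_root), Path(backup_dir)
    archive, manifest = backup_dir / "files.tar.gz", backup_dir / "files.sha256"
    with tarfile.open(archive, "w:gz") as tar, open(manifest, "w") as mf:
        for path in sorted(p for p in site_root.rglob("*") if p.is_file()):
            rel = path.relative_to(site_root).as_posix()
            tar.add(str(path), arcname=rel)
            mf.write(f"{sha256_of(path)}  {rel}\n")
    return archive, manifest


def extract(archive, restore_dir):
    with tarfile.open(archive) as tar:
        try:
            tar.extractall(restore_dir, filter="data")  # refuses paths outside restore_dir
        except TypeError:  # Python versions without the filter argument
            tar.extractall(restore_dir)


def check_manifest(manifest, restore_dir):
    """Return the files that are missing or differ from the manifest (empty == good)."""
    bad = []
    with open(manifest) as mf:
        for line in mf:
            digest, rel = line.rstrip("\n").split("  ", 1)
            target = Path(restore_dir) / rel
            if not target.is_file() or sha256_of(target) != digest:
                bad.append(rel)
    return bad


# Constructed sample wp-config.php fragment (not a real site).
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wpdb');
define( 'DB_USER', "wpuser" );
define('DB_PASSWORD', 's3cret');
define('DB_HOST', 'localhost:3306');
"""


def demo():
    """Archive a tiny constructed site, restore and verify it, then show that a
    modified file in the restore is reported. Returns (clean_result, tampered_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        site = tmp / "site"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-content" / "uploads" / "notes.txt").write_text("hello\n")
        archive, manifest = archive_site(site, tmp)
        extract(archive, tmp / "restore")
        clean = check_manifest(manifest, tmp / "restore")
        (tmp / "restore" / "index.php").write_text("<?php eval($_GET['c']);\n")  # simulated tampering
        return clean, check_manifest(manifest, tmp / "restore")


if __name__ == "__main__":
    argv, env = mysqldump_command(read_db_config(SAMPLE_CONFIG), "db.sql")
    print(" ".join(argv), "(password passed via MYSQL_PWD)")
    print(demo())
```

Run the mysqldump command with subprocess.run(argv, env={**os.environ, **env}) on the real host; the manifest is what lets you prove, before you need it, that the archive you copied off the server is intact.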

2. Change Your WordPress Admin Username / Password Regularly
This is a very crucial step. When a developer is working on a website they generally use an easy username and password because they need to log in and out frequently, and when the website is handed over to the client the password is often never changed. Older WordPress installs created the login user 'admin' by default, and almost every attacker knows that, so do not keep an account named 'admin' either: create a new administrator with a different name and delete the old one. Change the password frequently, use a strong and unique password for every account that can log in, and generate it with a password generator; you can generate the password from Here.

3. Keep Your WordPress Version Updated
Whenever you get a notification about a WordPress version upgrade, don't ignore it: apply it and keep your WordPress version updated. WordPress is constantly improving security and patching holes, and those fixes only reach your site when you install the new version announced in the admin notification. The same applies to plugins and themes, which is where the majority of WordPress vulnerabilities are found, so update them as well and remove any you no longer use.

4. Change the Table Prefix
The default WordPress table prefix is wp_, which everyone knows, so change it when you do the WordPress installation / setup. Be clear about what this buys you: it does not prevent SQL injection (a vulnerable query is exploitable whatever the tables are called, and an attacker who can run queries can read the real prefix from information_schema), but it does break automated attacks whose payloads hard-code wp_users or wp_options. You can change your database table prefix in two ways:
i. Manually (do not use this method unless you are comfortable working in MySQL: every table has to be renamed, and the prefixed rows in the options and usermeta tables, such as wp_user_roles and wp_capabilities, must be renamed as well or nobody can log in).
ii. With a plugin (the easier way to change the prefix of the database tables).

5. Run a Security Scan with a Security Scan Plugin

Many security scan plugins are available for WordPress. Install one and scan your blog or website for vulnerabilities; it will inform you if it finds malicious code, and many of them also compare the core files against the official copies so that a modified file stands out. You can use Wordfence Security.

6. Change the WordPress Keys in wp-config.php
The keys are an essential part of any WordPress installation, so always keep them secret and unique to the site. They are the secrets WordPress uses to sign its authentication cookies and nonces (they are not used to encrypt user data); if they leak, or if the placeholder text is still in place, those cookies can no longer be trusted. Changing them invalidates every existing login session, which is exactly what you want after a compromise.

You can generate the keys with the WordPress Key Generator (https://api.wordpress.org/secret-key/1.1/salt/). Open the wp-config.php in the root of the WordPress installation, find the lines like the ones below and replace them with the generated ones. Current WordPress versions define eight constants, the four keys below plus AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT; replace all eight:

define('AUTH_KEY', 'put your unique AUTH_KEY phrase here');
define('SECURE_AUTH_KEY', 'put your unique SECURE_AUTH_KEY phrase here');
define('LOGGED_IN_KEY', 'put your unique LOGGED_IN_KEY phrase here');
define('NONCE_KEY', 'put your unique NONCE_KEY phrase here');
define('AUTH_SALT', 'put your unique AUTH_SALT phrase here');
define('SECURE_AUTH_SALT', 'put your unique SECURE_AUTH_SALT phrase here');
define('LOGGED_IN_SALT', 'put your unique LOGGED_IN_SALT phrase here');
define('NONCE_SALT', 'put your unique NONCE_SALT phrase here');
Save the file and upload it back to the root. Every logged-in user, including you, will have to log in again.
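If you would rather not paste secrets from a web page, or you need to rotate them on many sites after an incident, the following added example (not from the original article and not the WordPress generator itself) regenerates all eight constants locally and rewrites the wp-config.php text in place. It assumes the values are single-quoted, as the WordPress template and generator write them; the sample config is constructed for the example.

```python
"""Added example, not part of the original article: regenerate all eight
WordPress keys and salts in wp-config.php text locally. Rotating them logs
every user out, which is what you want after a compromise."""
import re
import secrets

WP_SECRETS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Printable ASCII minus the three characters that would break a PHP
# single-quoted string literal (quote, double quote, backslash): 91 symbols.
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\"\\")

# Matches define('NAME', 'value'); for one of the eight names. The value is
# assumed to be single-quoted, as the WordPress template and generator write it.
SECRET_DEFINE = re.compile(
    r"(?P<pre>define\(\s*['\"])(?P<name>" + "|".join(WP_SECRETS) + r")"
    r"(?P<mid>['\"]\s*,\s*')[^']*(?P<post>'\s*\);)")


def generate_secret(length=64):
    """64 characters from a 91-symbol alphabet: over 400 bits of entropy."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_secrets(config_text):
    """Replace the value of every existing secret define and add defines for
    any of the eight that are missing. Returns (new_text, {name: new_value})."""
    new_values = {name: generate_secret() for name in WP_SECRETS}
    seen = {m.group("name") for m in SECRET_DEFINE.finditer(config_text)}
    text = SECRET_DEFINE.sub(
        lambda m: m.group("pre") + m.group("name") + m.group("mid")
        + new_values[m.group("name")] + m.group("post"), config_text)
    missing = [n for n in WP_SECRETS if n not in seen]
    if missing:
        extra = "".join(f"define('{n}', '{new_values[n]}');\n" for n in missing)
        # Put them right after the last existing secret define (or after the
        # opening <?php tag) so they are set before wp-settings.php is loaded;
        # appended at the end of the file they would come too late.
        anchor = None
        for anchor in SECRET_DEFINE.finditer(text):
            pass
        start = anchor.end() if anchor else (len("<?php") if text.startswith("<?php") else 0)
        newline = text.find("\n", start)
        at = len(text) if newline == -1 else newline + 1
        text = text[:at] + ("\n" if newline == -1 else "") + extra + text[at:]
    return text, new_values


def current_secrets(config_text):
    """Read back {name: value} for the eight secrets, to check the result."""
    pairs = re.findall(r"define\(\s*['\"](\w+)['\"]\s*,\s*'([^']*)'\s*\);", config_text)
    return {name: value for name, value in pairs if name in WP_SECRETS}


# Constructed sample: the four keys still hold the placeholder, the salts are absent.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wpdb');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    new_text, _ = rotate_secrets(SAMPLE_CONFIG)
    print(new_text)
```

Read the real wp-config.php, pass its text through rotate_secrets(), write the result back over SFTP (never through the WordPress file editor), and expect to be logged out immediately.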


7. Protect your .htaccess file

The .htaccess file is very important and we need to protect it so that no one can read it from a browser (it reveals your rewrite rules and any IP restrictions) or modify it. There are several ways to do it:
a. Set the file permissions of .htaccess so that only the owner can write it (644, or 444 if you never edit it in place); the web server still needs read access.
b. Deny web access to any file whose name starts with .hta, which covers .htaccess and .htpasswd. Most Apache default configurations already contain an equivalent rule, but adding it to your own .htaccess makes sure it survives a move to another host:

# deny web access to .htaccess, .htpasswd and any other .hta* file
<Files ~ "^.*\.([Hh][Tt][Aa])">
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use: Require all denied
order allow,deny
deny from all
satisfy all
</Files>

8. Secure the WordPress Connection File (wp-config.php)
We need to secure the wp-config.php file because it holds the database credentials and the secret keys. Normally Apache hands it to PHP and nothing is shown, but if PHP handling ever breaks through a misconfiguration, or an editor or backup leaves a copy such as wp-config.php.bak or wp-config.php~ next to it, the contents would be served as plain text. Add the code below to the .htaccess file in the root directory; it denies web access to wp-config.php for everyone. Do not leave copies of it under other names, and consider moving wp-config.php one directory above the web root, which WordPress supports out of the box.

# protect wp-config.php (Apache 2.2 syntax; on Apache 2.4 use "Require all denied")
<files wp-config.php>
Order deny,allow
Deny from all
</files>

9. Prevent Directory Browsing
Prevent directory browsing (directory listings) so that visitors cannot walk through the directory tree of the website. A listing makes it easy to learn the directory structure and the names and versions of installed plugins and themes, which is exactly what an attacker looks up to find known security holes.

To prevent this, add the line below to the .htaccess in the root directory of your WordPress blog/website. If your host does not permit the Options directive in .htaccess you will get a 500 error; in that case ask them to disable indexes in the server configuration instead.

# disable directory browsing; only remove Indexes ("Options All -Indexes" would also switch on ExecCGI and Includes)
Options -Indexes

10. Block common script-injection patterns with .htaccess
The rules below answer 403 Forbidden to any request whose query string contains an obvious <script> tag or tries to set PHP's GLOBALS or _REQUEST arrays. Know what they do and do not do: they inspect only the query string (never POST bodies, cookies or headers) and only for those literal patterns, so they stop some automated scanners and little else. A <img onerror=...> payload passes straight through, while a harmless search for "javascript tutorial" inside a tag is blocked because the word contains "script". The GLOBALS and _REQUEST conditions date from PHP's register_globals feature, removed in PHP 5.4, so today they mostly filter old scanner traffic. None of this replaces escaping output and keeping plugins updated. Add the rules to the .htaccess in the root (if your host does not allow the Options directive in .htaccess, drop that line; most hosts already enable FollowSymLinks):

# protect from script injection: answer 403 when the raw query string contains
# <...script...> or tries to set GLOBALS or _REQUEST; mod_rewrite needs FollowSymLinks
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# "-" means no substitution; [F] sends 403 Forbidden and [L] stops further rewriting
RewriteRule ^(.*)$ - [F,L]
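To see exactly what these three conditions catch before you deploy them, here is an added example (not from the original article) that re-implements the three RewriteCond patterns in Python and runs them over constructed query strings. mod_rewrite tests the raw, still URL-encoded query string with Perl-compatible regexes, and Python's re module treats these particular patterns the same way.

```python
"""Added example, not part of the original article: the three RewriteCond
patterns from the .htaccess rules above, run over constructed query strings."""
import re

# RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC]  -> case-insensitive
SCRIPT_TAG = re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)
# RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2})     -> case-sensitive
GLOBALS_OVERWRITE = re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")
# RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})    -> case-sensitive
REQUEST_OVERWRITE = re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")
RULES = (SCRIPT_TAG, GLOBALS_OVERWRITE, REQUEST_OVERWRITE)


def blocked(query_string):
    """True if the rules would answer 403 for this query string. The three
    conditions are ORed, exactly as the [OR] flags in the .htaccess say."""
    return any(rule.search(query_string) for rule in RULES)


def classify(cases):
    """Run (label, query_string) pairs and return {label: blocked?}."""
    return {label: blocked(qs) for label, qs in cases}


# Constructed inputs. Only the query string reaches the rule: POST bodies,
# cookies and headers are never inspected.
CASES = [
    # caught, as intended
    ("plain script tag", "s=<script>alert(1)</script>"),
    ("url-encoded script tag", "s=%3Cscript%3Ealert(1)%3C/script%3E"),
    ("mixed-case script tag", "s=<ScRiPt>alert(1)</ScRiPt>"),
    ("GLOBALS overwrite", "GLOBALS[x]=1"),
    ("GLOBALS with encoded equals", "GLOBALS%3D1"),
    ("_REQUEST overwrite", "_REQUEST=1"),
    # not caught: no literal 'script' between angle brackets
    ("img onerror", "s=<img src=x onerror=alert(1)>"),
    ("svg onload", "s=<svg/onload=alert(1)>"),
    # false positive: an innocent search term, because 'javascript' contains 'script'
    ("search for javascript tutorial", "q=<b>javascript tutorial</b>"),
]

if __name__ == "__main__":
    for label, result in classify(CASES).items():
        print(f"{'403' if result else '200':>3}  {label}")
```

The two uncaught cases are ordinary XSS payloads, and the last case shows that a real visitor can be locked out by the rule; that is the trade-off you accept by deploying it.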

11. Block Search Engine Spiders from Indexing the Admin Section with robots.txt
Search engine spiders crawl every page they can reach and index the content, so tell them which paths not to crawl, starting with the admin section. Be clear that robots.txt is a request honoured by well-behaved crawlers, not an access control: attackers ignore it, and in fact read it to learn which paths you care about, so it keeps /wp-admin out of search results but does not stop anyone from requesting it; the protections in the next section do that. Two further cautions: front-end features call /wp-admin/admin-ajax.php, so that file must stay allowed (the virtual robots.txt WordPress generates by default does exactly this), and disallowing /wp-content/themes/, /wp-content/plugins/ and /wp-includes keeps Google from fetching your CSS and JavaScript, which it needs to render your pages, so it can hurt your rankings. Place the following in the robots.txt file in your root directory (a physical file overrides the virtual one WordPress generates):

User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
# admin-ajax.php is called by front-end features and must stay reachable
Allow: /wp-admin/admin-ajax.php
# blocking plugins/themes/wp-includes also blocks CSS and JS that crawlers need to render pages
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*
Disallow: /wp-includes

12. Protect the WordPress Admin
There are several ways to protect the WordPress admin:
a. Use a captcha on the login form.
Many captcha plugins are available for the login form; I have implemented No Captcha reCAPTCHA for one of my clients and it is working fine. It stops automated password guessing, which is the most common attack on wp-login.php.

b. Change the default WordPress admin URL (/wp-admin) to another, secret one.
By default the WordPress admin URL is website/wp-admin and the login page is website/wp-login.php, and everyone knows both, so bots hammer them constantly. A plugin can move them to a URL of your choosing, which takes you off the target list of automated brute-force tools; it is obscurity rather than a real barrier, so combine it with the captcha and strong passwords. For this you can use Protect Your Admin.

c. You can also restrict the admin area by IP, so that only you can reach it and a user from any other IP gets 403 Forbidden. Copy the code below into the .htaccess in the wp-admin folder and replace xx.xx.xx.xx with your static IP. Three caveats: wp-login.php sits in the site root, not in wp-admin, so this protects the dashboard but not the login page itself; Apache does not accept a comment on the same line as a directive (the words after # are parsed as extra arguments to allow), so keep any comment on its own line; and if your IP changes you lock yourself out until you edit the file over SFTP. admin-ajax.php must stay reachable because the public site calls it.
Note: put this in the .htaccess inside wp-admin, not the root .htaccess.

	# deny access to wp-admin from every IP except your own (replace xx.xx.xx.xx with your static IP)
	order deny,allow
	deny from all
	allow from xx.xx.xx.xx
	# admin-ajax.php is called from the public site and must stay reachable
	<Files admin-ajax.php>
	allow from all
	</Files>

13. Limit Access to the wp-content Directory
To limit direct access to the wp-content directory, so that a PHP file an attacker manages to upload there cannot be executed from the browser, put the code below in a .htaccess file inside the wp-content folder. Everything is denied except the static file types listed; add any other types your site serves from uploads (PDF, MP4, other fonts and so on) or those downloads will start returning 403, and check the site afterwards, because a few plugins serve PHP endpoints directly from their own folder and will break. A narrower variant that breaks nothing is to deny only *.php under wp-content/uploads, which is where an abused upload form drops a web shell.
Note: put this in the .htaccess inside wp-content, not the root .htaccess.

# deny everything in wp-content except static assets (the dot must be escaped; curly quotes break Apache)
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|webp|svg|ico|js|woff2?|ttf|eot)$">
Allow from all
</Files>

14. Secure Website Forms to Prevent Spamming
Secure all the forms on the website, whether a contact form or the comment form, with one of the anti-spam or captcha plugins available for WordPress, so that bots cannot flood you with submissions or use the forms to post links.

Stay tuned for the latest WordPress tutorials and updates. I hope you enjoyed reading; if you need professional WordPress development we can help you, just click on the link and send me your requirements.