2015-05-12

Once your site is hacked it costs you traffic, time and money: at best you restore from a clean backup, at worst you rebuild from scratch while search engines and browsers flag your domain. A great number of WordPress sites are compromised every day, mostly by automated tools scanning for outdated software and weak logins rather than by anyone targeting you personally. The WordPress Codex (Hardening WordPress) covers the essentials, but it is not the whole story. This is a list of practical measures you can take to raise the security of your WordPress site.

Make Sure to Update As Soon As Possible



Most WordPress releases, including the ones that only fix security bugs, exist because a core developer or an outside researcher found a vulnerability. The fix protects you only once it is installed: an outdated install is exposed to bugs that are public knowledge and, soon after disclosure, are being scanned for automatically. Keeping core, themes and plugins at their latest versions closes those holes; it does not make the site immune to anything else.

Since WordPress 3.7, minor and security releases apply automatically by default, but major releases, themes and plugins still have to be updated by hand (from Dashboard > Updates, or from the theme's or plugin's own page). If you do not take time for these updates, you leave your site open to attacks that the update would have stopped.
How to ensure your WordPress updates go smoothly
New WordPress 3.4.2: Make Sure Your Website Is Updated
How to Update WordPress through the WordPress Administrator
How to upgrade your Bitnami WordPress Instance

Use Trusted WordPress Themes



There are many directories full of themes and plugins you can use on a WordPress site, but not all of them can be trusted. Anyone can publish a theme, and while the official WordPress.org repository is reviewed by volunteers, a reviewer reads the code once at submission; a theme that is later sold, abandoned or redistributed elsewhere can pick up code nobody checked. A backdoored theme runs with the full privileges of your site, so it can do far more than cause a malfunction.

The same goes for plugins: a plugin with a security bug, or with a deliberately planted backdoor, is an easy way into the site, and "nulled" copies of premium themes passed around on download sites are a common carrier for exactly that.

The best you can do is install only from the official repository or from a vendor with a track record, such as WPMU DEV, read the reviews and the support forum before installing, check that the theme is still maintained, and never install a pirated copy of a paid theme. A few well-known sources:

ThemeForest is probably the most popular premium WordPress theme marketplace. Run by Envato, it lists over 6,000 WordPress themes covering a wide variety of styles and features; because anyone can sell there, quality varies from theme to theme.

Mojo Themes puts more emphasis on curation than ThemeForest: the average theme there tends to be better than the average theme at ThemeForest, though the catalogue is far smaller, at about 600 items.

WPZOOM offers a reasonably priced club membership as well as individual pricing for its 57 WordPress themes, with thorough documentation and support for all of them.

Elegant Themes sells access to its entire collection of 87 themes for a single price (it advertised 282,273 customers at the time of writing).
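Before activating anything from these sources, and especially a premium theme obtained from anywhere other than its vendor, it is worth grepping the code for the constructs that planted backdoors rely on. The script below is an added example written for this article, not code from the original post or from any of the marketplaces above; the pattern list is my own choice, and a hit is a lead for manual review, not proof of malware.

```shell
#!/bin/sh
# Added example (not from the original post): triage a downloaded theme or plugin
# directory for constructs typical of backdoored "nulled" WordPress code.
# The pattern list is an assumption; hits need a human to look at them.
set -eu

# Obfuscation and code-execution primitives that a theme has no business using,
# plus the "/e" preg_replace modifier and long base64-looking blobs (> 200 chars).
WP_SUSPICIOUS_PATTERN="(^|[^A-Za-z0-9_])(eval|assert|create_function|base64_decode|gzinflate|gzuncompress|str_rot13|system|exec|shell_exec|passthru|proc_open)[[:space:]]*\(|preg_replace[[:space:]]*\([[:space:]]*['\"][^'\"]*/e['\"]|[A-Za-z0-9+/=]{200,}"

# Print file:line:text for every PHP line matching the pattern under $1.
# /dev/null is passed alongside the files so grep always prints the file name.
find_wp_hits() {
    find "$1" -type f -name '*.php' \
        -exec grep -nE "$WP_SUSPICIOUS_PATTERN" /dev/null {} + || true
}

# Returns 0 when the tree is clean, 1 (after printing the hits) when it is not.
scan_wp_code() {
    hits=$(find_wp_hits "$1")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Number of suspicious lines, for scripting (0 means clean).
count_wp_findings() {
    find_wp_hits "$1" | wc -l | tr -d ' '
}

# Usage: sh wp-scan.sh /path/to/unzipped/theme
if [ $# -eq 1 ]; then
    if scan_wp_code "$1"; then
        echo "no suspicious constructs in $1"
    else
        echo "review the lines above before activating $1" >&2
        exit 1
    fi
fi
```

A legitimate plugin that wraps a shell command will trip the `exec(` pattern too, so read the context of every hit. The point of the check is not that any match is malicious but that a theme from a trustworthy source should produce none, and a zero-hit result lets you skip the manual read.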

The Beginner’s Guide to Selecting a WordPress Theme

Password Strength



It is of the utmost importance that every account on your site, not just the administrator, has a strong password; with one, an attacker guessing at the login form gets nowhere.

If you use simple passwords like your name or "12345", it is easy for an attacker to guess them and log in. Brute-force tools try millions of common passwords, keyboard patterns and dictionary words with a digit or two tacked on, so even if you think "password" or "Sitename2015" could not be guessed, do not take the risk. Once in, the attacker will immediately change the password, add an administrator account of their own and start planting malware.

So this is the rule of thumb: use a long, unique password for each site, one you are sure no one else can work out. Length matters more than mixing character classes: a random passphrase of four or five unrelated words is far stronger than "P@ssw0rd1" and easier to remember.

You do not necessarily need to remember it at all: a password manager lets you generate a long random password per site, which is the safest option. What you must never do is reuse a password from another site, because credentials leaked elsewhere are the first thing attackers try against your login.

Password Strength

The Password Meter

How Secure Is My Password: Password Strength Checker

Those meters that rate password strength work, until they don’t

Password Strength Meter

WordPress Backup

Always keep in mind to have your website backed up.

If your site gets hacked, or you make a change to the software that cannot be undone, the thing you want most is a complete copy of the site as it was.

That is a relief because you have all the database and files needed to rebuild. If someone breaks or hacks the site you can restore a clean copy, carry over the data, and then report the compromise to your host and delete the compromised copy rather than trying to clean it in place.

But for that you need a backup, and one that is refreshed with every real change you make on the site: a backup from last year restores last year's site.

Keep copies of the entire site (files and database) in at least two places other than your email account, which can be hacked too, and not only on the web server itself, since an attacker who controls the server also controls the backups on it.

The best option is a scheduled backup to cloud storage plus a copy on your own computer, so that even if one goes wrong you have another in hand. Test a restore at least once: a backup you have never restored is a hope, not a backup.
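A plugin is fine, but it is worth knowing what a backup actually consists of, because it is what you will be restoring under pressure. The script below is an added example for this article, not code from the post or from any of the plugins listed; the paths in the usage comment are assumptions, it expects a standard wp-config.php, and the database step requires mysqldump and a DB_HOST value without a port suffix.

```shell
#!/bin/sh
# Added example (not from the original post): file + database backup for a
# WordPress install with checksums, so a restore can be trusted. Paths in the
# usage comment are assumptions; needs tar, gzip, mysqldump and sha256sum/shasum.
set -eu

# Read define('NAME', 'value') from wp-config.php; $1 = path, $2 = constant name.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Archive the whole install (wp-config.php, .htaccess and wp-content included),
# write a checksum beside it and print the archive path.
backup_wp_files() {
    site=$1 out=$2
    mkdir -p "$out"
    archive="$out/wp-files-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    tar -czf "$archive" -C "$site" --exclude='./wp-content/cache' .
    sha256_of "$archive" > "$archive.sha256"
    chmod 600 "$archive" "$archive.sha256"   # it contains the DB password
    printf '%s\n' "$archive"
}

# Dump the database. The password goes through a 0600 option file rather than
# the command line, where every user on the host could read it with ps.
# Assumes DB_HOST is a plain host name (no :port or socket suffix).
backup_wp_db() {
    config=$1 out=$2
    mkdir -p "$out"
    dump="$out/wp-db-$(date -u +%Y%m%dT%H%M%SZ).sql"
    cnf=$(mktemp)
    chmod 600 "$cnf"
    printf '[client]\nuser=%s\npassword="%s"\nhost=%s\n' \
        "$(wp_config_value "$config" DB_USER)" \
        "$(wp_config_value "$config" DB_PASSWORD)" \
        "$(wp_config_value "$config" DB_HOST)" > "$cnf"
    mysqldump --defaults-extra-file="$cnf" --single-transaction --quick \
        "$(wp_config_value "$config" DB_NAME)" > "$dump" || { rm -f "$cnf"; return 1; }
    rm -f "$cnf"
    gzip -f "$dump"
    sha256_of "$dump.gz" > "$dump.gz.sha256"
    chmod 600 "$dump.gz" "$dump.gz.sha256"
    printf '%s\n' "$dump.gz"
}

# Recompute the checksum and compare: returns 0 if the archive is intact.
verify_backup() {
    [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ]
}

# Usage: sh wp-backup.sh /var/www/html /var/backups/wp   (then copy the output off-host)
if [ $# -eq 2 ]; then
    files=$(backup_wp_files "$1" "$2")
    db=$(backup_wp_db "$1/wp-config.php" "$2")
    verify_backup "$files" && verify_backup "$db" && echo "ok: $files $db"
fi
```

Run it from cron and copy the output directory somewhere the web server cannot write to (another machine, object storage with a write-only key). The checksum is what lets you tell a good archive from one that was truncated in transit or tampered with on a compromised host, and `--single-transaction` gives a consistent InnoDB snapshot without locking the live tables.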

Best Premium WordPress Backup Plugin

WordPress Backup & Clone Master

WordPress Backup & Clone Master is an all-in-one solution for WordPress backup, restoration, cloning, and migration. The plugin helps you manage the above processes in a secure, easy, and reliable way on a scheduled or on-demand basis.

BackupBuddy

The restore function in BackupBuddy is quick and simple. Upload the ImportBuddy file and your backup zip, and it walks you through the steps to restore your site: your themes, plugins, widgets and everything else.

BackupBuddy lets you move a WordPress site to another domain or host easily. This is a very popular feature for WordPress developers who build a custom site for a client on a temporary domain or locally (a sandbox or playground site) and then want to migrate the entire site, with themes, plugins, content, styles and widgets, over to the live client domain.

BlogVault Real-time WordPress Backup Plugin

Real-time WordPress Backup is blogVault’s latest offering. Using Real-time WordPress Backup, you can save every update to your WordPress site almost immediately. Any addition to your site in the form of a new post, comment, plugin, or theme is backed up almost immediately after.

Multi Plugin Installer – Plugin backup and restore

Multi Plugin Installer is a utility plugin that saves a lot of time installing plugins. With MPI you can install and activate multiple plugins at once; its backup and restore feature covers plugins only, not your database or uploads, so it complements a real backup rather than replacing one.

Ether Backup WordPress Plugin

Features

Full customization of backups

Auto scheduling

Easy Upload / Download of backups

Auto URL update for 100% of the site content

Migrate your site to different server/domain with just a few clicks

Simple user interface

WordPress Smart Backup

Smart Backup is a complete WordPress solution for database backup and restore operations. You can create backups of your complete WordPress installation, files only, or database only. Backups can be restored with one click.

WooCommerce Settings Backup and Migration

When a WooCommerce store is configured, all of the settings are stored into the database. This plugin extracts all of the settings and exports them to a CSV file. This file can be used as a backup and imported later, or it can be imported into another WooCommerce store.

Backup My WP to Dropbox

Save your database and attachments with scheduled jobs; get the backups by email or have them sent to Dropbox. It automatically creates an archive of your database and files, using the default WP-Cron. Once you activate the plugin it backs up your WordPress files to the configured destination and emails you a notification when the job completes.

Filetrip – The easy way to sync & backup your WordPress to Dropbox & Google Drive

Filetrip is a WordPress plugin that helps you acquire and manage digital content (files, videos, music, audio, documents and archives) and, mainly, integrates your website with the cloud: it syncs almost any file to the two most widely used cloud storage services (Dropbox and Google Drive), from where you can forward and distribute your site's media and acquired content to whatever channel you want.

Best Free WordPress Backup Plugin

VaultPress: Backup, Security WordPress Plugin

VaultPress is a real-time backup and security scanning service designed and built by Automattic. The VaultPress plugin provides the functionality to back up and synchronise every post, comment, media file, revision and dashboard setting to VaultPress's servers. To start safeguarding your site, you need to sign up for a VaultPress subscription.

BackUpWordPress Plugin

BackUpWordPress backs up your entire site, database and files included, on a schedule that suits you.

BackWPup Free – WordPress Backup Plugin

The backup plugin BackWPup Free can save your complete installation, including /wp-content/, and push it to an external backup service such as Dropbox, S3 or FTP, among others. With a single backup .zip file you can easily restore an installation.

wp Time Machine

Create archives of all your WordPress data and files and have them stored remotely. Remote storage covers:

Your data (from your WordPress MySQL database)

Your files (and Uploads) — everything in wp-content

Your .htaccess file

Instructions for a smooth recovery

A shell script that can help automate recovery — though this is still a “work in progress”

WP-DB-Backup

WP-DB-Backup allows you easily to backup your core WordPress database tables. You may also backup other tables in the same database.

Security WordPress Plugins

Installing a security plugin is a good check: it tells you when someone is hammering your login form or posting spam on your blog, and most of them add login rate limiting, which defeats the brute-force guessing described above.

Some of the best plugins are:

WP-Lens – Security and Analysis

BotPlug – Brute Force & Spam Bot Protection

WooCommerce Minimize Fraud Plugin

Bulletproof Security

iThemes security

All in one WP Security and Firewall

WordPress Simple Security Firewall

SiteGuard WP Plugin

Anti-Malware and Brute Force Security by ELI


Pick one, configure it and keep it updated; two security plugins do the same job twice and often conflict over the same .htaccess rules.

Never keep a Default Username

On older installs the first user is named "admin" (the installer has let you pick a different name since WordPress 3.0), and automated brute-force tools try that name first, so they only have to guess the password. Picking a different name takes that shortcut away. Do not count on it as a secret, though: WordPress exposes usernames in a few places, for example the author archive reached via ?author=1 redirects to a URL built from the user's login name, so treat the username as public and rely on the password and on login rate limiting.

How To Change WordPress Default ‘Admin’ Username

HOW TO CHANGE ADMIN USERNAME IN WORDPRESS

Check files and Folder access Settings/Permission

If your site is on Linux you control who can read, write and execute each file and directory through its permissions. The web server process needs to read everything and write only where WordPress stores uploads and updates; nothing on a shared host should be world-writable, and wp-config.php, which holds the database password and the authentication salts, should not be readable by other users on the machine. A common baseline is 755 for directories, 644 for files and 600 (or 640 with a group the web server belongs to) for wp-config.php; make sure your settings are not so permissive that any account on the server can read or change your files.
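Here is a small audit-and-fix script for those permissions, as an added example (not from the post); it assumes the standard WordPress layout and that you run it as the owner of the files. The wp-config.php mode is a parameter because the right value depends on which user PHP runs as: 600 if the web server runs as your user, 640 with a shared group if it does not (with 600 in that setup the site simply stops loading).

```shell
#!/bin/sh
# Added example (not from the original post): audit and tighten permissions on a
# WordPress tree. Assumes the standard layout and that it runs as the file owner.
set -eu

# Print what is wrong; returns 1 if anything needs attention, 0 if clean.
audit_wp_perms() {
    site=$1
    rc=0
    # World-writable files or directories let any other account on the host plant code.
    ww=$(find "$site" ! -type l -perm -o=w)
    if [ -n "$ww" ]; then
        printf 'world-writable:\n%s\n' "$ww"
        rc=1
    fi
    # wp-config.php holds the DB password and the auth salts.
    if [ -n "$(find "$site/wp-config.php" -perm -o=r)" ]; then
        printf 'wp-config.php is world-readable\n'
        rc=1
    fi
    # uploads/ should hold media only; PHP there is the classic web-shell drop.
    php=$(find "$site/wp-content/uploads" -type f -name '*.php' 2>/dev/null || true)
    if [ -n "$php" ]; then
        printf 'php in uploads (inspect, then delete):\n%s\n' "$php"
        rc=1
    fi
    return $rc
}

# Directories 755, files 644, wp-config.php as given (default 600). Use 640 and
# a shared group when PHP runs as a different user than the file owner.
harden_wp_perms() {
    site=$1
    cfg_mode=${2:-600}
    find "$site" -type d -exec chmod 755 {} +
    find "$site" -type f -exec chmod 644 {} +
    chmod "$cfg_mode" "$site/wp-config.php"
}

# Usage: sh wp-perms.sh /var/www/html [640]
if [ $# -ge 1 ]; then
    if audit_wp_perms "$1"; then
        echo "permissions look fine"
    else
        harden_wp_perms "$1" "${2:-600}"
        if audit_wp_perms "$1"; then
            echo "fixed"
        else
            echo "anything still listed above needs a manual look" >&2
            exit 1
        fi
    fi
fi
```

The PHP-in-uploads check is not a permission in the strict sense, but it belongs in the same sweep: a stray .php file under wp-content/uploads is how a compromised site usually looks from the file system, and no hardening of modes will remove it for you.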

Support Forum thread

htaccess for subdirectories

Override WordPress Default permissions

Use SSL Certificate

Transport Layer Security (TLS, still widely called SSL after its predecessor) is what websites like Google, Facebook and Twitter use. Instead of http:// the address begins with https://, which means the connection is encrypted and the browser has verified the server's certificate, so nobody on the path between visitor and server can read or alter the traffic.

So if your site involves entering usernames or passwords, including your own login to wp-admin, you should get a certificate and serve those pages over HTTPS; otherwise the password crosses every network in between in cleartext. WordPress can be told to require HTTPS for the login and admin pages by defining FORCE_SSL_ADMIN in wp-config.php.

Easy HTTPS Redirection and Verve SSL are two plugins that redirect visitors from http:// to https:// once the certificate is in place; note that a plugin cannot obtain the certificate for you, that comes from your host or a certificate authority.

How To Use SSL & HTTPS With WordPress

Limited Access

Not every page of your site should be reachable by everyone. The login form and the dashboard are the pages that give whoever reaches them a shot at the whole site, so limiting access to them means only you and your legitimate users can even try. The usual way is to allow wp-login.php and wp-admin/ only from known IP addresses (your office or VPN) in the web server configuration, which also stops brute-force guessing cold because the attacker never sees the form.

The resources below show several ways to do this on different hosts.
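As an added example, not from the post, here is a script that writes those rules for Apache 2.4 (a fragment for the .htaccess at the site root, and one for wp-admin/.htaccess) after validating the address list; the addresses in the usage line are documentation ranges and are assumptions. Apache 2.2 spells the same thing with Order/Deny/Allow lines and nginx with allow/deny inside a location block; the idea is identical.

```shell
#!/bin/sh
# Added example (not from the original post): write Apache 2.4 .htaccess rules
# that allow wp-login.php and wp-admin/ only from listed IPv4 addresses/CIDRs.
# The addresses in the usage comment are documentation ranges (assumptions).
set -eu

# Accept a.b.c.d or a.b.c.d/n; anything else returns 1. A malformed entry in a
# Require line is a config error at best and a rule that matches nothing at worst.
valid_ip_or_cidr() {
    addr=$1
    case $addr in ''|*[!0-9./]*|*/|*/*/*) return 1 ;; esac
    ip=${addr%%/*}
    prefix=${addr#*/}
    [ "$prefix" = "$addr" ] && prefix=32
    case $prefix in *[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# Site-root .htaccess fragment: the login form itself.
gen_login_allowlist() {
    [ $# -gt 0 ] || { echo 'need at least one address' >&2; return 1; }
    for a in "$@"; do
        valid_ip_or_cidr "$a" || { echo "rejecting bad address: $a" >&2; return 1; }
    done
    printf '<Files "wp-login.php">\n    Require ip %s\n</Files>\n' "$*"
}

# wp-admin/.htaccess: same list, but admin-ajax.php stays reachable because
# themes and plugins call it for anonymous front-end visitors.
gen_wpadmin_allowlist() {
    [ $# -gt 0 ] || return 1
    for a in "$@"; do valid_ip_or_cidr "$a" || return 1; done
    printf 'Require ip %s\n<Files "admin-ajax.php">\n    Require all granted\n</Files>\n' "$*"
}

# Usage: sh wp-allowlist.sh 203.0.113.5 198.51.100.0/24
if [ $# -gt 0 ]; then
    gen_login_allowlist "$@"
    printf '\n# --- contents for wp-admin/.htaccess ---\n'
    gen_wpadmin_allowlist "$@"
fi
```

If your own address changes (home broadband, mobile), put a VPN or a jump host with a fixed address in the list rather than widening it to a whole provider range; a /24 you do not control is a lot of strangers.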

Restricted site access WordPress

How to keep hackers out of WordPress

Restrict access to wordpress admin login by IP address

How can you Limit WordPress Login Access by IP Address?

Limit Access to the WordPress Login Page to Specific IP Addresses

How to Limit Access by IP to Your wp-login.php file in WordPress

Restrict IP Addresses to Login on WordPress Dashboard

WordPress Plugins for Limited Access

WP-Restrict

Restricted Site Access

Use SFTP or SSH

SFTP (SSH File Transfer Protocol) is a safe way of copying files to your site: it runs inside an SSH session, so the login credentials and the files themselves are encrypted in transit.

Plain FTP is a quick way to push more files to an existing site, but it is not secure: username, password and file contents travel in cleartext, so anyone on the path (a shared Wi-Fi network, a compromised router) can read the password and then log in as you.

So use SFTP or SSH instead. Secure Shell (SSH) can also be used to transfer files safely (with scp or rsync) and to run WordPress updates directly on the server.

If you are not using FTP at all, disable or delete the FTP account. Every unused login is one more door for an attacker to try.

Other Resources

Administration Over SSL

WordPress Tutorial: Using SSH to Install/Upgrade

Automatic WordPress Updates Using FTP/FTPS or SSH

GoDaddy Hosting:-  Managed WordPress: sFTP, SSH and phpMyAdmin Credentials

WP Engine Hosting:-  How to use SFTP to access your blog’s theme, uploads and plugins

WordPress: Enabling SSH/SFTP Updates

WordPress Plugins for SFTP or SSH

SSH SFTP Updater Support

Password on Certain Folders

You know which folders hold data that attracts an attacker's attention, and wp-admin/ is the obvious one. Putting HTTP basic authentication on such a folder means the web server asks for a second username and password before WordPress even sees the request, so an attacker brute-forcing the dashboard is stopped at the server.

In a cPanel-style control panel go to Security, then Password Protect Directories, to see the list of all folders, and choose the ones you want to keep hidden from outside users.

Once you have set the username and password, go under the security settings heading and tick the box that says "password protect this directory". Click save and you are done. Pick a password different from your WordPress one, and be aware that wp-admin/admin-ajax.php is called by many themes and plugins on behalf of ordinary visitors, so it has to be excluded from the protection or those features break.

On a server you manage yourself the same thing is done with an .htpasswd file and a few lines of .htaccess, which the resources below explain.

Useful Resources

DreamHost Hosting:- Password-protecting directories

SiteGround Hosting:- Password Protected Directories

WordPress rewrite and password protected directories

How to Password Protect Your WordPress Admin (wp-admin) Directory

Secure Your WordPress Site

Password Protect your WordPress Admin Folder

Creating Password Protected Pages and Areas in WordPress

How To Password Protect Your WP Admin Folder in WordPress

Change the prefix of table

In the WordPress database every table name begins with wp_ by default. Automated SQL injection payloads and attack scripts hardcode names like wp_users and wp_options, so with the default prefix a generic exploit works against your database without any adjustment.

Changing the prefix to something custom (for example k9x_) makes those generic scripts fail. Be clear about what it buys you: an attacker who can already run arbitrary queries can read the real names from information_schema, so this is a speed bump for automated attacks, not a substitute for patched software. Set it on a fresh install if you can; on an existing site you must rename every table and also fix the option and user-meta rows whose names embed the prefix, after taking a backup.
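The renaming is easy to get half right, which is why it is worth scripting. The following is an added example, not from the post: it prints the SQL (for MySQL/MariaDB) to rename the tables and fix the rows whose keys embed the old prefix, and rewrites $table_prefix in wp-config.php. The table list is read from standard input, the prefixes and database name in the usage comment are assumptions, and you run it against a backup first.

```shell
#!/bin/sh
# Added example (not from the original post): generate the MySQL/MariaDB
# statements for moving a WordPress database to a new table prefix, and point
# wp-config.php at it. Table list on stdin; prefixes in the comments are assumptions.
set -eu

# WordPress accepts letters, digits and underscores only; a trailing underscore
# keeps derived keys readable (k9x_user_roles rather than k9xuser_roles).
valid_prefix() {
    case $1 in ''|*[!A-Za-z0-9_]*) return 1 ;; *_) return 0 ;; *) return 1 ;; esac
}

# $1 = old prefix, $2 = new prefix, stdin = table names, one per line.
# RENAME TABLE is not enough: wp_options.option_name 'wp_user_roles' and
# wp_usermeta.meta_key 'wp_capabilities' / 'wp_user_level' embed the prefix as
# data, and if they are left alone every user loses their role and wp-admin.
gen_prefix_change_sql() {
    old=$1 new=$2
    valid_prefix "$old" && valid_prefix "$new" || { echo 'bad prefix' >&2; return 1; }
    while IFS= read -r t; do
        case $t in
            "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$t" "$new" "${t#"$old"}" ;;
        esac
    done
    like=$(printf '%s' "$old" | sed 's/_/\\_/g')   # _ is a LIKE wildcard
    pos=$((${#old} + 1))                           # SUBSTRING is 1-based
    printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s%%';\n" \
        "$new" "$new" "$pos" "$like"
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$pos" "$like"
}

# Rewrite $table_prefix = '...'; in wp-config.php (keeps the file's permissions).
set_table_prefix() {
    cfg=$1 new=$2
    valid_prefix "$new" || return 1
    tmp=$(mktemp)
    sed "s/^\([[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*\)['\"][^'\"]*['\"]/\1'$new'/" "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# Usage (after a backup, with the site in maintenance mode):
#   mysql -N -e "SHOW TABLES LIKE 'wp\\_%'" wp_prod | sh wp-prefix.sh wp_ k9x_ > change.sql
#   mysql wp_prod < change.sql && set_table_prefix /var/www/html/wp-config.php k9x_
if [ $# -eq 2 ]; then
    gen_prefix_change_sql "$1" "$2"
fi
```

The two UPDATE statements are the part most hand-written guides forget; CONCAT with SUBSTRING is used instead of REPLACE so that only the leading prefix changes, not a second occurrence of the same string inside a key. Plugins that store their own prefixed keys are handled by the same two statements, since the WHERE clause matches anything starting with the old prefix.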

Database Name

Similarly, the database name is often the default or a predictable one (the hosting account name plus a suffix), and renaming it to something unique is sometimes recommended to make it harder to guess. In practice the name gives an attacker little: what matters is the database account WordPress connects as. Give it a strong, unique password, allow it to connect only from the web server (localhost), and grant it rights on this one database only, so that a leaked wp-config.php or an injection in one site cannot reach the other databases on the same server.

Conclusion

These are basic measures that take a little extra effort but go a long way towards securing a website. More involved methods exist and can go much further, but most of what is listed above can be done by anyone in an afternoon, and it removes the easy wins that automated attacks depend on.