WordPress Security 101


WordPress is one of the most popular Content Management Systems (CMS) on the market and, perhaps unsurprisingly, the most hacked. WordPress powers over one-third of the web! That means there are currently over 75 million websites that use WordPress.

Getting hacked can be a real pain. A simple mistake can damage your business reputation and put your customers and their data at risk.

There Is No Such Thing As ‘Unhackable’

You might say: "My website does not contain any valuable and sensitive business information so it won't be hacked."

You’re wrong.

There are still plenty of reasons why your website could be hacked:

1.) Black-hat Search Engine Optimization (SEO)
2.) Spreading malware
3.) Just for fun
4.) Hacktivism

How do I secure my website?

Website security should be taken seriously; problems appear quickly when basic precautions are skipped. Treat security as an ongoing, never-ending initiative rather than a one-time task, and keep taking steps to improve it.

1.) Disable file editing - With file editing disabled, an attacker who obtains admin access to your WordPress dashboard cannot use the built-in editor to modify files that are part of your website. This includes all plugins and themes.

Add the following line to your wp-config.php:

define('DISALLOW_FILE_EDIT', true);

2.) Disable directory listing - A directory listing gives an attacker a complete index of all the resources inside that directory. The specific risks and consequences vary depending on which files are listed and accessible.

You can prevent this by adding the following line to your .htaccess file:

Options All -Indexes

3.) Use two-factor authentication - Two-factor authentication is a good security measure: even if an attacker obtains working credentials, they still cannot log in, because the second step requires you to authenticate using a separate device or app. One plugin that provides it:

https://wordpress.org/plugins/miniorange-2-factor-authentication/

4.) Always Back Up - Backing up your site means creating a copy of all the site’s data and storing it somewhere safe, so that you can restore the site from that copy if anything goes wrong.

5.) Install a Security Plugin - A security plugin takes care of your site security: it scans for malware and monitors your site around the clock to keep track of what is happening on it.

Wordfence does a great job in this regard, and it’s one of the best security services for WordPress out there. It does a bit of everything.

6.) Always Update - Keeping your WordPress instance up to date is a good security practice. With every update, developers make changes that often include security fixes. It is just as important to update your plugins and themes for the same reasons.

7.) Use Strong Passwords - This is your first line of defense against brute-force attacks. A weak password never fares well against one.

8.) Delete Unused Plugins/Themes - Unused or inactive themes and plugins are rarely updated but remain on the server, so they pose a serious threat to your WordPress website. Plugins and themes that are not in use should be deleted immediately.

9.) Secure wp-config.php - The configuration file contains sensitive information about the database (name, host, username and password) as well as the authentication salts and keys.

This .htaccess rule makes wp-config.php inaccessible over the web:
<files wp-config.php>
order allow,deny
deny from all
</files>

10.) Set Correct Permissions - Make sure your permissions are as follows:

Folders – 755
Files – 644

You should never set any WordPress file or directory to 777 permissions.
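The following audit script is an added example, not code from the original post: it checks an install against items 1, 2, 9 and 10 above (DISALLOW_FILE_EDIT, -Indexes, the wp-config.php deny block, and 755/644 permissions with no world-writable entries). The WP_ROOT path is an assumption; for item 9 it also accepts the Apache 2.4 form `Require all denied`.

```shell
#!/bin/sh
# Added audit script (not part of the original post). Checks a WordPress
# install against items 1, 2, 9 and 10 above. WP_ROOT is an assumed path.
wp_root="${WP_ROOT:-/var/www/html}"

# Item 1: DISALLOW_FILE_EDIT defined as true in wp-config.php
check_file_edit() {
    grep -Eq "^[[:space:]]*define\([[:space:]]*[\"']DISALLOW_FILE_EDIT[\"'][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php" 2>/dev/null
}

# Item 2: an "Options ... -Indexes" line in .htaccess (directives are case-insensitive)
check_indexes() {
    grep -Eiq "^[[:space:]]*Options[[:space:]].*-Indexes" "$1/.htaccess" 2>/dev/null
}

# Item 9: a <files wp-config.php> block that denies all access
# (classic "deny from all" or the Apache 2.4 "Require all denied")
check_config_block() {
    [ -f "$1/.htaccess" ] || return 1
    tr '[:upper:]' '[:lower:]' < "$1/.htaccess" |
        sed -n '/<files[[:space:]]*wp-config\.php>/,/<\/files>/p' |
        grep -Eq 'deny from all|require all denied'
}

# Item 10: list entries whose mode deviates from 755 (dirs) / 644 (files)
list_bad_perms() {
    find "$1" \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \)
}

# World-writable entries (777 and friends) are the serious case
count_world_writable() {
    find "$1" -perm -0002 | wc -l | tr -d ' '
}

# Run every check; the return value is the number of failed checks
audit() {
    fails=0
    check_file_edit "$1"    || { echo "FAIL: DISALLOW_FILE_EDIT not set in wp-config.php"; fails=$((fails+1)); }
    check_indexes "$1"      || { echo "FAIL: directory listing not disabled in .htaccess"; fails=$((fails+1)); }
    check_config_block "$1" || { echo "FAIL: wp-config.php not denied in .htaccess"; fails=$((fails+1)); }
    [ "$(count_world_writable "$1")" -eq 0 ] ||
        { echo "FAIL: world-writable entries:"; find "$1" -perm -0002; fails=$((fails+1)); }
    return "$fails"
}

if [ -d "$wp_root" ]; then
    audit "$wp_root" || echo "$? check(s) failed for $wp_root"
fi
```

Run it as `WP_ROOT=/path/to/wordpress sh audit.sh`; a zero exit status means every check passed.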

Ending Thoughts

By following the steps above you have protected yourself from the most common threats. Security is an ongoing process that needs continuous attention. Keep in mind that you are never done with it.