How to Protect WordPress Site?

Article by

Srdjan Kali

Dec 7, 2017

You must understand the importance of good protection.

WordPress is one of the best and most popular content management systems in the world, and it is open source. However, the fact that its code is open source also makes WordPress sites attractive to hackers.

On the one hand, a huge number of designers and developers are trying to make the web more beautiful; on the other, there are those who try in every way to spoil it. When we consider that for some companies and individuals an entire business depends on the website, the importance of good protection becomes clear.

If WordPress protection is done the right way, however, we can minimize the chances of the site being hacked and raise its security to a very high level.

This post aims to present the best tips and recommendations to increase WordPress security.

It is important to note that these measures do not guarantee full protection against hacking attempts, because a 100% secure website does not exist, but they will protect you from most attacks.
These are some practical tips and actions to take.

SELECTION OF RELIABLE HOSTING PROVIDER

Before starting a website design project and planning your online presence, the first step is choosing a hosting provider. Look for providers that offer good support, pay close attention to security, and deliver the best performance for your site.

REGULAR DATA BACKUP

Backup is the basic precaution every website should practice, especially dynamic CMS sites. For WordPress, you can either use a dedicated backup utility that runs automatically, e.g. once a week, or do it manually through direct access to the hosting account.

For WordPress, you need to back up both the files that come with the installation and the database the site is linked to.

The safest solution is to keep a copy of all your site data on your own computer, in a separate folder named with the site name and the date of the backup.

REGULAR VERSION UPDATING

WordPress releases new versions often; do not ignore them! It is vital that the site is kept up to date in terms of core version, plugins, and themes, since new versions raise security to a higher level. WordPress will notify you of newer versions and you can easily update.

To enable automatic updating of the WordPress version in the wp-config.php file, add the following line of code:

# Enable automatic update of WordPress version
define( 'WP_AUTO_UPDATE_CORE', true );

TEST THEMES AND PLUGINS

Themes and plugins can contain security vulnerabilities that hackers can exploit. Use only vetted themes and plugins that follow the WordPress coding standards.

We suggest these two plugins to test themes and plugins:

    - Theme Check
    - Plugin Check

DELETE INACTIVE/OLD THEMES AND PLUGINS

WordPress themes and plugins that are installed but not used are a potential security risk and, if they are not kept up to date, can contain security vulnerabilities that hackers can exploit.

It is best to remove all themes and plugins that are not in use and keep only those that are needed.

TURN OFF THE THEMES/PLUGIN EDITOR

If an intruder gets into the admin area of the site, access to the theme and plugin files should already be locked down so that malicious code cannot be added. For example, hackers could otherwise modify template files or change permissions without your knowledge. Turning off the editor prevents attackers from making any such changes to the files through the dashboard.

To achieve this, in the WordPress installation directory, find the wp-config.php file and add the following code:

/* turn off themes and plugins editor */
define( 'DISALLOW_FILE_EDIT', true );
/* DISALLOW_FILE_MODS also blocks plugin/theme installs and updates from the dashboard,
   including the automatic updater, so it overrides WP_AUTO_UPDATE_CORE from the section above */
define( 'DISALLOW_FILE_MODS', true );

INSTALLATION AND ADJUSTMENT OF WORDPRESS

These are practical tips that can contribute to greater security:
    - Change the database prefix from wp_ to another combination of letters and numbers (e.g. $table_prefix = 'eofofe56k6';)
    - Do not use admin as the username
    - Remove the user whose ID = 1
    - Create a long and strong password; never use the company name, site name, and so on
    - Hide the meta tag that displays the WordPress version by adding the following line to the theme's functions.php file: remove_action( 'wp_head', 'wp_generator' );
    - Change the path used to access the wp-admin area (e.g. with iThemes Security)
    - Limit the number of login attempts through wp-admin.

PROTECT THE .HTACCESS FILE

Figuratively speaking, the .htaccess file acts as the gatekeeper of your site. It allows you to control access to files, which means you can define access rights for particular files and file types. It is a hidden file in the root directory of your site; to see it, enable the option to display hidden files in your file manager or FTP client.

When you open it in the editor, add the following code:

# protect the .htaccess file
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

This ensures that no one except you can access the .htaccess file, and so protects against intruders who try to change your site's access rules.

DEACTIVATION OF DIRECTORY LISTING

Another useful addition to the .htaccess file is a line that prevents directory listing inside your WordPress installation.

Directory listing lets others see the complete file structure of your site and look for potential security vulnerabilities. To prevent this, add the following line to the .htaccess file in the root folder of the WordPress installation.

Options -Indexes

This will greatly hamper the work of potential attackers.

PROTECT WP-CONFIG.PHP FILE

Since wp-config.php contains a lot of sensitive information about your site, you need to make sure no one else can get to it. Details such as the database username and password are invaluable to your site.
You can protect the WordPress database by locking down the wp-config.php file. Add the following code to the .htaccess file:

# protection wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

This code prevents public access to the wp-config.php file, keeping your confidential information secure.
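As an added example (my own code, not the article's), a small Python audit that reads a wp-config.php and a .htaccess and reports which of the hardening steps from the sections above are missing: core auto-update, the file editor switch, the wp_ table prefix, the deny blocks for wp-config.php and .htaccess, and Options -Indexes. The two sample inputs are constructed for the demonstration and apply only some of the steps.

```python
import re

# Constructed samples (not from any real site): a wp-config.php fragment and a
# .htaccess that apply only some of the article's hardening steps.
WP_CONFIG = """<?php
$table_prefix = 'wp_';
define( 'WP_AUTO_UPDATE_CORE', true );
define( 'DISALLOW_FILE_EDIT', true );
"""
HTACCESS = """# protection wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
"""

def php_defines(src):
    """Map NAME -> bool for every define('NAME', true|false) in a PHP source."""
    pat = re.compile(r"define\s*\(\s*['\"](\w+)['\"]\s*,\s*(true|false)\s*\)", re.I)
    return {m.group(1): m.group(2).lower() == "true" for m in pat.finditer(src)}

def files_blocks(src):
    """Map each <Files target> to its lowercased, non-empty directive lines."""
    pat = re.compile(r"<files\s+([^>]+)>(.*?)</files>", re.I | re.S)
    return {m.group(1).strip(): [ln.strip().lower() for ln in m.group(2).splitlines()
                                 if ln.strip()] for m in pat.finditer(src)}

def denies(blocks, needle):
    """True if a <Files> block whose target mentions needle has 'deny from all'.
    Classes like [Hh] are folded to h so the article's regex-style target matches."""
    for target, lines in blocks.items():
        folded = re.sub(r"\[([a-z])\1\]", r"\1", target.lower())
        if needle in folded and "deny from all" in lines:
            return True
    return False

def audit(wp_config, htaccess):
    """Return the article's hardening steps that the two files do not apply."""
    defines = php_defines(wp_config)
    missing = [n for n in ("WP_AUTO_UPDATE_CORE", "DISALLOW_FILE_EDIT") if not defines.get(n)]
    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", wp_config)
    if prefix is None or prefix.group(1) == "wp_":
        missing.append("table_prefix")
    blocks = files_blocks(htaccess)
    for needle, label in (("wp-config.php", "wp-config.php"), ("hta", ".htaccess")):
        if not denies(blocks, needle):
            missing.append(label)
    if not re.search(r"^\s*options\s+.*-indexes", htaccess, re.I | re.M):
        missing.append("Options -Indexes")
    return missing
```

Running audit(WP_CONFIG, HTACCESS) on the samples reports the default table prefix, the unprotected .htaccess and the missing Options -Indexes.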

 

DENY WP-LOGIN.PHP ACCESS FROM UNLISTED IP ADDRESSES

This is another trick achieved by editing the .htaccess file. The wp-login.php file is used to log in to the WordPress admin area and is reachable from any location, which is very convenient but also a major security risk.

Using .htaccess, you can deny access to this file from all IP addresses and then list the addresses that are allowed.

Add the following code to the .htaccess file, replacing the x placeholders with the IP addresses that should have access.

# Apache 2.2-style access directives (on Apache 2.4 they need mod_access_compat)
<files wp-login.php>
order deny,allow
deny from all
# static IP: a single address
allow from xxx.xxx.xxx.xxx
# dynamic IP: a range written as network/prefix (/24 = 256 addresses, /16 = 65536)
allow from xxx.xxx.xxx.0/24
allow from xxx.xxx.0.0/16
</files>

If you have a fixed IP address, use the static entry; if your address changes, use a range that covers it.

PROTECT ACCESS TO THE WP-ADMIN FOLDER

The protection you gain from the list of IP addresses allowed to reach wp-login.php can be doubled by doing the same for the wp-admin folder. Add the following code to a .htaccess file inside the site's wp-admin folder to block unknown IP addresses.

# Apache 2.2-style access directives (on Apache 2.4 they need mod_access_compat)
# cover POST as well as GET, otherwise form submissions would bypass the restriction
<Limit GET POST>
order deny,allow
deny from all
# static IP: a single address
allow from xxx.xxx.xxx.xxx
# dynamic IP: a range written as network/prefix (/24 = 256 addresses, /16 = 65536)
allow from xxx.xxx.xxx.0/24
allow from xxx.xxx.0.0/16
</Limit>
# note: wp-admin/admin-ajax.php is used by some front-end features and is blocked too

PREVENT ACCESS TO FILES WITH THE .EXE EXTENSION

Add the following code to your .htaccess file:

# deny all .exe files
<files "*.exe">
order deny,allow
deny from all
</files>

This prevents any .exe file on the server from being served to visitors, raising security to a higher level.

Website security is usually the last thing website owners think about, but to ensure business stability it needs much more attention.

Follow me on Twitter – @SrdjanKali.
