Let’s start with some statistics
One of the articles on WP White Security gives the statistics of hacked websites:
- 41% were hacked through a vulnerability of the hosting account
- 29% were hacked via a security issue in the WordPress theme they were using
- 22% were hacked via a security issue in the WordPress plugins they were using
- 8% were hacked because of a weak password
Choose reliable hosting
41% of the hacks were enabled due to security issues on hosting platforms, so choosing a high-quality hosting company is very important. A good hosting platform should meet the following criteria:
- Support for the latest versions of PHP and MySQL
- Optimized for WordPress
- Scanning for malware and junk files
Also, do not forget to backup the database and files.
Important installation settings
WordPress Security Keys. Keys improve the encryption of information stored in visitor cookies. They also make it harder for your password to be hacked, since random elements are added to it. Keys can be changed in wp-config.php.
Changing prefixes to database tables. This can help prevent SQL injection vulnerabilities. You will find the prefix to the table names in your wp-config.php file.
WordPress Themes and Plugins
Through the holes in the security of plugin codes and themes, malicious users get access to sites in more than 50% of cases. Therefore, it is important to weigh all pros and cons before using this or that plugin/theme.
Use the correct file/directory permissions
This is another important step in improving security. Installing 777 directory permissions (everyone can read, write and execute) allows attackers to download various files to this directory or modify already existing ones. It is recommended to set the following permissions (usually you can do this through the hosting panel or the FTP client):
- All directories must have 755 or 750 permissions
- All files must have 644 or 600 permissions
- For wp-config.php, set 600 permissions.
Disable script error messages
If any of your plugins or themes contains an error, a message about it may appear on the site. It usually shows the complete path to your website directory. This information is useful for hackers. You can disable script error messages by adding the following lines to the wp-config.php file.
If you want the information you transmit to be protected, you need to use an SSL protocol that ensures the integrity and confidentiality of data exchanges. In WordPress, it’s as easy as pie.
First of all, find out if your provider can use SSL. If so, then open the wp-config.php file and add the following line.
define (‘FORCE_SSL_ADMIN’, true);
Hide the WordPress version
WordPress automatically inserts its version number into the source code of the pages. Unfortunately, it is not always possible to update the engine in time. This means that knowing what version of WordPress you have with all its drawbacks and weaknesses, the attacker may cause a lot of trouble for you. In order to hide the version of WordPress, open functions.php, which lies in the folder with the active theme of your blog (wp-content / themes / title-your-themes /) and add the following code there:
remove_action (‘wp_head’, ‘wp_generator’);
Plugins to enhance WordPress and WooCommerce security
When it comes to WordPress and WooCommerce security plugins, Wordfence is always the first one to mention. The plugin has scored 4.9 stars out of 5. When choosing security plugin, Wordfence with such an impressive result deserves your attention.
All In One WP Security & Firewall
This is an easy to use, robust and reliable WordPress security plugin. It reduces security risk by verifying vulnerability, eliminating it and implementing the latest recommended practices and methods of protecting WordPress. The plugin is 100% free.