Every year thousands of WordPress websites get hacked. While it is one of the most robust CMSs available for almost any purpose, a few things must be done to secure a WordPress website.
The most important tips for securing a WordPress website are collected in the checklist below. Each item closes a very common way for an attacker to reach the website's files:
Incorrect File and Folder Permissions
By default, file permissions are set to 640 or 644 (only the owner can write). If they are not, make sure to set them correctly.
Folder permissions are 750 by default. Note that the uploads folder needs mode 755 for plugin and theme installation from the admin panel, because the web server process must be able to create files in it. Mode 777 is never needed on any file or folder; it lets every account on the server write to it.
wp-config.php and .htaccess file permissions
When wp-config.php is writable by anyone other than its owner, an attacker who gains any foothold on the server can modify it to inject a web shell, which then changes all file and folder permissions and injects ad-related malware. To prevent this, make sure the wp-config.php file permissions are set to 444 (read-only for everyone). Keep in mind that 444 still lets other accounts on a shared host read the database credentials in it; if the web server runs as the file's owner, 440 or 400 is stricter and still works.
Attackers also add malware to the .htaccess file, which causes redirection to unknown web pages, so it is important to keep the .htaccess file permissions at 444 as well. Note that WordPress writes its permalink rewrite rules into .htaccess itself, so you will have to make the file writable again briefly whenever you change the permalink settings.
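The following POSIX shell functions are an added example, not code from the original post: they audit a WordPress tree against the modes above (644/640 for files, 755/750 for folders, 444 for wp-config.php and .htaccess) and apply them. They assume a Linux host with GNU coreutils (stat -c) and a web server that runs as the file owner, so the fix uses 644/755 rather than the 640/750 variants; the root path is passed as an argument.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a WordPress tree
# against the modes described above and applies them. Assumes a Linux host
# with GNU coreutils (stat -c) and a web server that runs as the file owner,
# so it applies 644 for files and 755 for directories (the 640/750 variants
# also pass the audit but are not applied).

# Print regular files whose mode is neither 644 nor 640. wp-config.php and
# .htaccess are excluded because they are expected to be 444 (checked
# separately in wp_fix_perms). Empty output means the tree is clean.
wp_bad_files() {
    find "$1" -type f ! -perm 644 ! -perm 640 \
        ! -name wp-config.php ! -name .htaccess
}

# Print directories whose mode is neither 755 nor 750.
wp_bad_dirs() {
    find "$1" -type d ! -perm 755 ! -perm 750
}

# Octal mode of one path, e.g. "444".
wp_mode() {
    stat -c '%a' "$1"
}

# Apply the recommended modes to the whole tree: 755 directories, 644
# files, then 444 for wp-config.php and .htaccess. "-exec ... {} +" runs
# chmod on batches of paths, so names with spaces are handled safely.
# Returns 0 only when a re-audit afterwards finds nothing wrong.
wp_fix_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for locked in "$root/wp-config.php" "$root/.htaccess"; do
        if [ -f "$locked" ]; then
            chmod 444 "$locked"
            [ "$(wp_mode "$locked")" = 444 ] || return 1
        fi
    done
    [ -z "$(wp_bad_files "$root")" ] && [ -z "$(wp_bad_dirs "$root")" ]
}
```

Source the file and run wp_bad_files and wp_bad_dirs first to see what would change; wp_fix_perms is the one that writes. Run it as the file owner (or root), and on a shared host revisit the 444 on wp-config.php as discussed above.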
Disable Theme and Plugin Editor from wp-admin dashboard
Limit what an attacker can do with a stolen administrator login by disabling the file editor in the admin panel: while it is enabled, anyone who can log in as an administrator can write arbitrary PHP into any theme or plugin file straight from the dashboard. Add the following line to your wp-config.php file to disable the theme and plugin editor.
define('DISALLOW_FILE_EDIT', true);
Update WordPress, Themes and Plugins
An outdated plugin or theme with a publicly known vulnerability is an open door for attackers to inject malicious code, and exploitation of disclosed flaws is usually automated within days. So make sure the website is up to date with core, plugin and theme updates, and remove (not just deactivate) any plugin or theme you no longer use, because the files of a deactivated plugin can still be requested directly by URL. With WP-CLI, "wp core check-update" and "wp plugin list --update=available" show what is pending.
Third party Tools and Plugins to monitor suspicious activity
A few plugins and tools help a website stay protected from attackers by rate-limiting logins and monitoring suspicious activity; examples include:
- Loginizer Security Plugin
- iThemes Security Plugin
Block PHP execution from wp-content/uploads directory
Because the web server must be able to write into wp-content/uploads (which is why its permissions are 755), it is the easiest place for an attacker who finds an upload flaw in a plugin or theme to drop a PHP web shell and change how your website works. Nothing legitimate in the uploads folder is PHP, so the fix is to refuse to serve any PHP-like file from there.
Add the following rules to an .htaccess file placed in the root of the uploads folder to block PHP execution. This only takes effect on Apache with AllowOverride enabled for the site, and the older "Deny from all" form is Apache 2.2 syntax that fails with a 500 error on Apache 2.4 unless mod_access_compat is loaded. nginx ignores .htaccess entirely, so there the equivalent rule must go into the server configuration.
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    # Apache 2.4 syntax; on Apache 2.2 use "Deny from all" instead
    Require all denied
</FilesMatch>
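The shell functions below are an added example, not code from the original post. The first writes the deny rule into the uploads folder's .htaccess and locks it to 444; the second lists files in the uploads tree that should never be there, which is the check to run after a suspected compromise or on a schedule. They assume a Linux host running Apache 2.4 with AllowOverride enabled for the site, and the uploads path is a hypothetical argument.

```shell
#!/bin/sh
# Added example, not code from the original post. Writes the deny rule into
# the uploads folder and scans it for PHP that should not be there. Assumes
# a Linux host running Apache 2.4 with AllowOverride enabled for the site;
# the uploads path is passed as an argument (hypothetical location).

# Replace wp-content/uploads/.htaccess with a rule that refuses to serve any
# PHP-like file, then lock the file to 444 as recommended above. The u+w
# first makes a rerun work even after a previous run set 444.
wp_deny_php_in_uploads() {
    htaccess="$1/.htaccess"
    [ -e "$htaccess" ] && chmod u+w "$htaccess"
    cat > "$htaccess" <<'EOF'
# Block execution of PHP dropped into wp-content/uploads
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
    chmod 444 "$htaccess"
}

# Print files in the uploads tree that should never be there: anything with
# a PHP-like extension, plus files of any extension whose content contains
# a PHP open tag (a web shell hidden behind an image name, which some
# misconfigured handlers would still execute). Empty output means clean.
wp_find_php_in_uploads() {
    {
        find "$1" -type f \( -name '*.php' -o -name '*.phtml' \
            -o -name '*.phar' -o -name '*.php[0-9]' \)
        grep -rl '<?php' "$1" 2>/dev/null
    } | sort -u
}
```

Source the file, run wp_deny_php_in_uploads /path/to/wp-content/uploads once, and put wp_find_php_in_uploads in a cron job: any path it prints is either an attacker's file or a plugin doing something it should not.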
Also make sure the hosting company where the website is hosted provides server-side security: a patched and maintained server, isolation between customer accounts, and a firewall. Choosing a proper hosting provider therefore plays an important role as well.