WordPress is a free and powerful CMS that is very easy to use for ordinary users and flexible for developers. It has millions of users and a large community of developers around the world, and a huge selection of themes and plugins is available in the WordPress Themes and Plugins directories. Because of this popularity, WordPress has become an attractive target for attackers. According to WP WhiteSecurity, more than 70% of the 40,000 most popular websites that run WordPress are vulnerable to attack. So if you use WordPress for your site, you should take extra care to make it more secure. Below are some ways:

1. Don’t use the default table prefix

When installing WordPress, don’t use the default “wp_” table prefix. A custom prefix may help against some types of SQL injection attack, because the attacker has to know the exact table names to target them. It is a small obstacle rather than a real defence on its own, so treat it as one layer among the others below.

2. Never use “admin” for administrator username

As another good practice, don’t use “admin” as the administrator username when installing WordPress. This username is very common and is routinely used in brute-force attacks, in which the attacker already knows the username and tries to guess its password by trying every possible password.

3. Use themes and plugins from trusted source

Installing themes and plugins is what most people do right after installing WordPress. There are a lot of useful themes and plugins for WordPress around the Internet, free or paid. You should not use them if you’re not sure whether they are safe, especially themes and plugins that don’t come from the WordPress directory. Some themes and plugins out there ship with a backdoor included, which allows the attacker to gain access to your site without your knowledge. Even those from the WordPress theme and plugin directories may contain serious bugs that put your site at risk. So if security is your highest concern, make sure that what you’re going to install is safe by doing some research about it. Just google the theme or plugin name together with keywords like “bug” or “vulnerability” to find out. You can also do this “the hacker way” by visiting Exploit-DB and searching for the plugin or theme name.

Search for vulnerability from Exploit-DB
Search results for “total cache”

4. Disable file editing and PHP execution

This will help in case an attacker somehow manages to log in to your administrator dashboard and tries to upload a backdoor or malware. With the file editor disabled, the attacker cannot edit your theme and plugin files from the dashboard. With PHP execution disabled in /wp-content/uploads, any PHP file uploaded there will not be executed by the web server.
To disable file editing, add the following line to the wp-config.php file:

To disable PHP execution in the /wp-content/uploads folder, add a .htaccess file to /wp-content/uploads with the following content:
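The two snippets referred to above did not survive on this page. The following must-use plugin is an added example, written for this article and not taken from the original post or from any WordPress plugin; it applies both hardening steps from code and assumes Apache 2.4 (Nginx ignores .htaccess, see the comments). The wp-config.php equivalent of the first step is `define('DISALLOW_FILE_EDIT', true);`, which is the real WordPress constant the step relies on.

```php
<?php
/**
 * Plugin Name: Uploads Hardening (added example)
 * Drop this file into wp-content/mu-plugins/. Example code written for this
 * article, not from the original post or from any WordPress plugin.
 * 1. Disables the built-in theme and plugin file editors.
 * 2. Makes sure wp-content/uploads/.htaccess refuses to serve PHP files.
 */

// Equivalent to adding `define('DISALLOW_FILE_EDIT', true);` to wp-config.php.
// Core checks the constant inside map_meta_cap() at capability-check time, so
// defining it from a must-use plugin (loaded before any admin screen) works too.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// Apache 2.4 directives for wp-content/uploads/.htaccess. Apache 2.2 needs
// "Order deny,allow" plus "Deny from all" instead of "Require all denied".
// Nginx never reads .htaccess: deny /wp-content/uploads/*.php with a
// location block in the server configuration instead.
function uploads_hardening_rules() {
    return '<FilesMatch "\.(php|phtml|phar)$">' . "\n"
         . '    Require all denied' . "\n"
         . '</FilesMatch>' . "\n";
}

function uploads_hardening_htaccess_path() {
    $dirs = wp_upload_dir(); // core API: 'basedir' is the uploads directory
    return trailingslashit($dirs['basedir']) . '.htaccess';
}

// Prepend the deny rule when the file is missing or does not contain it yet.
// Returns true when the rule is in place, false when the write failed.
function uploads_hardening_ensure_htaccess() {
    $path    = uploads_hardening_htaccess_path();
    $current = file_exists($path) ? (string) file_get_contents($path) : '';
    if (strpos($current, 'Require all denied') !== false) {
        return true;
    }
    // LOCK_EX prevents a torn file if two admin requests run at the same time.
    return file_put_contents($path, uploads_hardening_rules() . $current, LOCK_EX) !== false;
}

// Check on every admin page load; warn the administrator if the write fails,
// since a silently missing rule is exactly the failure mode we care about.
add_action('admin_init', function () {
    if (!current_user_can('manage_options') || uploads_hardening_ensure_htaccess()) {
        return;
    }
    add_action('admin_notices', function () {
        echo '<div class="notice notice-error"><p>'
           . esc_html__('Could not write wp-content/uploads/.htaccess; add the PHP deny rule by hand.')
           . '</p></div>';
    });
});
```

After installing it, confirm the rule works by placing a harmless test file such as `uploads/test.php` containing `<?php echo 'x';` and requesting it in a browser: a 403 response means the web server refuses to run PHP from the uploads folder, while seeing the letter x means the rule is not being applied (typically because AllowOverride is off or the site runs on Nginx).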

5. Use a two-factor authentication system

Two-factor authentication can help protect your site from unauthorized logins. In fact, this is a very strong and useful protection layer that is very hard to break through: if an attacker has your password, they must also have your device in order to log in. I recommend using the Duo Two-Factor Authentication plugin because it’s really easy to set up. With Duo Two-Factor Authentication, you have many ways to authorize a login, such as a phone call, SMS or the mobile app… Currently I’m using Duo Mobile on my Blackberry to generate passcodes, no cell service required : )

Duo Two-Factor Authentication enabled

6. Use Limit Login Attempts Plugin

This plugin blocks an IP address from logging in to your WordPress site once a preset number of failed logins is reached, which makes a brute-force attack much harder for the attacker. It is the plugin used by default on WP Engine, a managed WordPress hosting service.

You’re blocked for a while after some failed login attempts
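To show what a plugin like Limit Login Attempts does under the hood, here is a minimal limiter as an added example, written for this article and not the plugin's own source. It counts failed logins per client IP in a WordPress transient and refuses further attempts once a threshold is reached; the threshold and lockout length are assumptions chosen for the example, and the hook names, `get_transient`/`set_transient` and `WP_Error` are real WordPress APIs.

```php
<?php
/**
 * Plugin Name: Minimal Login Limiter (added example)
 * Illustrates the mechanism behind the Limit Login Attempts plugin: count
 * failed logins per client IP and refuse further attempts once a threshold
 * is reached. Example code written for this article, not the plugin's source.
 */

// Policy values are assumptions chosen for this example.
const LOGIN_LIMITER_MAX_ATTEMPTS    = 5;    // failures allowed per window
const LOGIN_LIMITER_LOCKOUT_SECONDS = 900;  // window and lockout length (15 min)

function login_limiter_client_ip() {
    // REMOTE_ADDR is set by the web server. X-Forwarded-For is client-supplied
    // and must only be trusted when a reverse proxy you control sets it.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function login_limiter_key($ip) {
    return 'login_limiter_' . md5($ip); // short transient name, safe for IPv6 too
}

// Count one failure. The transient expires on its own, so the window resets.
function login_limiter_record_failure($ip) {
    $count = (int) get_transient(login_limiter_key($ip)) + 1;
    set_transient(login_limiter_key($ip), $count, LOGIN_LIMITER_LOCKOUT_SECONDS);
    return $count;
}

function login_limiter_is_locked($ip) {
    return (int) get_transient(login_limiter_key($ip)) >= LOGIN_LIMITER_MAX_ATTEMPTS;
}

// Fires for every failed login, including XML-RPC. Attempts made during a
// lockout also count, so a persistent attacker keeps extending the lockout.
add_action('wp_login_failed', function ($username) {
    $ip    = login_limiter_client_ip();
    $count = login_limiter_record_failure($ip);
    // Lines like this in the PHP error log are what to look for when checking
    // whether a brute-force attack is in progress.
    error_log(sprintf('wp login failed: user="%s" ip=%s failures=%d', $username, $ip, $count));
});

// Priority 30 runs after core's password check (priority 20), so a locked-out
// IP is refused even when it finally supplies the correct password.
add_filter('authenticate', function ($user, $username, $password) {
    if (login_limiter_is_locked(login_limiter_client_ip())) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts from your address. Try again later.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function () {
    delete_transient(login_limiter_key(login_limiter_client_ip()));
});
```

Transients live in the options table (or the object cache if one is configured), so the counter is shared across all PHP workers rather than per process. One limitation worth knowing before relying on something like this: an attacker with many IP addresses is slowed down only per address, which is why the username and two-factor advice above still matter.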

7. Backup and update your WordPress regularly

You never know what will happen to your site. Even when you’ve applied all the techniques above and really feel safe, nothing can guarantee that your WordPress will stay safe forever. Someday your server could be compromised, your hosting provider could get hacked, or a serious bug in one of your themes or plugins could be discovered and exploited before you know it. So remember to back up and update your WordPress regularly. Have a look at the BackupWordpress plugin; it makes the backup process simpler. You will never regret this “investment” : ).

* See the Vietnamese version here


Published by Minh Danh

Developer and sysadmin at Silicon Straits Saigon