How to Secure a WordPress Site the Effective Way
Today we’re getting many support requests from people whose WordPress websites have been hacked and compromised. Most of them come from a non-technical, non-coder, non-WordPress background and usually installed their WordPress sites and blogs directly from a hosting control panel application such as Softaculous or Fantastico. Lacking web security knowledge, they end up with a long list of security plugins picked from the official WordPress plugin directory.
Here we share some tips and information based on our experience. All of the guides here have been tested and proven to work in most WordPress hosting environments.
Do you know that the “bad guys” love the following?
- Randomly exploiting vulnerable WordPress features, such as XML-RPC.
- Having fun with widely used plugins that have known security flaws and loopholes.
- Simply Googling the plugin directory path “/wp-content/plugins/**super-easy-to-hack-plugin**/” and voilà! Your website is listed on Google. Let’s have fun 🙂
- Setting up a brute-force bot that spams your /wp-admin/ login page to find the password for a user named “admin”, “test”, “Administrator” or “yourdomainname”.
- Ouch! “ERROR: The password you entered for the username admin is incorrect. Lost your password?” Tadaa! Thank you for telling them that the username “admin” does exist. You’ve made their life easier!
- Guessing an easy password with a brute-force password list within 5 seconds. Don’t tell me that your password is “abc123”, “0987612345”, “admin”, “1qaz2wsx”, “admin123”, “1029384756”, “1234567890” or “superman”. If it’s one of these, please change it to something more unique.
All of the above are the most common ways hackers get into your WordPress installation and files and then inject malicious code, scripts or files into the website, for profit or just for fun.
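The login error quoted above is the classic username-enumeration leak: the site answers differently depending on whether the account exists. As an added example (not code from the original post or from Wordfence), here is a small WordPress must-use plugin that makes every login failure return the same neutral message; the file path is assumed, and the two sample error strings in the self-check are constructed, not captured from a real site.

```php
<?php
/**
 * Added example (not from the original post or from Wordfence): a WordPress
 * must-use plugin that stops the login form from confirming which usernames
 * exist. Assumed file path: wp-content/mu-plugins/generic-login-errors.php
 */

/**
 * Replace the detailed login error with one neutral message.
 *
 * WordPress passes the HTML it is about to display. For a real account that
 * text says the password for that username is incorrect; for a missing account
 * it says the username is unknown. Returning identical text for both removes
 * the difference an attacker would use to confirm that "admin" exists.
 */
function gle_generic_login_error(string $errors): string
{
    // Only rewrite the login action; leave registration and password-reset messages alone.
    $action = isset($_REQUEST['action']) ? (string) $_REQUEST['action'] : 'login';
    if ($action !== 'login' || $errors === '') {
        return $errors;
    }

    // Keep the recovery link so legitimate users can still reset their password.
    $lost = function_exists('wp_lostpassword_url')
        ? ' <a href="' . esc_url(wp_lostpassword_url()) . '">Lost your password?</a>'
        : '';

    return '<strong>Error:</strong> Invalid username or password.' . $lost;
}

if (function_exists('add_filter')) {
    add_filter('login_errors', 'gle_generic_login_error');
}

// Stand-alone self-check (php generic-login-errors.php): outside WordPress, two
// different (constructed) inputs must collapse to the same output.
if (PHP_SAPI === 'cli' && !function_exists('add_filter')) {
    $existing = '<strong>Error:</strong> The password you entered for the username admin is incorrect.';
    $missing  = '<strong>Error:</strong> The username nobody is not registered on this site.';
    $a = gle_generic_login_error($existing);
    $b = gle_generic_login_error($missing);
    echo $a === $b
        ? "OK: identical message for existing and missing usernames\n"
        : "FAIL: messages still differ\n";
}
```

Drop the file into `wp-content/mu-plugins/` and it loads without activation. The message is only half the story: the same idea applies anywhere the site responds differently for a real and an unknown username, so check the other forms the same way.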
How to Keep Hackers Out?
Here are a few things you can do right now if they haven’t been done on your site yet, regardless of whether your website has already been hacked or not. No matter if you’re a WordPress beginner or a pro, these guides should be easy to follow and we highly recommend them.
The Power of Wordfence
Install the Wordfence plugin. Wordfence is a lightweight WordPress plugin that acts as a “firewall” for your website. It can log all visitor traffic to your website, failed login attempts and 404 requests for known vulnerable URLs, and remotely scan your website for known dangerous scripts and malicious files.
More guides on how to quickly configure Wordfence can be found here.
From the Wordfence logs, we can now tell whether our website is being targeted or not. In our case the logs show that the hackers always try the “admin” username, which might exist on our website. If you do have an administrator account with the username “admin”, delete it quickly and use something else (create a new administrator with a different username first, then delete “admin” and reassign its content to the new user).
We can also see brute-force bot software at work: an IP from Ukraine tried to log in 2006 times within 2 hours! In our Wordfence settings we allow 5 password attempts within 5 minutes before that IP is blacklisted for 2 months. You can also set Wordfence so that whenever someone tries to log in with the “admin” username they are banned automatically, because we know that username does not exist and they are trying to hack our website.
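To make the lockout settings above concrete, here is the same policy written out as plain PHP, as an added example that is not code from the original post or from Wordfence: 5 failures from one IP within 5 minutes blocks that IP for 2 months (taken as 60 days), and any attempt with the username “admin” blocks it at once. The function runs from the command line against a constructed list of failed logins; the WordPress hook wiring at the end is an assumption about how one would plug it in, and only runs inside WordPress.

```php
<?php
/**
 * Added example (not from the original post or from Wordfence): the lockout
 * policy described above, as a plain function plus assumed WordPress wiring.
 */

const LOCK_MAX_FAILURES     = 5;
const LOCK_WINDOW_SECONDS   = 5 * 60;
const LOCK_DURATION_SECONDS = 60 * 24 * 60 * 60; // "2 months", taken as 60 days
const BANNED_USERNAMES      = ['admin'];         // accounts we know do not exist

/**
 * Walk failure records in time order and decide which IPs to block.
 * Each record: ['ip' => string, 'user' => string, 'ts' => int (Unix seconds)]
 * Returns: ip => ['until' => int, 'reason' => string]
 */
function lockout_decisions(array $failures): array
{
    $recent  = [];   // ip => timestamps of failures still inside the window
    $blocked = [];

    foreach ($failures as $f) {
        $ip = $f['ip'];
        if (isset($blocked[$ip])) {
            continue;                                 // already blocked, nothing more to decide
        }
        if (in_array(strtolower($f['user']), BANNED_USERNAMES, true)) {
            $blocked[$ip] = ['until'  => $f['ts'] + LOCK_DURATION_SECONDS,
                             'reason' => 'tried banned username "' . $f['user'] . '"'];
            continue;
        }
        $recent[$ip][] = $f['ts'];
        // Sliding window: keep only failures from the last LOCK_WINDOW_SECONDS.
        $cutoff = $f['ts'] - LOCK_WINDOW_SECONDS;
        $recent[$ip] = array_values(array_filter($recent[$ip], fn(int $t): bool => $t > $cutoff));
        if (count($recent[$ip]) >= LOCK_MAX_FAILURES) {
            $blocked[$ip] = ['until'  => $f['ts'] + LOCK_DURATION_SECONDS,
                             'reason' => sprintf('%d failures within %d seconds',
                                                 count($recent[$ip]), LOCK_WINDOW_SECONDS)];
        }
    }
    return $blocked;
}

/** Constructed sample data: a forgetful user, a bot trying "admin", and a bot guessing "test". */
function sample_failures(): array
{
    $t0   = 1700000000;                               // arbitrary fixed start time
    $rows = [];
    // 203.0.113.10: three mistakes spread over 20 minutes - a human, must not be blocked
    foreach ([0, 600, 1200] as $d) {
        $rows[] = ['ip' => '203.0.113.10', 'user' => 'editor', 'ts' => $t0 + $d];
    }
    // 198.51.100.7: a single attempt as "admin" - blocked immediately
    $rows[] = ['ip' => '198.51.100.7', 'user' => 'admin', 'ts' => $t0 + 5];
    // 198.51.100.9: six guesses in one minute against "test" - trips the 5-in-5-minutes rule
    for ($i = 0; $i < 6; $i++) {
        $rows[] = ['ip' => '198.51.100.9', 'user' => 'test', 'ts' => $t0 + 10 + $i * 10];
    }
    usort($rows, fn(array $a, array $b): int => $a['ts'] <=> $b['ts']);
    return $rows;
}

// Stand-alone run (php lockout.php): print the decisions and check them against the sample.
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $blocked = lockout_decisions(sample_failures());
    foreach ($blocked as $ip => $d) {
        printf("%-14s blocked until %s (%s)\n", $ip, gmdate('Y-m-d', $d['until']), $d['reason']);
    }
    $ok = isset($blocked['198.51.100.7'], $blocked['198.51.100.9']) && !isset($blocked['203.0.113.10']);
    echo $ok ? "policy check passed\n" : "policy check FAILED\n";
}

// Assumed WordPress wiring: record each failure, then refuse logins from blocked IPs.
if (function_exists('add_action')) {
    add_action('wp_login_failed', function ($username): void {
        $log   = get_option('lockout_failures', []);
        $log[] = ['ip' => $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0', 'user' => (string) $username, 'ts' => time()];
        update_option('lockout_failures', array_slice($log, -5000), false);  // cap the stored history
    });
    add_filter('authenticate', function ($user, $username, $password) {
        $blocked = lockout_decisions(get_option('lockout_failures', []));
        $ip      = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
        if (isset($blocked[$ip]) && $blocked[$ip]['until'] > time()) {
            return new WP_Error('ip_blocked', 'Too many failed login attempts.');
        }
        return $user;
    }, 5, 3);
}
```

One caveat worth checking before relying on any IP-based lockout, whether this sketch or a plugin: if the site sits behind a reverse proxy or CDN, `REMOTE_ADDR` is the proxy’s address, so one bot could lock out every visitor. In that case the real client IP must be taken from the header your trusted proxy sets, and only from that proxy.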
Blocking access to your website from these “bad IPs” is the best way to avoid getting hacked, or hacked a second time. If Wordfence is configured correctly, you can almost ignore the other security plugins that bloat your WordPress website and may slow it down.
Minimise the Risk, Get Them Out of Reach – iQ Block Country
Install iQ Block Country from the WordPress plugin directory. If you’re running an e-commerce site, for example, and only targeting local buyers from your own country or neighbouring countries, iQ Block Country can be used as a simple firewall that prevents your site from being accessed by other, unwanted visitors, which may include foreign web hackers.
With iQ Block Country you can block any suspect countries that may pose a threat or are known as the origin of hackers’ IPs, without affecting your SEO, since this plugin still allows access to your website from popular web crawler bots such as Googlebot, MSNBot and Bingbot.
Now we have two important security add-ons installed on our WordPress site. They can be used together without any conflicts and use very little server resources. With these plugins we have peace of mind without worrying about getting hacked, and if you have been hacked before, then after removing the infected files these tools help reduce the impact and narrow down the root cause by monitoring the website’s activity.