WordPress is one of the world’s most popular content management systems. It has been installed more than 76.5 million times and powers 25% of the Internet. According to a report issued by Sucuri, an Internet security company, WordPress is the most hacked CMS in the world. This is a problem, since a hacker who compromises your site could get at your bank card details or family photos, for example. That is why it is necessary to secure WordPress.
WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi).
WordPress core is not directly vulnerable to this issue, but hardening has been added to prevent plugins and themes from accidentally causing a vulnerability.
10 quick steps to secure your WordPress website:
1. Keep your WordPress updated – You can update your WordPress site in two ways: automatically through the Admin Dashboard, or manually through the file manager.
2. Enable two-step verification – As the name suggests, it adds another layer of security to your website: a second step that you must complete to log in. To activate two-step security, you can use the following plugins:
- Authy Two Factor Authentication
- Google Authenticator
- Clef Two Factor Authentication
3. Disable PHP error reporting – Do this as soon as possible, because displayed PHP errors may reveal sensitive information such as file paths (path disclosure), your cPanel username, etc. You can disable PHP errors in two ways: through the wp-config.php file, or through the .htaccess/php.ini file.
4. Create backups regularly – There are several ways to create a backup, but we recommend using the manual method via FTP only. You can also use third-party plugins such as wp-db backup, Backup Guard and VaultPress. The backup must be stored outside the blog and not on the same server as your blog, so that the backed-up files are not themselves infected or damaged.
5. Do not use the default Admin account – This is one of the most common and basic mistakes you can make from a security perspective. Which username do you think hackers try first when trying to access any site? Admin, of course. Create another username and assign administrator rights to this other user before deleting the old default admin user account.
6. Close comments after 30 or 60 days – True, this could be controversial and not everyone will agree with it. If you are the victim of a lot of spam comments, you can try closing comments after 30 or 60 days. This will drastically reduce the amount of spam. Also consider using the Akismet plugin, which will help you block spam.
7. Hide the access link to your Admin – Regardless of your site’s CMS (WordPress or similar), having a login link to the admin interface in a predictable location is like leaving a safe open in a bank. Sure, moving the login link does not guarantee security against hackers, but it adds an extra barrier!
8. Report any WordPress bug and any security problem – WordPress is the most used CMS on the web and the user community is very active. Every day, users report new bugs that are quickly fixed.
9. Block file access permissions – If you want to enhance the security of your WordPress site, you can lock down file permissions and write access. You can do this in several ways: via a plugin or through the settings (cPanel) of your host.
10. Use a WordPress security plugin – Use one to limit failed login attempts. If more than a certain number of attempts are detected within a short time from the same IP address, then the login function is disabled for all future requests from that IP address. This helps prevent brute-force attacks that try to discover the password. You can try the Login LockDown plugin.
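The lockout logic described in step 10, written out as an added example in Python (this is not code from Login LockDown or any other plugin). The threshold, the window, the lockout duration and the sample events are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

class LoginLimiter:
    """Per-IP failed-login limiter. All defaults are assumed values."""

    def __init__(self, max_failures=3, window=300, lockout=3600):
        self.max_failures = max_failures    # failures that trigger a block
        self.window = window                # the "short time", in seconds
        self.lockout = lockout              # how long the IP stays blocked
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time at which the block ends

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is not None and now >= until:
            # Block expired: forget it and start counting from zero.
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            until = None
        return until is not None

    def attempt(self, ip, password_ok, now):
        # Check the block before the password, so that a correct guess
        # from a blocked address is refused as well.
        if self.is_locked(ip, now):
            return "locked"
        if password_ok:
            # The counter is deliberately not cleared on success; otherwise
            # one valid account could be used to reset it between guesses.
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent[0] <= now - self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            return "locked"
        return "failed"

# Constructed sample events: (seconds, source IP, password correct?)
EVENTS = [(0, "203.0.113.7", False), (30, "198.51.100.20", False),
          (60, "203.0.113.7", False), (120, "203.0.113.7", False),
          (130, "203.0.113.7", True), (400, "198.51.100.20", False),
          (3800, "203.0.113.7", True)]

def replay(events):
    limiter = LoginLimiter()
    return [limiter.attempt(ip, ok, t) for t, ip, ok in events]

if __name__ == "__main__":
    for event, outcome in zip(EVENTS, replay(EVENTS)):
        print(event, outcome)
```

Keying on the source IP only works if the server sees the real client address; behind a reverse proxy or CDN every visitor can appear to come from the same IP, and a single block would lock everyone out.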