Every day, tens of thousands of websites are hacked due to carelessness or misconfiguration. This situation can even cause financial and prestige losses. With this week’s topic on Security, here are some tips to take your WordPress website security one step further.
User roles and capabilities
There is more than one administrator on your website. You may not want some of them to perform operations such as changing themes, installing and removing plugins for security reasons. You may also want content creators only to see their own posts. In terms of security, it is not correct for users to change an area outside their responsibility. For this reason, it would be best to open the areas to the users only within their responsibility. User Role Editor plugin helps you organize user privileges and responsibilities.
Plugin Name: User Role Editor
Active installations: 700,000+
WordPress Version: 4.4 or higher
PHP Version: 7.3 or higher
Recommended file permissions
Many websites are hacked due to incorrect file permissions. Thanks to their permissions, we can specify who can run, edit or delete files and folders. We highly recommend using the file permissions recommended by WordPress for this.
You can get more detailed information at https://wordpress.org/support/article/changing-file-permissions/.
wp-admin: 755 wp-content: 755 wp-content/themes: 755 wp-content/plugins: 755 wp-content/uploads: 755
Disable server directory listings
If there is no index.html in the folders you created on your Apache HTTP server, you can follow the steps below to prevent the files in the folder from appearing in your browser.
- Open the .htaccess file via SFTP with a text editor.
- Change the following directive to suit you, add it to .htaccess and save and exit.
<Directory /var/www/cloud7news> Options All -Indexes </Directory>
Test your site’s security compatibility
There are two very good websites that we would recommend for you to analyze the security of your website. Both websites provide a security rating of your website by analyzing HTTP response headers. It also guides you about which security steps you are missing and how you can close these vulnerabilities. One is a website created by the Mozilla team and the other is a website written in PHP by a developer named Scott Helme.
Change the WordPress login URL
By default, all WordPress websites have the same admin login path. Therefore, there is a high probability that your website will be attacked. They only need to guess your password to log in to your site as an administrator. This is not difficult at all if you are using a simple password. Changing the default admin path of WordPress is the first thing you need to do to prevent your website from being hacked after increasing the difficulty of your password.
You can use All In One WP Security & Firewall plugin to change your WordPress admin login path. You can also make your website even more secure by checking out other advanced security steps.
Plugin Name: Plugin Name: All In One WP Security & Firewall
Active installations: 1+ million
WordPress Version: 5.0 or higher
PHP Version: 5.6 or higher
Disable file editing
Your WordPress dashboard includes the Editor that allows you to edit the theme of your website. With this editor, you can easily make changes about your theme, but if your password gets into the hands of a malicious attacker for any reason, it can corrupt all your source files. To avoid this, edir your wp-config.php file by typing the following command.
Make regular backups
No matter how secure your website is, irreversible consequences can occur if an IT team member takes the wrong action while improving your site. You can prevent your data loss by taking your web services’ hourly, daily, weekly or monthly backups. For this, we can recommend you the plugin; UpdraftPlus, which is very easy to use.
Plugin name: UpdraftPlus WordPress Backup Plugin
Active installations: 3+ million
WordPress version: 3.2 or higher