People who run blogs and personal websites of the “a little about everything” kind rarely think about security until the first attack. That is easy to explain: owners of small sites simply do not believe that anyone would need to hack them. But practice shows that it is better to take measures to protect a WordPress site in time than to discover later that the page is spreading malware. Curiously enough, more and more user computers today are infected by viruses through such small blogs and sites. Besides spreading viruses and Trojan horses, there are many reasons for attacks on sites: from publishing illegal advertisements to plain hooliganism, attempts at takeover or complete removal.
What should be taken into account to protect the site from hackers?
First of all, as mentioned above, the most common reason websites get hacked is the owner's negligent attitude. Unwillingness to read articles about information security and to follow experts' recommendations has cost many careless webmasters a lot of effort and headaches.
Secondly, providing reasonably stable website security takes much less time than fixing the results of a hacker's actions. The same is true of complexity. That is why security should not be ignored: taking care of it will greatly simplify your life and leave you more time and energy for something pleasant.
Thirdly, there are no websites that hackers have no interest in at all. It is impossible to say for sure why they hack personal pages. Some want to place their ads for free or become the owner of a ready-made site. Others are motivated by idle curiosity or a wish to vandalize a little. Therefore, even if no one holds a grudge against the webmaster and the website's subject is not too competitive, protection from hackers is still needed. Finding that your page was damaged after you spent so much time, ideas and effort on it is unpleasant at the very least, and harmful to your CV.
First-priority measures for securing a WordPress website
People say that everything ingenious is simple. This is also true of WordPress security: most of the measures don't require any special knowledge or skills. Even a beginner webmaster can easily secure a site against hacking.
The first required measure is deleting the admin user right at the launch stage, as filling the site with content while such a security hole exists is a waste of time. It is obvious how much this account simplifies the hacker's job. Depending on the WordPress version, this is done either manually or with an SQL query. The new account with administrator permissions should be set up so that its displayed name differs from the login; this further complicates the hacker's job.
The second important step is generating a complex password. The built-in strength indicator in WordPress is useful here: it turns green when the combination is strong enough. Of course, it is unwise to use existing words, as even a word of seven or more characters is easy to crack. It is recommended to combine lower- and upper-case letters, numbers and punctuation marks, preferably at random. You can use one of the password generators for this; many of them produce very complex combinations.
The third thing to do is install a plugin that limits the number of login attempts, Login LockDown for instance. Besides its main function, it logs the history of failed login attempts and blocks potential attackers if they make many login attempts from the same IP address. It also makes sense to stop WordPress from showing authentication errors. This feature certainly makes life easier for users, but it also increases the chances of the site being hacked. Turning it off is very easy: add “add_filter('login_errors', function ($a) { return null; });” to the functions.php file of the selected theme.
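The per-IP counting of failed logins described above can also be checked from the web server's access log. The script below is an added example, not code from the original article or from Login LockDown; it assumes the combined log format and that a failed login is a POST to wp-login.php answered with status 200 (a successful login redirects with 302). The log lines are constructed samples.

```sh
#!/bin/sh
# Added example: list client IPs with at least MIN failed WordPress logins.
# Assumptions: combined access-log format; a failed login is a POST to
# wp-login.php answered with 200, a successful one is answered with 302.

# failed_logins LOGFILE MIN  -> prints "<count> <ip>", highest count first
failed_logins() {
    awk -v min="$2" '
        $6 == "\"POST" && $7 ~ /\/wp-login\.php(\?|$)/ && $9 == 200 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$1" | sort -rn
}

# Constructed sample lines (documentation-range addresses, not real traffic).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
EOF
}

# Usage: script LOGFILE [MIN]; with no arguments it runs on the sample above.
if [ "$#" -ge 1 ]; then
    failed_logins "$1" "${2:-3}"
else
    sample_log | failed_logins - 3
fi
```

A single failed POST followed by a 302 from the same address, as in the second sample client, is the normal pattern of a mistyped password and stays below the threshold.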
Don't forget about backups. Regular backups are useful for a range of reasons and take very little time. Moreover, there are special plugins that make the process even simpler. You also need to update WordPress regularly, as new versions contain not only visual improvements but also security improvements. The version must be hidden from attackers' eyes by removing the readme.html and license.txt files from the site root folder and by adding the code “remove_action('wp_head', 'wp_generator');” to the functions.php file. This hides the information about the engine version, so an attacker will not learn which vulnerabilities and other defects he could use.
There is one more important step in protecting against hacking: deleting unneeded plugins and themes. Inactive components are sometimes very useful to hackers, and the site's level of security depends directly on whether they are present.
Advanced security for websites and blogs
The measures above will significantly increase the security of a WordPress-based site. But that is still not enough. To improve resistance to hacking you need to carry out a few more operations that close the remaining gaps.
First, when choosing hosting, pay attention to offers that allow you to use the SSL protocol. It helps protect transferred data from interception and therefore raises the level of security. To force the use of SSL, add the line “define('FORCE_SSL_ADMIN', true);” to the wp-config.php file.
Secondly, you should install WordPress in a folder with an unpredictable name. This makes it much harder to find the login page of the admin section. You also need to set up pre-authorization, which will not only complicate password guessing but will also throw bots for a loop.
Thirdly, you should restrict the wp-includes and wp-content directories. To do this, create an index.php file in each subfolder of these folders. You can also do this with the help of special plugins.
And the last thing that matters for protection from hacking attacks: even the safest passwords can be guessed given enough time. That is why you need to change them regularly in order to secure the site.
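The file-level steps above (removing readme.html and license.txt, the two functions.php lines, FORCE_SSL_ADMIN, and an index.php in every subfolder of wp-includes and wp-content) can be verified with a short audit script. This is an added example, not part of the original article; the function name and its two arguments (the WordPress root and the folder name of the active theme) are assumptions of this sketch.

```sh
#!/bin/sh
# Added example: audit a WordPress directory against the steps in this article.
# Assumed arguments: $1 = WordPress root, $2 = folder name of the active theme.
# Prints one FAIL line per finding; returns 0 only if nothing failed.
wp_audit() (
    root=$1
    funcs="$root/wp-content/themes/$2/functions.php"
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    # Version disclosure: both files should be deleted from the site root.
    for f in readme.html license.txt; do
        if [ -e "$root/$f" ]; then fail "$f still present in site root"; fi
    done

    # wp-config.php must force SSL for the admin area (commented-out lines do not count).
    if ! grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]FORCE_SSL_ADMIN['\"][[:space:]]*,[[:space:]]*true" \
        "$root/wp-config.php" 2>/dev/null; then
        fail "FORCE_SSL_ADMIN is not enabled in wp-config.php"
    fi

    # Theme functions.php: generator tag removed, login error text suppressed.
    if ! grep -Eq "^[[:space:]]*remove_action\(.*wp_generator" "$funcs" 2>/dev/null; then
        fail "wp_generator is not removed in functions.php"
    fi
    if ! grep -Eq "^[[:space:]]*add_filter\(.*login_errors" "$funcs" 2>/dev/null; then
        fail "login_errors is not filtered in functions.php"
    fi

    # Every subfolder of wp-includes and wp-content needs its own index.php.
    missing=$(find "$root/wp-includes" "$root/wp-content" -mindepth 1 -type d \
        -exec sh -c '[ -e "$1/index.php" ] || echo "$1"' _ {} \; 2>/dev/null || true)
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/FAIL: no index.php in /'
        fails=$((fails + 1))
    fi

    [ "$fails" -eq 0 ]
)

# Usage: script WP_ROOT THEME_FOLDER
if [ "$#" -ge 2 ]; then wp_audit "$1" "$2"; fi
```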