How to secure wordpress from hackers
WordPress has become most popular CMS for small businesses, blog, news and has been a top target among hackers. So here are easy steps you can take to secure your wordpress site. Follow our steps to keep your WordPress website secure.
Many website owners do not think about security at all until it is too late but the 15 minutes it will take to secure your site are well worth it. Learn How to secure wordpress from hackers tips for a safer blog.
Disable File Edits from the WordPress Admin
If a user has access to your WordPress admin area then they will have access to all the files which are currently installed on WordPress this includes all plugins and themes. When you have access to the files you can open the theme in the in-built editor and start changing the HTML of the theme. This is a great feature if you notice a spelling error or need to switch a CSS class in the HTML but if someone doesn’t know what they are doing they can easily break the look of the site.
Disabling the ability to edit PHP files in your WordPress themes and plugins is one way to keep a persistent hacker from making significant changes to your WordPress website without your permission. Often, the first thing a hacker will go to after gaining access to your WordPress admin is the file editors for themes and plugins.
You can actually stop any user from having access to edit the files in the WordPress admin area, which means the only way to change the files would be to upload the files through a FTP.
- Step 1: Open Wp-config.php file through a FTP
- Step 2: Now add the following line of code to the wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true);
Block Plugin Updates and Installation
If you want to make sure that the user’s of your WordPress site are not allowed to update and plugins or install any new plugins then you can use the following code snippet. Add this into your wp-config.php file it will disable access to new updates or installations.
define('DISALLOW_FILE_MODS',true);
Securing WordPress with the htaccess File
Aside from plug-ins there are a number of additions you can make to your .htaccess file which in conjunction with plug-ins and regular updates will tighten up your site’s security and give you that extra level of protection.
I’m going to cover a few of these that I feel protect some of the essentials in your WordPress install and show you how and where to add the code snippets; you don’t have to use every single one, just whatever you feel would help you secure your site.
The typical WordPress .htaccess file looks similar to this:
# BEGIN WordPress <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] </IfModule> # END WordPress
Securing the wp-includes Directory
Now that you know the basics of the WordPress directory’s htaccess file, let’s try a practical example of how to use it to secure your wp-includes directories more sensitive files with htaccess rules. Here is the code you would put after the WordPress commented section in your htaccess file to block access to critical files in your wp-includes directory:
RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ – [F,L] RewriteRule !^wp-includes/ – [S=3] RewriteRule ^wp-includes/[^/]+\.php$ – [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L] RewriteRule ^wp-includes/theme-compat/ – [F,L]s file:
If you are not too familiar with mod_rewrite rules and .htaccess files, don’t worry, you can simply copy and paste the above code into your .htaccess file for you main WordPress folder and you will be fine. The one rule on the fifth line above won’t work for multi-site installations that need to write images, but everything else should work in almost all cases. If you have to comment out or delete the fifth line and you will still have tighter security for wp-includes than you had prior to adding the above code. It does lessen security a little to comment out the fifth line, so only do so if it causes a problem with multiple WordPress sites. If you only have one, it won’t be an issue.
Securing the wp-config.php File
You can also secure access to the wp-config.php file using an addition to the htaccess file. Simply add the following declaration to the file at the top before anything else and no one will be able to access the file via FTP or otherwise:
<files wp-config.php> order allow,deny deny from all </files>
Then to go a step further, you can also move your wp-config.php file up one directory where wp-includes are to further tighten security. This method should probably only be used by those of you that know the implications because it has been talked about extensively and there are several arguments both for and against moving the wp-config.php file up one directory. It is something you can consider if a problem arises however.