10 Ways to Tell WordPress Hackers to Kiss Your A**
Here’s how to protect your WordPress website from hackers with these 10 security tips:
1: Secure your site with HTTPS – With HTTPS your data is encrypted and hackers can’t read it, even if they have network access.
2: Use strong, unique passwords – Did you know the most common way hackers access websites is simply through weak passwords or passwords previously exposed in data breaches? Use strong passwords that are different from any other password you’ve ever used.
3: Use password managers – A password manager fills in your passwords for you, so even if someone is watching you type on a public network, they won’t be able to see your passwords.
4: Add CAPTCHA – Use CAPTCHA on the login and registration forms to protect against brute-force attacks.
5: Block failed login attempts – Use a WordPress plugin such as WP Limit Login Attempts to further protect against brute-force attempts by blocking failed logins by IP address.
6: Use Two Factor Authentication – This might seem like overkill but it’s not. If hackers obtain your password, the only thing stopping them from accessing your website will be Two Factor Authentication (2FA).
7: Keep WordPress Core up to date – Enable WordPress to do minor updates automatically by adding this line of code in wp-config.php, since these updates include security patches for the core:
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
8: Update WordPress Plugins – When vulnerabilities in plugins are discovered, updates are offered to prevent websites from being hacked. That’s why you want to keep those Plugins updated to the latest version.
9: Use Security Headers – These offer extra protection against Clickjacking and Cross-site Scripting (XSS) attacks. Get a WordPress plugin that enables Security Headers to protect your site.
10: Set File Permissions for WordPress Files – File Permissions are rules that set how files can be read, edited and executed. This is especially important if you host a website on shared hosting, because when any other website on your shared hosting gets hacked, attackers can access files on your website and then gain complete access to your site.
Here are the file permissions for maximum security:
All files – 644
All folders – 775
wp-config.php – ideally 600, but if this causes any issues, use 640 or 644 instead.
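To check an existing install against these modes, here is an added example (not part of the original post) that walks a WordPress folder and flags anything with permission bits beyond the limits listed above. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Limits from the list above: files 644, folders 775, wp-config.php 600
# (pass wp_config_max=0o640 or 0o644 if 600 breaks the site).
MAX_FILE, MAX_DIR, MAX_WP_CONFIG = 0o644, 0o775, 0o600

def audit(root, wp_config_max=MAX_WP_CONFIG):
    """Return sorted (relative path, actual mode, allowed mode) for every
    entry that has permission bits set beyond its limit."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is not meaningful
            if stat.S_ISDIR(st.st_mode):
                allowed = MAX_DIR
            elif name == "wp-config.php":
                allowed = wp_config_max
            else:
                allowed = MAX_FILE
            mode = stat.S_IMODE(st.st_mode)
            if mode & ~allowed:  # any bit outside the allowed mask
                rel = os.path.relpath(path, root)
                findings.append((rel, oct(mode), oct(allowed)))
    return sorted(findings)

def make_sample_site(root):
    """Constructed sample tree (not a real install) with three loose modes."""
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    modes = {
        "index.php": 0o644,
        "wp-config.php": 0o644,                  # looser than 600
        "wp-content": 0o755,
        "wp-content/uploads": 0o777,             # world-writable folder
        "wp-content/uploads/photo.jpg": 0o666,   # world-writable file
    }
    for rel, mode in modes.items():
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            open(path, "w").close()
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        make_sample_site(site)
        for rel, mode, allowed in audit(site):
            print(f"{rel}: mode {mode[2:]} exceeds {allowed[2:]}")
```

Call audit() with the path to your WordPress folder instead of the sample tree to check a real site.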
If your website is hacked, here’s what to do first:
1: Immediately change all of your email and other personal passwords.
2: Restore your website to the latest known backup version prior to the hack.
3: Reset passwords of everyone who has access to your website.