6 Simple Ways to Protect Your WordPress Website From Hackers

Today, the most commonly used content management system is WordPress. Businesses and individuals prefer to use WordPress because it is easily managed, simple to use and can be modified with the utmost ease. When a platform like WordPress becomes so popular, hackers and cybercriminals start to notice it. With the extensive use of different malware attacks, bots and malicious programs, hackers can damage the websites. This damage can cause businesses and individuals with reputational loss as well as monetary loss. I am sure even if today you want to create and launch a website you will most likely want it to be created on WordPress. Well, there is no harm in creating a website on WordPress but keeping the website safe and secure should be the primary task that needs to be taken care of.

Following are a few steps with which you can protect your WordPress website from getting hacked; these tips will help you keep hackers away;

It’s Recommended To Restrict Your Directory Listings:

Do you know that by default all the files are visible to hackers if they can get a hold of the directory of the index? In order to keep your website secure from hacking you need to disable directory listings. This way no folders will be shown to anyone. It is suggested that sensitive files should not be accessible to general visitors or anyone who has malicious intentions to hack the website. By creating your website on WordPress you can easily hide the directory listing. Here’s how you can do that;

  1. To start with open your .htaccess file.
  2. Use the code (shared as under) in to the file over all WordPress rules;

# Disable directory view

Options –Indexes

  1. Once the code mentioned above is added save it and upload the file. You’ll witness the magic; file directory will be hidden now.
  2. No matter how many times you refresh your browser or clear the cache you won’t be able to access those files, in fact it will show a forbidden message and the directory will be hidden.

Limit User Record:

On WordPress websites, hackers try to find out the usernames which have access to your website. Usually hackers go for a simple tactic, all they need to do is simply add “?author=1” at the end of the url and they can find the username of the author who has written the post and has the username to login to your website. It’s recommended to hide those public usernames in order to keep your website secure and protected from malicious attacks.

How does this work? Hackers normally use scripts to fetch the usernames of the authors of any website, and this can cause you huge security damage. This practice is known as enumeration, as it’s clear from the term, hackers crack the username by finding username’s specific ID number. It can be prevented if you follow the basic steps, mentioned as under;

  1. The best way to start the precaution is by renaming the display name.
  2. Click on the username and make a few changes in the author profile. The username and display name are now separate. Save it. Make your Nickname visible rather than your username. This step will still let hacker see the url and to take care of that, follow the next step.
  3. Get the Stop User Enumeration plugin that is available on WordPress, install it and activate it. It is one of the most used plugins because it is very easy to operate;
  4. Once activated, you should check it yourself by adding “?author=1” at the end of each URL and you will be surprised to see that a forbidden message will appear after testing it.

Keep Your Website’s WordPress Version Number Hidden:

WordPress is super effective and helpful, there’s no doubt in it but it has a few risks associated with it too. For instance, you can easily find the version number of WordPress by using codes of JavaScript, HTML and CSS; plus, with feeds as well (like RSS feed). If this code is found by the hacker then there are possibilities that your website can be compromised, make sure you hide the WordPress version number for your own benefit. If not, this can lead you to the exploitation of the weaknesses present in your website.

WordPress version number can be easily seen if you view the source code or feed code of the website. If you want to disable and limit this particular number you need to access your website with your CPanel or an FTP client and go to the root folder. Find the file named as functions.php and access it with a source code editor. Add the code mentioned below at the end of the function file; the code will hide the WordPress version number from all the codes and feeds.

  • // remove version from head
  • remove_action(‘wp_head’, ‘wp_generator’);
  • // remove version from rss
  • add_filter(‘the_generator’, ‘__return_empty_string’);
  • // remove version from scripts and styles
  • function shapeSpace_remove_version_scripts_styles($src) {
  • if (strpos($src, ‘ver=’)) {
  • $src = remove_query_arg(‘ver’, $src);
  • }
  • return $src;
  • }
  • add_filter(‘style_loader_src’, ‘shapeSpace_remove_version_scripts_styles’, 9999);
  • add_filter(‘script_loader_src’, ‘shapeSpace_remove_version_scripts_styles’, 9999);

Now save it and upload the updated functions.php file and you’ll be surprised to see that there is no version number that you can view.

Avoid Robotic Hack-Attacks By Giving Tables Unique Prefix:

It’s a commonly known fact that WordPress table prefix if “wp_”, hackers are aware of this and they keep creating bots and they write scripts that attack table naming convention. The best way to prevent this activity is to give an exclusive and different prefix, this will cause an obstruction in searching for the relevant name which attacker is trying to hit or search for. This can be done during the installation process by renaming the table prefix from the default name. Keep that prefix easy to remember and identify for yourself. Add anything after wp_ that makes sense to you or is easy to recall.

Keep An Eye On Error Logs:

The best way to find out who is trying to access your website is to go through your error logs within your hosting platform. This is one of the smartest ways to keep an eye. You can do this by simply signing in to your cPanel and look out for Error Logs and Raw Access. In case you find any errors there then all you should do is ban the users who are continuously trying to send bots and other malicious attempts towards your website. This can easily be done by installing another WordPress plug-in named WP-Ban. After installing and activating this plugin all you need to do is click “BAN” after going in to the settings. In addition you can also add the IP addresses that are sending malicious traffic towards your website.

Go For Website File Changes Monitor Plugin:

You need to make sure that if there are any changes occurring in your website they should either be initiated by you or any of your team members. Monitoring this is crucial. WordPress has a plugin which can help you in monitoring any file changes, go for Website File Changes Monitor and make your life easy and hassle-free. With the help of this plugin you can get a report of deletion, modification or addition of files; after a detailed scanning of your website. Run the test yourself and you will get a detailed report.

If you want to keep your WordPress website secure and free from any weaknesses then you should give these six points importance. They are very easy to follow and they are not even time consuming. Your WordPress website possesses a reputation and you don’t want to risk that. Do let us know any other steps which you think can safeguard any WordPress website.