WordPress is a powerful tool that can make website management simple. But because so many websites run on WordPress, it does make the platform a target for hackers. Using bots and other automation methods, hackers can do a great deal of damage to many websites in a short
It’s tempting to launch a new website on WordPress and just let it start doing its work. Instead, pause and take the time to ensure you protect your WordPress website from hackers by following these eight simple steps.
1. Disable directory listings
In this first step, we will disable the directory indexing to improve the security of your website.
What does this mean? If a web server does not find an index file on your website, by default it shows a full list of all files within that directory, which is an open door for hackers.
As you can see in the screenshot below, the folders are visible to the public.
The risk involved with such open directory listings is that they show hackers or individuals with malicious intentions the contents of your server.
Sensitive files should not be accessible to the public in this way. The good news is, if you use a WordPress website, hiding your directory listings is quite simple.
Take these simple steps to disable the directory indexing:
- Go to your .htaccess file and open it.
- Paste the following directive into the file above any WordPress rules:

```apache
# Disable directory view
Options -Indexes
```

- Save and upload the file; the file directory will now be hidden.
- Clear any cache and refresh your browser. It should now show a Forbidden message instead of the directory view.
2. Stop user enumeration
If your usernames are visible on your WordPress website, hackers can use those public usernames to gain access to your website’s login page. All a hacker has to do is add “?author=1” at the end of your URL and they’ll be able to see the username for the author of that post.
A hacker can use a script to find all author usernames for your website, which exposes you to a wide range of security risks.
This is called user enumeration because the hacker walks through the numeric user IDs to learn each username. There is a way to prevent user enumeration, though.
Follow these easy steps.
- In the first step, we will rename our display name. To do this, click your username in the top right corner of the WordPress admin bar.
- Now, make your usernames different from your display names. To do this, scroll down and change the Nickname to something else, then in the "Display name publicly as" dropdown select the nickname you just picked and click Save.
This step prevents hackers from seeing your username listed on the page, but it will still show in the URL if you don’t take the next step.
- Install and activate the Stop User Enumeration plugin. This plugin is popular, well supported and easy to use.
Then, test to see if you can still see your usernames when you add “?author=1” to your URL.
You should get a forbidden message once you test it.
3. Remove WordPress version numbers
When your WordPress version is visible, it tells hackers exactly which known weaknesses of that version to try. There is no real benefit to showing the version number on your site, so it is best to remove it entirely.
If you view the source code or feed code for your website, you’ll see within the head section that the WordPress version is clearly listed.
To disable the versions showing within your website’s code, access your website with an FTP client or through your cPanel and go to your root folder.
Locate the functions.php file and open it with a source code editor.
At the end of the functions file, add the code below (the helper function name is ours; any unique name works):

```php
// remove version from head
remove_action('wp_head', 'wp_generator');
// remove version from rss
add_filter('the_generator', '__return_empty_string');
// remove version from scripts and styles
function remove_version_query_arg($src) {
    if (strpos($src, 'ver=') !== false) $src = remove_query_arg('ver', $src);
    return $src;
}
add_filter('style_loader_src', 'remove_version_query_arg', 9999);
add_filter('script_loader_src', 'remove_version_query_arg', 9999);
```
Save and upload the updated functions.php file and test to see if you can still see the version within your website's code. Complete a search for your version number within the source code to ensure it is no longer appearing.
4. Rename the table prefix during installation
The default WordPress table prefix is always “wp_.” And because hackers are well aware of this default, they write scripts and create bots that attack this table naming convention.
You can blunt these automated attacks by giving your tables a unique prefix: the bots and scripts look for tables under the default name, and tables with that name simply do not exist.
During the installation, you can easily change the default table prefix as illustrated in the screenshot below.
To keep your database tables easy to find and sorted by name, you can add your own characters to the end of the "wp_" prefix.
This can be a set of random characters, so that your prefix looks something like "wp_i2njk_".
5. Disable file editing in the admin area
WordPress is designed for convenient and easy editing. And while that’s a good thing for many people, it can leave you open to security issues.
One example of this is the fact that an admin can edit or make changes to the theme’s files. The same is true for plugins.
Once an attacker has access to the admin area of your website, they can edit the files of your site and do great damage in very little time. You can disable the ability to make changes to these files with one minor change to your configuration file.
Copy and paste the code below into your configuration file (wp-config.php), right above the line that tells you to stop editing.
Save and upload your change. As you can see in the screenshot below the Theme Editor option is no longer visible, the same goes for the Plugin editor under the Plugins section.
The admins will no longer have the ability to edit any files via the dashboard. Instead, they can use an FTP client or cPanel, which is more secure.
This simple security patch can keep your website files safe if a hacker accesses your dashboard area.
Plus, this is quite easy to reverse if you later decide you want your admins to have this file editing capability from within WordPress.
6. Monitor error logs and activity
Monitoring your error logs within your hosting platform can give you valuable information about who is trying to access your website.
To check your error logs, log in to your cPanel and go to Error Logs and Raw Access (activity logs).
If you see malicious activity within these reports, you will want to ban those users so their attempts stop. Bots and other malicious users that are constantly pinging your website can slow it down for your real visitors.
The easiest way to stop these access requests is to install the WP-Ban plugin. Once you have the plugin and it is activated on your website, visit the Settings menu and then click Ban.
Here you can update the settings in your plugin. Pulling from your error logs, you can add the IP addresses that have been trying to maliciously access your website. Once you save the changes, that user will be presented with the ban message and will be banned from your site.
7. Disable error display
When your website displays PHP warnings and errors in the browser, this can be a serious security risk. You should configure your website to not display these errors.
Websites that display these errors give away important server and setup information to hackers. Those hackers can then use those errors against you to find ways into your website.
Even if you never face a hacker getting this information, displaying this information to the public simply looks bad.
New WordPress installations by default should not display any messages. However, if you’ve recently had your website host troubleshoot an issue or your developers have been active rolling out new functionality, you might have errors and warnings displaying in the browser.
Making this change is simple within your configuration file (wp-config.php). Scroll down until you see the WP_DEBUG constant. Once you find it, make sure its value is set to false, not true, and do the same for any other debug-related constants defined there.
Your code should look like this:

```php
define( 'WP_DEBUG', false );
```
8. Monitor file changes
To ensure the only changes occurring on your website are the ones you and your team are making, you want to monitor any file changes.
A simple way of doing this is to use the Website File Changes Monitor plugin.
The plugin will scan your website every day and will track three types of file changes: additions, modifications, and deletions.
To ensure the plugin is properly installed and ready to go, you should run some tests by deleting a plugin, installing a new one or editing a few files on your website. The Website File Changes Monitor plugin should record all these changes on your website.
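To see what a file change monitor actually does under the hood, here is an added example of our own (not the Website File Changes Monitor plugin's code): it takes a SHA-256 baseline of a site tree, saves it outside the tree, and on the next run classifies every change as an addition, modification or deletion, the same three kinds the plugin tracks. The demo tree and file contents are constructed.

```python
import hashlib
import json
import os
import tempfile

def snapshot(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return digests

def diff_snapshots(baseline, current):
    """Classify changes into the three kinds the plugin tracks."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "deleted": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }

def save_baseline(digests, path):
    with open(path, "w") as fh:
        json.dump(digests, fh, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)

def run_demo():
    """Constructed WordPress-like tree: baseline it, make one change of each kind, report."""
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "site")
        def write(rel, data):
            full = os.path.join(site, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(data)
        write("wp-config.php", "<?php define('WP_DEBUG', false);\n")
        write("wp-content/themes/demo/functions.php", "<?php // theme functions\n")
        write("wp-content/plugins/old-plugin/old.php", "<?php // old plugin\n")
        baseline_path = os.path.join(tmp, "baseline.json")  # kept outside the scanned tree
        save_baseline(snapshot(site), baseline_path)
        # The same test the article suggests: edit a file, delete a plugin, install a new one.
        write("wp-content/themes/demo/functions.php", "<?php // edited\n")
        os.remove(os.path.join(site, "wp-content/plugins/old-plugin/old.php"))
        write("wp-content/plugins/new-plugin/new.php", "<?php // new plugin\n")
        return diff_snapshots(load_baseline(baseline_path), snapshot(site))
```

Point snapshot() at your real web root and store baseline.json somewhere the web server cannot write, or an attacker who gains file access could rewrite the baseline along with the files.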
Protecting your WordPress website’s security can be done in less than an hour and without hiring a developer. There’s no reason not to take these eight important steps to ensure the protection of everything you’ve built.