WordPress is the most used CMS in the world. Currently, about 30% of all websites run on WordPress. Unfortunately, due to its popularity, it is also very popular with hackers. That's why we recommend that you add some extra security to your WordPress website, to minimise the risk of getting hacked.
- Always update
- Remove plugins and themes you don't use
- Protect the wp-admin directory with a password
- Create a custom administrative username
- Disable PHP execution in your uploads directory
Always update
Part of WordPress updates are fixes to security issues that could be exploited by hackers, so it is essential to update as soon as possible. You can update from your WordPress dashboard. If you don't have access to your WordPress administration, you can also update manually.
Besides your core WordPress installation, it is also important to check if there are updates available for plugins and themes you have installed.
Tip: If you don't want the hassle of updating manually, you can install a plugin called Easy Updates Manager. It manages all WordPress updates for you.
Remove plugins and themes you don't use
Every plugin and theme you have installed can pose a security risk, so the fewer you have, the better.
We recommend removing all themes that you don't use, except the default WordPress themes (2017, 2018, etc.). The same goes for plugins that you no longer need.
This also applies to any old WordPress installations you might have on your web space, maybe for testing purposes or as a backup. These are also vulnerable to hacks.
Tip: Only install plugins and themes from trusted sources. If you find a free version of a theme you normally need to pay for, there is a big chance that it comes with "free" malware.
Protect the wp-admin directory with a password
Another way of blocking hackers is to protect your wp-admin folder with a password, which adds an extra security layer to your WordPress administration.
You can follow our guide to protect your website with .htaccess. Make sure to protect only the wp-admin directory and not the whole site. Otherwise, your website will not be reachable. Place the files inside the wp-admin folder.
Note: If there already is an .htaccess file in the wp-admin directory, add the generated code to the existing file. Don't replace it.
Create a custom administrative username
Hackers often try to gain access to your WordPress administration with a Brute Force Attack, where robots try millions of different password and username combinations to try to log in. To make it more difficult to guess your login details, we recommend creating a unique username.
You can change the administrative username in phpMyAdmin, in the wp_users table. Check out our guide on how to access your database.
Once you are logged in:
- Locate the table called wp_users (can also be called 0_users).
- Find the admin username and click Edit.
- Under user-login, enter a new username in the Value field.
- Click Go to save.
Tip: There are also several plugins that can help to improve security, we recommend trying Wordfence Security or iThemes Security.
Disable PHP execution in your uploads directory
If you have done a manual installation of WordPress, we recommend disabling PHP execution in your uploads folder. When you have used the 1-click installer, execution is disabled by default.
It is common for a PHP backdoor to be located in the uploads directory. From there on, malware is spread to other locations on your site. You cannot prevent the backdoor from being uploaded, but by disabling PHP execution, you can block it from spreading anywhere else.
# Block executables
<FilesMatch "\.(php|phtml|php3|php4|php5|pl|py|jsp|asp|html|htm|shtml|sh|cgi|suspected)$">
deny from all
# Block javascript except for visualcomposer (VC) plugin
RewriteEngine On
RewriteCond %{REQUEST_URI} !^.*wp-content/uploads/visualcomposer-assets/.*\.js$
RewriteRule ^(.*\.js)$ - [F,L]
Note: If you already have an existing .htaccess file on your web space, you don't need to create a new file. Instead, you can add the code to the existing file.
Related articles: