Secure WordPress website from malicious attacks, hacker

WordPress is an Open source source we know that . Being open source all of us know the folder/file structure . Hacker can research on these files to put malicious code/virus on the WordPress to hack . Even if we remove this virus once it can come after some time . WordPress Freelancer also need to know securing WordPress website from all aspects . So, it is not so easy for any hacker to attempt . We should have some responsibilities to check and implement on WordPress. We have to checks some plugin , updates files timely and many more . I have mentioned some tricks/tips to secure the website . We can have secure website after implementing these tips and continuous security checks. Lets's discuss below how we can secure our WordPress website .

1) Use your email to login

We have to use email id instead of username to login . Because username is easy to predict while email id is quite secure approach. There we can find lots of wordpress security plugin that help to use email and password for login page .  

2) Rename your login URL to secure your WordPress website

We all know that WordPress admin login page open from wp-login.php or wp-admin after the domain name . Hacker also use this url to brute force attach . They use there Predict login database to guess login details . So, it is very essential to change our WordPress login page wp-login.php should change to something new-custom-login.php /wp-admin can change to /new-custom-admin /wp-login.php?action=register change to something like custom_new_registration There a good plugin available to change the WordPress login page links i.e iThemes Secuiry ( formerly Better WP Security)

3) Setup lock login if wrong password use multiple time

If hacker brute force attempt to login , we have to ban the user as wel as disable login temporarily for some time around 30 min . This can help us to more secure our website .I recommend again for this work iThemes Secuiry ( formerly Better WP Security)

4) Use two-factor authentication for WordPress security

This two-factor authentication (2FA) is nowadays being quite more popular among us . It prevents normal user or hacker to easily login to the website . We can decide the 2 factor login for example normal password with secrete code , OTP (One Time Password) . I found a plugin for this purpose Google Authenticator .

4) Make strong password

Make long password having combination of uppercase, lowercase and some special character . Using these tricks hacker would have very low chance to predict your password . Also change your password in at least 2/3 month

5) Logout idle user after sometime

Lots of user that leave admin panel don't click on logout .This can also cause some serious security issue . So make provision to logout idle user after some interval of time . There a plugin available BulletProof Security for this work. This plugin have management of automatically logout idle user after some fixed time .

6) Protect Wp-admin folder to access for anyone

WordPress's 'wp-admin' folder is very important . For better security we have to protect the folder because if someone can access the folder, he will easily damage the entire WordPress website . There a plugin available for this task called AskApache Password Protect . This plugin autometically generate .htpasswd file.  

7) Use SSL (Secure Socket Layer) Certificate

SSL certificate is nowadays most important things for any website . It secure data flow between users and server . You can buy SSL certificate from third party company or from your hosting company . Nowadays some hosting company like siteground provide free Open source SSL certificate i.e 'Let's Encrypt' .

8) Choose different admin username

Most of us choose 'admin' as username while installing new WordPress . This can be easily guessed by any hacker . So, do change username that quite not easily guess by anyone . A plugin called IThemesSecurity plugin offer such thing . This plugin also ban ip address that male lots of wrong login attempts .

9) Lookup the website files

We need to monitor our website files that whether any file have malicious code injected or new file added by any hacker . If we leave our website files for long term then hacker may inject malicious code to hack entire website . Sme plugins IThemes Security ,Wordfence can use to monitor WordPress files .

10) Change WP Database prefix

Lots of developers leave default wp- prefix while instaling new WordPress . It can be some serious issue . Hacker can use SQL injection because it can easily guess the table name. If you have already installed WordPress with the default wp- prefix then use some plugin like ITheme Security to change the prefix .

11) Backup entire WordPress files

We should keep habit to backup our WordPress database, files in regular basis. It can use to restore if anything goes wrong in our WordPress. There are some free and paid plugins available to backup WordPress. I recommed Backup buddy. It save our time,effort to backup manually .

12) keep database password stronger

The database password should more stronger .So, that it can not be easily crack by any hacker software. i recommend to set password with combination of upper case , lower case, special chracter , numbers etc. There also some free tool available to generate strong password for ex: Strong Password Generator.

13) Secure wp-config.php file

The WordPress' wp-config.php file contains important information regarding the database connection details. We have to protect this file from anyone access . So first of all you have to change permission to 444. So that it can't be read,write by anyone except the WordPress core files. We can also move this file outside 'public_html' means one folder back. Current WordPress version can autometically find wp-config.php file even it is not in your root folder .

14) Disable file editing

We can also disable file editing by placing below code

inside wp-config.php file. Suppose if any hacker succeed to go into your admin panel then he can not edit any plugin,theme file to put malicious code there.

15) Connect with server in secure way

To connect with your server only use SFTP or SSH . It provide secure layer to connect with your server. Traditionally we had option to connect using FTP. But now do not connect with FTP rather use SFTP. Nowadays lots of server provide it in there package.

16) Give proper folder permission

We have to give proper permission to the WordPress folder,files .Setting 755 and 644 are good permission.

17) Disallow directory listing in htaccess

Suppose you want to create a folder inside your WordPress foe ex: shop. But you haven't create index.html file inside it then someone can easily access the folder by just typing www.yourdomain.com/shop/. So, to prevent this directory listing you can put below inside your .htaccess file

18) Block all hotlinking

Some other user can copy your image url from your domain and put in there to save there bandwidth. It uses your server bandwidth. So, you must have to beware for this kind of hotlinking , There are some plugin availabel to prevent hotlinking for ex: All in One WP Security and Firewall        

19) Update WordPress security

We have to regularly check the new security patch of WordPress. Also check theme and plugins new version from there listing page in dashboard. If you find new version releases , you have to update it. Well, WordPress automatically update the core files and send notification email. We should have always update WordPress files to prevent hacking attempts .

20) Hide WordPress version from everywhere

It would be easer for hacker if they know the actual version of your WordPress. So, it is better to hide the WordPress version from your dashboard and from rss feed too. There are lots of security plugins available to hide this. Put below inside your theme's functions.php

Finally above all steps are required to protect you WordPress from hacker,malicious code . Well, you always have to take care of your WordPress website .