Around 37,000 websites are hacked daily. Considering that WordPress powers 25.4% of all websites, every day a good deal of bloggers find their blogs hacked.
While some security tweaks are self-evident – like changing the admin username – others might not be so obvious. And yet, there’s a ton of small things that can improve your WordPress security.
1. Remove your WordPress Version Number
By default, WordPress displays the version number you’re running for the world to see. This helps attackers identify which version-specific vulnerabilities they can exploit to hack your blog.
The solution is to remove the WordPress version number from public display. But back up your website first, and once that is done:
This code will prevent the WordPress version number from showing up on your front end.
2. Disable WordPress API
The REST API in WordPress lets developers integrate custom-built applications into their blogs. But it’s also a security vulnerability, since it can be used to bypass the WordPress authentication system.
If you’re not using the REST API, you can safely disable it through the Disable REST API plug-in.
3. Disable XML-RPC
XML-RPC enables remote access and posting to your WordPress blog, which is another potential entry point for malicious actors. But if you aren’t posting remotely, you can improve your blog’s security by a mile just by disabling XML-RPC with the Disable XML-RPC plug-in.
4. Vet Third-Party Plug-Ins
Vet any plug-in with a magnifying glass:
Read user reviews, and avoid plug-ins that are barely used or were only recently published. Polished, thoroughly written documentation is a sign that the developer has been conscientious in building the plug-in.
Developers with an excellent track record of popular releases are more likely to produce robust and secure plugins than newcomers.
5. Choosing The Hosting Provider
41% of WordPress blogs are hacked through vulnerabilities in their hosting platforms. So, a secure host is as important as using a strong password.
Opt for established, reputable providers that have experience catering to WordPress bloggers. Also, consider investing in a dedicated server, or at least a Virtual Private Server to reduce the attack vectors.
6. Disable PHP Error Reporting
When a plug-in or theme fails, the server outputs a PHP error message, which is useful for debugging. But these messages also expose the full server path of the failing file, which is a major security risk.
You can disable PHP error reporting by adding the following code to your wp-config.php file:
// Suppress PHP error output so warnings, notices and server paths are not shown to visitors.
error_reporting(0);
@ini_set('display_errors', 0);
Whenever you need to debug, you can toggle error reporting back on.
7. Update Your File Permissions
The right file permissions protect your blog from security exploits, making it difficult for a hacker to hijack your site.
You can update your file permissions via FTP:
- The wp-config.php file should be set to “600”
- The files within your WordPress directories should be set to “640” or “644”
- The WordPress folder permissions should be set to “755” or “750”
You’ll still be able to work with your files, but malicious intruders won’t be able to manipulate or delete your files, plugins, themes, or take over your website.
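To check that a WordPress install actually matches the scheme above, and to apply it in one go, here is an added shell example (not code from the original post). It assumes a POSIX sh with find, chmod and GNU or BSD stat; the WordPress path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original post: audit a WordPress tree against
# the scheme above (wp-config.php 600, other files 644/640, directories
# 755/750) and optionally apply it. Assumes POSIX sh, find, chmod and GNU or
# BSD stat. Run the audit first; apply only after backing up and reviewing.

# Octal mode of one path: GNU stat first, BSD/macOS stat as fallback.
wp_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# audit_wp_perms DIR: print one FINDING line per path that deviates.
# Returns 0 when the tree conforms, 1 otherwise. Changes nothing.
audit_wp_perms() {
  dir=$1; bad=0
  cfg="$dir/wp-config.php"
  if [ -f "$cfg" ] && [ "$(wp_mode "$cfg")" != 600 ]; then
    echo "FINDING: $cfg is $(wp_mode "$cfg"), expected 600"; bad=1
  fi
  # Directories outside 755/750. The here-doc keeps the loop in the current
  # shell so 'bad' survives; paths containing newlines are not handled.
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    echo "FINDING: $p is $(wp_mode "$p"), expected 755 or 750"; bad=1
  done <<EOF
$(find "$dir" -type d ! -perm 755 ! -perm 750)
EOF
  # Regular files other than wp-config.php outside 644/640.
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    echo "FINDING: $p is $(wp_mode "$p"), expected 644 or 640"; bad=1
  done <<EOF
$(find "$dir" -type f ! -name wp-config.php ! -perm 644 ! -perm 640)
EOF
  return $bad
}

# apply_wp_perms DIR: enforce 755 on directories, 644 on files and 600 on
# wp-config.php. Re-run audit_wp_perms afterwards to confirm.
apply_wp_perms() {
  dir=$1
  find "$dir" -type d -exec chmod 755 {} +
  find "$dir" -type f -exec chmod 644 {} +
  [ -f "$dir/wp-config.php" ] && chmod 600 "$dir/wp-config.php"
  return 0
}
```

A world-writable wp-content/plugins directory or a readable wp-config.php shows up as a FINDING line, which is the kind of drift a post-deployment check should catch.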
Editor’s Note:
From time to time, SensorsTechForum features guest articles by cybersecurity and infosec leaders and enthusiasts such as this post. The opinions expressed in these guest posts, however, are entirely those of the contributing author, and may not reflect those of SensorsTechForum.