WordPress safety | WordPress database security | wordfence WordPress
WordPress is the most hacked content management system in the world, according to a hack report released by Sucuri, a company specializing in website security. If you follow the WordPress safety precautions in this article and apply a few extra tricks, you can noticeably improve the security of your site.
Step 1 — Keeping the WordPress installation up to date
Keeping WordPress up to date is the first and most important WordPress safety recommendation. If you want a clean and malware-free website, updating WordPress is a must. Not every new version is a security release, but every release should be installed, and major releases in particular have to be applied manually.
Step 2 — Use less common logins
Is your WordPress administrator username still “admin”? It is recommended that you change it to something else. One way to do this is to create a new administrator account and delete the old one:
Log in to your WordPress admin panel.
Go to Users and click Add New.
Create a new user and assign it the Administrator role.
Log out and log in to the admin panel again with the new account.
Go back to Users and delete the old admin user. When WordPress asks what to do with that user's content, attribute it to the new account so that no posts are lost.
A strong password plays a big role in WordPress safety. A password that contains numbers, uppercase and lowercase letters, and special characters is much harder to crack with a brute force attack. Tools like LastPass and 1Password help you create and manage complex passwords.
Step 3 — Enabling 2-step authentication
2-step authentication adds a further layer of WordPress safety to your login page. As the name suggests, you have to complete one more step to log in.
Although it may sound complicated, enabling 2-step authentication on your WordPress blog is easy. All you have to do is install a 2-step authentication plugin and configure it.
Step 4 — Disable PHP error reporting
While you are developing your website, PHP error reporting is useful for making sure everything works correctly. Exposing errors to every visitor, however, is a serious weakness, because error messages can reveal internal details such as file paths.
You should fix this as soon as possible. You do not have to be a programmer to hide WordPress error output: most hosting providers offer an option for this in their control panel. In Hostinger, for example, it is in the PHP Configuration section of the control panel.
If your control panel has no such option, the same effect can be achieved by adding the appropriate lines to your “wp-config.php” file.
Step 5 — Not using nulled (non-genuine) WordPress themes
Thousands of nulled plugins and themes circulate on the internet. Users can download them for free from various warez and torrent sites. What they don’t know is that these copies contain malware and black hat SEO links. Stop using nulled plugins and themes.
Step 6 — Scan for malware
Hackers regularly use vulnerable themes and plugins to infect WordPress sites with malware. That’s why it’s so important to scan your blog often.
There are many well-written plugins for this purpose. Wordfence stands out among them. It offers a range of settings as well as manual and automatic scanning options.
You can even restore modified or infected files with a few clicks. It is free and open source. That alone should be enough reason to install the plugin right now.
Other popular WordPress security plugins:
BulletProof Security – unlike Wordfence, BulletProof does not scan your files, but it gives you a firewall, database security, and more. One of its best features is that it can be installed and configured in just a few clicks.
Sucuri Security – this plugin protects you from DoS attacks. It keeps a blacklist, protects your website against malware, and manages your firewall. If it detects something, it notifies you by email. It checks your site against blacklist engines such as those of Google, Norton, and McAfee.
Step 7 — Move the website to the “more secure” WordPress hosting provider
Statistics show that 40% of hacked WordPress sites were compromised through vulnerabilities in their hosting accounts. That alone should make you reconsider your current hosting provider and consider migrating your WordPress site. Here are some criteria to keep in mind when looking for a new hosting provider:
If it is shared hosting, make sure that your account is completely isolated from other users and that there is no chance of another website on the same server infecting your site.
It should have an automatic backup feature.
It must have a server-side firewall and a virus scanning tool.
Step 8 — Take backups as often as possible
Even large sites are hacked every day, despite their owners spending a lot to strengthen their WordPress safety.
While you’re following the best practices and other recommendations in this guide, it is essential to back up your WordPress website periodically.
There are several ways to take a backup. For example, you can manually download the WordPress files and export the database. You can also use your hosting provider’s backup tools.
Another way is to use a WordPress backup plugin.
Step 9 — Disable file editing
WordPress has a built-in file editor that allows editing the PHP files of themes and plugins. This feature can sometimes be useful, but it can also cause harm.
If an attacker gains access to your admin panel, the file editor is the first thing they will look for, because it turns admin access into the ability to change the site's code. Many WordPress users therefore prefer to disable this feature entirely.
The feature is disabled by adding a single line to the wp-config.php file.
That’s all you need to do to disable file editing in WordPress.
IMPORTANT! If you want to enable this feature again, remove this line from your wp-config.php file using your FTP client or hosting provider’s file manager.
Step 10 — Remove unused themes and plugins
Clean up your WordPress site and delete all unused plugins and themes. Attackers often look for deactivated and outdated themes and plugins (even official WordPress plugins). By deleting themes and plugins that you no longer use (and have probably forgotten to update), you reduce risk and make your WordPress site more secure.
Step 11 — Using “.htaccess” for better WordPress safety measures
The “.htaccess” file is required for WordPress permalinks to work. You will get a lot of 404 errors when the correct rules are missing from this file.
Most users do not know that the “.htaccess” file is also one of the WordPress safety measures. For example, with “.htaccess” you can prevent access to certain files or stop PHP code in them from executing.
The examples below show how you can improve WordPress safety using the “.htaccess” file. They apply to Apache (or servers that read .htaccess files); nginx ignores .htaccess files entirely.
Blocking access to WordPress admin panel
The rules below, placed in a “.htaccess” file inside the wp-admin directory, allow access to the WordPress admin panel only from the specified IP addresses.
AuthName "WordPress Admin Access Control"
order deny,allow
deny from all
allow from xx.xx.xx.xxx
allow from xx.xx.xx.xxx
Note that you need to replace xx.xx.xx.xxx with your own IP address. You can use this website http://ip.atakdomain.com/ to find out your own IP address.
If you manage your WordPress site from several connections, be sure to include all of their IP addresses (you can add as many allow lines as you need). If you have a dynamic IP address, this method is not recommended. Two further caveats: the Order, Deny and Allow directives are Apache 2.2 syntax and work on Apache 2.4 only while mod_access_compat is enabled (the native equivalent is a Require ip directive), and because some themes and plugins call wp-admin/admin-ajax.php on behalf of ordinary visitors, restricting the whole directory can break front-end features that rely on it.
Prevent PHP from running on certain files
Attackers like to upload backdoors to the WordPress uploads folder. By default this folder holds only media files.
Therefore, it should never contain any PHP files. You can prevent PHP from running there by creating a “.htaccess” file in the “/wp-content/uploads/” folder containing the following lines (the Files block restricts the rule to PHP files, so images and other media remain accessible).
<Files *.php>
deny from all
</Files>
Protecting the “wp-config.php” file
The “wp-config.php” file contains the WordPress settings and the MySQL database credentials. That makes it the most important WordPress file and the first target of a WordPress attacker. You can protect it with the following “.htaccess” rules in the site's root directory.
<Files wp-config.php>
order allow,deny
deny from all
</Files>
The WordPress database stores the information the site needs to work. That makes it a target for hackers and spammers who want to perform SQL injection attacks.
Not many people bother to change the default database table prefix (wp_) when installing WordPress.
However, according to Wordfence, one in five WordPress attacks is an SQL injection. Since the default prefix is public knowledge, an attacker's automated queries are written against wp_ table names first, and a different prefix makes those canned queries fail. It does not fix the underlying injection flaw, so keep your plugins updated as well. In this step we briefly explain how to change the prefix.
Changing the table prefix of the existing WordPress site
IMPORTANT! Safety always comes first. Be sure to back up your MySQL database before continuing.
Part 1 – Changing the prefix in wp-config.php
Using an FTP client or the File Manager, open your “wp-config.php” file and search for “$table_prefix”.
/**
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters and underscores please!
 */
$table_prefix = 'wp_';
Change the prefix to one of your own made of numbers, letters, and underscores, then save the changes and continue to the next part. In this guide we will use the prefix “wp_1secure1_”.
While you are in “wp-config.php”, also note the database name in the define('DB_NAME', ...) line. That tells you which database you need to edit.
Part 2 – Updating all database tables
Next, you must rename all the tables in your WordPress database. This can be done with phpMyAdmin.
Open phpMyAdmin and select the database you identified in Part 1.
A default WordPress installation consists of 12 tables, and each of them must be renamed. Doing this one table at a time in the interface takes a while, so it is faster to use the SQL tab of phpMyAdmin.
Rename all the tables by running the following queries.
RENAME table `wp_commentmeta` TO `wp_1secure1_commentmeta`;
RENAME table `wp_comments` TO `wp_1secure1_comments`;
RENAME table `wp_links` TO `wp_1secure1_links`;
RENAME table `wp_options` TO `wp_1secure1_options`;
RENAME table `wp_postmeta` TO `wp_1secure1_postmeta`;
RENAME table `wp_posts` TO `wp_1secure1_posts`;
RENAME table `wp_terms` TO `wp_1secure1_terms`;
RENAME table `wp_termmeta` TO `wp_1secure1_termmeta`;
RENAME table `wp_term_relationships` TO `wp_1secure1_term_relationships`;
RENAME table `wp_term_taxonomy` TO `wp_1secure1_term_taxonomy`;
RENAME table `wp_usermeta` TO `wp_1secure1_usermeta`;
RENAME table `wp_users` TO `wp_1secure1_users`;
Some WordPress themes and plugins create their own tables, so your database may contain more than 12 tables. Add RENAME statements for those tables to the query list as well and run them.
Part 3 – Checking options and user meta tables
Depending on the plugins you have installed, some values in your database must also be updated by hand. This is done by running separate SQL queries against the options and usermeta tables.
For the options table:
SELECT * FROM `wp_1secure1_options` WHERE `option_name` LIKE 'wp\_%'
For the user meta table:
SELECT * FROM `wp_1secure1_usermeta` WHERE `meta_key` LIKE 'wp\_%'
In the query results, replace the leading wp_ of each value with your newly chosen prefix: meta_key in the usermeta table and option_name in the options table. The underscore in the pattern is escaped because a bare _ in a LIKE pattern matches any single character, which would also return names that merely start with “wp” followed by some other letter.
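The manual search-and-replace described above, and the check for plugin tables left over from Part 2, can be done directly in SQL. The following is an added example, not code from the original article: it assumes MySQL/MariaDB via the phpMyAdmin SQL tab, the prefix wp_1secure1_ used in this guide, and that the Part 2 RENAME statements have already run.

```sql
-- Added example, not part of the original article. MySQL/MariaDB, run in the
-- phpMyAdmin SQL tab after the Part 2 RENAMEs and after taking a backup.
-- Assumes the new prefix used in this guide, wp_1secure1_, which itself
-- starts with "wp_", so every check must exclude the new prefix explicitly.
--
-- In a LIKE pattern an unescaped "_" matches any single character, so the
-- underscores are written as "\_" to match a literal underscore.

-- 1. Tables that still carry the old prefix (plugin tables the 12 core
--    RENAME statements did not cover). Expected result: no rows.
SELECT table_name
FROM information_schema.tables
WHERE table_schema = DATABASE()
  AND table_name LIKE 'wp\_%'
  AND table_name NOT LIKE 'wp\_1secure1\_%';

-- 2. Preview rows whose names start with the old prefix. Review this list:
--    core entries such as wp_user_roles and wp_capabilities must be renamed,
--    but a plugin option whose name merely begins with a literal "wp_" that is
--    not the table prefix must be left alone.
SELECT option_id, option_name FROM wp_1secure1_options
WHERE option_name LIKE 'wp\_%' AND option_name NOT LIKE 'wp\_1secure1\_%';

SELECT umeta_id, user_id, meta_key FROM wp_1secure1_usermeta
WHERE meta_key LIKE 'wp\_%' AND meta_key NOT LIKE 'wp\_1secure1\_%';

-- 3. Rewrite the prefix of the reviewed rows: SUBSTRING(name, 4) drops the
--    three characters "wp_" (positions are 1-based) and CONCAT prepends the
--    new prefix. Extend the IN (...) lists with further rows from step 2.
UPDATE wp_1secure1_options
SET option_name = CONCAT('wp_1secure1_', SUBSTRING(option_name, 4))
WHERE option_name IN ('wp_user_roles');

UPDATE wp_1secure1_usermeta
SET meta_key = CONCAT('wp_1secure1_', SUBSTRING(meta_key, 4))
WHERE meta_key IN ('wp_capabilities', 'wp_user_level',
                   'wp_user-settings', 'wp_user-settings-time');

-- 4. Re-run the step 2 queries; only rows you deliberately left alone should
--    remain. Then log in again to confirm your administrator role survived.
```

If wp_user_roles or wp_capabilities keep the old prefix, WordPress will not recognise any user as an administrator, which is why the backup from the start of this step matters.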
Securing new WordPress installations
If you are setting up a new WordPress site, you do not need to go through these steps: the table prefix can be chosen during installation.
Congratulations! You have successfully increased your WordPress database protection against SQL injection attacks.
Although WordPress is the most hacked content management system in the world, WordPress is not difficult to secure.