How to Secure WordPress

About

WordPress is the most widely used content management system in the world. It powers 4.5% of the Internet and has been installed more than 76.5 million times. That popularity has a downside: according to a report by Sucuri, a company specializing in security, WordPress is the most hacked CMS in the world. Don't panic, though. If it is done properly, you can take WordPress security to the next level. Follow the steps and methods below; they are effective measures for improving security in WordPress.


What do you need?

Before you start, you will need:

  • Access to the WordPress site admin (Dashboard)

  • Access to your hosting account (optional)

Step 1 - Update WordPress for the site

This is the first and most important of all WordPress security steps. If you want your site to stay clean and free of malware, you need to keep WordPress up to date. Everyone knows this, yet the reality is that only 22% of WordPress installations run the latest version, which means 78% of websites are potentially unsafe. That is a large part of why WordPress is called the most hackable CMS.


WordPress has had automatic updates since version 3.7, but they only apply to minor security releases. Major updates still have to be done manually. If you are not sure how to update WordPress, see this tutorial.

Step 2 - Secure WordPress with “smart” login credentials

Do not use admin as the WordPress administrator username; everyone knows it is the default name. If you are using it, you are handing an attacker half of what he needs to take over the site. Changing the login name from admin to something else is very important (see this tutorial if you are not sure how to do it). Alternatively, create a new administrator account and delete the old one. If you choose that option, follow these steps:

  • Open the WordPress Dashboard

  • Go to Users and select Add New

  • Create a new user and give it the Administrator role

  • Log out and log back in to WordPress with the new account

  • Delete the old admin account (when prompted, attribute its content to the new account so no posts are lost)

Strong passwords also play a big part in WordPress security. A brute-force attack becomes far harder when the password mixes lowercase letters, uppercase letters, digits and special characters. Password managers like LastPass and 1Password can generate and store such passwords for you. Also, if you need to log in to your WordPress admin page over an untrusted network (a coffee shop, library, airport and so on), use a VPN so that your login information is protected.

Step 3 - Enable Two-Factor Authentication for WordPress

Two-factor authentication adds a second check during the sign-in process. It is already common for email and other online accounts, so why not use it on WordPress as well?

It is simple to set up on a WordPress blog: you only need to install a two-factor authentication plugin for WordPress. You can find step-by-step instructions for enabling two-factor authentication on WordPress here.

Step 4 – Turn off PHP Error Reporting

PHP error reporting is useful while you are developing a website and want to see why something is not running smoothly. However, showing those errors to every visitor is not advisable, especially when WordPress security is your concern, because error messages reveal file paths and other details about your installation.

You do not need to be a programmer to do this in WordPress. Many hosting providers, Hostinger among them, let you turn off error reporting from the hosting control panel. If yours does not, add the following lines to the wp-config.php file. You can use an FTP client or the File Manager in your control panel to edit the file.


error_reporting(0);
@ini_set('display_errors', 0);


That's all. Error reporting is now turned off.

Step 5 – Don't Use Nulled WordPress Themes

Remember – “Free cheese is in a mousetrap”. We can also apply that saying to nulled WordPress themes and plugins.

There are thousands of nulled plugins and themes floating around on the Internet, and users can download them from warez or torrent sites for free. What they do not know is that most of them contain malicious code, sometimes ironically hidden inside so-called WordPress security plugins, or black-hat SEO links that will keep your website from ever ranking. If you install these versions on your hosting, your WordPress website is completely unsafe: it is exposed to backdoors that the hackers built in from the start.

Stopping the use of nulled plugins and themes today is one of the best ways to secure your WordPress website. They not only violate copyright but also seriously harm WordPress security. You may end up paying a developer more to clean up your website than the legitimate theme or plugin would have cost.

Step 6 – Scan WordPress for malware

Hackers often use vulnerabilities in themes or plugins to plant malicious code on WordPress, so it is very important to scan your blog regularly. There are many good WordPress security plugins available today, and WordFence stands out the most. It supports manual and scheduled scans with a wide range of settings, and it can even restore modified and infected files with a few clicks. It is free and open source, which is reason enough to install it right away. What are you waiting for?

Some other good WordPress security plugins:

  1. BulletProof Security – unlike WordFence, BulletProof does not scan your files; it provides a firewall, database security and similar protections. Its main advantage is that it can be installed and configured in a few clicks.

  2. Sucuri Security – this WordPress security plugin protects you from DoS attacks, maintains a blacklist, scans your website for malware and manages a firewall. It notifies you by email when something is detected, and it integrates the Google, Norton and McAfee blacklists.

Try them all. You can find out how to install a WordPress plugin here.

Step 7 – Move your WordPress Website to a More Secure Hosting

It may seem strange, but statistics show that more than 40% of WordPress websites are hacked because of a security flaw in the hosting account. That number alone should be enough to make you consider changing hosts and moving WordPress to more secure hosting, such as BlueHost or HostGator. A few practical points to check when choosing a new host:

  • If it is shared hosting, make sure your account is isolated from other customers' accounts, so that one compromised website cannot affect the others on the server.

  • It has an automatic backup function.

  • It has a firewall and a virus scanner.

Step 8 – Back Up Regularly

Even large websites get hacked every day, even though their owners have spent thousands of dollars on WordPress security and installed tons of WordPress security plugins.

Even if you follow every step in this guide, it is still very important to back up your WordPress website regularly.

There are many ways to back up: for example, downloading the WordPress files and exporting the database, or using the backup feature of your hosting provider. Another way is to use a WordPress plugin. The most popular ones include:

WordPress Backups to Dropbox, which lets you back up your site and copy the backup to Dropbox. Backups are the simplest and most reliable way to secure WordPress, because restoring from a backup file is easier than hunting for errors and removing malware.

Step 9 – Turn off File Editing

As you know, WordPress has a built-in file editor that lets you edit theme and plugin files directly from the dashboard. While convenient, it can also be harmful: if a hacker gets access to your dashboard, the file editor is the first thing he will look for. For that reason, many WordPress users turn this feature off from the start to protect the WordPress files. It can be turned off by editing the wp-config.php file and adding the following line:

define( 'DISALLOW_FILE_EDIT', true );

That's all it takes to disable the file editor in WordPress.

IMPORTANT: If you want to re-enable this feature later, use your hosting provider's FTP client or file manager and delete the line above from the wp-config.php file.
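As an added illustration (not part of the original tutorial), the shell script below applies the Step 4 and Step 9 lines to a wp-config.php and does not duplicate them when it is run a second time. It assumes the file still contains the "That's all, stop editing!" marker that WordPress ships in wp-config.php, so the lines land before wp-settings.php is loaded; the sample configuration it creates is constructed for the demonstration and is not a real site's file, and the function names are our own.

```shell
#!/usr/bin/env bash
# Add hardening lines to wp-config.php without duplicating them: each line is
# inserted just above the "That's all, stop editing!" marker that WordPress
# ships in the file, so it takes effect before wp-settings.php is loaded.
set -eu

# wp_config_add_line FILE LINE
# Inserts LINE before the stop-editing marker unless the exact line is already
# present (a second run is a no-op). Without a marker the line is appended.
wp_config_add_line() {
  local file="$1" line="$2" tmp
  if grep -qxF -- "$line" "$file"; then
    return 0
  fi
  tmp=$(mktemp)
  awk -v ins="$line" '
    !done && /stop editing/ { print ins; done = 1 }
    { print }
    END { if (!done) print ins }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # write through so the file keeps its owner and mode
  rm -f "$tmp"
  grep -qxF -- "$line" "$file"
}

# Apply the tutorial's Step 4 (hide PHP errors) and Step 9 (no file editor).
harden_wp_config() {
  local file="$1"
  wp_config_add_line "$file" "error_reporting(0);"
  wp_config_add_line "$file" "@ini_set('display_errors', 0);"
  wp_config_add_line "$file" "define( 'DISALLOW_FILE_EDIT', true );"
}

# Constructed stand-in for a wp-config.php (not a real site's file), so the
# functions can be tried without touching a live installation.
make_sample_wp_config() {
  cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Demo: build the sample, harden it twice, and show that each line appears once.
demo_file=$(mktemp)
make_sample_wp_config "$demo_file"
harden_wp_config "$demo_file"
harden_wp_config "$demo_file"   # idempotent: nothing is added again
cat "$demo_file"
rm -f "$demo_file"
```

Run it against a copy of your real wp-config.php first and diff the result; the write-through with cat keeps the file's ownership and permissions, which matters on shared hosting where the web server user must still be able to read it.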

Step 10 – Delete Unused Themes and Plugins

Cleaning up your WordPress site by removing unused plugins and themes is another good way to keep WordPress secure. Hackers scan for outdated themes and plugins (including official WordPress plugins) to get into your Dashboard and upload malware to your server. By removing the plugins and themes you stopped using (or forgot to update) long ago, you reduce the risk of being hacked and make your WordPress site more secure.

Step 11 – Use .htaccess for better security

The .htaccess file is what makes WordPress permalinks work. Without the correct directives in .htaccess, you will get a lot of 404 errors.

Many people do not know that .htaccess can also improve the security of a WordPress website. With .htaccess you can, for example, block access to a directory or disable PHP execution in it. Here is how to use .htaccess to harden WordPress.

IMPORTANT: Before starting to make any changes, we recommend that you back up your old .htaccess file. You can use an FTP client or File Manager to do this.


Block access to WordPress admin page

The directives below block access to the WordPress administration area and allow only the listed IP addresses. Put them in a .htaccess file inside the wp-admin directory:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
allow from xx.xx.xx.xxx
allow from xx.xx.xx.xxx

Replace xx.xx.xx.xxx with your own IP address (you can use this website to see your current IP). If you manage the site from several connections, add an allow line for each of them; you can add as many as you need. The rules are deliberately not wrapped in a <Limit GET> section: a wrapper limited to GET would leave POST requests unrestricted. On Apache 2.4 the same restriction is written with Require ip followed by the address. Keep in mind that some plugins call wp-admin/admin-ajax.php for logged-out visitors too, so test the public site after adding the rules. This approach is not recommended when you have a dynamic IP.


Disable the ability to execute PHP in the specified directory

Attackers like to upload malicious scripts to the WordPress uploads directory. By default this folder stores media files, so it should never need to contain PHP files. You can disable PHP execution there by creating a .htaccess file in the /wp-content/uploads/ directory with the following directives:

<Files *.php>
deny from all
</Files>

This is Apache 2.2 syntax; on Apache 2.4 the equivalent line inside the Files block is Require all denied.
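The following script is an added example, not part of the tutorial. It writes the deny rule into an uploads directory (emitting both the Apache 2.2 directives above and the Apache 2.4 form, each guarded by an IfModule test so the right one applies) and then audits the tree for files with PHP-style extensions, which the Files rule blocks but does not report. The directory layout and file names it creates are constructed for the demonstration; the function names are our own.

```shell
#!/usr/bin/env bash
# Deny PHP execution inside wp-content/uploads and audit the tree for script
# files that should never be there. Assumes Apache with .htaccess enabled.
set -eu

# write_uploads_htaccess UPLOADS_DIR
# Apache 2.4 (mod_authz_core) uses "Require all denied"; older servers use the
# tutorial's Order/Deny directives. Both are emitted behind <IfModule>.
write_uploads_htaccess() {
  cat > "$1/.htaccess" <<'EOF'
<Files *.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
EOF
}

# audit_uploads UPLOADS_DIR
# Lists files whose extension a PHP handler might execute (.php, .phtml,
# .php5 and similar, .phar), matched case-insensitively. Returns 1 when
# anything is found so the function can gate a cron job or a deploy check.
audit_uploads() {
  local found
  found=$(cd "$1" && find . -type f \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' -o -iname '*.phar' \) | sort)
  if [ -n "$found" ]; then
    printf '%s\n' "$found"
    return 1
  fi
}

# Constructed uploads tree (not a real site): one image, one text file and one
# PHP file with an upper-case extension, the kind a case-sensitive check misses.
make_sample_uploads() {
  mkdir -p "$1/2024/01"
  printf 'GIF89a' > "$1/2024/01/photo.gif"
  printf 'notes' > "$1/2024/01/readme.txt"
  printf '<?php echo "x";' > "$1/2024/01/photo.PHP"
}

# Demo: build the sample tree, install the rule, then report what the audit finds.
demo=$(mktemp -d)
make_sample_uploads "$demo"
write_uploads_htaccess "$demo"
audit_uploads "$demo" || echo "script files found in uploads (listed above)"
rm -rf "$demo"
```

The audit is worth scheduling even with the .htaccess rule in place: the rule stops Apache from executing the file, but a PHP file in uploads is still evidence that something managed to write there, and that is what you want to investigate.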


Protect WordPress file wp-config.php

The wp-config.php file contains the core WordPress settings and the MySQL database credentials. That makes it the most important WordPress file and the one hackers most often target. You can protect it with the following directives in the .htaccess file in the WordPress root directory:

<files wp-config.php>
order allow,deny
deny from all
</files>

Step 12 – Change WordPress database prefix to prevent SQL injections


The WordPress database stores all the information the site needs to function, which makes it a very attractive target for hackers and spammers who run automated SQL injection tools. When installing WordPress, most people leave the default table prefix, wp_, unchanged. According to WordFence, 1 in 5 WordPress hacks relies on SQL injection, and with the default wp_ prefix an attacker's tools already know the table names they need. With this step, you make that kind of attack harder.


Change the table prefix of an existing WordPress site


IMPORTANT! Better safe than sorry: make sure you have backed up or exported your WordPress MySQL database before doing this.


Part 1 – Change the prefix in the "wp-config.php" file

Use an FTP client or the File Manager to edit the wp-config.php file and find the $table_prefix line, whose default value is wp_.

You can add numbers, letters or underscores to it. Save the file and continue with the next step. In this tutorial we use wp_1secure1_ as the new table prefix.

While you are in wp-config.php, also note the database name, so you know which database to edit in the next part: look for the define('DB_NAME' line.


Part 2 – Updating databases tables

Now you need to rename all the tables in your WordPress database. This is done in phpMyAdmin.

Open phpMyAdmin and select the database you identified in Part 1.

By default WordPress has 12 tables, and all of them must be renamed. You can do it one by one, but it is faster to open the SQL tab for that database in phpMyAdmin.

You can use the following statements to change the prefix of all the tables in one batch:

RENAME TABLE `wp_commentmeta` TO `wp_1secure1_commentmeta`;
RENAME TABLE `wp_comments` TO `wp_1secure1_comments`;
RENAME TABLE `wp_links` TO `wp_1secure1_links`;
RENAME TABLE `wp_options` TO `wp_1secure1_options`;
RENAME TABLE `wp_postmeta` TO `wp_1secure1_postmeta`;
RENAME TABLE `wp_posts` TO `wp_1secure1_posts`;
RENAME TABLE `wp_terms` TO `wp_1secure1_terms`;
RENAME TABLE `wp_termmeta` TO `wp_1secure1_termmeta`;
RENAME TABLE `wp_term_relationships` TO `wp_1secure1_term_relationships`;
RENAME TABLE `wp_term_taxonomy` TO `wp_1secure1_term_taxonomy`;
RENAME TABLE `wp_usermeta` TO `wp_1secure1_usermeta`;
RENAME TABLE `wp_users` TO `wp_1secure1_users`;

Some WordPress themes or plugins create additional tables in the database. If you have more than 12 tables in the MySQL database, add the missing tables to the list before executing it.

Part 3 – Check the "options" table and "usermeta" table

Depending on how many plugins you have installed, several values in the database also embed the prefix and must be updated by hand. They live in the options and usermeta tables and can be found with separate SQL queries.


With the "options" table you can use:

SELECT * FROM `wp_1secure1_options` WHERE `option_name` LIKE 'wp\_%'

With the "usermeta" table you can use:

SELECT * FROM `wp_1secure1_usermeta` WHERE `meta_key` LIKE 'wp\_%'

In a LIKE pattern the underscore is a single-character wildcard, so it is escaped here and the pattern only matches names that begin with wp_. Once you have the query results, change every value that starts with wp_ to the new prefix and you are done. In the usermeta table the field to change is meta_key; in the options table it is option_name.
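As an added example that goes a little beyond the tutorial, the script below generates the whole batch of statements from a saved table list instead of a fixed set of 12: every table carrying the old prefix gets a RENAME TABLE statement (so plugin tables are not missed), and the options/usermeta fix-up from Part 3 is expressed as UPDATE statements rather than manual edits. This is not the tutorial's own code; the table list it uses is constructed, the function names are our own, and the prefixes are the tutorial's wp_ and wp_1secure1_.

```shell
#!/usr/bin/env bash
# Generate the SQL for changing a WordPress table prefix: one RENAME TABLE per
# table that carries the old prefix (core and plugin tables alike) plus the
# UPDATE statements for the option_name / meta_key values that embed it.
set -eu

# A prefix may only contain letters, digits and underscores; refusing anything
# else keeps the generated statements free of quoting surprises.
valid_prefix() {
  case "$1" in
    '' | *[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# gen_prefix_sql OLD NEW LIST
# LIST holds one table name per line, e.g. the saved output of SHOW TABLES.
gen_prefix_sql() {
  local old="$1" new="$2" list="$3" t like pos
  valid_prefix "$old" && valid_prefix "$new" || { echo "invalid prefix" >&2; return 1; }
  while IFS= read -r t || [ -n "$t" ]; do
    case "$t" in
      "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$t" "$new" "${t#"$old"}" ;;
    esac
  done < "$list"
  # In LIKE, '_' is a one-character wildcard, so it is escaped to match
  # literally, and the pattern is anchored to names starting with the prefix.
  like="$(printf '%s' "$old" | sed 's/_/\\_/g')%"
  pos=$(( ${#old} + 1 ))
  printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s';\n" \
    "$new" "$new" "$pos" "$like"
  printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s';\n" \
    "$new" "$new" "$pos" "$like"
}

# Constructed table list (not from a real database): the 12 default tables,
# one plugin table, and one table from another application sharing the database.
make_sample_table_list() {
  printf '%s\n' wp_commentmeta wp_comments wp_links wp_options wp_postmeta \
    wp_posts wp_terms wp_termmeta wp_term_relationships wp_term_taxonomy \
    wp_usermeta wp_users wp_pluginlog other_app_table > "$1"
}

# Demo: 13 RENAME statements (other_app_table is left alone) plus the two UPDATEs.
list=$(mktemp)
make_sample_table_list "$list"
gen_prefix_sql wp_ wp_1secure1_ "$list"
rm -f "$list"
```

Run the output through phpMyAdmin's SQL tab or the mysql client only after the backup recommended above. The UPDATE statements are printed last on purpose: they address the options and usermeta tables by their new names, so they assume the RENAME statements have already executed.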


Secure WordPress from a fresh install

If you are installing a new WordPress site, you do not need to go through the steps above: simply change the table prefix during the installation.

Congratulations! You have protected WordPress against this kind of SQL injection attack.

Conclusion

Although WordPress is one of the most hacked CMSs in the world, it is not difficult to improve its security. In this guide we have covered 12 of the most important tips for making your website much more secure, so you can stop worrying about being hacked and focus on creating content.