Security in WordPress is taken very seriously, but as with any other
system there are potential security issues that may arise if some basic
security precautions aren't taken. This article will go through some
common forms of vulnerabilities, and the things you can do to help keep
your WordPress installation secure.
Note: Please back up your WordPress files and database before you make any changes to the files or database.
1. Update your WordPress
Most common hacks and injections happen because of an outdated WordPress core or plugin, so you should always keep up to date with the latest version of WordPress.
The latest version of WordPress is always available from the main WordPress website at http://wordpress.org, or you can install it from our hosting control panel (One-click installer). Never download the installation package from any website other than http://wordpress.org.
If you are not using a specific plugin, delete it from the system.
2. Use a strong password
Many potential vulnerabilities can be avoided with good security habits. A strong password is an important aspect of this. A strong password is necessary not just to protect your blog content. A hacker who gains access to your administrator account is able to install malicious scripts that can potentially compromise your entire server.
Things to avoid when choosing a password:
Any permutation of your own real name, username, company name, or name of your website.
A word from a dictionary, in any language.
A short password.
Any numeric-only or alphabetic-only password (a mixture of both is best).
3. Check your file and folder permissions
3.1. When there is no need to install any plugins, use the theme editor or install any WordPress updates, grant read & write permission to the /wp-content/uploads/ folder and read-only permission on the rest, for security reasons.
3.2. To allow plugin installs you need to give write permission to the /wp-content/plugins/ folder. To allow the use of the theme editor you need to give write permission to the /wp-content/themes/ folder. Changing these folders back to read-only permission afterwards is recommended.
3.3. To allow the user to install WordPress updates you need to give read/write permission on the root folder where you installed WordPress. This is the least secure option but, on the other hand, the most common way to install updates. Changing the permissions back to those in 3.1 afterwards is recommended.
Please click here to check how to change your file/folder permissions.
4. Hide your wp-config.php
This is another file that is particularly vulnerable to attacks; by default it is located at your_host/wordpress/wp-config.php. You can move it to the root directory, i.e. your_host/wp-config.php, because WordPress automatically checks the root directory for this file if it doesn't find it at the default location.
5. Disable File Editing
The WordPress Dashboard by default allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will use if they are able to log in, since it allows code execution. WordPress has a constant to disable editing from the Dashboard. Placing this line in wp-config.php is equivalent to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities of all users:
This will not prevent an attacker from uploading malicious files to your site, but might stop some attacks.
6. Delete the ‘admin’ account – Make it harder for the hackers!
On a new install you can simply create a new Administrative account and delete the default admin account. On an existing WordPress install you may rename the existing account in the MySQL command-line client with a command like UPDATE wp_users SET user_login = 'newuser' WHERE user_login = 'admin';, or by using a MySQL frontend like phpMyAdmin.
7. Change the table_prefix
Many published WordPress-specific SQL-injection attacks assume that the table_prefix is the default, wp_. Changing it can block at least some SQL injection attacks. Please click here for instructions.
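As an added example (not part of the original article or of WordPress itself), the following POSIX shell script audits an existing install against sections 3, 5 and 7 above: folders that are still writable other than wp-content/uploads, whether the DISALLOW_FILE_EDIT constant is defined in wp-config.php, and whether the table prefix is still the default wp_. It assumes the web server runs as the file owner (typical on shared hosting) and that wp-config.php is in the install root or one level above it.

```shell
#!/bin/sh
# Added example, not part of the original article: a read-only audit of a
# WordPress install against sections 3, 5 and 7 of this checklist.
# Assumptions: the web server runs as the file owner (typical on shared
# hosting), so "writable" means the owner-write bit is set; wp-config.php sits
# in the install root or one level above it, the two places WordPress looks.

wp_config_path() {            # print the wp-config.php that WordPress would load
  if [ -f "$1/wp-config.php" ]; then echo "$1/wp-config.php"
  elif [ -f "$1/../wp-config.php" ]; then echo "$1/../wp-config.php"
  else return 1; fi
}

# Section 3: directories that are owner-writable, other than wp-content/uploads
wp_check_writable() {
  find "$1" -type d -perm -200 ! -path "$1/wp-content/uploads*" | sort
}

# Section 5: true when an uncommented define() disables the dashboard editor
wp_check_file_edit() {
  grep -Eq '^[[:space:]]*define[[:space:]]*\([[:space:]]*.DISALLOW_FILE_EDIT.[[:space:]]*,[[:space:]]*true[[:space:]]*\)' "$1"
}

# Section 7: true when $table_prefix is something other than the default wp_
wp_check_prefix() {
  ! grep -Eq '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*.wp_.[[:space:]]*;' "$1"
}

# Print one FINDING line per problem; the exit status is the number of findings
wp_audit() {
  cfg=$(wp_config_path "$1") || { echo "FINDING: no wp-config.php found for $1"; return 1; }
  wp_check_writable "$1" | sed 's/^/FINDING: owner-writable dir /'
  n=$(( $(wp_check_writable "$1" | wc -l) ))
  wp_check_file_edit "$cfg" || { echo "FINDING: DISALLOW_FILE_EDIT not set in $cfg"; n=$((n+1)); }
  wp_check_prefix "$cfg"    || { echo "FINDING: default table_prefix wp_ in $cfg"; n=$((n+1)); }
  return "$n"
}

# Usage: wp_audit /path/to/wordpress   (exit status 0 means no findings)
```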
8. Backup regularly
Back up your data regularly, including your MySQL databases. Use FTP to download your website files to your local machine as a backup, and click here to check how to back up your MySQL database from our hosting control panel.