Golden rules to secure a WordPress website.
Using WordPress for your website? It is not secure by default: you have to harden it yourself and keep it that way. The more you know about the risks, the more you can do to keep attackers and other kinds of damage away from your site.
What to check when choosing hosting for WordPress
Is the support competent and helpful?
Good support saves you time and nerves when your site breaks. Response time and competence are the key: if the site becomes unreachable or fails in some other way, the problem should be fixed as fast as possible, because your customers' experience is what matters most.
Does the host run up-to-date software (PHP, MySQL, cPanel/DirectAdmin)?
Every new release may bring new features, security fixes or performance improvements, so the server should run up-to-date software. One example: PHP 7.0.0 was released at the end of 2015, yet in 2018 most hosting providers still run 5.6 (from 2014) or even older versions, although 7.x is substantially faster. Worse, PHP 5.6 stops receiving security fixes at the end of 2018, so an old PHP branch means unpatched vulnerabilities, not just lost performance.
What is the backup policy?
Frequent backups let you restore the site when something goes wrong. Make sure the backups are actually available when you need them, test a restore before you depend on it, and keep a second copy if you can. Do not rely only on your hosting company.
Does it provide separation between domains? (if you want to host several sites)
Separating sites raises security by confining what a script can reach to its own domain (its own system user and document root). If one site is broken into, the others are not automatically affected.
Does it provide protection against DDoS attacks?
For your website to stay available, choose a host that protects it against DDoS attacks and other floods of unwanted traffic. Ask the provider how they handle it before you need it.
Is an SFTP connection possible?
SFTP encrypts the whole session, which is far more secure than plain FTP: credentials and file contents are not sent in clear text, so nobody on the network path can read or tamper with them.
Remember when creating a user account
Use a username that differs from the domain or company name
Do not make it easy to guess your usernames or passwords. The less an attacker can infer, the lower the chance of a successful break-in.
Set a strong password
A strong password protects you from dictionary and brute-force attacks. Use a long password (a passphrase, or one generated by a password manager) that mixes numbers, symbols, upper- and lower-case letters, and never reuse it on another site.
Keep your hosting tidy
Keep sites separated: create a separate database for each site
A separate database per site keeps things organised and improves security: if one site is hacked, the attacker's database access is limited to that site. Give each database its own MySQL user as well, otherwise the separation is only nominal.
Decide on a directory structure and stick to it
A good directory structure keeps you clear and organised. Limit folder creation and get used to thinking in hierarchies.
Keep only the site's files in the site directory
Do not keep unneeded files on the hosting. Extra files in the site folder add load, break the order, and are a common source of compromise: forgotten backups, old copies of wp-config.php and abandoned test installs that never get updated.
When installing WordPress
Do not use the auto installer
The versions offered by auto installers are often out of date, and you do not have full control over the installation. It is better to download the latest stable version from the product's own site and install it manually.
Limit access to the database
Restricting the database account further increases the security of your site. The privileges granted to a MySQL account determine which operations it can perform, so learn how the MySQL privilege system works and use the GRANT and REVOKE statements to control access. Do not grant more than necessary: the WordPress account needs rights only on its own database (SELECT, INSERT, UPDATE and DELETE for daily operation; CREATE, ALTER, DROP and INDEX for core updates and plugin installs), never on all databases, and never for all hosts: bind it to localhost or to the web server's address.
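To make the "no more privileges than necessary" rule checkable, here is an added example (not code from the article) that audits the output of SHOW GRANTS for a WordPress database account. The user, host and database names are hypothetical; the two sample grant listings at the bottom are constructed, not taken from a real server.

```php
<?php
// Added example (not from the article): audit the output of
//   SHOW GRANTS FOR 'wpuser'@'localhost';
// for privileges a WordPress database account should not hold.
// Usage (hypothetical names): mysql -N -e "SHOW GRANTS FOR 'wpuser'@'localhost'" > grants.txt
//                             php audit_grants.php grants.txt
// Without an argument it audits the constructed samples at the bottom. PHP 7.1+.
declare(strict_types=1);

// What WordPress needs on its own database: the first four for daily
// operation, the other four for core/plugin updates and (un)installs.
const WP_NEEDED = ['SELECT', 'INSERT', 'UPDATE', 'DELETE',
                   'CREATE', 'ALTER', 'DROP', 'INDEX'];

// Privileges that turn a leaked wp-config.php into a server compromise.
const WP_DANGEROUS = ['ALL PRIVILEGES', 'FILE', 'SUPER', 'PROCESS', 'SHUTDOWN',
                      'RELOAD', 'CREATE USER', 'GRANT OPTION'];

/** Parse one "GRANT ... ON scope TO 'user'@'host' [WITH GRANT OPTION]" line, or null. */
function parse_grant(string $line): ?array
{
    $re = '/^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s+[\'`]?([^\'`@\s]+)[\'`]?@[\'`]?([^\'`\s]+)[\'`]?(.*)$/i';
    if (!preg_match($re, trim($line), $m)) {
        return null;
    }
    $privs = array_map(function (string $p): string {
        $p = strtoupper(trim($p));
        return $p === 'ALL' ? 'ALL PRIVILEGES' : $p;   // MySQL prints either form
    }, explode(',', $m[1]));
    if (stripos($m[5], 'GRANT OPTION') !== false) {
        $privs[] = 'GRANT OPTION';
    }
    return ['privs' => $privs, 'scope' => $m[2], 'user' => $m[3], 'host' => $m[4]];
}

/** Return human-readable findings; an empty array means the grants look fine. */
function audit_grants(array $grantLines): array
{
    $findings = [];
    foreach ($grantLines as $line) {
        if (trim($line) === '') {
            continue;
        }
        $g = parse_grant($line);
        if ($g === null) {
            $findings[] = "could not parse: $line";
            continue;
        }
        $who = "'{$g['user']}'@'{$g['host']}'";
        if ($g['host'] === '%') {
            $findings[] = "$who may connect from any host; bind it to localhost or the web server's IP";
        }
        // MySQL always prints "GRANT USAGE ON *.*" for every account; that is the harmless
        // "no global privileges" placeholder. Anything else on *.* is a problem.
        if ($g['scope'] === '*.*' && $g['privs'] !== ['USAGE']) {
            $findings[] = "$who has " . implode(', ', $g['privs']) . ' on every database (*.*)';
        }
        foreach (array_intersect($g['privs'], WP_DANGEROUS) as $p) {
            $findings[] = "$who holds $p on {$g['scope']}; WordPress never needs it";
        }
        $extra = array_diff($g['privs'], WP_NEEDED, WP_DANGEROUS, ['USAGE']);
        if ($extra) {
            $findings[] = "$who has " . implode(', ', $extra) . " on {$g['scope']}; not needed by WordPress";
        }
    }
    return $findings;
}

// --- stand-alone demo with constructed SHOW GRANTS output ---------------------
// Typical "one all-powerful account for everything" setup:
$sloppy = ["GRANT ALL PRIVILEGES ON *.* TO 'wpuser'@'%' WITH GRANT OPTION"];
// What the minimal setup prints after (names hypothetical):
//   CREATE USER 'wpuser'@'localhost' IDENTIFIED BY '<long random password>';
//   GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, INDEX
//       ON `wp_site1`.* TO 'wpuser'@'localhost';
$minimal = [
    "GRANT USAGE ON *.* TO 'wpuser'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, INDEX ON `wp_site1`.* TO 'wpuser'@'localhost'",
];

if (PHP_SAPI === 'cli') {
    $sets = isset($argv[1])
        ? ['input' => file($argv[1], FILE_IGNORE_NEW_LINES)]
        : ['sloppy' => $sloppy, 'minimal' => $minimal];
    foreach ($sets as $name => $lines) {
        $f = audit_grants($lines);
        echo "$name: " . ($f ? "\n  - " . implode("\n  - ", $f) : 'no findings') . "\n";
    }
}
```

The sloppy sample produces four findings (any-host account, privileges on *.*, ALL PRIVILEGES, GRANT OPTION); the minimal sample produces none. A backup job that runs mysqldump needs LOCK TABLES in addition, but give that to a separate read-only backup account, not to the account in wp-config.php.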
Use a database name that differs from the username
Using different names for the database and its user makes the credentials harder to guess.
Set strong and unique usernames and passwords for all your users
A strong password and a unique username reduce your site's exposure to dictionary attacks and other guessing attempts.
Use hard-to-guess database table prefixes
A non-default table prefix (instead of wp_) makes automated attacks that hard-code table names fail, and limits the damage if somebody gets partial access to the server. It is not a substitute for real access control: anyone who can run SHOW TABLES sees the prefix immediately.
Keep your website secure with these code tricks
Generate unique WordPress security keys (AUTH_KEY, etc.)
Unique authentication keys are essential for a more secure WordPress. The security keys consist of four authentication keys and four hashing salts (random data) that together add an extra layer of protection to your cookies and password hashes. Changing them invalidates all existing login cookies, so every user is logged out; that is also a quick way to kick out an attacker who stole a session.
You can generate keys here: https://api.wordpress.org/secret-key/1.1/salt/ and then set them in your "wp-config.php" file.
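The same eight constants can be generated locally, without sending a request to wordpress.org, and an existing wp-config.php can be checked for the placeholder or reused values. The following is an added example, not code from the article; the function names are this example's own, and the sample wp-config.php fragment at the bottom is constructed.

```php
<?php
// Added example (not from the article): generate the eight security constants
// with PHP's CSPRNG and check a wp-config.php source text for weak ones.
declare(strict_types=1);

const WP_SECRET_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// Same alphabet WordPress's own wp_generate_password() uses with special characters
// enabled: it contains no quote and no backslash, so a value can be dropped into a
// single-quoted PHP string unchanged.
const WP_SECRET_ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    . '!@#$%^&*()-_ []{}<>~`+=,.;:/?|';

/** One 64-character secret drawn with random_int(), which is CSPRNG-backed and unbiased. */
function wp_random_secret(int $length = 64): string
{
    $max = strlen(WP_SECRET_ALPHABET) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= WP_SECRET_ALPHABET[random_int(0, $max)];
    }
    return $out;
}

/** Eight fresh, distinct secrets keyed by constant name. */
function wp_generate_secrets(): array
{
    $secrets = [];
    foreach (WP_SECRET_NAMES as $name) {
        $secrets[$name] = wp_random_secret();
    }
    return $secrets;
}

/** The define() lines to paste into wp-config.php. */
function wp_render_secret_defines(array $secrets): string
{
    $lines = '';
    foreach ($secrets as $name => $value) {
        $lines .= sprintf("define('%s', '%s');\n", $name, $value);
    }
    return $lines;
}

/**
 * Check the constants in an existing wp-config.php source text: reports missing
 * names, the stock placeholder, short values and values reused across names.
 */
function wp_check_secrets(string $configSource): array
{
    $problems = [];
    $seen = [];
    foreach (WP_SECRET_NAMES as $name) {
        if (!preg_match("/define\(\s*'" . $name . "'\s*,\s*'([^']*)'\s*\)/", $configSource, $m)) {
            $problems[] = "$name is not defined";
            continue;
        }
        $value = $m[1];
        if ($value === 'put your unique phrase here') {
            $problems[] = "$name still has the default placeholder";
        } elseif (strlen($value) < 32) {
            $problems[] = "$name is shorter than 32 characters";
        }
        if (isset($seen[$value])) {
            $problems[] = "$name reuses the value of {$seen[$value]}";
        }
        $seen[$value] = $name;
    }
    return $problems;
}

if (PHP_SAPI === 'cli') {
    $fresh = wp_generate_secrets();
    echo wp_render_secret_defines($fresh);          // paste this block into wp-config.php

    // Constructed sample of an untouched wp-config.php: placeholders, reuse, six names missing.
    $sample = "define('AUTH_KEY', 'put your unique phrase here');\n"
            . "define('SECURE_AUTH_KEY', 'put your unique phrase here');\n";
    print_r(wp_check_secrets($sample));

    // The freshly generated block passes the same check.
    if (wp_check_secrets(wp_render_secret_defines($fresh)) !== []) {
        throw new RuntimeException('generated secrets failed self-check');
    }
}
```

Run it with php on the command line, replace the eight define() lines in wp-config.php with its output, and expect every logged-in user (including you) to be signed out afterwards.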
Move the database credentials to a file other than wp-config.php
Database credentials should be kept somewhere other than the default file, ideally outside the web root, so that a leaked copy of wp-config.php (a .bak or ~ file left by an editor, a backup archive in the site folder, a misconfigured server that returns PHP as plain text) does not expose them. Create a new PHP file, for example "unique_wp_db.php", containing the constants:
<?php
// unique_wp_db.php: keep this file one level above the document root
define('DB_NAME', 'your_db_name');
define('DB_USER', 'your_db_user');
define('DB_PASSWORD', 'your_db_password');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8mb4');
define('DB_COLLATE', '');
Next, add to your "wp-config.php" file (the path assumes wp-config.php sits in the document root and the new file directly above it):
require_once __DIR__ . '/../unique_wp_db.php';
The file must never be served by the web server: outside the document root is best. If it has to stay inside, it must keep the .php extension so the server executes it rather than returning its source, and its name should be unique and hard to guess.
Set WP_DEBUG to false and make sure PHP errors are not displayed
Hiding errors is not a way to fix them, but error messages (file paths, SQL fragments, plugin names) are valuable to an attacker, so never show them to visitors; write them to a log instead.
Add to your "wp-config.php" file:
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);   // matters when WP_DEBUG is switched on for troubleshooting
if (! WP_DEBUG) {
    @ini_set('display_errors', 0);
}
Turn off the file editor (DISALLOW_FILE_EDIT option)
Editing theme and plugin files from the back-end is risky: anyone who gets into an administrator account can drop PHP code onto the server through the editor. Disable it to limit the damage of a compromised admin account.
Add in your "wp-config.php" file:
define('DISALLOW_FILE_EDIT', true);
Block PHP execution in the wp-includes and wp-content folders
Blocking PHP execution in these folders protects you against uploaded malicious files being run. Create a .htaccess file in your "wp-content" directory with this code (Apache 2.2 syntax; on Apache 2.4 replace the two Order/Deny lines with "Require all denied"):
<FilesMatch "\.(?i:php)$">
Order allow,deny
Deny from all
</FilesMatch>
A few plugins and themes call their own PHP files directly rather than through WordPress and will break; if that happens, apply the rule to wp-content/uploads (where uploaded files land) rather than to all of wp-content, and in wp-includes keep the exception for wp-tinymce.php that the WordPress hardening guide recommends.
Block access to wp-config.php, readme.html and xmlrpc.php
Protecting these files reduces tampering and information leakage (readme.html reveals the exact WordPress version). Add to your ".htaccess" file:
<FilesMatch "wp-config.*\.php|\.htaccess|readme\.html|xmlrpc\.php">
Order allow,deny
Deny from all
</FilesMatch>
Blocking xmlrpc.php removes a favourite target for password guessing and pingback abuse, but it also disables the XML-RPC API that Jetpack, the WordPress mobile apps and some remote publishing tools rely on; if you need those, leave it reachable and rate-limit it instead.
Hide the WordPress version in the <head> section, RSS feeds and enqueued scripts
Hiding the WordPress version reduces the chance of being picked by attacks aimed at a specific version. It is only obscurity, though: the version can still be fingerprinted from other files, so it never replaces updating. Add to your theme's functions.php:
function pe_remove_version() {
return '';
}
add_filter('the_generator', 'pe_remove_version');
or even shorter, if you only care about the <head> tag (the filter above also covers the RSS and Atom feeds, this action does not):
remove_action('wp_head', 'wp_generator');
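Neither snippet touches the "?ver=4.9.8"-style query string that WordPress appends to every enqueued script and style without a version of its own, which leaks the core version just as clearly. The following is an added example, not code from the article: a pure URL-rewriting function plus the filter hooks to install it. The function names are this example's own; the URLs in the demo are constructed.

```php
<?php
// Added example (not from the article). Save as wp-content/mu-plugins/pe-hide-version.php
// (file name is this example's choice); it also runs stand-alone for testing.
declare(strict_types=1);

/**
 * Remove the "ver" query argument from an asset URL, keeping every other
 * argument and the fragment. Pure function, so it can be tested outside WordPress.
 * Note: http_build_query() re-encodes the remaining arguments (e.g. %20 becomes +).
 */
function pe_strip_asset_version(string $src): string
{
    $parts = parse_url($src);
    if ($parts === false || empty($parts['query'])) {
        return $src;
    }
    parse_str($parts['query'], $args);
    unset($args['ver']);

    $url = '';
    if (isset($parts['host'])) {
        // Keep protocol-relative URLs ("//cdn.example.com/...") protocol-relative.
        $url .= (isset($parts['scheme']) ? $parts['scheme'] . ':' : '') . '//' . $parts['host'];
        if (isset($parts['port'])) {
            $url .= ':' . $parts['port'];
        }
    }
    $url .= $parts['path'] ?? '';
    if ($args) {
        $url .= '?' . http_build_query($args);
    }
    if (isset($parts['fragment'])) {
        $url .= '#' . $parts['fragment'];
    }
    return $url;
}

if (function_exists('add_filter')) {
    // Inside WordPress: strip the version from scripts and styles, and blank the generator
    // (the_generator covers the <head> tag as well as the RSS and Atom feeds).
    add_filter('script_loader_src', 'pe_strip_asset_version', 9999);
    add_filter('style_loader_src', 'pe_strip_asset_version', 9999);
    add_filter('the_generator', '__return_empty_string');
} elseif (PHP_SAPI === 'cli') {
    // Stand-alone demo with constructed URLs.
    $cases = [
        'https://example.com/wp-includes/js/jquery/jquery.js?ver=4.9.8' => 'https://example.com/wp-includes/js/jquery/jquery.js',
        '//example.com/wp-content/themes/t/style.css?x=1&ver=2#top'     => '//example.com/wp-content/themes/t/style.css?x=1#top',
        '/wp-content/plugins/p/app.js'                                  => '/wp-content/plugins/p/app.js',
    ];
    foreach ($cases as $in => $want) {
        $got = pe_strip_asset_version($in);
        if ($got !== $want) {
            throw new RuntimeException("expected $want, got $got");
        }
        echo "$in\n -> $got\n";
    }
}
```

The trade-off: the ver argument is also WordPress's cache-busting mechanism, so after an update visitors may keep using cached scripts and styles until their browser cache expires. Assets that set their own version string (most plugins do) are affected the same way.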
Secure access to wp-login.php and the wp-admin directory with BasicAuth or a limited list of IP addresses
An extra barrier in front of the login form stops brute-force bots before they ever reach WordPress. Example for the "wp-login.php" file (create the .htpasswd file with the htpasswd tool and keep it outside the web root):
<FilesMatch "wp-login.php">
AuthName "Member Only"
AuthType Basic
AuthUserFile /path-to/.htpasswd
require valid-user
</FilesMatch>
or create a .htaccess file in the "wp-admin" directory with this code:
AuthName "Admins Only"
AuthUserFile /path-to/passwd
AuthGroupFile /dev/null
AuthType Basic
require user your_username
<FilesMatch "admin-ajax\.php|admin-post\.php">
Order allow,deny
Allow from all
Satisfy any
</FilesMatch>
The FilesMatch block exempts admin-ajax.php and admin-post.php, which front-end scripts and plugins call for logged-out visitors as well; without it, those requests would get a 401. If your administrators always come from known addresses, an IP allowlist (Apache's "Require ip" on 2.4, "Allow from" on 2.2) is an alternative or an addition to the password prompt.
Block username scans
The goal of this kind of scan is to learn the registered usernames: WordPress answers /?author=1 with a redirect to /author/<username>/, which hands the attacker half of a login. It is recommended to block this with a rewrite rule in your .htaccess file. Example:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin/
RewriteCond %{QUERY_STRING} ^author=([0-9]*) [NC]
RewriteRule .* http://example.com/? [L,R=302]
The first condition keeps the admin area working, where edit.php?author=N is the legitimate "filter posts by author" link. Note that this rule covers only the query string; the REST API (/wp-json/wp/v2/users) lists usernames too.
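The same blocking can be done inside WordPress, which also lets you close the REST API users endpoints for anonymous visitors and, on WordPress 5.5 and later, the users sitemap. This is an added example, not code from the article; it is written as an mu-plugin, the function names are its own, and the inputs in the stand-alone check are constructed.

```php
<?php
// Added example (not from the article). Save as wp-content/mu-plugins/pe-block-user-enum.php
// (file name is this example's choice). Outside WordPress it runs its own checks.
declare(strict_types=1);

/** True when a front-end query string carries the numeric author probe (?author=1, ?author[]=1). */
function pe_is_author_probe(array $query): bool
{
    if (!array_key_exists('author', $query)) {
        return false;
    }
    $v = $query['author'];
    return is_array($v) || preg_match('/^\d*$/', (string) $v) === 1;
}

/** Remove every /wp/v2/users route from a rest_endpoints array. */
function pe_hide_user_routes(array $endpoints): array
{
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
}

if (function_exists('add_action')) {
    // 1. ?author=N: redirect_canonical() runs on template_redirect at priority 10 and
    //    turns the id into /author/<nicename>/, so intercept at priority 1.
    add_action('template_redirect', function () {
        if (pe_is_author_probe($_GET)) {
            wp_safe_redirect(home_url('/'), 302);
            exit;
        }
    }, 1);

    // 2. REST users endpoints, for anonymous requests only: the block editor needs
    //    them for logged-in authors and editors.
    add_filter('rest_endpoints', function (array $endpoints): array {
        return is_user_logged_in() ? $endpoints : pe_hide_user_routes($endpoints);
    });

    // 3. Users sitemap (WordPress 5.5+). Older versions simply never call this filter.
    add_filter('wp_sitemaps_add_provider', function ($provider, string $name) {
        return $name === 'users' ? false : $provider;
    }, 10, 2);
} elseif (PHP_SAPI === 'cli') {
    // Stand-alone checks with constructed inputs.
    $checks = [
        pe_is_author_probe(['author' => '1']) === true,
        pe_is_author_probe(['author' => ['1']]) === true,
        pe_is_author_probe(['author' => 'bob']) === false,   // WordPress casts this to 0: no redirect
        pe_is_author_probe(['p' => '42']) === false,
        array_keys(pe_hide_user_routes([
            '/wp/v2/posts' => [], '/wp/v2/users' => [], '/wp/v2/users/(?P<id>[\d]+)' => [],
        ])) === ['/wp/v2/posts'],
    ];
    if (in_array(false, $checks, true)) {
        throw new RuntimeException('self-check failed');
    }
    echo "ok\n";
}
```

Files in wp-content/mu-plugins/ load on every request and cannot be deactivated from the dashboard, which is exactly what you want for a hardening rule. Author archive pages (/author/<name>/) remain reachable; if you do not want those either, the cleaner fix is to set each account's display name and nicename to something other than the login name.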
Take care of your website
Always update WordPress, themes and plugins to the latest available versions
Make sure your software is up to date; new versions usually include security patches as well as new features. Test updates on a staging copy if the site is business-critical, but do not postpone them.
Remove plugins and themes you do not use
Unused, never-updated plugins and themes are still present on disk and can be exploited even while deactivated, and they take up server resources.
Check that plugins and themes are still being developed
Choose software that is still supported and compatible with the latest versions of WordPress.
Install themes and plugins only from trusted sources
This keeps you away from unverified software in which malicious code may be embedded; "nulled" copies of premium themes are a classic carrier of backdoors.
Create your own independent backups and store them off the server
Keep backups on a separate disk, or better in a different location entirely, because a failure of the server (or an attacker with root on it) would otherwise take the backups together with the data.
Do not use poor-quality plugins that give a false sense of security
You get better results from configuring and hardening the site properly than from installing a pile of "security" plugins. Fewer plugins means less code, and less code means fewer vulnerabilities.