How to Protect WordPress Website from Malware Attacks

Introduction: WordPress is today the most widely used web platform, largely because of its approachable interface. It was released in 2003 to improve the typography of everyday writing through blogging, and it has since grown into the most used open-source platform in the world for self-hosted blogs, CMS sites and custom solutions. Built on PHP and MySQL, it is free and open source and ships with security and performance features that developers can build on. Below are practical steps to protect a WordPress website from malware attacks.

This article collects security actions for a WordPress website. They help protect your database, your server paths and your site's access points from third parties and attackers. The steps cover:

  • wp-config.php settings
  • Database protection
  • .htaccess settings
  • Keeping WordPress, themes and plugins updated
  • Suppressing error output
  • Protecting files
  • Login restrictions
  • WordPress admin restrictions

1. Change the Database Prefix

A default WordPress installation uses the table prefix wp_. Because that prefix is public knowledge, automated SQL-injection payloads and malware scripts hard-code table names such as wp_users and wp_options. Choosing a unique prefix (set through $table_prefix in wp-config.php, ideally before installation) breaks those hard-coded assumptions. Treat it as defence in depth: it raises the cost of an automated attack but does nothing against an injection flaw that lets an attacker read information_schema, so it never replaces patching the vulnerable plugin.
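Changing the prefix on a site that is already installed is where people lock themselves out, because the prefix is also embedded in some row values. The script below is an added example, not code from the article: it does the rename with PDO and then fixes those rows. The DSN, credentials and the new prefix are placeholders.

```php
<?php
// Added example, not code from the original article. It renames every table of
// an existing WordPress install from the default prefix to a new one and then
// fixes the rows whose *contents* embed the prefix, which RENAME TABLE does not
// touch: the option "wp_user_roles" and each user's "wp_capabilities" and
// "wp_user_level" meta keys. Skip that second step and every account loses its
// role after the rename. Take a database dump first: RENAME TABLE is DDL and
// cannot be rolled back in MySQL. DSN, credentials and the new prefix are
// placeholders to replace.

$dsn  = 'mysql:host=127.0.0.1;dbname=wordpress;charset=utf8mb4'; // placeholder
$user = 'wpuser';                                                // placeholder
$pass = 'change-me';                                             // placeholder
$old  = 'wp_';
$new  = 'k7q_';   // must end in "_" and use only [A-Za-z0-9_]

// Identifiers cannot be bound as parameters, so validate them before they are
// interpolated into RENAME TABLE and the UPDATE statements below.
if (!preg_match('/^[A-Za-z0-9_]+_$/', $old) || !preg_match('/^[A-Za-z0-9_]+_$/', $new)) {
    exit("prefixes must match [A-Za-z0-9_]+_\n");
}

$pdo = new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// 1. Every table carrying the old prefix. "_" is a LIKE wildcard, so escape it.
$stmt = $pdo->prepare(
    'SELECT table_name FROM information_schema.tables
      WHERE table_schema = DATABASE() AND table_name LIKE ?'
);
$stmt->execute([str_replace('_', '\\_', $old) . '%']);
$tables = $stmt->fetchAll(PDO::FETCH_COLUMN);

// 2. Rename them.
foreach ($tables as $t) {
    $pdo->exec(sprintf('RENAME TABLE `%s` TO `%s`', $t, $new . substr($t, strlen($old))));
}

// 3. Fix the prefix-bearing option and meta keys by exact name. Do NOT use
//    "LIKE 'wp\_%'" here: core options such as wp_page_for_privacy_policy also
//    start with "wp_" and have nothing to do with the table prefix.
$pdo->prepare("UPDATE `{$new}options` SET option_name = ? WHERE option_name = ?")
    ->execute([$new . 'user_roles', $old . 'user_roles']);

$meta = $pdo->prepare("UPDATE `{$new}usermeta` SET meta_key = ? WHERE meta_key = ?");
foreach (['capabilities', 'user_level', 'user-settings', 'user-settings-time'] as $k) {
    $meta->execute([$new . $k, $old . $k]);
}

printf("Renamed %d tables. Now set \$table_prefix = '%s'; in wp-config.php.\n",
       count($tables), $new);
```

Run it once from the command line while the site is in maintenance mode, then update $table_prefix in wp-config.php and log in to confirm your administrator account still has its role.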

2. Create Custom Secret Keys for wp-config.php File

wp-config.php, in the WordPress root directory, holds the site's most sensitive settings: database credentials, the table prefix and the secret keys. It has to be protected from disclosure, whether through a web request, a backup left in the web root or a careless share. The secret keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their matching *_SALT values) are what WordPress uses to sign login cookies and nonces. Replace the placeholder values with long, unique random strings; changing them later invalidates every existing session, which is exactly what you want after a compromise.

Generate the keys with a cryptographically secure random source, for example the official generator at https://api.wordpress.org/secret-key/1.1/salt/ or PHP's random_bytes() on your own machine. Never make them up by hand, reuse them across sites, or paste in keys from an untrusted third-party page.
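If you prefer not to fetch the keys from a remote service, the following added example (not code from the article) generates all eight define() lines locally with PHP's CSPRNG; the function names are this example's own.

```php
<?php
// Added example, not code from the original article. Generates the eight
// wp-config.php secret keys and salts locally with PHP's CSPRNG. Run with
// `php gen-salts.php` and paste the output over the placeholder define()
// lines; rotating the values logs every existing session out.

const SALT_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// 64 characters from the same alphabet WordPress's own generator uses
// (letters, digits and specials). Neither ' nor \ is in it, so the value can
// be dropped into a single-quoted PHP string without escaping.
function gen_secret_string(int $length = 64): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!@#$%^&*()-_ []{}<>~`+=,.;:/?|';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)]; // unbiased, CSPRNG-backed
    }
    return $out;
}

function gen_salt_defines(): string
{
    $lines = '';
    foreach (SALT_NAMES as $name) {
        $lines .= sprintf("define( '%s', '%s' );\n", $name, gen_secret_string());
    }
    return $lines;
}

echo gen_salt_defines();
```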

3. Protect your wp-config.php File

wp-config.php must be shielded from direct web requests so that its contents never reach a browser, for example if PHP handling ever fails and Apache serves the file as plain text. Block it by placing the following in the .htaccess file in your site root. This is Apache 2.2 syntax; on Apache 2.4 it only works when mod_access_compat is loaded, and Require all denied is the native form. WordPress also lets you move wp-config.php one directory above the web root, where no web request can reach it at all.

<Files wp-config.php>
 order allow,deny
 deny from all
</Files>

4. Protect Your .htaccess File

Protecting wp-config.php alone is not enough. The .htaccess file records your access rules, rewrite rules and any IP allowlists, so an attacker who can read it learns how the site is defended. Deny direct requests to it with the following block in the same .htaccess file (Apache 2.2 syntax again; Apache 2.4 uses Require all denied, and the stock httpd.conf already contains a rule refusing any file whose name begins with ".ht"):

<Files .htaccess>
 order allow,deny
 deny from all
</Files>

5. Automatic Core Updates

Outdated versions of WordPress core, themes and plugins have publicly documented vulnerabilities, and attackers scan for them specifically. Always update core, themes and plugins to the latest release. Automatic updates suit anyone who wants a hands-off approach to site management but still needs a secure site. By default WordPress installs minor (security and maintenance) releases automatically, while major releases wait for approval; a major release may also carry fixes for security bugs in the previous version. To let major core releases install in the background without approval, put the following line in wp-config.php:

 define( 'WP_AUTO_UPDATE_CORE', true );

Minor updates rarely change behaviour, but automatic major updates can break a site, especially when a plugin or theme is not compatible with the new version. So log in to the site regularly after updates, keep backups, and never edit core files: the next update overwrites them. Automatic updates for plugins and themes are controlled by filters, and filters do not belong in wp-config.php (add_filter() is not yet defined at the point above the "stop editing" line where settings go); put them in your theme's functions.php or, better, in a must-use plugin under wp-content/mu-plugins/.

For plugins:

 add_filter( 'auto_update_plugin', '__return_true' );

For themes, use:

 add_filter( 'auto_update_theme', '__return_true' );

You can also hide the WordPress version number that is printed in the page's meta tags. Showing the version tells an attacker exactly which known bugs apply to your install. Hiding it is only obscurity, because the version also leaks through the ?ver= query string on core scripts and styles and through readme.html, so it complements updating rather than replacing it.

You can hide the WordPress version number with the following steps:

  • If you are using an older theme, remove the following line from your theme's header.php file:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
  • Remove the generator tag that WordPress itself prints in the head, which is what advertises the version to scanners. With a newer theme, add the following to your theme's functions.php file:
remove_action('wp_head', 'wp_generator');
  • Alternatively, filter the generator output itself in functions.php:
add_filter( 'the_generator', '__return_null' );
  • The the_generator filter also covers the RSS and Atom feeds, which call the_generator() as well, so the same filter written with a named function removes the version there too:
function wpt_remove_version() {
    return '';
}
add_filter( 'the_generator', 'wpt_remove_version' );
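The pieces of this section fit naturally into one must-use plugin, which survives theme switches and, unlike wp-config.php, runs after add_filter() exists. The file below is an added example, not code from the article; it also goes one step beyond the text by masking the ?ver= query string on core assets, which discloses the version just as reliably as the meta tag. The file name, function name and the masking scheme are this example's own choices.

```php
<?php
/**
 * Plugin Name: Hardening: updates and version disclosure
 *
 * Added example, not code from the original article. Save it as
 * wp-content/mu-plugins/hardening-updates.php (create the directory if it
 * does not exist). Must-use plugins load on every request and cannot be
 * deactivated from the dashboard.
 */

// Theme and plugin updates install automatically. Major core updates are
// switched on separately with WP_AUTO_UPDATE_CORE in wp-config.php.
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme',  '__return_true');

// Remove "WordPress x.y.z" from <head>, the feeds and anywhere else
// the_generator() is printed. The filter covers every context; the
// remove_action() line alone would leave the feed generator element intact.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// Core scripts and styles are enqueued with ?ver=<WordPress version>. Replace
// that value with a salted hash: caches still bust on every upgrade because
// the hash changes, but the version itself is no longer visible. Assets whose
// ver= is something else (plugin and theme versions) are left untouched.
function hardening_mask_core_ver($src)
{
    if (!is_string($src)) {
        return $src;
    }
    $wp_version = get_bloginfo('version');
    $pattern = '/([?&])ver=' . preg_quote($wp_version, '/') . '(?=&|$)/';
    if (!preg_match($pattern, $src)) {
        return $src;
    }
    $masked = substr(hash('sha256', $wp_version . AUTH_SALT), 0, 12);
    return preg_replace($pattern, '${1}ver=' . $masked, $src);
}
add_filter('script_loader_src', 'hardening_mask_core_ver');
add_filter('style_loader_src',  'hardening_mask_core_ver');
```

After installing it, view the page source and the feed: there should be no generator element, and every core asset URL should carry the 12-character hash instead of a version string.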

 

6. Eliminate PHP Error Reporting

Backend hardening also means denying attackers information, and PHP error output is a common leak. When a theme or plugin misbehaves, PHP prints a warning or fatal error straight into the page, and those messages include the absolute filesystem path of the failing file. That hands an attacker your server layout, which is exactly what path-traversal and file-inclusion attacks need. Turn off on-screen error display with the following snippet in wp-config.php, and keep WP_DEBUG false on a production site. The display_errors line is the one that matters: WordPress's wp_debug_mode() sets its own error_reporting() level later in the bootstrap regardless. Errors should still be written to the PHP error log, which must live outside the web root so that it cannot be fetched over HTTP.

// Turn off on-screen error reporting
error_reporting(0);
@ini_set("display_errors", 0);

7. Disable Login Hints

When someone tries to log in to the WordPress admin panel with a wrong password or a non-existent username, the login form says which of the two was wrong: the username is unknown, or the password does not match that username. That lets an attacker confirm valid usernames and then concentrate a password-guessing attack on them. Replace the hint with a single generic message by adding the following to your theme's functions.php file. Note that this only changes the login form's text; the password-reset form and author archives (see section 9) can still confirm usernames and need their own treatment.

function no_wordpress_errors()
{
    return 'What the heck are you doing?! Back off!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );

8. Protect your WordPress Admin Area

The WordPress admin area is where you customise the backend and manage content, so access to it should be limited to the people who actually need it. If your site has no open registration and no front-end content creation, nobody but you needs to reach /wp-admin/ or wp-login.php. Put the block below in your .htaccess file, replacing xx.xxx.xxx.xxx with your own public IP address. Note that wp-login.php sits in the site root, so this <Files> rule belongs in the root .htaccess, not in the wp-admin folder; an .htaccess placed inside wp-admin/ restricts that folder instead, and it must leave admin-ajax.php reachable because front-end plugins call it for anonymous visitors.

<Files wp-login.php>
 order deny,allow
 Deny from all
 Allow from xx.xxx.xxx.xxx
</Files>

To allow access from several computers (office, home PC, laptop and so on), add another Allow from xx.xxx.xxx.xxx line for each address. The directives above are Apache 2.2 syntax; Apache 2.4 expects Require ip instead, and either form only works in .htaccess when AllowOverride permits it (Limit for Order/Allow/Deny, AuthConfig for Require). If the site sits behind a CDN or reverse proxy, the address Apache sees is the proxy's, so configure the real client IP (mod_remoteip) first or the allowlist will either lock everyone out or admit anyone arriving through the proxy.
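For Apache 2.4, the three file restrictions from sections 3, 4 and 8 look like this. This is an added configuration example, not part of the original article; the addresses 203.0.113.10 and 198.51.100.0/24 are documentation-range placeholders to replace with your own.

```apache
# Added example (not from the original article): sections 3, 4 and 8 in
# Apache 2.4 syntax. The 2.2 Order/Deny/Allow directives only work on 2.4
# when mod_access_compat is loaded, and mixing both styles in one section
# is not allowed. Requires AllowOverride AuthConfig for the directory.

# --- root .htaccess (next to wp-config.php and wp-login.php) ---
<Files "wp-config.php">
    Require all denied
</Files>

<Files ".htaccess">
    Require all denied
</Files>

# wp-login.php lives in the site root, so its rule belongs here, not in wp-admin/.
<Files "wp-login.php">
    Require ip 203.0.113.10 198.51.100.0/24
</Files>

# --- wp-admin/.htaccess ---
# Everything in the folder is limited to the same addresses ...
Require ip 203.0.113.10 198.51.100.0/24

# ... except admin-ajax.php, which front-end plugins call for anonymous
# visitors. With the default AuthMerging Off, the Require inside this
# <Files> section replaces the directory-level one for that file.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Test from an address that is not on the list: wp-login.php and wp-admin/ should return 403, while a request to wp-admin/admin-ajax.php still answers (with "0" for an unknown action).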

If you need to reach the admin area from arbitrary IP addresses, restricting it to one or a few addresses is inconvenient. In that case, limit the number of incorrect login attempts instead: lock a client out after a handful of failures so that brute-force and password-guessing attacks become impractically slow.
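The article does not show how to do that, so here is a minimal limiter as an added example (not code from the article). It is written as a must-use plugin; the thresholds, transient names, function names and the use of REMOTE_ADDR are this example's own choices.

```php
<?php
/**
 * Plugin Name: Hardening: login throttling
 *
 * Added example, not code from the original article. A minimal brute-force
 * limiter for wp-login.php, installed as wp-content/mu-plugins/login-throttle.php.
 * Failed logins are counted per client address in transients; once the limit
 * is reached every further attempt from that address is refused for the
 * lockout window, whether or not the password is right. Behind a CDN or
 * reverse proxy the client address must come from the proxy's trusted header
 * (e.g. via mod_remoteip) rather than REMOTE_ADDR.
 */

const HARD_LOGIN_MAX_FAILS   = 5;        // failures before lockout
const HARD_LOGIN_WINDOW_SECS = 15 * 60;  // how long failures are remembered
const HARD_LOGIN_LOCK_SECS   = 15 * 60;  // lockout length

function hard_login_client_key(): string
{
    // Hash the address so the transient name stays short and opaque.
    return 'hard_login_' . md5($_SERVER['REMOTE_ADDR'] ?? 'unknown');
}

// Fires on every failed attempt, wrong password and unknown user alike.
function hard_login_record_failure(string $username): void
{
    $key   = hard_login_client_key();
    $fails = (int) get_transient($key . '_fails') + 1;
    set_transient($key . '_fails', $fails, HARD_LOGIN_WINDOW_SECS);
    if ($fails >= HARD_LOGIN_MAX_FAILS) {
        set_transient($key . '_locked', time() + HARD_LOGIN_LOCK_SECS, HARD_LOGIN_LOCK_SECS);
        error_log(sprintf('wp-login lockout for %s after %d failures',
                          $_SERVER['REMOTE_ADDR'] ?? 'unknown', $fails));
    }
}
add_action('wp_login_failed', 'hard_login_record_failure');

// Priority 99 is deliberate. Core's own authenticate callbacks run at 20 and
// 30, and wp_authenticate_username_password() ignores a WP_Error it receives
// when a username and password are present: it looks the user up and checks
// the password anyway. Hooking after them means the WP_User they return is
// discarded for a locked client and no login cookie is ever issued.
function hard_login_block_if_locked($user, $username, $password)
{
    if (empty($username) && empty($password)) {
        return $user;  // plain GET of the login form, not an attempt
    }
    $until = (int) get_transient(hard_login_client_key() . '_locked');
    if ($until > time()) {
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed logins. Try again in %d minutes.',
                    (int) ceil(($until - time()) / 60))
        );
    }
    return $user;
}
add_filter('authenticate', 'hard_login_block_if_locked', 99, 3);

// A successful login clears the failure counter for this client.
function hard_login_clear(string $user_login): void
{
    delete_transient(hard_login_client_key() . '_fails');
}
add_action('wp_login', 'hard_login_clear');
```

Attempts made while locked still count as failures, so a client that keeps hammering the form keeps extending its own lockout. If you also use the login_errors filter from section 7, it rewrites the lockout message too, which is fine: the client simply sees the generic text. Transients live in the options table (or the object cache), so the counters are shared across all PHP workers.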

9. Hide Author Usernames

On most single-user sites the author name shown on posts is the administrator's login name, because nobody thinks to separate them. WordPress then makes that login name easy to discover: requesting ?author=1 on the site's URL redirects to the author archive of user ID 1, whose URL contains the username. Handing an attacker half of the credential pair is a poor start, and it compounds the login hints of section 7.

Block the author archive by adding the snippet below to your theme's functions.php file. It sends anyone requesting an author page, including ?author=1, back to the homepage. The hook is registered at priority 1 on purpose: WordPress's own redirect_canonical() runs on template_redirect at priority 10, and if it runs first it answers ?author=1 with a redirect to /author/<username>/, leaking the name in the Location header before this function ever executes.

add_action( 'template_redirect', 'bwp_template_redirect', 1 );
function bwp_template_redirect()
{
    if ( is_author() ) {
        wp_redirect( home_url() );
        exit;
    }
}
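The author archive is not the only place the login name is exposed: the REST API's users endpoint lists it too, for every user who has published content, with no authentication. The must-use plugin below is an added example (not code from the article) that covers both paths; its file and function names are this example's own.

```php
<?php
/**
 * Plugin Name: Hardening: author enumeration
 *
 * Added example, not code from the original article. Save it as
 * wp-content/mu-plugins/author-enum.php. It closes the two username
 * enumeration paths discussed in section 9 and can coexist with the
 * functions.php snippet above.
 */

// 1. Author archives. Priority 1 puts this ahead of redirect_canonical()
//    (template_redirect, priority 10); otherwise ?author=1 is answered with
//    "Location: /author/<nicename>/" before any later callback runs, and the
//    redirect itself is the leak. The nicename is the login name unless it
//    was changed explicitly.
function hard_block_author_archives(): void
{
    if (is_author()) {
        wp_safe_redirect(home_url('/'), 302);
        exit;
    }
}
add_action('template_redirect', 'hard_block_author_archives', 1);

// 2. The REST API. /wp-json/wp/v2/users and /wp-json/wp/v2/users/<id> list
//    every user with published content, "slug" (the nicename) included, to
//    anonymous clients. Refuse those routes unless a user is logged in; the
//    block editor keeps working because its requests carry the login cookie
//    and a nonce.
function hard_protect_users_route($result, $server, $request)
{
    if (!is_user_logged_in() && preg_match('#^/wp/v2/users(/|$)#', $request->get_route())) {
        return new WP_Error('rest_forbidden', 'Authentication required.', ['status' => 401]);
    }
    return $result;
}
add_filter('rest_pre_dispatch', 'hard_protect_users_route', 10, 3);
```

Verify with an anonymous client: /?author=1 should land on the homepage with no intermediate /author/ redirect in the response chain, and /wp-json/wp/v2/users should return a 401 JSON error instead of a user list.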

There are further measures that can harden a WordPress site beyond these, but the steps above are the core set that will make your website noticeably more secure.