All web servers receive tons of hacking attempts every day. Most of them are unsuccessful and get blocked by the server or firewall. However, we keep hearing about WordPress sites being hacked, and that gives people a negative impression of WordPress. People might think that because WordPress is open source and free, it is no surprise when it gets hacked.
This is wrong! The WordPress core is extremely secure. Your WordPress site can be very secure and hard to hack if you do it right.
1. Secure WordPress Theme
Nothing is free. Think about what the developer gets when they distribute a free theme for millions of WordPress users to download. Nothing is free, my friend: you will get a lot of spam comments out of nowhere even after you have turned comments off. In the worst case, the theme itself can be vulnerable and easily hacked.
2. Secure WordPress Plugin
Most of the big players develop their own private plugins. It is too dangerous to use a plugin created by a stranger. If you search for a famous plugin name on WordPress, you can easily find a lot of suspicious plugins trying to mimic the original by using a similar name.
When you cannot avoid using a plugin, choose a reliable one by looking at the total number of installs and the ratings.
3. Update your WordPress
It is important to update your WordPress, as security updates are released regularly to address any security issues that arise. WordPress has had automatic updates since version 3.7, and you should enable them.
Database backup is one of the major concerns for people who do not like to enable automatic updates. Nobody wants to see their WordPress site messed up after an automatic update with no way to roll back.
Set up an automatic backup of your WordPress database weekly or monthly, depending on your needs.
Learn more: How to Automatic Backup MySQL Database using SSH
4. Disable File Editing
WordPress allows administrators to edit PHP files, plugin files and theme files from the dashboard. You should disable the WordPress file editing feature, as this is the main route for a hacker to inject malicious code without having access to your server.
Add the DISALLOW_FILE_EDIT constant to wp-config.php to disable file editing.
5. Securing wp-admin
Add server-side password protection to the /wp-admin/ folder. An attacker or bot has to get through this second layer of protection before they can attack your actual files. You can even rename the entire wp-admin folder, since most hacking attempts are carried out by bots.
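Steps 4 and 5 above as one added example (not code from the original post): a POSIX shell script that adds the DISALLOW_FILE_EDIT define to wp-config.php idempotently, and writes an Apache .htaccess that puts HTTP Basic auth in front of wp-admin. Assumed: Apache 2.4 with AllowOverride enabled, an htpasswd file you create separately with htpasswd, and a constructed wp-config.php for the demo.

```shell
# Added example (not from the original post): hardening steps 4 and 5 as an
# idempotent POSIX sh script. Assumes Apache 2.4 with AllowOverride enabled and
# an htpasswd file created separately with `htpasswd -c <file> <user>`.

# Step 4: add DISALLOW_FILE_EDIT to wp-config.php, placed before the
# "That's all, stop editing!" marker so it is defined before wp-settings.php.
harden_wp_config() {
  cfg="$1"
  grep -q "DISALLOW_FILE_EDIT" "$cfg" && return 0   # already hardened
  if ! grep -q "That.s all, stop editing" "$cfg"; then
    echo "marker not found in $cfg, refusing to guess the insert point" >&2
    return 1
  fi
  tmp="$cfg.tmp.$$"
  awk -v line="define( 'DISALLOW_FILE_EDIT', true );" \
      '/That.s all, stop editing/ { print line } { print }' "$cfg" > "$tmp" \
    && mv "$tmp" "$cfg"
}

# Step 5: HTTP Basic auth in front of /wp-admin/. admin-ajax.php is exempted
# because themes and plugins call it for logged-out visitors; the htpasswd
# file must live outside the document root.
protect_wp_admin() {
  dir="$1"      # wp-admin directory
  users="$2"    # htpasswd file path
  cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted admin area"
AuthUserFile $users
Require valid-user

<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# Demo on a constructed wp-config.php in a temporary directory; runs the
# hardening twice to show it is idempotent and prints the directory used.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/wp-admin"
  printf '%s\n' "<?php" "define( 'DB_NAME', 'wp' );" \
    "/* That's all, stop editing! Happy publishing. */" \
    "require_once ABSPATH . 'wp-settings.php';" > "$work/wp-config.php"
  harden_wp_config "$work/wp-config.php" && harden_wp_config "$work/wp-config.php"
  protect_wp_admin "$work/wp-admin" /etc/apache2/wp-admin.htpasswd
  echo "$work"
}
```

Run `W=$(demo); cat "$W/wp-config.php" "$W/wp-admin/.htaccess"` to inspect the result; the admin-ajax.php exception keeps front-end features that call it working behind the password prompt.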
Besides plugins, you can also install a host-based intrusion detection system (HIDS) to filter content before it is processed by WordPress. A good example is OSSEC.
If you have done all six things mentioned above, I believe you can survive most WordPress hacking attempts.