Request a Quote – Baniwal Infotech

11 Ways to Protect Your WordPress Website From Being Hacked

11 Ways to Protect Your WordPress Website From Being Hacked

You can find below the list of safety hacks that you can apply on your WordPress Blog/Website to protect from being hacked. As we all know WordPress folders & Files structure is very easy to understand by any developers. And the hackers get benefit and inject the malicious code on the website core files. So, to protect your website from bot/hacker’s injection we can implement some safety hacks on our website.

Highly recommended: Please do take the complete Back-up of your website/blog files and database before implementing any below mentioned security hacks to be a safer side. 

1. Protect your .htaccess file
Just place the below mentioned code on your website .htaccess file in the root directory:

 # STRONG HTACCESS PROTECTION</code>
<Files ~ “^.*\.([Hh][Tt][Aa])”>
order allow,deny
deny from all
satisfy all
</Files>

2. Secure wp-config.php file.
Simply adding the below code to the .htaccess file in the root directory:

# protect wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all
</files>

3. Limit Access to the wp-content Directory
Place the below code in the .htaccess file within the wp-content folder (not the root):

Order deny,allow
Deny from all
<Files ~ “.(xml|css|jpeg|png|gif|js)$”>
Allow from all
</Files>

4. No Directory Browsing
In order to stop this, simply add the piece of 2 lines in your .htaccess in the root directory of your WordPress blog/site:

# disable directory browsing
Options All -Indexes

5. Prevent script injection by bot/hackers
Simple place the below code to your .htaccess file in the root directory:

# protect from SQL injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

6. Restrict access of wp-admin directory
Just placed the below mentioned code on the .htaccess file:

<FilesMatch “.*”>
Order Deny, Allow
Deny from All
Allow from [Add your IP address (es) here]</FilesMatch>

7. Allow access to WP admin/ Login to your IP
Just allow access to your website admin to your IP only through IP filtering, add the below mentioned code on the .htaccess file:

<Files wp-login.php>
Order Deny, Allow
Deny from All
Allow from [Add your IP address (es) here]</Files>

8. To prevent any malicious persons/bots from sending unwanted scripts straight to the heart of your website.
Add this before #BEGIN WordPressin your .htaccess file:

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]
</IfModule>
# BEGIN WordPress

9. Disabling editing PHP files from dashboard
which is where the attacker will concentrate after hacking through an access point, just placed the below mentioned line into your wp-config.php

define(‘DISALLOW_FILE_EDIT’, true);

10. SQL injection-based attacks by changing its value from the default wp_
$table_prefix is placed before all your database tables. You can prevent

example: $table_prefix = ‘r235_’;

Note: You can use the plugin also, to change the your WordPress website database tables pre-fixes: https://wordpress.org/plugins/change-table-prefix/

11. Replace your WordPress Keys in wp-config.php
Just goto the WordPress Key Generatorsite to generate these keys. Now open your wp-config.php file &  find the lines that look  similar to the below mentioned lines and simply replace with the new generated ones: 

define(‘AUTH_KEY’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
define(‘NONCE_KEY’, ‘put your unique phrase here’);

Conclusion: See these are the safety hacks used to prevent you from being hacked not to reset & clean the hacked website /blogs. If your WordPress Blog/websites has been hacked. You can use the Free Security Plugin WordFence  https://www.wordfence.com/ . Once you will install this plugin you can scan your website & can check the injected & hacked files. So that you can clean & fix the same. It’s a free plugin but you can buy the premium version also for extra protection.

Leave a Reply

Your email address will not be published. Required fields are marked *

Recent Posts

Categories

© 2019 Baniwal Infotech Pvt. Ltd.