First things first…

WordPress is not necessarily “unsafe”. For years people have been concerned about the security of their WordPress installation, often wrongly so. It is usually the plugins (small pieces of code you can install to easily add functionality to your website) that make a site less resilient. The WordPress core software itself is updated regularly with security and stability in mind.

Protecting your WordPress website

Better safe than sorry. Here are a few quick tips that are very easy to set up but will make your site a whole lot safer, so I can only recommend that everyone implement them.

1. Update!

WordPress updates are there for a reason: the most common hacks target outdated WordPress code. If you get a notification in the back office that updates are available, please install them.

Tip: do not forget to take a backup before updating. In case something goes wrong while updating the WordPress core or one of the installed plugins, you can always roll back.

2. SSL

I already mentioned in another article what SSL exactly is. If your website is not yet secured with SSL, do it as soon as possible. Unlike the following points, SSL encryption is not an option, but a basic requirement.

3. Disable the file editor

Within the WordPress admin it is possible to edit the files / code of your website (View > Editor). It is best to disable this. If a hacker were able to get into your admin area, he could otherwise easily modify the software of your website, and if he’s good, you would not notice until it’s too late.

In order to disable the file editor, you must connect to your webhosting via an FTP program (e.g. FileZilla; use SFTP if your host offers it, so your login is not sent in the clear). In the root folder of your WordPress installation, you must then edit the wp-config.php file. Add the following line:

define('DISALLOW_FILE_EDIT', true);

4. Optimise .htaccess

To edit the .htaccess of your WordPress website you need to reconnect via FTP. The .htaccess is located on the same level as the earlier wp-config.php. When you open this file you will see the following somewhere:

# BEGIN WordPress

The pieces of code that follow should be placed above that line.

4.1. Limit access to wp-includes

A frequently used attack technique is to request PHP files in the wp-includes folder of your website directly, bypassing the normal WordPress entry point. With the following piece of code, you block that direct access (note that the rule for wp-includes/*.php is not suitable for Multisite installations, where ms-files.php must stay reachable):

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Refuse direct requests to the admin include files
RewriteRule ^wp-admin/includes/ - [F,L]
# Skip the next three rules for anything outside wp-includes/
RewriteRule !^wp-includes/ - [S=3]
# Refuse direct requests to PHP files in wp-includes/ (not for Multisite)
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

4.2. Block access to the wp-config

During the installation process, sensitive data such as database usernames and passwords are written to the wp-config.php. If someone were able to read this file, they could do a lot of damage. Therefore, restrict web access to that specific file (the directives below are the Apache 2.2 syntax; on Apache 2.4 the equivalent is `Require all denied`, although the old form still works when mod_access_compat is loaded):

<files wp-config.php>
order allow,deny
deny from all
</files>

4.3. Block access to .htaccess

We have already set up important security mechanisms in the .htaccess, and it would be a shame if a hacker could disable them again. Therefore, it is best to block web access to the .htaccess file itself:

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
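To check that steps 3 and 4 actually landed on the server, here is a small audit script, added as an example and not part of the original article. It assumes a POSIX sh, that the files are named as in the article, and that the wp-config.php deny block is the first of your custom rules (it is used as the reference point for the “above # BEGIN WordPress” check); the sample installs it creates are constructed for the demonstration.

```shell
# Audit a WordPress root for the hardening steps in sections 3 and 4.
# Usage: audit_wp_root /path/to/wordpress   (returns the number of failed checks)
# Step 3: wp-config.php must define DISALLOW_FILE_EDIT as true.
check_file_editor_disabled() {
  grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
    "$1/wp-config.php"
}
# Step 4.1: direct requests to PHP files in wp-includes must be refused.
check_wp_includes_blocked() {
  grep -Fq 'RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]' "$1/.htaccess"
}
# Steps 4.2 and 4.3: deny blocks for wp-config.php and for .hta* files.
check_htaccess_denies() {
  grep -Fq '<files wp-config.php>' "$1/.htaccess" &&
    grep -Fq '<files ~ "^.*\.([Hh][Tt][Aa])">' "$1/.htaccess"
}
# Section 4: the custom rules have to sit above the "# BEGIN WordPress" marker.
check_rules_above_marker() {
  marker=$(grep -nF '# BEGIN WordPress' "$1/.htaccess" | head -n1 | cut -d: -f1)
  rule=$(grep -nF '<files wp-config.php>' "$1/.htaccess" | head -n1 | cut -d: -f1)
  [ -n "$marker" ] && [ -n "$rule" ] && [ "$rule" -lt "$marker" ]
}
audit_wp_root() {
  failures=0
  for check in check_file_editor_disabled check_wp_includes_blocked \
               check_htaccess_denies check_rules_above_marker; do
    if "$check" "$1"; then echo "PASS $check"; else echo "FAIL $check"; failures=$((failures + 1)); fi
  done
  return "$failures"
}
# Constructed sample installs (not real sites): "hardened" follows the article, "plain" does not.
make_sample_root() {
  dir=$(mktemp -d)
  if [ "$1" = hardened ]; then
    printf "<?php\ndefine('DISALLOW_FILE_EDIT', true);\n" > "$dir/wp-config.php"
    printf '%s\n' '<files wp-config.php>' 'order allow,deny' 'deny from all' '</files>' \
      '<files ~ "^.*\.([Hh][Tt][Aa])">' 'order allow,deny' 'deny from all' 'satisfy all' '</files>' \
      '<IfModule mod_rewrite.c>' 'RewriteEngine On' 'RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]' \
      '</IfModule>' '# BEGIN WordPress' '# END WordPress' > "$dir/.htaccess"
  else
    printf "<?php\n" > "$dir/wp-config.php"
    printf '%s\n' '# BEGIN WordPress' '# END WordPress' > "$dir/.htaccess"
  fi
  echo "$dir"
}
```

Running `audit_wp_root "$(make_sample_root plain)"` prints four FAIL lines and exits with status 4; against the hardened sample every check passes.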

5. Change your password

You would not be the first site owner whose site was hacked because a bot could guess the password. Choose a secure password right from the installation onward: go for a mix of letters, numbers and special characters.

However, such a password is more difficult to remember. Therefore, I recommend using a password manager like 1Password. It stores all your passwords in encrypted form (so no more post-its on your laptop!), and you only have to remember one password: that of your 1Password account. If you are diligent, you can also change your WordPress password every 3 months; with such a password manager, you won’t have to remember them anyway.