4 Steps to a Secure WordPress Website

Secure WordPress Website

4 Steps to a Secure WordPress Website

WordPress has become the earth’s most famous CMS. Since it’s so popular, this is even more of a reason to improve and enhance WordPress security if you’re using it for your website. Many Individuals understand how to create their Page itself secure, however if you are not focusing on the security of your WordPress Website by restricting access to important folders and files, then you’re still at risk. To do this you will not be making any changes to WordPress itself, but rather altering how WordPress runs on a server and how much access users have to its files.

WHAT IS A .HTACCESS FILE?

Using .htaccess files lets you control the behavior of your site or a specific directory on your site. For example, if you place a .htaccess file in your root directory, it will affect your entire site (www.coolexample.com). If you place it in a /content directory, it will only affect that directory (www.coolexample.com/content).

.htaccess works on all of our Linux hosting accounts. Some examples of what a .htaccess file can be used for are:

  • Customize the error pages for your site
  • Protect your site with a password
  • Enable server-side includes
  • Deny access to your site based on IP
  • Change the default page (index.html) that is loaded for your site
  • Redirect visitors to another page
  • Prevent directory listing
  • Add MIME types

A .htaccess file is a simple text file with the name .htaccess. It is not a file extension like .html or .txt, as the entire file name is .htaccess. For more information on how to set up .htaccess files, visit Apache’s website.

Using BlueHost, Host Gator or GoDaddy as your hosting company?
Use the links below will show you how to find this file

bluehost
godaddy
hostgator

STEP 1: LIMITING ACCESS TO WP-INCLUDES FOLDER

A WordPress Business Website are comprised in a set of folders and files, each using their own Unique URLs, which means if someone were to type in the right URL they could get or change sensitive files which run your website. One Of the most frequent targets for this sort of hacking is your wp-includes folder, So we’re going to include some extra code into the host configuration file to Beef up safety and avoid these types of threats. When we are done with this, anyone attempting to access these files gets redirected back out.

To start you will want to open up the .htaccess file for your site. You can do this through any text editor, doesn’t matter which because all we are doing is adding a little snippet of code to the file. You will notice that the file already has code in it, generated by WordPress. In one of the early lines of code, you will find a line that says # BEGIN WordPress. Immediately above this code, we’re likely to add the extra lines of code, which will fortify the website’s defenses by limiting access into this wp-includes folder.

 

# Blocking web access to the wp-includes folder

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /

RewriteRule ^wp-admin/includes/ – [F,L]

RewriteRule !^wp-includes/ – [S=3]

RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]

RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]

RewriteRule ^wp-includes/theme-compat/ – [F,L]

</IfModule>

 

Afterward, you simply need to re-upload the file to the server and you’re done. While the changes here seem minor it can have a large impact on your site’s defenses. Because a lot of the Innovative functions of WordPress are located inside the wp-includes folder, they’re a significant goal for Hackers to go after. With these changes executed, when users try to access this folder, they will rather be redirected to the front page of your website.

 

STEP 2: PROTECTING WP-CONFIG.PHP

Our next step to Reinforce your Business Website built in WordPress Safety is to restrict access into the wp-config.php file. When you first created your WordPress site, you had to create a database name, username, password, and table prefix, which is contained in the wp-config.php file. The reason you want to protect this file is because it contains the information WordPress needs to talk to the database, and in the long run, control your site.

To ideally shield your wp-config.php file, you will just want to do a few little steps. First, we will want to open up the .htaccess file again. Next, we will want to copy the snippet of code below and paste it into our .htaccess file just like we did with step 1.

 

# Blocking web access to the wp-config.php file

<files wp-config.php>

order allow,deny

deny from all

</files>

 

Finally, save and re-upload the file.

 

STEP 3: DEFENDING THE .HTACCESS FILE ITSELF

As you can see with steps ONE and TWO, the .htaccess file can be intrinsic to shielding your WordPress Website from malicious external threats. That’s why in this step we’re going to shield the .htaccess file itself, preventing hackers from eliminating the Protections we have previously put in place.

To achieve this we can open the .htaccess file. Next, insert the code below into the current code.

 

# Securing .htaccess file

<files ~ “^.*\.([Hh][Tt][Aa])”>

order allow,deny

deny from all

satisfy all

</files>

 

And with this Easy addition, your .htaccess file is shielded from external threats.

 

STEP 4: REMOVING FILE EDITOR ACCESS

For the last and final step we will be denying hackers’ access to one of the very harmful tools that they can get their hands on: the Editor inside the WordPress dashboard. It allows you to edit your theme files, which is helpful but can be dangerous. If a person, other than yourself would get access to this, then they could change your code and break your site.

With this Project, We’ll be eliminating the Editor in the WordPress dashboard. Instead of accessing the file via WordPress, I recommend that you access it through an ftp client such as FileZilla, which is better for site integrity.

So to perform this Project we’ll first want to start out wp-config.php file. Once we have that open, we are going to go to the end of the code, here you will find the text “That’s all, stop editing! Happy blogging.” Right Prior to this text we are gonna add the code below to eliminate file editing completely from WordPress.

 

define(‘DISALLOW_FILE_EDIT’, true);

 

Once you have added the code, save the file and re-upload it to the server. Now your WordPress site is Secure from anyone gaining access to a site and seeking to manipulate the code.

 

KNOW THAT YOUR SITE IS SAFE

In case you follow all these amazing steps ideally, your site should be a lot safer. By reducing the amount of access Hackers have into the files important to conducting your site, you’ve improved your WordPress Business Website and it’s overall security.

Write a Comment