Table of Contents
PAGE 3 Keep software up to date
PAGE 4 Use HTTPS
PAGE 5 Enable Web Application Firewall (WAF)
PAGE 5 Use 2-factor authentication
PAGE 6 Use Top Quality WordPress Themes
PAGE 6 Watch out for SQL injection
PAGE 7 Check your passwords
PAGE 7 Avoid file uploads
PAGE 8 Beware of error messages
PAGE 8 Get website security tools
PAGE 9 Use email as login
PAGE 9 Rename your login URL
PAGE 9 Change the admin username
PAGE 10 Change the WordPress database table prefix
PAGE 10 Backup your site regularly
PAGE 10 Protect the wp-config.php file
PAGE 11 Disallow file editing
PAGE 11 Remove your WordPress version number
PAGE 11 Limit Login Attempts
PAGE 11 Disable Directory Indexing and Browsing
PAGE 12 Automatically log out Idle Users in WordPress
PAGE 12 Add Security Questions to WordPress Login Screen
PAGE 13 Summing things up

When it comes to a successful business, you should always consider the security of the
whole project. Just as your business should be safe from fraudulent activity, your website
should be free from hacking and other kinds of illegal activities.

To put it simply, you should make a real fortress out of your website, but do you really know
how?

Since WordPress is the engine that the majority of websites use nowadays, it would be
reasonable to review the smartest security measures that you may use in your project to
make sure your website will never be hacked.

Keep software up to date

WordPress is well maintained, and its developers usually release several updates a month.
Keeping pace with the development team means security fixes reach your site as soon as they
are published. The best way to make sure nobody breaks into your website through some old
bug is to update your CMS promptly, right after each release.

As of 2018, WordPress usually updates itself without even asking you, but if you have
disabled this feature, we strongly recommend that you review that decision. An updated
website is a healthy website.

Use HTTPS

An SSL certificate assures your visitors that yours is a legitimate website and that their data
will be encrypted and protected all the way from their browser to your server. Trusted SSL
providers issue a certificate only to real companies that have been verified and checked,
often more than once. That way users need not worry about their credit card details, login
or password: the data is delivered safely to the right company.

The price of an SSL certificate depends on the security features the provider includes, so
prices usually range from $50 to $400. Everyone can find an affordable certificate for their
needs. I conducted a quick overview and created a list of SSL certificate providers for you.

Symantec
One of the best known digital security companies that offers top quality SSL certificates
starting from $399 per year.

Comodo
A very reliable SSL provider that not only offers quality certificates at an affordable price
but also provides free SSL certificates that are valid for 90 days and are trusted just as much
as the paid ones.

Network Solutions
A reliable company that offers SSL certificates ranging from $54.99 to $399.50 per year.
They have five plans for you, from express SSL certificates to extended.

GoDaddy
This company is one of the best-known SSL certificate providers.
Top quality: check. Affordable pricing: check.

SSL.com
A pioneer in this industry that offers a great service for a good price. Their customer base
includes Microsoft, IBM and other big and well-known brands.

Enable Web Application Firewall (WAF)

A Web Application Firewall makes sure that malicious web traffic doesn’t even reach your
server: it inspects incoming requests and blocks those identified as malicious. To check
that a request comes from a human rather than a bot, a WAF can issue a CAPTCHA challenge.

There are three security models of WAF:

1. Whitelisting – allows only traffic that matches pre-configured criteria.
2. Blacklisting – blocks traffic that matches known malicious patterns.
3. Hybrid model – often the best choice, since it combines the two previous models
into one strong layer of protection for your website.

Use 2-factor authentication

You may have encountered this kind of sign-in method on Gmail, Telegram and other trustworthy
services. Basically, this is the best way to ensure the safety of your login session. The idea
is to involve your smartphone in the authentication process.

Since we nearly always have our smartphones with us, confirming the sign-in is no trouble
for us. If someone tries to brute-force your password, however, they won’t get ANY
meaningful result. The only way for them to access your admin panel would be to steal
your smartphone as well.

WordPress has a plugin for that in its plugin repository. Try it out; it’s really intuitive:

WordPress 2-step verification
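
To make the idea concrete, here is an added example (not part of this e-book or of the plugin named above) showing how the six-digit code on a smartphone is computed and checked, following the HOTP and TOTP standards (RFC 4226 and RFC 6238). The shared secret is the RFC’s published test secret, not a production value; the function names and the one-step drift window are our own choices.

```php
<?php
// Added example (not from the e-book or the plugin it names): how a smartphone's
// six-digit code is derived from a shared secret and the clock, and how the server
// checks it. Secret below is the RFC 4226/6238 test-vector secret, for illustration only.

function hotp(string $secret, int $counter, int $digits = 6): string
{
    $msg  = pack('J', $counter);                 // 8-byte big-endian counter
    $hmac = hash_hmac('sha1', $msg, $secret, true);
    $offset = ord($hmac[19]) & 0x0f;             // dynamic truncation (RFC 4226 5.3)
    $code = ((ord($hmac[$offset]) & 0x7f) << 24)
          | (ord($hmac[$offset + 1]) << 16)
          | (ord($hmac[$offset + 2]) << 8)
          |  ord($hmac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// TOTP is HOTP with the counter replaced by the number of 30-second steps since the epoch.
function totp(string $secret, int $unixTime, int $step = 30): string
{
    return hotp($secret, intdiv($unixTime, $step));
}

// Accept the current code and its immediate neighbours to tolerate small clock drift,
// and compare in constant time so the check itself leaks nothing.
function verifyTotp(string $secret, string $submitted, int $unixTime, int $window = 1): bool
{
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totp($secret, $unixTime + $i * 30), $submitted)) {
            return true;
        }
    }
    return false;
}

$secret = '12345678901234567890';   // RFC 6238 test secret (ASCII), not for real use

// Self-check against the published vector: at T=59 the SHA-1 code ends in 287082.
if (totp($secret, 59) !== '287082') {
    throw new RuntimeException('TOTP self-check failed');
}

// Both sides derive the same code from the shared secret and the clock; someone who
// has only the password cannot produce it.
$now = time();
$codeFromPhone = totp($secret, $now);
var_dump(verifyTotp($secret, $codeFromPhone, $now));
var_dump(verifyTotp($secret, '000000', $now));
```

The secret is exchanged once, usually as a QR code at enrolment, and must be stored server-side with the same care as a password hash; a real implementation should also refuse to accept the same code twice within its validity window.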

Use Top Quality WordPress Themes

We all tend to download attractive themes for our WordPress websites from the Internet. What
you may not realize is that careless developers can leave security holes right there in the
code of your next WP theme.

Unfortunately, many unreliable freelancers working on WP themes to make a living care only
about how fast they can bring their theme to market and start earning from it.

There is only one way to make sure that you’re using a top quality theme that is perfectly
secure – by going to the #1 theme marketplace on the web.

Luckily, TemplateMonster offers thousands of top-notch WordPress themes from which to
choose. With many discounts and occasional sales, getting yourself a good quality template
for your next project is not really painful for your budget.

With dozens of topics and niches to choose from, anyone should be able to find something
for themselves.

Watch out for SQL injection

This is a very popular way to get at the core of a website: the database of the whole
project. A SQL query that is built by pasting user input straight into the query text can be
manipulated by an attacker, giving them the ability to read, edit or delete your tables and
data. This is very dangerous, yet the fix is very easy.

You can prevent it by always using parameterized queries; most web languages support them
and they are easy to implement.

Consider this query:

"SELECT * FROM table WHERE column = '" + parameter + "';"

If an attacker changes the URL parameter to pass in ' OR '1'='1, the query ends up looking
like this:

SELECT * FROM table WHERE column = '' OR '1'='1';

Since '1' is always equal to '1', the condition matches every row, and the same trick lets
the attacker append an additional query to the end of the SQL statement, which will also be
executed.

You can fix this query by explicitly parameterizing it. For example, using PDO in PHP, it
becomes:

$stmt = $pdo->prepare('SELECT * FROM table WHERE column = :value');
$stmt->execute(array('value' => $parameter));
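
As an added illustration (not code from the e-book), the following PHP script runs the query above both ways against an in-memory SQLite database so you can see what the injected input does: it matches every row in the concatenated version and no row in the parameterized one. The `users` table, its rows and the two function names are constructed for the demonstration.

```php
<?php
// Added example (not from the e-book): the query from the text executed both ways against
// an in-memory SQLite database. Table name, rows and function names are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'editor')");

// Vulnerable: user input is glued straight into the SQL text, so a quote in the input
// ends the literal and the rest of the input becomes part of the query.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT * FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value is sent separately from the SQL text, so it can only ever be a value.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE username = :value');
    $stmt->execute(['value' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payload = "' OR '1'='1";   // the input discussed in the text

printf("unsafe, normal input:   %d row(s)\n", count(findUserUnsafe($pdo, 'alice')));
printf("unsafe, injected input: %d row(s)\n", count(findUserUnsafe($pdo, $payload)));
printf("safe, injected input:   %d row(s)\n", count(findUserSafe($pdo, $payload)));
```

Inside WordPress the same rule applies to plugin and theme code: build queries with `$wpdb->prepare()` rather than string concatenation.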

Check your passwords

Wait… we understand that this is somewhat obvious advice. We always talk about how
crucial passwords are and how strong they should be, yet according to the latest studies,
people still prefer the names of their pets, their birthdays and ‘123456’ combinations.

Just understand that your password can be the first and the last obstacle a hacker faces.
Wouldn’t it be cool to have a password so strong that a hacker won’t be able to crack it
quickly?

The best way to ensure this is to use a combination of letters, numbers and special
characters. Long passwords are hard to remember, but they are also harder to break.

Passwords should never be stored in plain text: store a one-way hash instead, using an
algorithm such as SHA. That way, when you authenticate users you only ever compare hashes.
For extra website security, salt the passwords, using a new random salt per password.
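
An added example (not from the e-book) of both approaches in PHP: the salted SHA scheme the text describes, implemented with a random per-password salt and a constant-time comparison, next to PHP’s built-in `password_hash()`/`password_verify()`, which use a deliberately slow hash (bcrypt) with an embedded salt and are the better choice for new code. The function names and the sample password are ours.

```php
<?php
// Added example (not from the e-book): per-password salted hashing and verification.
// hashWithSalt/verifyWithSalt implement the text's approach (SHA-256 plus a unique random
// salt); hashBuiltin/verifyBuiltin use PHP's password_hash(), which is the recommended choice.

// Stored format is "salt$hash" so the salt can be recovered at verification time.
function hashWithSalt(string $password): string
{
    $salt = bin2hex(random_bytes(16));          // 128-bit random salt, unique per password
    $hash = hash('sha256', $salt . $password);
    return $salt . '$' . $hash;
}

function verifyWithSalt(string $password, string $stored): bool
{
    list($salt, $hash) = explode('$', $stored, 2);
    // hash_equals() compares in constant time, so timing does not reveal how much matched.
    return hash_equals($hash, hash('sha256', $salt . $password));
}

// Built-in alternative: bcrypt with an embedded random salt and a tunable work factor,
// which makes offline guessing far slower than a single SHA-256 round.
function hashBuiltin(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function verifyBuiltin(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Demonstration with a constructed password.
$stored1 = hashWithSalt('correct horse battery staple');
$stored2 = hashWithSalt('correct horse battery staple');
var_dump($stored1 !== $stored2);                                  // same password, different salts
var_dump(verifyWithSalt('correct horse battery staple', $stored1));
var_dump(verifyWithSalt('wrong password', $stored1));

$stored3 = hashBuiltin('correct horse battery staple');
var_dump(verifyBuiltin('correct horse battery staple', $stored3));
var_dump(verifyBuiltin('wrong password', $stored3));
```

The salt defeats precomputed tables and stops two users with the same password from sharing a hash, but a plain SHA hash is still fast to compute, which is why a slow, cost-tunable function such as bcrypt is preferred for storing passwords.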

Avoid file uploads

Numerous websites allow customers to upload their files to the website. Sometimes it’s
about giving customers an opportunity to upload pictures in the comments sections, some
people even decide to give their readers the ability to publish news and articles on the
front end.

It may sound restrictive, but we strongly recommend limiting upload permissions. Don’t give
your clients any way to upload files to the server, since this is one of the most popular
openings hackers use to plant malicious files: they upload a file through the front end and
then execute it on the server.

If possible, run your database on a separate server from your web server. That way the
database server cannot be reached directly from the outside world; only your web server can
access it, minimizing the risk of your data being exposed.

Beware of error messages

Review all the error messages that you show users on the front end. Sometimes your messages
reveal too much technical information, helping hackers understand what technologies run on
the server, which CMS you use and how best to reach the core of your whole project.

Don’t expose full exception details either, as they make complex attacks like SQL injection
far easier.
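
Here is an added PHP example (not from the e-book) of the pattern: log the full exception on the server under a random reference id, and show the user only a generic message carrying that id so support can still find the details. The failing query and the `handleFailure()` helper are constructed for the demonstration.

```php
<?php
// Added example (not from the e-book): keep exception details in the server log and show
// the visitor a generic message. The failing query and the reference-id scheme are constructed.

function handleFailure(Throwable $e): string
{
    // A short random reference lets staff locate the log line without exposing internals.
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf('[ref %s] %s: %s in %s:%d',
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    return "Something went wrong. Please try again later (reference $ref).";
}

try {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->query('SELECT * FROM no_such_table');   // constructed failure
} catch (PDOException $e) {
    // Never echo $e->getMessage() to the visitor: it names tables and the database engine.
    echo handleFailure($e), PHP_EOL;
}
```

On a live server also keep `display_errors` off in php.ini so PHP itself never prints stack traces to the page, and in WordPress leave WP_DEBUG disabled in production.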

Get website security tools

There are numerous tools that may help you manage your website’s security.

Some free tools that are worth looking at:

Netsparker (Free community edition and trial version available)

Good for testing SQL injection and XSS.

OpenVAS

Claims to be the most advanced open source security scanner. Good for testing known
vulnerabilities; it currently scans for over 25,000. But it can be difficult to set up and
requires an OpenVAS server to be installed, which only runs on *nix. OpenVAS was forked from
Nessus before Nessus became a closed-source commercial product.

SecurityHeaders.io (free online check)

A tool that quickly reports which security headers (such as CSP and HSTS) are enabled and
correctly configured on a domain.

Xenotix XSS Exploit Framework

A tool from OWASP (Open Web Application Security Project) that includes a huge selection
of XSS attack examples, which you can run quickly to confirm whether your site’s inputs are
vulnerable in Chrome, Firefox and IE.

You can also find lots of free plugins in the WordPress repository. Your best choice is to
target the ones with many reviews and good ratings: it means they are trusted by thousands
of website owners.

Use email as login

You don’t have to come up with some cool nickname for your admin panel; you can just use
your email instead. Set up some random username and forget about it: with the WP Email
Login plugin you can sign in to your WordPress dashboard with your email address.

Additionally, since people regularly use their nicknames to log in, a potential hacker may
waste time trying to guess the required nickname. Their work will be simply useless.

Rename your login URL

One of the things that helps a hacker figure out which CMS you use is the link to the
dashboard. As long as you use the default ‘/wp-admin’ address, you are at greater risk.

There are lots of useful plugins that let you set a custom WordPress dashboard link.

When hackers know the direct URL of your login page, they can try to brute-force their way
in, logging in with their GWDb (Guess Work Database, i.e. a database of guessed usernames
and passwords, e.g. username: admin and password: p@ssword … with millions of such
combinations).

Change the admin username

Some of you may still be using the default ‘admin’ username. If so, please go to your
dashboard immediately and change it to something more secure. The fact is that ‘admin’
is the default name and number one on the list of nicknames a hacker will try.

Using a predictable or simply default nickname is a serious weakness in your website’s
security. This is a simple step, yet if you take a few of these simple steps, you’ll make
your website much safer. Then you’ll be able to try out more complex security measures.

Change the WordPress database table prefix

If you have ever installed WordPress, you are familiar with the wp_ table prefix used by
the WordPress database. I recommend you change it to something unique.

Using the default prefix makes your table names predictable, which makes your site database
an easier target for SQL injection attacks. You can make such an attack harder by changing
wp_ to some other term, e.g. mywp_, wpnew_, etc.

If you have already installed your WordPress website with the default prefix, you can use
a plugin to change it. Plugins like WP-DBManager or iThemes Security can do the job with a
click of a button.

Backup your site regularly

This is an obvious no-brainer. You cannot run a big project without regular backups saved
safely. Let your WordPress CMS make backups and store them securely. Backups are not only
the way to restore your website after it gets hacked but also the way to recover from a
malicious plugin or any other issue.

P.S. We all know that, unfortunately, some WordPress plugins may crash your dashboard and
give you the white screen of death. There are plenty of reasons for that: some say version
conflicts, some say the plugins themselves are badly coded, but the fact is it can happen at
any time. So having a backup is a priority at all times.

Protect the wp-config.php file

This is the file that holds all the crucial information about your website. This is where
you set everything up and put in the most sensitive data. Basically, getting access to the
wp-config file is the key to getting complete access to your website.

Luckily, there is something you can do without performing any complex tasks. WordPress can
locate the wp-config file even if it is not in the default folder (in practice, it looks one
directory above its own root), so you can store it outside the web-accessible folder on the
same server. WordPress will still find its core configuration file and read all the data it
needs to keep your website running.

Disallow file editing

Once a user gets full admin access to your dashboard, they get the right to edit the files
that make up your WordPress website. To ensure that no one ever uses this to execute
malicious scripts, you should disable file editing on your server.

Add the following to the wp-config.php file (at the very end):

define('DISALLOW_FILE_EDIT', true);

Remove your WordPress version number

Anyone can view the source code of your main page in any modern browser. While that doesn’t
in itself give anyone a way to hack your website, it may give away sensitive data. For
example, WordPress prints the current version of the CMS used on the website right there in
the source code of the home page.

Knowing your WordPress version, a potential hacker can work out which weaknesses your
website has and which bugs still lack fixes from the developers.

The version number can be hidden by any of the security plugins mentioned above.

Limit Login Attempts

One of the most popular ways to get into your admin panel is the brute-force attack: hackers
run a program that tries thousands of password combinations until it finds the correct one.
To deny them any chance of success, you can simply limit the number of login attempts.

Just like with your SIM card, set it to a few attempts and you’re safe. There is little
chance you will forget your admin password and enter the wrong one more than 10 times.
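
An added example (not from the e-book or any of the plugins it mentions) of the logic such a plugin implements: count failed attempts per account and source address inside a sliding window, and lock that pair out once the limit is reached. The `LoginLimiter` class, its thresholds and the constructed attempts are ours; it keeps state in memory so it runs on its own, whereas a WordPress plugin would persist the counters (for example in a transient) and attach to the `wp_login_failed` action and the `authenticate` filter.

```php
<?php
// Added example (not from the e-book or any plugin): a failed-login limiter with no
// WordPress dependency. State lives in an in-memory array standing in for a database
// or transient; thresholds and the sample attempts below are constructed.

final class LoginLimiter
{
    /** @var array<string, int[]> failure timestamps per key */
    private $failures = [];
    /** @var array<string, int> lockout expiry (unix time) per key */
    private $lockedUntil = [];
    private $maxAttempts;
    private $windowSeconds;
    private $lockoutSeconds;

    public function __construct(int $maxAttempts = 5, int $windowSeconds = 900, int $lockoutSeconds = 1800)
    {
        $this->maxAttempts    = $maxAttempts;
        $this->windowSeconds  = $windowSeconds;
        $this->lockoutSeconds = $lockoutSeconds;
    }

    // Keying on account plus source address stops someone elsewhere from locking out the
    // real user; a separate per-address counter would additionally catch one address
    // trying many different usernames.
    public static function key(string $username, string $ip): string
    {
        return strtolower($username) . '|' . $ip;
    }

    // Check before verifying the password at all, so a locked pair costs nothing.
    public function isLocked(string $key, int $now): bool
    {
        if (isset($this->lockedUntil[$key]) && $this->lockedUntil[$key] > $now) {
            return true;
        }
        unset($this->lockedUntil[$key]);
        return false;
    }

    // Call when a password check fails. Returns true if this failure triggered a lockout.
    public function recordFailure(string $key, int $now): bool
    {
        $recent = array_filter(
            $this->failures[$key] ?? [],
            function (int $t) use ($now) { return $t > $now - $this->windowSeconds; }
        );
        $recent[] = $now;
        $this->failures[$key] = array_values($recent);
        if (count($recent) >= $this->maxAttempts) {
            $this->lockedUntil[$key] = $now + $this->lockoutSeconds;
            $this->failures[$key] = [];
            return true;
        }
        return false;
    }

    // Call on a successful login so a legitimate user's occasional typos do not accumulate.
    public function reset(string $key): void
    {
        unset($this->failures[$key], $this->lockedUntil[$key]);
    }
}

// Demonstration: six wrong passwords for 'admin' from one (documentation-range) address.
$limiter = new LoginLimiter(5, 900, 1800);
$key = LoginLimiter::key('admin', '203.0.113.7');
$t = 1700000000;
for ($attempt = 1; $attempt <= 6; $attempt++) {
    if ($limiter->isLocked($key, $t)) {
        echo "attempt $attempt: refused, account locked\n";
    } else {
        $locked = $limiter->recordFailure($key, $t);
        echo "attempt $attempt: wrong password" . ($locked ? ", lockout triggered\n" : "\n");
    }
    $t += 10;
}
```

When wiring this into a site, take the source address from the connection (or from a proxy header only if your reverse proxy is trusted to set it), and log lockouts so repeated brute-force activity is visible to whoever monitors the server.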

Disable Directory Indexing and Browsing

Directory browsing can be used by hackers to find out if you have any files with known
vulnerabilities, so they can take advantage of these files to gain access.

Directory browsing can also be used by other people to look into your files, copy images, find
out your directory structure, and other information. This is why it is highly recommended
that you turn off directory indexing and browsing.

You need to connect to your website using FTP or cPanel’s file manager. Next, locate the
.htaccess file in your website’s root directory. Then add the following line at the end of
the .htaccess file:

Options -Indexes

Don’t forget to save and upload the .htaccess file back to your site.

Remember: always be careful, as a mistake in the .htaccess file can take your whole site
down, so this operation requires your full attention.

Automatically log out Idle Users in WordPress

Have you ever used banking applications and websites? They have this useful feature where,
if you don’t perform any action for a few minutes, they log you out. This is a way to
ensure that your session cannot be taken over by someone else.

You can do the same on your WordPress website by simply installing a plugin from the
WordPress repository. You can set your own rules on when you want your users to be
logged out automatically.

Add Security Questions to WordPress Login Screen

Some of you may ask: what if I don’t want to bother with 2-step authentication? There is
another way. You can install a plugin that requires the answer to a security question as
an additional check at login.

Usually, people set something like ‘What’s your mother’s last name?’ or ‘What’s your
favorite color?’, but you can also make up something harder to guess to confuse a potential
hacker or fraudster. Treat this as a supplement rather than a replacement for 2-factor
authentication, since answers to common questions are often easy to research.

Summing things up

There are lots of security breaches that your website may have if you don’t really take some
action to make your website a fortress.

WordPress offers a huge repository of plugins for developers to deliver some additional
security measures and make our life much easier. The main point in making your website
completely secure is in using a top-quality product, using strong passwords and the best
security plugins on the market.

So in this e-book, we have offered around 23 ways to ratchet up your security game and
make your website strong and secure. How many of these methods have you already used?

Statistics show that website owners sometimes don’t take the responsibility of keeping data
secure seriously. Unfortunately, that may end badly not only for the whole project but also
for the users who share their sensitive data on your website.

It means that the security of your website should be your #1 concern, you’re responsible
for keeping the data of your users safe, so you have to take the whole issue seriously.

Thanks for Reading!

If you’ve found this guide useful, chances are you’ll like the other guides and e-books that
we have to offer. While working on these e-books, our authors focus on the topics that help
novice site owners build their online businesses and make their websites profitable:

See other e-books

P.S. Well-written content is crucial for your website, but there is a ton of other factors that
influence its success. Namely, impeccable design and robust architecture are the two cornerstones
of any online resource.

In case you’re just about to launch a new website, or want to redesign your current one, have
a look at the ready-made solutions available from TemplateMonster. We’ve got more than
26,000 website themes to choose from, and our products have been crafted by professionals.

See our website themes
