Aashish Sharma


6 Security Tips To Protect Your Wordpress Website From Hackers

Web Security Tips

It might not seem like your site has anything to be hacked for, but websites are compromised quite often. Most of the website security breaches are usually not meant to mess with your website layout or steal your data but are instead attempts to use your server as an email relay for spam or to create a temporary web server to serve files, usually of an illegal nature. Compromised websites can also be abused in other ways such as using your servers to mine cryptocurrency, or as a part of a botnet. You can also be hit by ransomware.

Hacking is often performed by automated scripts that are written to scour the internet and try to exploit the known security issues in websites and software. Below is a rundown of the top nine tips to help you and your site stay safe online:

1. Always Ensure your Software is Up to Date

It might seem a bit obvious, but keeping all of your software up to date is crucial in keeping your website secure. This applies to not only any software that you might be running on your sites such as a forum or CMS but also the server operating system. If website security holes are found in software, hackers are often quick to try and exploit them.

If you’re using a managed hosting solution, you don’t have to worry much about applying regular security updates for the server operating system. This is because the hosting company will take care of this for you.

Nonetheless, if you’re running a third-party software on your sites such as a forum or CMS, you should make sure that you install any new security patches timely. Most of the vendors usually have an RSS feed or a mailing list where they detail any website security issues. CMSs such as WordPress and Umbraco will notify you in case there are any available system updates as soon as you log in.

Many developers use tools such as NPM, Composer, or Ruby Gems to manage their security vulnerabilities and software dependencies in a package that they can rely on upon without having to pay any attention to the updates since it’s an easy way to get caught out. However, it’s important to ensure that all of your dependencies are up to date, and have tools such as Gemnasium to send you automatic notifications whenever a vulnerability is announced in one of your components.

2. Keep a Close Eye on SQL Injection

SQL injection attacks occur when the attacker uses a URL parameter or web form field to gain access to or to manipulate your database. If you’re using the standard Transact SQL, it’s easy to insert rogue code into your query unknowingly, which could be used by attackers to get information, change tables, and delete data. You can prevent this rather easily by using the parameterized queries. Fortunately, most web languages have this feature and it’s quite straightforward to implement.

There are also cross-site scripting (XSS) attacks which inject malicious JavaScript code in your web pages and then runs in the browsers of your users. These can change the page content, or even steal information and send it back to the attacker.

For instance, if your site shows comments on a page without verification, an attacker could submit comments that contain JavaScript and script tags, which would then run in the browser of every user and steal their login cookie. In turn, this would allow the attacker to take control of every account that viewed the comment. You have to make sure that your users cannot inject an active JavaScript code or content in any of your pages.

In modern web applications, this is a key concern, since pages are now built primarily from user content, and in many cases, they generate HTML that is then interpreted by front-end frameworks like Ember and Angular. These frameworks ideally provide XSS protections, but mixing client and server rendering creates new and more complex attack avenues too. Injecting JavaScript into the HTML is not only effective, but you can also inject content that will run code by using Ember helpers or inserting Angular directives.

The key is focusing on how the user-generated content on your site could escape the bounds you expect and be interpreted by the browser as something different from what you intended. It’s actually comparable to protecting against SQL injection. If the HTML is being generated dynamically, go for function that overtly perform the changes that you’re looking for (such as element.textContent and element.setAttribute that will be automatically escaped by the browser, instead of using element.innerHTML by hand) or use functions in your templating tools that can appropriate escaping automatically instead of setting raw HTML content or concatenating strings.

Source: Wikipedia

Content Security Policy (CSP) is another powerful tool in the XSS defender toolbox. It’s a header in the server that tells the browser to limit what and how JavaScript is executed in a page, such as disallowing the browser to run any scripts that are not hosted in your domain, disabling eval (), or disallowing inline JavaScript. Mozilla offers an excellent guide with detailed example configurations. All this helps to make it harder for scripts from an attacker to work, even if they succeed in getting them to your page.

3. Handle Error Messages with Care

Take great care with how much information you give away in your error messages. It’s best to have minimal errors on your site so that you avoid leaking secrets present on your servers, such as database passwords or API keys. Don’t give full exception details either, since they can make SQL injection and other complex attacks far easier. Show your users only the information they need, and keep detailed errors in your server logs.

4. Validate on both ends

You should always perform validation on both the server side and browser side. The browser might be able to catch some simple failures such as the mandatory fields that are empty or when the user enters text in a ‘numbers only’ field. However, these can be bypassed, and you should put measures in place to ensure that these are verified and also validated on the server side. Failing to do so could make it easy for scripting code or malicious code to be inserted into the database, or lead to other undesirable results on your site.

5. Check your Passwords

Of course, you should be using complex passwords, but not everybody does. It’s vital to use strong passwords for your server and website admin dashboard. It’s equally important to insist on good password practices for your users in order to protect the security of their accounts. Although many users don’t like it, enforcing strong password requirements such as having a minimum of 8 characters, including a number and uppercase letter helps to protect their data in the long run.

When it comes to storing passwords, it should only be as encrypted values, ideally via a hashing (one-way) algorithm like SHA. With this method, it means that when authenticating users, only encrypted values are compared. But for extra security, it’s a good idea to salt the passwords with a new salt per password.

In the event that someone hacked in and stole your passwords, using hashed passwords might be helpful in damaging the limitation, since decrypting them is not possible. The best thing an attacker can do is a brute force attack or a dictionary attack, ideally guessing every combination until they find a match. With salted passwords, the process of cracking a huge number of passwords is even slower, since each of the guesses will be hashed separately for each salt + password, which in computational terms is very expensive.

Fortunately, many CMSs offer user management out of the box with such inbuilt security features, though some extra modules or configurations might be needed to use salted passcodes (pre Drupal 7) or set the minimum strength of passwords. For those using .NET, it’s worth using the membership providers because they are largely configurable, and offer inbuilt website security, and come with convenient controls for a password reset and log in.

6. Avoid File Uploads

Allowing your users to upload files to your site can open up a huge security risk for your site, even if it’s simply changing their avatar. The risk is mainly due to the fact that any file uploaded, however innocent it looks, might contain a script that can completely open up your site when executed on your server.

If there’s any form of file upload allowed on your site, you should treat all uploads with great suspicion. If your users are allowed to upload images, you can’t just rely on miming the type or use the file extension to verify if the file is an image because they can easily be faked. Using functions that check the image size or opening the file and reading the header is not foolproof. Most of the image formats allow the storage of a comment section that could contain PHP code that can be executed by your server.

But what can you do to prevent this?

Well, ultimately, you’ll want to limit users from being able to execute any of the files they upload. By default, web servers don’t attempt to execute files that contain image extensions. However, don’t rely solely on checking the file extension because files with the name image.jpeg.php have been known to go through.

Some options are renaming the files on upload to make sure that it has the correct file extension, or changing the file permissions so that a malicious file can’t be executed. If you’re using *nix, you could opt to create a .htaccess file that only allows access to certain files, ideally preventing the double extension attack.

Ultimately, the ideal solution is preventing direct access to the uploaded files. This ensures that the user uploaded files on your site are stored in a folder outside of your webroot or in a database as a blob. If your files aren’t accessible directly, you have to create a script that fetches the files from a private folder or an HTTP handler in .NET and have them delivered to the browser.

Most hosting providers will deal with the server configurations on your behalf, but if you’re hosting your side on a personal server, there’s a number of things you need to check:

Ensure you set up a firewall, and that all the non-essential ports are blocked. When possible, create a demilitarized zone (DMZ) that only allows access to port 443 and 80 from the outside world. However, this might not be possible without the access to your server from your internal network, since you’d have to open ports to enable the uploading of files and to log in remotely to your server over RDP or SSH.

If possible, let your database run on a different server from that of your web server. This means that the database can only be accessed directly from your web server and that it’s hidden from the outside world, thereby minimizing the risk of your data being exposed.

And don’t forget about putting physical restrictions for accessing your server.

Secure your blog with strong passwords and usernames

It gets harder for a hacker to breach the security nets if you are locking it with secure passwords. Use of alphanumeric keywords along with some special characters is quite enough to create a strong password. Don’t use some simple passwords or names or dates of your loved ones as your passwords as these are the things with which hackers are commonly familiar with. Create one quite innovative and unique that no one can break it. If you would want to save a blog or website and are not up/well versed with technical terms than contact a security company like Rootgatehacks, Quickheal, Kaspersky, and many others to get it fixed.

Make use of security software

You need to know that your blog is directly related to your computer system. So it gets quite essential to secure your computer system with perfect security software so that no one could reach or access it at any cost rather than you. Moreover, keep your security software updated regularly so that to keep all of your general and premium programs safe.

Create perfect backup

Hacking sometimes may also cause some serious harm to the data stored in your computer system as well. So it is quite beneficial to create a perfect backup for the same as well. Blogging usually comes up with different free and premium plug-in options that surely doesn’t provide backup to all of your data. So having a one with the proper setup for backup can save you from harsh conditions.

Make use of VPN

VPN (Virtual Private Network) is a blessing to all of the internet users to save the data of your device through an encrypted connection. This VPN connection usually serves as a tunnel that further creates a mask on your IP address and hence offers you an improved level of security and privacy.

Update WordPress Version

To move a step ahead in the world of blogging, one needs to update the WordPress Version continuously. Consistent upgrading helps users in filling up and fixing the security holes present in your blog through different patches.


The thing one should keep it in mind is saving your blog from getting hacked is very much essential to keep its authenticity, reputation, and performance in hand. You need to work on the activeness and defense of your website or blog to save it from people who are hacking in the world of internet. Just keep updated with your blog and keep an eye on it as well so that to check if it is working correctly or not. In case if you find some inconsistencies, the above-provided ideas can help you a lot in saving your blog from being getting hacked.

More by Aashish Sharma

Topics of interest

More Related Stories