Malware on WordPress - Adding Security

The onset of modern technology marks a more convenient lifestyle for all – including malicious individuals. In fact, the digital age has amplified their attacks. Ranging from piracy, fraud, identity theft, security breach, hacking, etc., cybercrime seems unstoppable.

As owners of digital assets, there is no doubt that enhancing your online security is a necessity. In this article, various ways to protect your WordPress site are given for your reference. You can choose from free to paid tools or both.

Update WordPress

Developers regularly maintain and update WordPress (plugins, core, themes) to improve security, reliability and features. Generally, minor updates are automatically installed in your site. You only have to manually update for major releases.

While it appears taxing, updating WordPress is imperative for your site’s stability and security. Outdated sites are more susceptible to malware, viruses, worms, etc.

Here are some articles that will help you update WordPress safely:

• How to Update WordPress to the New Version
• How to Update WordPress With FTP
• How to Update Themes in WordPress

Secure Login Credentials

It takes an administration’s username and password to gain full access to your WordPress dashboard. Having said that, it is only crucial that both credentials are given extra measure. The same is true for the other users (editor, author, contributor, subscriber, etc.). Despite their limited access to the dashboard, an extra measure is still necessary. In addition, user permission should be assigned correctly to ensure that every log is authorized.

In order to secure your login credentials, these are the extra measures required from your end:

• Change default admin username
• Use a strong password
• Assign correct user permission

By default, WordPress assigns admin as the administration username. However, a username covers half of your login credentials. Using the default username allows cybercrimes a step towards your dashboard. These days, you can customize username upon installation or you can change the default username from your dashboard.

A password, on the other hand, is your authorization key. If chosen poorly, you are opening doors to malicious individuals. Make sure to use a combination of uppercase and lowercase letters, numbers, and symbols. If your password is not strong enough, please change immediately.

Here are helpful articles to reset your WordPress password successfully:

• How to Reset the WordPress Hosting Password
• How to Reset the WordPress Password

Lastly, WordPress provides a system to manage user roles. If you want, you can create your own user role in addition to or in favor to the five default user roles. Just make sure that you provide the right access to each user. As for the default users, their access are limited to:

Disable File Editors

Two built-in code editors come with the WordPress dashboard. They are specifically designed for your plugin and theme files. Both editors give unrestricted access to the said files. Despite its convenience, it can create havoc to your site once left to wrong or unskillful individuals.

If you want to add security to your site, it is recommended to disable these editors. Here’s a step-by-step guide to disable file editors correctly:

1. Access your File Manager.
2. Scroll to public_html folder and select to open the contents of the folder.
3. Right-click on the wp-config.php file, then select Edit.
4. A code editor will display, just click Edit.
5. Insert following codes at the bottom:

       /** Disable File Editor
       define( ‘DISALLOW_FILE_EDIT’, true );

6. Click Save Changes.

   Important: Moving forward, you can only modify plugin and theme files using an FTP client or from the cPanel.

Disable the Directory Browsing

Directory browsing allows other individuals to examine your files, copy your images, and learn your site’s structure and relevant information. This gives advantage to people who want to access your site. Therefore, it is recommended that you disable your directory browsing.

Here’s a step-by-step guide to turn off directory browsing:

1. Access your File Manager.
2. Scroll and select the public_html folder on the left navigation panel. Right-click on .htaccess file, then select Edit.
3. Right-click on .htaccess file, then select Edit.
4. A code editor will display, just click Edit.
5. Add the following at the end of the file:

       Options –Indexes

6. Click Save Changes.

Back up Website Regularly

Your first defense against malwares is to backup. After all the precautions mentioned above, nothing can guarantee a 100% security. Even high profile websites with world-class security are not exempted from malwares.

When worse comes to worst, backups allow you to restore your site quickly without losing your site to malwares and hackers. It is highly recommended that you back up your website regularly.

At Crazy Domains, you can back up your website for free from the Hosting Manager. A zipped copy of your website will be downloaded to your computer. Moreover, Crazy Domains also offers Site Backup & Cloud Backup. Both tools offer automatic, scheduled and real time backups, one-click restore feature and digital file access.

Install Security Plugins

WordPress can extend its function through plugins. You can easily install and activate plugins from your dashboard to add features to your site – including site security.

There are tons of security plugins available in WordPress. More likely, you will have to pay a small amount for these plugins. In general, you can go for a plugin that does it all – from tracking, monitoring and malware scanning. However, there are also plugins meant for a specific action such as to log out idle user, add security question upon log in, and restrict login attempts. Depending on your needs, you can choose a variety of plugins to amplify your site's security.

For any assistance in adding security to your WordPress site, or if you have any questions, please let us know. We’d love to help!