Basics to Fix WordPress Security Loopholes

5 minutes read

Wordpress Securitytips

WordPress is currently most popular content management system that powers a whopping 75 million websites. This means every 1 in 5 website is based on WordPress. Statistics by recent survey
revealed that as much as 73% of these websites are vulnerable to attack. If you aren’t running the updated WordPress Version that you are inviting multiple bugs that will be used by hackers as a platform to compromise your website security.


As a matter of fact, majority of website owners are entirely focused with content and design of the during website development thereby, the security is often ignored. almost more than half of the WordPress vulnerabilities are at user’s end. It will require the best practices to beef up website security. Following basics need to be considered for strong security set up.


1. Choose the Right Web Hosting
A reliable and quality hosting solution ensures not only protects user domain but safeguard user in case if user domain gets crashed by providing a solid strategy for disaster recovery .


2. Strong Password
This is important step to consider to ensure high level security to Website users. Hard guessing passwords that includes a combo of numbers, punctuation and case sensitive alphabets are always a security friendly approach. Also, users are recommended to use different password for different websites and email accounts.


3. Login Attempt Limitation
The add-on limit login attempts(link) provide that extra level of security to website that prevents hackers from guessing the the password. It will also save the user from brute force logon attempts by blocking the IP of hackers who tries to get into admin panel of WordPress.


4. Deletion of Unused Plugins and Themes
A potential threat is always possessed by keeping unused or inactive themes or plugins therefore, it is very important to ensure no such outdated extension exists in your WordPress database. This will safeguard users from any additional updates required for them.

5. Scheduled Backups
It is very crucial from security point of view to effectively manage the crisis. When everything is fine user can have an on-premise backup solution to enable user to get online quickly


6. Keeping WordPress User Updated
When users prefer a reliable Web Hosting solution it will apply regular patches for maintenance of user platform. Although, in case of a self-hosted WordPress website it is a critical security tip to ensure full safety for WordPress site. Users are recommended to keep their WordPress Plugins and Themes updated to ensure WordPress website stability in the future.


Now, we will explore options to deal some serious security threats


7. SQL Injection and URL Hacking Prevention
Since SQL is a command language used for MySQL database so hackers usually embed commands either in user URL or inside User Comment Box to trigger a suspicious behavior from user database. This will reveal various sensitive information about the specific user database. As most of the WordPress installations are hosted on Apache web server where a .htaccess name file is used to define access rules so we need to insert the following code into website .htaccess file to ensure that user is do not face any serious SQL injection attack.


<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^(.*)$ — [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|”|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*WordPress_logged_in_.*$
RewriteRule ^(.*)$ — [F,L]

8. WordPress Sensitive Files Access Deny
Sensitive files like wp-config.php, install.php and the readme.html files which are supposed to be hidden from outside access. To do this a user will require to add following code for properly hiding the sensitive Web Server and WordPress files.


Options All -Indexes
<files .htaccess>
Order allow,deny
Deny from all
<files readme.html>
Order allow,deny
Deny from all
<files license.txt>
Order allow,deny
Deny from all
<files install.php>
Order allow,deny
Deny from all
<files wp-config.php>
Order allow,deny
Deny from all
<files error_log>
Order allow,deny
Deny from all
<files fantastico_fileslist.txt>
Order allow,deny
Deny from all
<files fantversion.php>
Order allow,deny
Deny from all

Looking forward to respond to your queries and comments regarding approach to fix WordPress security issues. In the meanwhile you can opt this “All In One WP Security & Firewall” extension to scan website and get aware about upcoming threats and some other specific security details of the WordPress environment.


About Singsys Pte. Ltd. Singsys is a solution provider that offer user friendly solution on cutting edge technologies to engage customers and boost your brand online results from a set of certified developers, designers who prefer optimized utilization of the available resources to align client’s idea with their skillset to reflect it into a Mobile applicationWeb application or an E-commerce solution

You may be interested in following:


  1. WordPress Plugins Recommended for Social Media Sharing
  2. WPdocker can launch WordPress as a Service Business
  3. WordPress Plugins for Trending Website

Related Posts...