10 Ways To Protect Your WordPress Intranet From Hackers

  1. Avoid using shared hosting where possible. If any single site on a shared server gets hacked, the compromise can spread to your site as well. Most hosts, such as Dreamhost, offer dedicated or VPS (Virtual Private Server) hosting for only slightly more than shared hosting, and trust me, it’s worth it! In my experience running numerous sites on shared servers over 10 years, a WordPress site on a shared server gets hacked about once a year!
  2. Serve your site over HTTPS rather than plain HTTP by installing an SSL/TLS certificate (ask your web host). This is becoming the minimum requirement for web hosting, and if you are still on plain http:, you are pushing your luck.
  3. Ensure all users only use strong passwords (long passwords mixing upper/lower case, punctuation, numbers, etc.) and change them as often as possible. This is key, and easy to do, so communicate it to your users. It is also highly recommended that you change your FTP and MySQL database passwords. This should be done right after cleaning up a hacked site and at least every 6 months (remember to update the database password in your wp-config.php file too).
  4. Never use “admin” as a username; be sure to change it. Many hackers use software that starts by trying this generic “admin” username, or that looks for the user with an ID of “1” in the MySQL users table. You can drastically reduce your odds of being hacked by switching this.
  5. Update your WordPress install to the latest version. WordPress adds security improvements in almost every release, so this is very important to keep on top of. We recommend that you also configure automatic background updates in WordPress. To do this, open your wp-config.php file and add define( 'WP_AUTO_UPDATE_CORE', true ); at the bottom, which auto-updates WordPress core to the latest version. You can also replace true with 'minor' to install only minor (security and maintenance) releases rather than major releases, which can sometimes throw off themes or plugins.
  6. Deactivate and delete any unused plugins and themes. Every extra piece of code on your server that isn’t kept updated adds to the risk of your site being hacked.
  7. Install a site scanning plugin such as WordFence. This is a free plugin, widely used by literally tens of millions of sites already. They are the gold standard currently. I used it recently on a non-profit website I run, and it identified a URL injection attack on an outdated version of WordPress. WordFence showed the specific files which were the issue (wp-config.php was modified and wp-includes/init.php was added) by identifying code found in similar recent attacks. Another scan from a malware detection service missed this same issue.
  8. Install a site backup plugin such as UpdraftPlus. This is also critical. UpdraftPlus is a really good plugin with currently over 6 million downloads, a 4.9 star rating on WordPress.org, and a place among the top 25 most downloaded plugins. We like this one also because it will prompt you to back up your site prior to updating any plugin or theme.
  9. Add an index.php or .htaccess file to any directory with data you want to protect, so that its contents can’t simply be listed in a browser. .htaccess files are also a great way to block problem countries or IP addresses from accessing your WordPress site.
  10. Have you updated all of your plugins, themes and WordPress core? You should, to stay safe.
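As an added example for item 9 (this is not from the original post), here is a starting .htaccess for the WordPress document root that turns off directory listings, denies web access to wp-config.php, and blocks one address range. It assumes Apache 2.4 syntax; 203.0.113.0/24 is a placeholder documentation range standing in for whatever address you decide to block, and country blocking is left out because it needs a GeoIP module on the server.

```apache
# Added example .htaccess for the WordPress root (Apache 2.4 syntax).
# Not from the original post; adjust the placeholder values to your site.

# Turn off directory listings, so a folder without an index.php shows
# nothing instead of a file list.
Options -Indexes

# wp-config.php holds the database password and must never be served
# over the web, even if a misconfiguration stops PHP from running.
<Files "wp-config.php">
    Require all denied
</Files>

# Keep .htaccess itself from being downloaded.
<Files ".htaccess">
    Require all denied
</Files>

# Allow everyone except the listed range. 203.0.113.0/24 is a
# placeholder (RFC 5737 documentation range); replace it with the
# address or range you actually want to block. Add one
# "Require not ip" line per address or range.
<RequireAll>
    Require all granted
    Require not ip 203.0.113.0/24
</RequireAll>
```

Because .htaccess rules apply to the directory they sit in and everything below it, placing this file in the site root covers wp-admin, wp-content and wp-includes as well.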