When it comes to websites, most of us like to think that our website is not worthy enough to be hacked. However, this couldn’t be further from the truth, as most websites are hacked with the intention of using your web hosting server to send spam or phishing emails or to serve illegal files that often contain malware.
Hacking attempts are usually performed by automated scripts whose main task is to scour the internet, look for, and exploit vulnerabilities in various website software.
In this post, we’ve rounded up the best tips for protecting your site from hackers so you can rest easy at night.
Eight Ways to Protect Your Site From Hackers
Take a look at the tips below and implement them so you can ensure your site stays safe.
1. Use Strong Passwords
The first tip is to use strong passwords not only for your WordPress dashboard area but for your hosting account and control panel. Here are a few tips on strong passwords:
- Using a combination of uppercase and lowercase letters, numbers, and symbols
- Coming up with a sentence or phrase and using the first letter of each word to form a password
- Using a password generator and a password manager to create unique passwords for each website
2. Prevent SQL Injection
An SQL injection attack happens when a hacker uses a URL parameter so they can manipulate the database associated with your website in order to get access to your site.
To prevent this from happening, you need to use a parameterized query which is not hard to implement as most programming languages have it.
An example of a parameterized query in PHP would be as follows:
$stmt = $pdo->prepare(‘SELECT * FROM table WHERE column = :value’); $stmt->execute(array(‘value’ => $parameter));
3. Watch Out for XSS Attacks
The best way to protect your site from XSS attacks is to enforce password re-entry on sensitive pages (for example when your users access their account information) and to add a Content Security Policy header (CSP).
A CSP will help mitigate XSS attacks by whitelisting the allowed sources of content such as scripts, styles, and images. You can add it to your functions.php file like this:
header('Content-Security-Policy: default-src https:');
4. Keep WordPress Up to Date
According to statistics, most compromised websites are hacked due to outdated plugins or WordPress core. It’s important to keep WordPress up to date and apply updates as they are released. The same goes for your theme and all the plugins you’re using on your site.
You can use Safe Updates within your ManageWP dashboard to update all your sites as well as your client sites with a click of a button. Safe Updates which are available as a free upgrade for anyone with a premium Backup plan will allow you to create a restore point for all the websites so you can easily revert back to the previous version in case something goes wrong.
5. Implement Server and Browser Validation
When it comes to forms on your website, the best practice is to validate the form on both the browser side and the server side. The browser side will catch errors such as leaving a mandatory field empty or entering your email into a name field.
But, these simple checks can be bypassed which is why a server validation is necessary. Without the server validation, hackers can use forms to inject malicious code into your database which leaves your site vulnerable to further attacks.
6. Use 2-Factor Authentication
Consider using a plugin such as Google Authenticator to set up 2-factor authentication for your WordPress site. This means that on top of entering your username and password you will have to enter additional information such as a 6-digit code to log in to your dashboard.
You can also talk to your hosting provider and ask if they support 2FA so you can set it up for your hosting dashboard or cPanel.
7. Disallow File Uploads
Another way to protect your site from hackers is to disallow file uploads. You can easily do this by adding the following line of code to your .htaccess file:
deny from all
<Files ~ "^\w+\.(gif|jpe?g|png)$">
allow from all
8. Take a Look at Common Error Messages
Lastly, take a look at common error messages that are displayed on your website. This includes error messages when you try to log in and the form spits out the message that your password was incorrect as well as errors that happen because you made a typo in the code.
Messages like these make the hacker’s job much easier so it’s important to prevent them from displaying or keep them generic enough so as to not reveal any compromising information.
Prevent Hackers From Getting Access to Your Site
Hacking attempts are an unfortunate part of our everyday life and even more so if you own several websites. Luckily, there are quite a few ways to prevent hackers from gaining access to your site. Use the tips in this article to secure your site and don’t forget to check out our other tips for protecting your site against malware as well as best practices for maintaining your site.