WordPress security does not stop at the platform itself. Attacks can come from beyond the borders of your site: from the server, the database, certain APIs, a browser, or even your own computer.
1 – Modify the prefix of your WordPress database
By default, the prefix of the tables in the database of a WordPress site is "wp_". If you leave this prefix as is, the table names will be easy for hackers to guess; this is a fairly common WordPress security vulnerability.
If you install WordPress manually, you can easily set your database prefixes, so change that with a custom prefix during the installation process.
On the other hand, if you install WordPress with the “1-click method” proposed by certain hosts, it is possible that you will not have the possibility of choosing these prefixes. As a result, your site’s database may contain the prefix proposed by default (wp_), and you will have to change it later, either manually or using a plugin (Change Table Prefix).
Warning: any modification made to the database can cause bugs and even the loss of all your data (articles, pages, settings, etc.). It is recommended to make a backup of your database before making changes and/or to call on experienced WordPress maintenance professionals.
2 – Disable indexing and browsing in the parent directory
Directory browsing access can be used by hackers to find out if your site contains files with known vulnerabilities, or by others to view your files, copy your images, know your directory structure, and other information. That is why you should disable indexing and browsing the directories of your WordPress site.
Some security plugins allow you to easily deactivate this navigation in the directories, but you can also add this little bit of code in the .htaccess file located at the root of your site:
Options -Indexes
This will prevent the curious from going further in their navigation and will simply return a 403 page: Access to the file requires authorization.
3 – Disable the REST API and XML-RPC in WordPress
In some cases, your site does not need the REST API and the XML-RPC protocol, which are provided and enabled by default in WordPress. These are "bridges" that allow certain mobile applications to connect to your WordPress site and vice versa.
There have already been a few security vulnerabilities that have been discovered and fixed, but we are not immune to new vulnerabilities, which is why we recommend disabling them if you are not using them. There are two ways to do this:
- using a plugin
- via .htaccess
Again, it is advisable not to touch this kind of functionality if you are not a developer.
Be careful: with the next version 5 of WordPress and the integration of Gutenberg, the REST API will be necessary to make your site work.
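An added example (not from the original article or from WordPress itself): a small Python audit that reads the text of a site's wp-config.php and root .htaccess and reports whether the settings from sections 1 to 3 are in place. The sample file contents are constructed, and the `<Files>` rule for xmlrpc.php is an assumed way of blocking it via .htaccess, since the article does not show its rule; the REST API is not checked.

```python
import re

# Constructed sample files (not taken from a real site).
SAMPLE_WP_CONFIG = "<?php\n$table_prefix = 'wp_';\n"
SAMPLE_HTACCESS = """Options -Indexes
<Files "xmlrpc.php">
    Require all denied
</Files>
"""

def table_prefix(wp_config):
    """Return the value assigned to $table_prefix, or None if absent."""
    m = re.search(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""", wp_config, re.M)
    return m.group(1) if m else None

def _directives(htaccess):
    """Non-empty, non-comment .htaccess lines, stripped of whitespace."""
    lines = (l.strip() for l in htaccess.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def indexes_disabled(htaccess):
    """True if an Options line carries the exact token -Indexes.
    A space between '-' and 'Indexes' does not count."""
    return any(d.split()[0].lower() == "options" and
               "-indexes" in (t.lower() for t in d.split()[1:])
               for d in _directives(htaccess))

def xmlrpc_denied(htaccess):
    """True if a <Files xmlrpc.php> block holds a deny rule (assumed layout)."""
    inside = False
    for d in _directives(htaccess):
        low = re.sub(r"\s+", " ", d.lower())
        if re.match(r'<files "?xmlrpc\.php"? ?>', low):
            inside = True
        elif low.startswith("</files"):
            inside = False
        elif inside and low in ("require all denied", "deny from all"):
            return True
    return False

def audit(wp_config, htaccess):
    """Map each hardening check to True (in place) or False (missing)."""
    return {
        "custom_table_prefix": table_prefix(wp_config) not in (None, "wp_"),
        "directory_indexes_disabled": indexes_disabled(htaccess),
        "xmlrpc_denied": xmlrpc_denied(htaccess),
    }

if __name__ == "__main__":
    for check, ok in audit(SAMPLE_WP_CONFIG, SAMPLE_HTACCESS).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

To audit a real installation, pass the contents of its own wp-config.php and .htaccess to `audit()` in place of the sample strings.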
4 – Use a healthy environment
Security also matters at the office, at home or on the move. We talk about vulnerabilities on the web and on the server side, but have you considered that a healthy environment is also an effective way to protect yourself against hacks?
When you log into the administration of your site, be sure to:
- Use a recent and updated computer: it is not only your site that must be updated, your computer and your applications must be too.
- Use a powerful antivirus or WordPress firewall.
- Log in from a quality browser that is also updated to its latest version: it is recommended to use browsers like Chrome or Firefox, for example.
- Be careful when you connect from a public place or an insecure connection.
- Never trust questionable emails or files/applications that you download illegally and that contain certain viruses.