How to Secure WordPress Theme and Plugin Code
If you are new to blogging and recently set up your WordPress website, everything may seem to be up and running, but you can never tell what’s happening in the background. With hackers continuously on the lookout for ways to gain access to any site they can get their hands on, it’s important to ensure your themes and plugins cannot be exploited by them. While there are multiple security measures built into WordPress, it is essential to take matters into your own hands and ramp up the security of your website to keep yourself safe from any phishing, malware or brute force attacks that can exploit your themes or plugins.
Improving Your Website Security in 4 Simple Steps
- Data Validation
- Disable the theme and plugin editor
- Restrict access to the plugins directory
- Website logging
1. Data Validation
Data Validation is one of the key measures to protect your themes and plugins from being injected with any malicious code. With proper validation, any form in your website will not accept invalid entries. Even though this feature is available in WordPress natively, every user needs to build custom code by creating custom input boxes for any forms.
For example: If your readers are requested to drop in their email addresses on your testimonial page to subscribe to updates from your website, and someone puts in an invalid entry, it will show a message that denotes one or more fields in the form have an error, and they need to re-enter correct data. This helps to prevent malicious code from being injected to hack your website.
2. Disable the theme and plugin editor
While setting up themes and plugins is extremely convenient, it also leads to more risks. The inbuilt theme editor in a WordPress website dashboard is quite risky as it can be accessed through malicious code without even requiring access to your cPanel. All you need to do is head to your wp-config.php file, which is located in the root folder of your WordPress install, and input the following two lines of code:
// Disallow file edit define( 'DISALLOW_FILE_EDIT', true );
3. Restrict access to the plugins directory
In order for a hacker to look for any vulnerability in your plugins, he needs access to your plugins. If you restrict access to the plugins directory, it can prove to be very difficult for hackers to find other means of getting into your website. You need to upload a blank index.html file in your root WordPress directory or simply open your .htaccess file in your root folder and add Options -Indexes at the start of the file.
4. Website logging
The more people working on your WordPress site, the higher the chances are of your website being hacked. Even a small mistake, whether intentional or otherwise, can completely wreak havoc on your website. Employing a website logging plugin can help you record everything that happens. Some of the plugins to choose from include WP Security Audit Log, Simple History and Activity Log for monitoring everything and keeping your website safe from hacking, phishing or brute force attacks.
Four Steps to up Your Website Performance, While Enhancing Security:
- Uninstall themes and plugins no longer in use
- Use actively updated themes
- Update themes and plugins
- Disable PHP Error Reporting
1. Uninstall themes and plugins no longer in use
Keeping themes and plugins you no longer need, not only increases risks to your website, but it also opens doors for any hacker that is trying to gain control of your WordPress site. Website speed is very important, as the average human attention span is constantly dropping, and you do not want to have a slow website if you want to engage your readers. According to studies, 47% consumers expect websites to load in 2 seconds or less and keeping your website performance and security on par with your consumers’ expectations is important.
2. Use actively updated themes and plugins
Even with the best web hosting services that offer maximum security, simple things such as using an outdated theme can completely ruin the security of your website. Always choose from WordPress themes and plugins that are actively updated, as the creators are more likely to have patched their themes and plugins from the latest-known exploits and currently-known security risks. Themes and plugins that are not updated very frequently often run the risk of being exploited and you should avoid them. Make sure you review website builders who set up your WordPress and notify them to use only the most actively supported themes and plugins built by their respective developers.
3. Update themes and plugins
While this may sound obvious, most users do not update their WordPress blogs. It is estimated that around 83% of people using WordPress do not update. Updating your themes and plugins not only boosts your security, but may also increase the performance of your website. Updates often carry new features and performance enhancements, as well — not just security updates. You can go over patch notes for your themes and plugins to know what each update brings to the table and fine tune your settings for best performance.
4. Disable PHP Error Reporting
While this may seem counter-intuitive at first glance, PHP error reporting contains a ton of security risks that might allow hackers to exploit your website. The PHP error reporting system is a measure that lets you know whenever any of your plugins of themes malfunction and sends you error messages. Any error message landing in the wrong hands can get your website hacked as it can be used as exploits. Leaving this option disabled ensures that hackers do not get their hands on your error logs and take advantage of them. Simply adding this to your wp-config file, located in the root directory of your WordPress install, will disable the option:
error_reporting(0); @ini_set(‘display_errors’, 0);
These steps will help you effectively beef up the security levels of your WordPress website. Alongside the above-mentioned steps, you should regularly scan your website for vulnerabilities, such as malware, and never install any WordPress themes or plugins that are from unauthorized sources.
About the Author
Catherrine Garcia is an experienced Web Developer at WPCodingDev and a passionate blogger. She loves to share her knowledge through her articles on web development and WordPress.