30 Handy Tricks to Secure your WordPress Website
WordPress is the most popular and most widely used content management system in the world. A vast number of websites have been built on it, and the number of WordPress sites is projected to keep growing rapidly for years to come.
Because of this popularity, security is a major concern: the platform's flexibility and easily modified code make it an attractive target for attackers looking for weaknesses to exploit.
A hacked site is a serious problem, so maintaining security is of the utmost importance for every site we develop. To secure a WordPress site, you need to be aware of a few basics that will protect it from the day it launches.
Here are some handy tricks to secure a WP website:
- Get hosting from a secure hosting provider
Your WordPress site is only as secure as the hosting provider you select; this is not a place to cut costs. Choose a reliable hosting provider that has all of the appropriate security measures in place.
- Don’t use ‘admin’ for any Administrator account
Hackers begin cracking your account by using the simplest of usernames. It is common knowledge that WordPress suggests ‘admin’ as the username for the Administrator account, so avoid using it and choose a unique username when installing WordPress.
- Change your password regularly, and use strong passwords built by combining the following:
Choose a complex, atypical combination of characters for your WordPress installation, particularly for administrator accounts. Avoid common and predictable passwords such as 123456, admin123 or password; these are not passwords so much as an open window for attackers.
- Upgrade WordPress to its most recent version as soon as it is released.
WordPress is a CMS that is updated frequently. Pay attention when you sign in: once a new version is released, the dashboard shows a notification to upgrade your current version. Update as soon as a new version is available, because new releases include the security patches needed to keep your site protected from attack.
- Keep your plugins & themes updated
WordPress is a plug-and-play platform: you simply install a plugin to add functionality to your site, or a theme to change its overall look and feel. There is an abundance of free and paid plugins and themes to choose from; however, just as with WordPress core, you need to keep every installed plugin and theme upgraded to its latest version to stay secure.
- Disable file editing in WordPress Admin
The WordPress editor is a convenient tool for quickly tweaking design and functionality; however, if it is left accessible, anyone who gains control of an administrator account can paste arbitrary code into it and take over your site. It is therefore best practice to disable this functionality. Keeping users away from your core code raises your site's overall security considerably. The feature can be disabled by adding the following code to wp-config.php:
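The wp-config.php snippet the text refers to does not appear on this page. What follows is an added example, not the article's own code: the DISALLOW_FILE_EDIT constant that disables the editor, together with two related constants (DISALLOW_FILE_MODS and FORCE_SSL_ADMIN) that go beyond what the text names.

```php
<?php
// Added example: hardening lines for wp-config.php. Place them above the
// line "/* That's all, stop editing! Happy publishing. */".

// Removes the Theme and Plugin file editors from the dashboard. WordPress
// also checks this constant in map_meta_cap(), so the edit_themes,
// edit_plugins and edit_files capabilities are denied at runtime and the
// editor cannot be reached by typing its URL directly either.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter variant: additionally blocks installing, updating and deleting
// plugins and themes from the dashboard. Enable it only if you deploy
// updates another way (WP-CLI, version control), otherwise it works against
// the "keep everything updated" advice above. Commented out by default.
// define( 'DISALLOW_FILE_MODS', true );

// Serve the login page and the whole /wp-admin/ area over HTTPS only, so the
// authentication cookie is never sent in clear text.
define( 'FORCE_SSL_ADMIN', true );
```

After saving the file, confirm that Appearance > Theme File Editor and Plugins > Plugin File Editor have disappeared from the dashboard menu.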
- How to choose plugins
WordPress has an abundant amount of plugins and themes available for free. When selecting a desired plugin for your site it is advisable to select plugins that are recently updated, highly rated and highly recommended. Additionally, it is important to note that the desired plugin is compatible with the WordPress version your site is currently running.
- Keep spammers away
Spam is an irritating issue prevalent on WordPress. Therefore, it is strongly advised to include a captcha on all registration forms, as well as the blog post comment section. Captcha will obstruct spambots and deter human spammers alike. There are many plugins available for WP that provide this service.
- Protect WordPress Admin panel
‘/wp-admin/’ is the gateway to any WordPress site, but if the entry is well secured it is extremely difficult for a hacker to overtake or damage your WordPress website. It is advisable and considered best practice to add a second layer of security, using server-side authentication for your WordPress admin URL. This will further protect your domain from hackers and/or bots.
- Secure configuration files
wp-config.php holds the essential settings of every WordPress site, including the database credentials. The configuration file and the .htaccess file itself should be kept out of reach of web visitors. This can easily be achieved by adding a snippet to the .htaccess file in the site root; see below for the snippet and its placement:
<FilesMatch "^(wp-config\.php|\.htaccess)$">
order allow,deny
deny from all
</FilesMatch>
- Choose sensible table prefix
Leaving the most exposed elements at their default settings makes it easier for an attacker to locate them and cause harm. Choose a non-default table prefix for your WordPress installation. Have an existing installation? Don't worry, you can still change it; see below:
In wp-config.php, change the value of $table_prefix to your preferred prefix, for example:
$table_prefix = 'wp_'; => $table_prefix = 'wp_sys789_';
Then rename all of the site's tables accordingly, for example:
'wp_users' => 'wp_sys789_users', and likewise for the other tables.
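Renaming the tables is only part of the job: WordPress also stores the prefix inside the options and usermeta tables, and if those rows are not updated every administrator is locked out after the change. The script below is an added example, not the article's own code; it assumes a single-site install, and the DSN, database credentials and prefixes are constructed placeholders.

```php
<?php
// Added example (not the article's own code): move a single-site WordPress
// install from one table prefix to another. Besides renaming the tables, the
// prefix is also stored INSIDE two tables; skipping those UPDATEs is the
// classic way to lock every administrator out after the change.
// DSN, credentials and prefixes below are constructed placeholders.
// Back up the database and take the site offline before running this.

$dsn       = 'mysql:host=localhost;dbname=wordpress;charset=utf8mb4';
$dbUser    = 'wp_db_user';       // placeholder
$dbPass    = 'wp_db_password';   // placeholder
$oldPrefix = 'wp_';
$newPrefix = 'wp_sys789_';

$pdo = new PDO( $dsn, $dbUser, $dbPass, [ PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION ] );

// In a LIKE pattern "_" matches any character, so escape it to match literally.
$likeOld = str_replace( '_', '\\_', $oldPrefix ) . '%';

// 1. Rename every table whose name starts with the old prefix.
$tables = $pdo->prepare(
    'SELECT table_name FROM information_schema.tables
      WHERE table_schema = DATABASE() AND table_name LIKE ?'
);
$tables->execute( [ $likeOld ] );
foreach ( $tables->fetchAll( PDO::FETCH_COLUMN ) as $table ) {
    $renamed = $newPrefix . substr( $table, strlen( $oldPrefix ) );
    $pdo->exec( sprintf( 'RENAME TABLE `%s` TO `%s`', $table, $renamed ) );
    echo "$table -> $renamed\n";
}

// 2. The role definitions live in the options table under "<prefix>user_roles".
$pdo->prepare( "UPDATE `{$newPrefix}options` SET option_name = ? WHERE option_name = ?" )
    ->execute( [ $newPrefix . 'user_roles', $oldPrefix . 'user_roles' ] );

// 3. Per-user keys such as "<prefix>capabilities" and "<prefix>user_level"
//    are prefixed too; rewrite every usermeta key that starts with the prefix.
$pdo->prepare(
    "UPDATE `{$newPrefix}usermeta`
        SET meta_key = CONCAT(?, SUBSTRING(meta_key, LENGTH(?) + 1))
      WHERE meta_key LIKE ?"
)->execute( [ $newPrefix, $oldPrefix, $likeOld ] );

echo "Done. Now set \$table_prefix = '{$newPrefix}'; in wp-config.php.\n";
```

Run it once from the command line, then update $table_prefix in wp-config.php and log in as an administrator to confirm the roles survived the move.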
- Hide your WordPress version
Keeping WordPress updated is not the whole job; it is also advisable to hide the WordPress version you run. Attackers know the weaknesses of each WordPress version, so it is always ADVISED to withhold that core information from them: if they learn your version, they can choose malicious code tailored to the version your site is running. This is where the version is exposed, in the page head:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
Fortunately it is very easy to hide by adding the following code snippet to your functions.php:
Adding the snippet stops the version from being printed in the head of your web pages and in your site's RSS feed.
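The functions.php snippet the text refers to is not on this page. Below is an added example, not the article's own code, that removes the version from the head and the feeds as the text describes and also from the version query string WordPress appends to its own asset URLs; the hv_ function name is this example's own.

```php
<?php
// Added example (not the article's own code): stop WordPress from advertising
// its version. Put this in the active theme's functions.php or, better, in
// wp-content/mu-plugins/hide-version.php so it survives a theme change.
// Function names prefixed hv_ are this example's own.

// Both the <meta name="generator"> tag in <head> and the <generator> element
// in RSS/Atom feeds are produced through the 'the_generator' filter, so one
// filter returning an empty string silences both places at once.
add_filter( 'the_generator', '__return_empty_string' );

// Core also appends ?ver=<WordPress version> to its own stylesheet and script
// URLs, which leaks the version just as plainly. Remove that query argument
// when it carries the core version; plugin and theme assets keep their own.
function hv_strip_core_version_query( $src ) {
    global $wp_version;
    if ( is_string( $src ) && false !== strpos( $src, 'ver=' . $wp_version ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'hv_strip_core_version_query', PHP_INT_MAX );
add_filter( 'script_loader_src', 'hv_strip_core_version_query', PHP_INT_MAX );
```

Check the result by viewing the page source and the feed at /feed/; note that readme.html in the web root also states the version, so delete or block that file as well.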
- Limit site login attempts
Attackers are persistent and will try to guess credentials relentlessly. Implement a control that stops anyone (human, bot or attacker) from attempting to log in more than 4 times. Many plugins track login attempts for you, such as WP Limit Login Attempts and Login LockDown.
- Install security plugins
A basic level of security is achieved by following all of the above recommendations, but to further secure your WordPress site, install a security plugin! Having a plugin on a site will heighten the security fence around the website overall and reduce the likelihood of being hacked. Below are some popular security plugins to consider:
- iThemes Security/Better WP Security (http://WordPress.org/plugins/better-wp-security/) plugin offers a wide range of security features.
- BulletProof Security (http://WordPress.org/plugins/bulletproof-security/) protects your site via .htaccess.
- All In One WP Security & Firewall (http://WordPress.org/plugins/all-in-one-wp-security-and-firewall/) adds a firewall to your site.
- Wordfence Security (http://WordPress.org/plugins/wordfence/) is a full-featured security plugin.
- Last but not least: back up!
It is of the utmost importance to back up your site regularly. Even with the best security measures in place, something unexpected can happen and leave your site open to attack, and a successful attack can leave it badly damaged. A previously backed-up, unaffected copy can then be restored. Having backups is the ultimate safety net and the easiest way to recover a badly damaged website.
This isn’t the full list of security measures one must take to secure a WordPress site, but an introduction to securing it at its most vulnerable entry points.