Security is a very important issue for successfully running a website. WordPress is the most popular CMS and powers millions of websites. Hence, it is quite obvious that it is very favorite among the hackers. For this reason, it is important that you pay attention to WordPress security.
WordPress core is very secure and developers work hard to enhance the security even further. However, there are a number of measures you can take to improve WordPress security of your website. As a matter of fact, the security of your website depends completely on you. It is your responsibility to focus on WordPress security best practices.
The term “WordPress security” may overwhelm you. But you can rest assured that even a person that doesn’t have much technical knowledge can enhance WordPress security to a very high level.
We have prepared this article to share some WordPress security tips with you to help you secure your website. These tips can be helpful to users with any level of expertise.
WordPress Security Tips
1. Keep WordPress, plug-ins, themes up-to-date.
This is a simple yet crucial step for WordPress security. Updates not only add new features to WordPress but remove any bugs or security holes that were present in the previous version. Hence, updating WordPress enhances the WordPress core security. Remember that creating a backup is very useful before updating WordPress. This way you won’t have to be worried of losing any data if something goes wrong.
Updating your plug-ins and themes is also very important. Each plug-in and theme installed on your site is like a backdoor into your site’s admin. Hence, it is absolutely necessary to update your plug-ins and themes regularly.
2. Download themes and plug-ins from trusted websites.
According to a survey, 51% of the hacked WordPress websites were hacked via a security vulnerability in the theme and plug-in they were using. Hence, you should always download themes and plug-ins from trusted websites only. Downloading themes from obscure websites may lead to security holes. Some websites may even lure you by claiming to provide you premium products for free. They do this to persuade you to download their products which may be full of malicious codes.
The best place to download a free theme or a free plug-in would be WordPress theme directory or plug-in directory. The themes and plug-ins are thoroughly tested by WordPress team members. As a result, you will get secure themes and plug-ins. For premium plug-ins you can either upgrade your free plug-in to a premium version or download plug-ins from trusted websites like Theme Palace, Theme Forest. In the case of premium themes you should download themes from trusted websites like eVision Themes, Theme Palace, Theme Forest.
3. Change your username from “admin” to something strong.
During WordPress installation, you may have kept your username as the default “admin”. We suggest you to change that to something else that is stronger. You may say “My site is password protected. Why should I care about the username?”. As a matter of fact, you should care about your username. Since, username makes up half of login credentials; you are making it easier for hackers to do brute force attack by using a probable/weak username.
4. Use a strong password for admin login and change it often.
You should never use a predictable password like your name, date of birth, dictionary words, and patterns as your password. Longer passwords are better than shorter passwords. You should use random letters, numbers, symbols, and capitalization as your password. You can do this on your own or use Strong Password Generator for this.
5. Use two-step authentication.
This is a good way to prevent your website from brute force attacks. In two-step authentication method, username and password along with an authentication code is required to gain access to your WordPress site. Generally, the authentication code is sent to your mobile phone. You can install Google Authenticator to include this functionality in your website.
6. Limit login attempts.
By default, WordPress allows users to attempt as many logins as they want. This is a treat for hackers trying to use brute force. Hence, it is better to limit the number of login attempts an IP can make in a certain period of time. The user is restricted to make login attempts for certain time period. Login LockDown is a great tool that offers this feature.
7. Add user accounts only when absolutely necessary.
The rule is simple. Grant access to those who absolutely need it. Furthermore, give the users the permissions they require to complete the assigned task; nothing more than that. Giving administrative permissions to all your users can lead you into trouble.
8. Backup your website.
Backup is very vital step to keep your website secure. No method of security is foolproof. If your website ever runs into any trouble then you’ll be able to restore it easily. Hence, you should always backup your website in regular intervals. Storing the backup on a cloud service like Dropbox is a good option. You can use plug-ins like VaultPress or BackupBuddy to easily backup your website without having to write any code.
9. Upgrade your HTTP site to HTTPS.
HTTPS (HTTP over Secure Sockets Layer) is a protocol used to secure the communication between a client and server. The main objective of HTTPS is authentication of the site being visited and protection of privacy and integrity of the exchanged data. This prevents man-in-the-middle attacks. Moreover, the encryption of communication between client and server protects against eavesdropping. This ensures that the content of communications between client and server can’t be read or forged by a third party.
10. Change your WordPress database table prefix.
By default, the WordPress database table has the prefix “wp_”. Hence, hackers know that they need to search for the databases with this prefix to exploit them. It makes it easy for hackers to steal your database using SQL injection attacks.
You can watch this video to learn how to change the prefix. But first, you need to backup your website in case something goes wrong.
11. Protect your wp-config.php file
wp-config.php holds the vital information related to your WordPress installation. Hence, it is very important to protect it from attacks.
To protect your wp-config.php file, add this code in your .htaccess file before or after the
# BEGIN WordPress……..# END WordPress tags.
deny from all
12. Disable directory browsing and indexing.
Hackers can use directory browsing to find out if you have any files with known vulnerabilities. As a result, they can take advantage of these files to for their malicious purposes. Hence, it is necessary to turn off indexing and browsing of directory for WordPress security.
For disabling directory browsing and indexing, add this code in .htaccess file:
13. Disable file editing.
The built-in code editor in WordPress allows you to edit any files that are part of your WordPress installation including all themes and plug-ins. This can be a matter of security risk if someone else has admin access of your website. So if you disable file editing then they won’t be able to edit any file.
To disable file editing, add the following code at the very end of your wp-config.php file.
14. Set directory permissions wisely.
Wrong directory permissions can lead to disaster, especially in a shared hosting environment. Therefore, it is a good idea to set your directory permissions to “755”, your files to “644”, and wp-config.php to “600”.
To make these changes, you can do it manually through the File Manager in your hosting control panel.
15. Choose your host wisely.
All your security measures can go in vain if you aren’t using a correct hosting provider. The survey that we mentioned in step 2 also concluded that 41% of hacked WordPress websites were hacked by exploiting the security vulnerability in their hosting platform. Moreover, in a shared hosting environment, hackers can use some other vulnerable website to gain access over your website. Therefore, it is absolutely necessary to choose a right hosting provider for WordPress security.
BlueHost and SiteGround are reliable shared hosting providers. They take the necessary steps to protect their servers against common threats. But if you want to take an extra step for WordPress security then you can go with dedicated hosting platform.
These steps are very helpful to take your WordPress security to a very high level without having to spend a huge sum of money. There are many other complex and expensive steps for securing your website.
We hope you learnt something new about WordPress security. If you like this article and want to get more stuffs like this then please follow us on Facebook, Twitter, LinkedIn. If you are thinking about increasing your website traffic then this article is for you. You may also like some of our other articles.
Was this article helpful for WordPress security? What are the measures you take for securing your website? If you have any thoughts or suggestions then feel free to send us your feedback in the comment section below.