WordPress is the most popular CMS platform on the Internet, which also makes it one of the most frequently attacked. Having a WordPress site means that you have to take some extra effort to protect your data and your visitors' data. Here we will discuss some security measures and tweaks. Let's start:
1. Keep WordPress and all plugins up-to-date
It's always the best idea to keep the WordPress core, themes and plugins up-to-date with the latest versions. Core and plugin updates very often include security patches. It is really important to close those security holes promptly by updating the plugins, themes and WordPress core.
2. Protect WordPress admin area
You should hide the admin area from the entire world. If you allow registration on your site, you should use a front-end login or registration form. You can do so using the following plugins:
If you are the only administrator, you can restrict the admin panel to your own IP address. To find your IP address, you can go to http://www.whatismyip.com/. If your IP is xxx.xxx.xxx.xxx, add the following to your .htaccess:
If you need to log in from multiple IPs, add a separate Allow from xx.xxx.xxx.xxx line for each one. Note that this only works well if your IP address is static. Never log in from an unprotected computer.
3. Never use the ‘admin’ username
We make this mistake all the time: for the sake of simplicity we keep the “admin” username. But trust me, attackers know that, and brute-force attempts against your site usually start by guessing the username “admin”. If your username is already “admin”, you can follow this article to change it to something else.
4. Use a strong password
Another mistake we make is keeping the password very simple, even something like 123456! Such a password is easily guessed. Do not use your name, pet's name, spouse's name, country, date of birth etc. as a password. A strong password should be at least 8 characters long and should contain upper-case letters, lower-case letters, numbers and special characters, with no consecutive repetition. How about this: *uj&vb%2. 6(HN6t ? Did you notice that I put a space in the password? That makes it even harder to guess! (Of course, now that this one is published, generate your own rather than reusing it.)
5. Use two-factor authentication
Using two-factor authentication will definitely improve the security of your WordPress website, because a stolen or guessed password alone is no longer enough to log in. You can try this plugin: https://wordpress.org/plugins/authy-two-factor-authentication/
6. Get decent hosting
If your hosting is insecure, nothing you do inside WordPress can save you! So always use a good host, and make sure it offers the following:
- Support for the latest PHP and MySQL versions
- Account isolation
- Web Application Firewall
- Intrusion detection system
7. Back Up Your Website
It's important to keep regular backups of your website. If for any reason your site goes down or gets compromised, you can restore from the backup. Store the backups somewhere other than the web server itself, and test that they actually restore. There are lots of backup plugins out there:
8. Limit Login Attempts
This is a very useful plugin that blocks a user for a certain time after repeated failed login attempts by banning the originating IP for a set period. You can download the plugin from here: http://wordpress.org/plugins/limit-login-attempts/
9. Change WordPress Salt Keys
If you open the wp-config.php file, you will see salt keys like this:
You can change these salt keys. Go to https://api.wordpress.org/secret-key/1.1/salt/; every page refresh gives you a fresh set of salt keys. Just copy them from there and replace your current salt keys in wp-config.php. Note that changing the salts invalidates all existing login cookies, so every user (including you) will have to log in again.
10. Change the table prefix
Again, in the wp-config.php file you will see a table prefix like the following:
Change this prefix to something else, such as juyhtf_. Then you have to apply the change in your database, renaming every table from the current prefix to the new one. If you have the iThemes Security plugin, it can do this in minutes. To do it manually you have to run some MySQL queries in phpMyAdmin (assuming your old prefix is wp_ and the new prefix is me_):
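As an added worked example (not the article's own queries), here is the complete manual procedure for the wp_ to me_ case. It assumes the default core tables; first run SHOW TABLES and add any plugin tables (and, on newer WordPress, wp_termmeta) to the RENAME list.

```sql
-- Added example, not from the original article. Assumes old prefix wp_ and
-- new prefix me_. Take a full database backup first, and set
-- $table_prefix = 'me_'; in wp-config.php before running this.

-- 0. See every table that carries the old prefix; the RENAME below must
--    cover all of them, including plugin tables.
SHOW TABLES LIKE 'wp\_%';

-- 1. Rename the core tables (extend this list with what step 0 showed).
RENAME TABLE
  wp_commentmeta        TO me_commentmeta,
  wp_comments           TO me_comments,
  wp_links              TO me_links,
  wp_options            TO me_options,
  wp_postmeta           TO me_postmeta,
  wp_posts              TO me_posts,
  wp_terms              TO me_terms,
  wp_term_relationships TO me_term_relationships,
  wp_term_taxonomy      TO me_term_taxonomy,
  wp_usermeta           TO me_usermeta,
  wp_users              TO me_users;

-- 2. Rows whose key embeds the prefix (wp_user_roles in options;
--    wp_capabilities, wp_user_level, ... in usermeta) must be rewritten too,
--    otherwise every user loses their role and nobody can reach the admin.
--    CONCAT/SUBSTRING replaces only the leading prefix, and the backslash in
--    LIKE 'wp\_%' makes the underscore match literally, not as a wildcard.
UPDATE me_options
   SET option_name = CONCAT('me_', SUBSTRING(option_name, LENGTH('wp_') + 1))
 WHERE option_name LIKE 'wp\_%';

UPDATE me_usermeta
   SET meta_key = CONCAT('me_', SUBSTRING(meta_key, LENGTH('wp_') + 1))
 WHERE meta_key LIKE 'wp\_%';

-- 3. Verify: all three queries should return no rows.
SHOW TABLES LIKE 'wp\_%';
SELECT option_name FROM me_options  WHERE option_name LIKE 'wp\_%';
SELECT meta_key    FROM me_usermeta WHERE meta_key    LIKE 'wp\_%';
```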
11. Set correct file permissions
It's very important to set correct file permissions. Make sure they are set as follows:
- All directories should be 755 or 750
- All files should be 644 or 640
- wp-config.php should be 600
12. Hide the login page
There are several plugins that will help you hide your login page, such as:
13. Remove WordPress Version Number
Use this very simple snippet to hide the WordPress version number:
You can put this code in your theme's functions.php or in an mu-plugin. Keep in mind that hiding the version only deters casual scanners; it is no substitute for actually keeping WordPress updated (tip 1).
14. Use a security plugin
There are some excellent security plugins out there; try one of the following:
There are lots of things you can do in the wp-config.php file alone. Please take a look at this article to learn about them.
So, don't let hackers destroy your hard work. Keep your site secure, stay secure 🙂 I hope this article helps you.