Here I am presenting essential WordPress security tips to help protect your website from known threats.
When I started blogging back in 2011, I was unaware of the fact that Google finds almost 9500 malware-infected websites every day. And I am damn sure that no new blogger will know about this fact until they experience it themselves.
- 1 Advanced WordPress Security Tips
- 1.1 Change Your Username
- 1.2 Change Your Administration Panel Password
- 1.3 Keep Your WordPress Installation Updated
- 1.4 Generate Custom Secret Keys
- 1.5 Protect wp-config File
- 1.6 Hide .htaccess File
- 1.7 Hide wp-content Folder (Additional Tip)
- 1.8 Limit Login Attempts
- 1.9 Use Themes From Trusted Sources
- 1.10 Regular Backup
Advanced WordPress Security Tips
WordPress is undoubtedly the world’s most popular blogging platform. It’s open source, free to use and customize, but with popularity come security risks. Though WordPress has a dedicated team which reviews each and every line of code in the core framework, they are still human.
Consider yourself and consider me. If I miss an important sentence or just repeat the same sentence twice, most probably my readers will inform me about it in the comment section.
Similarly, when developers and designers find any bug or security-related problem in WordPress core, they open a new ticket about it.
Even if we assume that the core doesn’t have any security holes, the installation of additional plugins and themes may create loopholes for hackers.
So in order to help you protect your WordPress website from hackers, I have crafted this in-depth tutorial. Follow my steps to bulletproof your website against damage.
Change Your Username
Are you still using the same old, boring, well-known default username “admin” for your website? If you are, you are making your website more vulnerable to brute-force attacks.
Last year, we saw buzz all around the globe about the mass brute-force attack on WordPress websites. Responding to it, Matt wrote a blog post asking all bloggers to change their username and password to something unpredictable. According to him, if you do this you will be ahead of 99% of the rest of the websites on the internet.
Change Your Administration Panel Password
According to Matt Mullenweg, the founder of WordPress, if you change your simple, easy-to-guess password to a strong and unpredictable one, you will, as already said, be ahead of almost 99% of vulnerable websites. That said, you and your website will be far better protected against brute-force attacks.
Generally, you should use a mixture of capital and small letters combined with numbers and symbols.
For better security you can use an IP-blocking or login-limit plugin, since attackers may try different sets of IP addresses against your website.
Keep Your WordPress Installation Updated
WordPress keeps releasing updates which add new features, fix bugs and patch security holes. It is your responsibility alone to apply them. You should also update all your themes and plugins, since their older versions may not be supported by the latest WordPress release. So whenever you get an update notification in your administration panel, don’t ignore it. Take instant action and update right away.
Certain hosting companies offer the Softaculous script installer on shared hosting. If you use it, it has an option to enable automatic updates for any platform on which you are running your website.
That one simple click will not only harden your website but will also keep you equipped with the latest features and settings.
HINT: If you have purchased your theme or plugin from a marketplace like CodeCanyon or ThemeForest, go to your profile page and grab the latest version from the download section. Otherwise, contact your theme developer for instructions.
Generate Custom Secret Keys
The wp-config.php file stores all the secrets of your WordPress installation: your MySQL database username, database password, and the secret keys. Overall it is the most important file in your site’s folder structure, and it is also important to change all its default values to custom-generated ones.
You can generate custom secret keys from the official WordPress secret-key API page. Each time you visit or refresh (F5) the page, it produces a newly generated, unique set of keys.
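If you prefer to generate the keys offline, the following is an added example (not from the original post or from WordPress itself) that produces the eight define() lines in wp-config.php format from the OS CSPRNG and spots any key still set to the sample placeholder. The 64-character length and the alphabet are my assumptions, chosen so a value is safe inside a single-quoted PHP string.

```python
import re
import secrets
import string

# The eight constants WordPress expects in wp-config.php.
WP_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Assumed alphabet: printable ASCII without whitespace, quotes or
# backslash, so a value is safe inside a single-quoted PHP string.
ALPHABET = "".join(c for c in string.printable[:94] if c not in "'\"\\")
# Default value shipped in wp-config-sample.php.
PLACEHOLDER = "put your unique phrase here"
DEFINE_RE = re.compile(
    r"define\(\s*'(\w+)'\s*,\s*'" + re.escape(PLACEHOLDER) + r"'\s*\);"
)


def generate_salt(length=64):
    """One key from the OS CSPRNG (the secrets module, never random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_defines():
    """The eight define() lines, ready to paste into wp-config.php."""
    return "\n".join(f"define('{k}', '{generate_salt()}');" for k in WP_KEYS)


def find_default_keys(config_text):
    """Names of keys still carrying the sample placeholder."""
    return [m.group(1) for m in DEFINE_RE.finditer(config_text)]


def replace_default_keys(config_text):
    """Rewrite each placeholder define() with a freshly generated key."""
    return DEFINE_RE.sub(
        lambda m: f"define('{m.group(1)}', '{generate_salt()}');", config_text
    )


# Constructed sample: one key left at its default, one already customised.
SAMPLE_CONFIG = (
    "define('AUTH_KEY', 'put your unique phrase here');\n"
    "define('NONCE_SALT', 'already-changed-value');\n"
)

if __name__ == "__main__":
    print("still default:", find_default_keys(SAMPLE_CONFIG))
    print(generate_defines())
```

Changing the keys invalidates every existing login cookie, so all users (including you) will have to sign in again afterwards.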
Protect wp-config File
We already know that this file stores the most important data related to your website, so it is really important to hide it from the web. You can easily protect the wp-config file by adding the custom file rule below to your .htaccess file.
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Copy the above code exactly and paste it into the .htaccess file in your site’s document root.
Hide .htaccess File
It contains all your custom rules which control redirects, website speed, login control, CDN support, domain redirection and file visibility.
If hackers get their hands on your site’s .htaccess file, they can easily control your website. The easiest way to hide it is to add the snippet below to your .htaccess file.
<Files .htaccess>
order allow,deny
deny from all
</Files>
Hide wp-content Folder (Additional Tip)
The wp-content folder stores all your images, themes and plugins. If its directory listing is publicly visible, anyone who knows you are using WordPress (which is extremely easy to determine) can browse and download your premium themes or plugins, and even important files or images, without any kind of authentication.
Today most hosting providers disable directory listing automatically, but if your host doesn’t, you should hide it manually.
Follow these steps to hide the wp-content folder.
- Create a blank index.php file with notepad or notepad++.
- Now upload this file to the wp-content folder and to its sub folders like themes, plugins, uploads.
- Now visit yoursitename.com/wp-content/
If you see a blank page, you have completed the task. If you still see the sub folders, leave a comment below.
Though the folder listing itself won’t create a hacking risk, you might lose important files and data.
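Doing the three steps above by hand for every sub folder is tedious, so here is an added helper (my code, not part of the original post) that walks a wp-content tree, reports which folders would still show a listing, and drops the blank index.php into each of them. The demo tree it builds is constructed sample data in a temporary directory.

```python
import os
import tempfile

# The file body WordPress itself ships in its own wp-content/index.php.
SILENCE = "<?php\n// Silence is golden.\n"


def dirs_without_index(root):
    """Sub folders (root included) that would still expose a listing."""
    return [d for d, _, files in os.walk(root) if "index.php" not in files]


def add_index_files(root):
    """Create the blank index.php in root and every sub folder that lacks
    one; existing files are left untouched. Returns the paths created."""
    created = []
    for dirpath in dirs_without_index(root):
        path = os.path.join(dirpath, "index.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SILENCE)
        created.append(path)
    return created


def build_demo_tree():
    """Constructed throwaway tree shaped like wp-content (sample data)."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    for sub in ("themes/twentytwelve", "plugins", "uploads/2014/01"):
        os.makedirs(os.path.join(root, sub))
    # themes/ already has the index.php that WordPress ships with it
    with open(os.path.join(root, "themes", "index.php"), "w") as fh:
        fh.write(SILENCE)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print("exposed before:", len(dirs_without_index(root)))
    print("created:", add_index_files(root))
    print("exposed after:", dirs_without_index(root))
```

Run add_index_files against your real wp-content path after the demo; new upload folders created later will need the same treatment.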
Limit Login Attempts
One of the best methods to protect a WordPress website is to limit the login attempts from one IP address. Say a hacker is attempting to break into your site using a list of usernames and passwords; this type of plugin can be of great use.
It will automatically block that IP address for a certain period of time, forcing the attacker to change IP addresses. Overall it makes the attack more complicated, thus protecting your site.
You can use a free plugin like Limit Login Attempts, which has advanced features such as handling servers behind proxies, email notifications, IP filtering and more.
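To see the rule such a plugin applies, here is an added example (my code, not the plugin’s) that runs it over web-server access logs: it counts POSTs to wp-login.php per IP inside a sliding window and flags the IP once the limit is exceeded. The log lines are constructed samples using documentation IP ranges, and the limit of 4 attempts in 20 minutes is an assumed setting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format as written by Apache/nginx; the lines below are
# constructed sample data using documentation IP ranges.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2014:10:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2014:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2014:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2014:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2014:10:00:50 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2014:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2014:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
]


def parse_login_attempts(lines):
    """Yield (ip, timestamp) for every POST to wp-login.php, in log order."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST" and m.group("path").startswith("/wp-login.php"):
            yield m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)


def find_bruteforce(lines, max_attempts=4, window_secs=20 * 60):
    """Apply the login-limit rule: an IP that makes more than max_attempts
    POSTs inside the window is flagged. Returns {ip: time limit exceeded}."""
    window = timedelta(seconds=window_secs)
    recent = defaultdict(list)   # ip -> timestamps still inside the window
    flagged = {}
    for ip, ts in parse_login_attempts(lines):
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) > max_attempts and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} exceeded the login limit at {when:%H:%M:%S}; lock it out")
```

A failed WordPress login re-renders the form with status 200 while a success redirects with 302, so counting all POSTs is deliberately conservative.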
Use Themes From Trusted Sources
Are you using a free WordPress theme which you downloaded from a random website found through a Google search? If your answer is yes, I suggest you immediately install the Exploit Scanner plugin.
This plugin checks your themes against WordPress standards and also finds hidden base64-encoded code.
If you don’t know anything about base64 encoding, for your information: it is a common practice of free theme developers to use it to hide footer links to their websites. These types of links will not only damage your PageRank but can also lead to a Penguin penalty. So it is always better to stay away from free templates from non-recognized websites.
Instead, you can search the official WordPress directory for some of the best WordPress themes.
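For a first look at a theme before installing a scanner plugin, here is an added example (my code, unrelated to Exploit Scanner) that walks a theme’s PHP files for base64_decode() and eval() calls and for long base64 literals, decoding the latter so the hidden text can be read. The footer.php it scans is constructed sample data.

```python
import base64
import os
import re

# Constructs typically used to hide footer links (or worse) in theme files.
SUSPICIOUS = {
    "base64_decode": re.compile(r"base64_decode\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "long_base64_literal": re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]"),
}

def decoded_preview(literal, limit=60):
    """Base64-decode a literal; return printable text (truncated) or None."""
    try:
        text = base64.b64decode(literal, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text[:limit] if text.isprintable() else None

def scan_text(text, name="<string>"):
    """Return (file, line_no, kind, detail) for each suspicious construct."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SUSPICIOUS.items():
            for m in pattern.finditer(line):
                detail = m.group(0)
                if kind == "long_base64_literal":
                    detail = decoded_preview(m.group(1)) or "(not printable)"
                findings.append((name, line_no, kind, detail))
    return findings

def scan_theme(theme_dir):
    """Scan every .php file under a theme directory."""
    findings = []
    for dirpath, _, filenames in os.walk(theme_dir):
        for fn in filenames:
            if fn.endswith(".php"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), path))
    return findings

# Constructed sample: a footer.php with an obfuscated credit link.
HIDDEN_LINK = '<a href="http://example.com/">free themes</a>'
SAMPLE_FOOTER = (
    "<footer>\n<?php echo base64_decode('"
    + base64.b64encode(HIDDEN_LINK.encode()).decode()
    + "'); ?>\n<?php wp_footer(); ?>\n</footer>\n"
)
```

Call scan_theme("/path/to/wp-content/themes/yourtheme") on a real theme; every finding deserves a manual look, since legitimate code does occasionally use base64 too.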
Regular Backup
Backups ensure that your website’s precious content is protected from unknown threats. Suppose my blog has been hacked and the hacker has cracked into my WordPress administration panel. He stole my subscriber list and deleted all my content.
Now if my hosting provider hasn’t created any backups, and above all if I haven’t created any automatic or manual backups myself, then all my hard work is lost. But if I have a backup, I can restore the content immediately and also inform my subscribers about the problem I faced.
Today there are many ways to create backups. You can either choose free services like Dropbox, Google Drive and others for storing your files, or go with premium cloud services.
This brings us to the end of this post. I have shared all my personal methods for securing my blogs and websites. Creating regular backups and using security plugins are the most important steps.