Top 15 WordPress Security Tips & Tricks
Here are some security tips that help protect a WordPress blog from outside attacks: simple steps you can take to secure your WordPress website now.
1. Change the default login page address. This hides the login form from scanners that hard-code wp-login.php, but it is obscurity only and does nothing against an attacker who discovers the new address, so use it together with the measures below.
2. Change the default admin username. Brute-force tools assume the account is called "admin"; with a different name the attacker must first discover your username (tips 3 and 12 close the usual ways it leaks).
3. Suppress the default login error messages. Out of the box, WordPress tells the visitor whether the username exists (an "unknown username" message versus "the password you entered for the username X is incorrect"), which lets an attacker confirm account names before guessing passwords. Return one neutral message for every failed login instead.
4. Install a CAPTCHA on the login form. This slows down automated tools that guess usernames and passwords; pair it with rate limiting, because CAPTCHAs can be farmed out or solved by some bots.
5. Block suspicious IP addresses. Locking out an address after repeated failed logins stops an attacker from coming back indefinitely with more guesses. Attackers rotate addresses, so treat this as one layer, not a complete defence.
6. Do not install plugins or themes from untrusted sources. "Nulled" or repackaged themes and plugins are a common carrier of backdoors; use the official directory or the vendor's own site.
7. Always keep WordPress core, plugins and themes up to date. Older versions no longer receive security fixes, and publicly known vulnerabilities in outdated components are exactly what automated attacks scan for.
Current versions of WordPress offer one-click updates. Launch the update from the link in the new-version banner or from the Dashboard > Updates screen; on the "Update WordPress" page click "Update Now" to start the process. Nothing else is needed, and once it finishes you are up to date.
In general, we would recommend the following steps when performing an update:
- Back up your website (files and database)
- Turn off any caching plugins
- Update your plugins and theme framework
- Update WordPress
- Reactivate your caching plugin and clear your cache
8. Use a strong password. It protects more than your blog content: an attacker who gets into an administrator account can install plugins or edit files, run PHP of their choosing and so potentially compromise the entire server.
A password that other people cannot guess is one built from an unlikely combination of letters, numbers and symbols (or from several unrelated words) and used for this account only.
A strong password:
- is at least eight characters long (longer is better; use twelve or more for administrator accounts)
- does not contain your username, real name or company name
- is not a single dictionary word
- is different from passwords you have used before or use elsewhere
- mixes upper-case letters, lower-case letters and numbers
A password manager, or a free tool such as the Norton Identity Safe Password Generator, can create and store a complex password for your WordPress accounts.
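The rules above can be enforced on the site itself, so that a weak password is rejected at the moment it is chosen. The following is an added example, not code from this article or from any plugin: the hook names are WordPress's own, while the function names, the 12-character minimum for every account and the use of the site name as the "company name" are this example's choices.

```php
<?php
// Added example, not part of the original article: reject passwords that
// break the rules above whenever a WordPress user sets a new password
// (profile screen, "Add New User" screen, password reset form).

// Return the rules a password breaks; an empty array means it passes.
// "Not a dictionary word" and "not previously used" need a word list and a
// password history, so they are deliberately not checked here.
function hardening_password_problems(string $password, string $login, string $display_name, string $company = ''): array {
    $problems = [];

    if (strlen($password) < 12) {
        $problems[] = 'must be at least 12 characters long';
    }

    // Case-insensitive substring check against the names an attacker can look up.
    $lower = strtolower($password);
    foreach ([$login, $display_name, $company] as $forbidden) {
        $forbidden = strtolower(trim($forbidden));
        if (strlen($forbidden) >= 3 && strpos($lower, $forbidden) !== false) {
            $problems[] = 'must not contain your username, name or company name';
            break;
        }
    }

    if (!preg_match('/[a-z]/', $password) || !preg_match('/[A-Z]/', $password) || !preg_match('/[0-9]/', $password)) {
        $problems[] = 'must mix upper-case letters, lower-case letters and digits';
    }

    return $problems;
}

// Shared check: the profile screen and the reset form both post the new
// password as "pass1"; an empty value on the profile screen means "unchanged".
function hardening_check_posted_password(WP_Error $errors, $user): void {
    if (empty($_POST['pass1'])) {
        return;
    }
    $password = (string) wp_unslash($_POST['pass1']);
    $login    = (string) ($user->user_login ?? '');
    $name     = (string) ($user->display_name ?? '');
    // The site name stands in for the "company name" in the rule above.
    foreach (hardening_password_problems($password, $login, $name, get_bloginfo('name')) as $problem) {
        $errors->add('weak_password', 'Password ' . $problem . '.');
    }
}

// Profile edit and "Add New User" screens pass ($errors, $update, $user).
add_action('user_profile_update_errors', function (WP_Error $errors, bool $update, $user): void {
    hardening_check_posted_password($errors, $user);
}, 10, 3);

// The password reset form passes ($errors, $user); $user is a WP_Error when
// the reset key is invalid, so only check a real WP_User.
add_action('validate_password_reset', function (WP_Error $errors, $user): void {
    if ($user instanceof WP_User) {
        hardening_check_posted_password($errors, $user);
    }
}, 10, 2);
```

Save it as a file in wp-content/mu-plugins/ so it loads without activation. Errors added to the WP_Error object are shown on the form and the weak password is not saved.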
9. Use SFTP instead of FTP. SFTP runs file transfers over SSH, so your password and the files themselves are encrypted between your computer and the server; with plain FTP the password travels in clear text and can be read by anyone on the path. Do not confuse SFTP with FTPS, which is FTP over TLS; either is acceptable, plain FTP is not.
10. Back up your data regularly, including the MySQL database as well as the files under wp-content. Keep copies somewhere other than the web server itself and test a restore from time to time; an untested backup is not a backup.
11. Change the database table prefix. By default it is "wp_", which is what generic attack scripts assume. This is obscurity only, since an attacker who already has database access can simply list the tables. It is easiest to set at install time (the $table_prefix variable in wp-config.php); changing it on a live site means renaming every table and also updating the rows in the options and usermeta tables whose keys embed the prefix (user_roles, capabilities, user_level).
12. Hide your username from the author archive URL. By default the archive lives at http://yoursite.com/author/username/ and the slug is derived from the login name; http://yoursite.com/?author=1 redirects there, so an attacker can walk through user IDs and harvest login names to use with tips 2 to 4. Give each user a slug (the "nicename") that differs from the login, and refuse numeric author queries.
13. Make sure your site is on secure hosting: a host that keeps PHP and MySQL patched, isolates customer accounts from each other, and provides HTTPS and backups.
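Tips 3 and 12 can both be handled in one small must-use plugin. The following is an added example, not code from this article or from any plugin: the filter and action names are WordPress's own; the function names, the neutral error text and the way replacement slugs are built are this example's choices.

```php
<?php
/*
Plugin Name: Hardening: neutral login errors and no username leaks (added example)
*/

// Tip 3: the stock login error reveals whether the username exists.
// Replace every login failure with one neutral message.
add_filter('login_errors', function (string $error): string {
    return 'Invalid username or password.';
});

// Tip 12, first half: WordPress redirects /?author=N to /author/<slug>/,
// which lets an attacker walk user IDs and collect slugs. Refuse numeric
// author queries on the front end before that canonical redirect runs.
add_action('init', function (): void {
    if (is_admin()) {
        return; // the post list in wp-admin legitimately filters by author
    }
    if (isset($_GET['author']) && preg_match('/^\d+$/', (string) $_GET['author'])) {
        wp_safe_redirect(home_url('/'), 302);
        exit;
    }
});

// Tip 12, second half: the archive slug (user_nicename) defaults to the
// sanitised login name, so the URL leaks the login even without the
// ?author=N trick. Give every user whose slug still equals the login a new
// slug built from the display name plus a random suffix. Returns a map of
// login => new slug for the users that were changed.
// Note: this changes the users' existing author URLs.
function hardening_fix_author_slugs(): array {
    $changed = [];
    foreach (get_users(['fields' => 'all']) as $user) {
        if ($user->user_nicename !== sanitize_title($user->user_login)) {
            continue; // already different from the login
        }
        $base = sanitize_title($user->display_name);
        // The display name often defaults to the login too; fall back to a generic base.
        if ($base === '' || $base === sanitize_title($user->user_login)) {
            $base = 'author';
        }
        $new = $base . '-' . strtolower(wp_generate_password(6, false));
        $result = wp_update_user(['ID' => $user->ID, 'user_nicename' => $new]);
        if (!is_wp_error($result)) {
            $changed[$user->user_login] = $new;
        }
    }
    return $changed;
}
```

Drop the file into wp-content/mu-plugins/ and run the slug fix once, for example with WP-CLI: `wp eval 'print_r(hardening_fix_author_slugs());'`. The login name still appears in the REST API user list (/wp-json/wp/v2/users) only through the same slug, so changing the slug closes that path as well.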
14. Protect Your Administrative Page
You can significantly improve the security of your WordPress site if you restrict the access to your admin area.
You can restrict access to the /wp-admin directory to your own IP address. Create a file called ".htaccess" in your /wp-admin directory (this works on Apache with AllowOverride enabled; nginx ignores .htaccess files) and add the following lines:
Order deny,allow
Deny from all
Allow from x.x.x.x
Replace x.x.x.x with your actual public IP address; you can find it with a site such as What Is My IP. To allow more than one address, add another "Allow from" line for each. Two caveats: wp-login.php sits outside /wp-admin, so this rule does not protect the login form itself, and admin-ajax.php sits inside it and is used by some themes and plugins for logged-out visitors, so test the public site after applying the rule.
If your Internet service provider gives you a dynamic IP address, this restriction may not be practical, because you would have to edit the .htaccess file every time your address changes; connecting through a VPN with a fixed exit address is one way round that.
15. Implement Two-Factor Authentication
Two-factor authentication is a login method in which the user supplies a username, a password and a one-time password (OTP) generated on a second device. Even if an attacker guesses your password, they still need access to your phone.
The OTP is usually a six-digit code computed with a keyed hash (HMAC) over a shared secret and the current 30-second time step (TOTP, RFC 6238), so it changes every half minute and a captured code is useless shortly afterwards. Even an attacker who knows the administrator username and password still needs the current code to log in.
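To show what the authenticator app and the server actually compute, here is an added example, not code from this article or from any plugin: TOTP as specified in RFC 6238 with HMAC-SHA1, 30-second steps and six digits (the defaults of common authenticator apps). The function names, the one-step clock-skew window and the last-used-counter replay check are this example's choices.

```php
<?php
// Added example, not part of the original article: generate and verify
// RFC 6238 TOTP codes (HMAC-SHA1, 30 s steps, 6 digits).

// Decode an RFC 4648 base32 string (the format authenticator apps use for
// the shared secret when it is shown or scanned) into raw bytes.
function totp_base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    $bits = '';
    for ($i = 0, $n = strlen($b32); $i < $n; $i++) {
        $v = strpos($alphabet, $b32[$i]);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    for ($i = 0; $i + 8 <= strlen($bits); $i += 8) {
        $out .= chr(bindec(substr($bits, $i, 8)));
    }
    return $out;
}

// Code for one time step: HMAC-SHA1 over the 64-bit big-endian step counter,
// then RFC 4226 dynamic truncation to a $digits-digit decimal string.
function totp_code(string $secret, int $timestamp, int $step = 30, int $digits = 6): string {
    $counter = intdiv($timestamp, $step);
    $hmac = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hmac[19]) & 0x0f;
    $binary = ((ord($hmac[$offset]) & 0x7f) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            | ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Verify a submitted code. Accepts one step of clock skew either side,
// compares in constant time, and refuses any counter that is not newer than
// the last accepted one, so a code captured in transit cannot be replayed
// within its own 30-second window. Returns the counter to store as the new
// "last used" value on success, or null on failure.
function totp_verify(string $secret, string $submitted, int $now, ?int $last_used_counter, int $step = 30): ?int {
    if (!preg_match('/^[0-9]{6}$/', $submitted)) {
        return null;
    }
    foreach ([-1, 0, 1] as $skew) {
        $t = $now + $skew * $step;
        $counter = intdiv($t, $step);
        if ($last_used_counter !== null && $counter <= $last_used_counter) {
            continue; // already consumed, or older than a consumed code
        }
        if (hash_equals(totp_code($secret, $t, $step), $submitted)) {
            return $counter;
        }
    }
    return null;
}
```

You can check it against the published test vectors: with the RFC 6238 Appendix B secret "12345678901234567890" (raw ASCII bytes, not base32) and $timestamp = 59, totp_code() returns 287082, the last six digits of the RFC's 94287082. In WordPress the per-user state (base32 secret and last accepted counter) would live in user meta and totp_verify() would be called from the authentication filter after the password check; in production use a maintained 2FA plugin, but this is what it does underneath.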
To implement Two-Factor Authentication on your WordPress site we can recommend using either:
16. Disable file editing via the dashboard
In a default WordPress installation you can go to Appearance > Editor (called Theme File Editor in recent versions) or Plugins > Editor and edit theme and plugin files right in the dashboard.
An attacker who gets into the admin panel can use the same screens to drop PHP of their choosing into your site and run it. Disable in-dashboard editing by adding the following line to wp-config.php, above the "That's all, stop editing!" comment:
define( 'DISALLOW_FILE_EDIT', true );
Setting DISALLOW_FILE_MODS to true goes one step further and also blocks installing and updating plugins and themes from the dashboard, which is appropriate only if you deploy those changes some other way.
We would love to hear in the comments what you learned here, and feel free to add your own thoughts on WordPress security tips and tricks.