Essential WordPress Security Tips

WordPress is the most popular and widely used CMS (Content Management System) platform. Millions of sites around the globe run on it, and mainly for that reason hackers and spammers take a keen interest in breaking the security of websites that use WordPress.

Use a strong password

It’s very important to note that no matter how many security walls are placed around your website, there is always one key that gives complete access, and that is your password. Many hackers use ‘dictionary attacks’; by not using a common word, your admin account immediately becomes more secure. A strong password is a combination of numbers, uppercase letters, lowercase letters, and, if possible, other characters. Don’t use the same password for multiple services or websites.

Change your Admin username

Are you still using “admin” for your website? If you are, you are making your website more vulnerable to brute force attacks. First create another admin user, then log in with that user and delete the old admin user.

Install a good security plugin

One of the most popular WordPress security plugins is called iThemes Security. With a single click, this plugin fixes many of the really important security related issues.

Change the WordPress table prefix

If attackers know the names of the tables in your database, it makes their life easy, so change the names from the default naming. This sounds complicated, but it is part of the ‘single click fix’ in the iThemes Security plugin, or you can follow this great tutorial.

Take regular backups

A complete backup should include not only your WordPress database, but also your entire media library, theme files, plugins and everything else. Take regular backups of your website files and database. There are plenty of good backup plugins, both free and commercial.

Keep your WordPress installation updated

WordPress keeps releasing updates that include new features, bug fixes and security patches. It’s your responsibility to install them and keep everything up to date. You should also update all your themes and plugins. Don’t ignore the update notifications in your administration panel; take instant action.

Generate custom secret keys

The wp-config.php file stores all the secret information related to your WordPress installation. It stores your database username, database password, and the secret key. This file is very important to the function of your website, so it is very important to change all its default values to custom generated ones.

You can generate the custom secret key information from this official API page. Just refresh the page to grab a newly generated and unique secret key.

Protect wp-config file

As described above, this file stores the most important data related to your website, so it’s really important to hide it. You can easily protect the wp-config file by adding the custom rule below to your .htaccess file.

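# Deny all web access to wp-config.php
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use: Require all denied)
<Files wp-config.php>
   order allow,deny
   deny from all
</Files>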

Copy the code above and paste it into your .htaccess file, which is stored in your root folder, provided that you have been granted access to see and edit it.

Hide .htaccess file

You can also hide your .htaccess file. Your .htaccess file can hold a good amount of information about the structure of your website, some of which should not be exposed to users.

<Files .htaccess>
   order allow,deny
   deny from all
</Files>

The easiest way to hide it is to add the snippet provided above to your .htaccess file.

Limit login attempts

One of the best methods to protect a WordPress website is to limit the login attempts from one IP address. You can use a free plugin like Limit Login Attempts, which has some great advanced features such as the ability to handle servers behind proxy servers, email notifications and much more. But be careful with plugins like this so you don’t lock yourself out.

Reduce the number of external scripts and plugins

If possible, try to avoid external scripts, whether loaded directly or through plugins. A really common cause of websites being hacked is malicious external scripts that users install unknowingly by downloading plugins and using scripts from random sites.

Use plugins and themes from trusted sources

While some users are getting commercial plugins for free, they may also be getting backdoors and malicious software. This is not a new problem, and it doesn’t affect just plugins; it also affects website themes. Restrict yourself to the repository or well-known companies.