17 Tips to Secure Your WordPress Website

How do you secure a WordPress website? If you are running a WordPress blog or website, this is probably your first question. It can't be achieved in one single step and it's not a one-time process: check your WordPress site's configuration once in a while against this list to strengthen the security of your WordPress website. Here is a list of points to secure a WordPress website.

Follow These 17 Tips to Secure Your Website

1. Use strong passwords to Secure WordPress Website

Keep strong passwords for the WordPress admin dashboard, and also for FTP, the database and the web hosting control panel. Change these passwords on a regular basis. When creating passwords, mix lower-case letters, capital letters, numbers and special symbols to make them strong enough to secure your WordPress website.

2. Don’t use Admin username

Using the default admin username on a production website is too risky. If you are already using the admin username, create a new user with administrator access, log in to the WordPress admin dashboard with that new account, then delete the admin user and assign all content that belonged to admin to the new user.

3. Update as soon as updates are available

Update themes and plugins as soon as updates are available. If you want to receive an email whenever an update is available for a plugin, a theme or WordPress core, install this plugin – WP Updates Notifier.

4. Stop Brute-force attacks

Brute-force attacks try username and password combinations from wordlists until one matches. You can use a firewall to block brute-force attacks against WordPress.

5. Limit Login Attempts

Block a user's IP address after a number of failed login attempts; the Limit Login Attempts plugin does this for you. It has plenty of options for blocking a user after a specific number of attempts to secure your WordPress website.

6. Never show your username

If an attacker knows your username, they only need to brute-force the password. If you are not showing the username, it becomes much harder to find an account to brute-force. Anyone can find your username from www.yoursite.com/author/username, so try to remove this to make your WordPress website more secure.

7. Remove WordPress version from html metadata

If an attacker learns your WordPress version, they can easily look up known flaws in that version and exploit them. So it is recommended to remove the WordPress version from the HTML metadata. To remove it, add the code below to the functions.php file in the active theme directory.

// functions.php: stop WordPress printing the <meta name="generator" ...> tag in <head>
remove_action('wp_head', 'wp_generator');

8. Disable Theme/Plugin editing from WordPress Admin Panel

If anyone gets access to your admin area, they can edit your theme and plugin files to inject malicious code. To prevent that, disable theme and plugin editing in the admin area. You can follow this post to Disable theme and plugin editing from WordPress Admin.
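As an added example (not code from the original post), the following hooks implement tips 6, 7 and 8 together in the active theme's functions.php or a must-use plugin. The "harden_" function names are my own, and the DISALLOW_FILE_EDIT constant is conventionally set in wp-config.php rather than here.

```php
<?php
// Added example for tips 6, 7 and 8 (not from the original post). Drop it into the
// active theme's functions.php or a file under wp-content/mu-plugins/.
// Function names prefixed "harden_" are my own.

// Tip 7: do not announce the WordPress version in HTML, feeds or asset URLs.
remove_action('wp_head', 'wp_generator');             // <meta name="generator" ...>
add_filter('the_generator', '__return_empty_string');  // RSS/Atom <generator> element
function harden_strip_ver($src) {
    // ?ver=6.x on enqueued scripts/styles leaks the core version too
    return $src ? remove_query_arg('ver', $src) : $src;
}
add_filter('style_loader_src', 'harden_strip_ver', 9999);
add_filter('script_loader_src', 'harden_strip_ver', 9999);

// Tip 6: stop user-name enumeration via /author/<login>/ and /?author=N.
function harden_block_author_archives() {
    if (is_admin()) {
        return;
    }
    if (isset($_GET['author']) || is_author()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}
// Priority 1 runs before redirect_canonical(), which would otherwise turn
// /?author=1 into /author/<login>/ and reveal the login in the Location header.
add_action('template_redirect', 'harden_block_author_archives', 1);

// Tip 6 (REST): the users endpoint lists authors too; hide it from anonymous callers.
function harden_hide_rest_users($endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
}
add_filter('rest_endpoints', 'harden_hide_rest_users');

// Tip 8: remove the theme/plugin file editors from the dashboard.
// Normally set in wp-config.php; defining it here also works because the
// edit_themes / edit_plugins capability checks read it at request time.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}
```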

9. Change Database prefix from ‘wp_’

If you are using the default WordPress table prefix, change it to something else. You can rename the tables in phpMyAdmin and then update the prefix in the wp-config.php file to match.

10. Delete Inactive Themes and Plugins

If you have inactive or disabled plugins or themes, delete them immediately, because unmaintained code can still create security problems.

11. Protect wp-config.php file

Protect the wp-config.php file from being accessed: restrict its file permissions to read-only, and block web access to it from .htaccess by adding this code to the .htaccess file in the root directory.

# protect wp-config.php (Apache 2.2 "Order/Deny" syntax; on Apache 2.4 this
# needs mod_access_compat, or use "Require all denied" inside the block instead)
<files wp-config.php>
order allow,deny
deny from all
</files>

12. Protect wp-admin directory

Protect wp-admin by restricting other IP addresses so that it can only be accessed from your own IP address; if you have a dynamic IP you can add that range too. Add the code below to the .htaccess file inside the wp-admin directory.

# wp-admin/.htaccess: allow the dashboard only from your own IP addresses
# (note: this also blocks wp-admin/admin-ajax.php, which some themes and
# plugins call from the public site)
order deny,allow
deny from all

# static IP
allow from xxx.xxx.xxx.xxx

# dynamic IP: allow the range your provider assigns
# (/24 covers xxx.xxx.xxx.0-255, /16 covers xxx.xxx.0.0-255.255; a /8 would open a whole first-octet range)
allow from xxx.xxx.xxx.0/24
allow from xxx.xxx.0.0/16

13. Protect wp-login.php file from unknown IPs

Protect the wp-login.php file from unknown IP addresses: add the code below to your .htaccess file to stop unknown IPs from reaching wp-login.php, making your WordPress website more secure.

# root .htaccess: only your own IP addresses may reach the login page
<files wp-login.php>
order deny,allow
deny from all

# static IP
allow from xxx.xxx.xxx.xxx

# dynamic IP (/24 and /16 match the address ranges written; /8 would be far too wide)
allow from xxx.xxx.xxx.0/24
allow from xxx.xxx.0.0/16
</files>

14. Disable Directory Listings

This is usually already taken care of by your web host or by WordPress's own .htaccess file. If you can still browse directory listings on your website, add this code to the .htaccess file in the root directory to secure your WordPress website.

Options -Indexes

15. Create custom secret keys in wp-config.php file

Replace the secret keys in wp-config.php with unique values; you can generate a new set of secret keys with the WordPress.org secret-key generator.
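As an added example (not from the original post), this small command-line script audits a wp-config.php file for tips 9, 11 and 15: the default table prefix, loose file permissions and placeholder secret keys. The file path argument and the "findings" format are my own assumptions; the placeholder text checked is the one shipped in the stock wp-config-sample.php.

```php
<?php
// Added example, not from the original post: audit wp-config.php for tips 9, 11 and 15.
// Usage (assumed): php wp-config-audit.php /path/to/wp-config.php

$path = $argv[1] ?? 'wp-config.php';
$src = file_get_contents($path);
if ($src === false) {
    fwrite(STDERR, "cannot read $path\n");
    exit(2);
}
$findings = [];

// Tip 9: the default 'wp_' prefix makes every table name guessable.
if (preg_match('/\$table_prefix\s*=\s*[\'"]([^\'"]*)[\'"]/', $src, $m) && $m[1] === 'wp_') {
    $findings[] = "table prefix is the default 'wp_'";
}

// Tip 15: every key and salt must be replaced; the stock file ships placeholder text.
$keys = ['AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
         'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT'];
foreach ($keys as $k) {
    if (!preg_match("/define\(\s*'$k'\s*,\s*'([^']*)'\s*\)/", $src, $m)
        || strlen($m[1]) < 32   // generated keys are 64 chars; 32 is my own lower bound
        || stripos($m[1], 'put your unique phrase here') !== false) {
        $findings[] = "$k is missing, short, or still the placeholder";
    }
}

// Tip 11: the file holds database credentials; group/world access is a risk (POSIX only).
$mode = fileperms($path) & 0777;
if ($mode & 0077) {
    $findings[] = sprintf('file mode is %04o; 0600 or 0640 is expected', $mode);
}

// Tip 8 as well: the dashboard file editor should be switched off here.
if (!preg_match("/define\(\s*'DISALLOW_FILE_EDIT'\s*,\s*true\s*\)/", $src)) {
    $findings[] = 'DISALLOW_FILE_EDIT is not set';
}

if (!$findings) {
    echo "OK: no findings\n";
    exit(0);
}
foreach ($findings as $f) {
    echo "WARN: $f\n";
}
exit(1);
```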

16. AskApache Password Protect

Here is a plugin that secures the wp-login.php file and the wp-admin directory at the Apache level. It lets you protect your site with HTTP 401 authentication in a few easy steps, and everything can be managed from the WordPress admin panel. You can download the plugin here – AskApache Password Protect.

17. Always Backup

This is the last and most important step, in case you run into problems or someone hacks your website. Always keep a backup at hand so that you can restore the site instantly. Use this plugin for automatic WordPress backups – BackWPup Free – WordPress Backup Plugin. The BackWPup plugin is simple to configure.

If you have any tips to Secure WordPress Website, let us know using below comment form.

Vivek Vengala

Vivek Vengala is an online entrepreneur and web developer from Hyderabad, India.