One of the great things about WordPress is how easy it is to get started. That ease cuts both ways: a fresh install needs a handful of deliberate settings to tighten security and control who can get at the site. Here are some basic things anyone can do to harden a WordPress site; none of them takes long.
1. Keep WordPress core, themes and plugins updated
Every WordPress release contains patches for real or potential vulnerabilities, and the same goes for theme and plugin releases. A site that is not kept on the current version is exposed to attacks that are already public. Many attackers deliberately target older WordPress versions with known security issues, so keep an eye on the Dashboard notification area and don't ignore the 'Please update now' messages. Check plugins and themes as well as core: an out-of-date plugin is just as exploitable as an out-of-date core.
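A quick way to audit many sites from the command line, as an added example (this is not code from the original post): read the core version straight out of wp-includes/version.php and compare it with a minimum you choose. It assumes a standard install layout and GNU `sort -V` for version ordering; the WP-CLI commands in the trailing comment are the standard ones for listing and applying pending updates.

```shell
#!/bin/sh
# Added example, not code from the original post: read the installed WordPress
# core version from a docroot and flag it when it is older than a minimum you
# choose. Assumes a standard install (wp-includes/version.php present) and
# 'sort -V' (GNU coreutils) for version ordering.

# Installed core version, e.g. "6.4.2", taken from wp-includes/version.php.
wp_core_version() {
    grep -F '$wp_version =' "$1/wp-includes/version.php" 2>/dev/null | cut -d "'" -f 2
}

# True (exit 0) when version $1 is the same as or newer than version $2.
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | tail -n 1)" = "$1" ]
}

# Report one docroot against a minimum acceptable version.
# Exit 0 = current, 1 = outdated, 2 = not a WordPress docroot.
check_core() {
    docroot=$1 minimum=$2
    installed=$(wp_core_version "$docroot")
    if [ -z "$installed" ]; then
        echo "$docroot: no wp-includes/version.php found"
        return 2
    fi
    if version_ge "$installed" "$minimum"; then
        echo "$docroot: core $installed is at or above $minimum"
        return 0
    fi
    echo "$docroot: core $installed is OLDER than $minimum, update it"
    return 1
}

# Usage: check_core /var/www/example.com 6.4.2   (use the current release as minimum)
# To list and apply pending updates with WP-CLI on the server itself:
#   wp core check-update && wp plugin list --update=available && wp theme list --update=available
#   wp core update && wp plugin update --all && wp theme update --all
```

Run `check_core` over every docroot from cron and you get a one-line verdict per site; any non-zero exit is a site that needs attention.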
2. Create a strong password
According to one survey, around 8% of hacked WordPress sites were compromised because of weak passwords. If the administrator password is something like 'admin', 'admin123' or 'password' (all far more common than you might think), change it to a stronger one now.
Security experts advise that a password should meet the following criteria:
- Be at least 8 characters long; longer is better
- Mix numbers, upper- and lower-case letters and special characters such as @, $ and %
- Never be reused across accounts
A password manager solves the problem of remembering all of them.
3. Do not use 'admin' as the administrator username
In 2013 there was a spate of brute-force attacks against WordPress sites across the web, making repeated login attempts with the username 'admin' combined with common passwords.
If your username is 'admin' and the password isn't strong enough, the site is wide open: the attacker already knows half of the credential and only has to guess the other half. WordPress does not let you rename a user from the dashboard, so create a new administrator account with a different username, log in as it, and then delete the 'admin' account (reassigning its posts to the new one).
4. Limit failed login attempts
Limit the number of failed login attempts a client may make, to blunt brute-force attacks (systematic password guessing). Several WordPress plugins do this, for example Better WP Security, Limit Login Attempts, Login Security Solutions and Login Lockdown. One caveat: a lockout that only watches wp-login.php can be bypassed through the XML-RPC endpoint (xmlrpc.php), which also accepts credentials, so make sure whatever you use covers both.
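Whether or not a plugin is installed, the guessing is visible in the web-server log. The detector below is an added example for sections 3 and 4 (it is not code from the original post): it counts login POSTs per client IP and prints the ones above a threshold. It relies on how WordPress answers a login: a failed attempt re-renders the form with HTTP 200, a successful one redirects with 302, so non-302 POSTs to wp-login.php are failures. POSTs to xmlrpc.php are counted as well. The log lines are constructed for the example and the threshold is an assumption you tune for your traffic.

```shell
#!/bin/sh
# Added example, not code from the original post: find clients hammering the
# WordPress login from a web-server access log. A failed login to wp-login.php
# is answered with HTTP 200 (the form is re-rendered), a successful one with a
# 302 redirect, so counting non-302 POSTs per IP isolates guessing. POSTs to
# xmlrpc.php are counted too, since it also accepts credentials.
# Assumes the Apache/Nginx "combined" log format; the threshold is yours to pick.

# Constructed sample log (not real traffic): one scripted guesser, one real user.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "python-requests/2.31"
198.51.100.2 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "python-requests/2.31"
198.51.100.2 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.31"'

# Read a log on stdin; print "count ip" for every IP with at least $1 failed
# login POSTs, busiest first. Field layout of a combined-format line:
# $1 client IP, $6 "METHOD (with the opening quote), $7 path, $9 status code.
login_abusers() {
    awk -v min="$1" '
        $6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") && $9 != "302" { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn
}

# Same detector over the constructed sample, so the result can be checked.
sample_abusers() { printf '%s\n' "$SAMPLE_LOG" | login_abusers "$1"; }

# Usage on a real log:  login_abusers 20 < /var/log/apache2/access.log
# The IPs it prints are what you would hand to fail2ban or a firewall rule.
```

On the sample, the guesser at 203.0.113.7 shows four failed attempts (three against wp-login.php, one against xmlrpc.php) and is reported; the real user at 198.51.100.2 logged in successfully (302) and never appears.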
5. Change the admin URL path
The default admin path is /wp-admin and the login page is /wp-login.php; every attacker and every scanner knows that. Moving them is no substitute for a strong password, but it keeps the site out of the untargeted mass scans that only try the default paths.
You can change the admin URL by hand, but that is fiddly and easy to break. The quick and safe way is a plugin.
Here is how to do it with a plugin (the menu names below are from Better WP Security, mentioned above, which provides this as its Hide Backend feature):
- Install the plugin
- Navigate to Security -> Hide Backend
- Change the Login slug, Register slug and Admin slug to values of your own
6. Change file permissions
On many hosts WordPress files end up with mode 664 and folders 775 (group-writable); the usual recommendation is 644 for files and 755 for folders. Some files deserve tighter settings, above all wp-config.php, which stores the database credentials. You rarely edit it, so set it to 444: every user can read it, but nobody can write to it, including the owner. For more restriction set wp-config.php to 400 and .htaccess to 404. The caveat is that PHP still has to be able to read wp-config.php, so 400 only works when PHP runs as the file's owner (the common case with PHP-FPM pools or suPHP); where the web server runs as a different user in the file's group, use 440 instead. When you need to modify wp-config.php, set it back to 664 and remember to restore the restrictive mode when you are done. Modifying .htaccess works the same way.
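The scheme above as a script, added here as an example (not code from the original post): directories 755, files 644, then the sensitive files clamped, plus an audit that lists anything world-writable. It assumes the PHP/web-server user owns the files, so 400 on wp-config.php still lets PHP read it; on a setup where the web server is only in the file's group, change that line to 440.

```shell
#!/bin/sh
# Added example, not code from the original post: apply a conservative
# permission scheme to a WordPress docroot and audit it for world-writable
# paths. Assumes the PHP/web-server user owns the files (so 400 on
# wp-config.php is still readable by PHP); use 440 with a shared group if not.

# Directories 755, ordinary files 644, then clamp the sensitive files.
# With the web-server user as owner, 644/755 still lets it write uploads.
harden_permissions() {
    docroot=$1
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +
    [ -f "$docroot/wp-config.php" ] && chmod 400 "$docroot/wp-config.php"
    [ -f "$docroot/.htaccess" ] && chmod 444 "$docroot/.htaccess"
    return 0
}

# Print every path under $1 that any user on the box can write to (other+w).
audit_world_writable() {
    find "$1" -perm -002 -print | sort
}

# Octal mode of a path, e.g. 400 (GNU/BusyBox stat).
mode_of() { stat -c '%a' "$1"; }

# Usage:
#   audit_world_writable /var/www/example.com    # should print nothing
#   harden_permissions /var/www/example.com
```

Run the audit first: anything it prints is a file or folder that a compromised neighbour on a shared host could modify, which is exactly what the hardening pass removes.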
7. Back up your data regularly
A regular backup does not prevent an attack, but it caps the damage: after a compromise or data loss you can restore the site quickly from a known-good copy. Keep the copies somewhere other than the web server, since a backup stored next to the site is lost or tampered with along with it. Many free and premium WordPress plugins back up automatically on a schedule.
Free plugins include:
- WordPress Backup To Dropbox – as the name says, it schedules automatic backups and sends the files to a Dropbox account.
- UpdraftPlus – supports uploading backups to S3, Dropbox, Google Drive, FTP, SFTP, email and more.
- XCloner – like UpdraftPlus, supports both backing up and restoring the site.
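If you would rather not depend on a plugin, the same job from cron is a database dump plus an archive of wp-content. The script below is an added example (not code from the original post or from any of the plugins above). It assumes the DB constants in wp-config.php are written with single quotes as in wp-config-sample.php, and that mysqldump, gzip and tar are on the PATH; the backup directory and retention count are yours to choose.

```shell
#!/bin/sh
# Added example, not code from the original post: nightly backup of a
# WordPress site from cron, keeping the newest N copies. Assumes
# define( 'DB_NAME', '...' ) style lines in wp-config.php and mysqldump,
# gzip and tar on PATH. Point $backup_dir at storage that is not the docroot.

# Read a define()'d constant out of wp-config.php, e.g.
#   wp_config_value /var/www/site/wp-config.php DB_NAME
wp_config_value() {
    grep "define( *'$2'" "$1" | sed "s/.*'$2', *'\([^']*\)'.*/\1/"
}

# Dump the database and archive wp-content plus wp-config.php, named by timestamp.
backup_site() {
    docroot=$1 backup_dir=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$backup_dir"
    db=$(wp_config_value "$docroot/wp-config.php" DB_NAME)
    user=$(wp_config_value "$docroot/wp-config.php" DB_USER)
    pass=$(wp_config_value "$docroot/wp-config.php" DB_PASSWORD)
    host=$(wp_config_value "$docroot/wp-config.php" DB_HOST)
    # Password goes through the environment so it never appears in 'ps' output.
    MYSQL_PWD=$pass mysqldump --single-transaction -h "$host" -u "$user" "$db" \
        | gzip > "$backup_dir/$stamp-db.sql.gz"
    tar -czf "$backup_dir/$stamp-files.tar.gz" -C "$docroot" wp-content wp-config.php
}

# Keep only the newest $2 backups of each kind in directory $1.
prune_backups() {
    for kind in db.sql.gz files.tar.gz; do
        ls -1t "$1"/*-"$kind" 2>/dev/null | tail -n +"$(($2 + 1))" | xargs rm -f
    done
}

# Cron usage, e.g. 0 3 * * *:
#   backup_site /var/www/example.com /backups/example.com && prune_backups /backups/example.com 7
```

Test a restore at least once (mysql < dump, tar -xzf into a fresh docroot); a backup that has never been restored is an assumption, not a safeguard.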
8. Disable file editing via the dashboard
In a default WordPress install, Appearance > Editor lets you edit any theme file from the dashboard.
The trouble is that an attacker who gets into the admin panel can edit files the same way and run whatever PHP they like on the server.
So it is a good idea to disable this method of file editing by adding the following line to wp-config.php, above the "That's all, stop editing!" comment: define( 'DISALLOW_FILE_EDIT', true ); The related constant DISALLOW_FILE_MODS goes further and also blocks installing and updating plugins and themes from the dashboard; use it only if you handle updates another way.
9. Use themes from trusted developers
The main reason is that free themes from random sources often contain base64-encoded code, which is used to sneak spam links into the site, or other malicious code that can cause all sorts of problems. In one review, 8 out of 10 sites offering free themes served themes containing base64 code.
If you really want a free theme, use only those developed by trusted theme companies or those available in the official WordPress.org theme repository.
Note: the same logic applies to plugins. Only use plugins listed on WordPress.org or built by a well-established developer.
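Before activating anything from outside the official repository, grep it. The scanner below is an added example (not code from the original post): it lists every line in PHP files under a directory that uses the constructs injected code typically hides behind. A hit is a lead to inspect, not proof of malice; some legitimate plugins use base64_decode for embedded images or licence blobs. The pattern list is an assumption you can extend, and the sample theme files in the usage are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: flag PHP files under a
# theme or plugin directory that use obfuscation primitives. Assumes GNU-style
# grep (-H -n -o -E) and find; a hit means "read this", not "this is malware".

# Constructs worth a second look in anything downloaded from a non-official source.
SUSPICIOUS='base64_decode *\(|eval *\(|gzinflate *\(|gzuncompress *\(|str_rot13 *\('

# Print "file:line:construct" for each suspicious call in PHP files under $1.
scan_obfuscation() {
    find "$1" -name '*.php' -exec grep -HnoE "$SUSPICIOUS" {} + 2>/dev/null | sort
}

# Number of distinct files flagged, for a quick summary.
flagged_file_count() {
    scan_obfuscation "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Usage:
#   scan_obfuscation wp-content/themes/some-free-theme
#   flagged_file_count wp-content/plugins
```

Run it over the unpacked zip before it ever touches the site; a footer.php that calls eval(base64_decode(...)) is the classic spam-link injector the section describes.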
10. Use secure hosting
Not all web hosting providers are created equal; in fact, hosting vulnerabilities account for a large share of hacked WordPress sites.
When choosing a host, don't simply go for the cheapest you can find. Do the research and pick a well-established company with a good track record and strong security measures, such as isolation between customer accounts and prompt patching of the server stack.