WordPress Security Guide: 20 Things Which Can Save Your Website
June 5th, 2017 | by Ravi Chahar | 16 Comments
One of the scariest things is getting your website hacked because of poor website security. It's important to have a WordPress security guide which covers every possible way to harden your website.
Though WordPress itself is a trusted and secure platform, there are still many things you can do to add more security layers.
Have you ever even thought about losing the hard work you have been doing for years? Isn’t that scary?
Well, this fear needs to go away. You should apply all the WordPress tips and tricks which can save your website.
This article consists of an ultimate WordPress security guide which can help you run a safe website.
Why WordPress Website Security Is Important
There are millions of websites on the web, and many of them get hacked every year.
People start their website and within a few days, they get hacked. What's the reason? It's poor website security.
You may be wondering why anyone would hack your website. You should know that bots scan for websites with vulnerabilities, and yours can be on the list.
There are different methods to hack a website. Attackers can inject malicious code into any of your website's files, or attack the login directly by cracking your password.
It can be anything. You should harden every possible part of your website where there is any vulnerability.
The List of the Tips Included in this WordPress Security Guide
It ranges from basic security tips to pro-level ones. Make sure you follow each according to your needs.
#1. Keep Everything Updated
It’s not a new thing to hear. There are thousands of security posts and every post contains this point.
You should always keep your WordPress core updated. Always use the latest version of WordPress and update the plugins and the themes accordingly.
This isn't only about security: outdated plugins can conflict with the latest WordPress version and break your website.
It may be the design or anything else.
Many people even enable automatic updates in WordPress for plugins and themes. If you can manage updates manually, you don't need to enable automatic updates, but still make sure everything is up to date.
#2. Strong Password
Whenever you create a user for your WordPress website, it's always recommended to choose a strong password.
It's not only for the login page; it applies to your FTP account, your web hosting account, and any other account you create related to your WordPress website.
Most people ignore this simple aspect and regret it later.
This may seem the simplest and most common advice, but it matters a great deal.
#3. Change The Default “Admin” Username
When you install WordPress for the first time, the default username is "admin".
It's always recommended to change it on the same day you complete your website setup. Just a few days ago, one of my clients faced some issues with her website.
It’s because of her default username. She was lucky that nothing went wrong.
But not everyone is so lucky. Just like the password, you should change the admin username and choose something known only to you.
#4. Always Have A Backup Tool
Having a backup of your website and its database is the first thing you should write on your to-do list.
In case your website gets hacked, you can restore it from the backup within a few minutes. But only if you have a backup tool.
There are many WordPress plugins which directly send the backup file to your Gmail inbox, Dropbox, Google Drive, etc.
And you can also backup your WordPress website without any plugin.
#5. Install A WordPress Security Plugin
Plugins like Sucuri, BulletProof Security, iThemes Security, etc. can help you maintain the security of your website.
Most of these plugins help you secure your website from brute force attacks by enabling a firewall. They will scan your website regularly.
You can also block users by their IP address. The number of failed login attempts will also be shown.
Every security plugin has its own features. You can try any of them and use one accordingly.
#6. Disable PHP Execution For Particular Directories
As you know, WordPress is coded in PHP, and its files and folders consist of PHP code.
But you don't want PHP executed everywhere. The folders where your media files are stored don't need any PHP execution.
You should disable PHP execution there. It means no extra PHP code can be injected and run by anyone else.
No hacker would be able to add malicious code to that part of your website and have it run.
Some security plugins let you add this directly from your admin panel.
#7. Password Protect Your WP-ADMIN Directory
The first target of hackers is the login page of your website. In every WordPress security guide, you will find the concepts of brute force attacks and fake login attempts.
What if you password protect your WordPress admin directory? Before the login page is even shown, one more security layer is added which requires a username and password.
It will help you block the fake login requests people would try.
#8. Add A Security Question To WordPress Login Page
Apart from the username and the password, you can add an extra layer: a security question on the WordPress login page.
It will authenticate the user: only the one who knows the answer to that question can log in. You can select the question of your choice.
If you run a multi-member website, each member can set a security question for their account. It can be done using a WordPress plugin. Install and activate WP Security Questions.
#9. Disable WordPress Directory Browsing
There are many WordPress directories which can be seen by everyone. Hackers can learn about the data you have on your WordPress website.
It can be secured if you disable directory browsing.
You have to add a small piece of code to the .htaccess file of your website. After that, whenever someone tries to browse the WordPress directories, they will see a 403 Forbidden error.
#10. Change The Database Table Prefix
By default, "wp_" is the prefix for all the database tables, and it can be a vulnerability for your website.
You should change the WordPress database table prefix to improve security. You can do that using the wp-config.php file, which requires some coding skills.
But if you're not good with it, then I would recommend using a plugin. Most security plugins let you change it directly from the WordPress admin panel.
#11. Remove Password Change Link
Many people complain about having to use a plugin to secure their login panel. There is also a simple solution, and it can be helpful too.
On the WordPress login page, you can see the lost password link, which can be used to recover your password once you forget it.
What if you totally remove that link? Yes, it can be done. You would need to add one line of code to the functions.php file of your WordPress theme.
Here is the complete guide to removing the lost password link.
#12. Disable Login With An Email Address
On a WordPress website, you can log in using either the username you chose or the email address you added to your account.
It's possible that a hacker compromises your email address and logs in to your WordPress website. You wouldn't even know.
You can disable login with an email address by adding code to the functions.php file.
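One way to do this, as an added example rather than the post's own code: drop the handler WordPress registers for email-address authentication, and keep a small check to confirm it is really gone. The function name is an assumption made for this example.

```php
<?php
// Added example, not code from the original post: disable logging in with an
// email address so only the username is accepted. Put it in your theme's
// functions.php or, better, in wp-content/mu-plugins/ so a theme switch cannot
// silently undo it.

// WordPress hooks wp_authenticate_email_password() onto the 'authenticate'
// filter at priority 20 (see wp-includes/default-filters.php). The priority
// passed to remove_filter() must match, or the call silently does nothing.
remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );

// Username/password authentication (wp_authenticate_username_password) stays
// in place at the same priority, so normal logins keep working.

// Returns true only when the email handler is really unhooked, so the change
// can be verified (for example from a WP-CLI shell) instead of assumed.
function example_email_login_disabled() {
    return false === has_filter( 'authenticate', 'wp_authenticate_email_password' );
}
```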
#13. Edit Login Error Message
Whenever you enter the wrong login credentials, you get an error which includes the password recovery link.
It can be used to get a new password. Why don't you change the login error message and write something without any link?
Yes, it’s possible. WordPress is an open source platform and you can edit any file. This can be an extra security layer. I always include this in the WordPress security guide.
You may remove the lost password link, but if you forget to remove it from the error message, it's of no use.
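The two points above (#11 and #13) together, as an added example that is not the post's own code: a generic login error with no link, the lost password link hidden, and the recovery action itself refused so that hiding the link is not the only barrier. The message texts are choices made for this example.

```php
<?php
// Added example, not code from the original post: close off the password
// recovery path on the login page. Works from functions.php or an mu-plugin.

// #13: one generic message for every failed login. This also removes the
// difference WordPress makes between "unknown username" and "wrong password",
// which otherwise tells an attacker which usernames exist.
add_filter( 'login_errors', function ( $message ) {
    return 'Login failed. Please check your credentials and try again.';
} );

// #11: hide the "Lost your password?" link on the login form (login_head
// runs inside the <head> of wp-login.php).
add_action( 'login_head', function () {
    echo '<style>#nav a[href*="lostpassword"] { display: none; }</style>';
} );

// Hiding the link is cosmetic: wp-login.php?action=lostpassword still works.
// login_form_{action} fires before the action is handled, so refuse it there.
foreach ( array( 'lostpassword', 'retrievepassword' ) as $action ) {
    add_action( "login_form_{$action}", function () {
        wp_die( 'Password recovery is disabled on this site.', '', array( 'response' => 403 ) );
    } );
}

// Belt and braces: even if some other code calls retrieve_password(),
// WordPress refuses to generate a reset key for any user.
add_filter( 'allow_password_reset', '__return_false' );
```

With this in place nobody, administrators included, can reset a password through the login page; keep a way to reset it from the database or WP-CLI before you deploy it.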
#14. Automatically Logout The Users In WordPress
You may have noticed that sometimes, due to a poor internet connection or some technical fault, you leave yourself logged into your WordPress admin panel.
Well, this can be risky. Someone else can use that WordPress login session to hack your website.
You may have noticed it on multi-user websites, especially where the data is sensitive. Do you use internet banking? I am sure you do.
If you have, you will have encountered that you get logged out if you don't refresh the page or show any activity for a particular duration.
You can set automatic logout for idle users using a WordPress plugin.
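What such a plugin does, shown here as an added example rather than any plugin's code: the time of the user's last request is stored in user meta, and a request arriving after the idle limit ends the session server-side. The 15-minute limit, the meta key and the function names are choices made for this example.

```php
<?php
// Added example, not code from the original post: log out users who have been
// idle longer than a set period, without a plugin. Place in an mu-plugin.
define( 'EXAMPLE_IDLE_LIMIT', 15 * MINUTE_IN_SECONDS );
define( 'EXAMPLE_LAST_SEEN_KEY', '_example_last_seen' );

add_action( 'init', function () {
    // Admin-ajax requests (the dashboard's periodic heartbeat) are not counted
    // as activity; otherwise a tab left open would never go idle.
    if ( ! is_user_logged_in() || wp_doing_ajax() ) {
        return;
    }
    $user_id   = get_current_user_id();
    $last_seen = (int) get_user_meta( $user_id, EXAMPLE_LAST_SEEN_KEY, true );
    $now       = time();

    if ( $last_seen && ( $now - $last_seen ) > EXAMPLE_IDLE_LIMIT ) {
        delete_user_meta( $user_id, EXAMPLE_LAST_SEEN_KEY );
        wp_logout();                        // destroys the session, clears auth cookies
        wp_safe_redirect( wp_login_url() ); // back to the login page, nothing rendered
        exit;
    }
    // Note: the marker is per user, not per browser session, so activity on
    // one device also keeps that user's session on another device alive.
    update_user_meta( $user_id, EXAMPLE_LAST_SEEN_KEY, $now );
}, 1 );

// Clear the marker on a fresh login so a stale value from an earlier session
// cannot trigger a logout on the very next request.
add_action( 'wp_login', function ( $login, $user ) {
    delete_user_meta( $user->ID, EXAMPLE_LAST_SEEN_KEY );
}, 10, 2 );
```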
#15. Change The Login Page URL
By default, the WordPress login URL is "http://www.example.com/wp-login.php". You can also log in using the wp-admin path.
Everyone knows about it. To improve security, you can change this URL using a plugin. It will help you add one more security layer to your WordPress login page.
#16. Limit Login Attempts
This is something you will want to do. You know that many hackers use trial and error to crack your password.
It may take them many attempts. Why not block them after a few login attempts?
You can use Login Lockdown and set the value accordingly. Most people use a maximum of 3 attempts. After that, the IP address will get blocked.
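The same lockout logic written out, as an added example and not Login Lockdown's code: failed logins are counted per IP address in a WordPress transient, and authentication is refused once the count reaches the limit until the transient expires. The limits, transient prefix and function names are choices made for this example.

```php
<?php
// Added example, not code from the original post: block an IP address after
// repeated failed logins using WordPress transients. Place in an mu-plugin.
define( 'EXAMPLE_MAX_ATTEMPTS', 3 );
define( 'EXAMPLE_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

// REMOTE_ADDR is the TCP peer. Behind a reverse proxy or CDN it is the proxy's
// address, and X-Forwarded-For may only be trusted if that proxy sets it.
function example_attempt_key() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'example_failed_logins_' . md5( $ip );
}

function example_failed_attempts() {
    return (int) get_transient( example_attempt_key() );
}

// Count every failed login. The transient expires on its own after the lockout
// period, which is what eventually unblocks the address; an attempt made while
// locked out also fails and so extends the lockout.
add_action( 'wp_login_failed', function () {
    set_transient( example_attempt_key(), example_failed_attempts() + 1, EXAMPLE_LOCKOUT_SECONDS );
} );

// Refuse authentication once the limit is reached. Priority 30 runs after
// wp_authenticate_username_password() (priority 20), which would otherwise
// ignore an earlier WP_Error and return the user when the password is right.
// An empty username means the login form is merely being displayed.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === $username || example_failed_attempts() < EXAMPLE_MAX_ATTEMPTS ) {
        return $user;
    }
    return new WP_Error(
        'example_locked_out',
        sprintf( 'Too many failed logins. Try again in %d minutes.', EXAMPLE_LOCKOUT_SECONDS / MINUTE_IN_SECONDS )
    );
}, 30, 2 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( example_attempt_key() );
} );
```

A per-IP counter does not stop an attacker who rotates addresses, so keep the strong password and the other login-page layers in place as well.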
#17. Protect the WP-INCLUDES Folder
wp-includes is one of the important folders of the WordPress directory, containing core scripts. These scripts shouldn't be accessed by anyone else.
Hackers may inject their own script and spread malicious code to your website. It's important to protect the wp-includes folder.
You can use the .htaccess file to add a security rule which will block access to everyone.
#18. Protect the WP-CONTENT Folder
All the data of plugins, themes, and media files is present in this folder. If someone hacks it, your website will go down in no time.
There are some specific file types which should be allowed. Apart from those, you should block all the other file types on your website.
You can protect the wp-content folder by creating a new .htaccess file and adding it to this folder.
#19. Protect Your Admin Folder
As you know, every internet connection has an IP address. If you allow only one IP address to log in to your WordPress admin panel, it can be secured.
If you work from one place, this can be the best way to protect your admin folder. Whitelist your IP address and block all the others.
It won't let anyone access your login page except you.
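The same allowlist enforced in PHP instead of .htaccess, as an added example that is not the post's own code, so it also works on hosts that do not run Apache. The addresses listed are placeholders and the function names are assumptions made for this example.

```php
<?php
// Added example, not code from the original post: allow wp-login.php and the
// admin area only from listed IP addresses. Place in an mu-plugin.
define( 'EXAMPLE_ADMIN_ALLOWLIST', array( '203.0.113.10', '2001:db8::1' ) ); // placeholders

function example_client_ip() {
    // REMOTE_ADDR is the TCP peer. Behind a reverse proxy it is the proxy's
    // address, and X-Forwarded-For is client-controlled unless the proxy
    // overwrites it, so it is deliberately not read here.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '';
}

function example_ip_allowed( $ip, array $allowlist = EXAMPLE_ADMIN_ALLOWLIST ) {
    // Compare in packed form so "2001:DB8::1" and "2001:db8::1" match.
    $packed = '' === $ip ? false : inet_pton( $ip );
    if ( false === $packed ) {
        return false; // unparseable or missing address: deny
    }
    foreach ( $allowlist as $allowed ) {
        if ( inet_pton( $allowed ) === $packed ) {
            return true;
        }
    }
    return false;
}

function example_enforce_admin_allowlist() {
    // admin-ajax.php also fires admin_init and is used by the public site,
    // so it is left alone; the rest of wp-admin and wp-login.php is checked.
    if ( wp_doing_ajax() || example_ip_allowed( example_client_ip() ) ) {
        return;
    }
    wp_die( 'Access to this area is restricted.', '', array( 'response' => 403 ) );
}
add_action( 'login_init', 'example_enforce_admin_allowlist' );
add_action( 'admin_init', 'example_enforce_admin_allowlist' );
```

If your address changes you lock yourself out too; recovery is then removing or editing the file over SFTP, so keep that access handy.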
#20. Protect the .htaccess File From Unauthorized Access
The .htaccess file is the heart and soul of your WordPress website. You add many rules to this file to protect different directories.
You should always protect the .htaccess file from unauthorized access. It would be dangerous if someone injected code into this file.
I Hope This WordPress Security Guide Can Help You to a Greater Extent
It's nothing new that people are scared of hackers. They should be. But fear is not the solution; you have to take serious steps to secure your website.
I have mentioned all the website security steps which can be taken. Is your website secure? Have you protected the wp-content, wp-includes, and wp-admin folders?
What would you like to ask? Have you taken each and every step included in this WordPress security guide? If you have any doubts, feel free to ask.