WordPress Security Tips

Anyone who is determined to hack into a WordPress site will always find a way in. The more secure the site is, the greater the challenge to hack it, and the more determined the hacker desires to undress it.

The 4 key factors of any security bolstering plans for a WordPress site are:

  • Pre-Installation
  • Installation
  • Post Installation
  • Ongoing Administration

Pre Installation

Use a reputable host

This is the simplest of all security steps.

Use a reputable host with a proven track record of great server security. Use a host that hires trustworthy staff and that is honest about security breaches and steps taken to fix them. Choose a host with 24 hour support so if your server or site is hacked your host can help you get your site back. We recommend Namecheap.

Dedicated or shared web server?

The security of a dedicated server is not hampered by the moral integrity and technical ability of multiple webmasters. Although expensive, a properly installed and properly managed dedicated server can be more secure than a shared or virtual dedicated server.

Installation

The Database Prefix

The default database prefix used by WordPress for all the tables it creates is wp_. During installation WordPress lets you set an alternative prefix. Do so. Hackers will try to run SQL exploits on the basis that your site uses the wp_  prefix. By using a non standard prefix you will hinder the success of automated attacks against your WordPress site.

Username

Choose a username other than admin, administrator, moderator, editor, subscriber, guest, poster or similar.

Use a username that is different to your displayed author name.

As soon as WordPress is installed go to Users > Your Profile and change your display name.

Password

Choose a hard to remember password. Make a note of it and place it somewhere secure.

Stay clear of common words and phrases when choosing a password.

Include numbers and non-alphanumeric characters like *,#$%^.

If you struggle to remember and recall passwords, try splitting them up (chunking them) into smaller more easily remembered character sections or try to relate them to a rhyme or imaginary shopping list.

Post Installation

Protect WP-Config

Protect wp-config as soon as the WordPress installer has completed.

wp-confg.php contains sensitive information that hackers can use to gain access to your website.

Some of the data in wp-config includes

  • the database name
  • the database table prefix
  • the database username
  • the database password

The easiest way to protect wp-config.php is to tell the server hide it from public view. Use the cPanel file manager to add these lines to the site’s .htaccess file:

Change the cookie Secret Keys

Edit wp-config.php to add (or replace) the secret keys required for browser cookies. Go to https://api.wordpress.org/secret-key/1.1/salt/ to get new unique secret keys for your site and replace the default ones which will look similar to

The secret keys can be changed at any time. Changing them will invalidate any current login sessions so users will need to log back in as soon as the keys are changed.

Remove Redundant Files

Delete the following files from your WordPress installation directory:

  • license.txt
  • readme.html

WordPress Security Enhancement Plugins

There are many WordPress security plugins. I recommend these ones

Wordfence Security

Look-See Security Scanner

Summary

A regularly cleaned, optimized and updated WordPress site with up to date plugins and security conscious configuration settings is quicker and  more secure than one that is not. Protect your wp-config.php and .htaccess files, deny directory browsing to visitors and keep aware of the latest WordPress security news and security plugins.

Plugins are a common cause of WordPress security breaches. Only use those plugins you need and try to not use plugins that perform the same tasks as each other. Some plugins may be disabled after first use without affecting their purpose; others should only be enabled when required. Be diligent about the plugins you use by listening to what others say about them.

Lastly, remember to regularly back up your WordPress database, wp-config.php, htaccess and your wp-content directory. I also suggest you back up any non-standard directories created outside of wp-content. Some hosts dislike backups being made to your server but a good place to back up your files is in a directory above /public_html (surfers cannot view above there). It is also a good idea to re-install the WordPress core files every so often by visiting Updates>Re-install in your dashboard.

Win the battle. Social Warfare Dynamik Website Builder Author Pro

Leave a Reply

2 Comments on "WordPress Security Tips"

Notify of
Sort by:   newest | oldest | most voted

it’s really great tips thanks for shearing with us .

Greetings.We are pleased to announce the release of wSecure. wSecure hides your WordPress admin URL with a special key so that only you can access. The problem with WordPress is that anyone can tell if your site is WordPress by simply typing in the default URL to the administration area (i.e. http://www.yoursite.com/wp-admin). wSecure helps you hide the fact that your website is built with Worpdress from prying eyes.

Check out wSecure in action here: http://wp.joomlaserviceprovider.com/

wpDiscuz

Free to your inbox

Join our mailing list to receive the latest news and updates from JournalXtra.

You have Successfully Subscribed!