- Use Strong Passwords for all Entry Points
- Add a CAPTCHA to your WordPress Login page
- Protect the ‘wp-admin’ Directory
- Deny access to your Plugins and other directories
- Update WordPress to the Latest Release
- Update WordPress Plugins
- Don’t Show WordPress Version on Your Blog
- Change WordPress Table Prefix
- Be careful when you upload something to your site
WordPress is currently the most popular and widely used blogging platform, used by millions of people around the globe. That popularity also makes it an attractive target: attackers and spammers take a keen interest in breaking into WordPress blogs, so you should take action to secure yours.
WordPress itself is reasonably secure, but there is no such thing as too much assurance. Security should be the number one priority for any blogger or web developer. Without it a site can be hacked and altered, private information stolen, and countless hours of hard work wiped out. Here I'm sharing some essential WordPress security tips that will help you keep your blog safe and secure.
Luckily, because WordPress is open source software, there are many protective plugins, functions and techniques available to you. Used together, these tools can defend you from malicious activity, hacks, spam and other threats.
Use Strong Passwords for all Entry Points
I have seen many of my friends use the admin password that WordPress generated at install time and assume their blog is protected from attacks because that password is strong. The generated admin password is normally pretty strong (lowercase and uppercase letters with numbers and symbols), so there is nothing wrong with that. What shocked me was that their FTP/cPanel password for the same domain was nowhere near as strong. It gets even better: one of them was using his partner's name as the password (did I mention that his partner's name appears on his blog's 'About' page?). The FTP/cPanel password for your domain is just as important as the admin password. Anyone who can log in to cPanel can delete your WordPress database from cPanel -> Databases -> MySQL Databases, and anyone with FTP access can edit wp-config.php or upload files without ever touching the WordPress login. The bottom line is to use strong, unique passwords for all entry points, not just one.
Add a CAPTCHA to your WordPress Login page
Adding a simple CAPTCHA to your WordPress login page is another good way to reduce the chance of a bot or script gaining access to your site through a brute-force attack, so consider a CAPTCHA for your login page. Keep in mind that a CAPTCHA on wp-login.php does nothing for other authentication paths: xmlrpc.php accepts a username and password inside XML-RPC calls, so if you do not need XML-RPC, disable it or protect it separately.
Protect the ‘wp-admin’ Directory
Use a .htaccess file in the 'wp-admin' directory to limit access to certain IP addresses only (your home, work etc.). My earlier post with WordPress htaccess tips has more htaccess-related tips. Below is an example .htaccess file that can be used for this purpose (replace the 'x' and 'y' placeholders with your own IP addresses). The syntax is the Apache 2.2 form (still accepted on 2.4 through mod_access_compat); on Apache 2.4 the native equivalent is a Require ip directive. Two caveats: wp-admin/admin-ajax.php is requested by front-end features for anonymous visitors, so it is exempted below, and wp-login.php lives in the site root rather than in wp-admin, so this rule alone does not restrict the login form itself.
# Apache 2.2 syntax (mod_access_compat on Apache 2.4)
Order deny,allow
Deny from all
# whitelist home IP address
Allow from xxx.xxx.xxx.xxx
# whitelist work IP address
Allow from yy.yyy.yyy.yyy
# admin-ajax.php is used by front-end features, so keep it reachable
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
</Files>
If you don't have static IP addresses, the method above can be hard to implement. In that case you could use the AskApache Password Protect WordPress plugin, which adds a second layer of password protection in front of your WordPress blog's admin area. Also consider reading this post about some of the best plugins for securing your blog.
Deny access to your Plugins and other directories
A lot of bloggers don't protect their WordPress plugins directory against directory listing. What I mean by this is that if directory indexes are enabled on your server and there is no index file in the directory, opening www.your-domain.com/wp-content/plugins/ in a browser lists every plugin you are using. Many WordPress plugins have had vulnerabilities, and that listing hands an attacker a ready-made inventory of what to try against your blog, so it is a good idea to stop the listing.
To do this, create a new .htaccess file in your plugins directory that switches directory indexes off (the Options -Indexes directive), or drop an empty index.php file there. Do not simply deny all access to wp-content/plugins: plugins serve their own CSS and JavaScript from that directory, and blocking it breaks them. Note that an attacker can still confirm that a specific plugin is installed by requesting a known file path inside it, so this hides the inventory rather than the plugins themselves.
Update WordPress to the Latest Release
Keeping WordPress up to date is the first and most basic security tip for any WordPress blogger. This is something you never want to miss: whenever WordPress ships an update, it means bugs have been fixed, features added and, most importantly, security fixes included. You never want to miss out on those.
Update WordPress Plugins
As mentioned above, WordPress releases updates to fix bugs and security holes, and the same goes for plugins. Many times a vulnerable plugin or script has caused mass WordPress hacking. One such issue we have seen in the past is the TimThumb vulnerability: the flaw was in the TimThumb script itself, but many plugins bundled that script and so became vulnerable too. It is important to keep your plugins updated to reduce your exposure. Always use plugins that are updated regularly and have good support; depending on a plugin that has not been updated for a long time is a bad idea. Also, always download free plugins from the official WordPress repository.
Don’t Show WordPress Version on Your Blog
You should not make the WordPress version you are using visible to others, for the same reason explained above: knowing the exact version tells an attacker which known bugs to try first.
Most theme designers these days remove it for you, but to make sure, add this line inside the PHP block of your theme's functions.php. It removes the generator meta tag from the page head. The version is still disclosed elsewhere, on the ?ver= query string that WordPress appends to its core scripts and stylesheets, in the generator element of your feeds, and in the readme.html file shipped in the site root, so treat this as a first step rather than a complete fix.
remove_action( 'wp_head', 'wp_generator' );
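To see why removing the generator tag is only a first step, here is a small checker, added as an example and not code from the original post, that scans a page or feed for each place WordPress prints its version. The HTML and feed fragments are constructed samples shaped like WordPress output (generator meta tag, ?ver= on core assets, feed generator element); the hostname example.test and the version numbers are made up.

```python
"""Check where a WordPress page still leaks its version.

Added example, not code from the original post. The HTML and feed below
are constructed samples shaped like what WordPress emits: the generator
meta tag, ?ver= query strings on core assets, and the feed <generator>.
"""
import re

# Each pattern captures a version string from one leak source.
LEAK_PATTERNS = {
    # <meta name="generator" content="WordPress 6.4.2" />  (what wp_generator prints)
    "meta generator": re.compile(
        r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)', re.I),
    # Core scripts/styles under wp-includes or wp-admin get ?ver=<WordPress version>.
    # Bundled libraries such as jQuery carry their own version, so expect some noise.
    "core asset ?ver=": re.compile(r'/wp-(?:includes|admin)/[^"\'\s>]+\?ver=([\d.]+)'),
    # RSS/Atom feeds: <generator>https://wordpress.org/?v=6.4.2</generator>
    "feed generator": re.compile(
        r'<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>', re.I),
}


def find_version_leaks(text: str) -> dict[str, list[str]]:
    """Return {source: sorted unique versions} for every source that matched."""
    found = {}
    for source, pattern in LEAK_PATTERNS.items():
        versions = sorted(set(pattern.findall(text)))
        if versions:
            found[source] = versions
    return found


# Constructed sample: a page that still prints the generator tag.
SAMPLE_PAGE = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://example.test/wp-includes/css/dist/block-library/style.min.css?ver=6.4.2" />
<script src="https://example.test/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="https://example.test/wp-content/plugins/some-plugin/app.js?ver=1.2.0"></script>
</head><body></body></html>"""

# The same page after remove_action('wp_head', 'wp_generator'): tag gone, ?ver= still there.
HARDENED_PAGE = SAMPLE_PAGE.replace('<meta name="generator" content="WordPress 6.4.2" />\n', "")

# Constructed feed fragment.
SAMPLE_FEED = "<rss><channel><generator>https://wordpress.org/?v=6.4.2</generator></channel></rss>"


if __name__ == "__main__":
    for name, doc in (("page", SAMPLE_PAGE), ("hardened page", HARDENED_PAGE), ("feed", SAMPLE_FEED)):
        print(name, find_version_leaks(doc))
```

Running it against the hardened sample shows the meta tag gone but the core stylesheet still reporting 6.4.2. On the WordPress side, both the head generator tag and the feed generator pass through the the_generator filter, so returning an empty string from that filter covers both; the ?ver= strings are normally stripped with filters on script_loader_src and style_loader_src; readme.html in the site root is best blocked or deleted.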
Change WordPress Table Prefix
By default the WordPress table prefix is 'wp_'. Changing it is a modest obscurity measure: it only gets in the way of automated SQL injection payloads that hard-code the default table names, and it is no substitute for the updates and strong passwords above. It is also one of the more complex steps in this tutorial if you are new to phpMyAdmin, but I will walk you through it, no worries. Just make sure you follow the steps carefully.
- Deactivate all your WordPress plugins.
- Log in to your cPanel.
- Make a complete backup of your blog database, and keep it until you have confirmed the site works afterwards.
- Once you have taken the backup and downloaded the .sql file, open it with a text editor; my personal favorite is Notepad++.
- Find the instances of 'wp_' and replace them with a complex table prefix, e.g. 'rer349jt_' (don't use this one, it is just an example), then save the file. Be careful with a blanket find-and-replace. The prefix must be changed where it appears as data, not only in table names: the wp_user_roles option and the wp_capabilities and wp_user_level user meta keys carry it, and if they keep the old prefix no user will have a role after the change. But 'wp_' can also appear inside post content and inside serialized option values, where changing the length of a string corrupts the value, so check each match before replacing it.
- Go back to phpMyAdmin and drop all the tables in the database. Make sure you do not delete the database itself; you need to drop only the tables within it.
- Now that the database is empty, use the Import option to import the new .sql file in which you replaced 'wp_' with your preferred prefix.
- After the import is complete you need to edit one last file, wp-config.php; if you skip this step your blog will not work. Open the file and look for the line
$table_prefix = 'wp_';
and replace 'wp_' with your new table prefix. Don't forget to save the file.
- If you have done all the above steps correctly, your table prefix has changed and you will be able to log in to your blog. Reactivate your plugins afterwards.
Note: if all the widgets appear to be broken, simply add a new dummy widget to your sidebar, reload the page, and remove it once the page loads properly.
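The find-and-replace step is where this procedure usually goes wrong, so here is the whole dump-and-config rewrite as a script, added here as an example and not code from the original post. It renames only backtick-quoted table identifiers and the prefixed option_name / meta_key values in the options and usermeta tables, leaving post content untouched, and then updates the $table_prefix line in wp-config.php. It assumes a mysqldump or phpMyAdmin export (table names backtick-quoted) with the default 'wp_' prefix; the dump and config fragments below are constructed samples, and 'rer349jt_' is just the example prefix from the text.

```python
"""Change the WordPress table prefix in a database dump and in wp-config.php
without a blind find-and-replace of every 'wp_'.

Added example, not code from the original post. It assumes a mysqldump or
phpMyAdmin export in which table names are backtick-quoted and the current
prefix is 'wp_'. The dump and config below are constructed samples.
"""
import re

OLD_PREFIX = "wp_"
# These tables store the prefix inside a key column (option_name / meta_key):
# wp_user_roles in options, wp_capabilities and wp_user_level in usermeta.
# If those are not renamed too, no user keeps a role after the change.
KEYED_TABLES = ("options", "usermeta")


def validate_prefix(prefix: str) -> None:
    """WordPress refuses a prefix containing anything but letters, digits and '_'."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError(f"bad table prefix {prefix!r}: only [A-Za-z0-9_] allowed")


def rename_dump(sql: str, new_prefix: str) -> str:
    """Rewrite table identifiers and the prefixed option/meta keys; leave content alone."""
    validate_prefix(new_prefix)
    ident_re = re.compile(r"`" + re.escape(OLD_PREFIX) + r"(\w+)`")          # `wp_posts`
    key_re = re.compile(r"(?<!\\)'" + re.escape(OLD_PREFIX) + r"([\w-]*)'")  # 'wp_capabilities'
    insert_heads = tuple(f"INSERT INTO `{new_prefix}{t}`" for t in KEYED_TABLES)
    out, in_keyed_insert = [], False
    for line in sql.splitlines(keepends=True):
        # 1. Backtick-quoted identifiers: CREATE TABLE, INSERT INTO, DROP TABLE, LOCK TABLES ...
        line = ident_re.sub(lambda m: f"`{new_prefix}{m.group(1)}`", line)
        # 2. Quoted 'wp_...' strings, but only within INSERT statements for the keyed
        #    tables (phpMyAdmin spreads one INSERT over several lines, so track state).
        if line.startswith(insert_heads):
            in_keyed_insert = True
        if in_keyed_insert:
            line = key_re.sub(lambda m: f"'{new_prefix}{m.group(1)}'", line)
            if line.rstrip().endswith(";"):
                in_keyed_insert = False
        out.append(line)
    return "".join(out)


def rename_config(wp_config: str, new_prefix: str) -> str:
    """Update the single $table_prefix = 'wp_'; line in wp-config.php."""
    validate_prefix(new_prefix)
    line_re = re.compile(
        r"^(\s*\$table_prefix\s*=\s*)(['\"])" + re.escape(OLD_PREFIX) + r"\2\s*;", re.M)
    new_text, count = line_re.subn(
        lambda m: f"{m.group(1)}{m.group(2)}{new_prefix}{m.group(2)};", wp_config)
    if count != 1:
        raise ValueError(f"expected one $table_prefix = 'wp_'; line, found {count}")
    return new_text


# Constructed sample dump: phpMyAdmin-style multi-line INSERT for options,
# single-line INSERT for usermeta, and a post whose content mentions wp_.
SAMPLE_DUMP = r"""DROP TABLE IF EXISTS `wp_options`;
CREATE TABLE `wp_options` (
  `option_id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `option_name` varchar(191) NOT NULL DEFAULT '',
  `option_value` longtext NOT NULL,
  `autoload` varchar(20) NOT NULL DEFAULT 'yes',
  PRIMARY KEY (`option_id`)
);
INSERT INTO `wp_options` (`option_id`, `option_name`, `option_value`, `autoload`) VALUES
(1, 'siteurl', 'https://example.test', 'yes'),
(2, 'wp_user_roles', 'a:1:{s:13:\"administrator\";a:1:{s:4:\"name\";s:13:\"Administrator\";}}', 'yes');
INSERT INTO `wp_usermeta` VALUES (1,1,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}'),(2,1,'wp_user_level','10');
INSERT INTO `wp_posts` VALUES (1,1,'wp_ is the default prefix, see wp_enqueue_script()','publish');
"""

# Constructed wp-config.php fragment.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'blog' );
$table_prefix = 'wp_';
"""


if __name__ == "__main__":
    print(rename_dump(SAMPLE_DUMP, "rer349jt_"))
    print(rename_config(SAMPLE_CONFIG, "rer349jt_"))
```

In the output every table identifier and the wp_user_roles / wp_capabilities / wp_user_level keys carry the new prefix, while the post content still reads "wp_ is the default prefix". The one residual risk is an option_value or meta_value in those two tables that consists solely of a 'wp_...' string, which the key regex would also rename; diff the output against the original dump before importing it.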
Be careful when you upload something to your site
When you upload a script (for example a plugin, a theme or any other script) to your site you need to be extra careful, because it runs with the same privileges as WordPress itself and can harm your site if it was designed to do so. Only upload authentic content to your site. Never download a plugin or a theme from a warez, torrent or file-sharing site. The content on these sites can be disguised as a plugin or a theme but will harm your site once uploaded to your server.