How to Secure a WordPress Website


To secure your WordPress website from hackers and avoid website vulnerabilities, the WordPress files need special attention during installation. Preventing directory listing with the .htaccess file, changing your WordPress password regularly and restricting direct access to the WordPress core files are small but very important aspects of WordPress security. We discussed the ways in which your WordPress site can be exposed to security threats in the post How to Hack WordPress Site using SQL Injection, with the clear intention of warning you about the risks of being unaware of hacking techniques.

However, it is better to also know how to secure your WordPress website from such attacks. I am therefore listing here a few precautionary measures to help you stay vigilant and keep your WordPress website safe.

Keep your WordPress Password Strong

Let's start with the easiest strategy, which most of us know but still neglect: keep your passwords really strong and therefore hard to crack. It is a common habit to choose passwords that are easy to remember, such as your name, phone number or date of birth, but that can be the biggest gateway for hackers into your site. A good password must be at least eight characters long and include upper and lower case letters, numbers and special symbols. You can easily check the complexity of your password here to find out how safe it is and keep your WordPress website secure.

To keep your online presence safe, always set a unique password for every account. Otherwise, access to one account can be the key to all the rest. Use a password manager such as KeePass to safeguard all your passwords.

“admin” Username is Not Safe Anymore

WordPress gives full administrator rights to the default username "admin", and since the login page of every WordPress website is wp-login.php appended to the domain name, it is not hard to find out whether a site runs on WordPress, which is a risk to its security. So once an attacker reaches this page, half of the work is already done: all that remains is to find your password. For the security of your WordPress site it is therefore essential to change the default username. To do this, log in to your admin area, go to Users → Add New, create a new user and assign it the Administrator role. Then log out of your current admin account, log in as the new user and delete the previous admin account.

Change Database Prefixes to Secure One instead of just “WP_”

WordPress has a common setup wizard during installation in which the database prefix is set to wp_ by default. Attackers therefore already know something about your database table names. To remove this hint completely you should enter a different, more complex prefix while setting up WordPress.

You can also do this by changing the prefix in the $table_prefix = 'wp_'; line of the wp-config-sample.php file and renaming the file to wp-config.php.

Block Suspicious IPs

Your site too can be the victim of a cyber attack, so stay vigilant and use a monitoring tool to keep watch over your visitors' activity. Block suspicious activity immediately when you find it. A tried and tested plugin that I use for the security of my WordPress websites and blogs is Best WP Security, which is a simple way to block IPs individually or by range.

Set Limit to Login Attempts in WordPress Website

Hackers commonly use brute-force attacks, repeatedly trying possible passwords against your login page to get into the website. The time it takes them to succeed depends on the complexity and length of your password. To protect your WordPress website from such attacks you can limit the number of login attempts from a particular IP. Limit Login Attempts is a popular plugin for this purpose; it blocks a series of failed login attempts. The admin sets the number of attempts after which the plugin blocks further login requests.

Keep WordPress Site Updated to Latest Version

WordPress periodically releases newer versions, and it is strongly recommended to keep your WordPress up to date. These releases contain new features, bug fixes and security patches. A notification appears on your WordPress dashboard with every release. The security of your WordPress website depends heavily on that single click, which upgrades WordPress and gives you the latest security patches, which are not available for older versions.

Secure .htaccess and config.php Files

Ensure that your website's two most vital and confidential files, .htaccess (which controls the directory it is placed in and all its subdirectories) and config.php (which configures the database connection and affects performance and security), are protected properly and have restricted access.
Use the code below in the .htaccess file itself to protect it from unauthorized access:

Similarly, the code to secure the config.php file can be put at the top of the .htaccess file:

Prevent Directory Listing using .htaccess for WordPress Security

Ensure that directory listing is disabled, so that visitors cannot view the contents of your directories and all their subdirectories. Place the following code in your .htaccess file to prevent directory listing.
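The three .htaccess snippets referred to in the sections above are not reproduced on this page, so here is an added example (not the post's own code) of the directives they describe: denying web access to .htaccess itself, denying web access to wp-config.php (the file the post calls config.php), and switching off directory indexes. It assumes Apache with AllowOverride enabled for the WordPress document root; the Apache 2.2 form is included under an IfModule test for hosts that have not moved to 2.4.

```apache
# Added example: place in the .htaccess at the WordPress root.

# Deny direct web access to .htaccess itself.
<Files .htaccess>
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order deny,allow
        Deny from all
    </IfModule>
</Files>

# Deny direct web access to wp-config.php (database credentials and secret keys).
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>

# Disable automatic directory indexes: a folder without an index file now
# returns 403 Forbidden instead of listing its contents.
Options -Indexes
```

To confirm the rules took effect, request https://your-site.example/wp-config.php and https://your-site.example/wp-content/uploads/ (placeholder host) from a browser or with curl and check that both answer 403. If the Options line instead produces a 500 error, the host's AllowOverride setting does not permit Options in .htaccess and the directive has to go into the server or virtual-host configuration.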

Hide WordPress Version Using remove_action

The WordPress version shown on your website can point an attacker to the known security issues of that version. It is therefore a good idea to remove the generator meta tag from your WordPress pages. This can be done by adding the line below to your theme's functions.php file:
remove_action('wp_head', 'wp_generator');

Modify Default Secret Keys in wp-config.php File

The wp-config.php file, located in your WordPress root directory, contains confidential details of your website. It includes a set of secret keys whose default values should be changed to improve the security of your WordPress website.

Replace these phrases with long, random and unique values. You can also use the tool provided by WordPress to generate these random values.

Change File Permissions

File permissions are vital for the security of your WordPress website, and granting write permission on files can be a major security threat, especially in a shared hosting environment. For that reason you should restrict file permissions and, whenever possible, create a single less restricted folder for purposes such as file uploads.

You can use the below given command to control file permissions of your websites:

For Directories:

For Files:

755 and 644 are the default permissions for folders and files. The 755 value leaves everyone except you (the owner) with read-only access. But never set a 777 permission, which makes the file "world-writable".
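The chmod commands the section above refers to are missing from this page, so here is an added example (not the post's own) that applies the recommended defaults, 755 to every directory and 644 to every file under a WordPress root, and then counts anything still writable by "other", which is the 777 case the post warns against. The path argument is a placeholder you supply; it runs with a POSIX sh and find.

```sh
#!/bin/sh
# Added example: reset a WordPress tree to 755 (dirs) / 644 (files) and
# report leftover world-writable entries. WORDPRESS_ROOT is a placeholder.

harden_permissions() {
    root="$1"
    # Directories: owner may write, everyone else may only read and traverse.
    find "$root" -type d -exec chmod 755 {} +
    # Files: owner may write, everyone else may only read.
    find "$root" -type f -exec chmod 644 {} +
}

# Number of entries under the root that are still writable by "other"
# (mode bit 002). Expected to print 0 after harden_permissions.
world_writable_count() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Usage: sh harden.sh /path/to/wordpress   (placeholder path)
if [ "$#" -eq 1 ]; then
    harden_permissions "$1"
    echo "world-writable entries left: $(world_writable_count "$1")"
fi
```

Run world_writable_count on its own first to see how many files a previous 777 left exposed; on shared hosting, anything world-writable can be modified by any other account on the same server. The uploads folder the post mentions can be relaxed afterwards on its own if the web server user needs to write there.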

Disable File Editing

The highly user-friendly WordPress dashboard lets administrators edit PHP files, plugin code and theme files from the admin panel itself. While this makes WordPress easy to use, it also gives an attacker who gets into the dashboard a way to run malicious code from there. It is therefore wise to disable this feature, and prevent at least some attacks, by adding the following code to the wp-config.php file.
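Neither the secret-key lines nor the file-editing constant is shown on this page, so here is an added wp-config.php fragment (not the post's own code) that covers both sections: the eight secret keys and salts that WordPress defines, with placeholder values to be replaced, and the DISALLOW_FILE_EDIT constant that removes the theme and plugin editors from the dashboard. The key values are placeholders; real ones come from the WordPress generator at https://api.wordpress.org/secret-key/1.1/salt/.

```php
<?php
// Added example: lines belonging in wp-config.php. Every value marked
// REPLACE-... is a placeholder; paste the output of the WordPress secret-key
// generator instead and never reuse the same values on two sites.
define('AUTH_KEY',         'REPLACE-WITH-A-LONG-RANDOM-VALUE-1');
define('SECURE_AUTH_KEY',  'REPLACE-WITH-A-LONG-RANDOM-VALUE-2');
define('LOGGED_IN_KEY',    'REPLACE-WITH-A-LONG-RANDOM-VALUE-3');
define('NONCE_KEY',        'REPLACE-WITH-A-LONG-RANDOM-VALUE-4');
define('AUTH_SALT',        'REPLACE-WITH-A-LONG-RANDOM-VALUE-5');
define('SECURE_AUTH_SALT', 'REPLACE-WITH-A-LONG-RANDOM-VALUE-6');
define('LOGGED_IN_SALT',   'REPLACE-WITH-A-LONG-RANDOM-VALUE-7');
define('NONCE_SALT',       'REPLACE-WITH-A-LONG-RANDOM-VALUE-8');

// Remove the Appearance > Editor and Plugins > Editor screens so that an
// attacker who obtains an administrator session cannot write PHP from the
// dashboard. Files are still editable over SFTP or the shell.
define('DISALLOW_FILE_EDIT', true);
```

Changing the keys and salts invalidates every existing login cookie, so all users, including you, are logged out and must sign in again; that is also why rotating them is a useful first step after a suspected compromise.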

Protect wp-includes Directory

Sometimes even a small loophole in the WordPress installation can lead attackers to the wp-includes directory, where they may be able to execute malicious code. To secure your WordPress website you need to protect this directory. Block direct requests to the scripts in wp-includes by placing mod_rewrite rules in .htaccess outside the # BEGIN WordPress and # END WordPress markers, so that WordPress does not overwrite them.

To allow the code to work with multisite, drop

which offers slightly less security, but otherwise that rule would prevent the ms-files.php file from generating images.
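The mod_rewrite block and the multisite line the section above refers to are not reproduced on this page, so here is an added example (not the post's own code) of the rules it describes. It assumes Apache with mod_rewrite enabled and WordPress installed at the site root (RewriteBase /); adjust RewriteBase if WordPress lives in a subdirectory.

```apache
# Added example: put this ABOVE the "# BEGIN WordPress" marker in the root
# .htaccess. WordPress rewrites everything between the BEGIN and END markers
# whenever permalinks are saved, so rules inside them would be lost.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    # Nothing under wp-admin/includes is meant to be requested directly.
    RewriteRule ^wp-admin/includes/ - [F,L]
    # For any request NOT under wp-includes/, skip the next three rules.
    RewriteRule !^wp-includes/ - [S=3]
    # Forbid direct requests to PHP files in the top level of wp-includes.
    # On a multisite install, delete this one line: it would also block
    # ms-files.php, which serves uploaded images for the network sites.
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```

To check the result, request https://your-site.example/wp-includes/version.php (placeholder host) and confirm the server answers 403, while the site's normal pages still load; a 500 error means mod_rewrite is unavailable or .htaccess overrides are disabled on that host.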

Backup WordPress Files and Database

Lastly, a regular backup of your WordPress site is one of the most important security measures for the worst case, when your website is hacked. If you have a backup, you can sit back and restore your site without much panic. Backups can be stored on either a remote server or a local system. You can use free WordPress plugins such as BackWPup for this purpose.

Do not rely solely on the backups offered by your hosting provider; they might not be WordPress-specific, may not be scheduled properly, or may fail in an emergency.


Flipper Code

We have been building WordPress plugins at Flipper Code since 2008. We follow the WordPress coding standards, which ensures we deliver excellent WordPress plugins and services.
