
11 Quick Tips: Securing Your WordPress Site


WordPress is the most widely used open-source platform today for any type of website, whether a blog, a CMS or a custom solution. WordPress is built on PHP (among other languages), so as a PHP developer I always make sure to apply a set of tips to secure and speed up the WordPress sites I develop. In this WordPress tutorial you will find tips and tricks for securing and optimizing your WordPress blog.

This section covers tips for securing your WordPress site, including protecting files, restricting logins, restricting the WordPress admin area and protecting the database.


Security Tip 1: Stay Updated

The most important tip for securing a self-hosted WordPress site is also the most obvious: WordPress ships updates with security fixes all the time. When you see the update notification in the admin panel, don't ignore it! Updating is the single most effective way to protect your site from attacks, and yet many people leave their sites (and their clients' sites) un-updated for fear of breaking their themes and/or plugins.

Here's the real tip though: if your themes and plugins don't work with the latest version of WordPress, they probably weren't all that secure to begin with ;)


Security Tip 2: Create Custom Secret Keys for Your wp-config.php File

All of the confidential details for your WordPress site are stored in the wp-config.php file in your WordPress root directory. The secret keys are one of the pieces of information stored in that file; WordPress uses them to sign its authentication cookies, so anyone who knows them can forge a login. Make sure you change the default secret keys to something else.

If you are not sure what to put in place of the default values, go to this link and it will generate random keys for you.
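If you would rather not fetch the keys from an online generator (for example on a machine without internet access), the following added example, which is not part of the original article, produces the eight define() lines that wp-config.php expects using PHP's CSPRNG. The script name and the 64-character length are assumptions; the eight constant names are the ones WordPress actually uses.

```php
<?php
// Added example (not from the original article): generate the eight WordPress
// secret keys/salts locally instead of fetching them from the online generator.
// Usage: php gen-keys.php  (then paste the output into wp-config.php,
// replacing the existing define() lines for these constants).

const EXAMPLE_SECRET_KEY_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

/**
 * Return one key drawn from the printable ASCII range (0x21-0x7E) using the
 * CSPRNG behind random_int(). Single quotes and backslashes are excluded so
 * the value can be pasted into a single-quoted PHP string without escaping.
 */
function example_generate_secret_key(int $length = 64): string {
    $alphabet = '';
    for ($c = 33; $c <= 126; $c++) {
        $ch = chr($c);
        if ($ch !== "'" && $ch !== '\\') {
            $alphabet .= $ch;
        }
    }
    $max = strlen($alphabet) - 1;
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $alphabet[random_int(0, $max)];
    }
    return $key;
}

/** Build the define() lines in the form they appear in wp-config.php. */
function example_secret_key_defines(): string {
    $out = '';
    foreach (EXAMPLE_SECRET_KEY_NAMES as $name) {
        $out .= sprintf("define('%s', '%s');\n", $name, example_generate_secret_key());
    }
    return $out;
}

echo example_secret_key_defines();
```

Each run produces a fresh set of keys; changing them on a live site invalidates every existing login cookie, which is also the quickest way to force all users to re-authenticate if you suspect the keys have leaked.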


Security Tip 3: Change the Database Prefix

A lot of the basic setup for WordPress is the same across many sites, especially if you use a one-step install wizard through your web host. This is convenient, but as a result common setup values such as your database prefix are well known to attackers. If you don't change the database prefix, the table names of your site's database are easy to guess for anyone trying to break into your site. The prefix is set by the $table_prefix variable in wp-config.php; it is simplest to change it before installation, since renaming the tables afterwards also requires updating the prefixed option and user-meta rows that reference the old prefix.


Security Tip 4: Protect Your wp-config.php File

As mentioned earlier, the wp-config.php file contains all the confidential details of your site, so it is important that you protect it. An easy way to protect this file is to place the following code in the .htaccess file on your server. The directives shown use the Apache 2.2 access-control syntax; on Apache 2.4 the equivalent inside the same Files block is the single directive Require all denied.

<Files wp-config.php>
   order allow,deny
   deny from all
</Files>

Security Tip 5: Protect Your .htaccess File

We can protect the wp-config.php file as shown above, but what about protecting the .htaccess file itself? The same .htaccess file can be used to block access to itself. Just place the code below in your .htaccess file.

<Files .htaccess>
   order allow,deny
   deny from all
</Files>

Security Tip 6: Hide Your WordPress Version

Another good idea is to remove the generator meta tag that WordPress adds to your pages. This tag reveals the version of your WordPress installation, and if it is visible, attackers know which known vulnerabilities your site may still have. If you absolutely cannot update your WordPress version (tip #1), this is a good fail-safe that at least hides the fact that you're not on the most current version. Keep in mind that the version can still be inferred from other files (such as readme.html) and from the ?ver= query strings on core scripts and styles, so this only raises the bar rather than removing the risk.

To do this, place the code below in the functions.php file of your active theme.

remove_action('wp_head', 'wp_generator');

You can go one step further and additionally remove it from RSS feeds using this:

function wpt_remove_version() {
   return '';
}
add_filter('the_generator', 'wpt_remove_version');
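The two snippets above cover the head meta tag and the feed generator element, but WordPress also appends its version as a ?ver= query string to every core script and stylesheet it enqueues. The following added example, which is not the article's code, combines both removals with a filter that strips that query string only when it equals the core version, so plugin and theme assets keep their own cache-busting versions. The function name is an assumption; remove_action, add_filter, __return_empty_string, remove_query_arg and the style_loader_src/script_loader_src filters are standard WordPress APIs.

```php
<?php
// Added example (not the article's code): hide the WordPress version in the
// generator meta tag, in feeds, and in the ?ver= query string on core assets.
// Place in the active theme's functions.php or in a small site plugin.

// 1. Remove <meta name="generator" ...> from the document head.
remove_action('wp_head', 'wp_generator');

// 2. Blank the <generator> element in RSS/Atom feeds (and any other
//    place that calls the_generator()).
add_filter('the_generator', '__return_empty_string');

// 3. Drop the ?ver= argument from enqueued assets, but only when it is the
//    core version, so plugin/theme assets keep their own cache busting.
function example_strip_core_version_query(string $src): string {
    global $wp_version;

    $query = parse_url($src, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return $src; // no query string at all
    }

    parse_str($query, $args);
    if (isset($args['ver']) && $args['ver'] === $wp_version) {
        return remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'example_strip_core_version_query');
add_filter('script_loader_src', 'example_strip_core_version_query');
```

After enabling this, verify with a fetch of the home page that neither the generator tag nor a ?ver= matching your core version appears in the HTML; assets that carried the core version will now be cached by URL alone, so clear any page or CDN cache when you next update WordPress.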

Security Tip 7: Install WordPress Security Scan Plugin

This is a useful plugin that scans your WordPress installation and makes suggestions accordingly. It checks the following:

  • Passwords
  • File Permissions
  • Database Security
  • WordPress Admin protection

Download the plugin from here.

There are other security scanners as well; for instance, VaultPress (mentioned below) does this as part of a much bigger package of security services.


Security Tip 8: Limit The Number of Failed Login Attempts

This handy plugin limits the number of failed login attempts, which is useful when someone is trying to guess your password, whether by hand or with a bot.

You can download the plugin from here.
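To show what such a plugin does under the hood, here is an added example, not the plugin's own code, of a minimal failed-login limiter built on standard WordPress hooks and transients. The threshold, lockout length, function names and the choice to key the counter on the client IP are all assumptions; wp_login_failed, authenticate, wp_login and the transient API are real WordPress APIs.

```php
<?php
// Added example (not the article's plugin): count failed logins per client
// address with WordPress transients and refuse authentication once the
// threshold is reached. Drop into a site plugin or the theme's functions.php.

const EXAMPLE_LOGIN_MAX_ATTEMPTS    = 5;    // failures allowed per window (assumed)
const EXAMPLE_LOGIN_LOCKOUT_SECONDS = 900;  // 15-minute lockout (assumed)

/** Client address used to key the counter. Behind a reverse proxy, replace
 *  this with the forwarded-for header that the proxy is known to set. */
function example_login_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? 'unknown';
}

function example_login_transient_key(): string {
    return 'example_failed_login_' . md5(example_login_client_ip());
}

/** Count a failure. set_transient() restarts the expiry on every call, so
 *  the lockout window slides while attempts keep coming. */
function example_record_failed_login(string $username): void {
    $key      = example_login_transient_key();
    $attempts = (int) get_transient($key) + 1;
    set_transient($key, $attempts, EXAMPLE_LOGIN_LOCKOUT_SECONDS);
    // Leave a trail for the server log / SIEM; never log the password.
    error_log(sprintf('Failed login for "%s" from %s (attempt %d)',
        $username, example_login_client_ip(), $attempts));
}
add_action('wp_login_failed', 'example_record_failed_login');

/** Refuse authentication while the lockout is active. Priority 30 runs after
 *  WordPress's own username/password check (priority 20). */
function example_block_locked_out($user, $username, $password) {
    $attempts = (int) get_transient(example_login_transient_key());
    if ($attempts >= EXAMPLE_LOGIN_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed login attempts. Try again in %d minutes.',
                EXAMPLE_LOGIN_LOCKOUT_SECONDS / 60)
        );
    }
    return $user;
}
add_filter('authenticate', 'example_block_locked_out', 30, 3);

/** Clear the counter after a successful login. */
function example_clear_failed_logins(string $user_login): void {
    delete_transient(example_login_transient_key());
}
add_action('wp_login', 'example_clear_failed_logins');
```

Because WordPress fires wp_login_failed for every rejected attempt, including those rejected by this limiter, hammering a locked-out address keeps extending the lockout. Note also that a limiter keyed on IP address does nothing against a guess spread across many addresses, which is why strong passwords (tip #10) remain essential.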


Security Tip 9: Ask Apache Password Protect

Here is one more good plugin, provided by AskApache, which gives you more control over your blog's security.

You can protect your site with HTTP authentication (the browser's 401 login prompt) in a few easy steps, all managed from the WordPress admin panel.

You can download this plugin from here.


Security Tip 10: Don't Use "admin" As Your Username (and Pick Strong Passwords)

This one's perhaps the easiest of them all. WordPress normally sets up your main admin account with the username "admin", so it's usually the first username that attackers try. As of version 3.0 you can change this during the initial setup, but it's easy to forget that you can go back and change it even if you set up your site before version 3.0. So pick a name other than admin ;)

Additionally, picking strong passwords for all of the users on your blog (and for your MySQL database) is a fundamental way to boost your security. Use the Strong Password Generator if you can't come up with one on your own.
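Renaming the account is a one-time fix; the following added example, which is not the article's code, makes the policy stick by rejecting "admin" and a few similar defaults at registration time and by reporting any existing account that still uses one. The blocked-name list and function names are assumptions; illegal_user_logins, get_users with login__in, admin_notices and current_user_can are standard WordPress APIs.

```php
<?php
// Added example (not the article's code): block default administrative
// usernames at registration and flag existing accounts that still use them.
// Place in a site plugin or the active theme's functions.php.

/** Names WordPress should refuse for new accounts (assumed list). */
function example_blocked_usernames(array $usernames): array {
    return array_merge($usernames, ['admin', 'administrator', 'root', 'test']);
}
add_filter('illegal_user_logins', 'example_blocked_usernames');

/** Return the logins of existing accounts that match the blocked list. */
function example_find_default_admin_accounts(): array {
    $blocked = apply_filters('illegal_user_logins', []);
    $users   = get_users([
        'login__in' => $blocked,
        'fields'    => ['user_login'],
    ]);
    return array_map(static fn($u) => $u->user_login, $users);
}

/** Show administrators a notice naming accounts that should be renamed. */
function example_default_admin_notice(): void {
    if (!current_user_can('manage_options')) {
        return;
    }
    $found = example_find_default_admin_accounts();
    if ($found === []) {
        return;
    }
    printf(
        '<div class="notice notice-warning"><p>%s</p></div>',
        esc_html('Rename these accounts, they use default usernames: '
            . implode(', ', $found))
    );
}
add_action('admin_notices', 'example_default_admin_notice');
```

WordPress does not let a user change their own login from the profile screen, so renaming an existing account means creating a new administrator with a different login, transferring the old account's content to it, and deleting the old one.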


Security Tip 11: Last but not Least, Backup!

I have placed backups last, but don't consider them any less important. Regular backups of your site will make you feel safer than anything else above. There are several plugins available for WordPress that manage backups for you.

Here are some free plugins for WordPress backup.

But if you are more serious about backing up your blog, you should go with a paid solution. The two biggest premium solutions out there right now are BackupBuddy and VaultPress.


Conclusion

There are many more tips and tricks beyond these, but I've tried to present the best "bang for your buck" tips for anyone just getting started with WordPress security. Be sure to check out our other WordPress security articles for more information, and share your thoughts below!
