WordPress is the world’s most popular content management system and powers close to a third of all websites. These two facts make it a favorite target for hackers trying to access website files and data, with reports indicating thousands of attacks being launched per minute. WordPress itself is considered quite secure, but this hasn’t stopped hackers and malware from trying to access even secure sites.
It’s therefore important that you take the necessary measures to secure your WordPress site. This WordPress Security Measures guide will teach you beginner and advanced techniques to make your site more secure.
WordPress Security Measures to Take During Installation
Securing your WordPress website begins right before you install the CMS on your preferred host’s servers. Some of the things to do include:
Ensuring that your computer is secure
Hackers and malware use a variety of techniques to gain access to your website. A common way involves infecting unprotected computers, which can then be used to spread viruses and malware to WordPress installations accessed through the computer. It’s therefore important that you only install WordPress from a computer that has up-to-date antivirus software.
You should also ensure that you’re accessing your host’s servers through a secure internet connection and that any files transferred from your computer to the server are sent over SSH or SFTP.
I recommend that you don’t use free web hosting, because most spam sites are hosted on this type of hosting account. This will create unnecessary problems for your online business.
Try out our recommended hosting provider, SiteGround. The SiteGround servers are highly secured with 24×7 security monitoring, which helps customers get hack-free servers at a low price.
Create a custom username and password during installation
Early WordPress versions came with a default admin username. If you didn’t change this during installation, hackers found it quite easy to access your site’s files, since all they needed to do was guess the correct password. Today WordPress requires you to create a custom username and password during installation. Every WordPress security tutorial you’ll come across will advise you to use this functionality to come up with hard-to-guess usernames and passwords, which make it difficult for hackers to mount a brute force attack on your website.
Security measures to take immediately after installation
Your WordPress website is now fully installed. But before adding any content, installing plugins and widgets, you should take extra measures to protect it against security threats. Here are some of the things you can do.
Change the default wp_ database prefix
Once installed, all your WordPress files are stored in a database whose tables contain a wp_ prefix. This makes it one of the prime targets for hackers using SQL injection attacks. Changing this prefix to something more unique makes it harder for hackers and malware to predict where your WordPress files are stored. Before making any changes, it’s advisable to first back up your entire website.
Making these changes will require that you write some code and queries. First, you’ll need to change the $table_prefix = 'wp_'; value inside the wp-config.php file to something different. You’ll also need to rename all tables that carry the wp_ prefix so that they use your preferred prefix. This can be done through the phpMyAdmin interface.
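As an added example (not part of the original guide), the shell function below prints the SQL for the prefix change described above so it can be reviewed and then pasted into phpMyAdmin. The new prefix site7x_ is a made-up placeholder, and the script assumes a single-site install with only the 12 core tables; the two UPDATE statements are there because WordPress also embeds the prefix in one option name and in per-user meta keys.

```shell
#!/bin/sh
# Added example: prints the SQL for a table-prefix change. It does not
# connect to any database; review the output before running it.
# Covers the 12 core single-site tables only (plugin tables are not listed).
CORE_TABLES="commentmeta comments links options postmeta posts termmeta
terms term_relationships term_taxonomy usermeta users"

# A prefix ends up inside table names, so accept only [A-Za-z0-9_]
# and require the trailing underscore.
valid_prefix() {
    case $1 in
        ""|*[!A-Za-z0-9_]*) return 1 ;;
        *_) return 0 ;;
        *) return 1 ;;
    esac
}

gen_prefix_sql() (
    old=$1 new=$2
    valid_prefix "$old" && valid_prefix "$new" && [ "$old" != "$new" ] ||
        { echo "usage: gen_prefix_sql OLD_ NEW_" >&2; exit 1; }
    for t in $CORE_TABLES; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    # The roles option and the per-user capability keys carry the prefix in
    # their names; WordPress looks them up under the new prefix afterwards.
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles'" "$new" "$new"
    printf " WHERE option_name = '%suser_roles';\n" "$old"
    # Matches every meta_key that starts with the old prefix: check the
    # affected rows first if plugins store keys that begin the same way.
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s'," "$new" "$new"
    printf " SUBSTRING(meta_key, %d)) WHERE LEFT(meta_key, %d) = '%s';\n" \
        "$((${#old} + 1))" "${#old}" "$old"
)

# Constructed sample run: default prefix to the placeholder "site7x_"
gen_prefix_sql wp_ site7x_
```

Change $table_prefix in wp-config.php in the same maintenance window, because the site cannot find its tables while the two disagree.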
Restrict access to your admin dashboard
Restricting access to your website’s admin dashboard will help to minimize the risk of a successful brute force attack. There are several ways to do this.
1. Restricting Access to a specific number of static or dynamic IP addresses
This method requires that you add specific lines of code within the .htaccess file. This tactic ensures that the admin login page can only be accessed from specific IP addresses. Any attempts to access the page from a different IP address will redirect the user to an error page.
2. Adding a Security Question to the Admin Login Page
If you’d rather not risk breaking your website by altering code, you can opt to add an extra verification step to the admin login page. This will require installation of a plugin which asks a specific security question before the user is allowed to log in.
3. Password Protecting the wp-admin Directory
If your web host uses cPanel, you can easily add an additional security layer to your admin login page through password protection. Simply scroll down to the security tab on your cPanel dashboard and click on the Password Protect Directories option. Once there, find the /wp-admin/ folder within the directory where your WordPress site is hosted. Clicking on this folder produces a popup screen where you’ll need to add the name and password needed to gain access to the wp-admin page from a browser.
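For method 1 above, one way to write the .htaccess lines, shown as an added example that is not from the original guide: the function validates each address and then replaces its own marked block, so re-running it never stacks rules. It assumes Apache 2.4 (Require ip from mod_authz_host); the BEGIN/END marker names are hypothetical and the addresses in the usage line are documentation placeholders.

```shell
#!/bin/sh
# Added example: allow_login_ips HTACCESS IP... limits wp-login.php to the
# listed IPv4 addresses. Assumes Apache 2.4 ("Require ip", mod_authz_host);
# every other client receives 403 Forbidden.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

allow_login_ips() (
    file=$1
    # An empty list would lock everyone out, so refuse it
    [ "$#" -ge 2 ] || { echo "need a file and at least one IP" >&2; exit 1; }
    shift
    # Validate everything before touching the file
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; exit 1; }
    done
    tmp=$(mktemp)
    # Drop a block written by an earlier run, keep all other directives
    if [ -f "$file" ]; then
        sed '/^# BEGIN login-allowlist$/,/^# END login-allowlist$/d' \
            "$file" > "$tmp"
    fi
    {
        echo '# BEGIN login-allowlist'
        echo '<Files "wp-login.php">'
        echo "    Require ip $*"
        echo '</Files>'
        echo '# END login-allowlist'
    } >> "$tmp"
    cat "$tmp" > "$file"   # keeps the mode and owner of an existing file
    rm -f "$tmp"
)

# Usage: sh allow_login_ips.sh /path/to/.htaccess 203.0.113.10
if [ "$#" -ge 2 ]; then allow_login_ips "$@"; fi
```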
Prevent directory browsing
Hackers can easily access your WordPress website’s directories and folders by simply typing their path in their browser. Knowing where a specific file is located makes it much easier for hackers to gain access to it. Preventing directory browsing is therefore one of the important security measures you should take immediately after installing WordPress.
Luckily, it doesn’t involve a complex process. All that you’ll need to add is the line Options -Indexes inside the .htaccess file.
Delete unwanted files
Once you’ve installed WordPress, some files can be safely deleted. These include /wp-admin/install.php, readme.html and wp-config-sample.php. The readme.html file in particular needs to be deleted since it provides information regarding the WordPress version you’re using. Hackers often use this information to target specific vulnerabilities associated with specific WordPress versions.
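The post-install steps in this section can be checked in one pass. The read-only audit below is an added example, not part of the original guide; it assumes wp-config.php and .htaccess sit in the WordPress root directory passed as the argument.

```shell
#!/bin/sh
# Added example: audit_wp DIR prints one finding per line and returns 1
# if any of the checks from this section fails. It only reads files.
audit_wp() (
    root=$1
    found=0
    note() { echo "$1"; found=1; }

    # Installer, version-disclosing readme and sample config left behind
    for f in wp-admin/install.php readme.html wp-config-sample.php; do
        if [ -e "$root/$f" ]; then note "leftover file: $f"; fi
    done

    # Directory listing: expect an Options line that carries -Indexes
    if ! grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' \
            "$root/.htaccess" 2>/dev/null; then
        note "directory listing not disabled in .htaccess"
    fi

    # Default table prefix; each "." stands for the quote character
    if grep -Eq '\$table_prefix[[:space:]]*=[[:space:]]*.wp_.[[:space:]]*;' \
            "$root/wp-config.php" 2>/dev/null; then
        note "default table prefix wp_ in wp-config.php"
    fi

    [ "$found" -eq 0 ]
)

# Usage: sh audit_wp.sh /path/to/wordpress  (exit status 1 = findings)
if [ "$#" -gt 0 ]; then audit_wp "$1"; fi
```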
Security measures to take once your website is live
WordPress website security is an ongoing process. Regardless of whether your website receives ten or millions of visitors per day, keeping it secure will protect not only your investment but also your site visitors. This WordPress Security Measures guide therefore includes the following ways to secure your website once it’s live.
Always update your WordPress website
Although WordPress is considered to be secure, vulnerabilities within the core are discovered every now and then. New WordPress versions are therefore released to address these vulnerabilities. Running an old WordPress version increases the chances that an attack on your website will be successful. Performing regular automatic or manual updates is therefore recommended if you’re to stay ahead of hackers.
Carefully research and test plugins, themes and scripts before installing them on your live website
Hackers often gain access to WordPress websites through vulnerabilities found in installed themes, plugins and scripts. Before installing anything on your WordPress site, it’s recommended that you first conduct research to find out if it’s considered safe. In addition, always test plugins, scripts and themes on a development environment before installing them on your live website.
Always Perform Regular Backups
No WordPress website is 100% secure. Regular backups ensure that you’ll always have a snapshot of your complete website in the event it’s hacked.
Today, cyber security is a major concern among website owners. If you own a WordPress website, protecting it against security threats like hackers and malware should be one of your priorities. As you’ve seen from this WordPress Security Measures guide, securing your WordPress site is a continuing process that begins right before installing the CMS. Hopefully, by applying the mentioned strategies, you’re now in a position to keep your site and its visitors safe.