WordPress Security matters? WordPress users are always on a threat of website or blog being hacked. The reason being, WordPress is an open source software and hosted on third party hosting services. Brute Force attacks are quite common and well known among the WordPress users.
But, thinking of it, will you stop using WordPress?
I am sure you said no. As WordPress has immense robust features which many simplify your blogging process and beautify it. So, no one can resist from it. Agreed?
Every product or tool has its pros and cons, so do WordPress. There are plenty of ways how you could secure your WordPress blog from hackers. Now, if you are not taking care of the security measures at all, sorry to say it would be your fault if the blog is getting hacked.
Intentionally or unintentionally, maybe after creating a blog you forget to apply some security to it, resulting blog hacked. Instead, cursing on your self later, it’s better to prevent WordPress hack now.
Makes sense? If it does let jump into and see some awesome WordPress security tips and tricks and create a shield out there around your blog.
- 1 Create a Site backup
- 2 Change Your WordPress Username
- 3 Change WordPress login URL
- 4 Don’t Ignore Lockdown feature
- 5 WordPress Regular updates
- 6 Remove WP version
- 7 Two-factor authentication(2FA)
- 8 Start using an SSL
- 9 Security plugin
- 10 Create Strong Passwords
- 11 Change Database Table Prefix
- 12 Don’t use Null themes and Plugins
- 13 Protect WP-config.php file
- 14 Disable Directory browsing via .htaccess
Create a Site backup
First things first, it is always advisable before making any changes to your website always make sure that you are taking a backup of your WordPress backup. For doing the same there are plenty of WordPress backup plugin out there you can make use of. Both free ones and paid are available, few of recommended ones are,
I assume you have installed one of the backup WordPress plugins and performed a backup. Now you are good to go with the next steps. I recommend one should schedule their backups after every post published. Or even after making any changes to the posts or to the blog database.
Change Your WordPress Username
While creating a blog, you will be having an option called username, which is used to login to your blog or website. Generally, most of the people keep it as default “admin” and forget to change later on.
Just assume how easy it could be to guess that for even a mediocre hackers. haha! Had a smile on your face.
You have to make it a unique one, which could not be guessed at all. If you don’t know how to do that, here I have created a guide to change the WordPress username with ease.
Change WordPress login URL
Again by default, WordPress creates a URL for your website to make a login. I hope you have already observed it. It starts some like yourdomainname/wp-admin
This goes common for any of the website, and easily guessed by the hackers too. So rename it sooner as possible and get rid of the sword hanging on your head all the time. Here is the guide to change the WordPress login URL.
Don’t Ignore Lockdown feature
Saying Lockdown means, you should set up a lockdown feature for your WordPress blog.
WordPress hacks can be done manually and through bots as well. So, in this case, you should minimize the failed attempts.
That states if someone guessed wrong username or password, their IP will be locked down for further attempts. And that makes complete sense. Isn’t it?
You will have the full control to assign the failed attempts with the security plugin.
How many attempts should you assign? – It’s completely up to you, generally, its wise to keep 3 failure attempts. 2 can also make sense, but don’t make it to 1, as sometimes even you can mistype your username or password. In that scenario, you would be locked down too. haha!
Wordfence and similar many plugins have lockdown feature. And if your security plugin doesn’t have such feature, then you can always make use of the popular plugin Login Lockdown.
WordPress Regular updates
WordPress comes up with regular updates, by adding many bug fixes. A WordPress user should upgrade it frequently, whenever it notifies.
Many frequently updated security features can secure your WordPress website. SThese updates can only strengthen the WordPress security process to the further level.
Remove WP version
As we have already talked about the WordPress updates. Now it also makes sense, that you should hide your WordPress version to the hackers.
Wondering how they can see the WordPress version which you are using as you have the login credentials?
It’s easy for the hackers to check the WordPress version by the source page. They just need to
right-click( on the webpage) – View Page source – CTRL F(Search for Version). It will look something like the below tag.
Have you ever use two-factor authentication for your gmails. If you are familiar with that, you might have already guessed what I am talking about.
Two-factor authentication security is a way to protect WordPress site from hackers with ease. If you connect your blog to your mobile phone for a two-factor authentication, you will receive an OTP while login. Putting that number in you would be able to log in.
This extends the security to the further level and adds one more layer to it. Here is a quick tutorial on WordPress Two-factor Authentication.
Start using an SSL
An SSL Certificate encrypts the data and does the job difficult for the hackers. In fact, an SSL is useful in many ways. And these days its quite easy to get one at very reasonable cost from well know brands.
It also increases the trust of the visitors to buy a product from your website by making an online transfer. As their data would be safe with an SSL, which keeps the information safe.
SSL makes sure that the transfers between the browsers and the servers are absolutely safe and secure. And there is no leak in between.
It’s wise to go with it, even if you don’t sell anything on your WordPress website as well.
Apart from adding many layers of security, it’s good to go with an awesome security plugin. There are plenty of good security plugins in the WordPress repository, though I can list a few of the best ones.
These plugins are available for free, with quite decent security features. Though, you can upgrade to their pro version for more extended features.
A security plugin does a lot of blocking jobs in the backend. It keeps the spam away and blocks the IP’s throttled for accessing your WordPress blog quite frequently. Scan your website for any malicious threats.
Set a decent firewall against the brute force attacks and DDO’s attacks and much more. So, don’t avoid installing a security plugin and protect WordPress site from hackers.
Create Strong Passwords
This one sounds basic as we do it for other social profiles and email accounts as well.
But trust me very important one, as WordPress sites get hacked like anything. Now it doesn’t matter whether it is a small blog or a huge one. Hackers find interest in all. LOL.
Saying strong password meant, don’t use anything which is related to you. Avoid almost everything, Name, Birth date, Employee ID, girlfriend name, haha anything which could be guessable.
Having trouble for coming up with great ideas for your passwords? You can always take help of some online password generators tools,
There are plenty of ways to change the WordPress login passwords. Like from your WP Dashboard or from WordPress database PhpMyAdmin as well in case no access to WordPress dashboard.
Simple way – Quickly hop into WordPress Dashboard – Users – Your Profile and scroll a bit down to see the New Password button in the Account Management Section.
Hitting the button will give you a unique strong password and finally hit the Update profile button to save the changes. You WP login password has been changed, hoping you have copied that new password with you or else we need to reset the password from the database.
Change Database Table Prefix
While installing the WordPress on your servers, you might have already observed for a dialog box asking for a certain prefix starts something like wp_. That means. This is basically for your WordPress database. The folder starts with wp_.
No wonder, whatever is common, can be guessed by the so-called hackers. So it’s also advisable to change the prefix of something of your own. You can add anything mywpsite_, friendswp_ and so on.
I can easily be done by getting into your website database. But, if you are not that familiar with all the techie stuff, plugins are always there.
Quickly install WP-DB Manager, to get this job done.
Don’t use Null themes and Plugins
WordPress theme hack is quite known. Say a big no to themes, this is one thing which doesn’t need any effort to hack by the third person. You are doing it you’re self if used null themes or plugins.
There are many blogs offering some free themes and plugins saying as a giveaway. Installing those could be dangerous from the perspective of WordPress security.
The codes might be already injected into those to extract the data from your website. I am not saying all the website does such things. But, it’s always wise to give a try to those plugins or themes on your demo site. Makes sense?
Try it for a while to check how legit those products are. Never install those on your WordPress website which is already live.
So be wise while installing Plugins or themes. WordPress repository offers all the checked themes and plugins. But, if you are buying it from the third party websites, do check up once.
Protect WP-config.php file
WP-config is an important part of your WordPress website. All the sensitive data gets stored over there. It can be located in the root directory public_html, where all your WordPress files are.
This is the file if accessed can expose your complete website. I am sure none of the WordPress users wants that.
Trust me, if you hide this file in some other directory, it could be really head scratching for the hacker to step into.
Don’t worry even if you change the location of it, the site won’t break, check out the below steps, how you could Change Wp-Config location.
How to protect WP-config.php file
There is few a way to do so via .hta access and through your file manager as well.
The most easier way would be through the file manager, assessing the root directory public_html. Find your WP-config file there and move it to the up level. That’s it, not it won’t be accessible at all. You WP-Config file is secure now.
Disable Directory browsing via .htaccess
This is another, step in which a webmaster look into. Which is not well known when it comes to securing the website.
But if the browsing of your root directory is not disabled. A reader, visitor or hackers make access the files like the themes, plugin, image and much more.
Here is the step by step how you can disable directory browsing in WordPress via .htaccess.
Final Words on Securing your WordPress Blog:
An approach towards Securing your WordPress blog might take some time, but once and all. And it’s worth it. Before spreading a news on social media “my website got hacked.” It’s wise to take care of some security measures, as your hard work on your blog matters.
You Turn, Are you ready to prevent website hacking?
Consider sharing, if this helps. Thanks!