Top 10 WordPress Security Tips

You install WordPress, add a post, page, theme and adjust widgets… now it’s time to secure your WordPress website. It would be hard to overstate the popularity of WordPress as a web publishing platform. Between fully hosted blogs on WordPress.com and the self-hosted blog software that’s available for download at WordPress.org, there are millions of sites running on the WordPress platform. This makes WordPress a great resource for individuals and businesses looking to build their first website. But it also makes WordPress websites a popular target for hackers. Since having your website hacked can be devastating to your business, it’s important to make sure you do everything you can to stay safe. Here are the top 10 WordPress security tips you should consider. (Note that some of these tips will only apply if you host your own WordPress installation, but not if you use services on WordPress.com.)

1. Keep your WordPress install up to date

Sometimes the strongest security tips are also the easiest to implement. Every time you login to your WordPress dashboard, check the top of the screen to see if a new version of WordPress is available. Because security fixes to the underlying WordPress code are delivered through these updates, it’s important to make sure you’re always running the current version of the software. You should also make sure all your WordPress plugins are up to date as well.

2. Create backups

Backing up your WordPress site not only provides protection in case your site is compromised, it also acts as an insurance policy in case something happens to your web host. It’s certainly possible to manage the backup process manually, but there are plugins you can use to make the process much easier, including UpdraftPlus Backup and Simple Backup. Be sure to keep those backup files in a safe place.

3. Don’t use “admin” or your email address for your username

Not all hacking consists of high-level computer manipulation; WordPress sites are often compromised by someone guessing the site administrator’s username and password. Unfortunately, if you use “admin” or your e-mail address for your username, a hacker is already halfway toward reaching their goal. It’s much more secure if you make your username something that will be just as difficult to guess as a strong password.

4. Limit the number of failed login attempts

A persistent hacker may not be sufficiently deterred from attacking your site if they can simply use a “brute force” attack to try to guess your username and password. You can use a plugin like Simple Login Lockdown to detect failed logins from a particular IP address and significantly reduce the threat of these brute force attacks. This plugin will block an IP address from accessing your login page for one hour when there are five successive failed attempts – although the lockout time and number of attempts can be changed.

5. Make sure your themes are secure

Hackers shouldn’t be your only security concern. Given the seemingly endless number of sources for WordPress themes, you need to trust that you’re not using a theme with any malicious code. You can use a plugin like Theme Authenticity Checker to identify any potentially problematic code that may have been added to an otherwise valid theme.

6. Additional login authentication

The Login Dongle plugin provides an additional layer of login security. This plugin installs a bookmarklet in your browser, and asks you to create a secret challenge and response text. When you visit your login page, after entering your standard username and password, you click the bookmarklet and can fill in the appropriate response code before logging in. This creates an additional level of authentication security for your blog.

7. Perform a security scan

Unfortunately, it won’t always be obvious to you when you’ve been hacked. Sometimes hackers want to use your server space for activities that may not be obvious just by looking at your site. You can use a plugin such as Exploit Scanner to automatically search through the files on your site for anything potentially suspicious.

8. Consider a multi-tiered security manager

WordFence Security is a multi-faceted security plugin that adds a firewall to your website, as well as virus scanning, real-time traffic analysis, the ability to view any changes to your core WordPress files, and many other functions. WordFence is installed on my site and all of my clients sites.

9. Secure your wp-config.php file

Your wp-config.php file contains very important information about your WordPress site, including details on the database that contains all of your posts and comments. You can keep this file more secure by following the tutorial here. Don’t give a hacker access to your private information in this file:

10. Protect your WordPress directories

Finally, you can protect your underlying WordPress directories by adding the “options –index” code to the beginning of your .htaccess file. If you’ve never worked with a particular file before, this is another one you’ll want to contact your web host or webmaster for help with.
WordPress gives you the ability to create a powerful and professional website without spending a dime on software. Be sure to get the most out of your site by keeping it secure.

Read Also: