The main reason because of which WordPress is the favorite target for hackers, is its huge user base. There are no doubts that WordPress is the most famous CMS in the Internet. It is true that many times, WordPress got its security compromised in its early years, but the WordPress Team (that is, Automattic) was prompt enough to fix the loopholes right on time.
With my 4 years of experience as a blogger and obviously as a WordPress user, I understand the true importance of securing your WordPress blog. In this article, I have tried to put forward 15 highly effective and essential security tips to give you an advance-level of WordPress security.
It’s a perfect blend of some simple, intermediate and some advanced tips to give you an overall advanced-level of security in WordPress. It’s not only for the advanced users, as I have tried my best to make it easily understandable to the amateurs too as WordPress security is everyone’s equal right.
1) Updating WordPress Right on Time
This is one of the simplest and easiest step you can take to secure your WordPress blog. But it is not something less worthy that any other technique you implement. Due to its large user base, WordPress is always a favorite target for the hackers.
Hackers are always trying their best to find loopholes and vulnerabilities in the WordPress core, plugins and theme files to compromise the security of WordPress. But fortunately the WordPress Team is efficient enough to promptly patch any loophole whenever they are detected.
So, it is very essential for you to update WordPress right on time, otherwise it will be very unfortunate if you get hacked only because you were late in updating your WordPress.
2) Restrict Admin Access by IP
This is a simple yet effective tip to provide an extra layer of security to your WordPress blog for free. If you have a dynamic IP or have a multi-authored blog where many users register and login, then this is not a suitable option for you, but otherwise you can create an extra layer of security by simply editing the .htaccess file.
Open the main .htaccess file (outside the wp-admin folder), and find the following code:
Replace the xx.xx.xx.xx with your own IP address. Now find the .htaccess file inside the wp-admin folder, open it and find the following code:
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
Do the same thing that you did previously and replace the xx.xx.xx.xx with your own IP Address.
3) Changing the Database Table Prefix to Something Un-guessable
WordPress database is the favorite target of most of the hackers as the database contains all sensitive information regarding of your entire WordPress installation like Posts, Pages, Categories, Tags, Settings, Plugin Configurations, etc.
You can easily change it during the WordPress installation, but many of us were unaware of this fact right at that moment. So, there are basically two ways to change the DB prefix on a live running WordPress site – either by using a plugin or by doing it manually.
Personally I like the plugin method as it is simple and risk free. There is a plugin – Better WP Security to do this job for you.
You can also do it manually, but the process is risky and needs some basic knowledge. You can take the help of this awesome tutorial to guide you through the process.
4) Disabling HTTP TRACE and TRACK
TRACE and TRACK are HTTP methods which are the default functionalities of most of the apache-powered webservers used for the purpose of debugging. But these methods can prove to compromise the security of your WordPress site, as there are some attacks like Cross Site Tracing (XST) and Cross Site Scripting (XSS) which can steal cookies and many other sensitive information’s from your webserver.
Fortunately these methods can be disabled with ease by placing the following lines of code in the root .htaccess file:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
5) Remove Header Outputs from WordPress
WordPress is known to output many information in the header, which can be used by hackers to compromise the security of your site. But you can easily remove these outputs by adding a few lines of code that I have added below.
But be very cautious while adding these codes directly, as they can break many functions from working properly. If you want anything to remain as it was, you can either delete that line or comment that out.
Open the functions.php file of your theme and add these following lines of code judiciously:
remove_action( 'wp_head', 'feed_links_extra', 3 ;
remove_action( 'wp_head', 'feed_links', 2 );
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );
remove_action( 'wp_head', 'index_rel_link' );
remove_action( 'wp_head', 'parent_post_rel_link', 10, 0 );
remove_action( 'wp_head', 'start_post_rel_link', 10, 0 );
remove_action( 'wp_head', 'adjacent_posts_rel_link', 10, 0 );
remove_action( 'wp_head', 'wp_generator' );
6) Password Protect your Admin Area
It is always recommended to protect the “wp-admin” directory with an added layer of password protection. Whoever will try to access that directory, will need to provide an extra password to open the page.
You can execute this technique by the following three ways:
i) Simple – You can install the AskApache Password Protect WordPress plugin and do it in the simplest possible way.
ii) Intermediate – You can login to your cPanel and use the Password Protected Directories to protect any folder you want with ease.
iii) Hard – You can create an .htaccess and .htpasswd inside the directory you want to protect and can use this tutorial to guide you through the process.
7) Hardening the wp-config.php File Security
The wp-config.php file contains very sensitive information about the WordPress installation, so it is often a favorite target for many hackers. If this file is read, then your entire WordPress installation is lost.
You can protect the wp-config.php file by setting the right file permissions like 600, or even 400 for even better security. You can also move the wp-config.php file to a directory above the WordPress installation directory. This way you can make your wp-config.php file completely inaccessible to outsiders.
You can also use the .htaccess and put the following lines of code to prevent anyone from viewing this file too:
# Prevent public access to the wp-config.php
8) Changing File Permissions to Secure WordPress
Many of us are simply ignorant of how file permissions work and can be properly executed to secure our WordPress installation. We should keep all directories as 755 or 750. Never ever make the mistake of giving full permissions to any file or folder, that is, 777.
There are many PHP files which should not be given high file permissions, as that can pose a security risk. We should limit them to 644 or 640 file permissions.
WordPress Codex has got a complete guide on changing File Permissions in this great tutorial. You can take the help of this tutorial as a detailed guide to understand and change file permissions efficiently.
9) Blackhole Trap for the Bad Bots
This is a great concept developed by PerishablePress to intercept the bad bots which doesn’t obey or follow the rules of the robots.txt file, and thereby tightening the security of your WordPress site.
The concept is really very simple, creating a hidden link to the robots.txt file such that the bots which does not obey the rules of the robots.txt will fall into the trap, which will then perform an immediate WHOIS lookup of the bot and record it in a blacklist file. Then the bots in the blacklist file will be banned from accessing the site completely.
The execution of this technique is not much complicated if you follow this well-written guide on PerishablePress.
10) Secure and Reliable Webhost and SSL
One of the best ways to ensure security is to be with a secure and reliable webhost, like WP Engine, WP WebHost. Hosting plays a vital role in the security of your WordPress blog. It your webhost itself has a weak security, then whatever security measures you take will all go into vain.
Also talk with your webhost provider and try to buy an SSL certificate for your site. Then add this line of code in the wp-config.php:
define('FORCE_SSL_ADMIN', true);
Please note that this line must be added above the code:
require_once(ABSPATH . 'wp-settings.php');
Once you are done with it, all admin sessions will be passed through secured channels such that it will become even more difficult for the hackers to pass through the extra layer of security.
11) Don’t Let the Hackers Know Your WordPress Version
It is not a good idea to show the hackers what version of WordPress you are using, so that they can prepare themselves well-enough with the knowledge of which vulnerability they can use against you to crack your site.
WordPress 2.6 and above automatically adds the version of it in the WP_head section, but fortunately you can remove it with a single line of code. Open header.php and look for the following line of code and delete it if found, and if not then you are already lucky:
You can also install the Better WP Security plugin to do this job for you with just a simple click of a button.
12) Choosing a Strong yet Memorable Password
It is really a wrong idea among many WordPress users that any password like “1234” or “password” is enough to keep them safe from the hackers, but in reality these type of passwords can be cracked within a few seconds.
You should try to create passwords and make them look as ugly as possible, comprising of alphabets, numbers, special symbols so that it becomes immensely difficult for the hackers to crack these passwords.
There are some awesome tools out there in the web, which can help you to generate passwords which are strong yet memorable like, SafePasswrd.com. Use these password generators to generate a memorable password for you. There are also some password strength checkers available to check how strong your current password is like HowSecureIsMyPassword.com
13) Scan your Workstation and your WordPress Installation Regularly
Many times, your malware-infected workstation can also be the reason for getting your WordPress site hacked. So, you should scan your workstation regularly with well-reputed antivirus programs.
Many times hackers take the other way of using methods like KeyLoggers to hack WordPress sites without even your notice. So, it’s time to set up automated scans of your entire workstation on a regular basis.
It is also necessary to scan your WordPress installation periodically. There are some great plugins to do this job for you, but my personal favorite is – WordFence Security. These plugins will periodically scan your entire WordPress installation for viruses or any other file changes and will notify you right on time, if anything is found.
14) Lock-out Users with Failed Login Attempts
Even if you have a strong password or an extra-layer of password protection over your ”wp-admin” area, hackers may still find ways to reach and attempt to crack the password of your admin panel. Here comes the idea of login lockdown.
If a certain user makes too many failed login attempts (say 3 or 5), then they will immediately be locked out from logging in the site further for a few hours. The ban can again be released manually.
There are many plugins, that does this job petty well, but the reliable ones are Login lockdown, Better WP Security and WordFence Security.
Also do not forget to add this line of code to remove failed login error messages from getting displayed to the user:
/ Remove Failed Login Error Message on wp-login.php
add_filter('login_errors',create_function('$a', "return null;"));
15) Nothing Can Replace Backups
Truly, there is no security measure that can replace the need of taking regular and systematic backups. Whatever security measures you take, there can be at least a single loophole left for the hackers to compromise the security of your WordPress.
So, create a perfect backup plan for your site and maintain that throughout. You can install BackWpUp or BackupBuddy plugin, to take automated backups of your entire site with ease. These plugins also have the capability to store these backups in the cloud storage, like DropBox for added security.
Still reading? Want to know more on securing your WordPress site? Then it’s time to implement each of these steps one by one. I can assure that you will learn even more, heading through the process.
