14 Effective Practical Security Tips for WordPress
Reading Time: 4 minutes 
WordPress is the most user-friendly expandable blog platform around. “With power comes more responsibilities”, says Spiderman’s uncle. So what if your valuable WordPress blog gets hacked? You will be literally devastated, violated, and humiliated. Now you need to know how an attacker or cracker hack or exploit your site.
- They know about your security weakness points about your site
- They know about the important directories are open and accessible
- They know about the version of WordPress has security issues
- They know what outdated unsecured plug-in you are using and they can take advantage of it
- They will use brute force to attack your site login for random username and password
- They know WordPress uses “Admin” as the administrator name, so they keep generating passwords and keep trying
So how do you overcome these situations? Well, you just need to tighten up the security principle to avoid these problems. These are very practical options to protect yourself from getting hacked. In truth, every protection can be broken but the point is not to cure but to prevent.
Table of Contents
- Knowledge
- Keep your WordPress install and plug-in up to date
- Rename the administrative account
- Use strong password
- Disable directory browsing
- File permissions
- Do not advertise the WordPress version you are running
- Stay on top of Security Releases
- Use Captcha whenever possible
- Limit access to your wp-admin directory
- Restrict access to your wp-config.php
- Use AskApache Password Plugin
- Use the WordPress online security scanner
Knowledge
Keeping backups, knowing the state of your WordPress installation at regular time intervals, documenting your modifications all help you understand your WordPress installation. Use the WP-DB backup plug-in to schedule your database backups.
Keep your WordPress install and plug-in up to date
The newest versions of WordPress automatically notify you if there is an update for your WordPress and your plugins. Keeping these up to date will keep black hats from using known vulnerabilities to gain access where they shouldn’t be.
Easily Craft Stunning WordPress Websites that Excel in Speed and Design!
Divi AI Empowers You to Effortlessly Create Content and Produce Images Right within The WordPress Builder.
Rename the administrative account
You can do this in the MySQL command-line client with a command like
update tableprefix_users
set user_login='anothername'
where
user_login='admin';Use strong password
Creating a strong, memorable password is one of the most accessible defenses against being hacked. There are a lot of online password strength checkers that you can check. Here is Lorelle’s article on Blog Herald called Protect Your Blog With a Solid Password, offering tips and tricks to help create a strong password that is also memorable.
Disable directory browsing
An attacker can reveal your files because they have been indexed by search engines, so you can use a simple one-line code inside your .htaccess file
Options -Indexesalso, use a robots.txt file to disallow the search engine robots to index the subfolder contents. Here is an example of a robots.txt file
User-agent: *
Disallow: /cgi-bin/
Disallow: /wp-content/
Disallow: /wp-admin/
Disallow: /wp-includes/File permissions
Some of WordPress’s cool features come from allowing some files to be writable by the webserver. However, letting an application have to write access to your files is a dangerous thing, particularly in a public environment. It is best, from a security perspective, to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create special folders with more lax restrictions for the purpose of doing things like uploading images.
Do not advertise the WordPress version you are running
If you are running an old WordPress version with known vulnerabilities, displaying this information to the public is unwise. Why not simply hide the WordPress version entirely? Even if you update packages as quickly as possible, there will be a lag between the version release and your deployment, potentially enough time for a malicious person to carry out an attack. However, editing out all the places where WordPress advertises its version string in your theme can be a pain. It is still best to ensure you are running the latest WordPress version. An easier way to do this is with the Replace WP-Version plugin (the newer and better version with more features is Secure WP).
Stay on top of Security Releases
Subscribe to the WordPress Development blog. When WordPress patches a security hole or releases a new version, they announce it on that blog. If you see a security patch released, you need to upgrade or apply the patch. You leave yourself open to being hacked if you don’t upgrade.
Use Captcha whenever possible
Captcha solution for the comments and login also builds contact forms with Contact Form 7 or CFORMS II. This keeps bots from spamming and trying to crack your login.
Limit access to your wp-admin directory
Protect wp-admin directory by IP address or password, which will another level of password access to the wp-admin folder: if you are using CPanel then you can use the directory protection tool to password protect folders.
Restrict access to your wp-config.php
I have seen cases on web servers where the PHP install gets broken and all PHP files become readable. This is bad because your wp-config.php file contains your database username and password. Create a file within your WordPress root install directory named .htaccess if there isn’t already one. Append the following to your .htaccess file inside of your root directory:
deny from allUse AskApache Password Plugin
This plugin doesn’t control WordPress or mess with your database, instead, it utilizes fast, tried-and-true built-in Security features to add multiple layers of security to your blog. This plugin is specifically designed and regularly updated specifically to stop automated and unskilled attackers attempts to exploit vulnerabilities on your blog resulting in a hacked site
Use the WordPress online security scanner
This plugin along with a CGI script at Blog Security will perform version checks, XSS checks on your template, and look at your plugins for vulnerabilities.
References:
3 tips to protect your WordPress installation
Some of the link on this post may have affiliate links attached. Read the FTC Disclaimer.
