CMSWordPress

WordPress Security Guide

Table of Contents

WordPress Security Guide

Step 1: Keep Plugins Up to Date

This is the easiest way to keep your website security. Plugins, and WordPress itself, update fairly often.

Many times, these updates include security improvements. To update your plugins, go to your WordPress admin area.

Under Dashboard, click updates. If you see that you have the latest version of WordPress and your plugins are all up to date, you’re good to go.

Note:

Keep Plugins Up to Date

Step 2: Hide Your Admin Area

Do you only use your site from home and the office? If so, you can add a small snippet of code to your website to stop your admin page from being accessible by any IP address other than yours. Add this code to your .htaccess file (you need to do this through your FTP client):

<Files wp-login.php>
order deny,allow
Deny from all
Allow from xx.xxx.xxx.xxx
</Files>

Replace the “xx.xxx.xxx.xxx” with your IP address. If you don’t know your IP address, you can get it from whatsmyip.com. If you want to allow multiple IP addresses to login from, such as your office or a family members house you visit a lot, simply add another Allow from xx.xxx.xxx.xxx line of code with their IP address.

This may not be practical for you if you work from multiple places, like coffee shops or hotels or whatever it may be… or you may just not be tech-savvy enough to edit the .htaccess file.

Fear not – another way to secure your website would be to limit the number of login attempts. This stops hackers from being able to continuously try different passwords. The plugin I use for this is actually just called Limit Login Attempts.

Note: You may have heard of changing the URL of your admin area. While you may do this if you want to, ultimately it provides no increase in security what-so-ever. All serious hackers can find the URL of your admin area no matter where you put it.

Step 3: Use a Stronger Username and Password

WordPress defaults your username to “Admin”. Hackers know that people can be lazy sometimes, and will often try this username first. Change it and you’ll already by a step ahead of the pack.

Your password should also be fairly strong. Oh, and I hope I don’t have to tell you this, but… don’t use the same password for everything! An amazing app to help you overcome this password burden is LastPass. It helps you create super strong passwords and save them all to one place for easy one-click log-in.

Step 4: Use Two-Factor Authentication

Google Authenticator is an amazing, free app that gives you two-factor authentication. Basically, you download an app on your phone that shows you a random six-digit password to type in in addition to your normal password. The code syncs between your phone your WordPress account and resets every few seconds. The app (right) and the WordPress login (left) look like this:

Use Two-Factor Authentication

So you would just type “887604” in the Google Authentication code box.

Step 5: Ensure Your Hosting Provider is Secure

If you’re running a business, WP Engine seems to be the best hosting provider in terms of security. However, at their $29/month price tag, this may be beyond the scope of what you need. For a (much) cheaper, but still reliable, alternative, you can use BlueHost or Host Gator.

What to look for in a hosting provider is support for the latest PHP and MySQL versions and a web application firewall. If it has these two things, is affordable, and has any other features you want (like easily installing WordPress), then you’re good to go!

Step 6: Scan Your Computer for Viruses or Malware

This isn’t often talked about, but your own computer could be the culprit of your data being hacked in to. When was the last time you ran a full scan? I used to be bad (going almost two months or longer without a scan), and I learned the hard way.

If you’re looking for some great, free resources, my favorite combination (and most of Reddit’s) is Avast! and MalwareBytes. They both have excellent free features to keep your computer running clean.

malwarebytes
avast

Step 7: Remove Your Password Hint

You know how when you mess up your password, you get a hint as to what it might be? Well guess what? Hackers can see this too. Have no fear, you can change it with one simple addition of code in the functions.php file. Go to appearance -> editor. Find this:

Remove Your Password Hint
Remove Your Password Hint 2

Copy the following code:

function no_wordpress_errors(){
return ‘I love tacos.’;
}
add_filter( ‘login_errors’, ‘no_wordpress_errors’ );

Then paste it in your functions.php file somewhere.

Note: You can change the “I love tacos.” to whatever you want. That’s the text that will show up for the hint.

Then just hit save, and you’re done!

Step 8: Disable Pingbacks and Trackbacks

Pingbacks and Trackbacks are basically code snippets that notify other WordPress blog users when you link to them. In a perfect world, this sounds great – they get notified when you link to them, and hopefully they will link back.

In our world of hackers, however, using these can compromise your security. They could use the trackbacks to cause distributed denial-of-service (DDoS) attacks.

In order to disable them, go to Settings -> Discussion and then uncheck “Allow link notifications from other blogs (pingbacks and trackbacks)”.

 

Again, don’t forget to save!

Step 9: Hide Your wp-config.php File

Here’s another one with the .htaccess file. Again, it may be too tech-savvy for some, but if you know how to access it this is an easy change.

This file is incredibly important to your site because it directly affects your sites permalink structures and other things important to security.

Place the following code snippet (to hide your wp-config.php file) anywhere outside the #BEGIN WordPress and #END WordPress. We want to hide this because it contains your personal info and many other security-related information. Add this code:

<files wp-config.php>
order allow, deny
deny from all
</files>

Don’t forget to save!

Step 10: Keep Track of Dashboard Activity

If you have a lot of users on your site, you should check their activity on your site daily. Even if their intentions aren’t malicious, you can see what may have happened if your site broke.

To do this, download the Activity Log plugin. You can also use this to retrace your own steps, in case you broke anything (come on, we all know it happens.)

In case one of your users is malicious, you can see what they upload and check to see if it contains any viruses or malware or any other bad stuff.

Keep Track of Dashboard Activity

Step 11: Back Up Your WordPress Site

This is a really easy and really important step. You never know when you might accidentally change something and have it break your website – or worse, get malicious data on it somehow. All you need to do this is a free plugin called BackWPup.

Back Up Your WordPress Site

All you have to do is press “backup” once it’s installed, then let it work its magic. I’d also recommend scheduling regular backups every week, or at least once a month.

Step 12: Install a WordPress Security Plugin

It can be difficult to do everything manually that we’ve described here, so there are plugins that can help you get the job done.

They won’t do everything listed here, but they will help with some. Plus, they can perform malware and virus scans on your files and do other neat security things.

Three possible plugins are Sucuri Security, WordFence and Acunetix WP Security. Sucuri seems to be the better of the two – it got 4.6 out of 5 stars as opposed to Acunetix’s 3.3 out of 5. However, they each have unique features so you may want to look in to both.

There You Have It – 12 Steps to Better WordPress Security.

It can be difficult to do everything manually that we’ve described here, so there are plugins that can help you get the job done.

They won’t do everything listed here, but they will help with some. Plus, they can perform malware and virus scans on your files and do other neat security things.

Two possible plugins are Sucuri Security and Acunetix WP Security. Sucuri seems to be the better of the two – it got 4.6 out of 5 stars as opposed to Acunetix’s 3.3 out of 5. However, they each have unique features so you may want to look in to both.

YouTube Mistakes

YouTube Mistakes

Whether you’re broadcasting from furnished serviced offices in Brisbane or a back shed in Darwin, growing a YouTube channel is about as straightforward as teaching

Read More »
Twitter for Business

X / Twitter for Businesses

What should your business tweet next? How often should I tweet? The classic question “How do I measure Twitter’s success?” You’re not alone if you can relate.

Read More »
Back to top button