20 WordPress Security Tips To Secure Your Website in 2018


WordPress is one of the most widely used content management systems (CMS) today. As its usage has grown, WordPress security has become an increasingly common problem.

There are security measures you can take to keep your WordPress site from being hacked. Our team of WordPress security experts has collected information and data from thousands of websites to present you with the most detailed tips for improving the security of your WordPress site and preventing it from being hacked.

Common WordPress Security Vulnerabilities & Issues

  • Weak passwords
  • File inclusion exploits
  • SQL injection
  • Brute force attacks
  • Cross-site scripting (XSS)
  • WordPress malware attacks
  • Outdated WordPress, plugins or themes
  • Plugins and themes from untrustworthy sources

WORDPRESS SECURITY TIPS 2018

Tips to improve the security of your WordPress site

Listed below are some of the important WordPress security tips you must know to increase the security of your WordPress website in 2017.

1. Cleanup your WordPress installation

Delete unused copies of WordPress from your server. Unused WordPress themes, plugins and files should be deleted even if they are not active or not being used. Keep your server clean and follow one simple rule for unwanted files and installs: delete, delete, delete!

2. Use Updated WordPress plugins, themes

Keep your WordPress themes and plugins up to date. Also, use the proper APIs provided by WordPress.org rather than direct actions and manipulations. Take security into consideration when choosing WordPress themes and plugins. Approximately 30% of hacks occur for this reason, so it is definitely a good decision to stick with themes and plugins that are updated in a timely manner.

3. Change WordPress table prefix


For WordPress, the default table prefix is wp_. Everyone is aware of this prefix, including attackers. Changing the table prefix is recommended to make your website more secure and better protected against SQL injection. Change the table prefix and you are one step closer to a secure site. With this plug-in you can easily replace the default database prefix with any other prefix in a single click.

4. Use SSH2 (SFTP) connections for WordPress Upgrade

SSH2 (SFTP) connections are much more secure than a regular FTP connection for upgrading WordPress, because the shell method encrypts all data in transit. You can also use the "SSH SFTP Updater Support" WordPress plugin, which is built on phpseclib, the best way to use SSH, SFTP, RSA and X.509 in PHP.

5. Use SSL certificate

SSL (Secure Sockets Layer) is one of the best options for securing your WordPress admin panel. An SSL certificate for your site makes it difficult for attackers to intercept or spoof your information, and it also affects your WordPress website's Google rankings.

It is really beneficial, as Google recently announced that it uses HTTPS as a ranking signal, so SSL sites are rewarded with higher rankings in search results. Having SSL installed on your WordPress website lets you log in securely (via HTTPS). You can purchase a certificate from a well-known vendor or ask your hosting provider to set one up.

6. Backup Your WordPress Website

Backups will not stop a WordPress hack, but they are what you recover your WordPress website from afterwards. Back up your site before it is too late, as your entire website content is stored in the database. You can back up your site manually or use a WordPress backup plugin such as UpdraftPlus.

7. Protect .htaccess

.htaccess is the default name of a directory-level configuration file and is used to specify WordPress security restrictions for a particular directory. To secure your blog against attackers, place the code below in the root .htaccess file of your domain. It stops the web server from serving the .htaccess and .htpasswd files themselves.

# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

8. Secure wp-config.php

The wp-config.php file is the most important file in your website's root directory, as it stores crucial information about your WordPress blog. Securing wp-config.php protects the core of your blog: it becomes far more difficult for attackers to extract information from your site when the file is inaccessible to them. You can secure wp-config.php by placing the code below in the .htaccess file in the root directory.

# protect wp-config.php
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>

9. Configure .htaccess to prevent directory browsing


Another WordPress security concern is preventing people from browsing your website's directory structure. If you are curious what this looks like, enter 'index of' into Google and it will list websites that allow directory browsing. To prevent directory browsing, add 'Options All -Indexes' to the .htaccess file in your root directory.

10. Protect WordPress admin

The wp-admin directory is one of the major parts of your WordPress website, and any damage there can damage your entire site. To protect the WordPress admin section from attackers, password-protect the directory.

WordPress files should be accessible only to you or to a designated person. You can restrict access with .htaccess so that only specific IP addresses can reach this directory. Add the code below to the .htaccess file in the wp-admin folder (Apache does not allow comments on the same line as a directive, so the IP note is on its own line).

# deny access to wp-admin
# replace xx.xx.xx.xx with your static IP
Order deny,allow
Allow from xx.xx.xx.xx
Deny from all

Access from any other IP will be denied. These directives use the Apache 2.2 access-control syntax; on Apache 2.4 they need mod_access_compat, and the native equivalent is Require ip with your address.

11. WordPress security keys in Wp-config.php

The WordPress security keys in wp-config.php are one of the important security measures that keep your blog from being hacked. The keys in wp-config.php ensure better encryption of user data.

Use the WordPress key generator to generate the keys and replace them in your wp-config.php file.

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');

12. Use HTTPS To Log-in Your Dashboard

HTTPS is the secure version of HTTP. When you use HTTPS, your data is sent in encrypted form instead of clear text, which makes it difficult for attackers to intercept and decode the data (password, username). Add define('FORCE_SSL_LOGIN', true); to wp-config.php so that logging into your dashboard uses HTTPS.
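As an added example (not code from the original post), a small audit script that reads a wp-config.php and reports the weak settings from tips 3, 11 and 12: the default wp_ table prefix, security keys still at the placeholder value, and no HTTPS enforcement for the admin area. The config text is constructed for the demo; the script checks for FORCE_SSL_ADMIN, the constant current WordPress uses, of which FORCE_SSL_LOGIN is the deprecated predecessor.

```python
import re

# Constructed wp-config.php fragment with the weak defaults (not from a real site).
SAMPLE_WP_CONFIG = """<?php
$table_prefix = 'wp_';
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY',   'F8g#2kL!qZ9v@bN4xW7mR1tY6uP0sE3dH5jC8aQ2wV9zK4xL7nM1bT6yU3iO0pA');
define('NONCE_KEY',       'put your unique phrase here');
define('FORCE_SSL_LOGIN', true);
"""

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDER = "put your unique phrase here"

# define('NAME', value); and $table_prefix = 'xxx'; as written in a stock wp-config.php
DEFINE_RE = re.compile(r"define\(\s*['\"](\w+)['\"]\s*,\s*(.+?)\s*\)\s*;")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]")


def parse_defines(config_text):
    """Map every define()d constant to its value with the surrounding quotes removed."""
    return {m.group(1): m.group(2).strip("'\"") for m in DEFINE_RE.finditer(config_text)}


def audit_wp_config(config_text):
    """Return a list of findings; an empty list means none of the three weaknesses is present."""
    findings = []
    prefix = PREFIX_RE.search(config_text)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("table prefix is the default wp_ (tip 3)")
    defines = parse_defines(config_text)
    for name in KEY_NAMES:
        # Fresh keys can be fetched from https://api.wordpress.org/secret-key/1.1/salt/
        if defines.get(name, "") in ("", PLACEHOLDER):
            findings.append(f"{name} is missing or still the placeholder (tip 11)")
    # FORCE_SSL_ADMIN is the current constant; FORCE_SSL_LOGIN was deprecated in WordPress 4.0.
    if defines.get("FORCE_SSL_ADMIN") != "true":
        findings.append("FORCE_SSL_ADMIN is not set to true (tip 12)")
    return findings


if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WP_CONFIG):
        print("WARNING:", finding)
```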

13. Remove Inactive User Accounts

Inactive user accounts may be a security threat to your website. The best thing to do is to delete inactive user accounts in WordPress.

To do this:

>> Go to your WordPress dashboard >> Click 'Users', which takes you to the page where each user is listed >> Delete the ones that are inactive.

14. Use email as login

When you open your WordPress login page you have to enter a username to log in to your account. Logging in with an email address instead of a username is a more secure approach that helps keep your website from being hacked.

15. Prevent Script Injection

You can easily protect your WordPress blog from script injection. Just add the code below to the .htaccess file in your root directory. It rejects requests whose query string carries a script tag or tries to modify _REQUEST and/or GLOBALS.

# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
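To see exactly what the three RewriteCond lines above block, here is an added example (not from the original post) that re-implements them as Python regexes and runs them over constructed requests, including one legitimate search that the rule set rejects. The URLs and expected outcomes are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# The three RewriteCond patterns from the .htaccess snippet above, as Python regexes.
# Apache's [NC] flag becomes re.IGNORECASE; the other two conditions are case-sensitive.
SCRIPT_TAG  = re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)
GLOBALS_VAR = re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")
REQUEST_VAR = re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")


def would_be_blocked(url):
    """True if the rule set would answer this request with 403 Forbidden.

    mod_rewrite matches %{QUERY_STRING} against the raw, still percent-encoded
    query string, so we deliberately do not decode it before matching.
    """
    query = urlsplit(url).query
    return any(p.search(query) for p in (SCRIPT_TAG, GLOBALS_VAR, REQUEST_VAR))


# Constructed requests: what the rule catches, what it lets through, and a false positive.
CASES = {
    "https://example.com/?s=%3Cscript%3Ex%3C%2Fscript%3E": True,   # encoded <script> tag
    "https://example.com/?GLOBALS[x]=1": True,                      # register_globals-style override
    "https://example.com/?_REQUEST=1": True,
    "https://example.com/?p=123&preview=true": False,               # normal WordPress request
    "https://example.com/?s=javascript": False,                     # no '<' or '>' so no match
    "https://example.com/?s=%3Cb%3Edescription%3C%2Fb%3E": True,    # false positive: 'script' inside 'description'
}


def check_cases():
    """Return the URLs whose outcome differs from CASES (empty when the table is right)."""
    return [u for u, expected in CASES.items() if would_be_blocked(u) != expected]


if __name__ == "__main__":
    for url in CASES:
        print(("BLOCKED " if would_be_blocked(url) else "allowed ") + url)
```

Note that only the GET query string is inspected: POST bodies, cookies and headers pass untouched, so this is a coarse filter in front of the application, not a substitute for fixing vulnerable plugin code.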

16. Strong Passwords

A strong password is the first layer of protection for your WordPress site. Use lowercase and uppercase letters, numbers and special characters to set a strong password for your account.


You can also use the Force Strong Passwords plugin, which enforces strong passwords for users with the publish_posts, upload_files and edit_published_posts capabilities.

A few basic requirements for a strong password:

  • Include numbers, capitals and special characters (@, #, *, etc.)
  • Can include spaces and be a passphrase
  • Change passwords every 120 days, or 4 months
  • Be long (10 characters minimum; 50 characters ideal)

17. Restrict Failed WordPress Login Attempts


Restricting the number of failed login attempts prevents attackers from using brute force techniques against your WordPress site. A brute force attack is an attempt to discover a user's password by trying every single possibility. You can add an extra layer of security to your WordPress login page by implementing two-factor authentication or adding HTTP authentication.
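As an added example (not from the original post), the detection logic a defender would run over the web server's access log to spot the brute force pattern tip 17 describes before deciding which clients to lock out. The log lines are constructed, and the 200-versus-302 distinction relies on the default behaviour of wp-login.php.

```python
import re
from collections import Counter

# One line of Apache combined log format: client IP, request line and status code are captured.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def _line(ip, sec, method, path, status):
    """Build one constructed combined-format log line (sample data, not a real server)."""
    return (f'{ip} - - [10/Mar/2018:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 4512 "-" "Mozilla/5.0"')


# Constructed sample: 203.0.113.7 fails six times in a row; 198.51.100.20 mistypes once, then succeeds.
SAMPLE_ACCESS_LOG = "\n".join(
    [_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(6)]
    + [_line("198.51.100.20", 7, "GET", "/2018/03/hello-world/", 200),
       _line("198.51.100.20", 8, "POST", "/wp-login.php", 200),
       _line("198.51.100.20", 9, "POST", "/wp-login.php", 302)])


def count_failed_logins(log_text):
    """Count failed login attempts per client IP.

    WordPress re-renders the login form with HTTP 200 when the credentials are wrong and
    answers 302 (redirect to the dashboard) when they are right, so a POST to
    /wp-login.php that received a 200 is counted as a failure.
    """
    failures = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if method == "POST" and path.split("?", 1)[0] == "/wp-login.php" and status == "200":
            failures[ip] += 1
    return failures


def brute_force_suspects(log_text, threshold=5):
    """Return {ip: failures} for clients at or above the threshold; these are candidates to block."""
    return {ip: n for ip, n in count_failed_logins(log_text).items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in brute_force_suspects(SAMPLE_ACCESS_LOG).items():
        print(f"{ip}: {n} failed logins, consider blocking")
```

Behind a reverse proxy or CDN the first log field holds the proxy's address, so log and match the forwarded client address instead; the threshold here also has no time window, which a production rule would add.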

18. Hide WordPress Version number

The WordPress version is placed in your website's page source and can be an easy target for attackers: if your WordPress version is known, they can easily build a targeted attack. Use this WP plugin to remove the WordPress version number from the meta tag, RSS feeds, and JavaScript & CSS parameters for increased security of your WordPress site.

Alternatively, place this single line in your theme's functions.php. It removes the generator meta tag from the page head; the version also appears in the RSS feeds and in the ?ver= parameters on script and style URLs, which the plugin covers.

remove_action('wp_head', 'wp_generator');

19. Change Default WordPress Login/Password


You can change the default WordPress login name, i.e. 'admin', to reduce the chance of attackers guessing it. One of the best things to do is to delete the default admin account and create a new account with a custom login name. Combined with a really strong password, your account should be in good shape.

20. Block Search Engine Spiders from Indexing the Admin Section

Search engine crawlers like Google's crawl your entire blog site and index every piece of content placed there unless they are asked not to. Keep in mind that you do not want your admin section indexed, as all the sensitive information is placed there. One of the easiest ways to prevent crawlers from indexing the admin section is to create a robots.txt file in the root directory with the content below. Note that robots.txt is a request that well-behaved crawlers honour, not an access control.

User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

We cannot guarantee that your WordPress blog will never be hacked after implementing the points above, but we assure you that the chances of being attacked will be minimized. The more you strengthen your WordPress security, the harder it becomes for an attacker to breach your information.

Any suggestions?

Any advice on WordPress security from your side can help many people keep their WordPress websites from being hacked.

Please use the comment box below to share your thoughts!
