WordPress Security - 10 tips to keep your site secure.
WordPress popularity has some advantages and disadvantages. In terms of safety, popularity does not help at all. WordPress websites are more exposed to potential hacker attacks than other websites. That is why it is so important to secure WordPress as much as possible. In this article you will find some basic information that will help you to improve the security of your WordPress website.
Host your WordPress website on secure hosting
This is probably the most important thing you can do for security. All the remaining steps are pointless if your hosting is not secure. The best choice is managed WordPress hosting from a good and trusted hosting company. If you cannot afford managed hosting and are looking at shared hosting instead, look for these features:
- support for the latest PHP and MySQL versions
- account isolation (one customer's compromised site cannot reach another's files)
- web application firewall
- regular malware scanning
- intrusion detection system
Update WordPress, themes and plugins regularly
It is very important to have the latest versions of WordPress and all of the themes or plugins that you are using on your site. Often new versions include some security patches which may significantly increase the overall security of your WordPress site.
Since WordPress 3.7, all minor updates are performed automatically. However, you still need to approve a new major update once it is available. If you want major updates installed automatically as well, add a single line to the wp-config.php file:
# Enable all minor and major updates
define( 'WP_AUTO_UPDATE_CORE', true );
It is also possible to enable automatic updates for your theme and plugins with two filters (add them to your theme's functions.php or a small plugin, because wp-config.php is loaded before WordPress defines add_filter):
# Enable plugins updates
add_filter( 'auto_update_plugin', '__return_true' );
# Enable themes updates
add_filter( 'auto_update_theme', '__return_true' );
Please note that automatic updates may break your site! It may happen that your theme or one of your plugins is not compatible with the WordPress version you are updating to.
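The filters above are all-or-nothing. The following must-use plugin is an added example (not code from the original article) showing how the same two filters can be used to turn automatic updates on for everything except a short list of plugins and themes you know to be fragile, so the risk described above is limited to components you have chosen to update by hand. The slugs in the exclusion lists are assumed placeholder values; replace them with directory names from your own wp-content folder.

```php
<?php
/**
 * Plugin Name: Controlled automatic updates
 * Description: Added example, not code from the original article. Save it as
 *              wp-content/mu-plugins/controlled-auto-updates.php to enable
 *              automatic plugin and theme updates while keeping a short list
 *              of components on manual updates.
 */

// Plugin directory names (slugs) that have broken on update before and should
// be reviewed by an administrator. ASSUMED values: replace with your own.
const SITE_MANUAL_UPDATE_PLUGINS = array( 'fragile-gallery', 'legacy-forms' );

// Theme directory names to keep on manual updates. ASSUMED value.
const SITE_MANUAL_UPDATE_THEMES = array( 'custom-child-theme' );

/**
 * Callback for the 'auto_update_plugin' filter. WordPress passes the decision
 * made so far ($update) and an object describing the available update; for
 * plugins the directory name is in $item->slug.
 */
function site_auto_update_plugin( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, SITE_MANUAL_UPDATE_PLUGINS, true ) ) {
        return false; // leave this one for a human to test and apply
    }
    return true; // every other plugin updates unattended, as with __return_true
}
add_filter( 'auto_update_plugin', 'site_auto_update_plugin', 10, 2 );

/**
 * Callback for the 'auto_update_theme' filter. For themes the directory name
 * is in $item->theme rather than $item->slug.
 */
function site_auto_update_theme( $update, $item ) {
    if ( isset( $item->theme ) && in_array( $item->theme, SITE_MANUAL_UPDATE_THEMES, true ) ) {
        return false;
    }
    return true;
}
add_filter( 'auto_update_theme', 'site_auto_update_theme', 10, 2 );
```

Because it lives in wp-content/mu-plugins, the file is loaded on every request and cannot be deactivated from the dashboard, so the policy survives an accidental click; the filters receive two arguments, which is why both add_filter calls pass an accepted-arguments count of 2.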
Keep your computer free of viruses and malware
You may wonder what your personal computer has to do with the security of your website. Well, a lot. If your computer is infected, unauthorised people can obtain your username and password. They can then log in to your site exactly as you do, and all of your efforts to improve its security will be worth nothing.
Use a unique username and strong password
You should avoid using the "admin" username. It is probably the first choice for an attacker trying to break into your site, and choosing a unique username makes that job harder.
The same rule applies to passwords. I believe you are not using passwords like "123456" or "admin". Instead, you should use a strong password. What does a strong password mean? A strong password is a string of letters, numbers and other characters that has no meaning and is hard to guess.
Use two-factor authentication
Two-factor authentication is a very good protection against a brute-force attack.
This attack is dangerous because the attacker tries to log in to your site with many combinations of usernames and passwords until the correct one is found. Two-factor authentication makes this much harder: it requires the user to log in with a unique code that is generated for one-time use only. The code can be delivered to the user via SMS, phone call or a smartphone application.
There are several free WordPress plugins that you may use to add this feature to your website: Google Authenticator, Clef, Duo Two-Factor Authentication and Stealth Login Page.
Use correct file and folder permissions
Wrong file permissions on your server can be compared to leaving the doors of your house wide open at night. They make it much easier for an attacker to upload malicious software or modify existing files. The recommended permissions are:
- 755 for directories
- 644 for files
- 600 for wp-config.php
Never set permissions to 777 unless you know exactly what you are doing.
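Checking a whole WordPress tree against these three rules by hand is tedious, so here is an added example (not code from the original article) of a small PHP script that walks a site directory, compares every entry with the recommended 755/644/600 modes and reports deviations, marking world-writable entries as the worst case. When run without arguments it builds a constructed sample tree in the system temp directory so you can see the report format; pass the real WordPress root as the first argument to audit a site.

```php
<?php
// Added example, not code from the original article.
// Usage: php permissions-audit.php /var/www/html   (path is an assumed example)

/** Recommended mode for one entry: 755 dirs, 600 for the site's wp-config.php, 644 otherwise. */
function expected_mode( SplFileInfo $entry, string $root ): int {
    if ( $entry->isDir() ) {
        return 0755;
    }
    $relative = ltrim( substr( $entry->getPathname(), strlen( $root ) ), '/' );
    return $relative === 'wp-config.php' ? 0600 : 0644;
}

/** Walk $root and return one finding per entry whose mode differs from the recommendation. */
function audit_permissions( string $root ): array {
    $root = rtrim( realpath( $root ), '/' );
    $findings = array();
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $iterator as $entry ) {
        if ( $entry->isLink() ) {
            continue; // judge the link target on its own path, not through the link
        }
        $actual   = $entry->getPerms() & 0777;
        $expected = expected_mode( $entry, $root );
        if ( $actual === $expected ) {
            continue;
        }
        $findings[] = array(
            'path'           => $entry->getPathname(),
            'actual'         => sprintf( '%04o', $actual ),
            'expected'       => sprintf( '%04o', $expected ),
            'world_writable' => ( $actual & 0002 ) !== 0, // anyone on the host can modify it
        );
    }
    return $findings;
}

/** Constructed sample tree with two deliberate mistakes, so the script runs anywhere. */
function demo_tree(): string {
    $root = sys_get_temp_dir() . '/wp-perm-demo-' . uniqid();
    mkdir( "$root/wp-content/uploads", 0755, true );
    chmod( $root, 0755 );
    chmod( "$root/wp-content", 0755 );
    chmod( "$root/wp-content/uploads", 0777 );          // mistake: world-writable
    file_put_contents( "$root/index.php", "<?php\n" );
    chmod( "$root/index.php", 0644 );                   // correct
    file_put_contents( "$root/wp-config.php", "<?php // constructed sample\n" );
    chmod( "$root/wp-config.php", 0644 );               // mistake: should be 600
    return $root;
}

$root = $argv[1] ?? demo_tree();
if ( ! is_dir( $root ) ) {
    fwrite( STDERR, "Not a directory: $root\n" );
    exit( 1 );
}
foreach ( audit_permissions( $root ) as $f ) {
    printf( "%-8s %s is %s, expected %s\n",
        $f['world_writable'] ? 'CRITICAL' : 'WARN', $f['path'], $f['actual'], $f['expected'] );
}
```

One caveat before applying 600 to wp-config.php: it only works when PHP runs as the file's owner (the usual case on hosts that run each account under its own user); if the web server runs as a different user, it will no longer be able to read the file and the site will show a database error.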
Disable PHP error reporting
Error reporting should be disabled on a production site. This option is useful during site development, because a web developer can see reports that help to fix errors. On a live server, however, error reporting can be dangerous: it may display your server path and other details, and that information makes a potential attacker very happy.
If you want to disable error reporting on your server, you can add a short snippet to the wp-config.php file:
# Disable error reporting
If the above code does not work on your server, you may ask your hosting support for more help to get rid of the error reporting.
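As an added example (not the article's own snippet), these are wp-config.php lines that stop PHP errors from being printed into pages served to visitors while still recording them for the administrator. They belong above the "That's all, stop editing!" line. The log path is an assumption; choose a location outside the web root that the PHP user can write to.

```php
<?php
// Added example, not code from the original article.

// Keep WordPress debug mode off on a live site (it is off by default, but be explicit).
define( 'WP_DEBUG', false );

// Even if WP_DEBUG is ever switched on, never render errors into the HTML output.
define( 'WP_DEBUG_DISPLAY', false );

// Tell PHP itself not to print errors, warnings or notices to the browser.
@ini_set( 'display_errors', '0' );

// Still record errors so problems can be investigated, but in a file the web
// server does not serve. ASSUMED path: adjust for your host.
@ini_set( 'log_errors', '1' );
@ini_set( 'error_log', '/var/log/php/wordpress-errors.log' );
```

After saving the file, request a page that is known to trigger a warning (a missing image in a theme template, for example) and confirm that nothing appears in the browser while a new line shows up in the log; if errors are still displayed, the host is overriding display_errors at a higher level, which is the case the article tells you to raise with hosting support.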
Protect your WordPress using .htaccess
Another way to protect your WordPress site is to make use of the .htaccess file. This is a configuration file containing rules that let you change some of your web server's settings. Here are some example rules that have an impact on your WordPress security:
# Secure the wp-config.php file
# (on Apache 2.4 without mod_access_compat use "Require all denied" instead of the two lines below)
<Files wp-config.php>
order allow,deny
deny from all
</Files>
# Secure the wp-includes directory (block direct requests to include-only PHP files)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# Disable directory listing
Options All -Indexes
# Protect the .htaccess file itself
<Files .htaccess>
order allow,deny
deny from all
</Files>
Use a WordPress security plugin
There are a lot of WordPress plugins that can help you improve the security of your website. Let's take a look at some of them and their features:
This is probably the most popular security plugin for WordPress. It has over 1 million active installs and is completely free. It adds a firewall, security scanning, blocking features and a lot more to your website.
This plugin comes in two versions: free and pro. Its authors claim that it provides over 30 ways to secure and protect your WordPress website. Worth mentioning are features such as two-factor authentication, malware scanning and brute-force attack prevention.
All In One WP Security & Firewall
This is a 100% free security plugin for WordPress. It has a user-friendly, easy-to-use interface and provides plenty of features, including a firewall, a scanner, and database and file system security.
Backup WordPress regularly
Even if you read every tutorial on securing WordPress that you can find on the Internet and perform all of their steps, you cannot assume that your website is 100% safe. It probably never will be. That is why it is so important to back up regularly. This way you can be sure that if your site is hacked in the future, you will be able to quickly restore it to the state before the attack.
There are some solutions for automated backup and restore that you may find interesting: VaultPress, BlogVault or BackupBuddy.
Find this tutorial helpful? Please share! Thanks :)