Did you know that 73% of the popular WordPress sites covered by one 2013 survey were rated "vulnerable"?
Many WordPress users are not technical and do not follow what happens behind the easy-to-use WordPress interface. They may have started a blog out of passion for a subject they know well, to make a living from it, to run an e-commerce site, or for any number of other good reasons.
What they rarely think about at the start is the threat to the site itself: security weaknesses, vulnerabilities and loopholes that attackers with destructive intentions can exploit.
Here I will guide you through 11 simple methods to make your WordPress site more secure. Both tech-savvy and non-technical site owners can use this guide to raise the security of their WordPress site.
11 Simple Methods to Make Your WordPress Site More Secure
Backing Up Your WordPress Database
The first step in securing your site is to back up your WordPress database before you change anything, so that a mistake in any of the later steps (several of them edit wp-config.php, .htaccess or the database itself) can be undone.
You can do this manually or with a plugin. I recommend the WP-DBManager plugin: besides taking backups, it can optimize, repair and restore the database, delete old backups, drop or empty tables and run selected queries, and it can schedule automatic backups. Whatever tool you use, store the backups outside the web root (a dump sitting in a public directory is downloadable by anyone) and test that a backup actually restores before you rely on it.
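As an added example (my own script, not part of the original article and not the WP-DBManager plugin's code), here is a small POSIX shell script that does the same job from the command line. It reads the database name, user, password and host straight out of wp-config.php so the credentials are never copied anywhere else, passes the password to mysqldump through a private options file instead of the command line, and writes a timestamped gzip dump. It assumes mysqldump and gzip are installed on the host and that wp-config.php uses the standard define('DB_NAME', '...') style lines; the backup directory and the 14-day retention are this example's own choices.

```shell
#!/bin/sh
# Added example: dump the WordPress database with the credentials already
# stored in wp-config.php. Assumes mysqldump and gzip are on the PATH.

# Read the value of one define('KEY', 'value') line from wp-config.php.
# Accepts single or double quotes and any spacing inside define( ).
wp_config_value() {
    config="$1"
    key="$2"
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]${key}['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$config" | head -n 1
}

# Render the body of a MySQL [client] options file from the wp-config values.
# WordPress allows DB_HOST to carry a port ("host:3306") or a socket path
# ("host:/path/to/mysqld.sock"); both are split out here. The password is
# quoted so that a # or ; inside it is not read as a comment by mysqldump.
mysql_client_options() {
    user="$1"
    pass="$2"
    dbhost="$3"
    host="${dbhost%%:*}"
    suffix="${dbhost#*:}"
    echo "[client]"
    echo "user=$user"
    echo "password=\"$pass\""
    echo "host=${host:-localhost}"
    if [ -n "$suffix" ] && [ "$suffix" != "$dbhost" ]; then
        case "$suffix" in
            /*) echo "socket=$suffix" ;;
            *)  echo "port=$suffix" ;;
        esac
    fi
}

# Dump the database named in wp-config.php to OUTDIR/<db>-<timestamp>.sql.gz,
# then delete dumps older than KEEP_DAYS (default 14). Prints the new file.
backup_wp_db() {
    config="$1"
    outdir="$2"
    keep_days="${3:-14}"

    db_name=$(wp_config_value "$config" DB_NAME)
    db_user=$(wp_config_value "$config" DB_USER)
    db_pass=$(wp_config_value "$config" DB_PASSWORD)
    db_host=$(wp_config_value "$config" DB_HOST)
    if [ -z "$db_name" ] || [ -z "$db_user" ]; then
        echo "could not read DB_NAME/DB_USER from $config" >&2
        return 1
    fi

    # A dump holds every password hash and every post: keep the directory
    # private, and pick one outside the web root.
    mkdir -p "$outdir" && chmod 700 "$outdir" || return 1

    # Pass the password through a mode-600 options file rather than on the
    # command line, where any local user could read it from `ps`.
    creds=$(mktemp) || return 1
    chmod 600 "$creds"
    mysql_client_options "$db_user" "$db_pass" "$db_host" > "$creds"

    out="$outdir/${db_name}-$(date +%Y%m%d-%H%M%S).sql"
    if mysqldump --defaults-extra-file="$creds" --single-transaction --quick \
            --add-drop-table "$db_name" > "$out"; then
        rm -f "$creds"
        gzip -f "$out"
        # Expire old dumps so the backup directory does not grow forever.
        find "$outdir" -name "${db_name}-*.sql.gz" -mtime "+$keep_days" -exec rm -f {} +
        echo "$out.gz"
    else
        rm -f "$creds" "$out"
        echo "mysqldump failed for $db_name" >&2
        return 1
    fi
}

# Usage: backup_wp_db /var/www/html/wp-config.php /var/backups/wordpress 14
[ $# -ge 2 ] && backup_wp_db "$@"
```

Run it from cron before every update and before changing the table prefix or the security keys later in this guide. The dump only covers the database; theme, plugin and upload files in wp-content still need a separate file backup.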
Updating your WordPress Version
This step is essential because the WordPress developers keep fixing security issues in the current release, so updating to the latest version closes the holes that are already public. Since WordPress 3.7, minor and security releases install themselves automatically by default; leave that switched on, and apply major updates promptly once you have a backup.
To know when a new WordPress security release is out, follow the WordPress Development Feed and stay up to date with the announcements.
Making your Login Secure
Keeping your login id and password simple is a great way to let attackers walk straight into your site (if that is what you want).
For example, keeping the default WordPress username "admin", or using your domain name as the username, is not smart, because attackers try exactly those first.
Pick a username that is not obvious, but do not count on it staying secret: WordPress exposes usernames through author archive pages and the author slug, so it is the password that actually has to hold.
Use a long password. A word or month followed by a couple of digits or a symbol, such as "August.08", is exactly the pattern that password-cracking tools try first, however many character classes it mixes. A random password of 16 or more characters, generated and stored by a password manager, is far stronger, and you never have to remember it.
You can also limit the number of failed login attempts with one of the many login-limiter plugins, which blunts brute-force guessing against wp-login.php.
Deleting Unused Plugins and Keeping the Important Ones Updated
Plugins are your biggest risk: plugin vulnerabilities accounted for 55.9% of the known entry points reported by respondents of the survey cited above, so delete the ones you are not using. Deactivating is not enough, because a deactivated plugin's files are still on disk and still reachable over the web. Removing unused plugins also improves site speed and page load times.
As with WordPress itself, reputable plugin authors fix vulnerabilities quickly once they are discovered. Keeping plugins up to date ensures you get those fixes before attackers use the holes to get into your site.
Install plugins only from reputable sources, and never install pirated ("nulled") copies of premium plugins to save a few dollars: such copies are frequently modified to give the distributor a backdoor into your site's backend, which can prove far more expensive than the licence.
Adding WordPress Security Keys
These are defined in the WordPress "wp-config.php" file. Use the WordPress Key Generator to produce a fresh set; it returns eight lines, the four keys shown below plus the matching AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT. Open wp-config.php, find the lines that look like the ones below, replace them with the generated ones and save the file.
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
The generated keys are 64 random characters each, so guessing one by brute force is not a realistic attack. They matter because WordPress uses them to sign its login cookies and nonces: a site that still carries the "put your unique phrase here" placeholders is using secrets everybody knows, and cookies can be forged. Note that changing the keys invalidates every existing login cookie, so all users (including you) have to sign in again.
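If you would rather not paste secrets from a web page, here is an added example (my own shell script, not from the original article or from WordPress) that generates all eight keys and salts locally from /dev/urandom and writes them into wp-config.php in place, keeping a .bak copy. It assumes a Linux or BSD host with tr, head and sed, and a wp-config.php whose eight define lines are present, either as the stock placeholders or as older values you want to rotate; the character set and the 64-character length are this example's own choices.

```shell
#!/bin/sh
# Added example: rotate the WordPress keys and salts in wp-config.php using
# only /dev/urandom, tr, head and sed. Not part of WordPress itself.

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# One 64-character value from a printable set. Quote characters, backslash,
# & and | are deliberately left out so the value can be dropped into a PHP
# single-quoted string and into a sed replacement without any escaping.
# 75 symbols x 64 positions is roughly 400 bits of entropy.
random_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^*()_+={};:,.<>?~-' < /dev/urandom | head -c 64
}

# Exit 0 only if all eight defines exist and none still holds the placeholder.
wp_salts_ok() {
    config="$1"
    for key in $WP_SALT_KEYS; do
        grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]${key}['\"]" "$config" || return 1
    done
    ! grep -q 'put your unique phrase here' "$config"
}

# Replace every key/salt define with a fresh value, keeping config.bak.
# Every user is logged out afterwards: login cookies are signed with these.
rotate_wp_salts() {
    config="$1"
    cp "$config" "$config.bak" || return 1
    for key in $WP_SALT_KEYS; do
        salt=$(random_salt)
        # Match the whole define line for this key (exact key name, so
        # AUTH_KEY does not also match SECURE_AUTH_KEY) and rewrite it.
        sed -i.tmp "s|^[[:space:]]*define([[:space:]]*['\"]${key}['\"].*|define('${key}', '${salt}');|" "$config" || return 1
        rm -f "$config.tmp"
    done
    # Fails if a define was missing from the file (older configs had only
    # the four keys); add the missing lines by hand and run again.
    wp_salts_ok "$config"
}

# Usage: rotate_wp_salts /var/www/html/wp-config.php
[ $# -ge 1 ] && rotate_wp_salts "$@"
```

If WP-CLI is installed on the server, `wp config shuffle-salts` does the same job; either way, take the backup from step 1 first and expect to log in again afterwards.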
Installing Acunetix WP Security
The Acunetix WP Security plugin is a useful WordPress security tool. It is free, scans your installation for weaknesses that attackers might exploit, and tells you how to fix them.
It checks your WordPress installation and suggests corrective measures for file permissions, database security, hiding the WordPress version, protecting the admin area, and more. Like any other plugin, it is code running inside your site, so keep it updated along with the rest.
Changing WordPress Table Prefix
When WordPress is installed on most hosting, the default table prefix "wp_" is used. Everybody knows that, and attackers certainly do: injection payloads written for WordPress assume table names such as wp_users and wp_options.
Changing the prefix can be done manually or with a plugin, and you need not install anything new: the Acunetix WP Security plugin discussed above can do it. Take a database backup first (step 1), because the change renames every table and must also update the rows that embed the prefix (the wp_user_roles option and the wp_capabilities and wp_user_level user meta keys); if those are missed, you lose admin access. Bear in mind that this is obscurity rather than a fix: a SQL injection flaw can still read the real table names from information_schema.
To do it, head to WP Security > Database, scroll to the bottom of the page, enter a new prefix under "Change Database Prefix" and click "Start Renaming".
Blocking Search Engine Spiders from Indexing the Admin Section
The admin area contains everything sensitive about your site, and you do not want search engines indexing it. In robots.txt, add a Disallow rule for /wp-admin/ under a User-agent: * entry (WordPress serves a generated robots.txt with exactly that rule when no physical file exists, so you only need your own file if you are overriding that default).
Keep in mind that robots.txt is only a request to well-behaved crawlers; it protects nothing, and attackers read it to find paths you would rather hide. Real protection for the admin area comes from the login hardening above and the .htaccess rules in the next steps.
You can create the "robots.txt" file in any text editor and upload it via FTP, or, if you use the Yoast SEO plugin, create or edit it under SEO > Tools > File Editor.
Protecting your .htaccess file
.htaccess files hold the access restrictions for a directory, so the file itself must not be readable over the web. The block below denies HTTP requests for any file whose name contains ".hta" (which covers .htaccess; a .htpasswd file, if you use one, is not matched by this pattern and needs its own rule). Most Apache default configurations already contain an equivalent rule in httpd.conf, but adding it to your root .htaccess costs nothing if your host has not. On Apache 2.4 the native equivalent of the Deny line is "Require all denied"; the Order/Deny syntax below still works there as long as mod_access_compat is loaded. Place the code in your domain's root .htaccess file and save the changes:
# .htaccess PROTECTION
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order Allow,Deny
Deny from all
</Files>
As with robots.txt, the .htaccess file can be created in any text editor and uploaded via FTP, or created and edited with the File Editor of Yoast SEO.
Disabling Directory Browsing
Directory listings let visitors browse your directory structure and see exactly which plugins, themes and versions you run, which makes it much easier for an attacker to pick an exploitable component.
Disable them by editing the ".htaccess" file in your root directory (via FTP or Yoast SEO) and adding the lines below, then saving the changes. One caveat: if your host does not allow the Options directive in .htaccess (AllowOverride without Options), this line makes Apache return a 500 error for the whole site, so test immediately after saving and remove it if that happens:
# Disabling Directory Browsing
Options All -Indexes
Protecting Your wp-config.php File
wp-config.php holds your database credentials as well as the security keys from step 5, so a request that returns it (for instance when a misconfiguration stops PHP from executing) hands an attacker everything. Deny web access to it by adding the following lines to the ".htaccess" file in your root directory:
<Files wp-config.php>
Deny from all
</Files>
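To check that the .htaccess and wp-config.php steps above actually landed, here is an added example (my own shell script, not part of the original article or of any plugin) that audits a WordPress document root on disk and reports what is still missing: placeholder keys and salts, the default wp_ prefix, a world-readable wp-config.php, the plugin and theme editor still enabled (the DISALLOW_FILE_EDIT constant from the closing advice), and the three .htaccess rules from this guide. It only reads files, so it can run on the server or on a local copy; it assumes an Apache host where .htaccess is honoured, and the warning texts are this example's own.

```shell
#!/bin/sh
# Added example: audit a WordPress document root for the hardening steps in
# this guide. Read-only; prints one WARN line per finding and returns the
# number of findings (0 means everything checked is in place).

audit_wp_docroot() {
    root="$1"
    config="$root/wp-config.php"
    htaccess="$root/.htaccess"
    problems=0

    warn() { echo "WARN: $1"; problems=$((problems + 1)); }

    if [ ! -f "$config" ]; then
        warn "wp-config.php not found in $root"
        return 1
    fi

    # Stock keys/salts mean every login cookie on the site is forgeable.
    grep -q 'put your unique phrase here' "$config" && warn "wp-config.php still has placeholder keys/salts"

    # Default prefix: obscurity only, but it is what step 7 asks for.
    grep -Eq "table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$config" && warn "default table prefix wp_ in use"

    # Mode ...4 lets every local account on a shared host read the DB password.
    [ -n "$(find "$config" -maxdepth 0 -perm -004)" ] && warn "wp-config.php is world-readable"

    # Built-in plugin/theme editor lets anyone with an admin session write PHP.
    grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" "$config" || warn "DISALLOW_FILE_EDIT not set in wp-config.php"

    if [ ! -f "$htaccess" ]; then
        warn "no .htaccess in $root (directory listing, .htaccess and wp-config.php are unprotected)"
    else
        grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$htaccess" || warn "directory listing not disabled (Options -Indexes)"
        grep -Eiq '<Files[[:space:]]+wp-config\.php>' "$htaccess" || warn "wp-config.php not denied in .htaccess"
        # Accept either the article's [Hh][Tt][Aa] pattern or a plain ".ht" match.
        grep -Fq '[Hh][Tt][Aa]' "$htaccess" || grep -Fiq '".ht' "$htaccess" || warn ".htaccess itself not protected"
    fi

    return $problems
}

# Usage: audit_wp_docroot /var/www/html
[ $# -ge 1 ] && audit_wp_docroot "$@"
```

A clean run does not mean the rules are effective: .htaccess is only honoured if the host's AllowOverride permits it, so after the audit passes, also request /wp-config.php and /.htaccess from a browser and confirm you get a 403 rather than file contents.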
Beyond these 11 simple methods to make your WordPress site more secure, I recommend disabling the built-in plugin and theme editor if you do not use it regularly (the DISALLOW_FILE_EDIT constant in wp-config.php controls it), hiding the WordPress version (Acunetix WP Security can do this), and hiding author usernames.
Following the methods above will make your WordPress site considerably harder to compromise and will limit the damage if it is attacked in future. What other methods do you use to secure your WordPress site? Leave your feedback in the comments below.