No one will dispute the popularity of WordPress, especially now that it is used to power over 60 million websites worldwide. WordPress is one of the easiest CMSs to set up and get started with. Whether you want to use it for blogging or for a business website, WordPress gives you that flexibility. But all this popularity comes at a price: hackers are interested in it for exactly the same reason. Let's agree on one thing: the core developers of WordPress have done a good job of keeping the core files secure, but you as the site owner also play a large role in the overall security of your WordPress installation.
Below I have gathered the ten most essential security tweaks you can apply to your WordPress site NOW to keep hackers at bay. This is by no means an exhaustive list, but it is the minimum you should apply to your WordPress site.
- Do Not Use "admin" as the Username of the Administrator
This is one of the most common methods hackers have used to attack WordPress websites. By now I am sure you have read about the recent massive botnet attacks on WordPress websites, in which hackers brute-forced the WordPress admin area by taking the username "admin" and trying it against thousands of passwords. The moral of the story is: do not use admin as the username of a user with the administrator role; in fact, do not have a user called admin anywhere in your system. Keep in mind that a username is not a secret (author archive URLs reveal login names), so this change only removes the attacker's easiest guess; the strong password and login limits covered below are what actually stop brute force. To remove the user admin, do the following:
- Log in to the admin area of your WordPress site
- Go to Users and click Add New
- Fill in the required details. Remember to give this user the role of Administrator and use a strong password.
- Click the Add New User button to create the account
- Log out and log back in as the new user
- Go back to Users and delete the user admin
When you delete a user who owns posts, WordPress asks what to do with that user's content; choose "Attribute all content to" and pick the new user rather than deleting the posts.
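As an added example (not code from the original post), here are the same steps as a one-off script run with WP-CLI's `wp eval-file`, which is handier when you look after several sites. The new login name and e-mail address are assumptions, and the script assumes a single-site (not multisite) installation.

```php
<?php
/**
 * replace-admin.php: create a new administrator and delete 'admin',
 * reassigning its posts to the new account.
 * Run from the WordPress root:  wp eval-file replace-admin.php
 * Added example, not part of the original post. The new login name and
 * e-mail address below are assumptions; change them. Single-site installs
 * only (multisite deletes users with wpmu_delete_user() instead).
 */

$old_login = 'admin';
$new_login = 'siteowner';         // assumption: pick a name that is not guessable
$new_email = 'owner@example.com'; // assumption
$new_pass  = wp_generate_password( 24, true, true ); // random; printed once at the end

$old = get_user_by( 'login', $old_login );
if ( ! $old ) {
    WP_CLI::success( "No user named '$old_login' exists; nothing to do." );
    return;
}
if ( get_user_by( 'login', $new_login ) || email_exists( $new_email ) ) {
    WP_CLI::error( 'The replacement login name or e-mail address is already in use.' );
}

// Steps 2-4: add the new user with the administrator role.
$new_id = wp_insert_user( array(
    'user_login' => $new_login,
    'user_email' => $new_email,
    'user_pass'  => $new_pass,
    'role'       => 'administrator',
) );
if ( is_wp_error( $new_id ) ) {
    WP_CLI::error( $new_id->get_error_message() );
}

// Step 6: delete 'admin'. The second argument reassigns every post and link
// it owned to the new user instead of deleting them (the "Attribute all
// content to" choice in the dashboard). wp_delete_user() lives in an admin
// include file that is not loaded on the command line, hence the require.
require_once ABSPATH . 'wp-admin/includes/user.php';
if ( ! wp_delete_user( $old->ID, $new_id ) ) {
    WP_CLI::error( "Could not delete user '$old_login'." );
}

// Check: who holds the administrator role now?
$admins = get_users( array( 'role' => 'administrator', 'fields' => array( 'user_login' ) ) );
WP_CLI::log( 'Administrators now: ' . implode( ', ', wp_list_pluck( $admins, 'user_login' ) ) );
WP_CLI::success( "Created '$new_login' and removed '$old_login'. Password (save it in a password manager now): $new_pass" );
```

The final listing is the check worth keeping: after the script runs, exactly the accounts you expect should hold the administrator role, and none of them should be called admin.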
- Keep Your WordPress Core Files, Plugins and Themes Always Updated
Another precaution in keeping WordPress safe is to ensure that WordPress core is up to date. The same goes for all the plugins and themes you are using on your sites: outdated plugins and themes with known, already-patched vulnerabilities are the usual way into a WordPress site. When you log in to the admin area you will be notified if an update is available; you can also check under Dashboard >> Updates. It is also advisable to delete any plugins or themes you are not using: a deactivated plugin's files are still on the server and can still be requested directly, so it keeps whatever vulnerability it has.
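Waiting for the dashboard notice is the minimum; as an added example (not from the original post), this must-use plugin turns on automatic updates for core, themes and plugins, keeps one hypothetical plugin on manual updates, and flags inactive plugins that should be deleted:

```php
<?php
/**
 * Plugin Name: Automatic updates for everything
 * Save as wp-content/mu-plugins/auto-updates.php. Files in mu-plugins load
 * on every request and cannot be switched off from the dashboard.
 * Added example, not from the original post; the excluded plugin slug
 * 'my-custom-checkout' is a hypothetical placeholder.
 */

// Core: minor and security releases install themselves by default since
// WordPress 3.7; this also lets major releases install unattended.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Themes: update every installed theme, active or not.
add_filter( 'auto_update_theme', '__return_true' );

// Plugins: update all of them except the ones you must test by hand first.
// $item->slug is the plugin's directory name.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $update_by_hand = array( 'my-custom-checkout' ); // hypothetical slug
    return ! in_array( $item->slug, $update_by_hand, true );
}, 10, 2 );

// Have core e-mail the site admin after each automatic core update, so you
// know when to check that the site still works.
add_filter( 'auto_core_update_send_email', '__return_true' );

// Inactive plugins are still on disk and still reachable. Show anyone who can
// delete plugins a reminder listing them until they are gone.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'delete_plugins' ) ) {
        return;
    }
    $inactive = array_diff(
        array_keys( get_plugins() ),                      // every installed plugin file
        (array) get_option( 'active_plugins', array() )   // the active ones
    );
    if ( $inactive ) {
        echo '<div class="notice notice-warning"><p>Inactive plugins still on disk, delete them: '
            . esc_html( implode( ', ', $inactive ) ) . '</p></div>';
    }
} );
```

Automatic updates only help if you can recover when one breaks something, which is one more reason for the backup tip further down.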
- Enforce Strong Passwords
This cannot be overemphasized. Ensure that all the passwords used on your WordPress site are strong, so that in the event of a brute-force attack on your website they are not easy for the attacker to guess. Do not let anyone tell you that a password like john123 is good because it mixes numbers and letters; there is more to think about than that. Length matters most: a long passphrase of unrelated words beats a short one padded with symbols, and a password manager will generate and remember a long random password for you. Use the resources below to get a strong password.
If you are not sure whether your current password is strong enough, use this link to check it (test a candidate password, not one you are already using somewhere).
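WordPress shows a strength meter in the browser but does not refuse weak passwords on the server. As an added example (not from the original post), this must-use plugin enforces a minimum policy whenever a password is set in a profile or through the password-reset form; the 12-character minimum and the small blocklist are assumptions to tune for your site:

```php
<?php
/**
 * Plugin Name: Minimum password policy
 * Save as wp-content/mu-plugins/password-policy.php.
 * Added example, not from the original post. The minimum length, the
 * three-of-four character-class rule and the blocklist are assumptions.
 */

// Returns an error message for a weak password, or '' if it is acceptable.
function my_password_policy_error( $password, $user_login = '' ) {
    if ( strlen( $password ) < 12 ) {
        return 'Passwords must be at least 12 characters long.';
    }
    // Reject the "common word plus digits" pattern the post warns about.
    $blocklist = array( 'password', 'wordpress', 'admin', 'qwerty', '123456' );
    $lower     = strtolower( $password );
    foreach ( $blocklist as $bad ) {
        if ( false !== strpos( $lower, $bad ) ) {
            return 'Password contains a common word; choose something unpredictable.';
        }
    }
    if ( '' !== $user_login && false !== stripos( $password, $user_login ) ) {
        return 'Password must not contain your username.';
    }
    // Require at least three of: lower-case, upper-case, digits, symbols.
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        if ( preg_match( $re, $password ) ) {
            $classes++;
        }
    }
    if ( $classes < 3 ) {
        return 'Use at least three of: lower-case letters, upper-case letters, digits, symbols.';
    }
    return '';
}

// Profile edit and Add New User screens in wp-admin; pass1 is the new password field.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // password is not being changed
    }
    $login = isset( $user->user_login ) ? $user->user_login : '';
    $msg   = my_password_policy_error( $_POST['pass1'], $login );
    if ( $msg ) {
        $errors->add( 'weak_password', '<strong>Error</strong>: ' . esc_html( $msg ) );
    }
}, 10, 3 );

// "Lost your password?" reset form on wp-login.php.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return;
    }
    $msg = my_password_policy_error( $_POST['pass1'], $user->user_login );
    if ( $msg ) {
        $errors->add( 'weak_password', '<strong>Error</strong>: ' . esc_html( $msg ) );
    }
}, 10, 2 );
```

Adding an error to the WP_Error object is what makes WordPress abort the save and show the message, so the weak password never reaches the database.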
- Use a Reliable Web Host
Your web host is where your WordPress site lives, so it is imperative that you look at the security your web host has put in place before making a decision. Many people only consider cost, bandwidth, resilience and add-on services and forget the single most important aspect: SECURITY. Make sure your web host does not treat security as an afterthought but builds it into its core design processes. Some of the questions you should put to your web host include:
- What kind of defence mechanisms do they have in place?
- How would they respond to an attack, or worse, a breach?
- How do they monitor security threats on their servers?
- Do they have backup services, and can you restore from them yourself?
- Limit Login Attempts
As mentioned earlier, in a brute-force attack a hacker runs a script that tries to log in to your site over and over with different combinations of usernames and passwords. You can combat this by installing a plugin called Limit Login Attempts, which locks a user out once the wrong password has been entered more than the specified number of times. Two caveats: lockouts are keyed on the client IP address, so a botnet spread over many addresses still gets a few tries each (which is why the strong password matters), and if your site sits behind a proxy or CDN the plugin must be told which header carries the real client address, or every visitor will share one address and one lockout.
Some of the tweaks you can do using this plugin are:
- Set the number of failed login attempts allowed
- Set the duration of lock out
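To show what such a plugin actually does, here is an added example of a minimal login throttle as a must-use plugin. It is not the Limit Login Attempts plugin's code and not code from the original post; the thresholds and the assumption that REMOTE_ADDR is the real client address are yours to adjust.

```php
<?php
/**
 * Plugin Name: Simple login throttle
 * Save as wp-content/mu-plugins/login-throttle.php.
 * Added example, not the Limit Login Attempts plugin and not code from
 * the original post. Thresholds and the IP assumption below are yours to tune.
 */

const MY_LOGIN_MAX_FAILS   = 5;       // failed attempts allowed ...
const MY_LOGIN_LOCKOUT_SEC = 20 * 60; // ... before this lockout (also the counting window)

// Assumption: no reverse proxy or CDN in front of the site, so REMOTE_ADDR is
// the client. Behind a proxy, read the proxy's forwarded-IP header instead,
// but only if the proxy overwrites it; otherwise clients can forge it.
function my_login_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// One counter per (username, IP) pair: a single attacker cannot lock every
// user out, and a user is only locked out from the address that failed.
function my_login_key( $username ) {
    return 'my_login_' . md5( strtolower( $username ) . '|' . my_login_client_ip() );
}

// Core fires this for every failed login that goes through wp_authenticate()
// (wp-login.php and XML-RPC alike). Transients expire on their own.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = my_login_key( $username );
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, MY_LOGIN_LOCKOUT_SEC ); // expiry restarts on each failure
} );

// Priority 30 runs after core's password check at priority 20. A WP_Error
// returned earlier would be overwritten by that check, so the lockout is
// decided after it and returned whether or not the password was right.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user;
    }
    if ( (int) get_transient( my_login_key( $username ) ) >= MY_LOGIN_MAX_FAILS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf(
                '<strong>Error</strong>: too many failed logins for this account. Try again in %d minutes.',
                MY_LOGIN_LOCKOUT_SEC / 60
            )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the pair's counter.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( my_login_key( $user_login ) );
} );
```

Because a locked-out attempt is itself reported as a failure, the lockout keeps extending while the attacker keeps hammering; a legitimate user only has to wait 20 minutes after the last attempt from their own address.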
- Backup! Backup! Backup!
Never rely on your web host to keep a backup of your WordPress website for you: host backups are often infrequent, kept on the same server, or simply not there when you need them. Always manage your own backup strategy; a plugin can do the work. Keep copies off the server, include both the database and the wp-content directory, and test a restore at least once, because a backup you have never restored is a hope, not a backup. Whatever happens to your website, you can then go back to the clean copy you backed up earlier. Some of the available backup plugins are
- Delete readme.html
Once a hacker gets hold of your readme.html he or she instantly knows which version of WordPress you are running, and can go straight to the known weaknesses of that version instead of probing blindly. Hackers are rarely patient, so anything that makes their work harder helps. If the thought of deleting a file makes your stomach turn, rename readme.html to something else instead. Two caveats: every core update puts readme.html back, so you must repeat this after each update (or block the file in your web server configuration instead), and the version is also printed in the generator meta tag of every page and in the ?ver= query string on core scripts and stylesheets, so removing readme.html alone hides little. The real protection is the earlier tip: run the current version, so that knowing it gains the attacker nothing.
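As an added example (not from the original post), this must-use plugin closes the other version leaks that core itself controls; it goes beyond the readme.html case in the text. Blocking readme.html itself belongs in the web server configuration, since updates recreate the file.

```php
<?php
/**
 * Plugin Name: Hide WordPress version
 * Save as wp-content/mu-plugins/hide-version.php.
 * Added example, not from the original post. Removes the version from the
 * places core prints it; it does not stop fingerprinting by file hashes,
 * so keep updating.
 */

// 1. <meta name="generator" content="WordPress x.y"> in every page's <head>.
remove_action( 'wp_head', 'wp_generator' );

// 2. <generator> element in RSS/Atom and the other feeds; get_the_generator()
//    runs this filter for every feed type.
add_filter( 'the_generator', '__return_empty_string' );

// 3. ?ver=x.y on every core script and stylesheet URL. Replace it with an
//    opaque per-site token derived from the version rather than dropping it,
//    so browsers still re-fetch assets after an update (cache busting keeps working).
function my_hide_core_version_in_src( $src ) {
    global $wp_version;
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( $query && false !== strpos( $query, 'ver=' . $wp_version ) ) {
        // AUTH_SALT comes from wp-config.php, so the token is unique to this site.
        $token = substr( md5( $wp_version . AUTH_SALT ), 0, 8 );
        return add_query_arg( 'ver', $token, $src );
    }
    return $src; // plugin and theme assets carry their own versions; leave them alone
}
add_filter( 'script_loader_src', 'my_hide_core_version_in_src' );
add_filter( 'style_loader_src', 'my_hide_core_version_in_src' );
```

To check the result, view the page source of your home page and the feed at /feed/: neither should contain the WordPress version string any more.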
- Block Directory Browsing on Your WordPress Site
NEVER allow the public to list your directories and their files. An open directory listing shows an attacker exactly which plugins, themes, uploads and backup files you have, including ones that should never be public. To find out whether the public can browse your directories, open one of your WordPress directories in your browser, replacing yourdomainname with your real domain name.
If you are redirected to your home page, get a 403 Forbidden (which is what the rule below produces) or get a 404 Page Not Found, you are safe; if you get a listing of the directory's contents, you are exposed and should close that loophole immediately.
What you can do to stop the public from listing your directories is to add the following to the .htaccess file in your WordPress root (this works on Apache; if your host runs nginx, .htaccess is ignored and directory listing is off unless autoindex has been enabled):
# Prevent folder browsing
Options All -Indexes
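As an added example (not from the original post), the rule above extended into a small .htaccess block that also covers the readme.html tip from earlier, with the caveats that matter when you apply it:

```apache
# .htaccess in the WordPress root. Added example, not from the original post.
# Needs the host to permit these directives (AllowOverride must include
# Options and AuthConfig); if it does not, Apache answers every request
# with a 500 error, so test the site immediately after saving.

# Prevent folder browsing (covers wp-content/uploads/ and every other folder)
Options -Indexes

# Files that reveal the WordPress version or hold secrets. Core updates
# recreate readme.html, so block it here rather than deleting it each time.
# Apache 2.4 syntax; on Apache 2.2 replace "Require all denied" with
# "Order allow,deny" followed by "Deny from all".
<FilesMatch "^(readme\.html|license\.txt|wp-config\.php)$">
    Require all denied
</FilesMatch>
```

After saving, request /readme.html and a directory URL from a browser where you are not logged in: both should now return 403 Forbidden.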
- Monitor for Malware
Another important part of keeping your WordPress website secure is to regularly scan it for malware or other malicious scripts. A quick first check is Sucuri's free SiteCheck scanner: go to Sucuri, enter your domain name and let it do the rest. Bear in mind that a remote scanner only sees what your site serves to the public; a backdoor that stays quiet until it is called, or a change to files that are never served, will not show up. So also compare your core files against the official checksums and look for files in the core directories that should not be there.
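As an added example (not from the original post), this script does that local check: it fetches the official checksums for your installed version from api.wordpress.org, reports core files that are modified or missing, and lists files under wp-admin/ and wp-includes/ that core does not ship. WP-CLI has an equivalent built-in command (`wp core verify-checksums`) that you should prefer in practice; the script shows what it does.

```php
<?php
/**
 * verify-core.php: compare every WordPress core file with the checksums
 * published for its version at api.wordpress.org.
 * Run from the WordPress root:  wp eval-file verify-core.php
 * Added example, not from the original post. Assumes an installed locale
 * that the checksums API knows (en_US always works).
 */
global $wp_version;

$url  = add_query_arg(
    array( 'version' => $wp_version, 'locale' => get_locale() ),
    'https://api.wordpress.org/core/checksums/1.0/'
);
$resp = wp_remote_get( $url, array( 'timeout' => 30 ) );
if ( is_wp_error( $resp ) ) {
    WP_CLI::error( $resp->get_error_message() );
}
$data = json_decode( wp_remote_retrieve_body( $resp ), true );
if ( empty( $data['checksums'] ) ) {
    WP_CLI::error( "No checksums published for $wp_version / " . get_locale() . ' (try locale=en_US).' );
}
$checksums = $data['checksums']; // 'wp-admin/index.php' => md5 hex, ...

$problems = 0;

// 1. Every shipped file must exist and hash as published. Bundled themes and
//    plugins under wp-content/ are skipped: sites remove or replace them legitimately.
foreach ( $checksums as $file => $md5 ) {
    if ( 0 === strpos( $file, 'wp-content/' ) ) {
        continue;
    }
    $path = ABSPATH . $file;
    if ( ! file_exists( $path ) ) {
        WP_CLI::warning( "missing:  $file" );
        $problems++;
    } elseif ( md5_file( $path ) !== $md5 ) {
        WP_CLI::warning( "modified: $file" ); // injected code or a tampered core file
        $problems++;
    }
}

// 2. Anything on disk inside the core directories that is not in the
//    checksum list was not put there by WordPress: classic backdoor location.
foreach ( array( 'wp-admin', 'wp-includes' ) as $dir ) {
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( ABSPATH . $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $f ) {
        $rel = str_replace( array( ABSPATH, '\\' ), array( '', '/' ), $f->getPathname() );
        if ( ! isset( $checksums[ $rel ] ) ) {
            WP_CLI::warning( "unexpected: $rel" );
            $problems++;
        }
    }
}

if ( $problems ) {
    WP_CLI::error( "$problems problem(s) found; inspect the files above before trusting this site." );
}
WP_CLI::success( "All core files for WordPress $wp_version match the published checksums." );
```

Run it from cron and alert on a non-zero exit code; a modified core file or an unexpected file under wp-includes/ is one of the most reliable signs of a compromised site.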
- Invest in a Security Plugin
I intentionally left this for last, for one reason: many WordPress security plugins will help you achieve most of the measures discussed above from a single place. A plugin is a convenience, not a substitute for the updates, strong passwords and backups above, and it is one more piece of code to keep updated. Some of the plugins you can use to protect your WordPress site are