Security has been taken seriously in WordPress, with a large number of experts constantly developing the most stable WordPress versions, refining the code for flaws, as well as doing security updates. However, you need to know that no system can be completely safe and secure, and even WordPress have some bad security track record.
According to Secunia, WordPress had 7 unpatched security advisories in April 2009, had caused many high profile search engine optimization blogs and low-profile commercial blogs been attached in January 2007, and had released 50 most downloaded WordPress plugins which were vulnerable to common Web attacks such as SQL injection and XSS in June 2013.
In this circumstance, you have to carry out some security precautions to keep your WordPress powered website safe. And in this article, our editors have listed some basic but really useful tips on how to achieve this goal.
Adopt Strong Passwords
You have to set a complex username and strong password on your login page, otherwise you may give malicious intruders the easy access to your login credentials, thus hacking your site effortlessly. We have discovered that many webmasters choose their real name, their website name, the number of their birthday, or even a word from a dictionary as the password. This is totally wrong.
You have to make your password be hard for other people, even yourself to remember and guess, and avoid using any number specific or alphabet specific password. In fact, there are so many tools available to help you generate secure, encrypted and random passwords safely, such as GoodPassword, Multicians, Random Password Generator, PC Tools, LastPass, and much more.
Use Complex Username
Everyone knows WordPress will give you a default username – admin, after the installation process has been completed. But this username is basically making hacking an easy thing, because only the password needs to be broken into. Therefore, you should always avoid continuing use admin as your username, and should change it immediately with a mixture of numbers, letters, dashes, and slashes.
To change your default WordPress admin username, just follow these steps:
- Login to your WordPress admin panel
- Click on the Add New User button in the Users section
- Add a new user by choosing the Administrator role in the Role drop down menu. Note the password you enter should be strong and safe.
- Re-login with your new WordPress admin username.
- Delete the previous username in the User section.
Frequently Update the Version of WordPress
A study revealed WordPress secure experts has showed that 98% of WordPress blogs which are exploitable because they are running outdated and unsupported versions of the software. Generally, once a vulnerability or a loophole is discovered in WordPress, then a new version will be developed and released to address the issue, and the information about this loophole will be certainly known for every. To be frank, this makes website with old WordPress versions pretty easy to be attacked.
If you are not willing to keep an eye on WordPress.org to see whether there is a new version been released or not, your WordPress dashboard will notify you about the updates.
Utilize WP-Config.PHP File
The security benefits of storing your wp-config.php outside the web-root folder depend on what theme you’re using and how your site is configured, but if you don’t do this, you will end up encountering serious vulnerabilities.
Nothing can be more important than keeping back up the core file, data, and database of your WordPress site. Just image your site has been hacked, but you do not a clean backup file to easily restore everything in a very short period. How frustrating will it be?
Thus, you have to keep a backup copy of all your website files, as well as programming data on the web server in case any valuable information gets corrupted or lost. In this way, even the hacker has destroyed or deleted some, or all of your website files and texts, you don’t need to rebuild your site from scratch, but just restore everything with the backup files. We have already given you some tips about backing up your website a few days ago, so you can read the article and backup your site accordingly.
Keep an Eye on Login Credentials and File Permission
Generally, we don’t recommend you sharing your login information with anyone else, as this may lead some potential dangers to your website. But if there are some people really need to access your site regularly, say your coworkers, just create a separate account for them. And if you take away this permission, deactivate the account or change the password immediately.
Besides, you have to carefully set the file permissions to specify who and what can read, write, modify, and access your content.
Change Your WordPress Tables Prefix
WordPress will give your WordPress tables a default name like wp_posts or wp_users, but you’d better rename it to avoid some potential attacks. But make sure that you have learned about how to do this, otherwise you may destroy your WordPress site.
Secure your Site with Plugins
You can find a tremendous number of security related plugins in WordPress.org. And you only need to download and install them, then you site will be monitored and safeguarded effectively from any intrusions and suspicious activities. But do not forget keeping them up to date. Here, we’d like to recommend you the top 3 of WordPress security plugins.
- Better WP Security– The easiest and the most effective WordPress secure plugin which improves the security of any WordPress site in seconds. It integrates the most advanced security features and techniques, thus can detect and prevent as many vulnerabilities as possible.
- Wordfence Security – This plugin is powerful but free to use, with a firewall, virus scanning, malicious URL scanning, real-time traffic with geolocation, and much more.
- Exploit Scanner – This plugin will quickly scan all the files and data in your WordPress site, and will list the ones with malicious code. Even the spam links which hide in your posts using CSS or IFRAMES will be detected.
Scan Your Website Regularly
You need to have your website scanned and monitored regularly, at least once a month to make sure that your site hasn’t been infected by malware, blacklisting status, website errors, and any other suspicious pieces of code. If you don’t know which website scanner should you choose, simply try SiteLock or Securi Sitecheck.
Use SSL Encryption
SSL Encryption is used to prevent people intercepting the date you use, especially the account credentials. Thus hackers cannot get their hands on your password and destroy your website. Some web hosts require you to pay for an SSL encryption, but others like HostGator offer this service for free. Besides, for WordPress SSL encryption, you need to add the following line to your wp-config.php:
define (‘FORCE_SSL_ADMIN’, true);
Choose a Secure Web Host
A safe and reliable web hosting company is essential to protect your site from potential dangers. You have to make sure that your hosting service comes with suPHP, which execute PHP scripts only with the permissions of the website owners. Besides, the web host you choose should perform regular backups for website and servers, no less than once a week. Here, we highly recommend the following web hosts which are the leading web hosts offering the highest level of security and reliability.