- May 17, 2015
- Posted by: Wevio
- Category: Development, Wevio Blog
Security is a serious concern for any WordPress site. Our own products are built and tested with security in mind, but a number of risks lie outside the control of any theme or plugin vendor: they depend entirely on how the site is hosted, configured and administered. As the site owner, you need to take care of these yourself.
In this article we suggest a set of tips that make a WordPress site harder to compromise:
Use secure hosting
When choosing a web hosting provider don’t simply go for the cheapest you can find. Do your research, and make sure you use a well-established company with a good track-record for strong security measures.
Update all the things
Many hackers will intentionally target older versions of WordPress with known security issues, so keep an eye on your Dashboard notification area and don’t ignore those ‘Please update now’ messages.
The same applies to themes and plugins. Make sure you update to the latest versions as they are released. If you keep everything up-to-date your site is less likely to get hacked.
Strengthen up those passwords
Weak passwords are one of the commonest ways WordPress sites get compromised. Your administrator password in particular must be strong. Passwords such as ‘abc123’, the site name or ‘password’ are far more common than you might think and are the first things a brute-force tool tries; if yours looks anything like that, change it to something long and unique as soon as possible, and keep it in a password manager rather than reusing it elsewhere.
Never use “admin” as your username
If your username is “admin”, an attacker already knows half of the credential pair: “admin” is the first name every brute-force script tries, and on older installations that account is also user ID 1, which makes it easy to single out. Change it, and avoid obvious variants such as “administrator” or “sitename-admin” as well.
WordPress does not let you rename a user from the dashboard, but you can replace the account:
- Create a new administrator account with a different username, log out, and log in as that new user.
- Delete the original “admin” account. When WordPress asks what to do with its content, choose to attribute all posts to your new user; otherwise the posts are deleted together with the account.
Hide your username from the author archive URL
The author archive page is another place an attacker can read your login name.
By default the URL of your author archive contains your username: if your username is jamesblog, the page is http://yoursite.com/author/jamesblog. Worse, a request for http://yoursite.com/?author=1 redirects straight to that page, so the name can be harvested without any guessing.
The slug in that URL is not the username itself but the user_nicename column of the wp_users table, which WordPress fills with the username by default. Give it a different value (through the database, WP-CLI or wp_update_user()) and the archive URL stops revealing the login name, for the same reasons explained above for “admin”. Do the same for the display name, which also defaults to the username and appears in post bylines.
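The two procedures above (replacing the “admin” account, then making sure the new account exposes neither its login name in the author URL nor in bylines) can be done in one go. The following script is an added example written for this article, not code from the original post or from WordPress itself; it uses WordPress's own user functions and is meant to be run once with WP-CLI's `wp eval-file`. The login, slug, display name and e-mail address in it are placeholders you must change.

```php
<?php
/**
 * One-off script. Run from the WordPress root with:  wp eval-file replace-admin.php
 * Replaces the "admin" account with a new administrator whose login name,
 * author-URL slug (user_nicename) and display name all differ, and reassigns
 * admin's posts to the new account. Placeholders below must be changed first.
 */
require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() is defined here

$old_login    = 'admin';
$new_login    = 'owner-7k2q';        // placeholder: the name you will type at wp-login.php
$new_nicename = 'editorial';         // placeholder: becomes /author/editorial/, never the login
$new_display  = 'Editorial Team';    // placeholder: shown in bylines instead of the login
$new_email    = 'owner@example.com'; // placeholder

$old = get_user_by( 'login', $old_login );
if ( ! $old ) {
    exit( "No user '{$old_login}' found; nothing to do.\n" );
}

// 1. Create the replacement administrator. The password is random and never printed;
//    set your own afterwards through the "Lost your password?" link on the login page.
$new_id = wp_insert_user( array(
    'user_login'    => $new_login,
    'user_nicename' => $new_nicename,
    'display_name'  => $new_display,
    'user_email'    => $new_email,
    'user_pass'     => wp_generate_password( 32, true, true ),
    'role'          => 'administrator',
) );
if ( is_wp_error( $new_id ) ) {
    exit( 'Could not create user: ' . $new_id->get_error_message() . "\n" );
}

// 2. Delete "admin" and hand every post it owns to the new account. The second
//    argument is the reassign target; without it the posts would be deleted too.
wp_delete_user( $old->ID, $new_id );

// 3. Sanity check: the author archive must use the slug, not the login name.
$url = get_author_posts_url( $new_id );
echo "Replaced '{$old_login}' (ID {$old->ID}) with '{$new_login}' (ID {$new_id}).\n";
echo "Author archive is now {$url}\n";
if ( false !== strpos( $url, $new_login ) ) {
    echo "WARNING: the login name still appears in the author URL.\n";
}
```

For an existing account you want to keep, the same two fields can be changed in place with wp_update_user(), passing the user's ID together with new user_nicename and display_name values. After the change, request /?author=1 on your site and confirm it no longer redirects to a URL containing a valid login name.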
Limit Login Attempts
A hacker or bot running a brute-force attack against your password needs a great many guesses, so limiting the number of failed logins allowed from a single IP address cuts the attack short.
The Limit Login Attempts plugin does exactly that: you choose how many retries are allowed and how long an IP address is locked out after too many failures. Note that behind a CDN or reverse proxy every visitor can appear to come from the same address, so make sure the plugin sees the real client IP before you enable lockouts, or you will lock out your own readers.
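To show what such a lockout actually consists of, here is a minimal per-IP login throttle written as a must-use plugin. It is an added example for this article, not the Limit Login Attempts plugin's own code; it relies on WordPress's wp_login_failed, authenticate and wp_login hooks, stores its counters in transients, and assumes that REMOTE_ADDR is the real client address (no CDN or reverse proxy in front) and that the transient store is shared by every web node.

```php
<?php
/**
 * Plugin Name: Per-IP login throttle (added example)
 * Save as wp-content/mu-plugins/login-throttle.php.
 * Minimal re-implementation of what Limit Login Attempts does, written for this
 * article. Assumes REMOTE_ADDR is the real client IP and that transients are kept
 * in a store (options table or object cache) shared by all web nodes.
 */

define( 'LT_MAX_FAILS', 5 );                      // failures tolerated per window
define( 'LT_WINDOW',    15 * MINUTE_IN_SECONDS ); // window in which failures are counted
define( 'LT_LOCKOUT',   30 * MINUTE_IN_SECONDS ); // how long an address stays locked out

function lt_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names must be short and free of odd characters, so key them on a hash.
function lt_keys( $ip ) {
    $h = md5( $ip );
    return array( 'lt_fail_' . $h, 'lt_lock_' . $h );
}

// 1. Every failed login bumps the per-IP counter; the Nth failure starts a lockout.
function lt_record_failure( $username ) {
    list( $fail_key, $lock_key ) = lt_keys( lt_client_ip() );
    if ( get_transient( $lock_key ) ) {
        return; // already locked; attempts during the lockout do not extend it
    }
    $fails = (int) get_transient( $fail_key ) + 1;
    if ( $fails >= LT_MAX_FAILS ) {
        set_transient( $lock_key, time() + LT_LOCKOUT, LT_LOCKOUT );
        delete_transient( $fail_key );
        error_log( sprintf( 'login lockout: ip=%s last_user=%s', lt_client_ip(), $username ) );
    } else {
        set_transient( $fail_key, $fails, LT_WINDOW );
    }
}
add_action( 'wp_login_failed', 'lt_record_failure' );

// 2. While locked out, refuse authentication whatever the credentials were.
//    Priority 99 runs after WordPress's own username/password check (priority 20),
//    which ignores any non-WP_User value passed in and would otherwise override
//    an error returned earlier in the chain.
function lt_block_if_locked( $user, $username, $password ) {
    list( , $lock_key ) = lt_keys( lt_client_ip() );
    $until = (int) get_transient( $lock_key );
    if ( $until > time() ) {
        $minutes = max( 1, (int) ceil( ( $until - time() ) / 60 ) );
        return new WP_Error(
            'lt_locked',
            sprintf( 'Too many failed logins from your address. Try again in %d minutes.', $minutes )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'lt_block_if_locked', 99, 3 );

// 3. A successful login clears the counter so an occasional typo does not accumulate.
function lt_on_success( $user_login, $user ) {
    list( $fail_key ) = lt_keys( lt_client_ip() );
    delete_transient( $fail_key );
}
add_action( 'wp_login', 'lt_on_success', 10, 2 );
```

Because the authenticate filter also runs for XML-RPC logins, the throttle covers wp-login.php and xmlrpc.php alike. The error_log() line is there so lockouts show up in the web server's error log; that is the signal you want to watch for when deciding whether a site is being brute-forced.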
Disable file editing via the dashboard
In a default WordPress installation, you can navigate to Appearance > Editor and edit any of your theme files right in the dashboard.
The trouble is that anyone who gains access to your admin panel, with a stolen password for example, can use that same editor to plant a backdoor in a theme or plugin file.
It is therefore a good idea to disable this editor by adding the following line to your wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
This removes the editor screens from the dashboard. It does not stop an administrator from uploading a new plugin or theme; the stricter DISALLOW_FILE_MODS constant blocks uploads and dashboard updates as well, at the cost of having to apply updates by other means.
Keep a backup
Several security and backup plugins can take scheduled backups of your files and database and send them to an email address or to off-site storage. Keep the copies somewhere other than the web server itself, and restore one to a test site occasionally: a backup is only useful if you know it restores cleanly. With a known-good copy you can roll the site back as soon as a compromise is found.
Use security plugins
As well as all of the measures above, there are tons of plugins you can use to tighten your site’s security and reduce the likelihood of being hacked.
Here are a handful of popular options:
- http://wordpress.org/plugins/better-wp-security/ – offers a wide range of security features.
- http://wordpress.org/plugins/bulletproof-security/ – protects your site via .htaccess.
- http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ – adds a firewall to your site.
- http://wordpress.org/plugins/sucuri-scanner/ – scans your site for malware etc.
- http://wordpress.org/plugins/wordfence/ – full-featured security plugin.
- http://wordpress.org/plugins/websitedefender-wordpress-security/ – comprehensive security tool.
- http://wordpress.org/plugins/exploit-scanner/ – searches your database for any suspicious code.