Failing to protect your WordPress site from potential hackers could leave years of work vulnerable to attack. Malicious users know how to exploit vulnerabilities in unprotected sites, hijack files and plugins for their own use and sabotage functionality. If you’re not doing all you can secure your site against attacks, it’s time to take action. Use these ten WordPress security tips as a starting point to lock out hackers and protect your web presence.
1. Obscure the Login Page
By default, WordPress users access their login pages via domain names followed by wp-login or wp-admin. Hackers know this and will immediately navigate to these pages when attempting to enter your site. Using a security plugin, you can change the URLs of login and user registration portals. Although this doesn’t prevent hackers from eventually finding these pages, it slows them down and maybe frustrating enough to make them give up trying to access your site.
2. Choose Unique User Identification
Using “admin” as your administrator login name is like an open door for hackers. Your log in should be distinct to your website and difficult to figure out. One way to ensure your login remains unique is to use the email associated with your WordPress installation instead of a username. Email addresses are harder to guess and offer better authentication for administrator logins.
3. Be a Password Juggler
There was a time when you could stick a few numbers on the end of your dog’s name and call it a reliable password, but in today’s volatile Internet landscape, you need much more than that. Use a password generator to create strong WordPress passwords, and change them on a regular basis. Good passwords include uppercase and lowercase letters, numbers, and symbols in various combinations. The more complex your passwords, the more secure your site will be.
4. Enable Two-Factor Authentication
Many sites employ a two-step process to verify the identity of each user attempting to log in. Using the same method on your site means it will take a little longer for you to get to the dashboard, but it may prevent hackers from gaining access to your site. Two-factor authentication lets you choose a secret question or a special code to be after the initial password screen. Some methods use a one-time authentication message sent via text to ensure only authorized users can log in.
5. Install a Security “Watchdog”
Hackers need multiple attempts to get into your WordPress site, and plugins like WordFence alert you to this activity while locking down the site to prevent unauthorized access. Such security plugins act like gatekeepers, watching who tries to log in, sending alerts, checking for file changes and banning offending IP addresses. Reports of activity arrive in your inbox immediately and again in weekly summaries so that you can keep on top of any potential problems.
6. Control Other Accounts
Collaborative or corporate blogs require several user accounts, and this can pose a problem for security unless all users understand how to keep the site protected. Be selective when adding accounts, since every new login creates another potential point of vulnerability. Establish rules about password strength and how frequently passwords should be changed, and make sure each user has a distinct login name. Set individual user permissions at the lowest levels possible so that it’s difficult for hackers to do damage should additional accounts ever be compromised.
7. Use .htaccess to Hide Important Files
Editing the .htaccess file can change certain WordPress functions, including the level of security. With the right code, you can:
- Disable directory listings to prevent unauthorized users from accessing file listings
- Hide your wp-config file from malicious users
- Set which IP addresses are granted administrative privileges
- Block access to the PHP files for themes and plugins
Remember to back up the existing .htaccess file before making any changes.
8. Stay on Top of Updates
Themes, plugins and the WordPress core are updated regularly to fix known problems, including security issues. Before installing any plugin or theme, check the last time it was updated. Ensure the developers offer continued updates after installation, and stay away from pirated “free” versions of premium plugins. Run updates as soon as you can to eliminate vulnerabilities. If you have trouble remembering to update or have a tendency to miss notifications, consider setting automatic updates to run on a routine basis.
9. Don’t Neglect “Spring Cleaning”
Make a habit of going through the plugins and themes stored on your WordPress site whenever you run updates. Delete anything you haven’t used in a while or have replaced with something more functional. You may be surprised how many plugins you’ve accumulated while building your site and getting rid of unused ones eliminates vulnerabilities. It’s also a good idea to clean up your database from time to time. Find a reliable database cleaning plugin and run it to remove old file versions and other outdated information. As a bonus, your site should load faster and run more smoothly without the extra files weighing it down.
10. Backup as Often as Possible
No matter how careful you are, there’s always a chance an enterprising hacker could break through your site’s defenses. Creating site backups safeguards all the information on your site, giving you a way to restore everything should your security measures ever fail.
Some hosting companies provide scheduled backups as part of their services, but it’s a good idea to also have your own plan in place. Use a backup plugin or make manual backups on a regular basis, and store the files in a secure place so that you know they’ll always be there if you need them.
WordPress site security isn’t a “set it and forget it” measure. After putting initial protections in place, it’s essential to continue monitoring activity and running updates. Keep an eye out for new, stronger security tools, and implement the best combination of plugins and code changes to prevent the majority of attacks.