How To Secure Your WordPress Site - WordPress Security 101

WordPress is a pretty secure platform, but there are several things you can do to harden WordPress security and protect your website.

By Tim Trott | WordPress | April 10, 2012

One of the most vital steps you must take for WordPress security is to keep your WordPress installation up to date. If a new security vulnerability is found in WordPress, it is usually fixed quickly and a new version is released. In addition to this, there are several other steps that you can take to improve WordPress security.


Change the Database Table Prefix in WordPress

When installing WordPress you have the option to specify a database table prefix. By default this is 'wp_', which is an easy guess for would-be attackers. By changing it to something only you know, you make the database harder to target with attacks that assume the default table names.

Keep the wp-admin Directory Protected with .htaccess

Although you need to enter a username and password to reach the WordPress administration pages, there are still resources within the admin folder that an attacker could use to gain control of your website. You should enable server-level password protection on this folder, which gives you an extra layer of protection over all the administration content. The following tutorial shows you how to do it in 7 easy steps.

Keep Backups of your Database and Files

Keeping a backup of your WordPress database and files is as important as keeping the site safe from hackers. If the latter fails, at least you still have clean backup files to revert to. Many hosting companies provide options to back up the database and files, and there are a few WordPress plugins that will back up your database and email it to you.

Disable XML-RPC to Improve WordPress Security

If you do not publish posts from an external application, you should disable XML-RPC, which is a method for remotely logging in and publishing using desktop or mobile applications such as Windows Live Writer.
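One way to switch XML-RPC off from code rather than a plugin, as an added example that is not from the original article: a must-use plugin using WordPress's own `xmlrpc_enabled`, `wp_headers` and `xmlrpc_methods` filters. Note that `xmlrpc_enabled` only blocks methods that require a login; pingbacks need none, so they are removed separately.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 *
 * Save as wp-content/mu-plugins/disable-xmlrpc.php so it loads on every
 * request without needing activation. Example code, not from the article.
 */

// Refuse every XML-RPC method that requires authentication. xmlrpc.php then
// answers with a fault ("XML-RPC services are disabled on this site.").
add_filter( 'xmlrpc_enabled', '__return_false' );

// Stop advertising the endpoint: drop the X-Pingback response header ...
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// ... and the Really Simple Discovery <link> in <head>, which points at xmlrpc.php.
remove_action( 'wp_head', 'rsd_link' );

// pingback.ping accepts unauthenticated requests, so xmlrpc_enabled = false
// does not stop it. Remove the pingback methods explicitly.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
```

Jetpack, covered later in this article, and the WordPress mobile apps connect over XML-RPC, so use this only if you rely on neither.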

Disable or Remove Unused Plugins and Themes for added WordPress Security

If you have downloaded a few plugins or themes and decided not to use them, did you deactivate them? Did you delete the files? There is always a possibility that a vulnerability will be found in a plugin, or in code that the plugin or theme uses, and a deactivated plugin's files are still present on the server. It's always best to remove any unused plugins or themes you have installed.

Remove or Rename the Admin User Account in WordPress

A typical installation of WordPress comes with a default user account with the login name admin. If that's what you are using to access your site, then you have just made a hacker's job 50% easier. Now all they have to do is guess the password...

Here is how to change the admin login name:

  1. Log in to the WordPress admin panel.
  2. Go to Users -> Add New.
  3. Add a new user with the Administrator role, making sure you use a strong password.
  4. Log out of WordPress, and log back in with your new admin user.
  5. Go to Users.
  6. Remove the "admin" user.
  7. If "admin" has written posts or pages, remember to attribute all posts and links to the new user when prompted.

Use a Strong Password

A strong password is one that you can remember easily enough but is very difficult for somebody else to guess. It should also be as long as you can make it. You should also try to avoid using common letter replacements in standard words, such as changing an o to a 0, an a to an @, and so on.

Good passwords are often made up from phrases: think of a common phrase and use the first letter of each word. Take "The Quick Brown Fox Jumps Over The Lazy Dog". The password becomes 'tqbfjotld', which seems like a good password, but would only take the average desktop computer about 22 minutes to crack. You should also add numbers as well as symbols to a password, again something which you can remember, but not something anybody else would know. And not your PIN either. A simple change to the password '1tqbfjotld!' (adding a ! and the number 1) takes the cracking time to 48 years. Adding another number to the end, '1tqbfjotld!4462', should take the cracking time to several hundred million years.

You can check how strong your current password is with howsecureismypassword.net.
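The kind of estimate such checkers make, as an added example that is not from the article: the alphabet the attacker must assume is raised to the password's length, then divided by an assumed guess rate. The rate of 10 billion guesses per second is a hypothetical figure, so the times differ from the article's; the ratios between the three passwords are what the example shows.

```php
<?php
// Added example, not from the original article. Estimates worst-case
// brute-force time for the article's three passwords.

/** Size of the alphabet an attacker must assume, from the character classes used. */
function charset_size(string $password): int
{
    $size = 0;
    if (preg_match('/[a-z]/', $password)) { $size += 26; }
    if (preg_match('/[A-Z]/', $password)) { $size += 26; }
    if (preg_match('/[0-9]/', $password)) { $size += 10; }
    if (preg_match('/[^a-zA-Z0-9]/', $password)) { $size += 33; } // printable ASCII symbols
    return $size;
}

/** Number of candidates an exhaustive search covers: alphabet ^ length. */
function keyspace(string $password): float
{
    return pow(charset_size($password), strlen($password));
}

/** Years needed to exhaust the keyspace at $guesses_per_second. */
function crack_years(string $password, float $guesses_per_second): float
{
    return keyspace($password) / $guesses_per_second / (365 * 24 * 3600);
}

// Assumed (hypothetical) offline attacker speed against a fast, unsalted hash.
$rate = 1e10;
foreach (['tqbfjotld', '1tqbfjotld!', '1tqbfjotld!4462'] as $pw) {
    printf("%-16s alphabet %2d  length %2d  log2(keyspace) %5.1f  exhaustive search %.3g years\n",
        $pw, charset_size($pw), strlen($pw), log(keyspace($pw), 2), crack_years($pw, $rate));
}
// Caveat: this treats the password as random. 'tqbfjotld' is the acronym of a
// famous sentence, so a rule-based dictionary attack finds it in far fewer
// guesses than the keyspace suggests.
```

The same caveat applies to any strength meter: it measures the alphabet and length it sees, not whether the string follows a pattern an attacker would try first.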

Bad Password Examples
Easily guessed words, and some numbers, but still guessable.

april1
1223334444
admin
password

Better Password Examples
Random letter generators are secure, but can you remember these? Chances are you would have to write them down somewhere. Random strings are also crackable using a brute-force technique if they are short enough.

usuengoidlnpwxean
g1sJOj1Oo3bp3cyvLr63

Best Password Examples
Combinations of letters, numbers and symbols.

n[4[(x%I0RC|
MRPeSF;{MAYm
Y5^-x]njQh3Qk32

Plugins to Help Improve WordPress Security

Akismet

Akismet checks your comments against the Akismet web service to see if they look like spam or not. If a comment looks like spam, it is automatically moved to the junk folder. Spam comments may contain scripts or other code that can compromise your WordPress security.

Better WP Security

Better WP Security takes the best WordPress security features and techniques and combines them in a single plugin, thereby ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site.

Use Google Authenticator for WordPress Security

The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry. The two-factor authentication requirement can be enabled on a per-user basis. You could enable it for your administrator account, but log in as usual with less privileged accounts.

Jetpack - WP Security, Backup, Speed, & Growth

WordPress security, performance, marketing, and design tools: Jetpack is made by WordPress experts to make WP sites safer and faster, and to help you grow your traffic.

We guard your site so you can run your site or business. Jetpack Security provides easy-to-use, comprehensive WordPress site security including auto real-time backups and easy restores, malware scans, and spam protection. Essential features like brute force protection and downtime/uptime monitoring are free.
