Top 15 WordPress Security Tips – Step by Step (2018)
Important Advice From Specialists That Could Save Your Business From Attacks
In today’s digital world having a website is essential for every business, no matter of the field. A positive add on to that is the fact that creating a website has never been easier. Nowadays you don’t need to write hundreds of lines of HTML/CSS code to have a good looking website. There are a couple of platforms that can basically do the coding for you. They are called Content Management Systems (CMS) and support the creation and future modification of digital content. WordPress is the most used CMS out there and there are no indications that it will soon fall behind.
Roughly 28% of the whole WEB is being powered by WordPress as 576 WordPress websites are created every single day. And these aren’t only small-company websites; big enterprises also use WordPress as the base of their website.
We need to pay more attention to the security topic since web intruders are evolving with the same pace as the technology itself. Web security is one of the main problems in 2017 as threats are lurking from everywhere. Even if you work at a big company sometimes important factors are neglected and this results in loss of time and money. Nobody wants to lose money, right? For this reason, we want to share 15 important security tips that could save your website from infiltration.
1. Don’t Use “Admin” As Your Administrator Username WordPress Username.
Nowadays everybody (including hackers) knows that “admin” is the most frequent username. Don’t make the life of hackers so simple! Choose a different username and make it start with a capital letter. Once the new administrator user is created and you assign all privileges to him, the old “admin” user can be deleted.
2. Pick Strong Passwords (Long, With Numbers, Capital Letters, And Symbols)
This may sound basic to some, but people are still using passwords like “123456” or “qwerty”. With a password like that, you are just asking for it. Choose a more complicated password that has numbers and symbols in it, and is at least 15 characters long.
3. Use 2-Factor Authentication For Login
No matter how complicated your password is, it can always be cracked. For this reason, use a 2-factor login authentication for maximum security. This second authentication step comes from a plugin that is up to your choosing and includes email, mobile phone or camera confirmation.
4. Download Plugins Only From Known Resources
WordPress plugins are a treasure that everybody wants to use. Only the official repository has more than 40 000 plugins. Be aware that a plugin might sometimes harm your site.
This is why, before downloading any plugin, always check for comments or reviews, if support exists; if the author is quick to react.
5. Keep Your WordPress Environment Updated
The WordPress staff takes the security topic quite seriously. They take care of your website with every patch and update. Every next update improves your security, website performance and fixes some annoying bugs. Keep your environment updated – this is the point of updates.
6. Disable The WordPress Theme And Plugin Editor
The built-in plugin and theme editor that is included in WordPress’s dashboard is a wonderful tool, but if you are not using it you may want to disable it for security reasons. If your account gets hacked, the intruder can easily ‘destroy’ your website, by just changing the code in the editor.
The Theme and plugin editor can be removed by inserting this line of code:
define( 'DISALLOW_FILE_EDIT', true );
into your wp-config.php file.
7.Limit Logins Based On Number Of Failed Attempts;
A user not being able to enter the right credentials three or even four times in a row is not a good sign. Even if you are super drunk this is still not a good option.
Limit your logins based on the number of failed attempts, in order to exclude the possibility of someone who could guess your password.
8. Hide Your WordPress Version Number
Many people recommend that hiding your WordPress version will improve your website’s security because it will protect you against mass hacker attacks.
Your installation version number appears in the following three places:
Scripts and styles with query strings: subscriptions.css?ver=4.0
The RSS feeds’ generator tag: <generator>http://wordpress.org/?v=4.0</generator>
The headers’ generator tag; <meta name=”generator” content=”WordPress 4.0″ />
9. Disable PHP Error Reports
When troubleshooting, these error messages are working wonderfully. On the other hand, they often display your server path, and expose it to danger. It is a good idea to disable your error reporting, and enable it only as a last resort.
To disable it, please add this code:
error_reporting(0); @ini_set(‘display_errors’, 0);
to your wp-config.php file
10. Work on Your WordPress File Permissions
File permissions are quite important if you want to keep those files safe. Avoid configuring directories with 777 permissions because this means they are readable, writable and executable by everybody.
A good advice is to configure your files with 640 or 644 permissions while your wp-config.php file should be 600. Adding a 600 permission means that only the owner will be able to read and write this specific file.
11. Ensure Regular Backups
No matter how well secured is your website; a backup is a must for any valuable business information. We can never know what disaster may the world bring, and how a simple backup could save your whole business.
12. Customize Your Login URL
Once the hackers get to your default /wp-login URL they can try to enter your account -which will hopefully result only in lost resources. Why take that chance? Creating a custom login URL will mislead any attackers and will hide the “door” to your account.
This is possible via various plugins like Custom Login URL, WPS Hide Login or HC Custom WP-admin URL. Once your plugin is installed you will just have to write your new login URL and save it.
13. Never Download Premium Plugins For Free
All these available premium plugins are awesome because they offer enhanced functionality, more customization and better performance. But why would someone pay for a premium plugin and then give it out for free? The short answer is to alter your website.
By adding ‘malicious’ plugins a number of bad actions might occur. This includes codes that add advertisements which could pop up at any moment, hidden links in the footer or other places in the HTML, give a share of your PageRank to other websites, pass your traffic to other websites, and could even alter your browser’s configuration file. Don’t be a cheapskate – it’s worth it!
14. Secure The wp-config.php File
Protecting your wp-config.php file is one of the most important security tips that we can share with you, as the file contains too much valuable information that would hurt you if fallen into the wrong hands.
In order to secure your wp-config.php file you need to download your .htaccess file that is located in the root directory of your website. Once you open the above mentioned file you need to paste the code below, after all other entries.
# protect wpconfig.php <files wp-config.php> order allow,deny deny from all </files>
15. Use WordPress Security Plugins
All Plugins add enhancements to your default configuration. So why not use special security plugins? These plugins will monitor your setup for any failed login attempts; will add malware scanning and integrity checking. You will be able to lock down any vulnerable areas that hackers like to goof around with.
As we said in the beginning web security is one of the ‘trendy’ topics in 2017 and we want to prepare you against any future disappointments. If you are having a powerful WordPress website that your business depends on, boosting up your web security is a must. By following these 15 WordPress Security tips you will improve your safety and will build 15 little armors that will shield your content, personal and client information…and this is always worth it!
WordPress has never been more widely used. We are talking about 576 WordPress websites that emerge every day. Because of this big amount, hackers are focusing more and more on WordPress sites and how to alter them. This is why we need to improve your website security and stop any breaching bulk attacks. In this article, we are sharing 15 great tips for WordPress users that will definitely help you in this security venture. Some of them are basic, others are more advanced, but all of them are worth completing, because you never know where an attack might come from!