- Oct 6, 2015
WordPress is the most widely adopted and best supported CMS globally. It has robust features and benefits, but since it is an open-source platform whose code anyone can study, your website's security can be at risk. Every update makes WordPress better, but even today there are a few areas where it is still vulnerable.
If you are looking to improve the security of your WordPress website, then you have landed on the right page. This post comes directly from the desk of a developer who is a WordPress specialist, and it should prove extremely useful –
Steps to BETTER SECURITY
Selection of Username, Password and Table Prefix
It is important that you do not use obvious usernames and passwords. Choose them carefully and pick the least predictable option. Avoid usernames such as admin, superadmin, administrator and the like.
Deciding on a password can be the tricky part. Use long, strong and unique passwords everywhere. Obvious passwords, or passwords derived from your website's own data, can be broken easily by a brute-force attack or other tools. A password generator can help you produce strong passwords. Click here: (https://www.google.co.in/?q=password+generator)
It is also suggested that you replace the default database table prefix with one of your own while installing WordPress; this too helps in securing your website.
Update WordPress, Themes and Plug-Ins
The core development team updates WordPress on a regular basis, and these updates include security fixes; the older your WordPress version, the more vulnerable it is. So keep your site up to date with the latest version of WordPress. In the same way, it is advisable to update the themes and plug-ins you use, as older plug-ins and themes may rely on deprecated and vulnerable functions.
Fight Network, Web Server and PC issues
Ensure the security of the device you work from. Install a good anti-virus product and run thorough checks for malware, spyware and viruses. Always keep your browser updated to the latest version. Furthermore, check the security of the web server on which your WordPress website runs. If you are on a shared server, be prepared to deal with the consequences of another website on that server being compromised.
FTP & File Permissions
To keep your WordPress website secure, always connect over SFTP (the SSH File Transfer Protocol) rather than plain FTP. SFTP encrypts the whole session, so your password is not sent in the clear where attackers could pick it up. By default, WordPress allows some files to be edited by the web server. Giving the web server write access is not recommended if your website is on a shared host; keep write access for your own user account, and only on the files you need to edit often.
Take a look at this permission scheme, covering the three main areas:
WordPress Admin – Keep all files writable only by the user account
WordPress Includes – Keep all files writable only by the user account
WordPress Content – Keep all files writable by user account and web server
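The scheme above, as an added shell example that is not code from the original post: wp-admin and wp-includes become writable only by the owning user account, wp-content becomes writable by that account and by the web server's group. The web server group name is an assumption you pass in (www-data is only an illustration); the script only changes group ownership when one is given.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the three-part
# permission scheme to a WordPress tree. Assumes the files are owned by your
# own user account and that the web server runs as the group passed as the
# second argument (the group name is an assumption; www-data is only an
# illustration). Ownership is left alone unless that group is given.
set -e

# Print a path's mode in octal (GNU stat first, BSD stat as a fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Recursively set directory and file modes under one path.
set_tree_modes() {   # $1=path  $2=directory mode  $3=file mode
    find "$1" -type d -exec chmod "$2" {} +
    find "$1" -type f -exec chmod "$3" {} +
}

apply_wp_permissions() {   # $1=WordPress root  $2=web server group (optional)
    root=$1
    webgroup=${2:-}
    # With a web server group given, make it the group owner of the tree, so
    # that the group-writable bits below mean "writable by the web server".
    if [ -n "$webgroup" ]; then
        chgrp -R "$webgroup" "$root"
    fi
    # wp-admin and wp-includes: writable only by the owning user account.
    set_tree_modes "$root/wp-admin" 755 644
    set_tree_modes "$root/wp-includes" 755 644
    # wp-content: writable by the user account and by the web server group.
    set_tree_modes "$root/wp-content" 775 664
}

# Usage: apply_wp_permissions /var/www/example www-data
```

Run it as the owning user after every deployment, and re-run it if a plug-in or a manual upload loosens the modes again; the file modes matter only because the group owner is the web server, so check ownership first with ls -l.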
Secure WordPress Admin Section
Are you aware that you can add an extra layer of security to your website by protecting the WordPress admin section? All you have to do is add basic authentication in your .htaccess file. WordPress uses this file to control how Apache serves files from its root directory and subdirectories. You can use a .htaccess generator, click here: http://www.htaccesstools.com/htaccess-authentication
Or you can simply follow the steps below and add the directives to your file:
AuthName "Protected Area"
Then create a .htpasswd file in your root directory and add the following line, which holds the username and password:
admin:$apr1$Lj043TBU$p1hgb.gOpE48hJ8jk.MXc.
Here, admin is the username and $apr1$Lj043TBU$p1hgb.gOpE48hJ8jk.MXc. is the password hash in Apache's MD5-based ($apr1$) format. To generate a .htpasswd file online, click here: (http://www.htaccesstools.com/htpasswd-generator/)
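The complete set of directives the post's AuthName line belongs to, plus a way to create the .htpasswd entry locally instead of through a website, as an added shell example that is not code from the original post. The path /var/www/example/.htpasswd, the user name admin and the password are placeholders; the hash is produced by openssl passwd -apr1, the same $apr1$ scheme as the hash shown above.

```shell
#!/bin/sh
# Added example, not code from the original post: write the basic
# authentication block for wp-admin/.htaccess and a matching .htpasswd entry.
# Paths, user name and password below are placeholders.
set -e

# Emit the directives that protect the directory the .htaccess sits in.
# $1 = absolute path to the .htpasswd file. Apache needs an absolute path;
# the post keeps the file in the site root, which works as long as the server
# refuses to serve dot-files (Apache's default "Files ~ ^\.ht" rule does).
htaccess_auth_block() {
    cat <<EOF
AuthType Basic
AuthName "Protected Area"
AuthUserFile $1
Require valid-user
EOF
}

# Produce one "user:hash" line for .htpasswd using Apache's MD5-based
# ($apr1$) scheme, which is the format of the hash shown in the post.
htpasswd_entry() {   # $1=user  $2=password
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
}

# Protect the whole wp-admin directory: write both files in one go.
protect_wp_admin() {   # $1=WordPress root  $2=user  $3=password  $4=.htpasswd path
    htpasswd_entry "$2" "$3" > "$4"
    chmod 640 "$4"                     # readable by you and the web server only
    htaccess_auth_block "$4" > "$1/wp-admin/.htaccess"
}

# Usage: protect_wp_admin /var/www/example admin 'a long random password' /var/www/example/.htpasswd
```

Two things to keep in mind when you use this: the browser login this adds is separate from the WordPress login, so use a different password for it, and if any front-end feature calls wp-admin/admin-ajax.php for anonymous visitors, those requests will hit the password prompt too and you will need to exempt that one file in the same .htaccess.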
Securing wp-includes adds another layer of protection. We wrote the code; all you have to do is add the lines below to your .htaccess file before the # BEGIN WordPress block.
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
This will help in bettering the security of your WordPress website and acts like a shield for it. Note that on a multisite install the rule blocking wp-includes/*.php also blocks ms-files.php, which older multisite networks use to serve uploaded files, so leave that one rule out there.
Secure WordPress CONFIG.PHP file
WordPress is written in PHP, which makes the website very robust. It comes with wp-config.php, one of the vital files of the system: it contains your database details. You can secure that file too. Add the directive below to your .htaccess file, inside a Files block that names wp-config.php, so that Apache refuses to serve the file directly –
deny from all
There you go; now you can rest assured that your database details cannot be fetched over the web.
Disable File Editing from Backend
The WordPress backend allows users to edit theme and plug-in files directly, which is one of the reasons it is so widely adopted. But this can also be harmful for your website, as the built-in file editor is a favourite target for hackers once they get hold of an account. So it is better to turn this default function off.
Add the following code to wp-config.php to remove this default function –
Although this will not stop an attacker from uploading files or hacking the site by other means, it provides a decent extra shield for your website. It is always better to have it.
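Both wp-config.php steps above, as one added shell example that is not code from the original post: the first function appends a Files block to the site's root .htaccess so Apache refuses to serve wp-config.php, the second sets WordPress's DISALLOW_FILE_EDIT constant, which removes the theme and plug-in editor from the backend. The WordPress root path in the usage line is a placeholder; both functions are written to be safe to re-run.

```shell
#!/bin/sh
# Added example, not code from the original post: harden wp-config.php by
# (1) blocking direct web access to it from .htaccess and (2) defining
# DISALLOW_FILE_EDIT so the backend file editor disappears. Both functions
# check for existing entries first, so the script can be re-run safely.
set -e

# Append a <Files wp-config.php> deny block to $1/.htaccess unless present.
protect_wp_config() {   # $1=WordPress root
    ht="$1/.htaccess"
    if [ -f "$ht" ] && grep -q '<Files wp-config.php>' "$ht"; then
        return 0
    fi
    cat >> "$ht" <<'EOF'
# Block direct web access to wp-config.php (Apache 2.4 syntax; on Apache 2.2
# use "Order allow,deny" followed by "Deny from all" inside the same block).
<Files wp-config.php>
    Require all denied
</Files>
EOF
}

# Add define('NAME', value); to wp-config.php unless NAME is already defined.
# The line goes in front of the "That's all, stop editing!" marker so the
# constant is set before wp-settings.php loads; without a marker it is appended.
wp_config_define() {   # $1=wp-config.php path  $2=constant name  $3=PHP value
    if grep -q "define( *['\"]$2['\"]" "$1"; then
        return 0
    fi
    line="define('$2', $3);"
    if grep -q "stop editing" "$1"; then
        awk -v ins="$line" '/stop editing/ && !done { print ins; done = 1 } { print }' \
            "$1" > "$1.tmp"
        cat "$1.tmp" > "$1" && rm -f "$1.tmp"   # rewrite in place to keep mode/owner
    else
        printf '%s\n' "$line" >> "$1"
    fi
}

# Remove the backend file editor (Appearance > Editor, Plugins > Editor).
disable_file_edit() {   # $1=wp-config.php path
    wp_config_define "$1" DISALLOW_FILE_EDIT true
}

# Usage: protect_wp_config /var/www/example
#        disable_file_edit /var/www/example/wp-config.php
```

After running it, confirm the first part from outside: a request for /wp-config.php should now return a 403 instead of a blank page, and the Editor entries should be gone from the admin menus once you log in again.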
Ensure Data and file backup
Prevention is better than cure, as is rightly said. So be careful with your data and always maintain a backup. It is recommended to back up both the files and the database at regular intervals; it comes in handy in case your website is compromised for whatever reason.
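A minimal backup script for the step above, as an added shell example that is not code from the original post: it reads the database credentials out of wp-config.php, dumps the database with mysqldump and archives the whole site tree with tar. It assumes the single-quoted define() lines that WordPress's default wp-config.php uses, a DB_HOST of the host or host:port form, and that mysqldump, gzip and tar are installed; the paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: back up a WordPress site's
# database and files. Assumes single-quoted define('KEY', 'value') lines in
# wp-config.php and that mysqldump, gzip and tar are available.
set -e

# Print the value of a single-quoted define('KEY', 'value') from wp-config.php.
wp_config_value() {   # $1=wp-config.php path  $2=constant name
    sed -n "s/^[[:space:]]*define([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

wp_backup() {   # $1=WordPress root  $2=destination directory
    cfg="$1/wp-config.php"
    stamp=$(date +%Y%m%d-%H%M%S)
    db=$(wp_config_value "$cfg" DB_NAME)
    user=$(wp_config_value "$cfg" DB_USER)
    host=$(wp_config_value "$cfg" DB_HOST)
    mkdir -p "$2"
    # Hand the password over in MYSQL_PWD so it never shows up in `ps` output.
    # ${host%%:*} drops a ":port" suffix; adjust if DB_HOST names a socket.
    MYSQL_PWD=$(wp_config_value "$cfg" DB_PASSWORD) \
        mysqldump --single-transaction -h "${host%%:*}" -u "$user" "$db" \
        | gzip > "$2/db-$stamp.sql.gz"
    # The file backup takes the whole tree: themes, plug-ins, uploads and
    # wp-config.php itself.
    tar -czf "$2/files-$stamp.tar.gz" -C "$1" .
    # The archives contain your database credentials, so keep them private.
    chmod 600 "$2/db-$stamp.sql.gz" "$2/files-$stamp.tar.gz"
}

# Usage (e.g. from cron): wp_backup /var/www/example /var/backups/example
```

Keep the destination outside the web root and copy the archives off the server as well; a backup that sits next to the site is lost together with it when the server is compromised, and a restore you have never tried is not a backup.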
Install security related plug-ins from WordPress repository
WordPress is well known for its large repository of plug-ins and themes. Here we have listed some of the best WordPress security plug-ins. Be careful not to download plug-ins from third-party sites unless you know and trust them, because plug-ins that have not gone through the WORDPRESS.ORG review may be vulnerable and may put your website's security at risk.
a) All In One WP Security & Firewall (https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/)
b) iThemes Security (https://wordpress.org/plugins/better-wp-security/)
c) Bulletproof Security (https://wordpress.org/plugins/bulletproof-security/)
d) Wordfence Security (https://wordpress.org/plugins/wordfence/)
Hopefully the time invested in reading this post was worthwhile. WordPress websites are convenient and used globally, but securing yours is in your interest. We wish to help you get better security and make a difference in the tech world through our blogs.
We are tech freaks: we do not rest until we crack the code or solve the problem at hand during development. Tech is our adrenaline rush; we feel it and love it. We are WordPress specialists and offer services in WordPress development. We would love to be part of your steps to success. If you have any query, please write to us. And if you are looking to outsource WordPress development to India, then we offer a deal you can't deny. We would love to help you out with our tech solutions. Stay tuned for more such tips.