14 simple steps to boost your WordPress site security in 15 minutes or less
Securing your WordPress website is a top priority. Whether you’re running a new food blog or a high-traffic niche site, hackers are always ready to break into your site. Rather than get hacked and take steps to recover from a devastating attack, you’re better off just acting proactively to improve the security of your WordPress site.
Keep in mind though that there’s no site that’s 100% secure. But you can take steps to improve your security and protect your site from some of the most widespread hacks on the web today. This post highlights some easy steps you can take to boost your WordPress site security in 15 minutes or less.
1. Don’t use ‘Admin’ as the administrator username
A lot of WordPress sites are still using ‘Admin’ as their administrator username, and hackers know it. This is one of the most wannabe mistakes you can make for the security of your site. Hackers are going to use this username and run millions of password combinations in an attempt to log into your site. Depending on how complex your password is, they may or may not manage.
Well, you can avert a site hijacking situation by simply not using ‘Admin’ as your administrator username.
Take the following steps:
- Create a new administrative user.
- If the previous ‘Admin’ username was the only user on the site, you’ll want to assign all your existing content (pages and blog posts) to the new user that you have created.
- Now delete the previous ‘admin’ user from WordPress.
This settles it. It takes just 45 seconds of your time but can be a significant step towards boosting the security of your WordPress site.
2. Set a strong password
According to Mark Burnett, a security professional who analyzed over 10 million passwords on the web, the most commonly used passwords are:
If you are still using these or other guessable passwords, then you’re putting your WordPress site in great jeopardy. Passwords are extremely vital to the security of your site, and they should be as complex as possible.
Make sure to use passwords that:
- Are not words (which can easily be hacked via a dictionary attack),
- Include numbers and symbols,
- And that are at least 15-characters long.
If you have no idea how to piece together a password that strong, there are tons of free online tools that can help you generate very secure passwords. A few example include the Strong Password Generator and Phonetic Password Generator.
3. Setup login lock-down
This entails locking down your site whenever there’s a number of failed login attempts. For instance, if a hacker tries to break into your site through brute force attack, this means that they try multiple wrong passwords. Immediately, the lock-down feature will block any subsequent login attempt from that user, and you’ll be notified of this suspicious activity.
Setting up login lock-down on your WordPress is a simple step to boost security. Better yet, it just takes about a minute of your time. You can use a reputable security plugin such as iThemes Security, which has this feature. Alternatively, if you’re not interested in a comprehensive security plugin, simply install Loginizer. This is a very simple plugin that automatically blocks repetitive, wrong login attempts. You can install Loginizer in a couple of seconds and there is no plugin setup required. Once you install and activate it, you’re ready to go.
4. Remove plugins from insecure sources
Plugins are a fundamental part of the WordPress architecture. To maintain the security and integrity of your site, you should only download plugins from secure sources. The WordPress plugin repository currently has tens of thousands of secure plugins available. However, plugins can also be found from other places such as Mojo Marketplace, Code Canyon, and GitHub.
Before you install a plugin (especially from little-known marketplaces), always make sure that you:
- Read reviews and comments from other users who have already installed the plugin.
- Do a little research on the plugin author to see whether they have been linked to any compromised plugins in the past.
- See whether there’s support for the plugin (could be either free or paid).
- See whether the plugin author responds to users’ queries.
It’s also important that you do a backup of your site before installing a plugin.
So go right ahead and make sure that you’ve only installed reputable plugins from well-known sources.
5. Update your site and plugins
Keeping your WordPress theme(s) and plugins updated is another simple step to boost the security of your site. You also need to make sure that you are running the latest version of WordPress. Theme and plugins updates are usually released to patch security issues that have come up. Failing to update your WordPress environment means that you’re leaving your site vulnerable to known security issues.
Whenever you log into your site to publish a post or edit something, make sure that you check Dashboard > Updates to see whether there’s anything that needs updating.
6. Keep your site clean
For purposes of security, it’s important that you keep your WordPress site clean. This means that you get rid of ‘unused stuff’ such as old themes, deactivated plugins, etc. It’s very easy to forget to update old themes and deactivated plugins, so you are better off just getting rid of them.
7. Disable trackbacks
The purpose of trackbacks and pingbacks is to notify you when your content has been linked from an external web page. Hackers could use these trackbacks to propagate massive DDoS (Distributed Denial of Service) attacks.
Simply navigate to Settings > Discussion and disable ‘Allow link notifications from other blogs (pingbacks and trackbacks)’.
It’s something you can get done within a few seconds, but one that can go a long way towards boosting the security of your WordPress website.
8. Prevent directory browsing
By default, your web server will show a listing of your directories if it does not find an index.html or index.php file. This might expose crucial information related to your themes, plugins, and other contents to everybody.
To check whether directory browsing is turned on for your site, simply create a new folder and place a simplistic text file within it. Then open your web browser and visit it.
For instance, I’ll create a folder named ‘Exposed’ in the root folder of my domain, and then put a text file called ‘myfile’ within it.
Then I’ll open my web browser and navigate to www.wpdiscounts.com/Exposed.
If directory browsing is turned off, I should get a ‘Page Not Found’, or ‘Forbidden’, or get a blank page. Otherwise, I should be able to see the contents of my directory (myfile) listed.
If directory browsing is turned on, follow the procedure below to turn if off:
- Open your .htaccess file and add this line
Options All –Indexes
- Open wp-content/plugins and wp-content/themes folders and put a blank index.php file in there too.
9. Conduct regular site backups
Maintaining an off-site backup of your website is perhaps one of the best security antidotes that you can stash. With a backup, you can restore your website back to working order within a couple of minutes if at all you get hacked. How good does that sound?
With the help of efficient, easy to use plugins, backing up your WordPress site can be super easy. You can use VaultPress or UpdraftPlus to automate the backup process. Just install any of these plugins and it’ll take just a minute or two for you to configure automatic backups after specified time intervals.
10. Protect your wp-config.php file
This is an important file that stores crucial information on your WordPress site installation. Indeed, wp-config.php is the most important file within your website’s root directory. Protecting this file should be a priority.
If wp-config.php is not accessible to hackers, then it’ll get very difficult for them to break into your site.
Follow the following steps to protect your wp-config.php file.
- Use your FTP client to download the .htaccess file located in the root directory of your site. For security purposes, use SFTP or FTPES secure protocols to encrypt the file transfer to your computer.
- Use Notepad or any other text editor to open the .htaccess file.
- Copy the following code at the very bottom of your .htaccess file to deny access to your wp-config.php file:
# protect wpconfig.php <files wp-config.php> order allow,deny deny from all </files>
Note: If you’re using Notepad to edit your .htaccess file, make sure that when saving the changes, you select ‘All Files’ in the ‘Save as Type’ field. This prevents notepad from adding a .txt extension to your .htaccess file.
11. Disable file editing
Users who have admin privileges can edit any files within your WordPress installation. This includes theme and plugin files.
However, you can disallow this to boost the security of your WordPress site. If a hacker obtains administrator privileges and accesses your WordPress dashboard, they will not be able to edit any file if you have disabled file editing.
You can install this security safeguard in less than a minute. Simply Add the line below at the very end of your wp-config.php file.
12. Hide your WordPress version
What if you forget to update your WordPress site, or just get a little bit lit at doing it? Your WordPress site version is usually accessible to visitors via the ‘Source Code’ viewer on their browser. Hackers could get a better idea of how to break into your site by looking at this number.
If you’re running a premium theme on your WordPress installation, there’s a pretty good chance that the developer disabled the Version number already. But it’s always good to be certain. If you’re using a security plugin such as iThemes Security, you’ll be able to turn on the option to hide version number.
If you have no security plugin installed, you can just simply drop this one line of code in your functions.php file.
<?php remove_action('wp_head', 'wp_generator'); ?>
13. Secure your computer
It’s possible that hackers could break into your site due to security vulnerabilities on your PC. If you’re using a Windows PC, make sure that Windows Defender is updated to the latest version. The important thing is to ensure that your PC is secured and up to date with a reliable Antivirus software. There are many different antivirus programs to choose from. To start with, you can purchase and install Avast, AVG, or Panda. Both Panda and Avast have free versions that you can download online right now if you’re not ready yet to purchase a premium antivirus version.
14. Pick a secure host
Think of this as more of a bonus tip, but one that all the same impacts the security of your WordPress website. According to WP White Security, about 41% of WordPress websites were hacked due to security vulnerabilities on the host. What does this tell you? However much you do to boost the security of your WordPress site, your hosting company also has a part to play.
If you’re using shared hosting, your plan should have account isolation. This prevents other people’s sites from affecting yours. It’s also advisable to work with hosting that’s designed to directly cater for WordPress. Do a little background research on your hosting company to see whether WordPress site owners are complaining about their websites being hacked.
It’s your turn
Keeping your WordPress website secure is a priority. Your website is an investment that’s probably worth a lot of time and money. It takes just a few minutes of your time to boost the security of your site. Take action now. Start with the first step above and follow through down to the last step and you’ll be positioned to put up a good fight whenever a hacker tries to poke holes into your site.
If you need clarification on any of these steps, simply let us know in the comments section below.
LAST UPDATED ON: May 20, 2017
POSTED UNDER: Tutorials