12 Best Ways to Secure Your WordPress Site
WP security is always a food for thought. Despite the fact that most of the latest updates deal with WordPress security issues, there is still a lot that can be done to improve the security even by the less tech savvy people. Here we will enumerate some suggestions to improve security on your WP site for the best WP security.
1)Do not use admin as a username:
This is perhaps the easiest baseline step for WP security you can take as a WordPress user. It does not cost you anything and the install makes it easy to do. Most of the attacks target your wp-login/wp-admin access points using a combination of admin and some password in what is known as “Brute Force attacks”. As per common sense if you remove admin then you can kill the attack outright. But some people may argue that the attacker can still enumerate the user id and name and pull the user name. No one can deny this approach. So security is about risk reduction rather than risk elimination.
2) Use a less common password:
An easy thing to remember is CLU – complex,long and Unique. This is where tools come into play (they have password generators). If you type in the length, it generates the password. After the password is generated you can save the link and the password and move ahead. The length determines the the security of the password.
3) Add 2 factor authentication:
If you are not using admin as the password, and are using strong, randomly generated password the Brute Force attacks can still be annoying. This is where the 2 factor authentication comes into picture. The 2 factor authentication can be a little troublesome. But there is no alternative for the time being. It is the standard today for enhanced security at your access points. As a matter of fact you are already using this method for Gmail, Paypal so why not use it for WP security as well.
4) Employ the least privileged principles:
The concept of least privilege is quite simple, just give permissions to:
-> Those who need it
-> When they exactly need it
-> only for the time that they need it
If anyone wants administrator access temporarily for a configuration change, grant it, and then remove it up on the task completion.
5) Hide .htaccess and wp-config.php
For better WP security you might need to add this to your .htaccess file so as to protect wp-config.php:
|3||deny from all|
This will protect the file from being accessed. And similar code can be used for the .htaccess file itself.
|3||deny from all|
6) Use WP security keys for authentication:
The Authentication salts and keys work together to protect your passwords and cookies in transit between the webserver and the browser. These keys are a set of random variables that are used to improve encryption security of information in cookies. Changing this in the wp-config.php can be simply can be done by getting some new keys here and add these. The keys change on the on a refresh of the page so that you will always get a fresh set.
7) Disable file editing:
If a hacker goes in, perhaps the easiest way to change your files is to go to appearance-> editor in WP. To lift your WP security, one could disable writing of these files via the editor. So open the wp-config.php and add this line
You can still be able to edit your themes through your favourite FTP app, you won’t be able to do it via WP itself.
8) Limit the login attempts:
The attacks like Brute Force Attack, target your login form. Especially for the WP security, the All in one WP security and Firewall plugin has an option to change the URL (the default one), for that login form.
Next to that one can also limit the times (attempts), to login from a given IP address. And there are many WP plugins to protect your login form from the IP addresses which fire many login attempts in your way.
9) Be selective with XML-RPC:
The XML-RPC is an API which has been around for a while. It is used by many WordPressthemes and plugins so the less technical is cautioned to be mindful how they implement this hardening tip. While disabling and functional can come with a cost. This is why we do not recommend disabling for everything. In WP if you use jetpack, you might want to be very careful here.
10) Hosting and WP security:
In the past site reviews, we have had our site owners saying that their hosting company could not help us with this. The hosting companies just see your site differently. There is no rule to decide on your WP hosting company.
Be mindful of host account:
The biggest challenges with respect to hosts is in their account config for site owners. Site owners are permitted to install and then configure as many sites as they want.
11) Stay up to date:
Staying up to date is an easy statement, however for site owners’, daily, we realize how difficult this is done. Our sites are complex beings, at any given time there are 150 things going on and sometimes it is very difficult to apply these changes quickly. According to a recent survey, 56 Percent of WP installations were running out of date versions of the core.
12) Best WP security plugins and themes:
Most of the WP users tend to apply plugins and themes at their will to their posts. Unless you are doing this on a server (test), for the purpose of testing the plugin or theme (that makes no sense), especially not with the reference to WP security. Many plugins and themes are free and unless you have a solid business model to guide these free giveaways. And if a developer is maintaining a plugin for the sake of fun, the chances are that he did not take the time to do proper security checks.