Guide to WordPress Security
WordPress security is a growing concern as the popularity of this software continues to grow. The great thing about open source software such as WordPress is that it is available to everyone for free. The worst thing about open source software is that it is available to everyone for free. Although this great piece of software has many developers working on improving it and creating new plugins all the time, it is also extremely vulnerable to hacker attacks because everyone has open access to the source code. For this reason Open Source software such as WordPress receives a lot of security updates for each new version release. However, this is not enough and WordPress site owners can do a lot to increase the WordPress security of their sites.
The WordPress team has made the installation and launch of a new website very easy and fast. Some hosting companies even offer one-click installation. This simplified installation process can make one easily overlook the security steps needed to make their WordPress site very secure, which can take some effort. Whether you are using an open source CMS such as WordPress or custom built CMS, security is always a serious concern.
Here are the top tips for protecting your WordPress site:
Basic WordPress Security Tips
1. Use a good Web hosting company with proven track record. A good hosting provider will ensure their servers have the latest security patches, PHP/MySQL updates, firewall, brute force attack prevention, and other security features. One that specializes in WordPress business hosting is ideal.
2. Install your WordPress core admin files in some other directory than the root one.
3. Change the table prefix from wp_ to something else.
4. Use a very strong password for the database user.
5. Also use a strong password for your WP login and choose a username much less obvious than ‘admin’. WordPress now comes with a password strength indicator. Make sure that it shows that your chosen password is strong.
6. Delete the pre-installed pages, posts, and plugins.
7. Use only premium themes and plugins. Make sure that the plugin you install has good reviews and a good number of active installs. If the plugin is a security risk it likely will not have many installs and if it does, it will have a low star rating. Poor plugins have lazy or buggy code that can be easily exploited by hackers.
8. Use a good captcha plugin for ALL of your forms, including your wp-admin login. You can install a Google Recaptcha integration plugin or another anti-spam plugin keeping in mind point number 7 above.
9. Always update your core WordPress files, themes and plugins to the latest versions as soon as they become available. You may want to install “Advanced Automatic Updates” to help you automate the process.
10. Keep your computer virus-clean by regularly doing a virus scan with anti-virus software that also is regularly updated. Some hackers can get your password and username through malware installed on your computer.
Advanced WordPress Security Tips
1. Install and configure an anti-malware firewall plugin.
2. Activate 2 factor authentication (2FA). This is another step in your login process that gives you an extra peace of mind. You can search for 2 factor authentication plugins through WordPress plugin marketplace or Google. The two most popular currently are “Clef” and “Two-Factor Authentication (Google Authenticator)”. Both use your smartphone (iOS or Android) as the second layer of authentication.
3. Install an SSL on your website hosting account.
4. Ensure that none of you subdirectories can be viewed via http by creating a blank index.html(or php) file in all subdirectories.
These are some of the key ways you can beef up your WordPress security and stay protected from malicious attacks.