WordPress has come a long way since it was “born” in 2003 (I have actually used it since then! Yikes!).
Back in the early stages WordPress lacked a lot of features and was also very vulnerable to hackers. While hackers and spammers find WordPress sites an easy target, there are several ways to secure your WordPress site and put them right in their place.
WordPress itself has implemented several security features to keep your site secure, such as automated background updates for security patches (meaning your site will be automatically updated when a patch (new version) is released).
However, there are some basic steps you can take to secure your WordPress site from hackers and spammers.
Rename the admin username – If you are installing WordPress for the first time, do not choose admin, manager, etc. as the username. Choose something unique. If you are already running WordPress, changing the username is simple via phpMyAdmin. Not sure how to do that? There is a great article with simple-to-follow instructions located here.
Create a secure password – Use symbols, numbers, uppercase letters, and lowercase letters.
Keep plugins up to date – besides the WordPress software, plugins that are out of date could potentially allow hackers to gain access to your site. Make sure to check for updates regularly and delete those that you are no longer using.
Rename the WordPress database prefix – Per WordPress.org, many published WordPress-specific SQL-injection attacks make the assumption that the table_prefix is wp_, the default. Changing this can block at least some SQL injection attacks.
Hide Author usernames – This will stop hackers from finding the usernames of registered users (or the admin) and trying to gain access through the login page.
Rename your login page – Hackers know the default login page for WordPress. Make their job harder by renaming it.
Install the Akismet plugin – This is a huge one to keep spammers out of your comments section. You can install it for free from the WordPress plugin directory.
Choose a good Host – Having the right hosting provider can make a world of difference as well. If your host is lax about the security of their servers, that leaves your site open to hackers. I recommend Webhostingbuzz (affiliate link) or WP-Engine (affiliate link) for hosting WordPress sites. While those are affiliate links, I have used (or am currently using) them; otherwise I would not recommend them.
Create strong passwords for your database – While many will create a strong password for their site, they create short and simple ones for their database. Make sure your database password is strong and DIFFERENT from the password used to log in to your site.
Use a security plugin such as iThemes Security which will allow you to do all the above from within a plugin, plus provide you with extra options for securing your site even further.
Back up your site any time changes are made. I choose to back up mine daily, but at a minimum you want to back up your site at least once a week.
Disable directory listing – Place the following line in your .htaccess file:
Options All -Indexes
Hide your WordPress version number – Make it harder for hackers to guess which version of WordPress you are using. You can remove it by editing files or use one of the security plugins such as iThemes Security.
Limit Login attempts – There are plugins you can install that limit login attempts and ban the offending IP after a set number of failed attempts. iThemes Security is one of the plugins that offers that.
Delete plugins you don’t use – They could become out of date and vulnerable allowing hackers in. If you no longer use it, delete it.
Ensure File and Folder Permissions Are Correct – Folders should be set to 755 and files to 644.
Remove old themes – Just like plugins, you should remove any and all themes you are currently not using.
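The two filesystem items in the list above (the .htaccess directive and the 755/644 permissions) can be checked and applied with a small script. This is an added example, not code from the original post; the function names and the document-root argument are my own choices, and it assumes a POSIX shell with find, chmod and grep.

```shell
#!/bin/sh
# Added example: audit and fix WordPress file permissions and directory listing.
# The document root is passed as the first argument (assumed layout; any path works).

# Print every directory that is not 755 and every file that is not 644 under the
# root. Returns 0 when nothing needs changing, 1 when offenders were printed.
wp_perm_audit() {
    offenders=$( { find "$1" -type d ! -perm 755; find "$1" -type f ! -perm 644; } )
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders"
    return 1
}

# Apply the recommended modes only where they differ (avoids touching mtimes needlessly).
wp_perm_fix() {
    find "$1" -type d ! -perm 755 -exec chmod 755 {} +
    find "$1" -type f ! -perm 644 -exec chmod 644 {} +
}

# Return 0 if the root's .htaccess already has an Options line that removes Indexes.
# -s keeps grep quiet when the file does not exist yet.
wp_indexes_disabled() {
    grep -Eqs '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess"
}

# Append the directive from the checklist unless it is already present (idempotent).
wp_disable_indexes() {
    wp_indexes_disabled "$1" || printf 'Options All -Indexes\n' >> "$1/.htaccess"
}

# Usage: sh wp_fs_check.sh /path/to/wordpress
if [ -n "${1:-}" ]; then
    if wp_perm_audit "$1"; then
        echo "permissions already 755/644"
    else
        wp_perm_fix "$1" && echo "permissions corrected"
    fi
    wp_disable_indexes "$1" && echo "directory listing disabled in $1/.htaccess"
fi
```

wp-config.php holds the database password from the list above, so many hardening guides restrict it further (for example 600) after this script has run.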