You all know how popular WordPress development has been in the industry since its inception. Millions of websites, small as well as large-scale, are built using WordPress because of the user-friendliness it offers. But security is the biggest drawback of such websites, and trust me, I know what kind of blunders it creates. I have spent so many years working on WordPress that by this time I am quite confident about helping you out with a good number of security tips for building your next WP site.
My team and I have used these tips for many projects and we have received positive feedback from our clients. Here is the list of guidelines that will help you too.
Secure WordPress Hosting
- Always use a secure and trusted hosting server for your WordPress site, and a trusted domain as well.
Latest Version
- Always use the latest version of WordPress core, your themes, and your plugins.
- Delete unused plugins, themes, and users.
- Always turn on automatic updates for themes, plugins, and WordPress core. You can add the code below; the constant belongs in wp-config.php, while the two add_filter() lines belong in a plugin or your child theme's functions.php, because add_filter() is not yet defined when wp-config.php runs.
- WordPress Auto Update
<?php define( 'WP_AUTO_UPDATE_CORE', true ); // wp-config.php: enable core auto-updates, including major releases ?>
- Plugin Auto Update
<?php add_filter( 'auto_update_plugin', '__return_true' ); // plugin or functions.php: auto-update every installed plugin ?>
- Theme Auto Update
<?php add_filter( 'auto_update_theme', '__return_true' ); // plugin or functions.php: auto-update every installed theme ?>
Disable PHP Error Reports
- When a plugin or theme isn't working well on your WordPress blog, it gives errors. However, this advantage comes with a disadvantage: when a PHP error is reported, it shows the server's full path along with the error, and hackers can use that information against you.
- Add the code below to the wp-config.php file.
<?php
error_reporting(0);            // stop PHP from reporting errors at all
@ini_set('display_errors', 0); // never print errors into the page output
?>
Don’t Download Premium Plugins for Free
- Always use genuine premium themes and plugins, and do not try to get premium plugins for free.
- Pirated plugins and themes are often laced with malware by the time they reach these illegal download sites.
Remove WordPress Version from Site
- Remove the WordPress version from the site. WordPress publishes a changelog for every version and its changes, so knowing the version lets hackers attack the site easily.
- You can remove it from the header.php file, where it is printed by this tag:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
- Open your theme's functions.php and add the following function:
<?php
// Return an empty string instead of the generator meta tag.
function wpbeginner_remove_version() {
return '';
}
add_filter('the_generator', 'wpbeginner_remove_version');
?>
Database Name
- Do not use the site name as the database name. Choose something different so hackers cannot guess and identify it.
Table Prefix
- Do not use the default WordPress table prefix (wp_).
- You can change it while installing WordPress; if you have already installed it, you can change it with a security plugin.
Unique Keys and Salts
- WordPress stores all the database information in the wp-config.php file, together with the authentication keys and salts.
- Default salts are well known to hackers, who can use them to get at all the details, so I recommend that you replace them with fresh values from the link below.
https://api.wordpress.org/secret-key/1.1/salt/
Do not use admin as a username
- Make sure your administrator username is not easily guessable, like 'admin', 'yoursitename' or 'yourname'.
- If you already use one, you need to change it.
- Remove the user with ID 1. You can change the user ID with a security plugin.
Hide your username from the author archive URL
- By default, WordPress displays your username in the URL of the author archive page. For example, if your username is akashwagh, your author archive page would be something like https://yoursite.com/author/akashwagh
- With the username in hand, a hacker can attack the site much more easily, so I recommend that you change it.
Limit login attempts
- When a hacker or a bot attempts a brute-force attack to crack a password, it is useful to limit the number of failed login attempts from a single IP address.
- The Limit Login Attempts plugin lets you specify how many retries are allowed and how long an IP is locked out after too many failed login attempts.
- Always use a strong password.
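If you prefer to see how such a lockout works rather than install a plugin, here is an added example (not from the original article or the Limit Login Attempts plugin): a must-use plugin that counts failed logins per client IP in a transient and refuses further attempts once the limit is reached. The limits, the file name and the `slt_` prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Simple Login Throttle (added example)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * It counts failed logins per client IP in a transient and refuses further
 * attempts once the limit is reached, until the lockout window expires.
 */

// Tuning values are assumptions, not from the article; adjust to taste.
define( 'SLT_MAX_ATTEMPTS', 5 );                         // failures allowed per window
define( 'SLT_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS ); // lockout and counting window

// Transient key for the requesting client. REMOTE_ADDR is the TCP peer; behind a
// CDN or reverse proxy, resolve the real client IP from the proxy's trusted
// header instead, otherwise every visitor shares one counter.
function slt_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'slt_fail_' . md5( $ip );
}

// Count each failed login and (re)start the lockout window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = slt_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, SLT_LOCKOUT_SECONDS );
} );

// Refuse authentication while the client is locked out. Priority 30 runs after
// WordPress's own credential checks (priority 20), so the lockout always wins.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( slt_client_key() ) >= SLT_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins from your address. Try again in %d minutes.',
                     SLT_LOCKOUT_SECONDS / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( slt_client_key() );
} );
```

Because the `authenticate` filter also covers XML-RPC and cookie-less API logins, the same lockout applies to those entry points, not only to wp-login.php.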
Disable File Editing Via the Dashboard
- In a WordPress installation, you can navigate to Appearance > Editor and edit any of your theme files right in the dashboard.
- The trouble is, if a hacker manages to gain access to your admin panel, they can also edit your files and execute whatever code they want.
- So it's a good idea to disable this method of file editing by adding the following to your wp-config.php file:
<?php define( 'DISALLOW_FILE_EDIT', true ); ?>
Use CAPTCHA
- Use a CAPTCHA on all forms, such as the login, registration and contact forms.
- It helps prevent brute-force attacks.
Child Theme
- Always use a child theme of your current theme and add your functions to its functions.php file.
- That way, updating the parent theme never loses the customisations placed in the child theme.
Deny access to your Plugins and other directories
- A lot of bloggers do not protect access to their WordPress plugins directory. What I mean is that if you open www.your-domain.com/wp-content/plugins/ in a browser, it lists the names of all the plugins you are using.
- Many WordPress plugins have vulnerabilities through which an attacker could harm your blog, so it's a good idea to block access to these directories.
- You can block directory listing either with a .htaccess file or by uploading a blank index.html file to the directory.
Backup Your Data
- Always keep backups of all the important files.
- You can use backup plugins to take a daily, weekly etc. backup of your site.
- Here are a few popular WordPress backup plugins:
- VaultPress
- BackupBuddy
- BackWPup
- BackUpWordPress
- UpdraftPlus
- Duplicator
- WP-DB-Backup
Be careful when you upload something to your site
- When you upload a script (for example a plugin, a theme or just a normal script) to your site, be careful: it could harm your site if it was designed to do so. Only upload authentic content to your site.
- Never download a plugin or a theme from torrent or file-sharing sites. The content on these sites can be disguised as a plugin or a theme, but it will harm the site when uploaded to your server.
Secure Your Debug Logs
<?php define( 'WP_DEBUG', false ); // wp-config.php: turn off WordPress debug output and logging ?>
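As an added example (not from the original article) that serves both this section and the PHP error reports section above: `error_reporting(0)` hides errors from everyone, including you. The wp-config.php fragment below instead keeps errors out of visitors' browsers while still writing them to a log the owner can read. It assumes WordPress 5.1 or later and a log path of /var/log/wordpress/debug.log that the web server user can write to.

```php
<?php
// Added example for wp-config.php (place it above the line that requires
// wp-settings.php). Unlike error_reporting(0), this keeps PHP errors out of
// visitors' browsers while still recording them for the site owner.

define( 'WP_DEBUG', true );           // collect notices, warnings and errors...
define( 'WP_DEBUG_DISPLAY', false );  // ...but never render them in page output

// Write the log outside the document root so it cannot be fetched over HTTP
// (the default, wp-content/debug.log, usually can be). Path is an assumption.
define( 'WP_DEBUG_LOG', '/var/log/wordpress/debug.log' );

// Belt and braces at the PHP level, in case a plugin re-enables display.
@ini_set( 'display_errors', '0' );
@ini_set( 'log_errors', '1' );

// Once troubleshooting is over, switch collection off again on production:
// define( 'WP_DEBUG', false );
```

Check the result by requesting a page that triggers a warning: nothing should appear in the HTML, and a new line should show up in the log file.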
Security Plugins
- Here are some other plugins that can help you amp up your security:
Hope these WordPress security tips will help you tweak your website. If you have any queries, feel free to leave a comment and I'll be happy to respond.
Digital Marketing Manager
Responsible for developing and managing web presence, Sarah has been associated with eLuminous Technologies for 7+ years. Strategic and innovative with a passion for Content Marketing and enhancing brand awareness. Administered all business marketing operations and advertisement campaigns that eventually increased web traffic. She works under the motto “Think like a Publisher, not a Marketer.”