WordPress is one of the most popular publishing platform and many Bloggers and even big companies use WordPress to develop their site. It has really got a great potential because its open source and there are many plugins and themes available to choose from and one doesn’t need coding knowledge to run their site. WordPress has evolved from Blogging platform and now fully fledged websites are made, thanks to its flexibility and popularity. This CMS comes secure out of the box, but there are some people who always find a way to harass others by finding even a small security loophole. That’s why its important to secure WordPress Blog and be on the safe side as best as we can.
Below are some tips to tighten up the security of your WordPress site:
Tip 1: Always use the latest version of WordPress
Its always recommended to use the latest version of WordPress. In past, we have already seen how users who were using old versions were attacked. They learnt it the hard, and if you are still using an older version, then its better to update it. Always, use the latest version of WordPress.
To know which version you are using, just login to WordPress Dashboard and and in the “Right Now” window, you can see which version of WordPress are you using. You can update WordPress via two ways. Manually and automatically. Whenever a new version of WordPress is out, you will be able to see a notification in Dashboard. Just click on it to update WordPress. To update manually, please refer to the codex from here.
Note: Before updating, its recommended to do a complete backup of your WordPress.
Tip 2: Update Plugins and Themes
Just keeping WordPress updated won’t do the trick. But you should update all the plugins and themes also. To know or check about update for plugins and themes, login to WordPress Dashboard and click on “Updates”.
Tip 3: Use Strong Username and Password
Well, this is the modified version of what others say. Other’s will just guide you to use strong password, that’s great, but here’s a catch. Your username should also be strong, and something which cannot be guessed easily. Many times people make the mistake to set their username as “admin”, don’t do this. Change your username to something more secure, and something which is hard to guess. If possible, then delete this “admin” user and assign its posts to some other user. When installing WordPress, you will be presented with an option to enter a username. And if you have already installed, then you can also change WordPress Admin username.
And your password can be a combination of upper and lowercase letters, symbols, and numbers. Use all these characters and your password would be super strong.
Tip 4: Secret Keys
As you must be knowing, wp-config.php file stores all the database related information. This is very important file and contains database name, username and password of MySQL file which stores all blog posts, settings, pages, etc data.
Secret key helps to make this information more secure. A secret key makes the site harder to hack by adding random elements. Here is how this section looks like:
Go to this online generator, and it will generate secret key. Just open your wp-config.php from the root of the theme, and find the above section and copy and paste the secret key which was generated online.
Tip 5: The Htaccess file
This is the section which is somewhat hard to delve in. This useful .htaccess (also sometimes referred to as HyperText Access) file can set access limits to browse particular folders and can set limitations and block certain IP addresses from accessing your site. Read this AskApache Ultimate Htaccess Guide.
If this seems complex, then you can also block particular IP addresses from cPanel.
Tip 6: File Permissions
File and folder permissions should not be too liberal. By default, folders should have 775 permission and files should have 644. Some caching plugins and also some scripts like the popular TimThumb script may require 777 permission. Read this codex on changing file permissions. CHMOD 777 may have its own consequences and usually not recommended.
To change permissions, open FTP client like FileZilla or you can also use File Manager of cPanel. Right click on the folder/file, and then click on File Permission. Now just directly type in the permission, e.g. 644, and click on ok.
Tip 7: Change Table Prefix
When installing WordPress, you are asked to enter WordPress table prefix. By default, its WP_. Some don’t care to change this prefix, may be that’s because they don’t exactly know what it is. So, when installing, its recommended to change this table prefix, and if you have already installed WordPress, then WP Security plugin can help you here. Install this plugin, and then go to Security > Database. And then enter the new prefix which you want to set, it should be something random e.g. tps_ or something like kol_. Also carefully read the instructions in this page, and follow them first. But before doing anything, please take a complete backup of your MySQL database. This WP Security Scan plugin also scans your installation for security vulnerabilities and suggests some corrective actions. It also has a strong password generator tool, although this strong password is “too strong” to remember then.
Tip 8: BACKUP
It always is the best option to stay safe. Therefore, always have your backup ready. And you cannot have your backup ready, until you backup it. So a good practice is to do complete backup of all files and database. Use FileZilla to take backup, or the easy way is to do a complete backup from your hosting cPanel.
Open your cPanel and go to Backups > Download or Generate a Full Website Backup . And then enter your Email address and click on Generate Backup. In case, it needs to be restored, go to Backups, and from this section “Restore a Home Directory Backup”, browse to your downloaded file and upload it. This seems to be the most easy way to generate and restore backup. Also this method can be used if you are moving from one webhost to another. A weekly complete backup is a good way to stay safe, who knows when the disaster strikes. If you are using Dropbox, then you can also backup WordPress to Dropbox. This will automate the backup process.
Ofcourse, there’s much more, and it doesn’t ends here. There are many more plugins and many more hacks for this purpose, but the purpose here is to just cover the important aspects of protecting WordPress from hackers. Its better to take these precaution, and stay on the safe side then to be sorry. Go ahead and implement these suggestions, but don’t forget to backup first, just in case, something screws up.