Along with content building and SEO practices for your WordPress site, security is another important factor that needs to be addressed at an early stage. You can never tell when your website would be hacked or suffer from malware infection. Yeah, we all know how terrible it would be. So why not buckle down to implement strict security methods right away to save your site, our sites from constant dangerous attacks. In this article, I am going to share with you some tips & tricks on how to harden security in WordPress.
Keep your site up-to-date with the latest version of WordPress, plugins and themes
Security risks come when you use old or outdated versions of WordPress or plugins and themes being used for your site. We ourselves are themes and plugins developers so we totally understand this point. Whenever we release an update version for our products, we have made improvements and fixed bugs and errors in our products. We would expect our users to update our product for better performance and security.
Therefore, it is recommended to log into your admin panel and check for any new updates. Believe me, spending couple minutes on update will save you big time and money later on.
Another point is that you should steer away from null plugins or themes which are being shared broadly on the Internet. You can never tell if those plugins and themes are inserted with malicious code or not. We should only stick to the reliable sources, like WordPress.org.
Stronger, better passwords
According to a recent article on the most common passwords, you must be surprised to know this simple password “123456” is up on the top. It’s a bad practice to use simple and predictable passwords like “password” or birthdays/ anniversaries information for the admin login details. Some even save all passwords in an email, doc file or use one password for all accounts (I did, once). If you are doing this, seriously drop it.
It won’t take much time and effort for a hacker to break into your site and the ultimate consequence is surely unbearable.
Recommendation from security experts is to use strong passwords that meet the following criteria:
- Have 8+ characters in length
- Contain a mix of numbers, uppercase/lowercase letters and special characters like @ , $ and %
- Never use One password for all accounts
If you find it hard to remember, use a password manager service like LastPass for better password storage and management.
Limit failed login attempts
You should limit the number of failed login attempt to your site to avoid Brute-Force attack (an approach of password guessing). Some typical WordPress plugins can come in handy as Limit Login Attempts, Login Security Solutions, Login Lockdown or Better WP Security.
Change admin URL path
The default URL path to WordPress admin panel is /wp-admin. Everyone knows that! Changing this URL is also a way to secure your login site and avoid attack.
You can change the admin URL manually, which is a bit complicated and risky. The fast and safe way is to do it using a plugin. Here is how you do it using Better WP Security plugin:
- Install the plugin
- Navigate to Security -> Hide Backend
- Change URL in Login slug, Register slug and Admin slug.
You can refer to this blog post for more details.
Another thing to keep in mind is not to set the administrator account as “admin” since this is the default login in WordPress that everyone knows. You can use plugin like Better WP Security to change your administrator account.
Files and folders permissions
By default, CHMOD is set as 664 for files and 775 for folders. However, there are important files that need special permission and wp-config.php file, for example, is one of them. This file stores login information to your site database. We rarely edit this file so let’s set its CHMOD to 444 so that all user groups are able to read but not to modify, including the owner. You can also set CHMOD for wp-config.php file to 400 and .htaccess file to 404 for more restriction. If you want to modify wp-config.php, change CHMOD to 664 and remember to return its original value when you are done. Modifying .htaccess file is similar.
Regularly backup your site
Regular backups help limit attack risks and reduce damage extent to the lowest. In case your data are lost, you can still make a quick site recovery using backup files. There are many both free and premium WordPress plugins for backing up your data regularly and automatically. Free plugins include:
- WordPress Backup To Dropbox – Much like its name, this plugin will help you schedule automatic backups and send the backup files to your Dropbox account.
- UpdraftPlus – This plugin supports uploading backup files to S3, Dropbox, Google Drive, FTP, SFTP, Email and so on.
- XCloner – Like UpdraftPlus, XCloner supports both backup and restore website.
Premium plugins are like BackupBuddy, VaultPress
You can always use the backup function in the cPanel of your host. Choose a method that you are comfortable with.
WordPress plugins for security
Here are the 4 WordPress security plugins that I find helpful and useful for better site security. If you know more, feel free to suggest us.
Better WP Security
Better WP Security is a free yet powerful plugin with useful features such as daily data backup, limit login attempts, changing admin username, changing administrator account ID and many more.
WordFence Security
WordFence Security can scan and detect malware or bugs in codes on your website. It also tracks login statistics according to IP address to implement IP blocking when needed. There are more advanced features for the fee of $39 per year. One disadvantage of WordFence Security is that it consumes a lot of system resources which may lead to site crashes. Therefore, you should not use this plugin on weak servers.
Bulletproof Security
BulletProof Security protects your WordPress websites from such attacks as XSS, RFI, CRLF, CSRF, Base64, Code Injection, SQL Injection and so on. This plugin will automatically optimize your website or you can customize it if you are a security expert.
6Scan Security
6Scan Security scans your entire website for security bugs and divides its alert levels from normal to urgent. It also points out where the vulnerability comes from and how to fix it. The free version only supports manual fix while the premium version offers Auto fix in addition.
In short
You will find more and more tips on the internet and above are just basic tips and tricks you can try to enhance your WordPress site security. That’s it for now. So what is your favourite tips? Any more tips that you think we should cover in this blog post?
Nice tutorial. Using some of them already, will try others soon. Thanks for the writing.
Thanks Anik!
We have more tutorials coming 🙂 Is there any specific topic that you would want us to cover?
My pleasure Jin!
You wrote about security, its precaution. That’s good. How about writing, what users should do after being compromised. How to identify the hole, clean the whole system without loosing data, if it’s affected by any virus, how to disinfect it or if someone gain access to the system how to regain the privilege, etc. Most of the users use Linux as OS & WP or Joomla as their CMS. Joomla tend to get hacked easily. How to prevent, Linux to do’s etc. There’s lots of people who are getting compromised everyday and they have very little technical knowledge. Your article will help them.
Anyway, I was a long time JoomlaArt user and now spotted designwall’s Q&A plugin at the very first time of its launch. I will try my best to contribute to this project over time.
Best Wishes.
Anik
What you suggest is great, Anik. I can have a follow-up blog for this one and will dig more on how we should handle the attack.
Guess I should get started with the research now 🙂
Your time starts now. 😉
Here we go: http://cmspioneer.com/designwall/blog/how-to-handle-a-wordpress-security-attack/
Thank you for this useful tutorial.
All In One WP Security is also a better security plugin for WP.
Oh is it? Thanks, we will check it out.