Millions of websites are powered by WordPress, and there’s a reason for that. WordPress is the most developer-friendly content management system out there, so you can do essentially anything you want with it. Unfortunately, that has some drawbacks as well, the most important being that WordPress sites get hacked. In this tutorial I give some simple tips for securing a WordPress website or blog. You will learn how to secure a WordPress site from hackers, pick up some important tips on WordPress security, and become familiar with WordPress security plugins. I expect that you can improve your WordPress security with these 8 tips.
For example, if you don’t change your default configuration, hackers immediately know where to log in to get into your admin area. In WordPress, you can just type in yourdomain.com/wp-admin and it will take you right to the login screen. At that point, it’s all about trying to crack your password. The most common method hackers use is brute force, which allows them to test millions of login combinations in a short amount of time.
8 tips for WordPress security
1. Limit Login Attempts:
There is a WordPress plugin called Limit Login Attempts that enables you to limit the number of failed login attempts and even ban an IP for a specified number of hours. Well, with this plugin brute force attacks would be much harder to pull off.
The hacker would need to have many different proxies because the plugin would keep banning that IP address after a certain number of failed login attempts.
All options in this plugin are customizable. You can select how many failed login attempts you will allow, how long they’re locked out, and how many lockouts it will take to issue a temporary IP ban.
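To see how those three settings interact, the sketch below (an added example, not code from the Limit Login Attempts plugin) replays web-server access-log lines through the same kind of policy and reports which IPs would be locked out or banned. The threshold values, the 12-hour retry window, the Apache combined log format and the 200-versus-302 heuristic for failed logins are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Settings named in the tip; the values are assumptions chosen for this sketch.
ALLOWED_RETRIES = 4                  # failed logins before a lockout
LOCKOUT = timedelta(minutes=20)      # length of an ordinary lockout
LOCKOUTS_BEFORE_BAN = 2              # the Nth lockout is escalated to a ban
LONG_BAN = timedelta(hours=24)       # length of the temporary IP ban
RETRY_WINDOW = timedelta(hours=12)   # older failures are forgotten

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def parse(line):
    """Return (ip, time, failed_login) for a combined-format line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    # Heuristic: a failed login re-renders the form (200), a success redirects (302).
    is_login = method == "POST" and path.split("?")[0].endswith("/wp-login.php")
    return ip, when, is_login and status == "200"

def simulate(lines):
    """Replay log lines; return {ip: [(start, end, "lockout" | "ban"), ...]}."""
    fails, blocks = defaultdict(list), defaultdict(list)
    for ip, when, failed in filter(None, map(parse, lines)):
        if not failed:
            continue
        if blocks[ip] and when < blocks[ip][-1][1]:
            continue  # still locked out: a limiter would reject this attempt
        fails[ip] = [t for t in fails[ip] if when - t < RETRY_WINDOW] + [when]
        if len(fails[ip]) >= ALLOWED_RETRIES:
            ban = len(blocks[ip]) + 1 >= LOCKOUTS_BEFORE_BAN
            blocks[ip].append((when, when + (LONG_BAN if ban else LOCKOUT),
                               "ban" if ban else "lockout"))
            fails[ip] = []
    return {ip: b for ip, b in blocks.items() if b}

def sample_log():
    """Constructed sample: one noisy client and one user who mistypes once."""
    fmt = '{} - - [01/Jan/2024:{} +0000] "POST /wp-login.php HTTP/1.1" {} 512 "-" "-"'
    noisy = ["10:00:00", "10:00:10", "10:00:20", "10:00:30", "10:05:00",
             "10:30:00", "10:30:10", "10:30:20", "10:30:30"]
    rows = [fmt.format("198.51.100.7", t, 200) for t in noisy]
    rows += [fmt.format("203.0.113.5", "10:01:00", 200),
             fmt.format("203.0.113.5", "10:01:30", 302)]
    return rows
```

Calling simulate(sample_log()) shows the noisy client earning a 20-minute lockout and then a 24-hour ban, while the user who mistyped once is never blocked; replaying your own access log with different thresholds shows how strict a setting legitimate users can tolerate.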
2. Back Up Your Website Often:
Obviously, it depends on how often your website gets updated, but I would suggest at least a weekly backup. There are many WordPress plugins that can help you with that, but my favorite is BackupBuddy. BackupBuddy will run you about $100, which you would happily pay to be able to restore your hacked website in five minutes.
If you’re looking for a free alternative, you are in luck! Ready! Backup is a free plugin that allows you to create automated backups, send them off to Dropbox or FTP, and restore them quickly. I haven’t tried it yet, but so far most reviews are positive.
3. Protect your WordPress Admin Area
It is important to restrict access to your WordPress admin area to the people who actually need it. If your site does not support registration or front-end content creation, your visitors should not be able to access your /wp-admin/ folder or the wp-login.php file. The best thing you can do is to get your home IP address (you can use a site like whatismyip.com for that) and add these lines to the .htaccess file in your WordPress admin folder, replacing yyy.yyy.yyy.yyy with your IP address.
<Files wp-login.php>
order deny,allow
Deny from all
Allow from yyy.yyy.yyy.yyy
</Files>
In case you want to allow access to multiple computers (like your office, home PC, laptop, etc.), simply add another Allow from yyy.yyy.yyy.yyy statement on a new line.
If you want to be able to access your admin area from any IP address (for example, if you often rely on free Wi-Fi networks), restricting your admin area to a single IP address or to a few IPs can be inconvenient. In such cases we recommend that you limit the number of incorrect login attempts to your site. This way you will protect your WordPress site from brute-force attacks and people trying to guess your password. For such purposes, you can use a nice little plugin called Limit Login Attempts.
4. Use strong passwords:
You will be surprised to know that there are thousands of people who use phrases like “password” or “123456” for their admin login details. Needless to say, such passwords can be easily guessed and they are at the top of the list of any dictionary attack. A good tip is to use an entire sentence that makes sense to you and that you can remember easily. Such passwords are much, much better than single-phrase ones.
5. Consider Automatic Core Updates
I’ve already talked about the importance of updating your WordPress installation whenever a new version is released, but it bears repeating. In fact, if you’re running an older version of WordPress than what is current, all of the security flaws in the version you’re running are common knowledge to the public. That means hackers have that info, too, and can easily use it to attack your site.
Though minor updates install automatically, major ones still require approval.
But updating your site might not be enough, especially if you don’t make site maintenance a regular habit. In these cases, the more automated you can make these tasks, the better. While I recognize it’s not for everyone, automatic updates might be a good option for those who want to take a more hands-off approach to site management but want a secure site, just the same.
Since WordPress 3.7, minor WordPress updates happen automatically. But major updates are still something you need to approve. You can insert a bit of code into your wp-config.php file, however, to configure your site to install major core updates automatically.
It doesn’t get much simpler. Just insert this in the file and major core updates will happen in the background without the need for your approval:
# Enable all core updates, including minor and major:
define( 'WP_AUTO_UPDATE_CORE', true );
6. Set Plugins and Themes to Update Automatically:
Now I realize this one also isn’t for everyone, but it’s worth mentioning anyway. Typically, plugins and themes are things you’ll need to update manually. After all, updates are released at different times for each. But again, if you’re not someone who makes site maintenance a regular thing, you may wish to configure automatic updates so everything stays current without necessitating your immediate intervention.
Automatic updates for plugins and themes are another thing you can configure by inserting a bit of code into wp-config.php. For plugins you’ll use:
add_filter( 'auto_update_plugin', '__return_true' );
7. Keep Track of Dashboard Activity:
If you have many users on your site, it might be a good idea to keep track of what they’re doing on your dashboard. Not that you suspect them of any wrongdoing, but sometimes when you have a lot of people involved in your site, a simple misstep can cause something to break. That’s why logging dashboard activity is so useful: it allows you to retrace your users’ steps up to the point of site breakage. You can even retrace your own steps.
This is also great for security because it allows you to connect the dots between a specific action and a specific reaction. So, if a certain uploaded file caused your site to break, you can investigate it further to see if it contained malicious code.
Yes, WordPress logs this information automatically, but it’s not easy to use. It’s a much better idea to use a plugin to organize all of that data, so you can see if installing a certain plugin, making a specific code change, or uploading a file caused the issue you’re dealing with. But even if you’re not handling a site issue, being able to see what your users are doing on your site at all times can offer some peace of mind.
A good plugin to check out is WP Security Audit Log. This free plugin maintains a log of everything that happens on your site’s backend, so you can easily view both what users and hackers are doing. This plugin keeps track of everything from when a new user is created to file management to published post changes.
8. Pick the Best Hosting You Can Afford:
You can trick out your site all you want with all the latest security hacks but if you don’t have a good hosting provider, your efforts aren’t going to matter all that much. In fact, security experts WP White Security reported that 41% of WordPress sites were hacked due to a security vulnerability on the host itself. That’s edging on half there, which means you need to do something about your hosting plan, ASAP.
All of these tips will help you get better WordPress security. If you liked this post, please share it. I will be back with a new post.