WordPress sites are generally less secure than custom-built solutions. Because WordPress is an open source project, its source code is available to everyone, so an attacker can easily find loopholes in the code and use them to hack a website. Keeping your WordPress website secure is most important, because your data should remain safe and the performance of your website should not be compromised. Here I will share with you some important points about securing your WordPress website.
- Use a secure username and password:-
You should use a secure username and password that cannot be guessed by anyone. Never use the default ‘admin’ username, which makes things easy for the hacker. The latest version of WordPress lets you choose a unique username for the administrator account. For older versions of WordPress there are plugins available that will help you change the ‘admin’ username. When creating the password, include numbers and special characters in it so that the password becomes harder to guess.
- Securing wp-admin folder :-
You can add a second layer of protection by password protecting your wp-admin folder. You can use basic HTTP Authentication to password protect the folder. There are many plugins available that will enable HTTP Authentication for the folder. You can also achieve this with an .htaccess file, for which you will need to know a little bit of coding. A sample configuration is given below.
<Files wp-login.php>
AuthName "Authentication required"
AuthUserFile /path/to/password/file/passwords
AuthType basic
require valid-user
</Files>
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
<FilesMatch "\.(css|gif|png|js)$">
Order allow,deny
Allow from all
Satisfy any
</FilesMatch>
<Location /wp-admin/>
AuthName "Authentication required"
AuthUserFile /path/to/password/file/passwords
AuthType basic
require valid-user
</Location>
The code above protects the wp-login.php file and the wp-admin folder by requiring the username and password listed in the password file. The admin-ajax.php and static-file blocks use Satisfy any so that front-end AJAX requests and the stylesheets, images and scripts under wp-admin still load without a login prompt.
- Securing wp-config.php:-
You can secure the wp-config.php file by moving it one level above the WordPress installation directory. So if WordPress is installed in the web root, you can place wp-config.php outside the web root so that it cannot be accessed directly. You can also deny access to wp-config.php by placing the code below in the .htaccess file.
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
- Disable file editing :-
If a hacker somehow breaks through the security features and is able to log in to WordPress, he will be able to edit the theme and plugin files from the dashboard. He can insert malicious code into the files and execute it. To prevent file editing from the dashboard, WordPress provides a constant that you can set in wp-config.php to disable editing from the dashboard.
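As an added example (not code from the original post), a small Python audit script that checks whether the hardening from the wp-admin, wp-config.php and file-editing sections is actually in place: it looks for the DISALLOW_FILE_EDIT constant (the WordPress constant that removes the dashboard editor) in wp-config.php, and parses the .htaccess containers for the deny rule on wp-config.php and the auth rule on wp-login.php. The sample wp-config.php and .htaccess contents are constructed for the example.

```python
import re

# Constructed sample wp-config.php fragment with the file-editing constant set.
SAMPLE_WP_CONFIG = """<?php
define('DISALLOW_FILE_EDIT', true);  // removes the theme/plugin editor from the dashboard
"""
# Constructed sample .htaccess with the wp-login.php and wp-config.php rules from this post.
SAMPLE_HTACCESS = """
<Files wp-login.php>
AuthName "Authentication required"
AuthUserFile /path/to/password/file/passwords
AuthType basic
require valid-user
</Files>
<files wp-config.php>
order allow,deny
deny from all
</files>
"""
# Matches <Files ...>, <FilesMatch ...> and <Location ...> containers, case-insensitively.
BLOCK_RE = re.compile(r'<(files|filesmatch|location)\s+"?([^\s">]+)"?\s*>(.*?)</\1>', re.I | re.S)

def htaccess_blocks(text):
    """Return {target: [lower-cased directive lines]} for every container block."""
    blocks = {}
    for _kind, target, body in BLOCK_RE.findall(text):
        blocks.setdefault(target.lower(), []).extend(
            line.strip().lower() for line in body.splitlines() if line.strip())
    return blocks

def file_edit_disabled(wp_config):
    """True only if DISALLOW_FILE_EDIT is defined with the value true."""
    m = re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*(true|false)\s*\)", wp_config, re.I)
    return bool(m) and m.group(1).lower() == "true"

def wp_config_denied(htaccess):
    """True if the wp-config.php block denies all clients (Apache 2.2 or 2.4 syntax)."""
    lines = htaccess_blocks(htaccess).get("wp-config.php", [])
    return any(l.startswith(("deny from all", "require all denied")) for l in lines)

def wp_login_requires_auth(htaccess):
    """True if the wp-login.php block sets an AuthType and requires a valid user."""
    lines = htaccess_blocks(htaccess).get("wp-login.php", [])
    return any(l.startswith("authtype") for l in lines) and "require valid-user" in lines

def audit(wp_config, htaccess):
    """Run the three checks and return {check_name: passed}."""
    return {"file_edit_disabled": file_edit_disabled(wp_config),
            "wp_config_denied": wp_config_denied(htaccess),
            "wp_login_requires_auth": wp_login_requires_auth(htaccess)}

if __name__ == "__main__":
    for check, ok in audit(SAMPLE_WP_CONFIG, SAMPLE_HTACCESS).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Apache 2.4 replaced `Order`/`Deny from all` with `Require all denied`, which the wp-config.php check also accepts.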
- Use latest version of WordPress :-
You should always update WordPress to the latest version, because each version comes with new bug fixes and security fixes that will help you prevent attacks based on common vulnerabilities.
- Use latest version of themes and plugins :-
You should always update your theme and plugins to avoid common vulnerabilities. As with WordPress itself, each new version comes with bug fixes and security fixes that help prevent attacks.
- Choose your themes and plugins wisely:-
Plugins help you add new functionality to your website, and there are plugins for almost every feature a website might need. When selecting plugins and a theme, always use actively maintained and popular ones. Also check whether there are reviews of the plugin or theme, which will help you decide whether to use it.
- Choose your hosting wisely:-
Host your WordPress website with a hosting provider that offers good security. Choose an established, popular hosting provider with good reviews. If you have enough budget, use managed WordPress hosting; these providers offer premium services and keep your WordPress website secure.