WordPress is awesome! I love it’s flexibility and usability! We use it time and time again to provide our clients’ with websites they can easily maintain. With 68 million and counting websites using WordPress (.com or .org) in some way, hackers out there do target WordPress websites. Such attacks can crash your site, or even worse, put malware on your site damaging your reputation with Google and attacking your clients!
So, I am sure you are now curious, what you can do to try and protect you and your precious WordPress website. So, to help you out, I have constructed a list of 5 tips to help you secure your WordPress website!
First rule of thumb I like to follow is never use the admin user account!
This is the default user account. Why is this bad? Hackers know this is a default username for WordPress websites. So, they can try and guess your password for this account. If you use this account, log into your WP-Admin area and create you a new user with administrator access and a strong password, then logout. Log back into your WP-Admin with the new user, and change the admin user role to “— No role for this site —”.
This action disables the admin user account from accessing your WP-Admin area. You now have your own unique and harder to guess username. Simple, but you would be surprised how many people still use the admin user account!
Second, watch out for bad plugins
Read about the plugins before you install them. Check out the support link on them and see what other people have experienced with that plugin. I remember last year a couple of plugins and themes used a script called timthumb.php. It generated images on the fly for the website. It worked good, but there was a vulnerability in the script that hackers used to add in their own scripts to your website. BADDDD!!!
“Slow down…learn about the plugin before installing just anyone’s code on your WordPress website.”
Third, add in an audit tracking or logging plugin.
In the past, I have used Audit Trail, but are others out there like WP Security Audit Log. These trackers allow you to review site logs, if your site gets hacked, or content is changed without you knowing it. So, then you can see information about what account the hacker is using and what they changed. This makes recovery from an attack less painful and allows you to take better security precautions in the future.
Fourth, disable WP-Admin file editing.
Hackers are looking to add their own code to your site so they can put malware and viruses on your pages that will infect you and your website visitors’ computers. This code area on a WordPress site is in the WP-Admin file editing area. So, I recommend disabling file editing to help secure your site from hackers. You can disable file editing back make a simple line of code change to your wp-config file.
define('DISALLOW_FILE_EDIT', true);
This simple change will keep hackers from being able to add in their own code to your website.
Fifth, and the most securing tip, is to lock down the WP-Admin to your IP only.
What I mean by this, is block all other computers on the internet from accessing your WP-Admin area. Hardening WordPress talks about securing wp-Admin with a Basic Auth password protection, so it like double authentication. What I’m referring too, is to deny access to the wp-Admin from all internet addresses except your own. Adding this line of code (with your updated IP Address in it) to the .htaccess file in the wp-admin folder will protect you.
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
This will only allow your internet’s IP address to access the wp-admin area.
What are your ways to securing your WP-Admin area? Let me know in the comments below!