Table of Contents
- 1. Secure wp-config.php
- 2. Create Strong Passwords
- 3. Install a Security Plugin
- 4. Change Your Login Username if You’re Using the Default ‘admin’
- 5. Keep WordPress Core Files, Themes and Plugins Updated
- 6. Be Cautious of Free Themes
- 7. Setup Scheduled Backups
A common misconception is that newly launched websites are problem-free, never go offline, and never need an update. Many website owners ignore required WordPress updates and upgrades to the programs running their website until their website gets hacked and they have to pay hundreds – or thousands – of dollars to get the server cleaned up and the site back online.
There are WordPress security measures you can take in order to prevent (as much as possible) your site from getting hacked in the first place.
This is, of course, a short list of things you can do right now in order to help secure your WordPress site.
1. Secure wp-config.php
One of the most important files in your WordPress installation is the wp-config.php file. This file is located in the root of your WordPress file directory and contains your website’s base configuration details, such as database connection (login) information.
When you first install WordPress, the wp-config.php file isn’t included. The WordPress setup process will create a wp-config.php file for you based on the information you provide. The install does, however, come with a sample file named “wp-config-sample.php” that you can use if you’re doing a manual install (instead of a one-click install).
After your wp-config.php file has been created, delete the sample file from your server. To help secure the wp-config.php file you can add the code below to the top of your .htaccess file. BE VERY CAREFUL when making changes to your .htaccess file; you could end up taking down your entire website. So, BEFORE you make any WordPress security changes to that file, make sure you have a backup copy ready to replace your edited copy.
Locate and open the .htaccess file to edit it in the default text editor on your computer (or in the Edit window if you’re doing this in your cPanel).
Add the Deny from all rule to the very top of the .htaccess file so that the wp-config.php file is never served to any visitor, bot or search engine.
While you’re already editing that file, you can also hide the .htaccess file itself by adding the matching rule to the top of the file.
Remember to save the file when you’re done editing.
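The .htaccess rules referred to above, written out as an added example (not the original post’s own snippet): one FilesMatch block denies web requests for both wp-config.php and .htaccess. It assumes the Apache web server; the Order/Deny directives are the Apache 2.2 syntax, and the IfModule test switches to Require all denied on Apache 2.4 and later, where mod_authz_core exists.

```apache
# Added example: block direct web requests for wp-config.php and .htaccess.
# Put this at the very top of the .htaccess file in the WordPress root.
<FilesMatch "^(wp-config\.php|\.htaccess)$">
    # Apache 2.4 and later (mod_authz_core is only present on 2.4+)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 and earlier
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

To confirm the rule is active, request https://your-site.example/wp-config.php (placeholder domain) in a browser: a 403 Forbidden response means the file is blocked, while a blank page or a download means the rule was not applied.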
2. Create Strong Passwords
When it comes to WordPress security, weak passwords continue to be one of the key ways that hackers gain access to your website.
Tips:
- Strong passwords do not include common words that can be found in a dictionary.
- Never use personal information for your password, such as a birthday, your email address, or your (or a family member’s) name.
- Use long – and different – passwords for EACH of your online accounts. If you’re having a hard time coming up with a password, you can use an online password generator, such as the 1Password Generator.
You can change your WordPress login password by visiting Users > Your Profile and scrolling down to the Account Management section.
3. Install a Security Plugin
Wordfence has been downloaded over 200 million times, so they must be doing something right. This is one of a few plugins that get installed on every WordPress site I set up. There’s a free version available; however, if your business is not global, I highly recommend their paid version, because it comes with added WordPress security features. One of these is Country Blocking. You can block every country on the planet! I’ve found this extremely useful!
Wordfence also has a Web Application Firewall. According to the good folks at Wordfence, the Web Application Firewall stops you from getting hacked by identifying malicious traffic, blocking attackers before they can access your website.
Don’t want to use Wordfence? Hubspot lists 16 WordPress security plugins (with Wordfence being at the top of their list).
4. Change Your Login Username if You’re Using the Default ‘admin’
If you didn’t change the default “admin” username when you installed WordPress, change it right now. Every time hackers try to perform one of their brute-force attacks on any WordPress site, they’ll use ‘admin’ as their go-to username. Words like “admin,” “info,” and even “wordpress” are the most often used usernames I see in hacking attempts. If you’re using “admin” to log into your site, change it to something more complex.
You can change your WordPress username by:
1. Manually creating a new user with administrator rights
2. Changing the username in phpMyAdmin or
3. With the help of a plugin
The easiest way to change your username is by creating a new user and assigning the role of administrator. To do that, log into your Dashboard, and click on Users > Add New.
Create a new user with your desired username and assign yourself as an administrator. Make sure to use a different email address, or change the old admin email address if you want to use it for your new admin name.
Then log out and log back in with your new username and password. Next, go to Users and simply delete the old user with the name ‘admin.’ WordPress will ask you what to do with the existing user’s content; assign it to the new admin that you just created.
5. Keep WordPress Core Files, Themes and Plugins Updated
Whenever you log in to your site, you can check for available updates by going to Dashboard > Updates. Keeping the core WordPress software, theme and plugins updated is an important MUST-DO WordPress security measure.
If you’re using a plugin that hasn’t been updated in over two years, you may want to search for one that is better supported.
If you’ve installed the Wordfence plugin you will receive email notices whenever there’s an upgrade that needs to be done, or whenever there are login attempts from unauthorized users.
NOTE: If your theme files have been directly edited (i.e. code changes or customization) by yourself or a developer, then updating will overwrite those changes unless you’ve made the changes from an interface in the theme admin.
6. Be Cautious of Free Themes
Many free themes can have malicious code in them, so consider the source and reputation of the theme developer. If you’re really set on using a free theme, there are online tools and WordPress plugins that you can use for detecting malicious code — both before you start creating your website and at any point in time once your site goes live.
Also, remember to remove inactive themes and plugins. Inactive plugins and themes present potential entry points for hacking attempts since (most likely) you’re not updating them. Deleting all of them will save you time and also helps speed up your website.
7. Setup Scheduled Backups
This may not be a “security” tip, but it’s definitely something that needs to be included under the Safe and Secure umbrella. If anything goes wrong with your site, even if it’s not a security issue, you’ll be able to revert to your backups. There are many options for backing up your site. My personal favorite is to simply use the VaultPress plugin. This plugin has come to the rescue for a few of my clients.