One of the most important things you can do when building a WordPress site is make sure it’s secure.
While you can never get site security up to 100%, you can certainly shoot for 99% and you can accomplish that by enacting measures — both big and small — that account for every access point of your site and its vulnerabilities.
[source: WPExplorer] Now, some of you might already think your site is pretty secure. And that’s great, but why not take a couple of minutes and run through this list I’ve put together of things to look for with regard to WordPress site security? You’ll walk away with an action plan or feel more confident about your existing measures — and both are good things.
Here are 10 things you should look for or pay attention to to ensure your site is as secure as it can be.
Limit Dashboard Accessibility
When someone has access to your WordPress dashboard, they can add new posts and pages, upload files, and change your settings. An inexperienced person could make a mistake without realizing. Or, the intent could be more malicious. Regardless, you should only give those access to your dashboard whom you trust.
You can whitelist your IP address to restrict anyone not at your IP from accessing your dashboard, which can greatly reduce hacking attempts. Of course, you’d need to always access your site’s admin from the same IP.
To do this, add a new .htaccess file to your wp-admin folder then add this code:
order deny,allow
allow from YOUR IP ADDRESS
deny from all
And if you want to protect your theme and plugins from editing by unauthorized users, you can add this code to your wp-config.php file:
define( ‘DISALLOW_FILE_EDIT’ , true );
Block Directory Browsing
You likely already know that websites are set up so that files are contained within folders on a server. Typically, someone can browse the contents of each folder or directory, which could leave you open to malicious hacking attempts. You can make it so the contents of certain folders aren’t viewable to the public at large, however. This is an obscurity tactic and though it won’t make your site 100% safe, it gives hackers less info to work with, and less info is what you want.
To block directory browsing, open up your .htaccess file again and insert the following code at the very bottom:
Options -Indexes
That’s all there is to it!
Remove WordPress Version Information
WordPress themes used to automatically output the WordPress version number you’re using in thetag of the site. However, WordPress itself now inserts this information and while it’s useful for WordPress to know when analyzing who is using what, leaving this information so it’s available to anyone who takes a peek at your code is a security hazard.
Why? Because giving a hacker the version number outright makes their job easier. And you don’t want to make a hacker’s job easier! Instead, just insert this code into the functions.php file for your theme:
function remove_wp_version() { return ”; }
add_filter(‘the_generator’, ‘remove_wp_version’); This will remove the version number and add another layer of security to your site.
Evaluate Your Username and Password
You’ve heard this advice time and time again but you really, really need to listen to it. Choosing a difficult username and password is important for your site’s overall security. First of all, never use “admin” as your username. Since it’s the most popular username for WordPress, leaving this the same is like giving hackers half of your data.
Second, use a series of numbers, letters and symbols for your password. Basically, make it impossible for a human to guess, and extremely difficult for a machine to crack.
Perform Regular Site Backups
Many people roll their eyes when they hear they need to backup their sites often. Not because they don’t understand it’s important; rather, because the thought of backing up an entire site is exhausting. A lot of people just don’t want to commit the time and effort into the project.
Thankfully, backups can be completely automated these days and are actually a wise solution because they can be scheduled in advance. That way, you’ll never forget to backup your site again. The WordPress Codex has detailed instructions on how to backup your site manually. Or, you can opt for a plugin-based solution (Backup Buddy and VaultPress are two options we’ve used before here at WPExplorer).
Keep Your Site Up-to-Date
Hackers come up with new strategies to wreck websites on a daily basis. So running an outdated version of WordPress is just asking for trouble, especially since WordPress publishes the flaws and security holes in previous versions as soon as a new version is released, as seen in the above photo. Always make sure your site is running the latest version for optimum security.
Pick Secure Themes
It’s also important to select themes that have a good reputation. Those made by less than reputable developers or that don’t have the cleanest code could open up your site to security vulnerabilities once installed. Read reviews of themes before you install them and if you’re purchasing a premium theme, always purchase one from a well-known site.
Likewise, always install theme updates when they become available. What was said above about keeping the WordPress core files up to date applies here as well.
Pick Secure Plugins
What I said above about themes applies to plugins, too. Though the advice is likely doubly true for plugins since they can sometimes contain malware or malicious code. Don’t download a plugin from a developer you don’t recognize and always install updates when they become available to maintain site security.
Protect Your Files
One of the most important files on your entire WordPress site is the wp-config.php file. It stores a tone of data about your site, include details about your database and the settings for the site as a whole. A hacker with the right knowledge-base could change everything about your site just with this file’s info. So, as you can imagine, it’s important to protect it.
Thankfully, you can with a relatively simple fix. All you need to do is add the following code snippet to your .htaccess file just below where it says # END WordPress:
order allow,deny
deny from all
Pick the Right Hosting Provider
A lot of your site’s security comes down to the WordPress hosting provider you choose. While I can’t tell you which host is best — there are way too many variables to consider to discuss in this article — I can tell you that reading reviews is imperative to making a wise decision. Be sure to evaluate a host’s security, backup solutions, and server type before coming to a final choice (we talk mare about what to consider when choosing a host in our post about selecting the right host and our post about the best host for you).
Remember: the host you select will play a direct role in how quickly your site loads, its uptime, and how secure your public and private data are. It’s not a decision to be taken lightly.
Conclusion
This list is by no means complete but it should definitely give you a well-rounded place to start in terms of identifying potential security holes and enacting solutions to protect your site from hackers. It should also have the benefit of giving you a little bit more peace of mind. After all, it’s typical to invest hundreds of hours in the development and implementation of a website. Protecting it is imperative.
What measures do you take to protect your site? Do you prefer taking a manual approach or using plugin-based solutions? Let us know in the comments!