PHPMatters Help You Better Hosting Your PHP-based Sites
Top 10 Tips You Must Take for WordPress Security

Top 10 Tips You Must Take for WordPress Security

Nothing is 100% safe and secure, and WordPress is no exception. Even, being widely used by millions of webmasters for website building, this open source CSM is the main target for malicious hackers. Therefore, if you are a WordPress user, you’d better check the following 10 measures and try them accordingly on your website, with which you can increase WordPress security greatly and protect your site against the potential dangers.

Tip 1 – Pick A Secure WordPress Hosting Provider

This practice at least can guarantee you a server-side security. Generally, a quality and secure web host only adopts the robust web servers to host your site, utilizes suPHP as the handler of PHP, keeps backing up your site on a daily basis, and offers some advanced features such as Hotlink Protection and Password Protection. All of these things can keep you away from the hacking issues effectively.

Besides, the truly secure WordPress hosting providers do not oversell their hosting service to much. Instead, they will keep the number of hosted sites on a single server machine to a moderate level. This can reduce your chances to be affected by bad neighborhoods effectively.

As for our recommendations of safe WordPress hosting, you can take the following three options into account. All of them are leading web hosts that have been trusted by a large number of WordPress users.

Tip 2 – Update WordPress, Themes and Plugins

We have to note that every piece of the new release for WordPress includes the fixes and patches that can deal with the current or potential vulnerabilities. Therefore, if you fail to keep your WordPress updated with the latest version, you may leave your site open to dangers and attacks. Even, as the security issues or the loopholes of the previous version are likely to be known on the web, many hackers intentionally target the websites that are using the old-version WordPress. Therefore, you’d better keep an eye on your dashboard and never ignore the notification of “Please Update Now”.

WordPress Update Notification

The same applies to your current templates and plugins. According to the online research, 43% of WordPress hacking issues are caused by the loopholes of plugins and themes.

Tip 3 – Set Up the File and Folder Permission

To keep some malicious intruders away from entering your valuable data and contents, having the file and folder permissions proper configured is essential. This practice simply determines that who can do what for your files, such as reading, editing, accessing and modifying, etc.

The detailed information for this aspect can be found in this how-to tutorial. Here, we only want to mention you one thing – do not set the permission mode to 777, for this mode allows anyone to access, read and execute your files.

Tip 4 – Disable the Function of File Editing on Your WordPress Admin

By default, WordPress allows you to edit all your theme files via the dashboard. You only need to click the Editor button from the Appearance tab, thus can make some modifications using the coding stuff. Likewise, if some hackers get your dashboard login credential and enter your website back-end, it is easy for them to do something bad via the function.

Therefore, you’d better disable file editing using the following line of coding. After adding it to your wp-config.php file, you can remove the capability of editing all your theme files totally.

define('DISALLOW_FILE_EDIT', true);

Tip 5 – Safeguard Your Login Page for Better Admin Security

The login page is an effective barrier for preventing bad guys from entering your website back-end, so protecting this special webpage is essential to benefit WordPress security.

The common tips about this aspect include utilizing strong password and username, customizing the login URL, restricting the login attempts, hiding login error messages, adopting the two-factor authentication and many more. You can check this post to know how to carry out them in a detailed manner.

Tip 6 – Fight Against the Brute Force Attacks

Some malicious intruders try to hack your site by focusing on the vulnerabilities of WordPress, while others simply use the Brute Force Attacks to gain access to your site. These hackers guess your login information over and over again, thus being able to hack a site that uses the default username of “admin” and a simple password such as “1234567”. This is the main reason as why we always emphasize the importance of hard-to-guess username and strong password.

Besides, you also need to take some other practices to defend against this kind of attack, such as adding an account lockout, injecting password pauses, using the CAPTCHA for authentication, prompting the secret questions and many more. The detailed information can be found in this post.

Tip 7 – Change the Value of user_nicename Using phpMyAdmin

Many WordPress users are unaware of the fact that their username might be exposed easily via the author archive page.

By default, if your username is “susan”, then your author archive link is http://www.domainname.com/author/susan. In this case, you should make some configurations to make your username and the suffix of your author archive URL different. For this, you need to enter into your WordPress database and target the user_nicename. Below are the detailed steps.

  • Log into your control panel and click the phpMyAdmin button.
  • Target the right database for your current WordPress installation and then click wp_users.
  • Click the Edit button next to your username. Here, you can find that the values of user_login and user_nicename are the same. Now, you need to make them differently by changing user_nicename and making it match the value of display_name.

Change user_nicename

Tip 8 – Take Advantage of WordPress Security Plugins

This is an effective method of newbies. The Plugin Directory of WordPress offers a large number of useful tools to improve your website security greatly. Among all the options, the BulletProof Security, Wordfence Security and Sucuri Security are the most widely used plugins.

Tip 9 – Backup Your WordPress Site Regularly

We have to tell you a truth that you can never wipe out the hacking issues totally no matter what methods you have taken on your site. You can only try your best to prevent the potential dangers with the above-mentioned tips. Even in this way, we cannot guarantee you a risk-free WordPress site in total.

Therefore, it is recommended for you to back up your site regularly just in case. With these backup files, you can bring everything back to normal with much ease. Here, we have concluded some tips about this method.

  • Never count on the backup service offered by your web hosts. They are not responsible for this practice and will not compensate you if the backup files are not complete.
  • Backup your WordPress site in a thorough manner, including all the files, data, folders and contents.
  • Keep the backup frequency at twice a week and locate the back files at a safe place.

Tip 10 – Monitor Your Website

In fact, when hackers attack you, they always leave some traces on your site. Therefore, you should keep a close eye on your whole site. Once there are something abnormal, you should have a check to figure out whether there are someone is trying to hack you.

At present, Watcher and OSSEC are the hot options for WordPress users to monitor their sites, with which you can be altered automatically and promptly for some changed or added files, folders and logs.