WordPress is becoming one of the more popular CMS for new websites. Not only is it easy to use, it also comes with many plugins and themes for you to choose from, making it extremely customizable. However, like all other popular platforms, it is also more prone to hacking. For those who are not sure how to beef up your WordPress security, here is a checklist for you to follow to keep your site safe.
1. Secure the login
The best way to block hackers is to prevent them from logging into your site. You can use a lockdown plugin such as Simple Login Lockdown that can limit the number of login attempts from an IP range within a certain timeframe. It will help to prevent hackers from brute force attack. You can also add two-factor authentication, which will require you to enter an additional code to login. For those who are uncomfortable with usernames, you can log in with your email address, which is probably more difficult for the hackers to guess.
For a more extreme measure, rename the “wp-login.php” file to something else (such as “log-in.php”) so that the hacker won’t know the correct login URL. You can change this via an FTP client.
2. Remove login link from the theme.
Some WordPress themes have login links in the themes to allow easy access to the login page. There is no need to advertise your login page and invite everyone, particularly the hacker, to access it. Either you remove the login link from the theme, or if you can’t remove it, change to another theme.
3. Add password authentication to wp-admin folder.
This is something that many of the more popular sites do. Add a password protection to the “wp-admin” folder. Anyone who accesses this folder will have to enter the correct username and password (in addition to the user login).
The easiest way to add password authentication is via CPanel. Log in to your CPanel and select the “Password Protect Directories” option.
4. Don’t use themes from questionable sources.
There are a lot of really great and interesting themes out there, and they are accessible from just a simple Google search. The problem is, not all themes are safe to use, and some aren’t properly coded.
To find a reputable theme:
1. Search from the WordPress theme repository. All the themes listed in the repository are vetted thoroughly by the WordPress team, so they will be safe to use.
2. Search through a reputable marketplace like ThemeForest.
5. Update WordPress, theme and plugins to the latest versions.
The WordPress team and the plugin developers work hard to make WordPress and their plugins safe, but you can reap the result of their hard work only if you continuously upgrade them to the latest version. If you are on an older build of WordPress or a plugin or theme, there could be security loopholes that are waiting to be exploited.
6. Change the default table prefix in the WordPress database.
WordPress uses a pre-defined prefix for your database so it can distinguish itself from other databases. The default prefix is “wp_”. It is best to change it to another prefix so hackers can’t hack your database easily.
For a new WP installation, you can change the table prefix in the “wp-config.php” file (you must change it before installing WordPress).
For existing WordPress users, you can follow the instructions listed here to change your table prefix.
7. Replace the default administrator account
If you have used WordPress since the early days, chances are your administrator account is still using the “admin” username. One way to protect yourself is to create an additional admin account with another username and delete this default “admin” account. Use this new administrator account only for administrative work and never post any articles with this account (you can setup another Editor account for that). It is harder for hackers to get ahold of your administrator username.
8. Implement SSL for the WordPress Admin.
An SSL connection is useful to prevent others from eavesdropping on your connection and access the data you are transmitting over the network. You can connect your web host and get them to implement SSL for your WordPress Admin area.
9. Scan your site regularly for virus and malware
Anti-virus for WordPress are just plugins that can scan your site for virus and malware. Plugins such as WordFence, Sucuri, WP Security Scan, VIP scanner and Exploit Scanner are all useful scanner plugins.
10. Use a strong password
The same old rule applies: choose a password with upper and lower case letters, numbers and special characters. It should also have nothing to do with a birthday, anniversary, address, etc. It should also be changed fairly often.
11. Perform regular backups of WordPress.
This is a preventive measure so that if your site is hacked into and destroyed, you still can restore it from the backup.
One useful backup plugin is BackWPup that allows you to back up your site to the various cloud services.
12. Uninstall and remove unnecessary themes and plugins
If something becomes outdated on your site, such as a theme or plugin, make sure you remove it right away. Those old plugins and themes aren’t as safe as the newer ones. Additionally, make sure you don’t leave any files around that could give away pertinent info.
13. Audit your Web host.
This isn’t part of WordPress, but the server hosting your site can still help with WordPress security. Make sure your Web host is worth its salt. Some Web hosts provide cheap hosting plans for a reason, and you often have to pay for it via other means (like slow network, time spent fixing a hacked site etc). Make sure you read reviews and check out the Web host thoroughly (and make sure they’re implementing all needed security measures) before committing your money to it.
Above all, remember the three rules suggested by WordPress – limiting access, containment, and preparation and knowledge. If you stick to those base rules as well as run through this checklist, your efforts at WordPress security and protecting your site from hackers will be successful.
We have compiled this checklist into a PDF file so you can easily save it and access it. Download it here.
What other ways do you use to protect your WordPress site?