
How to secure WordPress

WordPress runs a very large share of the websites on the internet, which makes it a constant target: attackers scan for installs with weak passwords, outdated plugins and writable directories, not for the fact that the software is open source. Finding one day that your website has been hacked and its files compromised is avoidable if the site is secured properly. That is why we have gathered the best solutions for the security of your website in one tutorial.

Basic security of WordPress

Taking care of your website should start with the installation, so that the basic protections are in place from day one. If your website is already installed, the same steps below will secure it:

  1. Create a strong, unique password for the admin account when you create the website, and choose a username other than the default "admin", which every brute-force tool tries first.
  2. Set strong passwords for your FTP/SFTP account, the database user and the hosting account as well; each of them is a separate way to reach the files.
  3. Always keep WordPress itself, plugins and themes up to date, and delete plugins and themes you no longer use.
  4. Move the wp-config.php file in order to protect it. WordPress looks for it one directory above its own folder (not in an arbitrary folder), so moving it exactly one level up keeps the site working while taking the file out of the public web root.
  5. Disable the built-in file editor, so that someone who gets into the dashboard cannot write PHP into your plugins and themes, by placing the following line into wp-config.php above the line that requires wp-settings.php: define('DISALLOW_FILE_EDIT', true);
  6. Always set the correct file permissions: 644 for files and 755 for folders, so that other accounts on the server cannot write to them. wp-config.php holds the database password and should be tighter (640, or 600 when PHP runs as the file owner). Never use 777.
  7. Protect your directories by disabling directory listing, so that a visitor cannot browse a folder that has no index file. Place the following line into the .htaccess file: Options -Indexes (use this form rather than "Options All -Indexes": Apache rejects a line that mixes an option carrying a + or - sign with one that does not).
  8. Disable PHP execution in folders that only hold uploaded content, above all wp-content/uploads, so that a file an attacker manages to upload cannot be run. Put the rule in an .htaccess file inside that directory, not in the main .htaccess, or WordPress itself stops working. A bare "deny from all" would also block the images, so limit it to PHP files: <Files *.php> deny from all </Files> (on Apache 2.4 without mod_access_compat, write Require all denied instead of deny from all).

Secure the admin area of WordPress

The admin area is the most valuable and the most attacked part of your website. Anyone who gets into it can install plugins, edit files or delete the entire site. That is why we have prepared a few basic steps you should take to protect the admin area:

  1. The admin area of WordPress is reached by default by typing wp-admin or wp-login.php after the domain, so hackers know exactly where to brute-force the login credentials. We recommend using a custom login page URL for your website (a plugin or your own rewrite rule can do this). It takes the site out of the reach of bulk scanners; a targeted attacker can still find the page, so it complements a strong password and two-factor authentication rather than replacing them.
  2. Log in with a username that is not exposed on the site. WordPress also accepts the account's e-mail address as the login name, but the username itself is normally exposed through the author archive URL, so choose one that differs from the display name and is not the default "admin".
  3. Protect the wp-admin folder with a directory password (HTTP basic authentication) set from your hosting account, so that a second credential is needed before the WordPress login form is even shown. Exempt wp-admin/admin-ajax.php from it, because plugins call that file from the public front end for visitors who are not logged in.
  4. Secure the website by installing an SSL/TLS certificate for the domain and serving everything over HTTPS, so that passwords and session cookies are never sent in clear. Add define('FORCE_SSL_ADMIN', true); to wp-config.php so the login page and dashboard refuse plain HTTP.
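The file-system steps from the basic-security list and the admin-area steps above, carried out by one script. This is an added example written for this page, not code from the original tutorial or from WordPress. It assumes an Apache 2.4 host where .htaccess overrides are allowed, a WordPress root passed as the first argument, and an .htpasswd file already created with htpasswd (second argument); the make_demo_tree helper builds a throw-away stand-in tree so the script can be tried offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial or of WordPress.
# Hardens a WordPress install on Apache 2.4 as the basic-security and
# admin-area steps describe. Assumed: .htaccess overrides are allowed,
# $1 is the WordPress root, $2 is an existing .htpasswd file.
set -eu

# Insert define('NAME', VALUE); into wp-config.php unless already present.
# It goes above the require of wp-settings.php: constants such as
# FORCE_SSL_ADMIN are read while wp-settings.php loads, so a define placed
# after that line is too late.
set_wp_constant() {
  local config=$1 name=$2 value=$3
  if grep -Eq "define\( *['\"]$name['\"]" "$config"; then
    return 0                      # already set; do not add a duplicate
  fi
  awk -v line="define('$name', $value);" \
      '/wp-settings\.php/ && !done { print line; done = 1 } { print }' \
      "$config" > "$config.tmp" && mv "$config.tmp" "$config"
}

# Uploads never need to execute PHP. A bare "deny from all" would block the
# images as well, so the rule is scoped to PHP-like extensions.
protect_uploads() {
  local uploads=$1/wp-content/uploads
  cat > "$uploads/.htaccess" <<'EOF'
Options -Indexes
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# HTTP basic auth in front of wp-admin. admin-ajax.php stays reachable
# because front-end plugins call it for anonymous visitors.
protect_wp_admin() {
  local root=$1 htpasswd=$2
  cat > "$root/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "WordPress admin"
AuthUserFile $htpasswd
Require valid-user
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# Directories 755, files 644; wp-config.php holds the database password,
# so it gets 640 (owner and web-server group only).
fix_permissions() {
  local root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  chmod 640 "$root/wp-config.php"
}

# Octal mode of a path (GNU stat, with a BSD fallback).
perm_of() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

harden_wordpress() {
  local root=$1 htpasswd=$2
  set_wp_constant "$root/wp-config.php" DISALLOW_FILE_EDIT true
  set_wp_constant "$root/wp-config.php" FORCE_SSL_ADMIN true
  protect_uploads "$root"
  protect_wp_admin "$root" "$htpasswd"
  fix_permissions "$root"        # last, so the files written above are covered
}

# Constructed stand-in for a WordPress tree, so the script can be tried
# offline; it is not a real install.
make_demo_tree() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/wp-admin" "$d/wp-content/uploads"
  printf '%s\n' '<?php' "define('DB_PASSWORD', 'example');" \
    "/* That's all, stop editing! Happy publishing. */" \
    "require_once ABSPATH . 'wp-settings.php';" > "$d/wp-config.php"
  : > "$d/wp-content/uploads/shell.php"   # the kind of file an attacker drops
  chmod 777 "$d/wp-content/uploads"        # sloppy permissions to be corrected
  printf '%s' "$d"
}

if [ "$#" -ge 1 ]; then
  harden_wordpress "$1" "${2:-/etc/apache2/.htpasswd}"
fi
```

Create the password file first with htpasswd -c /etc/apache2/.htpasswd adminuser, keep it outside the web root, then run the script against the site directory. Running it twice is safe: the define lines are not duplicated and the permissions are simply re-applied.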

Provide security using plugins

Plugins can help a great deal with protecting your website. If you want to catch malicious content and compromised files early, consider the following:

  1. Install a login-attempt limiter: after a few failed logins from one address it blocks that address for a while and notifies you that someone is trying to get into your website. This is rate limiting rather than a firewall; a web application firewall (as a plugin or at the hosting level) is a separate layer that filters malicious requests before they reach WordPress.
  2. Install a security plugin that scans the core, plugin and theme files for changes and known malware and reports any suspicious activity on the website.
  3. Add two-factor authentication to the login page of your website with a plugin, so that a guessed or stolen password alone is not enough to log in.
  4. Use a plugin that logs users out after a period of inactivity, so that a session left open on a shared or unattended computer cannot be used by someone else to reach the admin area.
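What a login-attempt limiter does, applied offline to a web server access log: count failed logins per client address and turn the repeat offenders into a block rule. This is an added example written for this page, not the tutorial's code or any plugin's. It assumes Apache combined log format, where a failed WordPress login is a POST to wp-login.php answered with status 200 (the form is shown again) while a successful one is answered with a 302 redirect, and the log lines and addresses below are constructed for the example. POSTs to xmlrpc.php are counted as well, because brute-force tools use XML-RPC to try many passwords per request and login-page limits often miss it.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial or of any plugin.
# Finds clients hammering the WordPress login in an Apache combined-format
# access log and emits an Apache 2.4 block for them. Assumes failed logins
# answer 200 and successes 302, as WordPress does by default.
set -eu

# Constructed sample log: 203.0.113.5 fails six times, 192.0.2.9 uses
# xmlrpc.php, 198.51.100.7 is a real admin who logs in on the first try.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
EOF
)

# Reads a log on stdin; prints "ip count" for clients whose failed-login
# requests reach the threshold, sorted by address. Legitimate XML-RPC
# clients also get 200, so tune the threshold if you rely on XML-RPC.
find_login_abusers() {
  local threshold=$1
  awk -v limit="$threshold" '
    # combined format: $1 client, $6 "\"METHOD", $7 path, $9 status
    $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ && $9 == "200" { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
  ' | sort
}

# Turns the offender list (stdin) into an Apache 2.4 rule that refuses the
# login endpoints to those addresses while leaving them open to everyone else.
deny_rules_for() {
  local ip count
  printf '%s\n' '<FilesMatch "^(wp-login|xmlrpc)\.php$">' '    <RequireAll>' '        Require all granted'
  while read -r ip count; do
    printf '        Require not ip %s\n' "$ip"
  done
  printf '%s\n' '    </RequireAll>' '</FilesMatch>'
}

# Runs the pipeline over the sample log with a threshold of 5 failures.
demo_rules() {
  printf '%s\n' "$SAMPLE_LOG" | find_login_abusers 5 | deny_rules_for
}

if [ "${1:-}" = "--demo" ]; then
  demo_rules
fi
```

On a real host, feed the live log instead of the sample (find_login_abusers 10 < /var/log/apache2/access.log | deny_rules_for >> .htaccess) from a cron job, and prefer a proper limiter or fail2ban for anything that must react within seconds: this script shows the decision logic, not a production blocker.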

Security for the database of your website

Everything the website shows is stored in its MySQL/MariaDB database (a set of tables, not a single file), so protecting it is really important. Give the database user a strong password and rights only on the WordPress database, keep in mind that this password is written in wp-config.php (which is why the file permissions above matter), and change the default wp_ table prefix when you install. The prefix change is a modest measure: it defeats generic injection payloads and scripts that hard-code wp_users or wp_options, but not an attacker who can already read the schema, so it complements the other steps rather than replacing them.
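Changing the prefix on a site that already exists takes more than renaming the tables, which is the part the step above does not spell out. This is an added example written for this page, not the tutorial's own procedure or WordPress code: it prints the SQL for a single-site install, accepts any plugin tables as extra arguments (going beyond the core set the tutorial refers to), and uses the old prefix wp_ and a new prefix x7k_ as assumptions for the example. Take a backup, review the output, run it with the mysql client, then set $table_prefix = 'x7k_'; in wp-config.php.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial or of WordPress.
# Prints the SQL that moves an existing site off the default wp_ prefix.
# Renaming the tables is only half the job: the options row wp_user_roles
# and the usermeta keys wp_capabilities, wp_user_level and friends carry
# the prefix in their names, and WordPress looks them up under the new
# prefix, so every user would lose their role if those rows were left alone.
# Prefix values are assumptions for the example.
set -eu

# Core tables of a single-site install; plugin tables come as arguments.
CORE_TABLES="commentmeta comments links options postmeta posts termmeta terms term_relationships term_taxonomy usermeta users"

# WordPress only accepts letters, digits and underscores in $table_prefix.
valid_prefix() {
  case $1 in
    *[!A-Za-z0-9_]*|'') return 1 ;;
    *) return 0 ;;
  esac
}

# Usage: prefix_change_sql OLD NEW [extra_table ...]
prefix_change_sql() {
  local old=$1 new=$2 t like_old
  shift 2
  valid_prefix "$new" || { echo "invalid prefix: $new" >&2; return 1; }
  # escape _ so LIKE treats it literally (otherwise 'wp_%' also matches 'wpxfoo')
  like_old=$(printf '%s' "$old" | sed 's/_/\\_/g')

  for t in $CORE_TABLES "$@"; do
    printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
  done
  # the one options row whose name carries the prefix
  printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
    "$new" "$new" "$old"
  # per-user meta keys: wp_capabilities, wp_user_level, wp_user-settings, ...
  # SUBSTRING(meta_key, length(old)+1) strips the old prefix before the new one is prepended
  printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
    "$new" "$new" $((${#old} + 1)) "$like_old"
}

if [ "$#" -ge 2 ]; then
  prefix_change_sql "$@"
fi
```

RENAME TABLE is DDL and commits implicitly in MySQL, so the backup is your only way back; check afterwards that the usermeta table contains no keys that still start with the old prefix.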