In the last year I’ve seen a number of WordPress sites that have been hacked due to lapse security measures – most of which are easily fixed. This article will provide some basic security enhancements to protect your WordPress website from attack. Even with the following security improvements, it’s highly unlikely that you will be able to protect your website from hack attempts so I would always suggest you regularly backup your WordPress themes and ensure you make regular WordPress backups.
Security in WordPress is taken very seriously, but as with any other system there are potential security issues that may arise if some basic security precautions aren’t taken. This article will go through some common forms of vulnerabilities, and the things you can do to help keep your WordPress installation secure.
1. Password protect the wp-admin directory
By password protecting the WordPress admin area, if a malicious user tries to access your WordPress admin area login page to launch a brute-force attack, or any other file which resides in the wp-admin directory to send a harmful crafted HTTP request, they are greeted with a server side login prompt.
AuthUserFile /etc/httpd/.htpasswd AuthType Basic AuthName "restricted" Order Deny,Allow Deny from all Require valid-user Satisfy any
This security precaution may be a bit overkill for most people and its not recommended for begginner WordPress users. Alternatively you can install and use a plugin to help maintain security.
2. Don’t broadcast what version of WordPress you’re using
Unknown to most average users of WordPress, there is a HTML tag in the markup of your page called “Generator”, and this will show what version of WordPress your website is using. Normally this isn’t an issue if your using the latest version of WordPress but I personally think that having this in the markup of your page is a bad idea. To remove this from your page and RSS feed markup, simply add the following code to the functions.php file inside your active theme.
3. Install and use the Login LockDown plugin to restrict failed login attempts
If a hacker is trying to gain access to a WordPress powered website then Simple Login Lockdown prevents brute force login attacks/attempts on your WordPress installation. I use and would recommend Simple Login Lockdown as this has a variety of customisation options available.
4. Don’t use the default WordPress admin account
When you setup a self-hosted WordPress website the default account is ‘admin’. Most people don’t change this from the default. It is a potential security risk keeping this account active and in use as most automated scripts try to use a brute force attack to try and guess the password for the admin account. In WordPress click on “Users” on the left hand side and create a new user account with a strong password and make sure this account has full administrative access. Once you’ve done this you can then go back to the user overview screen and delete the admin account.
5. Use strong passwords for your user accounts
I would highly recommend using different and strong passwords for every website you frequently use. I use a website called SafePass (safepasswd.com) to generate random and secure passwords. If a hacker is using a brute force attack on your WordPress website then it will run through a list of words – if your password used special characters, numbers and letters in a random sequence then it makes it harder for a brute force attack to succeed. It is recommended that passwords are longer than 10 characters in length but you can always have longer passwords for maximum security.
6. Keep WordPress up to date with the latest updates
Like many modern software packages, WordPress is updated regularly to address new security issues that may arise. Improving software security is always an ongoing concern, and to that end you should always keep up to date with the latest version of WordPress. Older versions of WordPress are not maintained with security updates. I always ensure my hosting clients are running the most up to date version of WordPress, as you can see from my Website hosting blog.
7. Make regular backups
Backing up your WordPress website isn’t really going to improve the security of your WordPress website, but its vital if security on your website has been compromised. There are many different plugins for WordPress but I use and would recommend. When backing up your website you need to ensure you backup the following:
- The Database – This is where your WordPress content is stored
- The WordPress uploads folder – This is where any uploaded media is stored
- Your theme directory – These are the files that define how your website looks
If you make regular backups of your website then its a good safeguard if your WordPress website is hacked. In most cases you can restore your website from a backup if its been hacked and change all your user password to reduce the chance of the site being hacked again.