WordPress’ extensibility also increases its exposure: plugins and themes house flawed logic, loopholes, Easter eggs, backdoors and a slew of other issues. In WordPress’ core, all security issues are quickly addressed; the WordPress team is focused on strictly maintaining the integrity of the application. The same, however, cannot be said for all plugins and themes. Over the past two years, web malware has grown around 140%. At the same time, WordPress has exploded in popularity as a blogging platform and CMS, powering close to 17% of websites today.
This post will suggest 10 tips to make WordPress ten times more secure.
#1 Stay updated to the latest WordPress version. Thankfully, WordPress is pretty secure out of the box, and the team provides frequent security updates. The most important thing for self-hosted WordPress websites is to stay updated to the latest WordPress version.
#2 Create Custom Secret Keys for your wp-config.php
Secret keys are one of the bits of information stored in that file, so make sure you change the default secret keys to something else. If you are not sure what to put in place of the default values, use this link – https://api.wordpress.org/
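If you would rather not fetch the keys from a remote service, they can be generated locally. The script below is an added example and not code from the original post; it assumes only /dev/urandom and the coreutils base64 utility. It prints the eight define() lines WordPress expects, ready to paste over the placeholder block in wp-config.php.

```shell
#!/bin/sh
# Added example (not from the original post): generate the eight wp-config.php
# secret keys locally instead of fetching them from api.wordpress.org.
# Assumes /dev/urandom and the coreutils base64 utility are available.

# Print one 64-character salt. 48 random bytes base64-encode to exactly 64
# characters with no '=' padding, and the base64 alphabet (A-Z a-z 0-9 + /)
# contains neither the single quote nor the backslash, so the value can be
# placed inside a PHP single-quoted string unchanged.
gen_salt() {
  head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Emit the define() lines that replace the placeholder block in wp-config.php.
# These are the eight constant names WordPress uses for cookies and nonces.
wp_salt_block() {
  for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
              AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    printf "define('%s', '%s');\n" "$name" "$(gen_salt)"
  done
}

# Usage: ./wp-salts.sh --print > salts.txt, then paste the output over the
# "put your unique phrase here" lines in wp-config.php.
if [ "${1-}" = "--print" ]; then
  wp_salt_block
fi
```

Changing these keys invalidates every existing login cookie, so all users are logged out once the new values are in place. That is exactly what you want after a suspected compromise, and it is harmless otherwise.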
#3 Change the Database prefix values
A lot of the basic setup for WordPress is the same across many sites, especially if you use a one-step install wizard through your web host. This is very convenient, but as a result common setup values such as your database prefix are known to attackers. If you don’t change the database prefix, the table names of your site’s database are easily known to anyone trying to attack your site.
#4 Protect your wp-config.php file
As mentioned earlier, this file contains all the confidential details of your website. An easy way to protect this file is to place the following code in the .htaccess file on your server.
<Files wp-config.php>
order allow,deny
deny from all
</Files>
#5 Protect the .htaccess file
We can protect the wp-config.php file as shown above, but what about protecting the .htaccess file itself? The same .htaccess file can be used to protect itself from being tampered with. You just need to place the code below in your .htaccess file.
<Files .htaccess>
order allow,deny
deny from all
</Files>
#6 Hide your WordPress version
To do this, place the code below in the functions.php file of your active theme.
remove_action('wp_head', 'wp_generator');
You can go one step further and additionally remove it from RSS feeds using this:
// Return an empty generator string so feeds do not advertise the version.
function wpt_remove_version() {
    return '';
}
add_filter('the_generator', 'wpt_remove_version');
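After making the #6 changes it is worth verifying that the version is really gone, because wp_head and the_generator are not the only places it appears. The script below is an added example, not code from the original post: it counts version leaks in a saved copy of a page or feed. The input paths are assumptions and the sample documents it writes are constructed, with the real version number replaced by a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a saved copy of
# a page or feed still leaks the WordPress version after the functions.php
# changes above. File paths are assumptions; the sample documents below are
# constructed, not captured from a real site.

# Count the lines in a document that reveal the version:
#   - <meta name="generator" ...> in the HTML head (what wp_generator prints)
#   - <generator> elements in RSS/Atom feeds (what the_generator prints)
#   - ?ver=... query strings on enqueued scripts and styles, which the
#     remove_action / the_generator changes do not touch
count_version_leaks() {
  grep -Eic 'name="generator"|<generator>|[?&]ver=' "$1" || true
}

# Same check with a one-word verdict, for use in a deployment checklist.
verdict() {
  n=$(count_version_leaks "$1")
  if [ "$n" -eq 0 ]; then echo "clean"; else echo "leaks:$n"; fi
}

# --- constructed samples ---------------------------------------------------
# A page as WordPress emits it by default (version replaced by X.Y.Z).
write_default_page() {
  cat > "$1" <<'EOF'
<html><head>
<meta name="generator" content="WordPress X.Y.Z" />
<link rel="stylesheet" href="/wp-content/themes/t/style.css?ver=X.Y.Z" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.2.3"></script>
</head><body></body></html>
EOF
}

# The same page after remove_action('wp_head', 'wp_generator'): the meta tag
# is gone, but the ?ver= query strings still give the version away.
write_hardened_page() {
  cat > "$1" <<'EOF'
<html><head>
<link rel="stylesheet" href="/wp-content/themes/t/style.css?ver=X.Y.Z" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.2.3"></script>
</head><body></body></html>
EOF
}

# A feed before the the_generator filter is applied.
write_feed() {
  cat > "$1" <<'EOF'
<rss><channel>
<generator>https://wordpress.org/?v=X.Y.Z</generator>
</channel></rss>
EOF
}

# Usage: ./wp-version-check.sh saved-page.html   (prints clean or leaks:N)
if [ -n "${1-}" ]; then
  verdict "$1"
fi
```

Run it against `curl -s https://example.com/ > page.html` and `curl -s https://example.com/feed/ > feed.xml` (example.com is a placeholder). The hardened sample still reports two leaks, which is the point: the query-string versions on enqueued assets are added by WordPress' script and style loaders and need the `script_loader_src` and `style_loader_src` filters to strip the `ver` argument, and the copy of readme.html shipped in the document root also states the version.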
#7 Install a WordPress security scan plugin
Download it from here:
http://wordpress.org/extend/
#8 Don’t Use “admin” As Your Username (and Pick Strong Passwords)
WordPress normally sets up your main admin account name as “admin”, so it’s usually the first username that attackers will try. As of version 3.0 you can change this during the initial setup, but it’s easy to forget that you can go back and change it even if you set up your site before version 3.0. So, pick a name other than admin 😉
#9 Backup
I have placed backup as the last item here, but don’t consider it less important. Regular backups of your site will make you feel safer than anything else above. There are several plugins available for WordPress which manage the backup for you.
Here are some free plugins for WordPress backup.
Backup WordPress
WP DB Backup
Dropbox backup
#10 Always, always connect securely to your server. SFTP and SSH are preferred.
A quick and easy method is to change ownership of the file, or to reduce the file’s permissions so that only the owner has permission to modify it. However, if your root account is compromised, that won’t do you much good.
Sources:
http://wp.smashingmagazine.
http://www.problogger.net/
http://pcadvisor.co.uk