10 Tips to Improve Security of Your WordPress Site
WordPress is one of the simplest and most versatile content management systems. Any beginner can quickly build a professional website with it.
It offers basic security out of the box to get you started, and it also lets you harden your site's security further.
In this post, you will learn 10 tips to easily enhance the security of your WordPress website even if you are a beginner.
Tip #1: Two-Factor Authentication
This is one of the simplest yet most effective steps you can take to improve the security of your WordPress website.
Two-factor authentication means that, in addition to providing a password to log into the site, users will also need to undertake an additional verification step.
That usually involves entering a specially generated code that they receive via e-mail or SMS.
Implementing two-factor authentication will protect you from brute force attacks effectively, and there are a number of plugins that turn the implementation of such a system into a breeze.
In order to set up two-factor authentication, you will first need to head to the WordPress website on the relevant device.
From there, navigate to the “Security” link. You should see an option for two-factor authentication.
Here, you can nominate the cell phone number for the two-factor authentication process.
Tip #2: Implement Login Limits
Limiting the number of login attempts that users can make within a certain time period will protect you against brute force attacks.
If potential hackers can try as many different password combinations to access your site as they like, it is only a matter of time before they breach your defenses and access the heart of your website.
Adding login limits is not difficult to do; in fact, there are numerous plugins that will take care of things for you.
Some of these plugins also offer additional security features for keeping your login page safe from intruders.
In order to limit login attempts to your WordPress site, you will need to install an appropriate plugin.
There are a number of these available. You can look here for specific instructions.
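As an added example of what such a plugin does under the hood (this is not code from the post or from any named plugin), the following must-use plugin, dropped into wp-content/mu-plugins/, locks a username/IP pair out after too many failed logins inside a time window. It uses only core WordPress APIs: transients, the `wp_login_failed` and `wp_login` actions, and the `authenticate` filter. The limit and window values are constructed choices, not recommendations from the post.

```php
<?php
/*
 * Added example (not from the original post): minimal login-attempt limiter.
 * File: wp-content/mu-plugins/login-limit.php (hypothetical name).
 */
const LL_MAX_ATTEMPTS = 5;    // failures allowed inside the window (constructed value)
const LL_WINDOW       = 900;  // window length in seconds, 15 minutes (constructed value)

// Key the counter on both the source address and the account, so one
// address cannot lock every user out and one account is counted per address.
function ll_key(string $username): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'll_' . md5(strtolower($username) . '|' . $ip);
}

// Count each failed login; the transient expires with the window.
add_action('wp_login_failed', function (string $username): void {
    $key      = ll_key($username);
    $attempts = (int) get_transient($key);
    set_transient($key, $attempts + 1, LL_WINDOW);
});

// Runs after core's own password check (priority 20). Once the limit is
// reached, refuse the login even if the password is correct, until the
// window expires; this is what defeats a brute-force loop.
add_filter('authenticate', function ($user, $username, $password) {
    if ((string) $username === '') {
        return $user;
    }
    if ((int) get_transient(ll_key((string) $username)) >= LL_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that user/address pair.
add_action('wp_login', function (string $username): void {
    delete_transient(ll_key($username));
});
```

One caveat: `REMOTE_ADDR` is the address of whatever connects to PHP. Behind a reverse proxy or CDN it is the proxy, so every visitor shares one counter; in that setup take the client address from the proxy's forwarded header, and only from a proxy you control, since that header is otherwise attacker-supplied.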
Tip #3: Change the Admin Login URL
This is a simple way of making your website that little bit harder for an intruder to crack. Most people make the mistake of leaving their admin login page URL at its default value.
A simple measure you can take to improve the security of your website is to change the login page URL to something different.
Taking this one simple step will instantly protect you from the majority of automated brute force attacks that are set to look for default login pages to attack.
Changing the WordPress login URL by hand is not a simple and straightforward process.
The best way to go about this is to download a plugin such as the “WPS Hide Login” plugin.
Once you have that installed, you can then look in the settings menu for the option to configure the plugin and set your login URL.
Tip #4: Make Passwords Secure
Your password is the first line of defense you have against potential intruders.
It is your password that keeps your website secure and prevents people from being able to walk in as they please.
You’ve probably had this piece of advice drilled into your head by every service you use.
Your online passwords should use a mix of letters and numbers and include upper and lower-case letters.
Tip #5: Make Sure the WP-Admin Directory is Protected
This is the most important directory in the whole WordPress web architecture. This directory, therefore, needs to be protected with an appropriately strong password.
By utilizing the right plugin, you can set a password for logging into the admin area of your site that is different to your normal login.
If you plan on attempting to implement this security measure, you will need to access the root folder of your site and make changes there. You should not attempt this if you aren’t certain of what you are doing.
Once in the relevant directory, you will need to create a .htpasswd file (a list of usernames and password hashes). There are online generators you can use to do this. Once you have done this, upload the resulting file outside your /public_html/ directory.
Then, you will need to create a .htaccess file and upload it to the /wp-admin/ directory. Once you have done that, you then need to add the following code:
AuthName "Admins Only"
AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
AuthGroupFile /dev/null
AuthType Basic
Require user putyourusernamehere
Make sure to place your own username in there, and that the AuthUserFile path matches where you uploaded the password file, and you will be ready to go. Basic authentication sends the username and password with every request, so pair this with HTTPS (Tip #7).
Tip #6: Force Secure Passwords
Left to their own devices, your users will find all sorts of new and creative ways to undermine your security efforts.
In order to protect both them and yourself, you should make sure that the users have to choose strong passwords when they first register for your site.
The best way of forcing your users to choose a secure password is to install the Force Strong Passwords plugin.
This plugin will ensure that anyone with high-level access to your website is using as strong a password as possible.
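Tips #4 and #6 both come down to a password policy. As an added example (not code from the post or from the Force Strong Passwords plugin), the must-use plugin below rejects weak passwords wherever WordPress accepts a new one: the profile editor, the add-user screen, and the password-reset form. It uses only core hooks (`user_profile_update_errors`, `validate_password_reset`) and the `pass1` form field those screens post. The minimum length and the individual rules are constructed choices.

```php
<?php
/*
 * Added example (not from the original post): enforce a password policy
 * through core WordPress hooks. File: wp-content/mu-plugins/password-policy.php
 * (hypothetical name).
 */
const SP_MIN_LENGTH = 12;  // constructed value

// Return a list of human-readable rule violations; empty means the password passes.
function sp_policy_violations(string $password, string $username): array {
    $problems = [];
    if (strlen($password) < SP_MIN_LENGTH) {
        $problems[] = 'Password must be at least ' . SP_MIN_LENGTH . ' characters long.';
    }
    if (!preg_match('/[a-z]/', $password) || !preg_match('/[A-Z]/', $password)) {
        $problems[] = 'Password must contain both upper- and lower-case letters.';
    }
    if (!preg_match('/\d/', $password)) {
        $problems[] = 'Password must contain at least one digit.';
    }
    if ($username !== '' && stripos($password, $username) !== false) {
        $problems[] = 'Password must not contain the username.';
    }
    return $problems;
}

// Read the submitted password (if any) and attach each violation to the
// WP_Error object WordPress uses to abort the save and show the messages.
function sp_check_submitted_password(WP_Error $errors, string $username): void {
    if (!isset($_POST['pass1']) || $_POST['pass1'] === '') {
        return; // no password change in this submission
    }
    $password = (string) wp_unslash($_POST['pass1']);
    foreach (sp_policy_violations($password, $username) as $message) {
        $errors->add('weak_password', $message);
    }
}

// Profile edits and the "Add New User" screen in wp-admin.
add_action('user_profile_update_errors', function (WP_Error $errors, bool $update, $user): void {
    $login = isset($user->user_login) ? (string) $user->user_login : '';
    sp_check_submitted_password($errors, $login);
}, 10, 3);

// The password-reset form (also used when a new account sets its first password).
add_action('validate_password_reset', function (WP_Error $errors, $user): void {
    $login = $user instanceof WP_User ? $user->user_login : '';
    sp_check_submitted_password($errors, $login);
}, 10, 2);
```

Composition rules like these are a floor, not a ceiling: length does most of the work, so raising the minimum generally buys more than adding further character-class rules.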
Tip #7: Switch to HTTPS
A man-in-the-middle attack happens when an attacker intercepts a message sent between two parties.
Often, neither the sender nor the receiver can tell that their data has been snatched. Switching to HTTPS encrypts the traffic between the browser and your server using an SSL/TLS certificate.
The first thing you will need to do is to get yourself an SSL certificate. How difficult this is will depend on your host.
Many hosts will be able to automate the process of moving your website over to HTTPS, whereas others will require you to manage it yourself.
You will need to open wp-config.php and edit this file to reflect the change.
Once you have moved the backend over to HTTPS, you should then be able to move the rest of your site using WordPress settings.
Simply add ‘https://’ to the beginning of your WordPress address and your site address.
There are services that can notify you of SSL issues.
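The wp-config.php edit mentioned above is small. Here it is as an added example (not text from the post), together with a must-use plugin that redirects any remaining plain-HTTP request to its HTTPS equivalent. It assumes the certificate is already installed on the web server or on a reverse proxy in front of it; the file name of the plugin is hypothetical.

```php
<?php
/*
 * Added example (not from the original post): moving a WordPress site to HTTPS.
 * Part (a) goes in wp-config.php; part (b) is a must-use plugin.
 */

// ---- (a) wp-config.php, above the "That's all, stop editing!" line ----

// If TLS is terminated by a proxy or load balancer that forwards plain HTTP,
// WordPress sees http:// and would otherwise redirect in a loop. Trust this
// header only when that proxy is the sole way to reach the server.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Core constant: require HTTPS for wp-login.php and everything under /wp-admin/.
define('FORCE_SSL_ADMIN', true);

// ---- (b) wp-content/mu-plugins/force-https.php (hypothetical file name) ----

add_action('template_redirect', function (): void {
    if (is_ssl()) {
        return;
    }
    // Rebuild the target from the configured home URL rather than the Host
    // header, so a spoofed Host cannot steer the redirect elsewhere.
    $target = set_url_scheme(home_url($_SERVER['REQUEST_URI'] ?? '/'), 'https');
    wp_safe_redirect($target, 301);
    exit;
});
```

Part (b) only matters until the WordPress Address and Site Address settings have been switched to https:// and any hard-coded http:// links in content have been updated; after that, adding HSTS at the web server stops browsers from making the plain-HTTP request in the first place.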
Tip #8: Monitor Your Files
You should install a plugin on your WordPress site that watches for file changes.
This way you can become aware as soon as possible of any intrusion or unauthorized modification.
Look for plugins that don’t just monitor files but also provide you with a summary of any modifications that are made.
The most reliable way of monitoring your WordPress files for any unauthorized activity is to install the WordPress File Monitor plugin.
This plugin will monitor your website for any changes made to its files and will alert the website owner via email.
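To make concrete what a file monitor does, here is an added example (not code from the post or from the WordPress File Monitor plugin): a baseline-and-compare integrity check over the WordPress tree. The first run records a SHA-256 manifest; later runs report files that were added, removed or changed and e-mail the list to the site admin. It is scheduled through WP-Cron with core APIs. The manifest location, the skipped directories and the schedule are constructed assumptions; it requires PHP 8 for `str_starts_with`.

```php
<?php
/*
 * Added example (not from the original post): file-integrity monitor as a
 * must-use plugin, e.g. wp-content/mu-plugins/file-monitor.php (hypothetical name).
 */
define('FM_ROOT', ABSPATH);                                      // WordPress install root
define('FM_MANIFEST', dirname(ABSPATH) . '/.fm-manifest.json');  // kept outside the web root
define('FM_NOTIFY', get_option('admin_email'));

// Walk the tree and hash every regular file, skipping paths that change
// legitimately (caches, uploads, the upgrade staging area).
function fm_snapshot(string $root): array {
    $skip   = ['/wp-content/cache/', '/wp-content/uploads/', '/wp-content/upgrade/'];
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen(rtrim($root, '/')));
        foreach ($skip as $prefix) {
            if (str_starts_with($rel, $prefix)) {
                continue 2;
            }
        }
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

// Compare two manifests (relative path => hash) and classify the differences.
function fm_diff(array $old, array $new): array {
    $added   = array_keys(array_diff_key($new, $old));
    $removed = array_keys(array_diff_key($old, $new));
    $changed = [];
    foreach (array_intersect_key($new, $old) as $path => $hash) {
        if ($hash !== $old[$path]) {
            $changed[] = $path;
        }
    }
    return compact('added', 'removed', 'changed');
}

// Take a snapshot, report against the stored baseline, then roll the baseline forward.
function fm_run(): void {
    $current = fm_snapshot(FM_ROOT);
    if (!file_exists(FM_MANIFEST)) {
        file_put_contents(FM_MANIFEST, json_encode($current));  // first run: baseline only
        return;
    }
    $diff = fm_diff(json_decode((string) file_get_contents(FM_MANIFEST), true), $current);
    if ($diff['added'] || $diff['removed'] || $diff['changed']) {
        $body = '';
        foreach ($diff as $kind => $paths) {
            foreach ($paths as $path) {
                $body .= strtoupper($kind) . "\t" . $path . "\n";
            }
        }
        wp_mail(FM_NOTIFY, 'File change report for ' . home_url(), $body);
    }
    file_put_contents(FM_MANIFEST, json_encode($current));
}

// Schedule the check hourly via WP-Cron (core API).
add_action('fm_hourly_check', 'fm_run');
if (!wp_next_scheduled('fm_hourly_check')) {
    wp_schedule_event(time(), 'hourly', 'fm_hourly_check');
}
```

The limitation to keep in mind is that a monitor running inside the site it watches can itself be disabled or its baseline rewritten by whoever already has write access; keeping a copy of the manifest (or running the comparison) from a separate host, and checking core and plugin files against their published checksums, closes that gap. Expect a burst of legitimate changes after every update.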
Tip #9: Backup Regularly
No matter how many precautions you take, no system is ever going to be 100% secure.
However, if you follow proper backup procedures and ensure that you regularly create copies that you can restore from, you will never have to worry about losing everything.
If your server is infected with malware, you might first try to remove it from the server.
Unfortunately, the most aggressive malware might not be so easily erased. In those cases, having a backup is vital.
Most WordPress hosts will offer a backup service, which should be relatively easy to find and use.
Some hosts will automatically back up your data daily; these are the best ones to use.
If you are looking to back up your WordPress website manually, the safest way is to back up your entire WordPress directory.
Tip #10: Keep Everything Updated
This is perhaps the most basic piece of security advice there is, and it is also one of the most important.
It is vital that you keep WordPress and any plugins you have installed updated at all times. If you don’t, you are unlikely to be properly protected against the latest threats.
The best way of ensuring that your WordPress site stays up-to-date is to make sure that you have it set to automatically download and apply updates.
However, you should note that it is only the major WordPress updates that will be automatically applied; the rest will need to be manually installed.
In order to manually install updates, navigate to your WordPress dashboard and click the ‘Updates’ option.
If you make sure to follow these 10 tips, your WordPress site will be as secure as can be.
Why worry about a potentially devastating hack when, with relatively little effort, you can shore up your defenses like this?
Another thing we can do is protect the wp-config.php file.
1. Create a PHP file under the root of the host (the folder ./ and not /public_html).
2. Cut the wp-config.php content (from the beginning up to “stop editing from here”) and paste it into the custom PHP file we created before.
3. Then include this PHP file in wp-config.php with this line: include('/home/USERNAME/config.php');