An independent research held in 2014 showed that more than 73% of WordPress websites contained critical exploitable vulnerabilities such as remote code execution.
Of course, the team at WordPress also does as much as they can to create updates that harden security and fortify your WordPress website, but there are many things that you can do to keep it secure.
Here are ten tips to secure your WordPress website.
10. Perform Your WordPress Updates
You must install any updates as they become available. When you log into your WordPress account it will alert you to any new updates. Back up your database and files first, and then click to install the new update available to you.
9. Change Your File Permissions
WordPress recommends using 750 permissions rather than 755. Set your configurations (wp-config.php) to 600.
8. Change Your Password
Ideally, you should be changing your password once a month. Use a strong password every time. A strong password contains capital letters, lowercase letters, numbers, and symbols. You can use the WordPress password generator to help you create random, strong passwords.
7. Delete Plugins You Don’t Use
You might have disabled plugins that you don’t use that can leave an opening into your WordPress account. Those disabled plugins put you at a higher risk of getting hacked. You might have them there just in case you need them again, but it’s better to delete them. If you really feel you need to hold on to them, download them to your hard drive, and then delete them from your site.
6. Don’t Use “admin” as a Username
Just like a good password, you need a good username as well. The admin username is default and all too often it’s left that way. Always change it. Don’t make it easier for the hackers with an admin username.
You can change your admin username by running the following SQL query:
UPDATE wp_users SET user_login = 'Your New Username' WHERE user_login = 'Admin';
5. Keep Your Theme Updated
Your WordPress theme can have openings for hackers and attacks. Developers do try to keep up with these problems by releasing updates to patch the holes. Check for updates and install them when available.
4. Setup Two Factor Authentication
Two-factor authentication simply means that you’re logging in twice with special criteria in each. Ideally, something that has a temporal code that changes such as Google Authenticator or RSA. There are many good plugins out there that will enable two-factor authentication. Most of them only require you to answer a few questions or register for the components.
3. Use Scanners to Test Your WordPress Site for Vulnerabilities
You can’t truly know the risks that your site may have without having a way to analyze them. A security scanner will check for malicious code in your core files, plugins, and theme to ensure nothing has been tampered with. You could even consider installing permanent scanners in your site.
2. Use an Application Firewall / Antivirus such as Word Fence
Being able to see your traffic through tools such as JetPack are great, but they really don’t give you the bigger picture on who and what is accessing your website. Javascript code is notorious for opening holes in WordPress and tools like Word Fence (even the free version) can help to prevent such exploits.
1. Allow Only Your IP Address to Login to the Admin Area
Blocking all IP addresses but your own from accessing the Admin Dashboard of your WordPress installation is probably one of the best ways to protect your site. However, if you are on a network where you use DHCP and your IP address changes regularly, you may not be able to do this. But in the event you can, you may simply change the .htaacess file, changing <<IP address>> for your own IP Address
<IfModule mod_rewrite.c> RewriteEngine on RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ RewriteCond %{REMOTE_ADDR} !^<<IP address>>$ RewriteRule ^(.*)$ - [R=403,L] </IfModule>