10 Tips for Securing and Hardening WordPress
With the introduction of free and open-source Content Management Systems (CMS), more and more people, particularly those who want to venture into online business, are putting up their own websites to introduce their products and services to the online community. One of these content management systems is WordPress, an easy-to-use, open-source CMS that lets you manage your content in the form of a website, blog or other web solution.
However, as the number of websites running on WordPress grows, so does the number of hackers attacking its core or simply injecting malicious files and spam into your website, which adds not only to your own web security problems but also to those of your viewers.
Therefore, it is only fair that you, as the owner of a website based on WordPress, do everything possible to keep it out of the reach of hackers who will do whatever they can to harm you and your viewers for their own benefit.
Here are 10 tips for securing and hardening WordPress.
1. Keep WordPress Updated
Your task does not end once you have successfully deployed your WordPress website: from time to time, WordPress itself releases updates that fix vulnerabilities. Applying them is very important, because outdated files are a prime entry point for hackers. There is a common fear that an update will break compatibility with your theme and plug-ins; if that happens, do not hesitate to look for replacements. After all, a theme or plug-in that is not compatible with the latest WordPress version may itself be vulnerable.
2. Keep your WordPress Theme and Plug-ins Updated
Just as you keep the WordPress core updated, you should update your themes and plug-ins whenever an update notification appears. This is very important, as hackers also look through the files of themes and plug-ins for files and folders they can use to inject malicious files and spam.
3. Avoid Plug-ins from outside the Official WordPress Directory
Who knows, the plug-in you are installing on your website might just be one of the ways hackers fool you and take control of your website without you even knowing it. This does not mean that every plug-in found outside the WordPress directory is a hacking risk; it is just that plug-ins in the official directory have been tested, cleaned and certified safe to use on your WordPress website.
4. Create custom login link and prevent access to “wp-admin” folder
This may take some extra effort, but with “wp-admin” inaccessible to anyone but you, your security problems shrink, as only a limited number of users are granted access to the entrance of your back end. You can do this simply by installing a plug-in that protects your admin login page, or by URL rewriting in your .htaccess. Remember, this folder is also one of the most commonly targeted areas of a WordPress website whenever someone is trying to intrude on your site.
5. Don’t let anyone know you are using WordPress
If hackers know that you are using WordPress, and particularly which version, you are just making their work easier. If hackers lay eyes on your website, you might as well make it tough for them to guess what version you are running. By extension, you should also not let them see any WordPress footprints such as “wp-admin”, “wp-content”, “wp-login” and other names that obviously expose your website as a WordPress site. There are plug-ins capable of hiding these footprints, so you might as well install one.
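A way to verify that the footprints above are actually hidden, as an added example that is not part of the original article: the script checks a saved copy of your own front page for the generator tag, the ?ver= query strings and the default path names. It assumes POSIX sh with grep -o and sed, and that you save the page yourself first (e.g. curl -s https://example.com/ > home.html).

```shell
#!/bin/sh
# Added example, not from the article: audit a saved copy of your own front page
# for the WordPress footprints listed above, to verify that a hiding plug-in or
# rewrite rules actually worked. Assumes POSIX sh plus grep -o and sed; save the
# page yourself first (e.g. curl -s https://example.com/ > home.html).

# wp_footprints FILE: print one "LABEL: evidence" line per footprint found and
# return 1; return 0 when the page gives nothing away.
wp_footprints() {
    found=0
    # 1. The generator meta tag states the exact version (default attribute order assumed).
    ver=$(sed -n 's/.*<meta name="generator" content="WordPress \([0-9.]*\)".*/\1/p' "$1" | head -n 1)
    [ -n "$ver" ] && { echo "VERSION: generator meta tag reveals WordPress $ver"; found=1; }
    # 2. Scripts and styles get a ?ver= suffix, which is usually the core version.
    vers=$(grep -o '?ver=[0-9.]*' "$1" | sort -u | tr '\n' ' ')
    [ -n "$vers" ] && { echo "VERSION: asset query strings expose $vers"; found=1; }
    # 3. Default directory and file names identify the platform even when the
    #    version is stripped.
    for p in wp-admin wp-content wp-includes wp-login.php; do
        grep -q "/$p" "$1" && { echo "PATH: /$p referenced in the page"; found=1; }
    done
    return $found
}

# Demo on a constructed page that has not been hardened.
page=$(mktemp)
cat > "$page" <<'EOF'
<html><head><meta name="generator" content="WordPress 3.4.2" />
<link rel="stylesheet" href="/wp-content/themes/demo/style.css?ver=3.4.2" />
</head><body><a href="/wp-login.php">Log in</a></body></html>
EOF
wp_footprints "$page" || echo "page still reveals WordPress; hide the items above"
rm -f "$page"
```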
6. Change the Database Prefix and Use a different Administrator Username
This is a very important step that most users forget: change the database table prefix of WordPress. Most leave the default value “wp_” as is, which is not a good practice, as it becomes a vulnerability in your database: anyone who knows WordPress knows your table names, because every installation uses the same database structure and differs only in the prefix. Additionally, never use the default administrator username. Create a different username paired with a strong password to keep your website safe.
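Changing the prefix on an existing install is more than renaming tables, because the prefix is also stored inside the data. The following script, an added example and not the article's own, generates the SQL for both steps and updates wp-config.php to match; it assumes MySQL/MariaDB, a fresh backup, and that you review and run the emitted SQL with the mysql client yourself.

```shell
#!/bin/sh
# Added example, not from the article: generate the SQL that moves an existing
# WordPress install from the default "wp_" prefix to a new one, and point
# wp-config.php at the renamed tables. Assumes MySQL/MariaDB and a fresh backup;
# review the emitted SQL and run it with the mysql client yourself.

# wp_prefix_sql OLD NEW: reads table names from stdin (one per line, e.g. the
# output of SHOW TABLES) and prints the statements to run.
wp_prefix_sql() {
    old=$1 new=$2
    # 1. Rename every table that carries the old prefix; other tables are left alone.
    while IFS= read -r table; do
        case "$table" in
            "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' \
                        "$table" "$new" "${table#"$old"}" ;;
        esac
    done
    # 2. The prefix is also stored inside the data: the role definitions are in
    #    the option "<prefix>user_roles" and every user's role and level in the
    #    usermeta keys "<prefix>capabilities" and "<prefix>user_level". Skipping
    #    this step leaves every account, including yours, without a role.
    #    (Any other key beginning with OLD is renamed as well; check the output.)
    esc=$(printf '%s' "$old" | sed 's/_/\\_/g')   # "_" is a wildcard in LIKE
    for spec in "options option_name" "usermeta meta_key"; do
        set -- $spec
        cat <<EOF
UPDATE \`$new$1\` SET \`$2\` = CONCAT('$new', SUBSTRING(\`$2\`, $((${#old} + 1)))) WHERE \`$2\` LIKE '$esc%';
EOF
    done
}

# wp_config_set_prefix FILE NEW: rewrite the $table_prefix line in wp-config.php.
wp_config_set_prefix() {
    sed "s/^\(\$table_prefix[[:space:]]*=[[:space:]]*\)['\"][^'\"]*['\"]/\1'$2'/" "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

# Demo on constructed input: a few core tables and a stub wp-config.php.
demo=$(mktemp -d)
echo "\$table_prefix = 'wp_';" > "$demo/wp-config.php"
printf '%s\n' wp_options wp_users wp_usermeta wp_posts wp_postmeta | wp_prefix_sql wp_ s7_
wp_config_set_prefix "$demo/wp-config.php" s7_
cat "$demo/wp-config.php"
rm -r "$demo"
```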
7. Limit Login Attempts
In connection with Tip #4, it is also good to limit the number of login attempts on your WordPress admin login, especially when an attacker is trying every possible combination of username and password, manually or with a bot. This stops them from trying further combinations.
8. Move the wp-config File out of the WordPress Directory
Since this file is crucial, as it contains the database access credentials, it is very important that you protect it from anyone who tries to read it. You may actually move it outside your current WordPress directory (WordPress also looks for wp-config.php one directory above its own) in order to keep hackers from attacking this file.
9. Regularly Scan your Website
Regularly check your website for malicious content and for any changes made over a certain period of time. This will help you track whether your website is still safe for your viewers to browse and, most importantly, reveal changes to files that you are unaware of. To make it safer still, schedule regular maintenance and scan your directories. If you find an alien file, or anything that is not native to the files and directories of the WordPress core or your theme, delete it immediately. Alternatively, you can install a WordPress security scan plug-in if you prefer the easy way.
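One way to run the directory scan described above, as an added example that is not part of the original article: record a hash baseline right after a clean install or update, then compare the tree against it on a schedule so that alien, modified and deleted files are listed. It assumes sha256sum from coreutils and file names without spaces (true for core files); the uploads and cache directories are skipped because they change legitimately.

```shell
#!/bin/sh
# Added example, not from the article: a baseline-and-compare integrity scan for a
# WordPress directory, so that new ("alien"), modified and deleted files show up
# in a scheduled check. Assumes sha256sum (coreutils) and file names without
# spaces, which holds for core files; uploads and cache directories are skipped
# because they change legitimately.

# wp_baseline DIR OUT: record a hash of every file under DIR into OUT. Run it right
# after a clean install or update and keep OUT outside the web root.
wp_baseline() {
    (cd "$1" && find . -type f ! -path './wp-content/uploads/*' \
        ! -path './wp-content/cache/*' -exec sha256sum {} + | LC_ALL=C sort -k2) > "$2"
}

# wp_scan DIR BASELINE: print one NEW/CHANGED/DELETED line per difference and
# return 1; return 0 silently when the tree still matches the baseline.
wp_scan() {
    current=$(mktemp)
    wp_baseline "$1" "$current"
    diffs=$(awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
        { seen[$2] = 1
          if (!($2 in base)) print "NEW " $2
          else if (base[$2] != $1) print "CHANGED " $2 }
        END { for (f in base) if (!(f in seen)) print "DELETED " f }' \
        "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Demo on a constructed tree standing in for a WordPress install.
site=$(mktemp -d)
mkdir -p "$site/wp-admin" "$site/wp-content/uploads"
echo '<?php // core file' > "$site/wp-admin/index.php"
echo '<?php // config' > "$site/wp-config.php"
wp_baseline "$site" "$site.baseline"
echo 'photo' > "$site/wp-content/uploads/photo.jpg"    # legitimate: not reported
echo '<?php // file that is not part of core or the theme' > "$site/wp-content/unknown.php"
echo '// appended' >> "$site/wp-config.php"
rm "$site/wp-admin/index.php"
wp_scan "$site" "$site.baseline" || echo "integrity check failed: review the lines above"
rm -r "$site" "$site.baseline"
```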
10. Make Regular Back-ups of your Website
Though this may not actually protect you from hacking, it will protect you from losing everything when worst comes to worst. Most people do not make regular back-ups, which gives them trouble whenever their site crashes without prior notice. At the very least, if you ever get hacked, you can simply remove all the files and restore the site to its previous good state.
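A cron-friendly back-up of both the files and the database, as an added example that is not part of the original article: it assumes tar, gzip and mysqldump, reads the database credentials from wp-config.php instead of copying them into the cron job, and keeps only the newest KEEP sets.

```shell
#!/bin/sh
# Added example, not from the article: a cron-friendly backup of a WordPress site
# (files plus database) with simple retention. Assumes tar, gzip and mysqldump, and
# reads the database credentials from wp-config.php so they are never copied into
# the cron job itself. Restoring is the reverse: unpack the archive, import the dump.

# wp_config_value FILE NAME: print the value of define('NAME', '...') from wp-config.php.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1"
}

# wp_backup SITE DEST [STAMP]: write files-STAMP.tar.gz and db-STAMP.sql.gz into
# DEST, then keep only the newest $KEEP (default 7) backup sets.
wp_backup() {
    site=$1 dest=$2 stamp=${3:-$(date +%Y%m%d-%H%M%S)} keep=${KEEP:-7}
    mkdir -p "$dest"
    # Caches are rebuilt on demand; uploads, themes, plug-ins and wp-config.php are not.
    tar -czf "$dest/files-$stamp.tar.gz" --exclude='./wp-content/cache' -C "$site" .
    db=$(wp_config_value "$site/wp-config.php" DB_NAME)
    if [ -n "$db" ] && command -v mysqldump >/dev/null 2>&1; then
        cnf=$(mktemp) && chmod 600 "$cnf"   # keeps the password out of the process list
        printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' \
            "$(wp_config_value "$site/wp-config.php" DB_HOST)" \
            "$(wp_config_value "$site/wp-config.php" DB_USER)" \
            "$(wp_config_value "$site/wp-config.php" DB_PASSWORD)" > "$cnf"
        mysqldump --defaults-extra-file="$cnf" --single-transaction "$db" | gzip > "$dest/db-$stamp.sql.gz"
        rm -f "$cnf"
    fi
    # Retention: STAMP sorts chronologically, so everything after the newest $keep goes.
    ls "$dest" | sed -n 's/^files-\(.*\)\.tar\.gz$/\1/p' | sort -r | sed -n "$((keep + 1)),\$p" |
        while IFS= read -r old; do rm -f "$dest/files-$old.tar.gz" "$dest/db-$old.sql.gz"; done
}

# Demo on a constructed site directory; for a nightly run, add a cron line such as
#   0 3 * * * /path/to/this-script.sh
site=$(mktemp -d) && mkdir -p "$site/wp-content/cache"
echo "<?php define( 'DB_NAME', '' );" > "$site/wp-config.php"   # empty: demo skips the DB dump
echo 'core' > "$site/index.php"
wp_backup "$site" "$site-backups" "demo-$(date +%Y%m%d)"
ls "$site-backups"
rm -r "$site" "$site-backups"
```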
In a time when open-source software (e.g. WordPress) is readily available to the public, you should pay attention to how to secure your files, content and directories while using it, in order to protect yourself and the data that makes your business run and grow. Just remember that you are not the only one using this software, so change some things, make some files inaccessible to the public and always customize!