22 Tips to Secure Your WordPress Blog
There is no doubt that WordPress is the best CMS for a self-hosted blog. Its popularity also makes it the most attacked one: a single working exploit reaches millions of sites, and because the full source code is public, attackers can study it as closely as the developers do (so can defenders, which is why fixes tend to ship quickly). If you are running a self-hosted WordPress website or blog, you therefore need to pay real attention to its security. This article covers the major areas where that attention is needed. Here I have tried my best to collect the security tips that matter for WordPress. So here goes “22 Tips to Secure Your WordPress Blog”.
1. Keep your WordPress installation up to date
Always update your WordPress installation as soon as a new version is available. Security fixes ship in point releases, and once a fix is public the bug it closes is public too, so an unpatched site is an easy target. WordPress can install minor and security releases automatically; leave that enabled, and do not stay on an old major version just because a plugin or theme has not caught up with the new one.
2. Make your login encrypted
Make your login encrypted so that nobody who can sniff the network (shared Wi-Fi, a hostile hop between you and your host) can read your username and password. The straightforward way is to serve the site, or at least wp-login.php and wp-admin, over HTTPS and set FORCE_SSL_ADMIN in wp-config.php so that WordPress refuses plain-HTTP logins. When you cannot get an SSL certificate, the Semisecure Login Reimagined plugin is a fallback: it uses a combination of public and secret-key encryption to encrypt the password on the client side when a user logs in, so the password itself does not cross the wire in the clear. Note what it does not do: the session cookie that WordPress sets after a successful login still travels unencrypted, so the same network attacker can hijack the logged-in session. Treat the plugin as a stopgap and HTTPS as the real fix.
3. Avoid plugins that are not in the WP plugins directory
As much as possible, avoid plugins that are not available in the WordPress plugin directory. A plugin from an unknown source can carry harmful code, for example code that quietly sends admin account details to the plugin author, and nobody besides you will ever look at it. Plugins in the directory are reviewed before they are listed, can be updated from the dashboard, and have their code visible to the whole community, which lowers the risk considerably. It does not remove it: vulnerabilities are found in directory plugins regularly, so the number of plugins you run, and whether each one is still maintained, matters as much as where it came from.
4. Do not give brute force attacks a chance
Attackers guess passwords by brute force: automated scripts post thousands of username/password combinations to wp-login.php until one works. You can use the Login Lock plugin to make that much slower. Once installed and activated, the plugin records the IP address and timestamp of every failed login attempt. If more than a configured number of failures is seen within a configured interval from the same IP range, logins from that range are disabled for a set period. Two caveats: a lockout keyed on the source address does little against a botnet that spreads its guesses over thousands of addresses, and a lockout keyed on the account lets an attacker lock you out of your own site. Rate limiting buys time; a long, unique password (tip 12) is what actually stops the guessing.
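Added example, not part of the original article and not the Login Lock plugin's code: the same failed-login signal read straight out of an Apache-style access log with awk, so you can see what a lockout plugin is counting and block the offenders at the web server rather than inside PHP. The log lines are constructed for the example, the threshold is a parameter, and the heuristic is that a POST to wp-login.php answered with 200 is a failed login (WordPress re-renders the form) while a successful one redirects with 302.

```shell
#!/bin/sh
# Count failed WordPress logins per source IP in an Apache/nginx access log.
# Heuristic: a failed login re-renders the form (HTTP 200); a successful one
# redirects (HTTP 302). So "POST /wp-login.php -> 200" is a failed attempt.
set -eu

# Constructed sample log (combined format), not real traffic: 203.0.113.7
# fails six times in a row, 198.51.100.4 mistypes once and then logs in,
# 192.0.2.9 only loads the login page.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "curl/7.88"
198.51.100.4 - - [10/Oct/2023:14:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4301 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:02:25 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:02:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4301 "-" "Mozilla/5.0"'

# flag_bruteforce THRESHOLD: read an access log on stdin and print "IP COUNT"
# for every IP with at least THRESHOLD failed logins. Combined-format fields:
# $1 client IP, $6 "\"METHOD", $7 request path, $9 status code. Feed it a
# time-bounded slice (tail -n, or one rotated log) so the count is per window.
flag_bruteforce() {
    awk -v limit="${1:-5}" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    '
}

# to_deny_rules: turn "IP COUNT" lines into Apache 2.2-style directives that
# can be dropped into an .htaccess <Files wp-login.php> section.
to_deny_rules() {
    awk '{ print "Deny from " $1 }'
}

# Stand-alone run: report the offenders in the sample, then as deny rules.
printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 5
printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 5 | to_deny_rules
```

Run it from cron against the last few minutes of the log and the output is the block list a tool such as fail2ban would maintain for you; the 198.51.100.4 line shows why the threshold must tolerate an honest typo.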
5. Set up a regular backup service
One of the most important aspects of securing your WordPress site is a backup service. Set up backups of both the files and the database so that unwanted data loss, a failed update or a compromise can be undone by restoring a known-good copy. Keep the copies off the web server (an attacker who owns the server owns its local backups too), keep more than one generation so that you can reach back to before an infection started, and restore from a backup at least once to prove that it works before you need it.
6. Change the default admin username
After installation the default admin username is “admin”, so attackers do not have to guess it and every brute force tool tries it first. Change your admin username to something else after installation: the usual procedure is to create a second administrator account with a new name, log in as that user, delete the old “admin” account and, when asked, attribute its posts to the new one. Be aware that WordPress still exposes usernames in a few places (author archive links and author feeds, for instance), so this raises the bar without hiding the name completely. You can check the separate procedure for changing the admin username.
7. Hide the WP version
Do not advertise your WordPress version. By default it appears in the generator meta tag of every page and in the RSS feed, and readme.html in the web root states it too, which lets a scanner match your site against the known bugs of that exact release. There is an article which tells how to hide the WP version. Hiding it is no substitute for tip 1: a scanner can still fingerprint the version from the files it can fetch, so the point is only to avoid being the easy pick.
8. Hide the wp-content directory
The wp-content directory holds everything specific to your site: plugins, themes and uploads. If the web server is allowed to list directory contents, anyone can browse /wp-content/plugins/ and read off exactly which plugins (and therefore which known vulnerabilities) you have. Prevent that with an .htaccess file that disables directory listing, or, where you cannot use .htaccess, put a blank index.html file in each directory so that the server has something to serve instead of a listing. Note that this hides the list, not the files: a plugin's readme.txt is still fetchable by anyone who guesses its path.
9. Prevent direct directory listing by using proper .htaccess rules
A directory listing hands an attacker a map of your site, including files you forgot were there (old backups, editor temp files, a copy of wp-config.php named wp-config.php.bak). Disable listings with the Options -Indexes directive in .htaccess, ideally at the web root so that it covers every subdirectory, and check the result by requesting a directory URL such as /wp-content/uploads/ in a browser: you should get a 403 or the site's index page, never a file list.
10. Block all wp-* directories from being indexed by search engines
The wp-* directories should be kept out of search engine indexes: there is no reason for a search engine to list your plugin files, and indexed paths make it easy to find targets with a search query. Use the robots.txt file in your web root to tell crawlers to stay out. A Disallow line only takes effect inside a User-agent group, so the file should read:
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/
Two things to keep in mind. robots.txt is advice to well-behaved crawlers, not access control: it is a public file, attackers read it as a list of interesting paths, and a scanner ignores it. Use it to keep search results clean and rely on the .htaccess rules in tips 9, 16 and 20 for actual protection. And blocking /wp-content/ also blocks the CSS, JavaScript and images that search engines fetch to render your pages, so many sites limit the rule to /wp-admin/ and /wp-includes/, or exclude only /wp-content/plugins/.
11. Do weekly security audit/scan on your blog
Regular security scanning is one of the most effective ways to catch a problem early, because most compromises are quiet: a backdoor dropped into wp-content/uploads or an extra administrator account can sit unnoticed for months. A weekly audit does not have to be elaborate: compare your core files against a fresh download of the same WordPress version and investigate any difference, look for PHP files in directories that should hold only media, review the user list for accounts you did not create, check the plugin and theme list against your own record, and scan the site from outside with a vulnerability scanner. Keep the results so that the next audit has something to diff against.
12. Use strong password policy and change password regularly
Enforce a strong password policy for every account, not just the administrator: long, unique passwords that are not reused from other sites, because a leak elsewhere is the most common way a WordPress password is obtained. Change a password immediately whenever you suspect it has leaked (a shared machine, a plugin you no longer trust, a breach notice from another site), and periodically as a precaution. If you have installed the Login Lock plugin, you can configure password policy settings from its options page.
13. Keep your theme and plugins updated with the latest version
If you use a theme from a vendor or a third party, or one you built yourself, make sure that it is maintained: check for reported security issues, apply updates, and fix what you find in your own code. A theme is PHP and runs with the same privileges as WordPress itself. Plugins are the same story, and a large share of WordPress compromises come through an outdated plugin rather than through core, so always run the latest version of each plugin and remove any that are abandoned or that you no longer use (a deactivated plugin is still code on disk that can be requested directly).
14. Make use of SFTP while transferring files to your hosting server
If you still transfer files to your host with plain FTP, switch to SFTP. FTP sends your username, password and every file in the clear, so anyone on the path (a shared network, a compromised router) can read the credentials and later log in as you. SFTP runs over SSH: the whole session is encrypted and the server's identity is verified by its host key. Prefer an SSH key over a password for SFTP logins where your host allows it, and delete any saved FTP credentials from your client once you have moved.
15. Disable direct user registration
WordPress provides open user registration, but on a single-author blog it is mostly a liability: attackers register accounts to post spam and, if a plugin has a bug that trusts any logged-in user, to exploit it from a subscriber account. Turn off “Anyone can register” under Settings > General and make sure the default role for new users is Subscriber. If you want, you can create accounts by hand on request for people you have verified.
16. Protect the wp-config.php file from being accessed publicly
The wp-config.php file is the heart of a WordPress installation: it holds the database name, user and password, the authentication salts and every other configuration setting. Nobody should ever be able to read it over the web. Normally PHP executes it rather than displaying it, but a broken PHP handler, a server in the middle of a migration, or a stray editor backup (wp-config.php~, wp-config.php.bak) will serve it as plain text. Protect it with an .htaccess rule that denies all access to the file, and, better still, move it one directory above the web root: WordPress looks there automatically if the file is not found in the root.
17. Change the DB table prefix
The default installation of WordPress uses the table prefix wp_, which is known to everyone. Changing it to something else is an obscurity measure: it does not prevent SQL injection, because an injection bug lets the attacker read the real table names out of the database's own metadata, but it does break the many automated attack scripts that hard-code wp_users and wp_options. Do not worry if you have already installed WordPress; you can change the prefix afterwards by following the procedure here, which involves renaming the tables, updating the rows in wp_options and wp_usermeta whose names carry the prefix (user_roles, capabilities, user_level), and changing $table_prefix in wp-config.php.
18. Set up a DB backup service on a regular basis
To be on the safe side, back up the database on a regular basis. A nightly dump is a sensible minimum for a blog, since the database holds your posts, comments, users and settings while the files change far less often. Automate it: a backup that depends on someone remembering to run it will not exist on the day it is needed. If you use the VaultPress service, it takes real-time backups for you.
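Added example for tips 5 and 18, not the article's own and not VaultPress: a POSIX shell script for a nightly database dump that takes its credentials from wp-config.php (so there is no second copy of the password to keep in sync), passes them to mysqldump through a private option file rather than on the command line, leaves the dump owner-readable only, and prunes dumps older than a retention period. The document root, destination directory and retention are assumed arguments; the cron line is an assumption too.

```shell
#!/bin/sh
# Nightly WordPress database dump with credentials taken from wp-config.php.
# Assumed paths, not WordPress's own code. Cron line for 03:00, 14 days kept:
#   0 3 * * * /usr/local/bin/wp-db-backup.sh /var/www/html /var/backups/wp 14
set -eu

# wp_config_value FILE NAME: print the value of define('NAME', 'value') with
# single or double quotes and any spacing. Values that themselves contain a
# quote character are not handled; choose a DB password without one.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# write_client_cnf WPCONFIG OUTFILE: MySQL option file built from wp-config.php
# so the password reaches mysqldump via a file and never via argv, where any
# local user could read it from ps. DB_HOST may carry ":port" or ":/socket".
write_client_cnf() {
    host=$(wp_config_value "$1" DB_HOST)
    {
        printf '[client]\n'
        printf 'user=%s\n' "$(wp_config_value "$1" DB_USER)"
        printf 'password="%s"\n' "$(wp_config_value "$1" DB_PASSWORD)"
        printf 'host=%s\n' "${host%%:*}"
        case $host in
            *:/*) printf 'socket=%s\n' "${host#*:}" ;;
            *:*)  printf 'port=%s\n' "${host#*:}" ;;
        esac
    } > "$2"
}

# backup_db DOCROOT DESTDIR: dump and compress, printing the archive path.
backup_db() {
    umask 077                       # dump and option file readable by owner only
    mkdir -p "$2"
    cnf=$(mktemp)
    trap 'rm -f "$cnf"' EXIT        # the password file never outlives the run
    write_client_cnf "$1/wp-config.php" "$cnf"
    name=$(wp_config_value "$1/wp-config.php" DB_NAME)
    raw="$2/$name-$(date +%Y%m%d-%H%M%S).sql"
    # Dump to a file first, then compress: in "mysqldump | gzip" the pipeline's
    # status is gzip's, so a failed dump would go unnoticed under set -e.
    mysqldump --defaults-extra-file="$cnf" --single-transaction --quick "$name" > "$raw"
    gzip -f "$raw"
    printf '%s.gz\n' "$raw"
}

# prune_old DESTDIR DAYS: remove dumps whose mtime is more than DAYS days old.
prune_old() {
    find "$1" -name '*.sql.gz' -type f -mtime +"$2" -exec rm -f {} +
}

if [ "$#" -ge 2 ]; then
    backup_db "$1" "$2"
    prune_old "$2" "${3:-14}"
fi
```

Copy the finished archive off the server afterwards (scp, rclone, or whatever your storage offers); a dump that only exists on the machine being backed up protects against a bad update, not against a compromise.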
19. Create Custom login links
The login URL of every WordPress site is the same, wp-login.php (and wp-admin, which redirects there), so every scanner and brute force tool knows where to aim. A custom login link moves the door: the Stealth Login plugin lets you create your own login URL in place of the default one. This is obscurity, not authentication; it thins out the automated noise in your logs, but it should sit alongside, not instead of, the rate limiting of tip 4 and the strong passwords of tip 12.
20. Password protect wp-admin directory
Access to the wp-admin directory already requires a WordPress login, but putting a second password in front of the directory at the web server level adds a layer that sits outside WordPress entirely: a bug in WordPress or in a plugin cannot get past it, and brute force attempts never reach PHP. If you use cPanel, you can password-protect the wp-admin directory from its interface; otherwise use an .htaccess file with HTTP Basic authentication and a password file stored outside the web root, or the AskApache Password Protect plugin to protect the desired directory. One caveat: wp-admin/admin-ajax.php is called from the public site by many themes and plugins on behalf of anonymous visitors, so it has to be exempted from the password or those features break for everyone who is not logged in. Basic auth sends the password base64-encoded, not encrypted, so it too belongs behind HTTPS (tip 2).
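Added example serving tips 8, 9, 16 and 20 together, not WordPress's own code and not the AskApache plugin: a POSIX shell script that installs the .htaccess rules into a document root, in the right directories, without clobbering the permalink rules WordPress itself keeps in the root .htaccess, and with admin-ajax.php exempted from the password. The document root, the password file path and the “# BEGIN wp-hardening” markers are my assumptions. The directives are standard Apache 2.4 syntax; on Apache 2.2 the equivalents are Order allow,deny / Deny from all in place of Require all denied, and Allow from all plus Satisfy any in place of Require all granted. Going one step beyond the text, the wp-content part refuses to serve PHP dropped into wp-content/uploads, which is the usual reason to care about that directory at all.

```shell
#!/bin/sh
# Install the .htaccess hardening from tips 8, 9, 16 and 20 into a WordPress
# document root. Paths are assumed arguments; this is not WordPress's code.
#   sh harden-htaccess.sh /var/www/html /etc/apache2/wp.htpasswd
# The vhost must permit these directives in .htaccess (at least
# "AllowOverride Options AuthConfig Limit FileInfo"); otherwise Apache
# answers every request under the docroot with a 500 once the files exist.
set -eu

MARK='# BEGIN wp-hardening'

# append_once FILE: append stdin to FILE unless MARK is already in it, so a
# re-run never duplicates rules and never touches the "# BEGIN WordPress"
# permalink block that WordPress itself maintains in the root .htaccess.
append_once() {
    [ -f "$1" ] && grep -q "$MARK" "$1" && return 0
    mkdir -p "$(dirname "$1")"
    cat >> "$1"
}

# harden_root DOCROOT: tips 8/9 (no directory listings anywhere under the
# docroot) and tip 16 (wp-config.php is never served over HTTP).
harden_root() {
    append_once "$1/.htaccess" <<'EOF'
# BEGIN wp-hardening
Options -Indexes
<Files wp-config.php>
    Require all denied
</Files>
# END wp-hardening
EOF
}

# harden_uploads DOCROOT: uploads hold media, never code, so refuse to serve
# any PHP file that lands there (the usual first move after a plugin bug).
harden_uploads() {
    append_once "$1/wp-content/uploads/.htaccess" <<'EOF'
# BEGIN wp-hardening
<FilesMatch "\.ph(p[0-9]?|tml)$">
    Require all denied
</FilesMatch>
# END wp-hardening
EOF
}

# harden_admin DOCROOT HTPASSWD: tip 20, Basic auth in front of the dashboard.
# The user file lives outside the docroot so it cannot be downloaded, and
# admin-ajax.php is exempted because themes and plugins call it from the
# public site on behalf of anonymous visitors.
harden_admin() {
    append_once "$1/wp-admin/.htaccess" <<EOF
# BEGIN wp-hardening
AuthType Basic
AuthName "WordPress admin"
AuthUserFile $2
Require valid-user
<Files admin-ajax.php>
    Require all granted
</Files>
# END wp-hardening
EOF
}

# make_htpasswd USER FILE: the password is read from stdin, not argv, so it
# never appears in ps; the entry is in Apache's apr1 (MD5) format.
make_htpasswd() {
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 -stdin)" > "$2"
    chmod 640 "$2"
}

# check_hardening DOCROOT: succeed only if all three rule sets are in place.
check_hardening() {
    grep -q 'Options -Indexes' "$1/.htaccess" &&
    grep -q '<Files wp-config.php>' "$1/.htaccess" &&
    grep -q 'Require all denied' "$1/wp-content/uploads/.htaccess" &&
    grep -q 'AuthType Basic' "$1/wp-admin/.htaccess" &&
    grep -q '<Files admin-ajax.php>' "$1/wp-admin/.htaccess"
}

if [ "$#" -ge 2 ]; then
    harden_root "$1"
    harden_uploads "$1"
    harden_admin "$1" "$2"
    check_hardening "$1" && echo "hardening rules installed under $1"
fi
```

Create the password file first with something like printf '%s\n' "$password" | make_htpasswd admin /etc/apache2/wp.htpasswd, run the script, then verify from outside: /wp-config.php, /wp-content/uploads/ and /wp-content/uploads/x.php must all return 403, /wp-admin/ must prompt for a password, and /wp-admin/admin-ajax.php must not.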
21. Disable html codes in comments
You should not allow HTML in comments. WordPress already runs untrusted commenters' text through its KSES filter, which strips script tags and event-handler attributes, but every tag the filter permits is a surface that a bypass can target, and a blog's comments rarely need markup at all. Disabling HTML entirely leaves an injected script nowhere to land. There is no core setting for this; it is done with a small plugin or a filter in your theme that strips all tags from comment content before it is saved. Keep in mind that comments are displayed to the administrator in the dashboard, so a stored script in a comment is aimed at you, not at your readers.
22. Moderate the comments and regularly delete all spam comments from your blog
Set comments to be held for moderation (Settings > Discussion, “Comment must be manually approved”) so that you review every comment before it is published and either approve or reject it. Delete spam on a regular basis rather than letting it pile up: spam comments carry links that damage your site's reputation and, occasionally, payloads aimed at whoever opens the moderation queue. An anti-spam plugin such as Akismet cuts down the volume you have to look at.