WordPress is one of the biggest open source content management systems on the internet, and as you may have recently read, WordPress is currently being heavily targeted by botnet owners. It's now more important than ever to secure WordPress so you don't fall victim to this type of attack. Here are our 10 tips for securing WordPress.
Security Tip 1: Don’t use the username admin
These attacks work by brute-forcing passwords, and if your username is the default admin, the attacker only has to guess the password. Create a new user, give it administrator rights, then log in as that new user and delete the old admin account. We ask that you don't use admin as your username when you purchase a WordPress site.
Security Tip 2: Keep WordPress up to date
Make sure you log in to your WordPress installation regularly and update any themes or plugins. Plugin and theme publishers are pretty good at patching security holes regularly, but it's no use if you don't keep the plugins and themes up to date!
Security Tip 3: Backup your WordPress site
Although we back up your site for you, it's still good practice to take your own backups. We recommend the WordPress Backup To Dropbox plugin; you will need a Dropbox.com account, but it means your files are stored in the cloud, externally from our systems.
Security Tip 4: Choose your plugins wisely
Before blindly choosing a plugin, do a web search to find the best one, or to get reviews of the one you have chosen. Plugins are frequently the cause of hacks, as their authors often don't keep their code as secure as the main WordPress installation.
Security Tip 5: Protect Your wp-config.php File
All of your database connection details, including passwords, are stored in plain text in a file called wp-config.php. This file needs to be secured so hackers can't access it. Add the following to your .htaccess file:
<files wp-config.php>
order allow,deny
deny from all
</files>
Security Tip 6: Install a Failed Login Attempt Limiter
If an intruder tries a lot of passwords on your site and you're using an easy-to-guess password, eventually they will crack it. But you know your password and wouldn't need more than a couple of attempts to log in, so why not block people from logging in after a certain number of attempts? You can do just that with the Limit Login Attempts plugin.
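To show what a failed-login limiter actually does, here is a small stand-alone plugin we have added for illustration. It is not code from the original post and not the Limit Login Attempts plugin; the limits (5 attempts, 15-minute lockout), the example_ function names and the use of the client's REMOTE_ADDR as the key are our own assumptions. It uses only standard WordPress hooks and the transients API.

```php
<?php
/*
Plugin Name: Example Failed Login Limiter
Description: Added example (not from the original post): blocks login after too many failed attempts from one address.
*/

// Assumed settings (not from the original post): 5 attempts, then a 15-minute lockout.
define('EXAMPLE_LOGIN_MAX_ATTEMPTS', 5);
define('EXAMPLE_LOGIN_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);

// Per-client transient key. REMOTE_ADDR is used directly; behind a reverse proxy or
// CDN you would need the real client address, otherwise every visitor shares one counter.
function example_login_limiter_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5($ip);
}

// Count each failed login. The transient expires on its own after the lockout window,
// so the counter resets without any cron job.
function example_login_limiter_record_failure($username) {
    $key      = example_login_limiter_key();
    $attempts = (int) get_transient($key);
    set_transient($key, $attempts + 1, EXAMPLE_LOGIN_LOCKOUT_SECONDS);
}
add_action('wp_login_failed', 'example_login_limiter_record_failure');

// Refuse authentication while the counter is at or above the limit, even if the
// password is correct. Priority 30 runs after WordPress's own username/password
// check (priority 20), so the block wins.
function example_login_limiter_check($user, $username, $password) {
    if (empty($username)) {
        return $user; // form not submitted yet, nothing to rate-limit
    }
    $attempts = (int) get_transient(example_login_limiter_key());
    if ($attempts >= EXAMPLE_LOGIN_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed logins. Try again in %d minutes.',
                    EXAMPLE_LOGIN_LOCKOUT_SECONDS / MINUTE_IN_SECONDS)
        );
    }
    return $user;
}
add_filter('authenticate', 'example_login_limiter_check', 30, 3);

// Clear the counter after a successful login so a legitimate user who mistyped
// once or twice is not carried towards the limit on their next visit.
function example_login_limiter_reset($user_login, $user) {
    delete_transient(example_login_limiter_key());
}
add_action('wp_login', 'example_login_limiter_reset', 10, 2);
```

Drop the file into wp-content/plugins and activate it. Note that a login attempt made while locked out also fires wp_login_failed (its error code is not one WordPress ignores), so the counter keeps climbing and the 15-minute window restarts on every further attempt; that is usually what you want against a bot, but it is worth knowing when a real user reports being locked out "for ages".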
Security Tip 7: Install a WordPress Security Scanner
Install a security scanner to check for vulnerabilities in your WordPress installation. For this, our plugin of choice is Wordfence. Wordfence scans your site for viruses, malware, trojans and malicious links, protects your site against scrapers, aggressive robots and fake Googlebots, protects against brute force attacks, and much more.
Security Tip 8: Hide Your WordPress Version
Many hacks search sites for their WordPress version, as attackers know which security fixes have been released in which versions, so it's a good idea to hide yours. To do this, place the code below in the functions.php file of your active theme.
// Stop WordPress printing the <meta name="generator"> tag in the page head
remove_action('wp_head', 'wp_generator');
// Blank the generator string everywhere else WordPress outputs it (e.g. feeds)
function wpt_remove_version() {
    return '';
}
add_filter('the_generator', 'wpt_remove_version');
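The snippet above covers the generator tag, but a stock WordPress install also appends ?ver=X.Y.Z to the URLs of its own scripts and stylesheets, which gives the core version away just as readily. The following is an added example, not code from the original post, that goes one step further and strips that query string when it matches the core version; the example_ function names are our own, and everything else is standard WordPress API (script_loader_src, style_loader_src, wp_parse_url, remove_query_arg).

```php
<?php
// Added example (not from the original post): hide the WordPress version from the
// page head, the feeds and the ?ver= query string on core scripts and styles.
// Put it in the active theme's functions.php or in a small plugin.

// 1. The <meta name="generator"> tag in the page head.
remove_action('wp_head', 'wp_generator');

// 2. The generator string in RSS/Atom feeds and anywhere else the_generator() runs.
function example_hide_generator() {
    return '';
}
add_filter('the_generator', 'example_hide_generator');

// 3. The ?ver=X.Y.Z query string WordPress appends to its own scripts and styles.
//    Only strip it when it equals the core version, so plugin and theme assets
//    keep their own cache-busting version parameters.
function example_strip_core_version($src) {
    if (strpos($src, 'ver=') === false) {
        return $src; // no version parameter at all, nothing to do
    }
    $query = wp_parse_url($src, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return $src;
    }
    parse_str($query, $args);
    if (isset($args['ver']) && $args['ver'] === get_bloginfo('version')) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'example_strip_core_version', 15);
add_filter('style_loader_src', 'example_strip_core_version', 15);
```

After adding it, view the source of your home page and a feed URL and check that no "generator" string and no ?ver= matching your WordPress version remains. Bear in mind this is obscurity, not a fix: readme.html in the web root still states the version on a stock install, and Tip 2 (keeping everything updated) is what actually closes the holes.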
Security Tip 9: Protect Your .htaccess File
Your .htaccess file can be targeted to redirect users, allow access to files and much more, so it's a good idea to lock this down as well. Simply add this to your .htaccess file:
<files .htaccess>
order allow,deny
deny from all
</files>
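The order/deny rules in Tips 5 and 9 are Apache 2.2 syntax. Apache 2.4 uses Require directives from mod_authz_core, and the old Order/Deny form only works there if mod_access_compat is loaded; if it is not, Apache treats the directive as invalid and every request to the site fails with a 500 error. The following is an added config fragment, not from the original post, that protects both files with whichever syntax the server understands.

```apache
# Added example (not from the original post): block web access to wp-config.php
# and .htaccess on both Apache 2.2 and Apache 2.4.
<FilesMatch "^(wp-config\.php|\.htaccess)$">
    # Apache 2.4: mod_authz_core provides "Require"
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (no mod_authz_core): classic Order/Deny form
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

To check it worked, request the file from outside (for example `curl -I https://example.com/wp-config.php`, with your own domain in place of example.com) and confirm you get a 403 Forbidden rather than a 200 or, worse, a 500.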