WordPress. How to Improve the security of your WordPress site

Ammy Brown January 26, 2015

“I am powering my website with WordPress. What security measures should I take?” Have you ever asked yourself this question?

This WordPress security tutorial will show you how to protect your site. We are going to show a few simple steps:

  1. Use secure hosting

    Secure, protected, trustworthy hosting is a must-have. Take some time to do some research and choose a host that meets all your needs and has strong security measures. A search of the Internet will turn up a great variety of WordPress hosts. We can recommend Bluehost or Siteground. They take extra measures to protect their servers against hacker attacks.

  2. Keep your site updated

    To maintain your website's security, update WordPress, themes and plugins after every new release. Each update contains bug fixes, new features, and security fixes.

    Make sure to perform all the major updates. Don’t disregard update messages in your admin panel. You will be notified about new releases in the Updates section of your WP dashboard.

    To get information about theme updates, open the Appearance > Themes page; to see plugin update messages, navigate to the Plugins > Installed Plugins page in your backend.

    Make sure you back up your site before performing any updates. We will talk about backups further on.

  3. Always use strong login details

    The most popular way to hack sites is to steal WordPress login details. This task is easy for professional hackers and can be done with a great variety of additional tools.

    • Username. Never use “admin” as your username. We strongly recommend using your email address instead of a login name, or some other username that is not so simple.

    • Password. Do you know that the most popular passwords are admin, admin123, qwerty or 123456? Try to avoid such simple login details.

      You can easily generate a strong password from your WordPress site admin panel. To access the password generator, open your user profile under the Users tab. Scroll down to the Account Management section to get a strong password. One click on the Generate button and you have a new strong password. Or you can create one yourself. Make sure your password contains upper and lower case characters, numbers and symbols.

    It’s a good idea to use different access details for WordPress backend, FTP, and hosting cPanel. Different login details allow you to minimize risks.

  4. Limit login access

    To avoid a brute-force attack you can limit the number of failed login attempts from a single IP address. There are two possible ways to do that:

    • You can find a lot of Limit Login Attempts plugins on the official WordPress website. Those plugins allow you to limit login attempts and lock out an IP address after too many failed login attempts.

    • Another great way to protect your site is to allow access only from one or several IP addresses. To do that, add the following code to file:

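      RewriteEngine on
      # Requests for wp-login.php, or for a URI ending in wp-admin...
      RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
      RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
      # ...that do not come from the allowed address...
      RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
      # ...are answered with 403 Forbidden.
      RewriteRule ^(.*)$ - [R=403,L]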

      123\.123\.123\.123 has to be changed to your IP address. Once this change is made, you will be the only person who can access the site backend.

  5. Avoid free themes

    Using a free theme is always a great risk. Such themes may contain spam or malicious code, which affects your site's security. If you don’t use free themes, we recommend that you remove them from your WordPress install. You can do that under the Appearance > Themes section.

    If you really want to use a free theme, choose one developed by a trusted theme company. Just make sure you delete the stuff you are not using anymore. This applies not only to free themes but to plugins as well.

  6. Disable file editing via the dashboard

    WordPress comes with a built-in file editor. You can find it under the Appearance > Editor page. It allows you to edit any of your theme files right from the dashboard. In the wrong hands, this feature could cause great trouble. If a hacker manages to access your admin panel, he will be able to edit code from your site backend. It’s a good idea to disable this option to avoid risks. To disable it, edit the wp-config.php file in your server root directory. Add the following lines:

    // Disallow file edit
    define( 'DISALLOW_FILE_EDIT', true );
    
  7. Keep a backup

    Last but not least is the site backup. You cannot be 100% sure that your site will not be hacked. Having a backup is always a good idea. You can use backups to restore your WordPress site if something bad has happened. Feel free to check a great guide on how to make a full website backup.
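
Added example for the IP rule in step 4 (not part of the original tutorial): step 4 mentions one or several IP addresses but shows the rule for a single one, so this helper builds the same block for a list of addresses and checks the result with a simplified model of how mod_rewrite chains conditions. The names allowlist_rules and is_denied and the second address are assumptions made for the illustration.

```python
import ipaddress
import re

def allowlist_rules(allowed_ips):
    """Build the step 4 rewrite block for one or several allowed IPv4 addresses."""
    if not allowed_ips:
        raise ValueError("no allowed address given: the rule would lock everyone out")
    lines = [
        "RewriteEngine on",
        r"RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]",
        r"RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$",
    ]
    for raw in allowed_ips:
        ip = ipaddress.IPv4Address(raw.strip())  # ValueError on typos such as "123.123.123"
        # Anchor with ^...$ so 1.2.3.4 cannot match 1.2.3.40; escape the dots so they stay literal.
        # These conditions carry no [OR]: a client is denied only if it equals none of the addresses.
        lines.append("RewriteCond %{REMOTE_ADDR} !^" + re.escape(str(ip)) + "$")
    lines.append("RewriteRule ^(.*)$ - [R=403,L]")
    return "\n".join(lines)

def is_denied(rules, uri, remote_addr):
    """Simplified model of mod_rewrite chaining: [OR] runs are grouped, groups are ANDed."""
    env = {"REQUEST_URI": uri, "REMOTE_ADDR": remote_addr}
    result, group_hit = True, False
    for line in rules.splitlines():
        m = re.match(r"RewriteCond %\{(\w+)\} (!?)(\S+)( \[OR\])?$", line)
        if not m:
            continue  # RewriteEngine / RewriteRule lines
        var, negate, pattern, or_flag = m.groups()
        hit = bool(re.search(pattern, env[var])) != bool(negate)
        group_hit = group_hit or hit
        if not or_flag:  # last condition of an OR group
            result, group_hit = result and group_hit, False
    return result

# Constructed addresses: the page's placeholder plus a documentation-range IP.
RULES = allowlist_rules(["123.123.123.123", "198.51.100.20"])

if __name__ == "__main__":
    print(RULES)
    print(is_denied(RULES, "/wp-login.php", "203.0.113.7"))    # outside address
    print(is_denied(RULES, "/wp-login.php", "198.51.100.20"))  # allowed address
```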
