How to Improve the security of your WordPress website and blog?
WordPress is the most popular self-hosted open source Content Management System on the internet. Because its source code is public (the full code is mirrored on GitHub), attackers can read it and search for vulnerabilities, and once one is found it can be tried against every site that runs the affected version, at scale and automatically. So how do you protect your site from this and improve the security of your WordPress website and blog?
Many bloggers use WordPress because of its simplicity and the features it provides. Anyone with basic knowledge of programming or the internet can start a blog by installing WordPress, and millions of WordPress sites are running all over the world today. That popularity is also what makes it a target: an attack that works against one default installation works against all of them.
How to improve the security of your WordPress website and blog
Do not use “admin” username for managing WordPress site
When you install WordPress through GoDaddy or most other hosting providers' one-click installers, the default administrator account is often called "admin". Brute-force tools assume that username and only have to guess the password. Choose a different username when you install WordPress for the first time, and avoid "administrator" as well.
If WordPress is already installed, note that the dashboard does not let you edit a username (the Username field under Users > All Users > Edit is read-only). Instead, create a second user with the Administrator role, log in as that user, and delete the old "admin" account, choosing "Attribute all content to" the new user when prompted so no posts are lost. Also make the username different from your display name and from your first and last name: bloggers often use their own name, and WordPress exposes each author's slug, which by default is derived from the username, on author archive pages (/?author=1 redirects to it) and in the REST API (/wp-json/wp/v2/users), so a username that matches the public name is trivial to guess. Renaming "admin" therefore raises the cost of a brute-force attack only a little; a strong password and rate limiting on the login page do the real work.
Use Strong Passwords for Administrator Accounts
Never use passwords like "password", "welcome" or "123456". Attackers keep dictionaries of the most common passwords, and of passwords leaked in earlier breaches, and try them in bulk against every site they find. Use a long, randomly generated password that is unique to this site, at least 10 characters and preferably longer, mixing special characters, capital letters and numbers, and keep it in a password manager; WordPress offers a generator on the user profile page. Apply the same rule to every account with the Administrator role, not only your own.
Delete the “readme.html” file from your WordPress site, which reveals your WordPress version
A WordPress installation ships a “readme.html” file in the root directory of your website. It reveals the version of WordPress you are running, along with the installation and upgrade guides.
If an attacker knows of a bug in a particular WordPress version, they can request /readme.html on every site they find and exploit the ones that match. Delete the file, and license.txt next to it, which also identifies the install. Two caveats: the version is printed in the page source as well, in the generator meta tag and in the ?ver= query string on core stylesheets and scripts, so also remove the generator tag (a theme hook that removes the wp_generator action from wp_head does this); and core updates put readme.html back, so either delete it after every update or deny access to it in .htaccess.
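To check whether a site still leaks its version after cleanup, here is an added example in Python (not code from the original page) that scans a page's HTML for the generator tag and the ?ver= parameters on core assets, and checks a web-root file listing for the files that reveal the version. The HTML, the file list and the version numbers in them are constructed for the example.

```python
"""Added example, not part of the original page: find WordPress version
disclosure in page HTML and in the files left in the web root."""
import re

# <meta name="generator" content="WordPress 6.4.3" /> is printed by wp_generator
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.IGNORECASE
)
# Core stylesheets and scripts are served from /wp-includes/ with ?ver=<version>.
# Core's own files carry the WordPress version; bundled libraries (jQuery etc.)
# carry their own, so the result is a list to compare against the generator tag.
CORE_ASSET_VER_RE = re.compile(r'/wp-includes/[^"\'\s]+\?ver=([\d.]+)')
# Files in the web root that identify the install and its version.
VERSION_FILES = ("readme.html", "license.txt")


def find_version_leaks(html: str) -> dict:
    """Return {"generator": "x.y.z", "core_asset_ver": [...]} for what is found;
    an empty dict means the HTML discloses no version."""
    leaks = {}
    match = GENERATOR_RE.search(html)
    if match:
        leaks["generator"] = match.group(1)
    versions = sorted(set(CORE_ASSET_VER_RE.findall(html)))
    if versions:
        leaks["core_asset_ver"] = versions
    return leaks


def leftover_version_files(root_listing) -> list:
    """Given the file names in the web root (e.g. os.listdir(docroot)),
    return the ones that should have been deleted."""
    present = set(root_listing)
    return [name for name in VERSION_FILES if name in present]


# Constructed sample: a page that leaks the version three ways.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.3" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css?ver=6.4.3" />
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
</head><body></body></html>"""

# Constructed sample: a hardened page, generator tag removed and ?ver= stripped.
CLEAN_HTML = """<html><head>
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css" />
</head><body></body></html>"""

# Constructed sample: web root after install, readme.html still present.
SAMPLE_ROOT = ["index.php", "wp-config.php", "readme.html", "wp-admin", "wp-includes"]

if __name__ == "__main__":
    print(find_version_leaks(SAMPLE_HTML))      # {'generator': '6.4.3', 'core_asset_ver': ['3.7.1', '6.4.3']}
    print(find_version_leaks(CLEAN_HTML))       # {}
    print(leftover_version_files(SAMPLE_ROOT))  # ['readme.html']
```

Run it against the HTML of your own front page (for example the output of curl) and against os.listdir of the document root. A jQuery version in the asset list is not a WordPress version, but any ?ver= value that equals the generator version is the same leak in a second place.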
Prevent Directory Browsing of your WordPress site
If directory browsing is enabled, anyone who requests a directory that has no index file (wp-content/uploads/ is the usual example) gets a listing of every file in it and can download them all. You can block it with a single line in your .htaccess file: open the file in an editor and add the Options -Indexes directive at the top.
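The directive in place, as an added example rather than text from the original page:

```apache
# Top of the site's root .htaccess: refuse to list directories that have no index file.
Options -Indexes
```

This only takes effect if the host's Apache configuration permits it (AllowOverride Options or AllowOverride All); where it is not permitted, Apache answers every request with a 500 error until the line is removed, so test right after saving. To verify, request a directory that has no index, such as /wp-content/uploads/, and expect a 403 instead of a file listing. On nginx hosting, .htaccess is ignored entirely; there, listings are off unless autoindex on has been set.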
Rename the database table prefixes and have a strong database password
When you install WordPress with the default options, every table gets the prefix wp_ (wp_posts, wp_users and so on). Changing the prefix to something random means an attacker who finds a SQL injection hole cannot simply guess the table names. Treat this as a minor hurdle rather than a defence: MySQL's information_schema lists every table to anyone who can run queries, and injection tools read it automatically. If you already installed with the default prefix you can change it with the Change DB Prefix plugin. If you do it by hand, remember that the prefix also appears inside the data (the wp_user_roles row in wp_options and the wp_capabilities and wp_user_level keys in wp_usermeta) and that $table_prefix in wp-config.php must match, or every user loses their role and you lock yourself out.
Make the database name, username and password unique to the site. Most people reuse their own name or the site's name, which makes them easy to guess. Generate a long random DB password, update it in wp-config.php, and grant the WordPress database user privileges on that one database only; it needs no access to other databases or to server-wide administration.
Enable the error log of your website
Use a plugin such as Error Log Monitor to read the PHP error log from the dashboard. The PHP error log records errors and warnings from WordPress and its plugins, including failed database queries; the web server's own error log records requests for files that do not exist, which often come from scanners probing for vulnerable plugins. Failed logins are not PHP errors, though: brute-force attempts show up in the web server's access log as bursts of POST requests to wp-login.php and xmlrpc.php from one address, so review that log (or a login-security plugin that records attempts) as well.
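An added example (not from the original page) of the access-log check described above, in Python: it parses combined-format log lines, counts POSTs to wp-login.php and xmlrpc.php per source address, and flags any address that crosses a threshold inside a sliding time window. The log lines, addresses and timestamps are constructed for the example; the threshold and window are parameters you tune for your own traffic.

```python
"""Added example, not part of the original page: spot login brute-force attempts
in a web server access log (Apache/nginx combined format)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Endpoints that password-guessing tools hammer. xmlrpc.php accepts many
# credential pairs in one request via system.multicall, so even a low count matters.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def login_posts(lines):
    """Yield (ip, timestamp) for every POST to a login endpoint."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0] in LOGIN_PATHS:
            yield rec["ip"], rec["ts"]


def attempts_per_ip(lines) -> Counter:
    """Total login POSTs per source address."""
    return Counter(ip for ip, _ in login_posts(lines))


def flag_bruteforce(lines, threshold=10, window_seconds=60) -> list:
    """Addresses that made at least `threshold` login POSTs inside any
    `window_seconds` span (sliding window over sorted timestamps)."""
    stamps_by_ip = defaultdict(list)
    for ip, ts in login_posts(lines):
        stamps_by_ip[ip].append(ts)
    flagged = []
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


def _line(ip, second, method, path, status):
    """Build one constructed log line (same fixed minute, varying seconds)."""
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 3105 "-" "Mozilla/5.0"')


# Constructed sample log: one address guessing a password every 3 seconds
# (WordPress answers a failed login with 200 and the form again), one legitimate
# user who mistyped once and then succeeded (302), and ordinary page views.
SAMPLE_LOG = (
    [_line("203.0.113.5", 10 + 3 * i, "POST", "/wp-login.php", 200) for i in range(8)]
    + [_line("198.51.100.7", 12, "POST", "/wp-login.php", 200),
       _line("198.51.100.7", 20, "POST", "/wp-login.php", 302),
       _line("192.0.2.1", 15, "GET", "/", 200),
       _line("192.0.2.1", 16, "GET", "/wp-login.php", 200)]
)

if __name__ == "__main__":
    print(attempts_per_ip(SAMPLE_LOG))
    print(flag_bruteforce(SAMPLE_LOG, threshold=5, window_seconds=60))  # ['203.0.113.5']
```

Feed it the lines of your real access log (open(path) iterates them) and the flagged addresses are candidates for a firewall or .htaccess deny rule. The status code is parsed but not used for the decision on purpose: a guessing tool that finally succeeds produces a 302 just like the legitimate user does, so the rate, not the outcome, is the signal.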
Keep your WordPress site and plugins updated
It is very important to update WordPress core, plugins and themes to the latest version as soon as it is released, because releases often contain security patches, and once a fix is public the vulnerability it closes is quickly exploited against sites that have not applied it. WordPress installs minor core security releases automatically by default, and you can enable automatic updates per plugin from Plugins > Installed Plugins. Remove plugins and themes you do not use rather than leaving them installed and deactivated: their files stay on the server and remain reachable by URL.
Protect your WordPress Admin Area
If your WordPress site has no public registration or front-end login, it is wise to hide the admin pages from everyone but you. You can restrict the whole wp-admin directory or just the wp-login.php page. The simplest way on Apache hosting is to list your own IP address in .htaccess so the admin area only answers to those addresses. Put the following in wp-admin/.htaccess (or wrap the same directives in a Files block for wp-login.php in the root .htaccess to protect only the login page):
# wp-admin/.htaccess (Apache 2.2 syntax; keyword pair written without a space)
Order Deny,Allow
Deny from all
Allow from xx.xxx.xxx.xxx
To allow several computers (office, home PC, laptop and so on), add another Allow from xx.xxx.xxx.xxx line for each address. Two things to know before you rely on this: if your ISP changes your address you lock yourself out, so keep FTP/SFTP or the host's file manager available to edit the rule; and wp-admin/admin-ajax.php is called by many themes and plugins on behalf of logged-out visitors, so if you lock the whole directory, exempt that file, or front-end features such as forms and search will stop working.
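The same restriction in Apache 2.4's native syntax, as an added example that is not from the original page. The addresses 192.0.2.10 and 198.51.100.0/24 are placeholders from the documentation ranges; replace them with your own. It also shows the admin-ajax.php exemption, since locking all of wp-admin without it breaks front-end features:

```apache
# --- root .htaccess: only trusted addresses may reach the login page ---
<Files wp-login.php>
    Require ip 192.0.2.10 198.51.100.0/24
</Files>

# --- wp-admin/.htaccess: lock the whole admin directory the same way ---
Require ip 192.0.2.10 198.51.100.0/24

# admin-ajax.php and admin-post.php are called by themes and plugins on
# behalf of logged-out visitors, so leave them reachable.
<FilesMatch "^admin-(ajax|post)\.php$">
    Require all granted
</FilesMatch>
```

Apache 2.4 honours Order, Deny and Allow only when mod_access_compat is loaded, and mixing the two styles in one file is a common cause of unexpected 403 or 500 responses, so use one style per server. Test from an address outside the list: /wp-login.php and /wp-admin/ should return 403, while /wp-admin/admin-ajax.php should still answer (400 for a request with no action, not 403). On nginx hosting, .htaccess is not read at all; use allow and deny inside the matching location block instead.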
Secure WordPress Hosting
The hosting account itself must be well secured; otherwise nothing you do inside WordPress matters, because whoever controls the hosting account (control panel, FTP/SFTP, SSH) can edit any file, read the database password out of wp-config.php and take over the site. Use a unique strong password, and two-factor authentication if the host offers it, on the hosting account, and use SFTP or FTPS rather than plain FTP, which sends the password in cleartext.
Things to verify in the hosting environment:
- Support for current, still-maintained PHP and MySQL/MariaDB versions (PHP branches past end of life receive no security fixes)
- Antivirus and malware scans of the web root
- Intrusion detection systems
- DDoS prevention