WordPress is an open-source platform for any type of website: a blog, a CMS or any other custom solution. Securing your WordPress site should be a first priority. In this WordPress tutorial, you will find tips and tricks for securing and optimizing your WordPress site.
This section covers tips for securing your WordPress site: protecting files, restricting logins, restricting the WordPress admin area, protecting the database, and more.
1. Server Security
Block the wp- folders from being indexed by search engines; the best way is a rule in your robots.txt file. Add the following line to it:
Directories should not be left open for public browsing.
Create an empty index.html file and upload it to wp-content, wp-content/plugins and wp-content/themes, or just add this line to the .htaccess file in your web root:
Options All -Indexes
2. Regular Backups of WordPress Site and Database
You always have to take regular backups of your file directories as well as of the database. Regular backups of your site will make you feel safer than any other measure.
I consider backups an important step because experience with many attacked sites has shown that cleaning up a site after an attack takes a lot of time when there is no backup. A backup is a must if you have put a lot of work and energy into your site.
Few ways to backup WordPress sites:
i. Backup Buddy
Backup Buddy schedules backups and sends them to an Amazon S3 bucket, an e-mail address or an FTP/FTPS account. It can restore your WordPress site, including themes, widgets and plugins, on the same server, or migrate it to a new server with a new name and domain, for example a sandbox or playground site.
ii. WP-DB-Backup
The WP-DB-Backup plugin backs up the core database tables, and optionally the other tables in the database, and lets you save the backup on your server, download it to your computer or have it e-mailed to you.
iii. WP-DB Manager
WP-DB Manager is a complete plugin to optimize, repair, back up, restore and delete the database, and to run your own queries. It also handles automatic scheduling of backups and manages your whole database.
3. Always Stay Updated with the Latest Version of WordPress
It’s the single most effective way to secure your site from attacks. WordPress is updated regularly to address new security issues that may arise. Improving software security is always an ongoing concern, and to that end you should always keep up to date with the latest version of WordPress.
If you are not sure whether an upgrade could break your site, try upgrading WordPress on a local development copy before applying it to the live server.
4. wp-config.php file
i. Apply Custom Secret Keys or SALT to wp-config.php File
The wp-config.php file is the file that stores all the confidential details of WordPress. This file contains the name, address and password of the MySQL database that stores all of your user info, blog posts and other important content.
Using a secret key, you can make it even more difficult for someone to gain access to your account.
Salting passwords protects WordPress installations against brute force attacks by appending long random strings (the generator produces a different set on every page refresh). Go to this link, and it will generate the random keys for you; copy the results into this section of your wp-config.php file if you haven't already set up a secret key.
ii. Protect wp-config.php file
An easy way to protect this file is to place the following code in the .htaccess file on your server. The .htaccess file lives in your www root directory; if it is not there, create it and add the following code to it.
<Files wp-config.php>
order allow,deny
deny from all
</Files>
iii. Change the table prefix wp_
WordPress adds wp_ as the prefix to all WordPress tables by default. It is suggested you use a custom prefix for table names.
- Before WordPress Installation
- Open wp-config.php and change
$table_prefix = 'wp_'; to $table_prefix = 'my_';
- How to change the table prefix wp_ on a live site
- Backup WordPress database
- Open wp-config.php and change the code
$table_prefix = 'wp_'; to $table_prefix = 'my_';
- Login to your WordPress database (using phpMyAdmin)
- If you are using the cPanel WordPress hosting, then you can find the phpMyAdmin link in your cPanel.
- There are 11 default WordPress tables in total, so rename them with the following SQL queries (identifiers are quoted with backticks, not single quotes, in MySQL):
RENAME TABLE `wp_commentmeta` TO `my_commentmeta`;
RENAME TABLE `wp_comments` TO `my_comments`;
RENAME TABLE `wp_links` TO `my_links`;
RENAME TABLE `wp_options` TO `my_options`;
RENAME TABLE `wp_postmeta` TO `my_postmeta`;
RENAME TABLE `wp_posts` TO `my_posts`;
RENAME TABLE `wp_terms` TO `my_terms`;
RENAME TABLE `wp_term_relationships` TO `my_term_relationships`;
RENAME TABLE `wp_term_taxonomy` TO `my_term_taxonomy`;
RENAME TABLE `wp_usermeta` TO `my_usermeta`;
RENAME TABLE `wp_users` TO `my_users`;
- You may have to add lines for plugins that create their own tables in the WordPress database. The idea is to change the prefix of every table to the one you want.
- Now you also have to edit the options table and the usermeta table, since some of their rows use the wp_ prefix in the option_name and meta_key values. Run the queries below to find those rows, then rename the matching values to the new prefix as well:
SELECT * FROM `my_options` WHERE `option_name` LIKE '%wp_%';
SELECT * FROM `my_usermeta` WHERE `meta_key` LIKE '%wp_%';
5. Protect .htaccess File
This snippet stops anyone from viewing your .htaccess file over the web, which protects it and makes it somewhat safer. Add the following code to your .htaccess file:
<Files .htaccess>
order allow,deny
deny from all
</Files>
6. Hide WordPress Version
WordPress 2.6 and above automatically includes the WordPress version in the wp_head section of your installation. By itself this does no harm, but if an attacker knows which WordPress version you are running, they know exactly which known vulnerabilities to try against your installation. Check your theme's header.php for the following code:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
Add the following code to functions.php of your active theme
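As an added example (not code from the original tutorial), the snippet below removes the version not only from the wp_head generator tag but also from feeds and from the ?ver= query string on core assets; the function name is our own.

```php
<?php
// Added example, not code from the original tutorial: remove the WordPress
// version from the places it is normally disclosed. Goes in the active
// theme's functions.php (or a must-use plugin). Function name is our own.

// 1. Drop the <meta name="generator"> tag printed by wp_head.
remove_action( 'wp_head', 'wp_generator' );

// 2. Blank the generator string that also appears in RSS/Atom feeds.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Strip the ?ver=<wp-version> query string that wp_enqueue_script() and
//    wp_enqueue_style() append to core assets; it reveals the version just
//    as clearly as the meta tag. Only the core version string is matched,
//    so plugin or theme assets that carry their own version are left alone.
function example_strip_core_version_arg( $src ) {
    if ( false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'example_strip_core_version_arg', 9999 );
add_filter( 'script_loader_src', 'example_strip_core_version_arg', 9999 );
```

The version remains recoverable from readme.html and from fingerprints of core files, so this only removes the obvious banner; keeping WordPress updated (tip 3) is what actually closes the exposure.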
7. Use Strong WordPress Account Password
Don't use admin as your username (or as your password). As of version 3.0 you can change the default admin username during the initial setup.
To change your "admin" user, follow these steps:
- Login as Admin. Create a new user that you plan to assign administrator privileges. Logout as Admin.
- Login as new Administrator user. Delete the “admin” user.
- Before deleting any user WordPress asks you what it should do with posts and links owned by the user that you are deleting. Select “Attribute all posts and links to”.
Additionally, picking strong passwords for all of the users on your blog (and for your MySQL database) is a fundamental way to boost your security. WordPress shows you the strength of your password; a good rule is to avoid common phrases, mix upper- and lowercase letters, and include numbers.
It’s also a good idea to change your password regularly — say once every six months.
8. Install WordPress Security Plugins
- TAC (Theme Authenticity Checker)
TAC searches the source files of every installed theme for signs of malicious code. If such code is found, TAC displays the path to the theme file, the line number and a small snippet of the suspect code.
- Better WP Security
This is an excellent plugin that not only accurately detects security issues with your blog but also lets you fix them one by one. It is a great idea to run it before launching a new WordPress site, to detect any weaknesses that need patching. I advise taking a backup before applying any fixes, though; that way, if a fix goes awry, you can quickly restore your site as it was before.
9. Limit The Number of Failed Login Attempts
The Login LockDown WordPress plugin automatically blocks the IP addresses from which failed login attempts on a WordPress blog are made. By default it locks an IP for an hour after 3 failed attempts; this can be changed in the Options panel. Admins can also release blocked IP addresses whenever required. The Better WP Security plugin has this feature too.
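To show what such a lockout does under the hood, here is an added example (our own code, not from the original tutorial or from either plugin) that implements the same default, 3 failures per IP per hour, with WordPress transients; the constant, function and transient-key names are this example's own.

```php
<?php
// Added example, not code from the original tutorial or the plugins it names:
// a minimal lockout with the same default as above, 3 failed logins from one
// IP within an hour lock that IP out for an hour. Drop it into a must-use
// plugin (wp-content/mu-plugins/). It stores counters in WordPress
// transients; the function and key names are this example's own.

const EXAMPLE_MAX_FAILURES    = 3;
const EXAMPLE_LOCKOUT_SECONDS = HOUR_IN_SECONDS;

// Key the counter on the client IP. REMOTE_ADDR is set by the web server;
// do not trust X-Forwarded-For unless a proxy you control overwrites it.
function example_lockout_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

// Count each failure; the transient expires by itself after the window.
// Attempts made while locked also count, which extends the lock.
function example_record_failed_login( $username ) {
    $key   = example_lockout_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EXAMPLE_LOCKOUT_SECONDS );
    if ( $count >= EXAMPLE_MAX_FAILURES ) {
        error_log( "login lockout: {$count} failures for user '{$username}'" );
    }
}
add_action( 'wp_login_failed', 'example_record_failed_login' );

// Refuse the login while the lock is active. Priority 30 runs after the core
// username/password handler (priority 20), so its result is replaced by an
// error and no auth cookie is ever set. The message deliberately does not
// say whether the username exists.
function example_block_locked_ip( $user, $username, $password ) {
    if ( (int) get_transient( example_lockout_key() ) >= EXAMPLE_MAX_FAILURES ) {
        return new WP_Error( 'locked_out', 'Too many failed logins; try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'example_block_locked_ip', 30, 3 );

// Clear the counter after a successful login so a legitimate user's own typos
// do not carry over.
add_action( 'wp_login', function () {
    delete_transient( example_lockout_key() );
} );
```

Because transients are stored in the wp_options table when no object cache is configured, the count survives across PHP workers and page loads, and the XML-RPC login path goes through the same authenticate filter, so it is covered too.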