HostOnNet Blog


Basic Things to Secure WordPress

1. Keep Your WordPress Site Up-to-Date

Make sure you update your WordPress core files, themes and plugins to the latest version (even if a theme or plugin is deactivated). If you keep everything up-to-date your site is much less likely to get hacked.

2. Never install themes or plugins from an untrusted source.

Never use a pirated version of premium themes or plugins. The main reason for this is that such free copies can contain malicious code.

If you really need to use a free theme, you should only use those developed by trusted theme companies, or those available on the official WordPress.org theme repository.

The same logic applies to plugins. Only use plugins that are listed on WordPress.org, or built by a well-established developer.

3. Never use “admin” as your username

If you use “admin” as your username, and your password isn’t strong enough, then your site is very vulnerable to a malicious attack.

Create a new Administrator user, log in as that user, and delete your “admin” user account. Make sure that you transfer any posts and pages owned by the old admin user when doing this.

4. Make your passwords more complex

Create a completely unique password for your account, ideally including upper- and lowercase letters, numbers, and symbols.

5. Do not publish your administrator account name on your blog (e.g. in the metadata above a post).

By default WordPress displays your username in the URL of your author archive page, e.g. if your username is melbin, your author archive page would be something like http://yoursite.com/author/melbin.

Hiding this will prevent an attacker from finding your username.

6. Limit login attempts

It can be useful to limit the number of failed login attempts from a single IP address.

The Limit Login Attempts plugin allows you to specify how many retries will be allowed, and how long an IP will be locked out for after too many failed login attempts.
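A minimal form of the lockout described above, added here as an illustration and not the code of the Limit Login Attempts plugin or of this blog: it uses the WordPress wp_login_failed, authenticate and wp_login hooks plus transients to count failures per client address. The plugin name, the sll_ function and constant names, the thresholds and the use of REMOTE_ADDR are assumptions.

```php
<?php
/*
 * Plugin Name: Simple Login Lockout (added example, not the Limit Login Attempts plugin)
 * Install by copying this file into wp-content/mu-plugins/; must-use plugins load automatically.
 */

// Policy (assumed values): after SLL_MAX_FAILS failed logins from one address,
// refuse logins from that address for SLL_LOCKOUT_SECONDS.
define( 'SLL_MAX_FAILS', 5 );
define( 'SLL_LOCKOUT_SECONDS', 15 * 60 );

// Transient key for the client address. REMOTE_ADDR is only trustworthy when the site
// is not behind a proxy or CDN; behind one, take the address from the header your proxy sets.
function sll_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'sll_fails_' . md5( $ip );
}

// Count each failed attempt. The transient expires on its own, so the counter resets
// once the lockout window passes without further failures (a failure renews the window).
add_action( 'wp_login_failed', function ( $username ) {
    $key   = sll_client_key();
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, SLL_LOCKOUT_SECONDS );
} );

// WordPress checks the username and password on the 'authenticate' filter at priority 20.
// Running at priority 30 lets this callback override the outcome: while the address is
// locked out, even a correct password is rejected, so guessing cannot succeed in the window.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( sll_client_key() ) >= SLL_MAX_FAILS ) {
        return new WP_Error( 'sll_locked_out',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the failure counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( sll_client_key() );
}, 10, 2 );
```

Failed attempts are also worth logging so that a lockout shows up in monitoring rather than only in the user's browser.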

7. Disable file editing via the dashboard

A default WordPress installation allows you to edit theme files by navigating to Appearance > Editor in the dashboard.

If a hacker gains access to your admin panel, they could also edit your files that way and execute whatever code they wanted to.

You can disable this by adding the following to your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

8. Backup

Create regular backups of both your database and files.

9. Install one or more of the following security plugins:

Wordfence Security
BulletProof Security
Better WP Security

This list is by no means complete, but it gives you some ideas for identifying potential security holes in WordPress and solutions to protect your site from hackers.


Posted in Wordpress