WordPress security is often referred to as "hardening". The analogy is a castle: you reinforce the walls, secure the gates and post guards on every tower so that nothing gets in unseen.
WordPress is the most popular blogging and CMS tool on the Internet, which makes it the most frequently attacked one. If you run a WordPress site you need to take some extra care to protect it from attackers, malware, ransomware and other infestations.
This article introduces some best practices for securing a WordPress site, though nothing guarantees 100% protection against every threat. Staying vigilant about security is your responsibility, and it is not one you can ignore.
1) Keep your WordPress site and plugins up to date. Consider automatic core updates
This is a simple change. Add this line to wp-config.php and core updates, including major releases, are installed in the background without waiting for your approval. The constant accepts three values: true (all updates), 'minor' (the default: minor and security releases only) and false (none). A major release can break a theme or plugin, so take a backup first and check the site after each update:
# Enable all core updates, including minor and major:
define( 'WP_AUTO_UPDATE_CORE', true );
Alternatively, install the plugin 'WP Updates Settings', which manages the same switches from the dashboard.
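The same policy expressed with the core update filters, as an added example that is not code from the original article or from WordPress itself. It is written as a must-use plugin (a file in wp-content/mu-plugins/ loads on every request and cannot be switched off from the dashboard), covers plugins and themes as well as core, and holds back a short list of plugins that need a staging check first. The file name and the slugs in $held_back are placeholders.

```php
<?php
/**
 * Plugin Name: Update policy (added example)
 *
 * Added example, not code from the original article or from WordPress.
 * Save as wp-content/mu-plugins/update-policy.php. It uses the core filters
 * instead of the wp-config.php constant so that core, plugin and theme
 * policy sit in one file. The slugs in $held_back are placeholders.
 */

// Core: take minor and security releases automatically, hold major releases
// for a manual test. Change the second filter to __return_true to match the
// article's WP_AUTO_UPDATE_CORE = true.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Plugins: auto-update everything except a short list that needs a staging
// check first (hypothetical slugs).
$held_back = array( 'woocommerce', 'example-payment-gateway' );
add_filter( 'auto_update_plugin', function ( $update, $item ) use ( $held_back ) {
    if ( isset( $item->slug ) && in_array( $item->slug, $held_back, true ) ) {
        return false; // leave these to a human
    }
    return true;
}, 10, 2 );

// Themes: always auto-update. Your own changes live in a child theme
// (tip 3), so a theme update overwrites nothing you wrote.
add_filter( 'auto_update_theme', '__return_true' );
```

Updates still run from WP-Cron, so a site with little traffic (or with DISABLE_WP_CRON set) needs a real cron job calling wp-cron.php, or the policy never fires.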
2) Protect your WordPress admin area
Add these lines to a .htaccess file inside the wp-admin directory (not the one in the WordPress root, where they would lock everyone out of the entire site), replacing xx.xxx.xxx.xxx with your own IP address. Two things to know: wp-admin/admin-ajax.php is called from the public side of many themes and plugins and needs an exception, and wp-login.php lives outside wp-admin, so it has to be restricted separately. The Deny/Allow syntax is Apache 2.2; on Apache 2.4 it only works with mod_access_compat loaded, and the native equivalent is Require ip.
Deny from all
Allow from xx.xxx.xxx.xxx
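The same restriction in Apache 2.4 syntax, as an added example that is not from the original article. It shows both files involved (wp-admin/.htaccess and the root .htaccess), keeps admin-ajax.php reachable, and covers wp-login.php. The addresses stand in for an office address and a VPN range and are placeholders.

```apache
# Added example, not from the original article. Apache 2.4 (mod_authz_core);
# both directories need AllowOverride AuthConfig (or All). Addresses are placeholders.

# --- wp-admin/.htaccess ---------------------------------------------------------
# Only these addresses may reach the dashboard ...
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>
# ... except admin-ajax.php, which themes and plugins call from the public site.
<Files "admin-ajax.php">
    Require all granted
</Files>

# --- .htaccess in the WordPress root ---------------------------------------------
# wp-login.php sits outside wp-admin, so it must be restricted here, not above.
<Files "wp-login.php">
    Require ip 203.0.113.10 198.51.100.0/24
</Files>
```

If your own address changes (home broadband, mobile), this locks you out as well; a VPN with a fixed egress address, or HTTP basic authentication on the same two paths, avoids that. nginx ignores .htaccess files entirely, so there the equivalent allow/deny rules go into the server block.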
3) Create a child theme before changing your functions.php file
Even if you are not touching functions.php, it is good practice to make a child theme and customize that instead. It protects your work from being overwritten when WordPress or the theme is updated, and it means you can keep installing theme updates, which often carry security fixes, without losing your changes.
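A minimal child theme, as an added example that is not from the original article. It assumes Twenty Twenty-One as the parent and wp-content/themes/twentytwentyone-child/ as the child directory (both placeholders); the only other file needed is the child's style.css with the header shown in the comment. The customisation at the end is one example of the kind of change that belongs here.

```php
<?php
/**
 * Added example, not from the original article: functions.php of a child theme
 * assumed to live in wp-content/themes/twentytwentyone-child/ with Twenty
 * Twenty-One as the parent (both names are placeholders). The only other
 * required file is style.css, whose header names the parent directory:
 *
 *     Theme Name: Twenty Twenty-One Child
 *     Template:   twentytwentyone
 */

// Load the parent stylesheet, then the child's, so the child's rules win the cascade.
add_action( 'wp_enqueue_scripts', function () {
    $child  = wp_get_theme();
    $parent = $child->parent(); // WP_Theme of the parent, or false if missing
    wp_enqueue_style(
        'parent-style',
        get_template_directory_uri() . '/style.css', // parent directory
        array(),
        $parent ? $parent->get( 'Version' ) : null
    );
    wp_enqueue_style(
        'child-style',
        get_stylesheet_uri(),                        // child's style.css
        array( 'parent-style' ),
        $child->get( 'Version' )
    );
} );

// Customisations go below. They live here, not in the parent's functions.php,
// so a parent-theme update (which may carry a security fix) never overwrites them.
// Example: stop advertising the exact WordPress version in the page head and feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
```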
4) Don't download premium plugins for free
Whoever distributes paid plugins for free has ulterior motives; such copies are commonly bundled with malware or adware. They also never receive the developer's updates, so any vulnerability found later in the plugin stays unpatched on your site. Buy from the developer and take updates from the same source.
5) Keep track of dashboard activity
An activity log lets you connect a specific action to a specific reaction. If the site broke right after a file was uploaded, you can find that upload and inspect the file for malicious code, and the same log tells you which account did it and from which address.
Plugin suggestion: WP Security Audit Log
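What such a log boils down to, as an added example that is not the code of WP Security Audit Log or of the original article: a must-use plugin that hooks the events worth having a trail for (logins, plugin state changes, media uploads, role changes) and writes one line per event to the PHP error log. The file name is a placeholder.

```php
<?php
/**
 * Plugin Name: Minimal audit trail (added example)
 *
 * Added example, not the code of WP Security Audit Log or of the original
 * article. Save as wp-content/mu-plugins/audit-trail.php. Each event becomes
 * one line in the PHP error log, which lives outside the web root, so the
 * trail is not itself readable by visitors.
 */

function audit_trail_log( $event, array $fields = array() ) {
    $user = wp_get_current_user();
    $base = array(
        'ts'   => gmdate( 'c' ),
        // Behind a reverse proxy REMOTE_ADDR is the proxy; substitute the
        // forwarded header there, but only after checking the request really
        // came from that proxy, since the header is client-controlled.
        'ip'   => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        'user' => $user->exists() ? $user->user_login : '-',
    );
    error_log( 'wp-audit ' . $event . ' ' . wp_json_encode( $base + $fields ) );
}

// Logins: wp_login fires before the current user is set, so record the
// login name from the hook argument rather than from wp_get_current_user().
add_action( 'wp_login', function ( $login ) {
    audit_trail_log( 'login.ok', array( 'login' => $login ) );
} );
add_action( 'wp_login_failed', function ( $login ) {
    audit_trail_log( 'login.failed', array( 'login' => $login ) );
} );

// Plugin state changes: $plugin is the path relative to wp-content/plugins.
add_action( 'activated_plugin', function ( $plugin ) {
    audit_trail_log( 'plugin.activated', array( 'plugin' => $plugin ) );
} );
add_action( 'deactivated_plugin', function ( $plugin ) {
    audit_trail_log( 'plugin.deactivated', array( 'plugin' => $plugin ) );
} );

// Uploads through the media library: the event in the article's example.
add_action( 'add_attachment', function ( $attachment_id ) {
    audit_trail_log( 'media.uploaded', array( 'file' => get_attached_file( $attachment_id ) ) );
} );

// Privilege changes: a new administrator appearing is the classic post-compromise sign.
add_action( 'set_user_role', function ( $user_id, $new_role, $old_roles ) {
    audit_trail_log( 'role.changed', array(
        'user_id' => $user_id,
        'from'    => $old_roles,
        'to'      => $new_role,
    ) );
}, 10, 3 );
```

Ship the error log off the server (syslog, a log collector) if you want it to survive a compromise; an attacker with file write access can edit a local log as easily as anything else.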
6) Don't use the "admin" username, and use strong passwords
The "admin" login is the first guess of every brute-force script. WordPress does not let you rename a user, so create a new administrator with a different login, sign in as that user and delete the old account, reassigning its posts to the new one. Use long, unique passwords for every account, not only administrators; a password manager makes that painless.
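Both points can be enforced in code rather than left to convention, as in this added example (not from the original article): a must-use plugin that refuses the guessable logins at account creation and rejects short passwords when an account is created or edited in the dashboard. The 14-character minimum and the file name are choices made for the example, not WordPress defaults.

```php
<?php
/**
 * Plugin Name: Account policy (added example)
 *
 * Added example, not from the original article. Save as
 * wp-content/mu-plugins/account-policy.php. The minimum length is a value
 * chosen for this example, not a WordPress default.
 */

// Refuse the guessable logins whenever an account is created (WordPress 4.4+ filter).
add_filter( 'illegal_user_logins', function ( $logins ) {
    return array_merge( $logins, array( 'admin', 'administrator', 'root', 'test' ) );
} );

// Reject short passwords on the dashboard's add-user and edit-profile forms.
// $user->user_pass holds the new plain-text password when one was entered.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) && strlen( $user->user_pass ) < 14 ) {
        $errors->add( 'pass_too_short', 'Passwords must be at least 14 characters long.' );
    }
}, 10, 3 );
```

This covers accounts created through the dashboard; passwords set through the reset-by-email flow or WP-CLI take a different path, so pair it with a login limiter (the plugins below all include one) rather than relying on it alone.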
7) Pick the best hosting you can afford
A host that keeps PHP and the web server patched, isolates customer accounts from each other and takes off-site backups removes whole classes of problems you would otherwise have to handle yourself.
8) Spam protection
Suggested plugin: Akismet
9) Clean your site like you clean your castle
Did you know that your WordPress installation could easily have ticking time bombs embedded in it that you are not aware of?
Old themes and plugins that are installed but no longer used, especially ones that have not been updated, are the most likely route to your next breach. Deactivating a plugin does not remove its files: they stay on disk and directly reachable over the web, so some vulnerabilities remain exploitable even while the plugin is switched off. Delete what you do not use. A cluttered site also makes it much harder for security professionals to work out what happened should your site be compromised.
A few good security plugins for WordPress:
Wordfence Security
Paid version available – $99/year (more at: https://www.wordfence.com/wordfence-signup)
Wordfence provides free enterprise-class WordPress security for your website.
It is one of the most widely installed WordPress security plugins.
Powered by the constantly updated Threat Defense Feed, its Web Application Firewall blocks known attack traffic. Wordfence Scan uses the same feed to alert you quickly if your site is compromised, and the Live Traffic view gives real-time visibility into visitors and hack attempts. A set of additional tools rounds out the package.
Wordfence Security is free and open source; the paid version adds further features. A Premium API key gives you premium support, country blocking, scheduled scans, password auditing and a check whether your website's IP address is being used to spamvertise.
On multisite, Wordfence scans all posts and comments across all blogs from one admin panel. You can see all your traffic in real time, including robots, humans, 404 errors, logins and logouts, and who is consuming most of your content, which improves your awareness of the threats your site is facing. Known attackers are blocked in real time: if another site running Wordfence is attacked and blocks the attacker, your site is protected automatically.
- WordPress Firewall
- Blocking Features
- Login Security
- Security Scanning
- Monitoring Features
- Multi-Site Security
- Caching Features
- IPv6 Compatible
- Major Themes and Plugins Supported
All In One WP Security & Firewall
A user-friendly, comprehensive, all-in-one WordPress security and firewall plugin.
The All In One WP Security plugin takes your website security to a new level.
Designed and written by experts, it is easy to use and understand.
It reduces risk by checking for vulnerabilities and by implementing and enforcing recommended WordPress security practices.
The plugin also detects user accounts whose display name is identical to the login name. WordPress prints the display name on posts and author pages, so an identical display name hands attackers the login half of the credential pair and leaves only the password to guess. Bear in mind that author archive URLs and the REST API's users endpoint expose the user "nicename", which defaults to a sanitised copy of the login name, so treat login names as public anyway and rely on password strength and login limits.
It monitors the activity of all user accounts, recording username, IP address and login and logout times, and can automatically lock out IP address ranges that attempt to log in with an invalid username.
It identifies files and folders with insecure permission settings and sets them to the recommended values with one click, and it protects your PHP code by disabling file editing from the WordPress administration area (setting the DISALLOW_FILE_EDIT constant in wp-config.php does the same thing).
It also adds firewall rules to your site through the .htaccess file. Apache processes .htaccess before any PHP runs, so these rules stop a malicious request before it reaches the WordPress code; note that nginx ignores .htaccess files, so there the equivalent rules belong in the server configuration. A simple math captcha can be added to the login form to slow brute-force login attacks.
- User Login Security
- User Accounts Security
- User Registration Security
- Database Security
- File System Security
- htaccess and wp-config.php File Backup and Restore
- Blacklist & Firewall Functionality
- Brute force login attack prevention
iThemes Security
Take the guesswork out of WordPress security. iThemes Security offers more than 30 ways to lock down WordPress in an easy-to-use plugin.
iThemes Security (formerly Better WP Security) gives you over 30 ways to secure and protect your WordPress site. By the plugin's own account, 30,000 new websites are hacked each day, and WordPress sites are an easy target because of plugin vulnerabilities, weak passwords and outdated software.
Most WordPress admins do not know they are vulnerable. iThemes Security locks down WordPress, fixes common holes, stops automated attacks and strengthens user credentials, with advanced features for experienced users who want to harden further.
Manage Away Mode, release lockouts and keep your themes, plugins and WordPress core up to date from one dashboard with iThemes Sync. The iThemes Brute Force Attack Protection Network reports the IP addresses behind failed login attempts and blocks them for a length of time based on how many sites have seen the same attacker.
iThemes Security can create and email database backups on a customizable schedule. It works on multisite (network) and single-site installations, and lets you manage tasks such as banning users and running system scans from the WordPress dashboard.
- iThemes Sync integration
- Brute Force Attack Protection Network
- Blocks bad users and strengthens passwords and other vital information
- Monitors your site and reports changes to the filesystem and database
- Hides common WordPress security vulnerabilities, preventing attackers from learning too much about your site
- Regular backups of your WordPress database
- Two-Factor Authentication – Premium Feature
- WordPress Salts & Security Keys – Premium Feature
- Malware Scan Scheduling – Premium Feature
- Password Security – Premium Feature
- Password Expiration – Premium Feature
- Google reCAPTCHA – Premium Feature
- User Action Logging – Premium Feature
- Import/Export Settings – Premium Feature
- Temporary Privilege – Premium Feature