How to improve WordPress security
Security in WordPress is a must. Your WordPress site may be hacked or other security issues may arise, because WordPress websites are favorite targets for hackers.
No one can make a site perfectly secure; that is impractical, if not impossible. But one can at least reduce the risk by applying different security measures. With this article, you'll be able to keep your website relatively safe.
To protect your website and your viewers' data, the following measures can be adopted. These steps will not eliminate the security risk, but they will surely minimize it.
- Choosing a host
- Strong password
- Don’t use admin as username
- 2 step Login authentication
- Limit number of login attempts
- Disable login hints
- Change login page URL
- Trusted themes and plugins
- Use SSL
- Use WordPress security keys
- Use secure FTP
- Keep wp updated
- Keep it clean
- Disable trackbacks
Choosing a host
Choose a reputable and reliable host for your website. Don't go for a cheap one. Your hosting company greatly affects your site's security.
Many hosting providers use outdated software. Even if there were no issues in the past, outdated software does not guarantee future safety.
Look for the following features when choosing a host.
- Attack monitoring and prevention
- Regular updates of their own software
- The ability to isolate hacked sites so that they cannot affect other sites on a shared server.
Pick a strong password
Choose a complex password for your safety. Keep three things in mind (complex, long and unique) while choosing a password. Version 2.5 and above have a password strength indicator to help you recognize whether your password is strong enough or not.
Keep the following points in mind:
- Use a fresh and unique password.
- Use a mixture of capital and small letters, symbols and numbers.
- Avoid common information about you like your mobile number, anniversaries or birthdays.
- Keep it long, at least 10 characters.
- Try to have a password which doesn't make any meaning or sense.
- Change your password frequently.
Don’t use admin as username
WordPress has admin as the default username. Being the default, it is the most common username and hence easily guessed.
When people start using WordPress, especially for the first time, they stick to admin as the username. Changing the username makes it a bit harder for a hacker to crack it.
To change the username:
- Create a new user with administrative privileges by clicking on Users > New User.
- Delete the previous admin user.
- While deleting, WordPress will ask you “what to do with the content of this user”; you'll have the option either to delete all content or assign it to the new user.
2 step Login authentication
Two step login authentication (also known as 2FA) adds more security to your login page. It requires an authentication code, which can only be received through a mobile message, to log into your account.
There are some plugins available for 2FA.
Limit number of login attempts
Login pages are generally attacked by hackers. They may try many times to find the correct username and password. Although their attempts may be unsuccessful, the number of attempts they make consumes an enormous amount of server memory. Due to this, your website may slow down. On a shared server, this will affect your site as well as neighboring sites.
One solution is to limit the number of login attempts. There are some plugins available for this, like Jetpack.
Disable login hints
Whenever you type a wrong password or username, you'll get a hint stating that either your username or your password is incorrect.
This is very useful information for a hacker. That's why login hints should be disabled on a WordPress site.
Change login page URL
Hackers generally attack the login page. If you hide your login page from hackers, it will increase your site's security to a great extent.
This can be done by changing the login page URL with the WPS Hide Login plugin. There are also some other plugins available for this. They simply intercept page requests and make the wp-admin directory and the wp-login.php page inaccessible. You have to remember the new login page URL set during the activation of the plugin.
Trusted themes and plugins
Plugins and themes are always suspect when they are not maintained or updated. Before downloading a plugin or theme, check its reviews and comments, whether the author is responsive, and whether it is free or paid.
Before downloading a plugin or theme, take a backup of your website and theme.
Use SSL
SSL stands for Secure Socket Layer. It turns http into https. It is important on pages containing sensitive information, and it adds an extra layer of protection.
It scrambles your site's information into an unreadable form, so while this information travels from your server to a browser it is in an unreadable format and does not make any sense. At the browser end, a private key is used which makes the data readable again.
WordPress security keys
WordPress keeps your login information in a cookie, and one extra layer can be added around this cookie with WP security keys. These are a set of random variables that improve the security of the information stored in the cookie.
A non-encrypted password can easily be cracked if one reconstructs the authentication key. Encrypting it with WP security keys makes this very tough.
How to add WP security keys
- Open the wp-config.php file.
- Go to the line “Authentication Unique Keys and Salts”.
- Use an online automatic key generator tool.
- Replace the existing set of keys in wp-config.php with the keys from the online tool and save the file.
You can repeat this process at fixed intervals. Whenever you change the security keys, users will be logged out of their accounts.
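As an added example (not code from the original article or from WordPress), the script below performs the same key rotation offline, generating the eight keys and salts from /dev/urandom instead of the online tool. It assumes the standard define('NAME', 'value'); layout of wp-config-sample.php.

```shell
#!/bin/sh
# Rotate the eight WordPress security keys/salts in a wp-config.php file.
# Added example, not from the original article. Assumes a standard
# wp-config.php whose keys look like: define('AUTH_KEY', '...');

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print one 64-character random key. The alphabet deliberately omits
# quote, backslash, pipe, ampersand and dollar so the value is safe
# both inside a PHP single-quoted string and in the sed replacement.
wp_random_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*()_+=' < /dev/urandom | head -c 64
    echo
}

# Replace every key/salt define in $1 with a fresh random value.
# Every existing WordPress login cookie becomes invalid afterwards,
# which is exactly the "all users are logged out" effect described above.
wp_rotate_salts() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    cp "$cfg" "$tmp"
    for name in $WP_SALT_NAMES; do
        key=$(wp_random_key)
        sed "s|define( *'$name', *'[^']*' *);|define( '$name', '$key' );|" \
            "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp"
    done
    mv "$tmp" "$cfg"
}

# Return 0 if $1 defines all eight keys and the sample placeholder text
# ("put your unique phrase here" from wp-config-sample.php) is gone.
wp_salts_ok() {
    for name in $WP_SALT_NAMES; do
        grep -q "define( *'$name', *'[^']*' *);" "$1" || return 1
    done
    ! grep -q 'put your unique phrase here' "$1"
}
```

Run it as `wp_rotate_salts /path/to/wp-config.php` after taking a backup of the file; `wp_salts_ok` is a quick check that no placeholder keys remain.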
Use secure FTP (SFTP)
File Transfer Protocol (FTP) is used to carry files to your host when you make changes to or update information on your site.
A plain FTP connection increases the chances of the data being intercepted, while SFTP greatly reduces them.
Keep wp updated
The best security for your site is to update it regularly. Updating all your files to the latest version increases the security of your WordPress site.
From version 3.7, WordPress gets updated automatically. But your files, themes and plugins need to be updated via your dashboard or FTP.
Keep it clean
Always remove unused themes and plugins from your site, as they might introduce security issues when they have not been updated for a long time. Always keep your website clean.
Disable trackbacks
Trackbacks notify you that your site's content has been linked from another web page. Through trackbacks, hackers can attack your site.
So for a new WordPress site, disable this feature by clicking on Settings > Discussion and unchecking the “Allow link notifications from other blogs” option.