Whenever you talk about WordPress security, every guide hands you a list of security plugins. My point of view and approach are different. I am not saying that security plugins will not give you effective protection. All I am saying is that using security plugins alone will not completely secure your website. You have to take action beyond the plugins to tackle any kind of security breach on your website. In this post I am not going to babble on about the common security practices you probably know already, although I will recap them just to make sure you do. These actions are essential, and you must cover all of them to have a better security solution for your WordPress website.
1. KEEP WORDPRESS UP-TO-DATE
Always update your WordPress installation, as older versions have more known loopholes. If you are worried that an update could break your site, make a backup first. The important thing is that you update. Newer releases mostly close older security loopholes, so it is recommended that you keep your WordPress up-to-date.
2. KEEP PLUGINS & THEMES UP-TO-DATE
The same applies to plugins and themes. Keeping them up-to-date will not only make them perform better but also keep them safe from any kind of security breach.
3. DELETE UNUSED PLUGINS & THEMES
If you’re not using a plugin or theme, what is the point of keeping it? Delete it and get rid of it, as there is a good chance those plugins have not been updated in a long time. Plugins like these can give a hacker direct access to the back end of your WordPress website.
4. NEVER DOWNLOAD THEMES & PLUGINS FROM UNKNOWN SOURCES
Always prefer plugins and themes from sources you know. Plugins and themes from an unreliable source can let malicious software into your account and cause a serious mess. So, always check the source of a plugin before downloading it.
5. ALTER FILE PERMISSIONS
If you have directories with 777 permissions (writable by everyone), change them to 755 or 750. You can further set files to 644 or 640. Configure wp-config.php with 600 permissions (readable and writable by the owner only), since it holds your database credentials.
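An added example (not code from the original post) that audits an existing WordPress tree against the permissions recommended above before you change anything. It assumes the script is run from the command line as php audit-perms.php /path/to/wordpress and that the argument is the WordPress root directory.

```php
<?php
// Added example: report every directory or file whose mode differs from the
// values recommended above (dirs 755/750, files 644/640, wp-config.php 600).
// Assumption: $argv[1] is the WordPress root; defaults to the current directory.

function audit_wp_permissions(string $root): array
{
    $allowedDirs  = [0755, 0750];
    $allowedFiles = [0644, 0640];
    $findings     = [];

    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );

    foreach ($iter as $path => $info) {
        $mode = fileperms($path) & 0777; // keep only the permission bits

        if ($info->isDir()) {
            if (!in_array($mode, $allowedDirs, true)) {
                $findings[] = sprintf('%s  dir  %04o (expected 755 or 750)', $path, $mode);
            }
        } elseif ($info->getFilename() === 'wp-config.php') {
            // The config file holds database credentials: owner-only access.
            if ($mode !== 0600) {
                $findings[] = sprintf('%s  file %04o (expected 600)', $path, $mode);
            }
        } elseif (!in_array($mode, $allowedFiles, true)) {
            $findings[] = sprintf('%s  file %04o (expected 644 or 640)', $path, $mode);
        }
    }

    return $findings;
}

$root     = $argv[1] ?? getcwd();
$findings = audit_wp_permissions($root);

if ($findings === []) {
    echo "All permissions match the recommended values.\n";
} else {
    echo implode("\n", $findings), "\n";
    exit(1); // non-zero exit so the check can run from a cron job or CI
}
```

Review the report before applying chmod; some hosts run PHP as the web server user and need group-writable uploads directories, which is why 750/640 are listed as alternatives.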
6. NEVER USE “ADMIN” AS A USERNAME
Never use “admin” as your username. It is the WordPress default, and you do not want Mr. Hacker to be able to guess your username.
7. REGULARLY CHANGE YOUR PASSWORD
A long mix of letters in both upper and lower case, digits and special characters will keep the hacker from guessing your password.
8. ADD TWO-STEP AUTHENTICATION
One of the most effective ways to stop a brute force attack is to set up two-step authentication. You first enter your password and then an authorization code that is sent to your cellphone via SMS. This bolsters your security and certainly minimizes the threat of any brute force attack.
9. ENABLE FIREWALL ON YOUR COMPUTER
Always activate the firewall on your computer. This adds an extra layer of security and helps protect you from any kind of hacking.
10. PUT LIMITS ON LOGIN ATTEMPTS
There are plugins that let you limit the number of login attempts from a given IP address. It is advised to use them, as doing so will help thwart any brute force attempt.
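If you prefer to see what such a plugin does under the hood, here is an added example (not code from the original post, and not any particular plugin's code) of a minimal login-attempt limiter for a child theme's functions.php. It assumes a limit of 5 failures per IP address and a 15-minute lockout, and that REMOTE_ADDR is the real client address (behind a reverse proxy you would need to use the forwarded address instead).

```php
<?php
// Added example: limit failed logins per IP using WordPress transients.
// Assumptions: 5 failures allowed, then a 15-minute (900 s) lockout.

const BWP_MAX_ATTEMPTS = 5;
const BWP_LOCKOUT_SECS = 900;

// Transient name derived from the client IP (hashed so it is a safe key).
function bwp_client_key(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'bwp_login_fail_' . md5($ip);
}

// Count every failed login against the client's IP. Re-setting the transient
// also refreshes its expiry, so a client that keeps trying stays locked out.
add_action('wp_login_failed', function ($username) {
    $key   = bwp_client_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, BWP_LOCKOUT_SECS);
});

// Refuse authentication while the client is locked out. Priority 100 runs
// after the core username/password and cookie checks (priorities 20 and 30),
// so our WP_Error replaces whatever result they produced.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(bwp_client_key()) >= BWP_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 100, 3);

// Clear the counter once the client logs in successfully.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(bwp_client_key());
}, 10, 2);
```

A rejected login during the lockout still fires wp_login_failed, so the lockout window extends while attempts continue; log those events if you want to spot a sustained brute force attempt.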
So, these are some common practices one should follow in order to immunize a website against brute force attacks. These actions are essential and very effective as well. Now that those methods are out of the way, I want to give you some practices that you may not have thought of before. These practices are very efficient and provide robust solutions to your website’s security issues. Before you start making changes in your functions.php file, please make sure that you create a child theme, so your changes survive theme updates.
11. REDUCE THE LIST OF PLUGINS
Now, you might think this is the same point we made earlier, but I want to clear up one thing here. Uninstalling useless plugins is an effective step; however, not installing useless plugins in the first place is the better move. So, strategize your plugin usage. Make a list of which kinds of plugin you might be using, then think about the long-term use of those plugins. Remember one important consideration: the number of plugins you use is directly proportional to the number of ways a hacker can gain access to your WordPress website.
12. NEVER FALL FOR A TRAP >> PREMIUM PLUGINS FOR FREE
I can understand that budget is one of the important constraints of a website. However, I also understand that a security breach matters even more than budget. What is the point of saving money at the cost of your website’s security? If there is a need for a premium plugin, never download it illegally. It is unethical, and in addition this action may lead to serious consequences. Even a premium plugin whose original code is clean can, when obtained from a “free download” link, have been altered to open a way for a hacker into your website’s back end.
13. APPLY AUTOMATIC CORE UPDATES
I have mentioned this point above, but I want you to know one important thing. Updating your WordPress installation is not a one-time event; it is a recurring process. Site maintenance should be one of your habits. Try to automate these updates. The same applies to all your plugins and themes, as they are also a part of your website. You should not leave any loopholes in the matter of security. Constantly update your themes and plugins.
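One way to automate the updates just described, as an added example (not code from the original post). It uses the WordPress WP_AUTO_UPDATE_CORE constant and the auto_update_theme / auto_update_plugin filters; the hold-back list of plugin slugs is an assumed placeholder for plugins you have not yet tested against the latest release.

```php
<?php
// Added example: automatic core, theme and plugin updates.
// The define() belongs in wp-config.php; the filters belong in a child
// theme's functions.php or a small must-use plugin.

// wp-config.php: install all core updates (major and minor), not only the
// minor security releases WordPress applies by default.
define('WP_AUTO_UPDATE_CORE', true);

// functions.php: update every theme automatically.
add_filter('auto_update_theme', '__return_true');

// functions.php: update plugins automatically, except for an explicit
// hold-back list, so a plugin known to break on a new release can be pinned
// while everything else still gets its security fixes.
add_filter('auto_update_plugin', function ($update, $item) {
    $hold_back = ['hypothetical-fragile-plugin']; // assumed placeholder slug(s)
    $slug = $item->slug ?? '';
    if (in_array($slug, $hold_back, true)) {
        return false;
    }
    return true;
}, 10, 2);
```

Automatic updates run from WP-Cron, so they only happen when the site receives traffic or a real cron job triggers wp-cron.php; pair this with the backups mentioned under point 1.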
14. ELIMINATE PHP ERROR REPORTING
Many of you are familiar with the term PHP error reporting; error reports are good for troubleshooting purposes. Ever noticed that these reports contain details of your server path? My point is that if a hacker wants to get into your website, he just needs to look at your error reports to find the server path. So, it is advised that you use this code snippet in your wp-config.php:

error_reporting(0);
@ini_set('display_errors', 0);
15. HIDE THE AUTHOR USERNAME
Leaving your WordPress author pages exposed is extremely dangerous. Everyone who uses WordPress knows how those default author URLs work, and so does Mr. Hacker. The main author is usually also the administrator of the website; hence, it is crucial to hide the author’s username. In order to hide it, you just need to put this code in your functions.php, which redirects every author archive request to the home page:

add_action('template_redirect', 'bwp_template_redirect');
function bwp_template_redirect() {
    if (is_author()) {
        wp_redirect(home_url());
        exit;
    }
}
Securing a WordPress site is not just about installing a number of security plugins. It should be a well-executed plan covering all the loopholes and limiting the number of ways to cause a security breach. Did I miss something? Let me know in the comments, and we can discuss a lot more possibilities to minimize the probability of a security breach on a WordPress website.
About the Author: Emily Johns is a WordPress Developer by profession and writer by hobby. She is associated with WordSuccor Ltd., helping business owners maintain their WordPress website security and protect it from malware attacks. She loves to share her knowledge on the web about WordPress development tips and tricks. If you are looking for a WordPress programmer for hire, get in touch with her. Follow her on Twitter. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.