I wanted to share some of the things we do for our clients’ websites in order to keep them more secure. We use WordPress a lot and, as you probably know, WordPress is constantly targeted by hackers all over the world as a way of taking control of your server for malicious purposes. Those hackers are well aware of the known security flaws in this popular content management system, and they know how to use them to their advantage.
The number one and most important tip is:
1. Keep up with the updates!
This is crucial! Not updating WordPress or a plugin when a new version has come out can leave you wide open to savvy and malicious hackers. Developers at WordPress.org are constantly working on patching security flaws, and you only benefit from that work if you keep up with those updates. The great thing about version 3.8 and later is that security updates are automatic: you don’t have to do anything or worry about it. But if you’re still running an earlier version of WordPress (earlier than 3.8), be careful. Keep themes and plugins updated at all times!
2. Use strong passwords.
One of the most common ways of hacking a WordPress website is by discovering someone’s username. Then, using an automated program, hackers try to log in with a variety of different passwords taken from a list of commonly used words. If you don’t have a strong password, it will easily be discovered by this method.
Password tip: Use a minimum of 8 characters, with a combination of uppercase and lowercase letters, numbers and signs.
3. Disable file editing for themes and plugins from within WordPress
If a hacker does get into your WordPress dashboard, usually by discovering your username and password, he or she will try to edit some of your theme or plugin files through the web-based file editor that comes built into WordPress, and add malicious code to them. The editor is found under the ‘Appearance’ menu. By removing the ability to edit theme and plugin files via the editor, you will be safe against this threat.
In order to disable the file editor, add this line to your wp-config.php file, in the root folder of your WordPress installation:
define( 'DISALLOW_FILE_EDIT', true );
4. Change the database prefix
This is another important security tip. By using a different database prefix than the most commonly used “wp_”, you can make it harder for a hacker to read your data. If there is a flaw in a plugin or theme that you are unaware of, using a different database prefix makes it a bit more difficult for hackers to read information from your database, such as usernames and passwords.
Remember to back up your database before you do this.
If you are a programmer, you probably know how to do this, but if you are not, check the Change DB Prefix plugin. It does it for you.
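For the programmers mentioned above, here is what the prefix change actually involves. The script below is an added example, not code from the original post or from the Change DB Prefix plugin: it emits the SQL statements for moving every table from one prefix to another and prints the matching wp-config.php line. It deliberately does not touch a database, so you can run it offline, read the output, and execute it yourself (after the backup) with the mysql client or phpMyAdmin. The table list is constructed sample data; on a real site you would feed it the output of SHOW TABLES. Note the part people forget: WordPress also stores the prefix inside rows (the wp_user_roles option and the wp_capabilities / wp_user_level user meta keys), and if those rows are not rewritten every account loses its role and is locked out of the dashboard.

```python
"""Emit the SQL for changing a WordPress table prefix.

Added example, not code from the original post.  Only prints statements;
nothing here connects to a database.
"""
import re

# wp-settings.php rejects any $table_prefix that is not letters, digits or underscores.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")

# Constructed sample: what SHOW TABLES might list on a small site with one plugin.
SAMPLE_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options", "wp_postmeta",
    "wp_posts", "wp_term_relationships", "wp_term_taxonomy", "wp_termmeta",
    "wp_terms", "wp_usermeta", "wp_users",
    "wp_some_plugin_log",   # plugin tables carry the prefix too and must move with it
    "wpstats_other_app",    # unrelated table: starts with 'wp' but not with 'wp_'
]


def validate_prefix(prefix: str) -> str:
    """Reject prefixes WordPress itself would refuse to load."""
    if not PREFIX_RE.match(prefix):
        raise ValueError(f"invalid table prefix: {prefix!r}")
    return prefix


def like_pattern(prefix: str) -> str:
    """Escape '_' so LIKE treats it literally ('wp_%' alone would also match 'wpX...')."""
    return prefix.replace("_", "\\_") + "%"


def prefix_change_sql(old: str, new: str, existing_tables) -> list:
    """Ordered statements that move every `old*` table to `new*`.

    The rows that embed the prefix are rewritten first, while the tables
    still carry their old names, then each table is renamed.
    """
    validate_prefix(old)
    validate_prefix(new)
    if old == new:
        raise ValueError("old and new prefix are identical")
    targets = [t for t in existing_tables if t.startswith(old)]
    if f"{old}options" not in targets or f"{old}usermeta" not in targets:
        raise ValueError("core tables not found under prefix " + old)

    cut = len(old) + 1  # SUBSTRING is 1-based: first character after the prefix
    stmts = [
        # Only the role-definition option embeds the prefix.  A blanket LIKE on
        # wp_options would also rename literal names such as wp_page_for_privacy_policy.
        f"UPDATE `{old}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';",
        # Core user meta keys that start with the prefix (capabilities, user_level,
        # user-settings, ...) are all derived from it, so they are rewritten together.
        f"UPDATE `{old}usermeta` SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {cut})) "
        f"WHERE meta_key LIKE '{like_pattern(old)}';",
    ]
    for table in targets:
        stmts.append(f"RENAME TABLE `{table}` TO `{new}{table[len(old):]}`;")
    return stmts


def wp_config_line(new: str) -> str:
    """The matching edit for wp-config.php, applied once the SQL has run."""
    return f"$table_prefix = '{validate_prefix(new)}';"


if __name__ == "__main__":
    for line in prefix_change_sql("wp_", "k7q_", SAMPLE_TABLES):
        print(line)
    print("-- then in wp-config.php:", wp_config_line("k7q_"))
```

Run the SQL and the wp-config.php change back to back; between the two steps the site cannot find its tables. If a plugin stores its own literal "wp_"-prefixed meta keys, check the usermeta UPDATE against a copy first, since the pattern match will rename those as well.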
5. Protect your wp-admin folder with an extra layer of security
By adding an extra authentication layer to your wp-admin folder, you’re protected in case someone discovers your username and password for the WordPress dashboard. We found this to be really helpful. It gave us peace of mind.
This second layer can be set up through your hosting provider. If you have a shared hosting account with GoDaddy or HostGator, follow this link for a guide on how to protect your wp-admin folder:
http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/
6. Security plugins
Some security plugins offer an extensive range of security features for your website, such as protection against brute force attacks (the automated attacks mentioned above), file change monitoring, activity logs and so on. One of those plugins is the Bulletproof Security Plugin. We haven’t tested it, but it has been downloaded over 1 million times and it has great reviews. Give it a try and let us know what you think.
If you’re interested, I recently wrote about our favorite WordPress plugins here.
UPDATE: We’ve been using the free versions of Wordfence and Sucuri Scanner together lately. They have great features to help protect your website.
Conclusion
There are many other things you can do to strengthen your WordPress installation. For instance, you could look into installing an SSL certificate on your website, or only allow wp-admin to be accessed from a specific IP address. A quick Google search will reveal a bunch of other security tips, but we found these tips to be of great help to us and our customers. By following the information in this post, you will be well on your way when it comes to protecting your website.
Your turn:
What do you do to protect your website?
I am trying to implement SSL on my personal website. Is it worth having one while I do not do any online transactions on my personal website? What can you suggest? It is very expensive, like 150 USD for the instant SSL alone.
Hi Neil,
I think it is a good idea to implement SSL on your website even if you’re not handling transactions. My reasoning is that SSL has been known to improve SEO too. You can find cheaper certificates here: http://www.namecheap.com/?aff=73497
Thanks for this, Felipe. I got my domains at Namecheap as well. We’ll probably check on that.
Cheers