Securing Your WordPress Site: 10 Tips to Keep Your Site Safe
When building a WordPress site, one of the most important things you can do is ensure that it’s secure. While you can never get site security up to 100%, you can certainly aim for 99%. By enacting measures that account for every access point of your site and its vulnerabilities, you can accomplish this goal. Some of you may already think your site is pretty secure, but why not take a couple of minutes and run through this list of things to look for with regard to WordPress site security? You’ll walk away with an action plan or feel more confident about your existing measures.
Here are 10 things you should look for or pay attention to in order to ensure your site is as secure as it can be:
1. Limit Dashboard Accessibility
When someone has access to your WordPress dashboard, they can add new posts and pages, upload files, and change your settings. An inexperienced person could make a mistake without realizing it, or the intent could be more malicious. Regardless, you should only give access to your dashboard to those whom you trust.
You can whitelist your IP address to restrict anyone not at your IP from accessing your dashboard, which can greatly reduce hacking attempts. Of course, you’d need to always access your site’s admin from the same IP.
To do this, add a new .htaccess file to your wp-admin folder then add this code:
order deny,allowallow from YOUR IP ADDRESSdeny from all
If you want to protect your theme and plugins from editing by unauthorized users, you can add this code to your wp-config.php file:
define( ‘DISALLOW_FILE_EDIT’, true );
2. Block Directory Browsing
Websites are set up so that files are contained within folders on a server. Typically, someone can browse the contents of each folder or directory, which could leave you open to malicious hacking attempts. You can make it so the contents of certain folders aren’t viewable to the public at large, however. This is an obscurity tactic and though it won’t make your site 100% safe, it gives hackers less info to work with, and less info is what you want.
To block directory browsing, open up your .htaccess file again and insert the following code at the very bottom:
Options -Indexes
That’s all there is to it!
3. Remove WordPress Version Information
WordPress themes used to automatically output the WordPress version number you’re using in the
tag of the site. However, WordPress itself now inserts this information, and while it’s useful for WordPress to know when analyzing who is using what, leaving this information so it’s available to anyone who takes a peek at your code is a security hazard.Why? Because giving a hacker the version number outright makes their job easier. And you don’t want to make a hacker’s job easier! Instead, just insert this code into the functions.php file for your theme:
function remove_wp_version() {return ”;}add_filter( ‘the_generator’, ‘remove_wp_version’ );
This will remove the version number and add another layer of security to your site.
4. Evaluate Your Username and Password
Choosing a difficult username and password is important for your site’s overall security. First of all, never use “admin” as your username. Since it’s the most popular username for WordPress, leaving this the same is like giving hackers half of your data.
Second, use a series of numbers, letters, and symbols for your password. Basically, make it impossible for a human to guess and extremely difficult for a machine to crack.
5. Perform Regular Site Backups
Backups can be completely automated these days and are actually a wise solution because they can be scheduled in advance. That way, you’ll never forget to backup your site again. The WordPress Codex has detailed instructions, or you can use a plugin-based solution (Backup Buddy and VaultPress are two options we’ve used before here at WPExplorer).
6. Keep Your Site Up-to-Date
Always make sure your site is running the latest version for optimum security.
7. Pick Secure Themes
It’s important to select themes that have a good reputation. Those made by less than reputable developers or that don’t have the cleanest code could open up your site to security vulnerabilities once installed. Read reviews of themes before you install them and if you’re purchasing a premium theme, always purchase one from a well-known site.
8. Pick Secure Plugins
Though the advice is likely doubly true for plugins since they can sometimes contain malware or malicious code. Don’t download a plugin from a developer you don’t recognize and always install updates when they become available to maintain site security.
9. Protect Your Files
One of the most important files on your entire WordPress site is the wp-config.php file. It stores a ton of data about your site, including details about your database and the settings for the site as a whole. A hacker with the right knowledge-base could change everything about your site just with this file’s info. So, as you can imagine, it’s important to protect it.
Thankfully, you can with a relatively simple fix. All you need to do is add the following code snippet to your .htaccess file just below where it says # END WordPress:
10. Pick the Right Hosting Provider
A lot of your site’s security comes down to the WordPress hosting provider you choose. While I can’t tell you which host is best — there are way too many variables to consider to discuss in this article — I can tell you that reading reviews is imperative to making a wise decision. Be sure to evaluate a host’s security, backup solutions, and server type before coming to a final choice.
Remember: the host you select will play a direct role in how quickly your site loads, its uptime, and how secure your public and private data are. It’s not a decision to be taken lightly.
This list is by no means complete, but it should definitely give you a well-rounded place to start in terms of identifying potential security holes and enacting solutions to protect your site from hackers. You could also check out and follow along with this WordPress Security Guide for more easy tips to secure your WordPress site. It should also have the benefit of giving you a little bit more peace of mind. After all, it’s typical to invest hundreds of hours in the development and implementation of a website. Protecting it is imperative.
What measures do you take to protect your site? Do you prefer taking a manual approach or using plugin-based solutions? Let us know in the comments!
