
WordPress is a commonly used CMS for building websites and blogs. It is a secure platform and offers plenty of free and premium themes for building a website or blog easily. Keeping your WordPress installation, plugins and themes up to date and using a strong password covers most of the security risk.
Because WordPress is so popular, it is a regular target for brute-force and spam-bot attacks and for automated exploitation of security vulnerabilities. Compromised WordPress installations are commonly used to launch DDoS attacks on other sites or to send large amounts of spam email, which gets the server's IP address blacklisted. These attacks are automated and target installations that use default usernames, weak passwords, or outdated plugins, themes and core versions with known security vulnerabilities.
Most website owners are unaware that their website or blog has been compromised until it is too late: they start losing traffic, Google blacklists the site and their search engine rankings drop.
Implementing these ten straightforward security measures will harden your WordPress blog or website against hacking attempts.
1. Make a new user account
First create a new user account that is different from the default 'admin' account, then delete the default 'admin' account. The default account name is commonly targeted by bots and attackers trying to gain access to your WordPress installation, so don't use common usernames such as 'admin' when creating the new user. You can easily set up a new account by navigating to "Users" and then "Add New" from your WordPress dashboard menu.
2. Always use secure & strong passwords
Never use easily guessed or simple passwords such as your name or date of birth. They may be easy to remember, but they are just as easy for attackers to crack. Always choose a strong password of eight or more characters that mixes numbers, special characters, and uppercase and lowercase letters. You can use an online password generator such as Norton's Identity Safe password generator.
3. Change your author nick name
Don't use your username as the author name, because the author name is displayed on every blog post. Change your WordPress account's author name to something other than your username from your WordPress dashboard menu under "Users" and then "Your Profile" by editing the 'Nickname' field. After you have chosen a new nickname, select it under "Display name publicly as". This hides the login name from bylines, but note that the author archive URL is still built from the account's slug, which WordPress derives from the username by default, so treat this as a complement to a strong password rather than a substitute for one.
4. Install a security plugin
There are several widely popular WordPress security plugins that can protect your WordPress blog or website by scanning for malicious code and blocking hacking attempts. The two most popular plugins that are regularly updated and maintained are Wordfence Security and iThemes Security. Both of these plugins do plenty to increase the security of your WordPress site, such as brute-force protection, strong password requirements, security and malware scans, and blocking of bad bot traffic. You can also enable two-step authentication using Google with these plugins.
5. Block all IP addresses except your own from logging into wp-admin
Another great way to increase security for your blog is to allow wp-admin access only from your whitelisted IP addresses. You can do this by adding the following code to the .htaccess file in your wp-admin directory through the cPanel file manager or FTP.
order deny,allow
deny from all
# whitelist home IP address
allow from 22.33.44.55
# whitelist work IP address
allow from 22.33.44.55
# whitelist holiday IP address
allow from 22.33.44.55
Add this code to your .htaccess file and make sure to replace '22.33.44.55' with your own IP addresses (search "what is my IP" in Google to determine your current IP address). You can add more IPs to the .htaccess file if your IP changes fairly often or if you move around a lot. This is not suitable if you have a dynamic IP that is constantly changing or if you travel a lot and use the internet from different locations. Any time someone tries to access the wp-admin directory from a non-whitelisted IP, they will be presented with a Forbidden page, so if you do this, update the whitelisted IP each time your IP changes before accessing your wp-admin dashboard. Two caveats: the Order/Deny/Allow syntax shown is for Apache 2.2 (Apache 2.4 uses the Require directive instead), and the rule also blocks wp-admin/admin-ajax.php, which some plugins and themes call from the public side of the site, so test the front end after adding it.
6. Change the URLs for WordPress dashboard areas including login, admin
Using the iThemes Security plugin mentioned above, you can also change the URLs of your WordPress dashboard areas, including wp-login and wp-admin. This means that if an attack bot stumbles upon your website and attempts to log in to your WP dashboard, it will not be able to find your login page.
7. Don’t allow guest user registrations
If your WordPress blog or website is not membership based, there is no reason to allow visitors to register a guest account on your site. To disable guest registrations, navigate to “Settings” and uncheck the “Anyone can register” option.
8. Disable ‘pingback’ option in WordPress
WordPress websites or blogs that have the pingback option enabled are commonly targeted for DDoS attacks. This option is enabled by default in WordPress, so you must disable it manually by navigating to "Settings" then "Discussion" and, under "Default article settings", unchecking "Allow link notifications from other blogs (pingbacks and trackbacks)". Note that this checkbox only sets the default for new posts: posts published earlier keep their existing pingback setting unless you edit them, and the XML-RPC endpoint (xmlrpc.php) that receives pingbacks stays enabled.
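As an added example (not part of the original post), the following must-use plugin turns pingbacks off in code rather than relying only on the Discussion checkbox, covering existing posts and the XML-RPC method as well. The file name and plugin header are assumptions; the hooks are standard WordPress filters and actions.

```php
<?php
/**
 * Plugin Name: Disable Pingbacks (hypothetical example)
 * Description: Turns off incoming and outgoing pingbacks at the code level.
 * Save as wp-content/mu-plugins/disable-pingbacks.php (create the directory
 * if it does not exist); mu-plugins load automatically and cannot be
 * deactivated from the dashboard.
 */

// 1. Remove the pingback methods from XML-RPC so xmlrpc.php no longer
//    accepts pingback requests at all. Other XML-RPC methods keep working.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop advertising the XML-RPC endpoint: drop the X-Pingback response
//    header and the RSD <link> tag that WordPress adds to every page head.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 3. Report pings as closed for every post, including posts published
//    before the Discussion setting was changed.
add_filter( 'pings_open', '__return_false', 10, 2 );

// 4. Do not send pingbacks to other sites from this one either
//    (overrides the "Attempt to notify any blogs linked to" setting).
add_filter( 'pre_option_default_pingback_flag', '__return_zero' );
```

After installing, a request to xmlrpc.php for pingback.ping returns the XML-RPC "server error. requested method pingback.ping does not exist" fault, which you can use to confirm the change took effect.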
9. Monitor your Google Webmaster Tools
Google Webmaster Tools is a valuable asset when it comes to monitoring your website's security. The "Security Issues" section of your Webmaster Tools account notifies you if Google detects malware or any other security problems with your site. Keeping an eye on Google Webmaster Tools lets you catch blacklisting issues early, before your search engine rankings plummet.
10. Regularly update your WordPress, plugins and themes
Always keep your WordPress installation, themes and plugins up to date with the latest version. The number one cause of compromised WordPress websites is an outdated core installation, plugin or theme with a security vulnerability that was never patched by an update. Developers release updates for plugins, themes and WordPress core precisely when security vulnerabilities are discovered through security audits or other means. WordPress has made it incredibly easy to update your installation, plugins and themes with a single click from your WP dashboard. When a new update is available, you will see a notification in your WordPress dashboard such as "WordPress X is available! Please update now". There is no excuse for not updating your WordPress installation; you can also enable automatic background updates.
If you are not upgrading your WordPress installation because one of your plugins might break because it is not compatible with the latest release of WordPress, switch to an alternative plugin that is actively developed, updated and supported by its developers.
We do not recommend installing plugins or themes from unknown sources or third parties other than the official WordPress plugin directory and the official websites of premium WordPress theme vendors. Always check recent reviews of any plugin or theme you are installing, and make sure it has recent updates, is actively developed and has a high number of downloads.
BONUS TIP!! Backups, backups and BACKUPS!
Downloading regular backups of your content and database is very important! Any upgrade, security vulnerability or hacking attempt on your WordPress website could leave your site broken or its data lost. Although our shared and reseller hosting servers are regularly backed up, you are ultimately responsible for maintaining your own regular backups as well.
Each WordPress website consists of two parts:
1. Database: this is where all your settings, pages, posts and comments are stored.
2. Files: this is where all your media, attachments, themes and plugins are stored.
We always recommend downloading a full backup of the entire account from cPanel, which includes your database and files. In case of a catastrophic event, we can restore the backup to revert your website to the way it was.
You can also install a backup plugin on WordPress to create automated backups of your files and databases and email them to you or upload them to a third-party service such as Dropbox or Amazon S3. There are plenty of choices when it comes to backup plugins; two popular ones are BackWPup and Dropbox Backup & Restore. Activate one of these plugins to create automated, scheduled weekly backups of your installation and either upload them to your backup storage or have them emailed to your address.
Implementing these simple security steps will make your WordPress blog or website much safer and much harder for attackers to compromise.