WordPress is a secure platform. However, its security is still a big concern for us. We can do a lot to improve security even when we are low-tech. In this post, we would like to introduce some suggestions on how to improve the security of your WordPress website.
- Don’t use admin as a username
This is a very easy step, but you should care about it as a WordPress user. Keep this issue in mind to avoid attacks, because most attacks target your wp-admin. Of course, an attacker can still enumerate user IDs and names. We cannot eliminate all risk; we can only reduce it to a minimum.
You can create a new user in WordPress easily. Go to User >> New User, create a user with administrator rights, and after that remove the admin user. You don’t need to worry about the pages and posts created by the admin user, because WordPress will ask you whether to delete all of that content or assign it to another user.
- Use a less common password
You should avoid using a common password, or the same password for many different types of account. A complex, long and unique password plays a strong role in security because it makes the attacker’s job harder. You can look at useful tools such as https://1password.com/ or https://www.lastpass.com/, as each of them has a password generator. You just type in the length and the password is generated. You save the link and the password and move on with your day. You can decide the length of the password depending on how secure you want it to be. Remember to avoid using popular characters such as * or #.
- Add Two-Factor Authentication
Brute force attacks are still a problem even when you are not using admin as a username and are using a strong password. In this case, two-factor authentication is one of the keys to reducing these attacks. It’s a bit complicated, but for now it’s your Fort Knox. Its name implies its essence: two forms of authentication. It helps enhance security at your access points. You may be hearing about it for the first time, but in fact you are probably already using it for Gmail, PayPal and other services.
- Hide wp-config.php and .htaccess
This step is really simple, especially when you are editing your .htaccess using Yoast SEO for WordPress.
For better WordPress security, you need to add this to your .htaccess file to protect wp-config.php:
<Files wp-config.php>
# Apache 2.2 directives; on Apache 2.4 they need mod_access_compat, or use "Require all denied" instead
order allow,deny
deny from all
</Files>
This prevents the file from being requested over the web. You can use the same code for your .htaccess file itself, by the way:
<Files .htaccess>
order allow,deny
deny from all
</Files>
- Use WordPress security keys for authentication
Authentication keys and salts work together to protect passwords and cookies in transit between the browser and the web server. These keys are stored as a set of different random values in wp-config.php. You can change them easily by getting a new set of keys and adding them to that file. Each time the generator page is refreshed you get a fresh set. You can get a new set of keys here: https://api.wordpress.org/secret-key/1.1/salt/
- Disable file editing
If your site is hacked, the easiest way for an attacker to change your files is via Appearance >> Editor in WordPress. To lift your WordPress security, disable writing to these files via that editor: open wp-config.php and add this code:
// Disable the theme and plugin file editor in the WordPress dashboard
define('DISALLOW_FILE_EDIT', true);
Your templates can still be edited via your favorite FTP application (just not via WordPress).
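The two wp-config.php points above (fresh salts and DISALLOW_FILE_EDIT) can be checked with a short audit script. This is an added example, not code from the original post or from WordPress; the constant names and the "put your unique phrase here" placeholder are WordPress's own, while the 32-character minimum and the sample config are assumptions constructed for the demonstration.

```python
import re
# The eight key/salt constants WordPress expects in wp-config.php (names from wp-config-sample.php)
WP_SALT_CONSTANTS = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
DEFAULT_PLACEHOLDER = "put your unique phrase here"  # WordPress's own sample value
MIN_SALT_LENGTH = 32  # assumed threshold; the api.wordpress.org generator emits 64 characters
# Matches define('NAME', 'quoted value'); or define('NAME', bare_value);
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(\w+)\1\s*,\s*(?:(['"])(.*?)\3|([^)\s]+))\s*\)\s*;"""
)

def parse_defines(config_text):
    """Return {NAME: value} for every define() call in the wp-config.php text."""
    defines = {}
    for m in DEFINE_RE.finditer(config_text):
        defines[m.group(2)] = m.group(4) if m.group(4) is not None else m.group(5)
    return defines

def audit_wp_config(config_text):
    """Return a list of findings; an empty list means both hardening points are in place."""
    defines = parse_defines(config_text)
    findings = []
    for name in WP_SALT_CONSTANTS:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name}: missing")
        elif value == DEFAULT_PLACEHOLDER:
            findings.append(f"{name}: still the default placeholder")
        elif len(value) < MIN_SALT_LENGTH:
            findings.append(f"{name}: only {len(value)} characters")
    # The editor is only disabled when the constant is present and true
    if defines.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT: not set to true")
    return findings

# Constructed sample wp-config.php fragment for demonstration, not a real site's file
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'Q3v!k9#pL2$zR7&mN5*bX8^wT1(cY4)dH6');
define('LOGGED_IN_KEY',    'short');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('WP_DEBUG', false);
"""
```

Run `audit_wp_config(open("wp-config.php").read())` against your own file; every line it prints is one of the two fixes above still to be applied.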
- Limit login attempts
Your login form is a common target of attacks such as brute force. You can use the All In One WP Security & Firewall plugin to change the default login URL. After that, the number of login attempts from a given IP address can be limited. There are several WP plugins that can help you protect your login form. Try them yourself to find out which one works best for you.