How to Secure Your WordPress Site ?

Though the WordPress platform is secure enough, it is vulnerable to attacks. The popularity of the platform makes it a favourite target for the hackers. You need to take precautions to make it more secure. Securing the platform is named Hardening. Though those steps do not ensure 100% safety, you can stay protected.

Here are a few tips to make your platform more secure -

1. Update your plug-ins
Keep your core files of WordPress and the plug-ins updated. These updates contain security patches.
In fact, it would be more advisable to restrict the usage of plug ins. Use them only when absolutely necessary.

2. Restrict access to admin area
Provide access to your admin area only to people you trust. More so, give access to only those who are actually needed. Limit the incorrect login attempts.

3. Do not use "admin" password
Name your admin username differently than the usual. Most of the hackers assume that you are using "admin" username. By changing it to some other name, you block majority of hacking attempts.

4. Use stronger passwords
Use a stronger password. Do not use easily guessable ones. Using longer sentences makes it better to secure you from hacking attempts.

5. Keep track of Your dashboard activity
If you have a huge number of members on your dashboard, make it a habit to keep track of what they are doing. Your members may not be doing something wrong to hack your site, but a wrong step by any one of them - even though not deliberate - can make your site vulnerable.

6. Keep your computer clean
An infected system can result in making your WordPress installation prone to hacking attacks. Protect your computer from viruses and malware. Invest in a good anti virus and anti malware solution.

WordPress is constantly updated software and every six months or so, it requires to be checked for security issues. With PHP 7 being launched shortly, you have to revise the WordPress security on regular basis.

Here are some of the common security issues and process to patch those issues.

File Permissions - If you are on Linux server then it helps to change the file permission to 655. Very few php files from the WordPress require you to keep 755 permission set on the file by default. In case of Windows, you have a different method to set the permissions over your directories and files.

Upgrade PHP Environment Do note that for this to work you have to contact your host. You have to make sure that your wordpress is hosted on PHP environment that is securely supported by WordPress team. Some versions may likely to have security issues. And for this reason it helps to ask your host to move PHP installation to WordPress supported version.

Change WP-Admin Dashboard URL : It helps to keep the attackers away from your dashboard for any brute force attacks. You can simply rename the WordPress dashboard URL using a plugin.

You can check the procedure on how to do that in this video: https://www.youtube.com/watch?v=7NmapUVm1fo

Limit login attempts You can add captcha or the IP address login attempt count. This way you can restrict the brute force attacks on your WordPress dashboard. It will also keep some of the bots and the hackers away as they perform multiple attempts to guess the password. Do note that if you fail to login yourself then you have to disable the plugin by changing directory name by going through Cpanel or file manager.

Protect WP-Config This file holds the information about your database access including password. So you have to keep this file outside the root directory once you are finished with installation. WordPress will try to find this file on it's own if kept inside any other directory within root directory.

Sucuri is one of the most trusted firewall and anti malware plugin written for the WordPress platform. It is however paid plugin and is suitable only if you are using the blog or website for some small business. Otherwise you have to use the free available plugins for security purpose. There are different types of antivirus and sitescan plugins available for you to use on WordPress.

Protect .htaccess If hacker gains access to this file, he can make it harder for your website to be displayed. So this file is very important and needs to be protected. Make sure the file permission set for this file is 644 or even higher security. Make sure the file is only editable by the owner or the person who has admin access.

Limit Root Access Be it Linux server or Windows server, you have to limit the root access to your control panel or the server account. You have to only allow limited users to access the control panel. This helps protect your website from the bots and hackers from modifying your website if any access leak is compromised.

Trusted Plugins and Themes There are plenty of free or hacked WordPress themes are out there. Many people choose hacked themes and plugins because they don't want to pay for stuff. And such plugins lead to the hack script inside your website. If these themes and plugins run on your wordpress it can compromise and affect your website. So only download the free themes from official wordpress website. Be careful with plugins that require write access on your server disk. Only enable the CDN and the cache plugins to access your server HDD. And never download the hacked themes and plugins, instead save some money and buy themes or plugins.

Strong Passwords WordPress installer scripts doesn't create "admin" accounts anymore. So only thing you are supposed to do here is create better username and get stronger password. So if you do these two things then you can easily protect your WordPress installation. I'd say use the Lastpass password generator online or use WordPress account settings itself to create stronger password.

Remove WordPress Version Meta Some themes call for WordPress version meta which shows the version you are running on server. This is security risk because if any hacker script found out the version then you'll be facing some brute force attacks on dashboard. So if any theme is using that query, you can go ahead and edit it from the header.php file.

Restrict Read Only access to Folders Some folders such as WP-Includes can be set to read only mode. This can be done using the file manager permissions or .htaccess. Depending on the type of server you use the method to restrict folders and files will be different.

SQL Injection If you have set simple passwords for the database access then SQL injection is a possibility. You can avoid this by setting strong password to your MySQL or PostgresSQL admin dashboard. Also if you are on SQL Express then you can also set different root password as well.

Backup You can use the plugins that backup the WordPress blog to Google Drive or Dropbox at the end of every month. This helps backing up your website in case if any attack succeeds in breaking your website backend. Use Google drive or dropbox or onedrive for backing up the content.

Note: With launch of PHP 7 you'd likely to find some new issues around the corner. I am guessing within next 8-12 months PHP 7 will be adapted on most of the CMS such as WordPress. So make sure you keep tab on WordPress official website to learn more about these security issues.

WordPress site are vulnerable to hacking and hackers try their hand on some of the websites, so security of your site is important and these are the required things you need to do to secure your WordPress site.

Download the plugin Wp DB manager and by this change your default login URL. Usually the login for your WordPress site will be www.xyz.com/wp-admin, so this will be predictable. Instead, change it to some other.

Using Jetpack modules limit your login attempts and also protect by locking the IP after failing in some attempts. The firewall also rescue's the site when a huge attack is undergone. All these features are available in jetpack plugin.

Don't use third part plugins or null themes and also backup your word press database. In any case, your website is hacked delete the core files and directory in c panel and using backup restore it to other root folder and tighten your security and use strong passwords.