Seven WordPress Security Tips
By Charis Mitsakis
Most WordPress users think that the chance of getting attacked by a hacker is
slim to none. The truth is that it happens more often than you think and unfortunately
most people are not aware of that danger.
Have you noticed sometimes when searching on Google that some results are
labeled "This site may harm your computer"? Those are websites that have been hacked
and therefore blacklisted by Google. Needless to say, most users will freak out and
might never visit your site again. Even if you manage to recover your site from such
an attack, this would definitely give a bad reputation to your business.
I compiled a list of tips that can greatly improve the security of your WordPress
website. Please note that the following tips apply to all versions of WordPress.
1. Use Strong Passwords
It may seem obvious but you would be amazed by how many users ignore this.
No matter how much you work securing your website, a weak password can ruin
everything. Your whole website's security is dependent on that password. Do not
even bother reading the rest of this article if your password is not strong enough.
Here are three tips when selecting your password:
• Use something as random as possible (no single words, birthdays, or personal information)
• Use at least eight characters. The longer the password the harder it is to guess
• Use a mix of upper and lower-case letters and numbers. Passwords are case-sensitive, so use that to your advantage.
2. Keep WordPress Always Updated
It goes without saying that you always have to update your WordPress installation.
If a vulnerability is discovered the WordPress development team will fix it by releasing
a new version. The problem is that now the vulnerability is known to everyone so old
versions of WordPress are now more vulnerable to attacks.
In order to avoid becoming a target of such an attack it is a good idea to hide your
WordPress version number. This number is revealed in page's meta data and in the
readme.html file of your WordPress installation directory. In order to hide this number
you have to delete the readme.html file and remove the version number for the header
by adding the following line to your functions.php file of your theme folder.
<?php remove_action('wp_head', 'wp_generator');?>
3. Beware of Malicious Themes or Plugins
Some themes and plugins contain buggy or even malicious code. Most of the time
malicious code is hidden using encryption so it's not easily detectable. That's why you
should only download them from trusted sources. Never install pirated/nulled themes/plugins
and avoid the free ones unless they are downloaded from the official WordPress
themes/plugins repository.
Malicious themes/plugins can add hidden backlinks on your site, steal login information
and compromise your websites security in general.
4. Disable File Editing
WordPress gives administrators the right to edit theme and plugin files. This feature
can be very useful for quick edits but it can also be useful to a hacker who manages to login
to the administration dashboard. The attacker can use this feature to edit PHP files and
execute malicious code. To disable this feature add the following line in the wp-config.php file.
define('DISALLOW_FILE_EDIT', true);
5. Secure wp-config.php
wp-config.php contains some important configuration setting and most importantly
contains your database username and password. So it is crucial for the security of your
WordPress website that nobody will have access to the contents of that file.
Under normal circumstances the content of that file are not accessible to the public.
But it is a good idea to add an extra layer of protection by using.htaccess rules to deny
HTTP requests to it. Just add this to the .htaccess file on your website root:
<files wp-config.php>
order allow,deny
deny from all
</files>
|