9 WordPress Security Tips To Protect Your Website From Harm

Posted in Plugins, WordPress • 12 Comments

WordPress is the most popular Content Management System in the world, used by more than 60 million people around the globe, and it powers more than half of all blogs. It is used by huge companies and organisations such as TechCrunch, NBC, CNN, CBS and the National Football League in the US. There are more than 2.5 billion WordPress pages in the world, read by more than 300 million people daily, while around 500,000 new posts and 400,000 comments are published each day.

These numbers show how important and widely used WordPress is, and it shows no sign of slowing down, so expect them to grow further. That popularity is also why we need to learn to protect ourselves: no widely used web technology escapes the attention of attackers and the automated bots they run, and a single exploitable weakness in WordPress is worth finding because it can be tried against millions of sites.

Today I will talk about tips, tricks and plugins to keep your WordPress blog safe from attackers and bots. You don't have to do all of them, but applying as many as you can is recommended.

1. Always Update

Keeping WordPress up to date is the single most effective item on this list. Most releases fix security issues, and because the fixes are public, attackers know exactly what to try against a site that lags behind. Updating takes only a few seconds through the dashboard and keeps your blog compatible with current plugins and themes. One correction to a common belief: the updater does not back up your database or files before it runs, so take a backup first (see tip 6) and then update. Update your themes and plugins too, since an outdated plugin is at least as common an entry point as an outdated core. If you update manually, download the package only from WordPress.org, never from another site.

2. Strengthen your password

Now this shouldn't be something new to you. If you've been on the internet for some time you know strong passwords are recommended. What makes a password strong is length and unpredictability, not just a mix of character classes: a long passphrase of several random words beats a short string of symbols, and small and capital letters, numbers and symbols on top of that slow a brute-force attack down further. Use a password that is unique to your blog (a password manager makes this painless) and never reuse the one from your e-mail or your hosting account. Once somebody has full access to your blog, it's not yours anymore!

3. Keep an eye on file permission

It is a good idea to keep an eye on file permissions. The WordPress.org guide linked at the end of the article explains what they mean and how they should be set; the usual starting point is 755 for directories and 644 for files, with wp-config.php tightened so that only the owner (and, if the web server runs as a different user, its group) can read it. Nothing under your site should be world-writable, because on a shared host that lets any other process plant files in your site. You can set permissions with an FTP client, and FileZilla (right-click a file, then File permissions) works just fine, so I recommend it; on a shell, chmod and find do the same job for a whole tree.
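As an added example (my own script, not code from the article or from WordPress.org), here is a small audit that reports every file or directory in a WordPress tree that departs from the 755/644 baseline, anything that is world-writable, and a wp-config.php that is readable by everyone, plus a companion function that applies the baseline. It assumes GNU find (for -printf) and that you review the audit output before running the fix; the 600 on wp-config.php is an assumption that suits sites where PHP runs as the file owner, and sites where the web server is a different user need 640 plus the server's group instead.

```sh
#!/bin/sh
# Added example, not from the original article: audit a WordPress install
# against the permissions recommended in WordPress.org's "Hardening WordPress"
# page (directories 755, files 644, wp-config.php not world-readable).
# Assumes GNU find. Usage: wp_perm_audit /var/www/html
# Output: one "TAG mode path" line per finding, nothing when the tree is clean.
wp_perm_audit() {
  root=$1
  # Directories that are not 755
  find "$root" -type d ! -perm 755 -printf 'DIR_NOT_755 %m %p\n'
  # Regular files other than wp-config.php that are not 644
  find "$root" -type f ! -name wp-config.php ! -perm 644 -printf 'FILE_NOT_644 %m %p\n'
  # Anything writable by "other": any local user or process can modify it
  find "$root" -perm -002 -printf 'WORLD_WRITABLE %m %p\n'
  # wp-config.php holds DB credentials and salts; "other" must not read it
  find "$root" -maxdepth 1 -type f -name wp-config.php -perm -004 \
    -printf 'CONFIG_WORLD_READABLE %m %p\n'
}

# Apply the baseline. Run only after reading the audit output; the 600 on
# wp-config.php assumes PHP runs as the file owner (use 640 plus the web
# server's group otherwise).
wp_perm_fix() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then chmod 600 "$root/wp-config.php"; fi
}
```

Run the audit first and read it: a world-writable uploads directory is the classic finding on shared hosting, and it is exactly where a dropped PHP shell ends up.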

4. Use .htaccess

The .htaccess file lives in your site's root folder; most hosts create one, and WordPress writes one itself when you enable pretty permalinks. The Apache web server reads it on every request, so you can use it to block specific IP addresses or ranges, password-protect wp-admin or deny access to sensitive files; the links at the bottom of the article show how. Two caveats: it only works on Apache (nginx ignores it) and only if the host allows overrides, and a single syntax error in it takes the whole site down with a 500 error, so check the site right after saving a change.
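The following is an added example of my own, not code from the article or from the linked htaccesstools guide: a shell function that validates a list of IPv4 addresses or CIDR ranges and emits .htaccess rules that deny them, in both the Apache 2.2 dialect (mod_authz_host, `Order`/`Deny from`) and the Apache 2.4 dialect (mod_authz_core, `Require not ip`), each wrapped in an IfModule guard so the same file works on either version. The address validation is there because the list typically comes from a log or a script, and a stray character in it is the syntax error that takes the site down.

```sh
#!/bin/sh
# Added example, not the article's own code: generate .htaccess IP-blocking
# rules that work on Apache 2.2 and 2.4. Assumes Apache with AllowOverride
# enabled for the directory. Usage: htaccess_block_ips 203.0.113.5 198.51.100.0/24 > .htaccess

# Accept a.b.c.d or a.b.c.d/n with octets 0-255 and n 0-32; reject anything else
is_ipv4_or_cidr() {
  case $1 in *[!0-9./]*) return 1 ;; esac
  ip=${1%%/*}
  prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32          # no "/n" given
  [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o; do
    [ -n "$o" ] && [ "$o" -ge 0 ] && [ "$o" -le 255 ] || return 1
  done
  return 0
}

htaccess_block_ips() {
  for ip; do
    is_ipv4_or_cidr "$ip" || { echo "invalid address: $ip" >&2; return 1; }
  done
  echo "# Apache 2.4+ (mod_authz_core): allow everyone except the listed addresses"
  echo "<IfModule mod_authz_core.c>"
  echo "  <RequireAll>"
  echo "    Require all granted"
  for ip; do echo "    Require not ip $ip"; done
  echo "  </RequireAll>"
  echo "</IfModule>"
  echo "# Apache 2.2 (mod_authz_host): Deny directives are evaluated last with allow,deny"
  echo "<IfModule !mod_authz_core.c>"
  echo "  Order allow,deny"
  echo "  Allow from all"
  for ip; do echo "  Deny from $ip"; done
  echo "</IfModule>"
}
```

Blocking by IP is a stopgap against one noisy source, not a defence: the next bot comes from a different address, and a range that is too wide locks out real readers.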

5. Use SSL Encryption

SSL (today TLS) encrypts the traffic between the browser and your server, so nobody on the network path (a shared Wi-Fi, a compromised router, your ISP) can read or tamper with what you send, including your login credentials and the cookie WordPress sets after login, which is just as good as the password to anyone who captures it. Intercepting the bytes is still possible; reading them is not. The catch is that you need a certificate installed on your web server, and that is the host's job, not WordPress's: commercial certificates cost money, though most hosts help you set them up, and free ones are now available through Let's Encrypt. Only once HTTPS already works on your domain should you tell WordPress to force it for the login page and the whole administration area, with this line in wp-config.php, above the "That's all, stop editing!" comment:

define('FORCE_SSL_ADMIN', true);

Use straight single quotes; the typographic quotes that some editors insert break the PHP file. Setting this before the certificate works locks you out of wp-admin, so check it afterwards by requesting http://yourblog/wp-admin/ and confirming that you are redirected to https://. Note that this protects the admin side only; your readers' traffic to the public pages stays unencrypted until you move the whole site to HTTPS.

6. Always Back-up

Backing up at least once a week is something I would recommend as well, because no matter how well you protect the blog, anything can happen. Some things are out of your hands entirely (the host's servers being compromised doesn't happen often, but it is a possibility), and it is good to have a backup that you can restore right away. Store it somewhere other than the server itself, since a backup that sits next to the site disappears together with it, and try restoring it once so you know it actually works.

7. Protect the wp-config.php

This is one of the most important files in your WordPress folder, because it holds your database credentials and the secret keys that sign login cookies, so you really have to protect it. PHP normally executes the file rather than serving its source, but a broken or misconfigured PHP handler would hand it out as plain text, so deny web access to it by inserting a few lines into your .htaccess file. The first part is the Apache 2.4 syntax, the second the Apache 2.2 syntax; the IfModule guards make the same file work on either version:

<Files wp-config.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
order allow,deny
deny from all
</IfModule>
</Files>

This keeps wp-config.php from ever being served to a browser. It does not make the file harder to find (it is always at the same path); it makes the request fail with 403 instead. Write order allow,deny without a space after the comma, otherwise Apache rejects the directive and the whole site answers with a 500 error. Two more things: WordPress also looks for wp-config.php one directory above the web root, so moving it outside the document root takes it out of the web server's reach altogether, and the rule matches only that exact file name, so check for stray copies such as editor backups (wp-config.php~, wp-config.php.bak, wp-config.php.txt) that would still be served.

8. Never use “admin” as login

A common mistake is to keep "admin" as the login username: it was the default for years, so every password-guessing bot tries it first. WordPress doesn't let you rename a user from the dashboard, so right after installing create a new user with the Administrator role, log in as that user, delete "admin" and, when asked, attribute its posts to the new account. Keep in mind that a username is not a secret: WordPress reveals it in the author archive (/?author=1 redirects to /author/yourname/) and in post bylines, so the name buys you a little less bot noise, while a strong, unique password and a login limiter are what actually keep the account safe.

9. Use SFTP

Most people upload files with plain FTP, which sends both your password and the files in clear text across every network between you and the host. Use SFTP (file transfer over SSH) instead so that the credentials and the files are encrypted in transit; FileZilla supports it, and your host's control panel will tell you whether SSH/SFTP access is enabled. You can find a detailed guide about how to do this here.

Now we move onto plugins you can use to secure your WordPress.

1. Login Lockdown

You can use a plugin called Login Lockdown, but make sure you remember your password, because it locks you out too. Login Lockdown records every failed login attempt together with the client's IP address and blocks logins from that IP range once the number of failures exceeds the limit you set. By default it locks an IP out for an hour after 3 failed logins within 5 minutes. Blocked addresses can be removed from the plugin's panel in the WordPress dashboard.

Login Lockdown protects your login page against password guessing. Its limit is that it keys on the IP address: a bot that spreads its attempts over many addresses stays under the threshold, and locking out a shared address (an office NAT, a mobile carrier) blocks legitimate users as well, so treat it as a brake on automated guessing rather than a substitute for a strong password.
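To see what a plugin like this is reacting to, here is an added example of my own (not the plugin's code and not from the article) that finds password guessing against wp-login.php in an Apache combined access log. It relies on a detail of WordPress behaviour: a failed login re-renders the form with HTTP 200, while a successful one redirects to the dashboard with HTTP 302, so repeated 200 responses to POST /wp-login.php from one address are the signal. An address is flagged once it has THRESHOLD such requests inside WINDOW seconds (defaults chosen to match the plugin's 3 in 5 minutes). The log lines are constructed for the example; the month arithmetic uses 31-day months, which is fine for comparing timestamps minutes apart but not across year boundaries.

```sh
#!/bin/sh
# Added example, not part of the article or of Login Lockdown: detect login
# brute-forcing in an Apache combined access log. Assumes awk and the
# combined log format. Usage: wp_login_bruteforce access.log [threshold] [window_seconds]
wp_login_bruteforce() {
  log=$1; thr=${2:-3}; win=${3:-300}
  awk -v thr="$thr" -v win="$win" '
    # Monotone seconds from "12/Nov/2011:18:16:01" (31-day months; only differences matter)
    function tosec(s,  d, m) {
      split(s, d, "[/:]")
      m = int((index("JanFebMarAprMayJunJulAugSepOctNovDec", d[2]) - 1) / 3)
      return (((d[3] * 12 + m) * 31 + d[1]) * 86400) + d[4] * 3600 + d[5] * 60 + d[6]
    }
    # POST to wp-login.php answered with 200 = form shown again = failed login
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 {
      ip = $1; t = tosec(substr($4, 2))
      n[ip]++; ts[ip, n[ip]] = t
      # slide the window: drop failures older than win seconds
      while (h[ip] < n[ip] && ts[ip, h[ip] + 1] < t - win) h[ip]++
      if (n[ip] - h[ip] >= thr && !(ip in seen)) { seen[ip] = 1; print ip }
    }' "$log"
}

# Constructed sample traffic (not real logs): 203.0.113.9 fails four times in
# two minutes, 198.51.100.7 fails twice and then logs in, 192.0.2.1 fails
# three times spread over an hour.
sample_access_log() {
  cat <<'EOF'
203.0.113.9 - - [12/Nov/2011:18:16:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2011:18:16:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Nov/2011:18:16:33 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
192.0.2.1 - - [12/Nov/2011:18:17:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2011:18:17:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2011:18:17:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Nov/2011:18:17:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Nov/2011:18:17:59 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
192.0.2.1 - - [12/Nov/2011:18:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
192.0.2.1 - - [12/Nov/2011:19:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
EOF
}
```

With the defaults only 203.0.113.9 is reported; the user who mistyped twice and then got in is not, and the slow, spread-out attempts from 192.0.2.1 stay under the threshold, which is exactly the blind spot an IP-keyed lockout has. Feed the real log through the function from cron and you have the same signal the plugin acts on, minus the lockout.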

2. WP-DB-Backup

I said earlier that you should always have a backup of your database. WP-DB-Backup is the plugin I use for this. It can e-mail the backup to you or store it on the server, and you can schedule how often it runs. Bear in mind that it backs up only the database; your uploads, themes and plugins live in wp-content and need to be copied separately, and a backup kept on the same server disappears together with the server, so keep a copy elsewhere.
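For the weekly backup of tip 6 and as a complement to the database-only plugin above, here is an added example (my own script, not the article's and not WP-DB-Backup) that dumps the database and archives wp-content in one go, reading the credentials out of wp-config.php so they are never typed into a command line or a cron entry. It assumes mysqldump, tar, gzip and GNU find/date on the host; the destination path and the 14-day retention are illustrative, and the value parser deliberately handles only the straightforward define('NAME', 'value') form, so a value containing a quote character is not supported.

```sh
#!/bin/sh
# Added example, not from the article or the WP-DB-Backup plugin: back up a
# WordPress database and wp-content. Usage: wp_backup /var/www/html /var/backups/wp

# Print the value of  define('NAME', 'value');  from a wp-config.php, accepting
# single or double quotes and optional spaces; prints nothing if NAME is absent.
wp_config_value() {
  sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Print a MySQL option file for user/password/host. DB_HOST in WordPress may
# carry ":port" or ":/path/to/socket", which the client expects as separate keys.
mysql_client_options() {
  host=${3:-localhost}
  hostpart=${host%%:*}; rest=${host#*:}
  [ "$rest" = "$host" ] && rest=
  printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' "$1" "$2" "${hostpart:-localhost}"
  case $rest in
    '') ;;
    *[!0-9]*) printf 'socket=%s\n' "$rest" ;;
    *) printf 'port=%s\n' "$rest" ;;
  esac
}

wp_backup() {
  root=$1; dest=$2
  cfg="$root/wp-config.php"
  [ -r "$cfg" ] || { echo "no readable wp-config.php under $root" >&2; return 1; }
  db=$(wp_config_value "$cfg" DB_NAME)
  user=$(wp_config_value "$cfg" DB_USER)
  [ -n "$db" ] && [ -n "$user" ] || { echo "DB_NAME/DB_USER not found in $cfg" >&2; return 1; }
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  mkdir -p "$dest" && chmod 700 "$dest"
  # Credentials go through a 0600 option file, never on argv, so they do not
  # show up in `ps` output or shell history.
  opt=$(mktemp)
  chmod 600 "$opt"
  mysql_client_options "$user" "$(wp_config_value "$cfg" DB_PASSWORD)" \
    "$(wp_config_value "$cfg" DB_HOST)" > "$opt"
  mysqldump --defaults-extra-file="$opt" --single-transaction --add-drop-table "$db" \
    | gzip > "$dest/db-$stamp.sql.gz"
  rm -f "$opt"
  # Uploads, themes and plugins are files, not rows; archive them too
  tar -czf "$dest/wp-content-$stamp.tar.gz" -C "$root" wp-content
  # Keep two weeks locally; copy the fresh archives off the server as well
  find "$dest" -type f -mtime +14 -delete
}
```

The point of --defaults-extra-file is the same as the point of tip 7: the database password should never appear anywhere it can be read by another user on the host, and process listings are readable by everyone. Restore once from these archives before you trust them.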

3. WP Security Scan

Removing the WordPress version from your pages should be a basic option, but WordPress doesn't offer one in the dashboard, so you need a plugin such as WP Security Scan to take the version out of the generator meta tag in your pages' HTML head. Why? Because knowing which version you run tells an attacker exactly which published vulnerabilities to try. Bear in mind that this is obscurity, not a fix: the version also leaks through readme.html in the site root, the generator tag in the RSS feed and the ?ver= parameters on script and stylesheet URLs, and scanners fingerprint versions from file hashes anyway. The real protection is tip #1, keeping WordPress updated so that there is no known hole to exploit.

With all these plugins and tips listed, I only want to stress that WordPress, precisely because it is so popular and widely used, is probed all the time by attackers and bots. WordPress security has been discussed at length and you should look into it, because finding out that your blog has been hacked and having no backup is definitely not fun. Avoid that by backing up regularly and following the tips above, and you will find yourself in trouble less often.

Further reading

You can read more about this topic on the following links:

Changing File Permissions on WordPress.org

Hardening WordPress on WordPress.org

Block IPs with .htaccess on htaccesstools

WordPress Security Tips and Hacks on Noupe

WordPress Security

11 Best Ways to Improve WordPress Security on ProBlogDesign


Christian Vasile is an enthusiastic Romanian web designer currently living in Denmark. He is passionate about the industry, writes about design, usability, coding and freelancing, and is a regular publisher here at 1WD. You can follow him on Twitter at @christianvasile or visit his web portfolio by clicking on the link above.

12 Comments
  • Marie Yasis

    Sunday, November 13th, 2011 22:11

    7

    I learned most of these tips the hard way after one of my sites was hacked. I do have a question about the updates. I often won’t update as soon as it is possible because often I find most or at least some of my plugins don’t work with the new update. Does anyone else have any tips regarding this?

    +1
  • James

    Thursday, February 23rd, 2012 12:28

    12

    What about brute-force login? Can it?

    +1
  • Michael

    Saturday, November 12th, 2011 18:16

    1

    The most important thing that I have found to protect my website is to keep it updated and to use a login and password that are impossible to guess by any hack tool.

    The other things like protecting config file and using .htaccess are important but for small blogs it’s not that crucial. One more thing that I can suggest is cloudflare, great free service that offers improved speed and security to your website.

    0
  • Miguel

    Sunday, November 13th, 2011 08:01

    5

    Good information Christian.

    0
  • Matthew Coleman (

    Sunday, November 13th, 2011 07:45

    4

    I hate to be so blunt, but I am so tired of people giving advice listed in #2. Please stop. I refer you to this: http://xkcd.com/936/

    0
    • ngassmann

      Tuesday, November 15th, 2011 07:09

      8

      @Matthew Coleman I wish I could like your comment 1,000 times.

      0
    • Rean John Uehara

      Monday, November 14th, 2011 04:06

      6

      It’s on xkcd, therefore it’s the truth?

      0
  • Ray

    Sunday, November 13th, 2011 06:30

    3

    I was thinking there is probably something additional I can do to the wp-config.php file to make it more secure and protect it. I will see about giving number 7 a shot shortly. Good tips, and it never hurts to review your WordPress security several times per year.

    0
  • Jenelle B

    Sunday, November 13th, 2011 02:57

    2

    Simple steps yet powerful enough to protect your website. Great tips :)

    -1
  • Andrew Groat

    Thursday, February 2nd, 2012 16:57

    11

    All of the above suggestions are great, but here is the one tip that I always recommend – it will prevent 99% of issues and is very simple. Install your WordPress in a subdirectory! Then modify the root index.php to reference the files from the subdirectory.

    Most attacks on open source frameworks are done automatically via scripts/bots etc, meaning they often rely on certain files to be in the default location. This method adopts the simple principle of security through obscurity.

    Peace!

    -1
  • Estiak Ahamed

    Sunday, November 27th, 2011 20:48

    10

    These tips really protect a website. Awesome tips for wordpress website.

    -1
  • Andrew Keith

    Saturday, November 19th, 2011 11:14

    9

    “Quick, write an article about WordPress security – everyone else has got one!”

    I hate to be harsh but there’s nothing new here that hasn’t been posted 100 times elsewhere.

    Login Lockdown hasn’t been updated for two years and is only tested up to WP 2.8.4. I use Login Lock which is a bit more up to date:

    -1

Comments are closed.
