WordPress Security Guide: Make Your WordPress Blog Hack Proof

by Gagan · 5 comments

A few days back I wrote an article about the most important settings to change after installing a new WordPress blog, but after installing a fresh copy of WordPress you must also work to make it hack proof. As a blogger, you must understand the importance of WordPress security and work to make your blog secure and safe. Today I am going to give you WordPress security tips and guidelines. Let's start:


I've divided this tutorial into three sections:

Basic Security Techniques

Update regularly

Update your WordPress version and plugins as soon as new releases come out, but make sure you back up your database before clicking the update button. To upgrade WordPress automatically you can use the plugin called Automatic WordPress Upgrade.

Keep root directory clean

Do not keep unnecessary PHP or HTML files in the root directory. Keep it as clean as possible.

Disable directory listing

Anyone can easily view the themes and plugins directory of any blog. This is a security risk, so it is recommended to disable directory listing. To do so, open Notepad, write nothing in it, save it as index.php (all lowercase, since most web servers treat file names as case-sensitive) and upload it to your Themes as well as your Plugins folder. Have a look:


Change default username and password

It is not at all recommended to keep the username as admin, so you must change it. To do this you can use the plugin called Username Changer. Also change the default password.

Note: always use a fresh, new password for your WordPress blog that you have never used before. Do not make your blog's password the same as your email password.

Research before you install plugins

Before installing any plugin, read the reviews on other blogs, because your blog can be hacked through badly coded plugins. So be careful.

Advanced security techniques

Remove WordPress Version

Many WordPress themes display the current WordPress version. If you are using an old version of WordPress, a hacker can easily learn this, so you must remove it. How? I'll tell you:

  • In the dashboard, under Appearance click on Editor and open the header.php file
  • Now search for the following code and remove it

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

  • After removing this code, the WordPress version will no longer appear in the page source. WordPress can also print this tag through the theme's wp_head() call, so view the page source afterwards to confirm it is really gone.

Disable "wp-" access to search engines

There is no need for search engines to index all your content; this can be a security issue, because it becomes easy for a hacker to search for vulnerable files through advanced search queries. It is recommended to block search engine access to the folders whose names start with "wp-".

To disable the access, refer to this article.

WordPress Secret Keys

Secret keys are used to generate random salts for WordPress cookies. They are a better way to protect the information that is stored in WordPress cookies. Follow the steps below to add secret keys to wp-config.php:

  • Visit this link and copy the code from there; these are randomly generated secret keys.
  • Open your wp-config.php file and paste those 4 lines into it
  • Save your work and you're done

WordPress Security Plugins

Login Lockdown

This plugin records the IP address of every failed WordPress login attempt. After 'n' failed attempts, it blocks that IP for 5 minutes. This helps stop brute force attacks on your blog. Click here to install.
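The lockout behaviour described above, written out as an added example (my own illustration, not the Login Lockdown plugin's code); the threshold, the log line format and the sample log entries are all constructed for the example:

```python
# Failed-login lockout modelled on the Login Lockdown behaviour the page describes: failures
# are counted per client IP and, at 'n' of them, that IP's logins are refused for 5 minutes.
# Added illustration, not the plugin's own code; the log format and all values are constructed.
import re
from collections import defaultdict, deque

MAX_FAILURES = 3          # 'n' failed attempts that trigger a block
FAILURE_WINDOW = 5 * 60   # only failures within this many seconds are counted
BLOCK_SECONDS = 5 * 60    # block length the page describes: 5 minutes
LOG_RE = re.compile(r"^(\d+) (\d+\.\d+\.\d+\.\d+) (ok|fail) (\S+)$")

class LoginLockdown:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> unix time the block expires

    def record(self, ip, ok, now):
        """Handle one attempt; returns 'allow', 'locked' or 'blocked'."""
        if now < self.blocked_until.get(ip, 0):
            return "blocked"                # refused before credentials are checked
        self.blocked_until.pop(ip, None)    # no block, or it has expired
        if ok:
            self.failures.pop(ip, None)     # a real login clears the failure history
            return "allow"
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > FAILURE_WINDOW:
            window.popleft()                # forget failures older than the window
        if len(window) >= MAX_FAILURES:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            window.clear()
            return "locked"                 # this failure triggered the block
        return "allow"

def replay(lines):
    """Feed log lines ("<unix_time> <ip> <ok|fail> <user>") through one tracker."""
    tracker, decisions = LoginLockdown(), []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts, ip, result, _user = m.groups()
            decisions.append((ip, tracker.record(ip, result == "ok", int(ts))))
    return decisions

SAMPLE_LOG = [  # constructed sample, not real traffic
    "1000 198.51.100.7 fail admin",
    "1010 198.51.100.7 fail admin",
    "1020 198.51.100.7 fail admin",   # third failure -> locked until 1320
    "1030 198.51.100.7 ok admin",     # correct password, still blocked
    "1050 203.0.113.9 ok editor",     # another IP is tracked separately
    "1330 198.51.100.7 ok admin",     # block expired at 1320 -> allowed
]
```

Note that a blocked IP is refused before the password is even checked, which is what stops the guessing; a successful login from a different IP is unaffected.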

WP Security Scan

We all know that the default WordPress database prefix is "wp_". Many hackers and badly coded plugins rely on this prefix when crafting SQL injections, so you must change it. You can change it by installing a simple plugin called WP Security Scan (back up your database first, because the change renames every table).

User suggestion: make sure the theme developer works on future updates

Robin commented that one of his blogs recently got hacked due to a vulnerability found in his theme. He used a free theme developed by ThemeJunkie. So make sure the theme or plugin developer keeps working on it and releases future updates, in order to get maximum security.

Did I leave something out? Then check out these links too:

About Gagan
This is Gaganpreet Singh, who provides SEO Training in Chandigarh and gives blogging tips at Creative Blogging Ideas


Farukh May 3, 2010 at 1:56 pm

Hello, this is a nice article. But the use of plugins slows down our site. I will be very happy if you post an article purely based on htaccess. Thanks

Gagan May 3, 2010 at 2:01 pm

Yeah, plugins do make a blog slow, but there are a few plugins that we must install … I'll surely write about htaccess in my future posts … Thanks and keep visiting … :)

Udegbunam Chukwudi | StrictlyOnlineBiz May 14, 2010 at 7:47 am

Nice list. I already make use of the Secure WordPress and Limit Login Attempts plug-ins. They work well too.

With bad plug-ins, a safe bet is to only download plug-ins from the WordPress download site, as they are always scrutinized before release to the public ;-)

Robin June 25, 2010 at 5:05 am

Recently one of my blogs got hacked, due to a vulnerability spotted in my theme. I used a free one, developed by ThemeJunkie.

So make sure the theme or plugin you use in your blog is up to date and the developer is working on it to bring future updates. That is, make sure the theme is still in development.

I use 2 of the plugins you have recommended. Cheers.

- Robin

ashwin November 4, 2010 at 6:32 pm

Nice post. If you install WP using Fantastico, then you can set a custom username there itself instead of the default "admin". I am currently using only 1 plugin that you mentioned above, that's Login Lockdown. Will try to use the others.