Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

10 Tips for a More Secure WordPress Blog

DZone's Guide to

10 Tips for a More Secure WordPress Blog

WordPress itself is a very secure platform. However, there’s a few mistakes that many WordPress users make and that can be exploited by potential attackers. In this article, I’m presenting you 10+ tips for maximum security.

· Web Dev Zone
Free Resource

Learn how to build modern digital experience apps with Crafter CMS. Download this eBook now. Brought to you in partnership with Crafter Software

WordPress itself is a very secure platform. However, there’s a few mistakes that many WordPress users make and that can be exploited by potential attackers. In this article, I’m presenting you 10+ tips for maximum security.

Stay Updated

As a rule of thumb, every time the WordPress core or a plugin you’re using has an available update, apply it. Updates bring new features, but also security fixes. Although WordPress has automatic background updates since version 3.7, you should always keep an eye on them, as automatic updates may fail to complete from time to time.

Plugins are also a sensitive part of your WordPress installation. Don’t forget to update them as soon as an update is available.

Pick a Strong Password

It might seem like a dumb tip, but working with WordPress (and websites in general) every day, I can tell you that most people are still using weak passwords to protect something as important as their own website.

A strong password has:

  • at least 15 characters
  • uppercase letters
  • lowercase letters
  • numbers
  • symbols, such as ` ! " ? $ ? % ^ & * ( ) _ - + = { [ } ] :

A strong password is not:

  • your login or username
  • your name, your friend’s name, your family member’s name, or a common name
  • a dictionary word
  • like your previous passwords
  • your date of birth
  • a keyboard pattern, such as qwerty, asdfghjkl, or 12345678

Need help to pick a super strong password? Head over this simple but efficient web app.

Pick a Random User Name

Attackers know that most people are using usernames such as “admin” or the URL of their website. By picking a random user name, you’re making their task more difficult.

Host Your Website on a Reliable Web Host

Especially if you’re on a shared server (this is the case of most small websites such as a personal blog), attackers can use corrupted files on the server, even if they aren’t yours, to spread on other websites hosted on the server. This can’t be fully stopped by you alone, so you need to be sure that your web host is super serious about security and offers strong customer support that will always be helpful in case something goes wrong.

Below are the three web hosts I personally work with and recommend for their performance and security:

  • Vidahost: this company has been hosting CatsWhoCode since 2012. The speed and availability are amazing and the support service always responds fast, even on Sundays or in the middle of the night. The only downside is the somewhat expensive price, but just like cheap hosting isn’t good, good hosting isn’t cheap.
    Good news: by using the coupon CATSWHOCODE when checking out, you’ll get 10% off any hosting plan.

  • A Small Orange: A company that many of my partners and I work with, A Small Orange is offering an exclusive discount to CWC readers consisting of one year of hosting + a domain name for only $40. Definitely a great deal for serious websites owners.

  • In Motion Hosting: I haven’t worked with them directly yet, but I’ve been fixing quite a lot of websites hosted on their servers and everything was smooth. Definitely worth checking out!

Have Backups

If a problem happens, it is essential that you have a backup of both your database and files so that you can restore them to your server. Backups can be done manually or by using a plugin such as WP Database Backup. Your web host can also make regular back-ups of your website and database. The three hosts I mentioned above do free, regular backups for their clients and their support service can help you to restore it to your server in case of an attack.

Use .htaccess to Protect wp-login

Password protecting your wp-login.php file can add an extra layer to your server. Because password protecting wp-admin can break any plugin that uses AJAX on the front end, it’s usually sufficient to just protect wp-login.php.

To do this, you will need to create a .htpasswd file. To do so, go to htpasswd generator and follow the instructions. Once you have your file ready, upload it to your server.

Once done, you need to tell .htaccess where it’s at. Assuming you’ve put .htpasswd in your user’s home directory and your htpasswd username is mysecretuser, then you put this in your .htaccess file:

# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

# Protect wp-login
<Files wp-login.php>
AuthUserFile ~/.htpasswd
AuthName "Private access"
AuthType Basic
require user mysecretuser
</Files>

If you’re looking for a plugin instead of doing it by yourself, have a look at AskApache Password Protect. Please note though, that it hasn’t been updated in a year. I haven’t tried it myself so I can’t really neither recommend nor advise against using this plugin.

Remove Unnecessary Error Messages

Login error messages are useful, but unfortunately, they can also provide information to attackers.

To get rid of login errors displaying on your wp-login.php page, open your functions.php file and append the code below to it:

add_filter('login_errors',create_function('$a', "return null;"));

Be Careful With Plugins and Themes

Basically, everything you add to your WordPress install (Themes and Plugins) potentially contains vulnerable code. In fact, anyone can write and offer a plugin or theme.

When choosing a plugin or a theme, make sure that:

  • You get it from a reliable source, such as the official WordPress.org repositories
  • The plugin/theme is well-maintained and has been updated recently
  • The plugin has a significant number of installs and/or ratings

Premium themes and plugins that you can find available for free might often contain malicious code injected in them. Sure, a premium theme or a plugin is an investment, but the average $60 you’ll spend is a lot cheaper than the help of a developer or security expert to help you with a broken or a hijacked website. Established premium theme/plugin sellers as such as ElegantThemes, ThemeForest, or Themify are very serious about security.

Rename Your Database Tables

By default, WordPress uses wp_ to prefix your database tables. While it can be easily changed when installing WordPress, unfortunately, most users don’t modify the default prefix. It makes it easier for attackers to target your database.

Happily, there’s a handy plugin called DB Prefix Change which allows you to easily change your database prefix from the default wp_ to something unique and virtually impossible to guess.

Disable File Editing

WordPress features a built-in file editor, which can be very useful to edit your theme on the fly. Unfortunately, if an attacker gains access to your WordPress dashboard as an administrator, he will be able to edit your files, and do much damage. For this reason, you might want to disable WordPress built-in file editor and use a regular FTP program to edit your theme files instead.

To do so, simply paste the code below into your wp-config.php file, which is located at the root of your WordPress install.

define('DISALLOW_FILE_EDIT', true);

Make Use of the All In One WP Security & Firewall Plugin

The All In One WordPress Security plugin will take your website security to a whole new level. Designed and written by experts, it reduces security risk by checking for vulnerabilities and by implementing and enforcing the latest recommended WordPress security practices and techniques.

Install All In One WP Security from your WordPress dashboard or download it from here.

Crafter is a modern CMS platform for building modern websites and content-rich digital experiences. Download this eBook now. Brought to you in partnership with Crafter Software.

Topics:
wordpress ,security

Published at DZone with permission of Jean-Baptiste Jung, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}