1. Change your login

Still using the original Admin username? This is the first thing bots and exploits will look for, so change it. Log in with that username and create a new Administrator level account with a more distinctive username. Then log out and log back in again using the new account so you can delete the original one.

2. Creative passwords

Nobody likes having to remember 20 different passwords, but it’s vital that your account password is as unique and character-rich as possible. Use uppercase and lowercase letters, numbers and punctuation characters. If it resembles somebody swearing in a comic book (B*%1£#S!) you’re on the right track.

3. Keep it updated

One of the most common causes of vulnerabilities for WordPress sites is the continuous use of outdated versions. It is vital that you keep your installation up to date. WordPress will notify you in the Dashboard when a new version has been released. Follow the prompts and update. It takes a few minutes and could save you a few hours in the long run.

4. Avoid free themes
There are countless websites out there that offer free, pre-built themes for your WordPress site. Beware. Many of these themes come packaged with a few invisible surprises under the hood. It’s much better to stick to the trusted sources reachable through WordPress itself, build your own theme using a free framework, or buy one from a reputable marketplace such as Theme Forest.

5. Plugin awareness
Plugins can be vital additions to your site, giving you great functionality beyond the basics. However, some plugins can present an open door to hackers. Make sure you get your plugins only through WordPress’s own plugin directory and check the reviews for any warnings. And, like the platform itself, be sure to keep them updated.

6. Keep only what you need
Do you have a bunch of plugins on your site that you don’t use? Even a deactivated plugin can be a threat. Remove as many inactive plugins, themes and files as you can, including the readme file in the root folder. Simple rule: the fewer the scripts, the fewer the vulnerabilities.

7. Back it up
The importance of keeping your site backed up at regular intervals cannot be stressed enough. Not all attacks and hacks will cause you to lose it, but you don’t want to be the one who got caught out. And sometimes, a clean reinstall of the site and content is the only way to be sure you are rid of any malware.

8. Keep your PC clean
It’s not just your WordPress website that you need to keep an eagle eye on. It is essential that you make sure you have a good antivirus running on your PC or laptop, too. Ensure that this is reputable and also kept up to date. You don’t want to end up being the one that infected your own website simply because you placed a few corrupted files there! This should be a matter of course even if you don’t own a website and can save you a lot of time and money in just a few clicks.

Top tip
For that little extra precaution, there are security plugins available, including Better WP Security, Wordfence, and Sucuri Scanner.

9. SFTP not FTP
All connections to your server for file updates should be made over SFTP rather than plain FTP, assuming your host provider allows it. If they don’t, consider moving to a host that does. The encryption SFTP adds is a valuable safeguard against your login details being intercepted by bad boys and girls.

10. Protect the config file
Advanced security can be achieved by adding a .htaccess file in your site’s root. If you don’t already have one, create an empty text file, rename it .htaccess and place it in your site’s root folder with the code listed below. The lines above the # BEGIN WordPress marker stop wp-config.php, which holds your database login details, from being served to the browser in the event of a PHP failure.

# don't allow wp-config.php to load
<Files wp-config.php>
order allow,deny
deny from all
</Files>
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

11. Change the WordPress table prefix
This is a step for fresh installs only (see the box above for existing sites). By replacing the default ‘wp_’ prefix on all database tables, you make it much harder for attacks that rely on the default table names. Simply open wp-config.php in the root, scroll down to find the table prefix and change wp_ to something else, such as the name of a movie.

$table_prefix = 'wp_';

becomes

$table_prefix = 'movie_';

12. Prevent directory browsing
To prevent anyone from accessing files in your WordPress directory by typing the directory path into the browser, place the code below into the .htaccess file, above # BEGIN WordPress. Placing a blank index.html file into every directory would have the same effect, but this is quicker and simpler.

# prevent directory browsing
Options -Indexes

13. Protect the .htaccess file
It may seem odd to place code within the .htaccess file that, in essence, protects itself, but with a great deal of your security nested here, why not play it safe? Any access to this file could mean access to the fortifications you have worked so hard to put up. Let’s lock every door.

# protect the .htaccess file itself
<Files .htaccess>
order allow,deny
deny from all
</Files>

14. IP address restrictions
If you and your contributors have static IP addresses, you can use the .htaccess file to restrict admin access to just those IPs. This technique offers a great security option, with the obvious drawback that you will be locked out of your own site should you suddenly find yourself at an unauthorised IP address. Just pop the code into the .htaccess file, filling in your IP addresses.

# put this in wp-admin/.htaccess to restrict only the admin area;
# in the root .htaccess it restricts the whole site
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# authorised IP address
allow from ??.???.???.???
# another authorised IP address
allow from ??.???.???.???

15. Limit login attempts
Restricting the number of login attempts that can be made from any one IP gives you an added layer of security against ‘brute force’ attacks. Install the Limit Login Attempts plug-in through the plug-in search facility. This gives you a customisable series of features and notifies you when an IP lockout has been enforced.

16. Disable HTTP TRACE
Cross Site Tracing (XST) and Cross Site Scripting (XSS) are common attack methods. They work by abusing a server’s default HTTP TRACE method, which echoes the request it receives back to the client, to steal cookie and server information from request headers. You can guard against these attacks by turning the method off. Just place the code below in your .htaccess file, above # BEGIN WordPress.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

17. Protect against SQL injections
SQL injections are one of the more common forms of attack on WordPress sites. Most web hosts take every precaution to protect against these exploits, but you can add your own check by inserting this code into the .htaccess file. Place it just underneath RewriteBase /, below # BEGIN WordPress.

# return 403 Forbidden when someone puts script tags or GLOBALS or _REQUEST stuff in the URL
#
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
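To see exactly what the rules in tips 16 and 17 do and do not stop, here is an added Python model (not code from the article) that replays the two rule sets against constructed requests. It assumes both snippets sit in the root .htaccess and mirrors Apache's flags: [F] means a 403, and [NC] is set only on the script-tag condition.

```python
import re
from urllib.parse import urlsplit

# Tip 16: RewriteCond %{REQUEST_METHOD} ^TRACE -> RewriteRule .* - [F]
TRACE_METHOD = re.compile(r"^TRACE")

# Tip 17: the three RewriteCond patterns, chained with [OR]. Only the first
# carries [NC], so only it is case-insensitive; the other two are not.
QUERY_FILTERS = [
    re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE),
    re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})"),
    re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})"),
]


def status_for(method: str, url: str) -> int:
    """Return 403 if either rule set would fire ([F]), else 200 (served)."""
    if TRACE_METHOD.match(method):
        return 403
    # %{QUERY_STRING} is the raw, still percent-encoded query, as Apache sees it.
    query = urlsplit(url).query
    if any(p.search(query) for p in QUERY_FILTERS):
        return 403
    return 200


# Constructed sample requests (not from the article): (method, URL, expected).
SAMPLES = [
    ("TRACE", "/", 403),
    ("GET", "/?s=<script>alert(1)</script>", 403),
    ("GET", "/?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E", 403),
    ("GET", "/?GLOBALS[x]=1", 403),
    ("GET", "/?_REQUEST=1", 403),
    ("GET", "/?_request=1", 200),  # no [NC] on this rule, so case matters
    ("GET", "/?p=1%27", 200),      # a stray quote: nothing here inspects SQL syntax
    ("GET", "/?s=hello", 200),
]


def run_samples():
    """Evaluate every sample; returns [(method, url, got, expected), ...]."""
    return [(m, u, status_for(m, u), e) for m, u, e in SAMPLES]


if __name__ == "__main__":
    for method, url, got, expected in run_samples():
        print(f"{method:5} {url:45} -> {got} (expected {expected})")
```

Note that the query-string rules match script tags and the names of PHP superglobals rather than SQL syntax, and they never see POST bodies, so treat them as a thin extra layer on top of properly escaped queries in your plugins and themes, not a replacement for them.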
