General Tips on How to Secure Your WordPress Blog
WordPress is the world's most powerful content management system (CMS) and blogging platform, which also makes it an easy target for hackers. With that in mind, you need to make an effort to protect both your own data and your visitors' data. Below is a summary of the best practices for securing a WordPress site. Keep in mind that these measures do not guarantee 100% protection against all types of hacking attempts, because there is no "one-size-fits-all" security protection. However, implementing the measures below will protect you against the majority of attacks.
Keep your WordPress site and plugins up-to-date
It is vital to keep your core WordPress files and all of your plugins updated to their latest versions. Most new WordPress and plugin versions contain security patches. Even if the vulnerabilities they fix cannot be easily exploited most of the time, it is important to have them fixed.
For more information on that matter, check our tutorials on how to update WordPress and how to use WordPress auto updates.
Protect your WordPress Admin Area
It is important to restrict access to your WordPress admin area to only those people who actually need it. If your site does not support registration or front-end content creation, your visitors should not be able to access your /wp-admin/ folder or the wp-login.php file. The best you can do is to find your home IP address (you can use a site like www.whatismyip.com for that) and add these lines to the .htaccess file in your WordPress admin folder, replacing xx.xxx.xxx.xxx with your IP address:
<Files wp-login.php>
order deny,allow
Deny from all
Allow from xx.xxx.xxx.xxx
</Files>
In case you want to allow access to multiple computers (like your office, home PC, laptop, etc.), simply add another Allow from xx.xxx.xxx.xxx statement on a new line.
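The block above uses the Apache 2.2 access-control syntax (Order/Deny/Allow), which on Apache 2.4 only works when mod_access_compat is loaded. Two details matter when applying it: wp-login.php lives in the site root, so a Files directive for it only takes effect in the root .htaccess, while the wp-admin/ folder can carry its own .htaccess; and wp-admin/admin-ajax.php is requested by front-end features on behalf of ordinary visitors, so it must stay reachable. The following added example (not part of the original article) shows the Apache 2.4 form with several allowed addresses; the IP addresses and the /24 office range are placeholders from the documentation ranges and must be replaced with your own.

```apache
# --- .htaccess in the WordPress root (where wp-login.php actually lives) ---
<Files wp-login.php>
    # Several Require ip lines are combined with OR: any listed address is allowed.
    Require ip 203.0.113.10          # placeholder: home IP
    Require ip 198.51.100.0/24       # placeholder: office network
</Files>

# --- wp-admin/.htaccess: same allow-list for the dashboard directory ---
Require ip 203.0.113.10              # placeholder: home IP
Require ip 198.51.100.0/24           # placeholder: office network

# admin-ajax.php serves AJAX calls for logged-out visitors too (themes, plugins,
# comment forms), so it is opened again; with the default AuthMerging Off the
# Require inside <Files> replaces the directory-level rule for this one file.
<Files admin-ajax.php>
    Require all granted
</Files>
```

After editing, load wp-login.php from a connection that is not on the list: Apache should answer with 403 Forbidden. Also check that the public part of the site still works, since a plugin that relies on admin-ajax.php will break silently if that file is blocked.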
If you want to be able to access your admin area from any IP address (for example, if you often rely on free Wi-Fi networks), restricting your admin area to a single IP address or to a few IPs can be inconvenient. In such cases we recommend that you limit the number of incorrect login attempts to your site. This way you will protect your WordPress site from brute-force attacks and from people trying to guess your password. For that purpose, you can use the plugin called Loginizer.
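To make the "limit incorrect login attempts" idea concrete, here is an added Python example that is not WordPress or Loginizer code: a small per-IP lockout model (N failures inside a sliding window lock the address out for a while) driven first by hand and then by a few constructed Apache access-log lines. The thresholds, the sample addresses and the log lines are all assumed values; the example also assumes, as WordPress does by default, that a failed POST to wp-login.php re-renders the form with HTTP 200 while a successful one redirects with 302, which is what lets the replay tell failures from successes.

```python
"""Per-IP login lockout model (added example; not code from WordPress or Loginizer)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3                 # assumed: failures allowed inside one window
WINDOW = timedelta(minutes=15)   # assumed: sliding window for counting failures
LOCKOUT = timedelta(minutes=30)  # assumed: how long an address stays blocked


class LoginLimiter:
    """Tracks failed login attempts per client IP and refuses attempts while locked."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> moment the lockout expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]        # lockout expired: forget it
            return False
        return True

    def record(self, ip, success, now):
        """Register one attempt; return True if it may be processed, False if refused."""
        if self.is_locked(ip, now):
            return False
        if success:
            self.failures.pop(ip, None)      # a good login clears the failure history
            return True
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # drop failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
        return True


def walkthrough():
    """Drive the limiter by hand: three failures lock the address, the fourth attempt
    is refused, and an attempt after the lockout expires is allowed again."""
    lim = LoginLimiter()
    t0 = datetime(2019, 1, 9, 10, 0, 0)
    results = [lim.record("198.51.100.5", False, t0 + timedelta(seconds=i)) for i in range(4)]
    results.append(lim.record("198.51.100.5", True, t0 + LOCKOUT + timedelta(seconds=5)))
    return results   # [True, True, True, False, True]


# Constructed Apache combined-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jan/2019:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
203.0.113.7 - - [09/Jan/2019:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
203.0.113.7 - - [09/Jan/2019:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
203.0.113.7 - - [09/Jan/2019:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
198.51.100.20 - - [09/Jan/2019:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
198.51.100.20 - - [09/Jan/2019:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [09/Jan/2019:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4312
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def replay_log(lines):
    """Feed every POST to wp-login.php into a fresh limiter and return the set of
    addresses still locked out at the time of the last log line."""
    limiter = LoginLimiter()
    last_ts = None
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue   # only login form submissions count; page views are ignored
        last_ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        limiter.record(m["ip"], m["status"] == "302", last_ts)
    if last_ts is None:
        return set()
    return {ip for ip in list(limiter.locked_until) if limiter.is_locked(ip, last_ts)}


if __name__ == "__main__":
    print(walkthrough())
    print(replay_log(SAMPLE_LOG))
```

In the replay, 203.0.113.7 fails four times within seconds and is locked after the third, 198.51.100.20 fails once and then logs in (which clears its history), and the GET from 192.0.2.9 is ignored, so only the first address is reported. Running the same check over a real access log is a cheap way to see whether your site is already being brute-forced before you install a plugin.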
Don't use the "admin" username
Most attackers will assume that your admin username is "admin". You can easily block a lot of brute-force and other attacks simply by using a different admin username, e.g. Zainal. If you're installing a new WordPress site, you will be asked for the admin username during the WordPress installation process. If you already have a WordPress site, you can follow the instructions in our tutorial on how to change your WordPress username.
Use Strong Passwords
The most commonly used passwords for admin logins are "qwerty" and "123456". Needless to say, such passwords are easily guessed and sit at the top of the word list of any dictionary attack. A good tip is to use an entire sentence that makes sense to you and that you can remember easily. Such passwords are much, much better than single-word ones.
Ensure Your Computer is Free of Viruses and Malware
If your computer is infected with a virus or other malware, a potential attacker can capture your login details and make a valid login to your site, bypassing all the measures you've taken before.
This is why it is very important to have an up-to-date antivirus program and to keep the overall security of every computer you use to access your WordPress site at a high level.
Updated on: 09/01/2019