If you are running a WordPress-powered website, its security should be your primary concern. In
most cases, WordPress blogs are compromised because their core files and/or plugins are outdated;
outdated files are easy to fingerprint, and they are an open invitation to hackers.
How do you keep your blog away from hackers?
For starters, make sure you are always running the latest version of WordPress. There is more you can do:
Keep wp-admin Directory Protected
Keeping the “wp-admin” folder protected adds an extra layer of protection. Whoever attempts to access files or directories under “wp-admin” will be prompted to log in.
Protecting your “wp-admin” folder with a username and password can be done in several ways:
- WordPress plugin – Use the WordPress AskApache Password Protect plugin.
- cPanel – If your host provides cPanel, you can easily protect any folder via cPanel’s Password Protect Directories graphical user interface. Find out more from this tutorial.
- .htaccess + .htpasswd – A password-protected folder can also be set up by listing the folders you want to protect in .htaccess and the users allowed to access them in .htpasswd. The following tutorial shows you how to do it in 7 steps.
Keeping backup copies of your entire WordPress blog is as important as keeping the site safe from hackers. If the latter fails, at least you still have clean backup files to revert to.
We’ve previously covered a list of solutions to backup your WordPress files and database, including both useful plugins and backup services.
Prevent directory browsing
Another big security loophole is having your directories (and all their files) exposed and accessible to the public. Here’s a simple test to check whether your WordPress directories are well protected:
- Enter the following URL in your browser, without the quotes: “http://www.domain.com/wp-includes/”
If it shows a blank page or redirects you back to the home page, you are safe. However, if you see a screen similar to the image below (a listing of the directory’s files), you are not.
To prevent directory listings for all directories, place this code inside your .htaccess file:
# Prevent folder browsing
Options -Indexes
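The following script is an added example, not code from the original article: it automates the manual /wp-includes/ test above for the standard WordPress directories and reports whether each one serves a listing, is blocked (as it is after the .htaccess change), or redirects. The site URL is passed on the command line; with no argument it runs offline on a constructed sample response.

```python
"""Added example: automates the article's manual directory-listing test
for the standard WordPress directories (not code from the original)."""
import re
import sys
import urllib.error
import urllib.request

# Standard WordPress directories that should never serve a listing.
WP_DIRS = ["/wp-includes/", "/wp-content/", "/wp-content/uploads/",
           "/wp-content/plugins/", "/wp-content/themes/"]
# Apache mod_autoindex (and nginx autoindex) title listings "Index of /...".
LISTING_RE = re.compile(r"<title>\s*Index of\s", re.IGNORECASE)


def classify(status, body):
    """Map an HTTP status and body to a verdict."""
    if status == 200 and LISTING_RE.search(body):
        return "EXPOSED"        # a directory listing is being served
    if status in (401, 403):
        return "BLOCKED"        # auth required or forbidden: hardened
    if 300 <= status < 400:
        return "REDIRECTED"     # e.g. bounced back to the home page
    return "OK"                 # 200 without a listing, 404, etc.


def fetch(url):
    """Return (status, body) without following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None         # makes urllib raise HTTPError on 3xx
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


def scan(base_url):
    """Classify every directory in WP_DIRS; returns {path: verdict}."""
    return {d: classify(*fetch(base_url.rstrip("/") + d)) for d in WP_DIRS}


if __name__ == "__main__":
    if len(sys.argv) > 1:       # python check_listing.py https://your-site
        for path, verdict in scan(sys.argv[1]).items():
            print(f"{verdict:10} {path}")
    else:                       # offline demo on a constructed listing page
        demo = "<html><head><title>Index of /wp-includes</title></head></html>"
        print(classify(200, demo))  # EXPOSED
```

Run it against your own site before and after adding `Options -Indexes`; every directory should move from EXPOSED to BLOCKED, REDIRECTED or OK.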
Keep WordPress core files & Plugins updated
One of the safest ways to keep your WordPress site safe is to make sure your files are always updated to the latest release. Here are a couple of practices you can follow:
- Log in to the Dashboard often – A yellow notification appears at the top of the Dashboard when an update is available. Log in often and keep your WordPress core files updated to the latest release.
- Deactivate and remove unused plugins – An unused plugin will eventually become outdated and may pose a security risk. If you are not using it, delete it.
- Subscribe to WordPress Releases RSS.
Pick a Strong Password
Is your password safe? A strong and safe password is more than just something memorable with numbers appended (e.g., john123). For starters, it should consist of more than 12 characters and combine numbers with lowercase and uppercase letters.
Here are some applications that allow you to generate strong passwords:
Alternatively, you can also check how strong (and safe) your current password is with howsecureismypassword.net.
Remove admin user
A typical installation of WordPress comes with a default user named “admin”. If that’s the username for your WordPress site, you are already making a hacker’s life 50% easier. Using the user “admin” should be avoided at all times.
A safer approach is to create a new administrator account and remove “admin”. Here’s how you do it:
- Log in to the WordPress admin panel
- Go to Users > Add New
- Add a new user with the Administrator role; make sure you use a strong password.
- Log out of WordPress and log back in with your new admin user.
- Go to Users
- Remove the “admin” user
- If “admin” has posts, remember to attribute all posts and links to the new user.