10 Steps to Secure Your WordPress Site

One of the most important things you can do when building a WordPress website is making sure it’s secure. While you can never get site security up to 100%, you can certainly shoot for 99% and you can accomplish that by enacting measures — both big and small — that account for every access point of your site and its vulnerabilities.


Now, some of you might already think your site is pretty secure. And that’s great, but why not take a couple of minutes and run through this list I’ve put together of things to look for with regard to WordPress website security? You’ll walk away with an action plan or feel more confident about your existing measures — and both are good things.

Here are 10 things you should look for or pay attention to in order to ensure your site is as secure as it can be.

1. Limit Dashboard Accessibility

When someone has access to your WordPress dashboard, they can add new posts and pages, upload files, and change your settings. An inexperienced person could make a mistake without realizing it. Or, the intent could be more malicious. Regardless, you should only give dashboard access to people you trust.

You can whitelist your IP address to restrict anyone not at your IP from accessing your dashboard, which can greatly reduce hacking attempts. Of course, you’d need to always access your site’s admin from the same IP.

To do this, add a new .htaccess file to your wp-admin folder then add this code:

# Apache 2.2 syntax (on Apache 2.4, use "Require ip YOUR IP ADDRESS" instead)
# Note: this also blocks wp-admin/admin-ajax.php, which some plugins and themes call from the front end
order deny,allow
allow from YOUR IP ADDRESS
deny from all

And if you want to protect your theme and WordPress plugins from editing by unauthorized users, you can add this code to your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

2. Block Directory Browsing

You likely already know that a website's files are stored in folders on a server. Typically, anyone can browse the contents of each folder or directory, which could leave you open to malicious hacking attempts. You can make it so the contents of certain folders aren't viewable to the public at large, however. This is an obscurity tactic, and though it won't make your site 100% safe, it gives hackers less information to work with, and less information is what you want.

To block directory browsing, open up your .htaccess file again and insert the following code at the very bottom:

Options -Indexes

That’s all there is to it!

3. Remove WordPress Version Information

WordPress themes used to output the WordPress version number automatically in the <head> tag of the site. WordPress core now inserts this information itself, and while it's useful for WordPress to know who is running which version, leaving it available to anyone who takes a peek at your source code is a security hazard.

Why? Because giving a hacker the version number outright makes their job easier. And you don’t want to make a hacker’s job easier! Instead, just insert this code into the functions.php file for your theme:

// Return an empty string in place of the generator output, so the
// <meta name="generator"> tag no longer reveals the WordPress version.
function remove_wp_version() {
    return '';
}
add_filter( 'the_generator', 'remove_wp_version' );

This will remove the version number and add another layer of security to your site.

4. Evaluate Your Username and Password

You’ve heard this advice time and time again, but you really, really need to listen to it. Choosing a hard-to-guess username and a strong password is important for your site’s overall security. First of all, never use “admin” as your username. Since it’s the most common WordPress username, leaving it unchanged is like handing hackers half of your login credentials.

Second, use a series of numbers, letters, and symbols for your password. Basically, make it impossible for a human to guess, and extremely difficult for a machine to crack.

5. Perform Regular Site Backups

Many people roll their eyes when they hear they need to back up their sites often. Not because they don’t understand it’s important; rather, because the thought of backing up an entire site is exhausting. A lot of people just don’t want to commit the time and effort to the project.

Thankfully, backups can be completely automated these days, and scheduling them in advance is the wise choice: that way, you’ll never forget to back up your WordPress website again. The WordPress Codex has detailed instructions on how to back up your site manually. Or, you can opt for a WordPress plugin (Backup Buddy and VaultPress are two options we’ve used before here at WPExplorer).

6. Keep Your Site Up-to-Date

Hackers come up with new strategies to wreck websites on a daily basis, so running an outdated version of WordPress is just asking for trouble, especially since WordPress publishes the flaws and security holes of previous versions as soon as a new version is released, as seen in the above photo. Always make sure your site is running the latest version for optimum security.

7. Pick Secure Themes

It’s also important to select themes that have a good reputation. Those made by less-than-reputable developers, or that don’t have the cleanest code, could open up your site to security vulnerabilities once installed. Read reviews of themes before you install them, and if you’re purchasing a premium theme, always purchase one from a well-known WordPress website.

Likewise, always install theme updates when they become available. What was said above about keeping the WordPress core files up to date applies here as well.

8. Pick Secure Plugins

What I said above about themes applies to plugins, too, and the advice is likely doubly true for plugins since they can sometimes contain malware or malicious code. Don’t download a WordPress plugin from a developer you don’t recognize, and always install updates when they become available to maintain site security.

9. Protect Your Files

One of the most important files on your entire WordPress site is the wp-config.php file. It stores a ton of data about your site, including details about your database and the settings for the site as a whole. A hacker with the right knowledge could change everything about your site just with this file’s information. So, as you can imagine, it’s important to protect it.

Thankfully, you can, with a relatively simple fix. All you need to do is add the following code snippet to your .htaccess file, just below where it says # END WordPress:

# Apache 2.2 syntax (on Apache 2.4, use "Require all denied" inside the block)
<Files wp-config.php>
order allow,deny
deny from all
</Files>
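As an added example (not code from this post), the following Python script checks from the outside whether the measures from steps 1, 2, 3 and 9 are actually in effect on a site you own. SITE_URL is a placeholder, and the wp-admin check only means something when the script runs from an IP that is not on your whitelist.

```python
import re
import urllib.error
import urllib.request

SITE_URL = "https://example.com"  # placeholder: your own site; run from an IP NOT on the wp-admin whitelist


def has_generator_tag(body):
    """True if a <meta> tag names WordPress as generator, in either attribute order."""
    return any("generator" in tag.lower() and "wordpress" in tag.lower()
               for tag in re.findall(r"<meta[^>]*>", body, re.I))


# (path, description, predicate over (status, body) that is True when hardened)
CHECKS = [
    ("/wp-admin/", "wp-admin denied to non-whitelisted IPs (step 1)",
     lambda status, body: status == 403),
    ("/wp-content/uploads/", "directory browsing disabled (step 2)",
     lambda status, body: status != 200 or "index of" not in body.lower()),
    ("/", "WordPress version removed from generator tag (step 3)",
     lambda status, body: not has_generator_tag(body)),
    ("/wp-config.php", "wp-config.php denied by the <Files> rule (step 9)",
     lambda status, body: status == 403),
]


def fetch(url):
    """GET url and return (status, body); HTTP error codes are results, not exceptions."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def evaluate(responses):
    """Map each checked path to True (hardened) or False (still exposed).
    `responses` maps path -> (status, body), so captured responses can be evaluated offline."""
    return {path: bool(ok(*responses[path])) for path, _, ok in CHECKS}


def main(site_url=SITE_URL):
    base = site_url.rstrip("/")
    results = evaluate({path: fetch(base + path) for path, _, _ in CHECKS})
    for path, desc, _ in CHECKS:
        print(f"[{'OK' if results[path] else 'FAIL'}] {desc}: {path}")
    return 0 if all(results.values()) else 1


if __name__ == "__main__":
    raise SystemExit(main())
```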

10. Pick the Right Hosting Provider

A lot of your site’s security comes down to the WordPress hosting provider you choose. While I can’t tell you which host is best — there are way too many variables to consider to discuss in this article — I can tell you that reading reviews is imperative to making a wise decision. Be sure to evaluate a host’s security, backup solutions, and server type before coming to a final choice (we talk more about what to consider when choosing a host in our post about selecting the right host and our post about the best host for you).