Securing your blog/website is vital to your success. The following steps for WordPress will help make your blog secure and discourage hackers.
Always Use the Most-Current WordPress Version
Upgrading not only fixes bugs and adds new features; more importantly, it closes security holes, and those holes become public knowledge the moment a fix is released. To upgrade your installation, go to your Dashboard –> Updates (older releases: Dashboard –> Tools –> Upgrade). I recommend choosing Update Automatically, or you can download the latest version and upload it through FTP. Update your plugins and themes from the same screen, since an outdated plugin is exploited just as readily as an outdated core. Effective by Design can take care of this for you with our Monthly Secure Service Plan.
Hide Your WordPress Version Number
Most themes output a line in the <head> section that looks similar to the following:
<meta name="generator" content="WordPress 4.7.3" />
By viewing the page source, a hacker can see at a glance that you are running an out-of-date installation and try the published exploits for that version. To stop it, remove the wp_generator action from wp_head in your theme's functions.php, or delete that line from the theme's header template. Treat this as a small win rather than a fix: the version is still visible in the ?ver= query strings on core scripts and styles and in readme.html at the site root, and only keeping WordPress current actually closes the holes.
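The following POSIX shell functions are an added example, not code from the original post, showing where the version still leaks after the generator tag is gone. They audit an HTML response body (the sample below is constructed for the example; a real audit would feed in the output of curl) for the generator meta tag and for the ?ver= strings on core assets.

```shell
#!/bin/sh
# Added example (not from the original post): audit a fetched HTML body for
# WordPress version leaks. The generator meta tag is only one of them; core
# assets carry the version in their ?ver= query string, and readme.html at
# the site root states it too.

# Sample response body, constructed for this example; a real audit would
# feed in the output of: curl -s https://example.com/
SAMPLE_HTML='<html><head>
<meta name="generator" content="WordPress 4.7.3" />
<link rel="stylesheet" href="/wp-includes/css/dashicons.min.css?ver=4.7.3" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body></body></html>'

# Version from the generator meta tag; prints nothing when the tag is gone.
generator_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*<meta name="generator" content="WordPress \([0-9.]*\)".*/\1/p'
}

# Distinct ?ver= values on wp-includes assets. Core scripts and styles are
# enqueued with the WordPress version, so 4.7.3 still shows up here after
# the meta tag is removed (1.12.4 below is jQuery's own version).
asset_versions() {
    printf '%s\n' "$1" |
        grep -o 'wp-includes/[^"]*?ver=[0-9.]*' |
        sed 's/.*?ver=//' |
        sort -u
}

# Human-readable report of everything found in the body.
report_version_leaks() {
    html=$1
    gen=$(generator_version "$html")
    if [ -n "$gen" ]; then
        printf 'generator meta tag: %s\n' "$gen"
    fi
    for v in $(asset_versions "$html"); do
        printf 'asset ?ver= string: %s\n' "$v"
    done
}

report_version_leaks "$SAMPLE_HTML"
```

Run it against the sample and both leak sources are reported; remove only the meta tag and the ?ver= lines remain, which is the point of the caveat above.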
Prevent Viewing of the Plugins Directory
If directory indexes are enabled, anyone can list /wp-content/plugins, see exactly which plugins you run, and look up published holes for any that are outdated.
To prevent this, disable directory indexing, or add a blank index.php or index.html file to the directory. Doing both is best, because the blank file still works on hosts where .htaccess overrides are switched off.
If your webhost/server uses cPanel, you can disable indexes by going to Index Manager. Choose Web Root and click on public_html. Then choose No Indexing and click Save. This option simply writes the Options -Indexes directive into your root .htaccess file for you.
To test whether this worked, browse to /wp-content/plugins. A blank page (the empty index file), a 403 Forbidden (indexing disabled) or a 404 error all mean it worked; a list of your plugin folders means it did not. Note that this only hides the list: an attacker can still probe well-known plugin paths directly, so keeping plugins updated matters more than hiding them.
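As an added example (not the post's own code), the shell functions below apply both layers from a script: Options -Indexes in the root .htaccess, written once and not duplicated on re-runs, and an empty index.php in each wp-content subdirectory. A third function implements the test step, recognising an Apache autoindex page by its title. The site root path is whatever you pass in; the test uses a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): block directory listings of
# wp-content on an Apache host with two independent layers. Options -Indexes
# in the root .htaccess is what cPanel's "No Indexing" writes; the empty
# index.php files keep working where .htaccess overrides are disabled.

# Append Options -Indexes to SITE_ROOT/.htaccess unless it is already there,
# so the script can be re-run safely.
disable_apache_indexes() {
    site_root=$1
    htaccess="$site_root/.htaccess"
    if [ -f "$htaccess" ] && grep -q '^Options[[:space:]].*-Indexes' "$htaccess"; then
        return 0
    fi
    printf '%s\n' '# Never list directory contents' 'Options -Indexes' >> "$htaccess"
}

# Drop an empty index.php into the directories attackers enumerate.
# Only directories that exist are touched; existing index files are kept.
add_index_guards() {
    site_root=$1
    for dir in wp-content wp-content/plugins wp-content/themes wp-content/uploads; do
        [ -d "$site_root/$dir" ] || continue
        if [ ! -e "$site_root/$dir/index.php" ]; then
            printf '<?php\n// Intentionally empty: prevents a directory listing.\n' \
                > "$site_root/$dir/index.php"
        fi
    done
}

# The test step from the article, automated: does a fetched response body
# look like an Apache autoindex page? (Succeeds when it does.)
is_directory_listing() {
    printf '%s\n' "$1" | grep -qi '<title>Index of /'
}

harden_wp_content() {
    disable_apache_indexes "$1"
    add_index_guards "$1"
}

# Usage: harden_wp_content /var/www/html
# Then:  curl -s https://example.com/wp-content/plugins/ | { read -r body; ... }
```

Nginx has no .htaccess; there the equivalent is autoindex off, which is already the default, and only the index.php layer applies.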
Make Regular Database and File Backups
It's always important to have both a database backup and a file backup of your blog and site. Backing up is simple and only takes a few minutes.
The MySQL database contains almost your entire blog: every post, comment, trackback, user account and setting. Lose it without a backup and you have lost nearly everything, so back up the database frequently and on a schedule, and keep the copies somewhere other than the web server itself, where a compromise or disk failure would take them too.
WP-DB-Backup is a simple plugin that lets you download a copy of your database without going through the database control panel.
For the files, simply download your entire public_html folder through FTP; this covers your themes, plugins, uploads and wp-config.php. Again, Effective by Design can take care of this for you with our Monthly Secure Service Plan.
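For sites with shell access, the following script is an added example (not the post's or the plugin's own code) of the same two backups done from the command line. It reads the database credentials out of wp-config.php so nothing is hard-coded, hands the password to mysqldump through a private option file rather than on the command line, and archives the file tree. It assumes mysqldump, tar and gzip are installed and that DB_HOST is a plain hostname; the wp-config.php used in the test is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): dump the database and archive
# the site files from the command line, reading the credentials out of
# wp-config.php so nothing is hard-coded. Assumes mysqldump, tar and gzip
# are installed and DB_HOST is a plain hostname (host:port is not split).
# Point DEST somewhere outside the web root.

# Print the value of a define('NAME', 'value') line from wp-config.php.
# Handles single or double quotes and stray spaces inside the parentheses.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Back up SITE_ROOT into DEST as db-<stamp>.sql.gz and files-<stamp>.tar.gz.
backup_wordpress() {
    site_root=$1
    dest=$2
    config="$site_root/wp-config.php"
    stamp=$(date +%Y%m%d-%H%M%S)
    db_name=$(wp_config_value "$config" DB_NAME)
    db_user=$(wp_config_value "$config" DB_USER)
    db_pass=$(wp_config_value "$config" DB_PASSWORD)
    db_host=$(wp_config_value "$config" DB_HOST)
    [ -n "$db_name" ] || { echo "could not read DB_NAME from $config" >&2; return 1; }
    mkdir -p "$dest"

    # Pass the password through a mode-600 option file instead of -p on the
    # command line, where ps would show it to every local user. The value is
    # quoted so characters such as # are not read as a comment.
    cnf=$(mktemp) || return 1
    chmod 600 "$cnf"
    printf '[client]\nuser="%s"\npassword="%s"\nhost="%s"\n' "$db_user" "$db_pass" "$db_host" > "$cnf"
    mysqldump --defaults-extra-file="$cnf" --single-transaction --quick "$db_name" |
        gzip > "$dest/db-$stamp.sql.gz"
    rm -f "$cnf"

    # The files: themes, plugins, uploads and wp-config.php itself.
    tar -czf "$dest/files-$stamp.tar.gz" -C "$(dirname "$site_root")" "$(basename "$site_root")"
    echo "backup written to $dest (db-$stamp.sql.gz, files-$stamp.tar.gz)"
}

# Usage (from cron, for example):
# backup_wordpress /var/www/html /var/backups/wordpress
```

The archive contains wp-config.php and the dump contains password hashes and user e-mail addresses, so the backup directory needs the same care as the site: restrictive permissions and, if copied off-host, encryption in transit.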
Change the WordPress Admin Username
By default, the WordPress administrator username (not the password) is 'admin'. Newer WordPress versions let you choose a different username when installing, and on an existing site you can create a second administrator account with a different name, log in as it, and delete the old 'admin' account, reassigning its posts to the new one. DO IT. A hacker brute-forcing the admin account otherwise already has half of the credentials. We provide a plugin to do this as well. Bear in mind that usernames are not really secret (author archive pages reveal them), so this stops lazy automated attacks rather than a determined one; the strong password and login lockout described below are what actually hold.
Protect your wp-admin Directory
If you log into WordPress from only one or two locations (and have a static IP), restricting access to wp-admin by IP address is an effective control. Two things to remember: the login form, wp-login.php, sits in the site root rather than in wp-admin, so it needs the same restriction separately, and wp-admin/admin-ajax.php is called by plugins on behalf of ordinary visitors and must stay reachable.
Login Lockdown is a plugin that locks out an IP address after a certain number of failed logins within a given period, which blunts brute-force password guessing.
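As an added example (not from the post), this shell function generates the wp-admin .htaccess for the IP restriction in Apache 2.4 syntax, including the admin-ajax.php exception mentioned above. The addresses in the usage line are documentation ranges, not a real deployment; Apache 2.2 would need the older Order/Allow directives instead.

```shell
#!/bin/sh
# Added example (not from the original post): generate an Apache 2.4
# .htaccess that restricts wp-admin/ to an allowlist of addresses. The
# addresses used below are RFC 5737 documentation ranges, not a real site.

# Print the .htaccess body for wp-admin/ given one or more IPs or CIDR ranges.
wp_admin_allowlist() {
    if [ "$#" -lt 1 ]; then
        echo 'usage: wp_admin_allowlist IP_OR_CIDR...' >&2
        return 2
    fi
    printf '# Restrict the dashboard to known addresses (Apache 2.4 syntax)\n'
    printf '<RequireAny>\n'
    for addr in "$@"; do
        printf '    Require ip %s\n' "$addr"
    done
    printf '</RequireAny>\n'
    # admin-ajax.php lives in wp-admin/ but is requested by anonymous
    # visitors through themes and plugins; blocking it breaks those features.
    printf '\n# Public AJAX endpoint must stay reachable\n'
    printf '<Files admin-ajax.php>\n    Require all granted\n</Files>\n'
}

# Usage: write the result where Apache will read it, then re-test from an
# address outside the list and confirm you get 403.
# wp_admin_allowlist 203.0.113.5 198.51.100.0/24 > /var/www/html/wp-admin/.htaccess
wp_admin_allowlist 203.0.113.5 198.51.100.0/24
```

The same Require block, wrapped in a Files section for wp-login.php, belongs in the root .htaccess; without it the login form stays open to everyone while only the dashboard behind it is restricted.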
Protect your wp-config.php File
Don't allow your database username and password to fall into the wrong hands. Because it is a PHP file, a correctly configured server executes wp-config.php rather than serving its source, but a PHP handler misconfiguration, or an editor backup copy such as wp-config.php~ left beside it, can expose the contents as plain text. Block direct requests to it in your blog's root .htaccess file by adding the following lines (on Apache 2.4 without mod_access_compat, use Require all denied inside the Files block in place of the Order/Deny pair):
# Protect wp-config.php
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
Set Proper File Permissions
Files on a server carry permission bits (set with chmod). Setting them too loose (777, for example) lets other accounts on a shared host, or a compromised script, write to your site; setting them too tight breaks functions such as uploading media and editing themes. The usual baseline is 755 for directories, 644 for files, and 600 or 640 for wp-config.php, with anything world-writable treated as a finding. A plugin called WP Security Scan can report which files and directories deviate from this.
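The shell functions below are an added example (not the plugin's or the post's own code) that apply that baseline with find and list anything left world-writable. They assume PHP runs as the user who owns the files (suPHP or a per-site PHP-FPM pool); where the web server runs as a separate user, uploads need group write and wp-config.php needs 640 with the server's group instead of 600.

```shell
#!/bin/sh
# Added example (not from the original post): the conventional WordPress
# permission layout, 755 for directories, 644 for files and 600 for
# wp-config.php, applied with find, plus a check for anything world-writable.
# Assumes PHP runs as the user that owns the files (suPHP / a per-site
# PHP-FPM pool). If the web server is a separate user, give uploads group
# write and wp-config.php 640 with the server's group instead.

# Report world-writable files and directories: the bit that lets a
# neighbouring account on a shared host plant files in your site.
world_writable() {
    find "$1" ! -type l -perm -002
}

# Apply the baseline. -type d / -type f never match symlinks, so a stray
# link cannot be used to chmod something outside the site.
fix_wp_permissions() {
    site_root=$1
    find "$site_root" -type d -exec chmod 755 {} +
    find "$site_root" -type f -exec chmod 644 {} +
    if [ -f "$site_root/wp-config.php" ]; then
        chmod 600 "$site_root/wp-config.php"
    fi
}

# Usage:
# world_writable /var/www/html        # audit first
# fix_wp_permissions /var/www/html    # then apply
# world_writable /var/www/html        # should print nothing
```

Run the audit before the fix on a live site: a plugin that legitimately needs write access to its own cache directory will show up there, and you want to know about it before, not after, the site goes read-only.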
Change Your Database Prefix from the Default wp_
By default, the WordPress table prefix is wp_, so automated SQL injection tooling assumes table names such as wp_users. Changing the prefix makes those canned attacks miss, but it is only an obstacle: an attacker who has an injection point can still read the real table names from information_schema. WP Security Scan can perform the rename for you. If you do it by hand, rename every table and also update the wp_user_roles option and the wp_capabilities and wp_user_level usermeta keys to the new prefix, or nobody will be able to log in as an administrator afterwards.
Use a Strong Password
As always, use a strong password: long, unique to this site, and ideally generated and stored by a password manager. Don't worry about losing it, since you can reset it via your email address; that also means your mailbox can unlock the blog, so it needs a strong password of its own.