Is your WordPress secure? How to secure a WordPress site
WordPress security is the next important thing after WordPress installation.
You have purchased a domain name and hosting space, installed the WordPress blogging platform, completed the database setup and started writing wonderful posts. But is this enough to secure your WordPress blog from malicious attackers? Definitely not. You are missing the most important part of your WordPress installation: WordPress security. Your blog needs to be safeguarded against malicious applications and individual hackers, and the WordPress system should be configured to minimize the amount of damage these attackers can do.
Let us discuss the primary steps to be done to secure your WordPress installation.
1. Make sure you are using a trusted host
There are many cheap web hosting services available, but they may not provide the infrastructure needed to keep the hosted websites safe and secure. The web server (in most cases Apache) running your WordPress could have vulnerabilities. The database (normally MySQL) holding the WordPress data and the scripting language (PHP) used for plugins or helper apps could also have vulnerabilities. Your hosting provider should make sure that you are running secure, stable versions of your web server, database and scripting interpreter.
The other important thing to note is the risk that comes with a shared hosting environment. If some other site in the same shared environment is compromised, there is a high probability that your site could be compromised as well.
When you choose your host consider all the above important points.
2. Always use the latest version of WordPress and Plugins
WordPress and its plugins periodically release new versions that carry important updates, including fixes for security vulnerabilities. Older versions of WordPress are more prone to attack because of these known security holes, and the same applies to old versions of plugins.
Secure your own Computer against threats
You always use your computer to upload files to your WordPress host or to post new articles to your blog. If your computer is infected, the probability of your WordPress installation getting infected is very high. Use the latest version of a good antivirus program and security tools. There are many high-quality antivirus programs available; read here: 10 Top AntiVirus Software of 2011.
3. Use strong password and username for all your accounts
Passwords are required to access your database, your WordPress admin interface, your FTP account, etc. Never use an easy password that can be broken quickly.
Related:
Top Ten Tips to Keep Your Passwords Safe and Strong
How To Recover WordPress Admin Password or Reset Admin Password
Password Protecting website Pages and Directories using .htaccess
4. Change/ Rename the administrative account user name.
The WordPress admin interface user name is "admin" by default. You can change this to something unique, either through the phpMyAdmin interface or with an SQL query. This is very simple; the following query does it:
UPDATE wp_users SET user_login='New Username' WHERE ID=1;
Here the value of ID (ID=1) must be the ID of the admin user's row in your wp_users table. If you have changed the table prefix (see step 6), use that prefix instead of wp_.
Or use the query below, which matches on the current user name instead of the ID:
UPDATE wp_users SET user_login = 'New Username' WHERE user_login = 'admin';
Where 'New Username' is your new admin user name. Execute this query and you are done.
5. Restrict File Permissions
You need to lock down the file permissions of your hosting account as much as possible. Your WordPress installation has many directories and files, and setting their permissions correctly limits what malware can do to the WordPress files.
If you are the webmaster and account holder then all files should be owned by your user account. All the files should be writable by you.
Root Directory or /
All files in the root should be writable only by your user account except .htaccess. This is because you may need to allow wordpress to rewrite the .htaccess rules.
/wp-admin/
These are the admin files. Here all the files should be writable only by your user account.
/wp-content/
The wp-content folder contains themes and plugins folder. If you are the only one who would be editing the files then only you should have access. Otherwise the permissions may vary.
As suggested by WordPress, the ideal permissions are:
- All directories should be 755 or 750.
- All files should be 644 or 640.
- wp-config.php should be 600 to prevent other users on the server from reading it.
- No directories should ever be given 777, even upload directories.
You can change the folder/file permissions by any of the following methods.
- Access your cPanel and then the File Manager link. Here you can modify the file/folder permissions.
- Use the chmod command. If you have shell/SSH access to your hosting account, you can use chmod to change file permissions. For example,
chmod 744 myfile.txt
Only you can read, write to, or execute myfile.txt; everybody else can only read it.
- Use an FTP tool like FileZilla to change the folder permissions.
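To apply the permissions listed above in one pass and then verify that nothing is left writable by other users, here is an added shell script (not from the original post). It assumes a Linux host with GNU stat and that you run it as the account that owns the files:

```shell
#!/bin/sh
# Added example: apply the permissions recommended above to a WordPress
# install (directories 750, files 640, wp-config.php 600) and then check
# that nothing is left writable by other users on the server.
# Assumes a Linux host (GNU stat) and that you run it as the file owner.

harden_wp_perms() {
    dir="$1"
    # Refuse to touch a directory that does not look like a WordPress install.
    [ -d "$dir/wp-admin" ] || { echo "not a WordPress install: $dir" >&2; return 1; }
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
    # wp-config.php holds the database credentials: owner-only.
    [ -f "$dir/wp-config.php" ] && chmod 600 "$dir/wp-config.php"
    return 0
}

# Lists every file or directory that "other" users can write to (this is
# what a 777 upload directory looks like); returns 1 if any were found.
find_world_writable() {
    found=$(find "$1" -perm -o+w)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Octal mode of a path, e.g. 600 (GNU stat syntax; assumption: Linux).
mode_of() {
    stat -c '%a' "$1"
}

# Usage: sh harden.sh /path/to/wordpress
if [ -n "${1:-}" ]; then
    harden_wp_perms "$1" && find_world_writable "$1" && echo "permissions OK"
fi
```

Run find_world_writable on its own after every plugin or theme upload; a 777 directory left behind by an FTP client is exactly what it will list.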
6. Database Security: Change the table prefix
By default WordPress creates database tables with the "wp_" prefix. Since this is the default, attackers can guess the table names to execute queries through SQL injection or other mechanisms. It is a good idea to change the table prefix to something different.
7. Password protect folders like /wp-admin
For an extra layer of protection you can add server-side passwords to important directories like "/wp-admin/". How to set up password-protected directories is discussed in the post below.
Password Protecting website Pages and Directories using .htaccess
8. Backup your data and files regularly
You should have a regular backup mechanism for your WordPress files and the MySQL database. To ensure data integrity, secure your backups with passwords or similar mechanisms.