We always recommend using strong passwords and a different password for every account. Dictionary words make passwords far too easy to guess. Bots on the internet run brute-force attacks, trying to log on to your site with easy-to-guess user name and password combinations. If one succeeds, the winning combination is sent to the attacker, who now has full access to your site. So if your user name is “admin” and your password is “password”, you have a problem. Another trap is reusing user names and passwords across different sites to make them easier to remember: if the combination is discovered on one site it can be abused on every other site you are registered on. We are sharing our essential WordPress security tips for 2014 with you.
With the ever-increasing number of user names and passwords we have to remember, it is best to use a password manager.
A good password manager should help you:
- Generate strong passwords.
- Remember your user names and passwords for you.
- Automatically log you in to the websites you have accounts on.
If you are already using a password manager and you are happy with it, don’t change anything. Otherwise we recommend LastPass. It slots into your internet browser and, on top of remembering all your user names and passwords, also logs you in automatically. It works on most browsers and on Windows, Mac and Linux. And by the way… it’s free… unless you need the mobile version, in which case it is very cheap. Drawback: it only works through your browser, so you have to copy your password manually into other programs, like your FTP client for example.
If you access your hosting account with an FTP client you need to use Secure FTP. If you connect via regular FTP, the user name and password to your hosting account are sent over the Internet in clear text, so anyone ‘listening in’ on the connection can steal your login information. This is especially risky when you are connected via public wifi. In your FTP client you have to change the connection method to Secure FTP. Secure FTP goes by many different names. Most often it is one of the following:
The type of Secure FTP you can use depends on what your hosting provider has enabled; if necessary, ask them. If they offer no way of connecting via Secure FTP you should probably consider changing hosting provider! How to change the connection method depends on your FTP client.
WordPress Update Notifications
Subscribe to the official WordPress email notifications. These notifications cover WordPress core updates only, not plugins. It is extremely important that you keep your WordPress site updated: once an update is released, apply it to your site as soon as possible to close any security holes identified in the release.
We recommend the following security plugins; install and configure them according to your needs.
- Login LockDown
- Semisecure Login Reimagined
- WP Login Security
- Google Authenticator
- WordPress File Monitor Plus
- iThemes Security
Schedule Backups Of Your WordPress Site
You need to back up the complete WordPress site on a regular basis, and store the backups safely outside of your hosting account. No site will ever be 100% secure; if your site is compromised you need to be able to restore it quickly, and the quickest and safest way to recover is to restore a known-good backup. Keep a number of backups, in case the attack on your site is only discovered after some time.
Delete Unused Plugins And Themes
Remove anything you do not use from WordPress, e.g. disabled plugins and themes. All files in your WordPress root folder are accessible from the Internet regardless of whether you use them or not; even if you disable a plugin, its files are still there and still reachable from the Internet. This is a potential security risk, as you may not pay attention to updating plugins and themes you are not using.
Remove The Default Administrator User
Most WordPress sites are installed with wp_ as the database table prefix and admin as the default administrator user. This makes it too easy for hackers to break into your site.
Disable User Registration If Not Used
Make sure you do not allow users to register as members on your site unless you need them to. If you do need users to be able to register make sure you give them the minimum user role required.
Follow these steps:
- In your WordPress administration panel go to Settings > General
- Make sure Anyone can register is unchecked.
Delete The install.php File
If the install.php file exists in your wp-admin folder, delete it. Depending on how you installed WordPress, the installation file might still exist in your wp-admin folder, which potentially poses a security risk. Go to your wp-admin folder and, if the install.php file exists, simply delete it.
Move The wp-config.php File
If your WordPress site is installed in the public_html folder you can move the wp-config.php file one level up. This is typically the case if you only have one website on your hosting account. The wp-config.php file is a very important configuration file: it contains a lot of sensitive information about your WordPress site, your database credentials for example. WordPress automatically looks for this file in the folder above the WordPress root folder if it does not exist in the root folder. Moving the file out of the public_html folder means it is no longer accessible from the Internet. If your WordPress site is installed in a sub-folder below the public_html folder you can only make use of this trick for one WordPress site. And please be aware that if you have another site installed in the public_html folder, the wp-config.php file might be visible on that site.
Disable File Editing From The Administration Panel
If a hacker gets access to your administration panel they can modify your theme and plugin files. By disabling file editing you ensure that files can only be updated using SFTP or the file manager on your hosting account. Add the following code to the top of your wp-config.php file.
/* BEGIN WordPress Security Checklist Addition: Disable Editor */
define('DISALLOW_FILE_EDIT', true);
/* END WordPress Security Checklist Addition: Disable Editor */
Use Unique Keys And Salts In wp-config.php
Your wp-config.php file contains a number of keys and salts that make it harder to hack your site. You need to ensure that these keys are unique. Depending on how you installed WordPress you might already have unique keys and salts. To verify, open your wp-config.php file. If you see the code below, you need to update the keys and salts:
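As an added example (Python, not part of the original article or of WordPress), the script below audits a wp-config.php file offline for three items from this checklist: keys and salts still set to the placeholder text that WordPress’s wp-config-sample.php ships with (‘put your unique phrase here’), a missing DISALLOW_FILE_EDIT, and the default wp_ table prefix; it can also rewrite the salts with values from a CSPRNG. The sample configuration text is constructed for the demonstration, and reading the real file and writing it back is left to you.

```python
import re, secrets, string

# The eight key/salt constants WordPress defines in wp-config.php.
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Placeholder value shipped in WordPress's wp-config-sample.php.
PLACEHOLDER = "put your unique phrase here"
# One define() per line is assumed, as in a stock wp-config.php.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+)\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")

def parse_defines(config_text):
    """Return {NAME: raw_value} for every define() in the config text."""
    return {m.group(1): m.group(2).strip() for m in DEFINE_RE.finditer(config_text)}

def audit_wp_config(config_text):
    """Return a list of findings for the checks this checklist describes."""
    findings = []
    defines = parse_defines(config_text)
    for key in SALT_KEYS:
        value = defines.get(key)
        if value is None:
            findings.append(f"{key}: missing")
        elif PLACEHOLDER in value or len(value.strip("'\"")) < 32:
            findings.append(f"{key}: placeholder or short value, regenerate it")
    if defines.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT: not true, theme/plugin editor is enabled")
    prefix = PREFIX_RE.search(config_text)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("table_prefix: still the default wp_")
    return findings

def generate_salt(length=64):
    """Random salt from a CSPRNG; quotes and backslashes are excluded so the PHP string stays valid."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def regenerate_salts(config_text):
    """Rewrite every key/salt define() with a freshly generated value."""
    return DEFINE_RE.sub(
        lambda m: f"define('{m.group(1)}', '{generate_salt()}');"
        if m.group(1) in SALT_KEYS else m.group(0), config_text)

# Constructed sample wp-config.php fragment: placeholders still present, editor not disabled.
SAMPLE_CONFIG = "<?php\n$table_prefix = 'wp_';\n" + "".join(
    f"define('{k}', '{PLACEHOLDER}');\n" for k in SALT_KEYS)
```

Running audit_wp_config(SAMPLE_CONFIG) reports all eight placeholder salts, the missing DISALLOW_FILE_EDIT and the wp_ prefix; after regenerate_salts, changing the prefix and adding the define, it reports nothing.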
Cloudflare For Security
Cloudflare has advanced security features. It screens all incoming traffic to your WordPress site before it reaches your site, and known threats are automatically blocked. Cloudflare can help protect you from comment spam, excessive bot crawling, malicious attacks like SQL injection and denial of service (DoS) attacks, and more. In addition to the security features, Cloudflare also acts as a Content Delivery Network, taking a lot of the load off your site by caching static content.