WordPress is one of the most popular website development tool to create any website very quickly and easily. Now, different types of sites are creating and publishing in regular basis by using WordPress. So WordPress security is now a very important concern for the WordPress site owners. There are many security plugins available to provide security for WordPress site. These plugins are useful for the site but only using these plugins can’t make any site fully secure. You need to follow some careful approaches also to make your site more secure. Some useful ways that you can apply in your WordPress site to make it more secure are mentioned in this article.
WordPress Security Settings:
1. Choose better hosting plan
Hosting server is very important factor for your website security. Your site can be hacked after providing necessary securities if your site is not hosted in better hosting server. Security vulnerability of hosting server is one of the major reasons of hacking WordPress website. So, always try to select best hosting plan for hosting your site according to your budget.
2. Secure login
A. Set strong username and password for admin login
Default username of admin panel is ‘admin’ which is very easy to guess. So don’t set username as admin or any common name like your name or website name as username. So it is better to use uncommon or unpredictable word for username to login as administrator. Using strong password is another important requirement for admin login. Select password with the combination of capital letter, small letter, special character and number which will be difficult for the hacker to guess. You can also try to change the password of admin account regular basis for more security.
B. Apply two-factor authentication
User require to entry unique code with username and password to login the admin panel in two factor authentication. Here, unique code will send into a smartphone or device by SMS which is attached with the account by a phone number. So without this unique code no one will be able to login even he/she knows username and password of admin. You can use a plugin named Google Authenticator for WordPress for applying two-factor authentication.
C. Limit login
You can stop the hacker to guess your password and prevent brute-force attack by limiting number of login attempts. If you set login limit by using any plugin then login screen will be blocked after fixed number of tries and administrator will get a notification by email. WP Limit Login Attempts plugin can be used to provide this security.
D. Logout inactive user automatically
Many times we forget to logout after completing the task. If the user is inactive for long times after login then anyone can hijack the session, change password or able to change the account. You can use any appropriate plugin to logout all idle users after certain period of time. You can use Inactive Logout plugin to do the task.
3. Secure hosting setup
A. Disable File Editing
You can disable file editing option for admin for more security. In that case, the hacker will not be able to change anything of your site even he/she will be able to gain access to your account. You can do this by adding the following line in wp-config file.
B. Hide WordPress version number
It is easy to hack the site if the hacker know the WordPress version number. So by hiding version number you can give more security to your site. You have to add the following line in functions.php file to hide WordPress version number.
C. Protect necessary directory and file
Most important folder and file of WordPress site is wp-admin folder and wp-login.php file. So it is necessary to protect these resource from unauthorized access. For protection, you have to search your home IP address and add the following line in .htacess file to prevent other user to access these file and folder where xxx.xxx.xxx.xxx will be replaced by your IP address.
Deny from all
Allow from xxx.xxx.xxx.xxx
D. Disable PHP error Reporting
Displaying any type of error can be harmful for your website because hacker will able to know the real path of your site from the error information. So it is better to disable error reporting for your site. Add the following lines to wp-config,php file to disable error reporting.
@ini_set (‘display_errors’, 0);
4. Secure the database
A. Set strong database name and password
Try to use strong database name and password during WordPress installation. Avoid to use ‘WordPress’ or ‘wp’ as database name which is very common and easy to guess.
B. Change default database table prefix
Default database table prefix of WordPress is wp_ and avoid to use this prefix at the time of installation for preventing SQL injection queries and other attacks.
C. Keep database backup regularly
When your site is hacked or destroyed by any reason then you can easily restore the site in previous state if you keep the backup of your database regularly.
5. Enable SSL for data security
You can get many benefits by enabling Secure Socket Layer (SSL) in your WordPress site. SSL helps to prevent man-in-middle attack by encrypting all information during sending and receiving data in your site. It can also help to boost the site in Google ranking. There are many hosting provider who are providing SSL without any cost to their client. You can choose any hosting provider with SSL or can buy SSL feature separately later.
6. Secure WordPress themes and plugins
You have to update all themes and plugins regularly to increase the security of your WordPress site. If you notice any security vulnerability in theme or plugin then try to recover or replace it. Remove those themes or plugins that are not using in the site because unused resources create security holes for the hacker.
7. Always keep your WordPress up-to-date
WordPress updates very frequently and every new version releases after fixing different bugs and security holes. That makes WordPress more secure. So when you get any notification of new update in your admin panel then do the update quickly to secure the site.
8. Use Security plugins
Many free and paid security plugins are available to make WordPress site more secure. You can use any good security plugin to enhance the security of the site. itheme security, All in one WP Security & Firewall, Wordfence Security, Sucuri Security, Bulletproof Security etc. are popular security plugin of WordPress.
You can keep your WordPress site more secure from unwanted attacks from hacker if you follow the above tricks properly.