Webriti Themes Blog


9 tips to enhance security of your WordPress powered website

Ashwini Sah | Mar 11, 2014

WordPress is easy to install, easy to manage, easy to operate and, at the same time, easy to hack. Yes, there are more loopholes than you can imagine that let hackers peep into your blog.

Better safe than sorry!

Getting your website hacked is a nightmare. You can lose your website and its contents all of a sudden. But that doesn’t mean nothing can be done to prevent it from being hacked. With some tweaks and hacks, you can make your website secure enough to avoid falling prey to the wrong hands. And in case they manage to pull it down, you would be able to put it back up and running in no time. Here are nine quick tips which will make your WordPress blog more secure and hack-proof.

Tips to secure WordPress blog

Let’s start with the basics first. The easiest way to hack a website is to make unauthorised login attempts, which could be either trial-and-error guesswork or a brute-force attack. The next few steps focus on protecting your WordPress-powered website from such login attempts.

1. No ‘admin’ username – While installing WordPress, it suggests ‘admin’ as your user id by default. Hence, it’s definitely the first choice for hackers trying to peep into your blog.

As a rule of thumb, you should always choose a unique username while installing a WordPress blog. In case you already have an established blog with the ‘admin’ username, you should change it to something else.

While trying to change it, you will notice WordPress doesn’t allow changing a username, so there’s a workaround. You can create a new user, assign it admin privileges, and then delete the original administrator (or limit its role) after logging in to the new account. Alternatively, you can change the WordPress username through your cPanel as well; here’s how:

– Visit your cPanel > phpMyAdmin. In the sidebar, choose the WordPress database of your blog.

[Screenshot: change-username-wordpress]

– Once you are in your database, click on the table named ‘wp_users’.

[Screenshot: change-username-wordpress-1]

– Here you will see a list of all the users of your blog. Click on your own and change it to something else.

[Screenshot: change-username-wordpress-2]

2. Hide your username – Reiterating what we said earlier, WordPress has more loopholes than you can imagine, and one of them is leaking your username through the author archive. If you notice, the author archive of your articles will be something like http://yoursite.com/author/username. Isn’t that unsafe again?

Technically, when you create a user, WordPress automatically creates a ‘nicename’ that is the same as the username, and that nicename is then used in the author archive URL mentioned above.

If you notice in the screenshot above, you also have an option to change ‘user_nicename’. Follow the same steps and this time click on your nicename to change it to something else.

[Screenshot: change-author-archive-url]
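The two database edits described in steps 1 and 2 (renaming the ‘admin’ login and giving it a different nicename) can also be done in one go from code, which avoids typos in phpMyAdmin and keeps WordPress’s own validation and uniqueness rules. The following is an added example, not code from the original post; it uses WordPress’s `$wpdb` and user-lookup functions, and the login and nicename values in the usage line are placeholders you would replace with your own.

```php
<?php
/**
 * Added example (not code from the original post): rename the default
 * 'admin' account and change its public nicename using WordPress's $wpdb API.
 * Run once (e.g. from a temporary mu-plugin or a WP-CLI eval-file) and then
 * remove it. The new login/nicename values passed in are placeholders.
 */

function webriti_example_rename_admin( $old_login, $new_login, $new_nicename ) {
    global $wpdb;

    // Refuse values that WordPress itself would not accept as a username.
    if ( ! validate_username( $new_login ) ) {
        return new WP_Error( 'bad_login', 'Invalid username.' );
    }

    // The nicename is a URL slug; it must not simply repeat the login name,
    // or the author archive would still reveal the username.
    $new_nicename = sanitize_title( $new_nicename );
    if ( '' === $new_nicename || $new_nicename === $new_login ) {
        return new WP_Error( 'bad_nicename', 'Nicename must differ from the login name.' );
    }

    // Both columns are unique in wp_users, so check before writing.
    if ( username_exists( $new_login ) || get_user_by( 'slug', $new_nicename ) ) {
        return new WP_Error( 'taken', 'Username or nicename already in use.' );
    }

    $user = get_user_by( 'login', $old_login );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'No such user.' );
    }

    // Equivalent to the phpMyAdmin edit in the screenshots above:
    // UPDATE wp_users SET user_login = %s, user_nicename = %s WHERE ID = %d;
    $rows = $wpdb->update(
        $wpdb->users,
        array( 'user_login' => $new_login, 'user_nicename' => $new_nicename ),
        array( 'ID' => $user->ID ),
        array( '%s', '%s' ),
        array( '%d' )
    );
    if ( false === $rows ) {
        return new WP_Error( 'db', $wpdb->last_error );
    }

    // Drop cached copies of the user so the old login stops resolving immediately.
    clean_user_cache( $user->ID );
    return $user->ID;
}

// Usage (placeholder values): rename 'admin' and give it a different nicename.
// $result = webriti_example_rename_admin( 'admin', 'j.editor', 'site-author' );
```

The display name (`display_name`) is a separate column and is what appears on posts; it is left unchanged here, so check that it does not also spell out the new login. After the rename, log in with the new username, since the old one no longer exists.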

3. Use strong passwords – Now that you have secured your username, the next step is a no-brainer. If you are one of the folks fond of using common passwords like ‘password’, ‘abcdefgh’ or ‘12345678’, you are offering hackers an open gate to peep in. Change it immediately to a strong and hard-to-guess password. Here are a few tips to create and maintain strong passwords:

  • Avoid using common passwords
  • Make your password long
  • Make it a mix of numbers, alphabets and special characters
  • Don’t use the same password everywhere
  • Change your password often
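Asking users to pick strong passwords works better when the site refuses weak ones. The following added example, which is not code from the original post, enforces the first three rules above (no common passwords, a minimum length, a mix of character classes) whenever a password is set in the profile screen or through the reset form, using WordPress’s `user_profile_update_errors` and `validate_password_reset` hooks. The deny list of common passwords is a constructed sample and the length threshold is an assumption.

```php
<?php
/**
 * Added example (not code from the original post): reject weak passwords
 * on profile updates and password resets. The common-password list below is
 * a constructed sample; a real deployment would load a much larger list.
 * The 12-character minimum is an assumed policy value.
 */

function webriti_example_password_problems( $password ) {
    // Constructed sample of common passwords, matched case-insensitively.
    $common   = array( 'password', 'abcdefgh', '12345678', 'qwerty', 'letmein' );
    $problems = array();

    if ( in_array( strtolower( $password ), $common, true ) ) {
        $problems[] = 'This password is on the common-password list.';
    }
    if ( strlen( $password ) < 12 ) {
        $problems[] = 'Use at least 12 characters.';
    }
    // Require letters, digits and at least one special character.
    if ( ! preg_match( '/[0-9]/', $password )
        || ! preg_match( '/[A-Za-z]/', $password )
        || ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        $problems[] = 'Mix letters, numbers and special characters.';
    }
    return $problems;
}

/**
 * Shared callback. Hook signatures differ:
 *   user_profile_update_errors( $errors, $update, $user )
 *   validate_password_reset( $errors, $user )
 * Both pass the WP_Error collector first; the submitted password is in pass1.
 */
function webriti_example_validate_password( $errors ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no password change submitted with this request
    }
    $password = wp_unslash( $_POST['pass1'] );
    foreach ( webriti_example_password_problems( $password ) as $msg ) {
        // Adding an error makes WordPress abort the update and show the message.
        $errors->add( 'weak_password', '<strong>Error</strong>: ' . esc_html( $msg ) );
    }
}
add_action( 'user_profile_update_errors', 'webriti_example_validate_password', 10, 1 );
add_action( 'validate_password_reset', 'webriti_example_validate_password', 10, 1 );
```

Because the check runs server-side in the same request that saves the password, it cannot be bypassed by disabling the browser-side strength meter. Dropping this file into `wp-content/mu-plugins/` keeps it active without a plugin activation step.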

4. Limit login attempts – A brute-force attack is one of the most popular methods to hack a website, or anything protected by a password for that matter. By default, WordPress doesn’t put a limit on login attempts, leaving it open to such attacks.

A plugin called ‘Limit Login Attempts’ can come in handy in this case. It limits the number of login attempts a particular IP address can make, making password guessing and brute-forcing against your website almost impossible.
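To show what such a plugin does underneath, here is an added example (not code from the original post and not the ‘Limit Login Attempts’ plugin’s own code) that locks an IP address out after a number of failed logins, using only WordPress’s built-in `wp_login_failed`, `authenticate` and `wp_login` hooks plus transients for storage. The thresholds are illustrative, and it assumes the server sees the client’s real address in `REMOTE_ADDR`; behind a reverse proxy you would take the address from the proxy’s header instead, and trust that header only when the request comes from the proxy.

```php
<?php
/**
 * Added example (not code from the original post or the plugin it mentions):
 * per-IP login lockout using WordPress transients.
 * Assumptions: 5 failures within 20 minutes triggers a lockout; REMOTE_ADDR
 * is the real client address (no reverse proxy in front of the site).
 */

define( 'WEBRITI_EXAMPLE_MAX_ATTEMPTS', 5 );
define( 'WEBRITI_EXAMPLE_LOCKOUT_SECONDS', 20 * MINUTE_IN_SECONDS );

// Transient key for the current client; the address is hashed so the raw IP
// is not written into wp_options.
function webriti_example_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'webriti_login_fail_' . md5( $ip );
}

// Count a failed login for this address and log when the threshold is hit.
function webriti_example_record_failure( $username ) {
    $key      = webriti_example_client_key();
    $attempts = (int) get_transient( $key ) + 1;
    // Each failure refreshes the window, so a locked-out client that keeps
    // trying extends its own lockout.
    set_transient( $key, $attempts, WEBRITI_EXAMPLE_LOCKOUT_SECONDS );
    if ( $attempts >= WEBRITI_EXAMPLE_MAX_ATTEMPTS ) {
        // A lockout is worth recording for later review: which account was
        // being guessed and from which (hashed) address.
        error_log( sprintf( 'login lockout for %s after %d failures (client %s)',
            sanitize_user( $username ), $attempts, $key ) );
    }
}
add_action( 'wp_login_failed', 'webriti_example_record_failure' );

// Override the authentication result while the client is locked out.
// Priority 30 runs after core's username/password check (priority 20), so a
// WP_Error returned here cannot be replaced by a later core filter.
function webriti_example_check_lockout( $user, $username, $password ) {
    $attempts = (int) get_transient( webriti_example_client_key() );
    if ( $attempts >= WEBRITI_EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            '<strong>Error</strong>: Too many failed logins. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'webriti_example_check_lockout', 30, 3 );

// A successful login clears the counter for this address.
function webriti_example_clear_failures( $user_login, $user ) {
    delete_transient( webriti_example_client_key() );
}
add_action( 'wp_login', 'webriti_example_clear_failures', 10, 2 );
```

Transients live in the options table (or the object cache when one is configured), so the counter survives across requests and PHP workers without extra infrastructure. The `error_log` line is the detection side of the measure: a burst of lockout entries against one account name is the signal that a password-guessing run is underway.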

Few more steps…

All the workarounds mentioned above protect your website from invalid login attempts, and not from server-side loopholes. Here are a few more steps to make your website a fool-proof setup.

5. Keep your WordPress updated – The WordPress development community keeps a watch on its security holes and bugs, and keeps fixing them by releasing regular security updates. It’s always a good idea to update your WordPress install as soon as a new version is released. The same holds true for themes and plugins as well.

[Screenshot: wordpress-updates]

6. Choose your themes and plugins carefully – The true power of WordPress lies in extending its functionality through themes and plugins. However, you should be careful while choosing a theme or plugin for your website. Using one from an unreliable provider might mean you are injecting malicious code into your setup yourself.

If you like using free themes or plugins, prefer the official WordPress repository. If you wish to buy one externally, go for reputable publishers only.

7. Use a security plugin – Using a security plugin will let you implement the protective measures with ease. The WordPress repository contains a host of such plugins. A plugin called ” lets you implement many of the steps mentioned above, if not all. Additionally, it scans your code periodically, changes login URLs and content paths, changes database prefixes and implements a lot of other security measures.

8. Use a secure host – Are you on a free or cheap shared hosting plan? If yes, you might not be serious about your website. With shared hosting, you always have many websites on a single server, and every owner can upload their own code and scripts. Doesn’t this make the whole server very much vulnerable to attack?

If you are running a serious web business, don’t fall prey to free or cheap hosting offers. Choose only a good, reputable and secure home for your website.

9. Most important of all, back up – The hacking game is like a cat-and-mouse chase, where hackers are always a step ahead of protectors. Regardless of how much you have firewalled your website, there’s always a fair chance of it getting abused. Taking regular backups is the best way to ensure that you are up and running soon after any such attack.

While the security plugin mentioned above can take regular backups, you might also prefer to go for a standalone plugin. ‘BackUP WordPress’ is a good, handy plugin for that matter.

Over to you…

As said, hackers are always a step ahead, and you can hardly make a website a hundred percent secure. Hence, we welcome you to come up with your own tips and suggestions to make this list even better, if not fool-proof.
