WordPress is one of the most popular platforms to build websites. It’s easy to learn and makes running a site manageable for just about anyone. But the popularity of WordPress also leads to an intense interest in it from hackers. The core WordPress installation, if kept up to date, is somewhat secure. But as you add plugins and themes, that margin of security shrinks quickly.
How Do I Secure My WordPress Site?
There are several things you can do to help ensure your site is safe from would-be security threats and hackers.
- Stay up to date – By far the simplest thing you can do is keep your WordPress installation up to date. You can even choose to let WordPress update automatically. Not only do newer versions come with more features, they almost always include new security fixes. On top of this, when a new version includes security fixes, the problems it fixes are described publicly in its changelog… making it easy for hackers to identify soft spots in sites that haven’t updated yet. Just make sure you keep regular backups of your site in case something breaks when you update.
- … This includes plugins and themes – Not only do you need to keep your WordPress installation up to date, running the newest version, but the same should be done for plugins and themes, for the same reasons. And if you don’t absolutely need a plugin, delete it. If you have copies of themes you’ve tried in the past and aren’t using, delete them also.
- NO ‘admin’ usernames – It’s the most common login username and just makes it that much easier for hackers or their scripts to gain access to your site. On that note, change your password every so often, too, and use long, hard-to-guess ones. Use a password generator like LastPass.
- Use the right file permissions – Set your files to 640 or 644, except your wp-config.php file. Set that one to 600. Set directories to 755.
- Limit login attempts – This is easily done with a plugin called WP Limit Login Attempts.
- Use an official, valid theme – Don’t trust themes from places that aren’t well known and don’t download premium paid-for themes for free. You never know if they’ve included malicious code that will harm your site or give someone else access to it. You can scan your site with services like Sucuri or Code Guard’s MalwareGone or plugins like Exploit Scanner.
- Use official, valid plugins – Same as above… Don’t trust plugins from places that aren’t well known and don’t download premium paid-for themes or plugins for free.
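
The file permission rule in the list above, as an added example that is not part of the original article: a shell script that audits a WordPress directory against those modes and resets the ones that differ. The function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Modes from the list above: directories 755, files 640 or 644,
# wp-config.php 600. Only find(1), sed(1) and chmod(1) are used.

# Print each path under $1 whose mode differs from the recommendation.
audit_wp_perms() {
    find "$1" -type d ! -perm 755 -print | sed 's/^/dir, want 755: /'
    find "$1" -type f -name wp-config.php ! -perm 600 -print |
        sed 's/^/config, want 600: /'
    find "$1" -type f ! -name wp-config.php ! -perm 640 ! -perm 644 -print |
        sed 's/^/file, want 640 or 644: /'
}

# Reset non-conforming modes under $1. $2 picks the file mode (640 or 644,
# default 644); which one works depends on the user your web server runs as.
fix_wp_perms() {
    file_mode=${2:-644}
    case $file_mode in
        640|644) ;;
        *) echo "file mode must be 640 or 644" >&2; return 2 ;;
    esac
    find "$1" -type d ! -perm 755 -exec chmod 755 {} +
    find "$1" -type f -name wp-config.php ! -perm 600 -exec chmod 600 {} +
    find "$1" -type f ! -name wp-config.php ! -perm 640 ! -perm 644 \
        -exec chmod "$file_mode" {} +
}

# Build a constructed sample tree (not a real site) with three bad modes
# and print its path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-content/uploads"
    : > "$t/wp-config.php"; : > "$t/index.php"
    : > "$t/wp-content/uploads/photo.jpg"
    chmod 755 "$t" "$t/wp-content"
    chmod 777 "$t/wp-content/uploads"           # world-writable directory
    chmod 644 "$t/wp-config.php"                # config readable by everyone
    chmod 644 "$t/index.php"                    # already fine
    chmod 666 "$t/wp-content/uploads/photo.jpg" # world-writable file
    echo "$t"
}

sample=$(make_sample_tree)
audit_wp_perms "$sample"      # lists the three bad paths
fix_wp_perms "$sample" 644
audit_wp_perms "$sample"      # prints nothing once the modes are corrected
rm -rf "$sample"
```

Run the audit on its own first and read the list before calling the fix function on a live site, and take a backup beforehand as with any other change.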