How to secure your WordPress web site?
Security is the most important issue for web sites these days, as per Google’s statistics. More and more web sites are getting compromised on a daily basis and used for malicious activity such as sending spam, uploading phishing materials or attacking other networks. WordPress is the most widely used open source software on the web, serving millions of web sites all over the world, which makes it a very attractive target for hackers to compromise and abuse. There are multiple steps to keep in mind when securing your WordPress web site: choosing the best WordPress hosting plan for your site, setting proper permissions on the files that contain sensitive data such as login details, installing one or more security plugins, regularly auditing your web site’s access logs, keeping WordPress and all plugins and themes up to date and, of course, configuring your server to block most web attacks by running a WAF (web application firewall), a HIDS (host intrusion detection system), a firewall and a server hardened with security measures. The last part is up to your web hosting company, unless you run your own server and are the systems administrator managing it.
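The access-log audit mentioned above is easy to automate. The following is an added example (not code from the article): a POSIX sh/awk script that counts POST requests to wp-login.php per client address, flags addresses that exceed a threshold, and counts xmlrpc.php hits. It assumes the web server writes the common/combined log format (client IP first, then the quoted request line) and uses a constructed sample with RFC 5737 test addresses so it runs offline.

```shell
#!/bin/sh
# Added example: audit a WordPress access log for login brute-force and
# xmlrpc.php activity. Assumes combined log format and POSIX sh + awk.

# Constructed sample log lines (made up for this example, not real traffic).
LOG_SAMPLE='203.0.113.10 - - [10/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Jan/2024:10:07:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.55 - - [10/Jan/2024:10:07:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.7 - - [10/Jan/2024:10:09:00 +0000] "GET / HTTP/1.1" 200 9000 "-" "Mozilla/5.0"'

# Count POST requests to wp-login.php per client IP, highest first.
# Reads log lines on stdin; prints "<count> <ip>" per address.
# In combined format $1 is the client IP, $6 the quoted method ("POST) and
# $7 the request path.
login_posts_by_ip() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# Print the IPs whose wp-login.php POST count is at or above the threshold
# given as $1. Repeated POSTs to the login form from one address within a
# short window are the signature of a password-guessing run.
flag_login_bruteforce() {
    login_posts_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Count every hit on xmlrpc.php, the other endpoint the article locks down;
# on most sites this should be zero or close to it.
xmlrpc_hits() {
    awk '$7 ~ /^\/xmlrpc\.php/ { n++ } END { print n + 0 }'
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$LOG_SAMPLE" | login_posts_by_ip
printf '%s\n' "$LOG_SAMPLE" | flag_login_bruteforce 3
printf '%s\n' "$LOG_SAMPLE" | xmlrpc_hits
```

On a live server you would run the same functions over the real log, for example `flag_login_bruteforce 20 < /var/log/apache2/access.log`, and feed the flagged addresses into whatever blocking the host provides; the threshold is a tuning choice, since legitimate users mistype passwords too.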
Here are the most important steps to follow which will guarantee your WP web site is safe.
- Change the permissions of your wp-config.php file to 600. By default its permissions will be 644, which means that anybody with an account on your (shared) server will be able to read your WordPress MySQL login details, access your database and compromise the web site. Keep in mind that even the best WordPress hosting will not help if you neglect the security of your own account and WordPress application.
- Make sure you are using a hard-to-guess password for both your backend and the MySQL database user. That will stop the brute-force attacks that are running 24/7 against WordPress web sites around the globe. A strong password is one that contains letters, numbers and special characters such as “,;:)(#@!”.
- Remove any themes that you are not using. Forgetting that you have a theme uploaded which you don’t update is a security risk: a vulnerability in it may be discovered and your web site compromised through a theme you never needed. Keep only what you need and remove everything else.
- Keep WordPress, the plugins and themes up to date at all times. It’s easiest to do that by enabling automatic updates. Add the following line in case it is not already there (note that add_filter() belongs to the WordPress plugin API, which is not loaded yet while wp-config.php is being executed, so the line has to run after WordPress has loaded, e.g. from a must-use plugin or your theme’s functions.php, rather than at the top of wp-config.php):
add_filter( 'auto_update_plugin', '__return_true' ); // let WordPress install plugin updates automatically
- Install a security plugin such as Wordfence or Sucuri.
- Restrict access to wp-login.php and xmlrpc.php to your IP. That will block tons of attacks. You can do so by adding the following to your .htaccess file.
<FilesMatch "^(wp-login|xmlrpc)\.php$">
allow from 220.127.116.11
deny from all
</FilesMatch>
Replace 220.127.116.11 with your IP address. If you want to access the scripts from multiple IPs, add one “allow from xxx.xxx.xxx.xxx” line per address. The <FilesMatch> wrapper limits the rule to those two scripts; without it the same two lines would lock everyone but you out of the whole site. Note that allow/deny is Apache 2.2 access-control syntax; on Apache 2.4 it only works while mod_access_compat is loaded, otherwise use “Require ip xxx.xxx.xxx.xxx” instead.
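The two server-side steps above (the wp-config.php permissions and the .htaccess restriction) can be checked and applied from the shell. The script below is an added example, not code from the article: it reports whether wp-config.php is readable only by its owner and tightens it to 600, and it generates an .htaccess fragment limiting wp-login.php and xmlrpc.php to a list of IPv4 addresses in both the Apache 2.4 (Require) and the Apache 2.2 (Order/Allow/Deny) syntax, each guarded by <IfModule> so one file works on either version. It assumes a Linux host with GNU coreutils (stat -c); the file path and the IP addresses are arguments.

```shell
#!/bin/sh
# Added example: check/fix wp-config.php permissions and generate the
# .htaccess restriction for wp-login.php and xmlrpc.php.
# Assumes GNU stat (Linux); on macOS/BSD use `stat -f '%Lp'` instead.

# Return 0 if the file is readable only by its owner (mode 600 or 400),
# 1 otherwise, 2 if the file cannot be inspected. Prints the octal mode.
wpconfig_perms_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    echo "$1: mode $mode"
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Tighten wp-config.php to 600 (owner read/write only), as the article
# recommends, then re-check it.
harden_wpconfig() {
    chmod 600 "$1" && wpconfig_perms_ok "$1"
}

# Validate a dotted-quad IPv4 address: four numeric octets, each 0-255.
is_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
                { exit 1 }'
}

# Print an .htaccess fragment that allows wp-login.php and xmlrpc.php only
# from the given IPs (one or more). Apache 2.4 evaluates the "Require ip"
# lines and denies everyone else; the 2.2 block is used only when the 2.4
# authorization module is absent.
htaccess_restrict() {
    [ $# -gt 0 ] || { echo "usage: htaccess_restrict IP [IP...]" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    done
    echo '<FilesMatch "^(wp-login|xmlrpc)\.php$">'
    echo '  <IfModule mod_authz_core.c>'
    for ip in "$@"; do echo "    Require ip $ip"; done
    echo '  </IfModule>'
    echo '  <IfModule !mod_authz_core.c>'
    echo '    Order deny,allow'
    echo '    Deny from all'
    for ip in "$@"; do echo "    Allow from $ip"; done
    echo '  </IfModule>'
    echo '</FilesMatch>'
}

# Stand-alone demo: check a temporary stand-in for wp-config.php and print
# a fragment for two constructed (RFC 5737) addresses.
demo_file=$(mktemp)
chmod 644 "$demo_file"
wpconfig_perms_ok "$demo_file" || echo "insecure, fixing"
harden_wpconfig "$demo_file"
rm -f "$demo_file"
htaccess_restrict 203.0.113.10 198.51.100.7
```

Redirect the generator's output into the .htaccess file in the WordPress root (appending, so existing rules survive) and then confirm from a second, unlisted address that wp-login.php answers 403 while the rest of the site still loads.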
Contact your web hosting company and make sure they have ModSecurity (mod_security) installed to block attacks against your web site, and a firewall to filter the malicious traffic targeted at your WP web site. All of that will result in your WordPress installation being secure and you will not have to waste time fighting hackers. Good luck!