Posted by: Kevin McNally
While we all know that a less common password and two-factor authentication can do a lot to improve WordPress security, there are further steps you can take to improve it even more, even if you consider yourself less than tech-savvy. Read on and find 6 steps to better WordPress security.
One of the easiest steps for a more secure WordPress is to reduce the chances for Brute Force attacks, attacks that try usernames and passwords over and over again until they get in - and often wp-admin and wp-login access points are targeted. WordPress comes with a default admin or administrator username, and many don’t change this so attackers can easily combine this default username with a password to get in. To reduce risk of this attack, you can add a new user with Administrator rights and delete the default admin user. Go to Users > New User and make a new unique username with Administrator rights.
To further protect you from Brute Force attacks, you can limit the amount of login attempts on your WordPress site. There are many WordPress plugins to help protect your login from IP addresses that are trying multiple login attempts to get in. For instance, the All in One WP Security & Firewall plugin has an option to change the default URL for a login form which will discourage attacks that target your login form.
This may seem like a no-brainer, but you should grant permissions only to those that need it, when they need it, and only for the time they need it. So if someone requires administrator access for a couple of days, grant it, but then remove it when the task is completed to reduce security risk.
Protecting your website’s wp-config.php file is a very important step for your WordPress security. Wp-config.php comes standard in your WordPress installation and contains sensitive information about your installation like your database access, secret keys and table prefix. The .htaccess file is a way to deny foreign access and tampering with your wp-config.php and should be treated with equal care in hiding.
Although this sounds like a complicated process, thankfully it is not. It’s especially easy to execute when you are using Yoast SEO for WordPress > Tools > File Editor to edit your .htaccess.
To first deny access to your wp-config.php file, you need to add this to your .htaccess file to protect wp-config.php:
deny from all
As stated earlier, this will deny access to the wp-config.php file itself. To make sure we tie up all loose ends, we can apply similar code to the .htaccess file too:
deny from all
You see? That wasn’t so complicated now was it. Make sure you hide both of these files to make sure you are completely secure.
The hosting company you choose can make a difference in your WordPress security. Unfortunately, many of the cheaper hosting companies usually don’t have the support needed to help you if your site is hacked, and most don’t include much to secure your site (like a Website Firewall). Also, when considering a shared hosting option, note that this usually implies that your hosting server is also populated with other websites - websites that could have security problems of their own which might affect your website security too. Specialized hosting products for WordPress from some hosting companies offer backups, malware scanning and DDoS protection, redundant firewalls and automatic WordPress updates.
Another huge responsibility that will really help with your site’s security is keeping your website up-to-date. This can be difficult, and timely, as many websites today are complex and have many different things going on at any given moment. Plugins also are a big component that need to remain up-to-date to keep from being vulnerable to security threats. Make sure you have a good Firewall that keeps you safe while you take the time needed to make updates.
Even if you don’t consider yourself very tech-savvy, these 6 steps will help you on your way to better WordPress security. Go further than a good password and two-step authentication to improve security even more by following these steps today.