Top Tips and Plugins for a Secure WordPress Site
Did you know that WordPress today hosts more than 8.7% of independent websites globally? This year alone, 83% of new websites are powered by WordPress. The reason for the steep growth in the number of WordPress users is its open source model: "open source" means millions of developers worldwide contribute to the WordPress project by creating plugins, themes, widgets and other tools that make WordPress an even better CMS.
Because of its rapidly growing popularity, WordPress has also become one of the main targets for hackers and spammers alike. If you run a WordPress site, it is your responsibility to take every measure to secure both your server and your website and minimize the chances of being hacked. Below are our top tips for a secure WordPress site:
Back up your site regularly
This is THE most important tip of all. Despite all the security measures you can take, a serious hacker can always find a way in if they try hard enough. Backing up is generally something that should be done outside of WordPress. If you are using a large hosting company such as HostGator, you should have access to cPanel or another administrative interface to manage your hosting account. From there, you should have an option to back up your entire site. Sometimes you will have the option to schedule automatic backups every day or every week. Make sure you are doing FULL backups (Database & Files) at least once a week. If you have a very active website with new content daily, consider running full backups a couple of times a week or even daily.
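For hosts without a one-click backup option, this is what a full (database plus files) backup looks like from the command line. It is an added example, not part of the original post; it assumes POSIX sh with tar, gzip and mysqldump on PATH, and the paths in the usage line are placeholders.

```shell
# Added example, not from the original post: a full (database + files)
# WordPress backup from the shell. Assumes POSIX sh, tar, gzip and mysqldump.

# Read a define('KEY', 'value') entry from wp-config.php so the dump uses
# the same database credentials WordPress itself uses.
wp_setting() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Dump the database and pack it together with the whole document root into
# one timestamped archive. Prints the archive path; returns 1 on any failure.
wp_full_backup() {
    root=$1; dest=$2
    work=$(mktemp -d) || return 1
    if [ -f "$root/wp-config.php" ]; then
        cfg=$root/wp-config.php
    else
        # wp-config.php was moved one level above the root: include a copy,
        # since archiving only the root would otherwise miss it.
        cfg=$(dirname "$root")/wp-config.php
        cp "$cfg" "$work/wp-config.php" || { rm -rf "$work"; return 1; }
    fi
    db=$(wp_setting "$cfg" DB_NAME); user=$(wp_setting "$cfg" DB_USER)
    pass=$(wp_setting "$cfg" DB_PASSWORD); host=$(wp_setting "$cfg" DB_HOST)
    # DB_HOST may carry a port in host:port form.
    case $host in *:*) port=${host##*:}; host=${host%%:*};; *) port=3306;; esac
    # Password goes through the environment, not argv, so it is not visible
    # in the process list. --single-transaction gives a consistent InnoDB dump.
    MYSQL_PWD=$pass mysqldump --single-transaction -h "$host" -P "$port" -u "$user" "$db" \
        > "$work/$db.sql" || { rm -rf "$work"; return 1; }
    mkdir -p "$dest" || { rm -rf "$work"; return 1; }
    archive=$dest/wp-backup-$(date +%Y%m%d-%H%M%S).tar.gz
    tar -czf "$archive" -C "$work" . -C "$(dirname "$root")" "$(basename "$root")" \
        || { rm -rf "$work"; return 1; }
    rm -rf "$work"
    echo "$archive"
}

# Usage (placeholder paths): wp_full_backup /home/user/public_html /home/user/backups
```

Run it from cron at the frequency the tip recommends, and copy the archives off the server so a compromised host cannot delete them along with the site.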
Keep WordPress and your plugins up to date
Now this is something that many website owners ignore. They're probably thinking: why should I upgrade when everything is running fine? Yes, we all know the saying "Don't fix it if it's not broken", but in the case of WordPress it is extremely important to keep updating your core WordPress engine AND your plugins, as security holes are fixed with every upgrade. Earlier WordPress versions have a much higher chance of getting hacked than newer ones.
Do not use "admin" as your username
Make sure you don't use "admin" as your username. It is much harder for a hacker to script guesses at both your username AND your password than to guess only the password when the username is already known. Simply create a new admin account under your name or a nickname, and delete the default admin account. You can do all this through the "Users" menu in your WordPress admin panel.
Move your wp-config.php file one level higher*
This is one of those secret tips that most people don't know about. The wp-config.php file is the most important file of your WordPress website. It contains your database name and password and a bunch of other details that would allow a hacker to take total control of your site and even delete it entirely. The wp-config.php file is located by default in the root directory of your WordPress installation (~/home/user/public_html/). We recommend that you move it one level higher (~/home/user/). It takes one minute to do through your favorite FTP program (we like using FileZilla). You can even ask your hosting support to do it for you. WordPress knows to automatically look one level higher if it doesn't find the file in your root folder.
*Note: this tip only applies to those who installed WordPress in the root of their domain name (www.domain.com). It does not work if you installed WordPress in a sub-directory (e.g. www.domain.com/blog).
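The same move from the shell, with a check that reproduces the lookup rule WordPress applies in wp-load.php (root first, then the parent directory only if the parent is not itself a WordPress install), which is also the case behind the sub-directory caveat in the note above. This is an added example, not part of the original post; it assumes POSIX sh, and the usage path is a placeholder.

```shell
# Added example, not from the original post: move wp-config.php one level
# above the WordPress root and confirm WordPress will still load it.

# Reproduces the lookup order WordPress uses in wp-load.php:
#   1. <root>/wp-config.php
#   2. <parent>/wp-config.php, but only if <parent> is not itself a
#      WordPress install (no wp-settings.php there).
# Prints the path WordPress would load, or "none".
wp_config_path() {
    root=$1
    parent=$(dirname "$root")
    if [ -f "$root/wp-config.php" ]; then
        echo "$root/wp-config.php"
    elif [ -f "$parent/wp-config.php" ] && [ ! -f "$parent/wp-settings.php" ]; then
        echo "$parent/wp-config.php"
    else
        echo none
    fi
}

# Move the file up one level, refusing to overwrite an existing copy, then
# restrict it so only the file owner can read the database credentials
# (use 640 with the web server's group if PHP runs as a different user).
# Returns 1 if WordPress would not load the relocated file.
move_wp_config_up() {
    root=$1
    parent=$(dirname "$root")
    if [ -e "$parent/wp-config.php" ]; then
        echo "refusing: $parent/wp-config.php already exists" >&2
        return 1
    fi
    mv "$root/wp-config.php" "$parent/wp-config.php" || return 1
    chmod 600 "$parent/wp-config.php"
    [ "$(wp_config_path "$root")" = "$parent/wp-config.php" ]
}

# Usage (placeholder path): move_wp_config_up /home/user/public_html
```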
Top WordPress Security Plugins to Consider
- WP Re-Captcha: reCAPTCHAs are among the most secure captchas out there. Originally invented at Carnegie Mellon University, reCAPTCHA has since been acquired by Google. The WP reCaptcha plugin will automatically insert strong captchas into every form of your WordPress site (login, comments, registration, etc.), which will block 99%+ of spambots from publishing content on your site.
- Limit Login Attempts: this is a very useful plugin that lets you set a maximum number of login attempts before the IP address that is trying to connect gets blocked. By default, WordPress allows an unlimited number of attempts to log in to the admin panel. This is a problem because experienced hackers can write scripts that automatically attempt to log in with different combinations of letters and numbers every millisecond until the right combination is found!
- WordPress File Monitor: Oftentimes when your website is hacked, the hacker was able to get into the file system and change one of your key files, such as wp-config.php or .htaccess. WordPress File Monitor is a very useful plugin that will automatically email you whenever a change occurs in one of the important files on your server.
- WP DB-Backup: Earlier in this post we recommended that you run regular full backups of your website. However, if your host doesn't let you do this easily, you can always install the WP DB Backup plugin and back up the database locally. Keep in mind that this won't back up your files, so if you made any modifications to your theme, consider doing a full backup as explained in our first tip.
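What the File Monitor plugin does can also be reproduced with a small baseline-and-compare script run from cron, which is useful when you want an alert that does not depend on the (possibly compromised) WordPress install itself. This is an added example, not part of the original post or of the plugin; it assumes POSIX sh with sha256sum, and the paths in the usage lines are placeholders.

```shell
# Added example, not from the original post: record hashes of the key
# WordPress files and report any later change. Assumes POSIX sh + sha256sum.

# Files whose unexpected modification most often indicates a compromise.
WP_WATCH_FILES="wp-config.php .htaccess index.php wp-load.php wp-settings.php"

# Write "hash  name" for every watched file that exists. Files that do not
# exist are recorded as MISSING so that their later appearance is reported too.
wp_baseline() {
    root=$1; out=$2
    : > "$out"
    for f in $WP_WATCH_FILES; do
        if [ -f "$root/$f" ]; then
            (cd "$root" && sha256sum "$f") >> "$out"
        else
            echo "MISSING  $f" >> "$out"
        fi
    done
}

# Compare the current state with a saved baseline. Prints one line per file
# that changed, appeared or vanished; returns 1 if anything differs, 0 if clean.
wp_check() {
    root=$1; base=$2
    now=$(mktemp) || return 1
    wp_baseline "$root" "$now"
    if cmp -s "$base" "$now"; then
        rm -f "$now"; return 0
    fi
    # Baseline entries that no longer match the current state.
    grep -vxF -f "$now" "$base" | while read -r hash name; do
        echo "CHANGED: $name (baseline $hash)"
    done
    rm -f "$now"
    return 1
}

# Usage (placeholder paths):
#   wp_baseline /home/user/public_html /home/user/wp.baseline
#   from cron: wp_check /home/user/public_html /home/user/wp.baseline || mail ...
```

Keep the baseline file outside the document root and refresh it only after you have applied an update yourself, so that every other change is an alert.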