Six Steps to Secure Your WordPress Sites

Written by the team at Plesk, one of our sponsors. 

Attackers are targeting WordPress sites more and more. We always hear about how quickly and easily a WordPress site can be set up, but what about WordPress security? Don’t put your company’s and your customers’ data at risk: follow these steps for the best security practices.

1. Update files and plugins regularly

Any known vulnerability is a risk, so we wouldn’t take any chances if we were you. New WordPress security releases and plugin updates come out all the time to fix the latest vulnerabilities, so running the most recent version of the core, your theme and every plugin closes the holes attackers are actively scanning for. Plugins and themes you no longer use should be deleted rather than merely deactivated, since their files stay on the server either way.

2. Limit access to WordPress admin panel

This is where you access and perform all your site actions. Well, you and everyone else who has access. So it’s important to restrict access to wp-login.php and the /wp-admin/ directory to those who really need it.

3. Manage your locations

Take your home IP address and add the lines below to the .htaccess file in your site’s root directory (the same directory that contains wp-login.php; it is not part of the WordPress admin panel, so you will need SFTP or your hosting control panel’s file manager to edit it). Replace xx.xxx.xxx.xxx with your own IP address. Note that these are Apache 2.2 directives: Apache 2.4 only accepts them when mod_access_compat is loaded, and otherwise answers every request with a 500 error, locking everyone out, yourself included:

  <Files wp-login.php>
  Order Deny,Allow
  Deny from all
  Allow from xx.xxx.xxx.xxx
  </Files>

Multiple locations

If you want to allow logins from multiple locations, add another “Allow from” line for each additional address. A network range in CIDR notation (for example 198.51.100.0/24) works too.
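A fuller version of the restriction from step 3, as an added example that is not part of the original post: it wraps the directives in IfModule conditions so that the same file works on Apache 2.2 and on Apache 2.4 without mod_access_compat, and it allows several locations at once. The addresses are placeholders taken from the documentation ranges; replace them with your own. The module name mod_authz_core.c is the one Apache 2.4 ships, and the file goes in the site root next to wp-login.php.

```apache
# Added example, not from the original post: limit wp-login.php to a list of
# trusted addresses on either Apache 2.2 or 2.4. Addresses are placeholders.
<Files wp-login.php>
    # Apache 2.4: mod_authz_core provides "Require". Several "Require ip"
    # lines at the same level are combined as "any of these", so each
    # address or range listed here is allowed and everything else is denied.
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </IfModule>

    # Apache 2.2 (no mod_authz_core): the classic Order/Deny/Allow form.
    # "Deny,Allow" must be written without a space after the comma.
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
        Allow from 198.51.100.0/24
    </IfModule>
</Files>
```

To protect the dashboard as well, put the same IfModule sections (without the Files wrapper) into a second .htaccess inside wp-admin/, but keep wp-admin/admin-ajax.php reachable for everybody with its own Files section (Require all granted on 2.4, Order Allow,Deny plus Allow from all on 2.2), because themes and plugins call it from the public site for logged-out visitors. Before relying on the rule, test from an address that is not on the list, and keep a way in that does not go through the web server (SFTP or the hosting panel) so you can undo a lockout.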

Do you switch locations and use Wi-Fi?

Then you need access to your admin panel regardless of IP address, so in this case security comes from limiting login attempts to a small number, which protects you from those trying to guess your password.

Start by adding the “WP Limit login attempts” plugin, then choose the number of wrong password entries allowed before an address is locked out. Keep in mind that a lockout keyed on the source IP address slows down an attacker using one machine, but not one spreading guesses across many addresses, and that users behind a shared address (an office NAT, for instance) can lock each other out, so pair this with the stronger passwords from step 5.

4. Change the admin username

You may think this is obvious, but you would be surprised how many users never change the WordPress username. Keeping the well-known username “admin” hands attackers half of the credential: all they need is a bot that guesses the password repeatedly, and, worse, they are often successful. So best avoid all that and change your username right away. WordPress does not let you edit an existing username from the profile screen, so create a new administrator account with a different name, log in as that account, and delete the old “admin” user, attributing its posts to the new account when asked.

5. Make your passwords harder

No matter how unique you think your password is, the fact is that many people will have chosen the same or a similar one. Think about it this way: you don’t think too hard about what goes into your password, but a hacker whose mission is to break through your barriers? They will!


Here’s how you do it. Think of a sentence that’s characteristic of you and use the first letter of each word. Mix in some numbers and symbols here and there to add to the complexity, and voila! Better still, let a password manager generate a long random password for the site and remember it for you. Whichever you choose, never reuse the WordPress password anywhere else: a breach of some other service is the first place attackers look for it.

6. Wipe out viruses and malware

You probably know that the biggest threats are not always direct attacks on the site: malware that sits on your own computer for ages, collecting keystrokes, saved passwords and other important information, is just as dangerous.

This is how a hacker quickly acquires your login details the moment you sign in to your site, and no amount of server hardening helps against it. Hence why you need good antivirus software installed. Just make sure you keep it updated and scan your computer regularly.

But can you be 100% secure?

There’s no such thing online. However, follow these necessary steps and you significantly reduce the chances of hacking, data theft and misuse. Going one step further, tools like Plesk WordPress Toolkit let you run security checks on content, databases, files, directories, installations and more. You get this when you install the Plesk panel on your system.

8 Replies to “Six Steps to Secure Your WordPress Sites”

      1. Hi Robert,
        There is no ‘best’ answer to that question, unfortunately. And that is the issue with .htaccess files nowadays – https://www.acunetix.com/blog/articles/htaccess-security/.

        A better .htaccess example uses an IfModule condition to check for mod_authz_core, because the example in #3 will fail if mod_access_compat is not available (and it shouldn’t – https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html).

        A better .htaccess is something along the lines of:

        <Files wp-login.php>
            # Apache 2.2
            <IfModule !mod_authz_core.c>
                Order Deny,Allow
                Deny from all
                Allow from xx.xxx.xxx.xxx
            </IfModule>

            # Apache 2.4
            <IfModule mod_authz_core.c>
                Require all denied
                Require ip xx.xxx.xxx.xxx
            </IfModule>
        </Files>

        But this leaves out users of Windows Server IIS and Nginx.


WordCamp Seattle 2018 is over. Check out the next edition!