If you are serious about your WordPress website, then you need to pay attention to WordPress security measures. In this guide, I will share WordPress security tips to help you protect your website from hackers and malware.
Table of Contents
- 1 Top-10 Tips to Secure WordPress Website
- 1.1 1. Change Default Username
- 1.2 2. Use Two-Factor Authentication
- 1.3 3. Change WordPress Login URL
- 1.4 4. Setup Website Lockdown Feature
- 1.5 5. Harden .htaccess and wp-config.php File
- 1.6 6. Use HTTPS
- 1.7 7. Change Default Database Table Prefix
- 1.8 8. Keep Strong Passwords
- 1.9 9. Use Correct Files and Folders Permission
- 1.10 10. Keep WordPress Updated
Top-10 Tips to Secure WordPress Website
1. Change Default Username
During a WordPress installation do not choose administartor username as a “admin” instead choose a name that is hard to guess. Username “admin” is very easy for hackers to guess, so all they need to do is to findout the password, then the entire website control will be in wrong hands.
2. Use Two-Factor Authentication
Another good security measure is the introduction of a two-factor authentication (2FA) module on the login page. In this, the owner provides login details for two different components.
Website owners decide what they both are. It can be a secret password, a secret code, a set of letters or a regular password followed by the Google Authenticator app, which sends a secret code to your phone. That way, only the person with your phone (you) can log into your site.
Also Read: How to Reduce Bounce Rate on Blog or Website
3. Change WordPress Login URL
By default, the WordPress login page is accessed easily by adding wp-login.php or wp-admin to the site’s main URL. Changing the login URL is an easy task to secure the WordPress login. There are many WordPress plugins available to do this, you can find any good one and use it.
4. Setup Website Lockdown Feature
The lockdown feature for unsuccessful login attempts can solve the massive problem of continuous bruteforce attempts. Whenever a hacking attempt occurs with repetitive wrong passwords, the site is locked, and you are notified of this unauthorized activity.
5. Harden .htaccess and wp-config.php File
Before adding any new entries to the .htaccess and wp-config.php file, take their backup. wp-config.php and .htaccess are the most important files on your WordPress website and it is very important to protect them.
To avoid a DDoS attack, paste the below code into the .htaccess in the root directory of your WordPress installation, so that no one can make changes to this important files without your permission.
<files .htaccess> order allow,deny deny from all </files> <files wp-config.php> order allow,deny deny from all </files>
6. Use HTTPS
Be sure to change your WordPress site to HTTPS to protect against hackers and other security attacks. HTTPS encrypts the connection between your web browser and your web server, which will keep the attacker away while transferring data from one server to another.
7. Change Default Database Table Prefix
When you install WordPress Website, its default database table prefix name starts with wp_. Hackers know this well, they can severely damage a site’s database by SQL injection.
Such an attack can be avoided by changing the Database Table Prefix. Change wp_ to any other prefix like xizq_, istc_, xzxi_ etc. You can also use number in it.
If you have already installed a WordPress website with database table prefix wp_, then this can be easily changed by the WordPress plugin “All in one WP Security and Firewall“.
8. Keep Strong Passwords
The most common WordPress hacking reason is weak password. You can simplify the problem by using strong passwords that are unique to your website. Not only for the WordPress admin area, but also for FTP accounts, databases, WordPress hosting accounts, and your custom email addresses that use your site’s domain name.
9. Use Correct Files and Folders Permission
Avoid configuring directories with 777 permissions. According to WordPress.org, you should opt for 755 or 750. While you’re at it, set the files to 640 or 644 and wp-config.php to 600.
10. Keep WordPress Updated
WordPress is an open source website creation tool that is regularly updated. By default, WordPress automatically installs minor updates. But for major version releases, you need to update it manually.