WordPress is one of the most common installations today, and probably one of the most hacked ones as well. I am not blaming the script; mostly it is because users lack awareness of security-related issues.
This article covers the important changes you should consider in order to secure your WordPress site:
- Update your WP regularly - update, update, update. It is simple and easy: WordPress continuously issues security updates, and if you miss one, an attacker can take over your site.
- Select your plugins very carefully - the advantages of an open community are endless, but adding random plugins can be a security threat to your site. The problem is not necessarily due to malicious intentions of the plugin creator, but mostly due to the developer's lack of experience or knowledge of secure web development.
- Remove disabled and unneeded plugins - do this on a regular basis. It is almost automatic to install a plugin and later disable it, and a forgotten plugin can easily be the reason your site gets compromised.
- Select strong account and admin passwords - this is so essential that we have created a whole separate article focusing on strong passwords.
- Login limiter - it is very common for a user account to be broken via a brute-force password attack: in a very short period your login page is bombarded with different combinations of usernames and passwords. You can prevent this by setting a login limiter, which blocks further attempts after a number of failures.
- Disable user registration - if you do not need users to register on your site, make sure you disable this option. In your admin panel, open the Settings menu and untick 'Anyone can register'.
- Limit the IPs that can log into your admin account - this is another measure you can take to secure your site. The easiest way to do this is with a plugin that limits the IPs allowed to access your admin account.
- Remove the WP version info from your site - when you install WordPress it automatically adds the version number to the header of all your blog pages. Removing it is important, because leaving it freely published makes the life of a potential attacker much easier. Remove it from the page header meta tags, and since it is also contained in the readme.html file, renaming or removing that file as well could do the trick. If the version is still shown, add this line to your theme's functions.php file.
- WP security keys - if you do not have such keys, make sure you add them. These WordPress security keys, also known as secret keys, further protect your password by adding a 'salt' to it, making it much harder to break.
- Stop search engines from crawling your WP admin area - make sure search engines do not crawl and index your admin directories. This is done by adding 'Disallow' statements to your robots.txt file. If you do not have such a file on your site, create one and place it in your hosting account's public_html folder. Note that robots.txt only advises well-behaved crawlers; it does not restrict access to those directories. The file should look like:

    User-agent: *
    Disallow: /wp-admin/
    Disallow: /wp-includes/
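As an added example (not code from the original article), the following drop-in for a theme's functions.php covers two of the items above: it removes the WordPress version from the page head, feeds and asset URLs, and it implements a simple login limiter that locks out an IP for 15 minutes after 5 failed attempts. It assumes a standard WordPress install; the `example_`-prefixed function names and constants are hypothetical.

```php
<?php
// Added example, not from the original article. Assumes a standard WordPress install;
// "example_"-prefixed names are hypothetical.

// 1. Remove the version number from <head>, RSS feeds and enqueued asset URLs (?ver=...).
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
function example_strip_asset_version( $src ) {
    return remove_query_arg( 'ver', $src );
}
add_filter( 'style_loader_src', 'example_strip_asset_version' );
add_filter( 'script_loader_src', 'example_strip_asset_version' );

// 2. Login limiter: after EXAMPLE_MAX_ATTEMPTS failures from one IP, refuse logins
//    for EXAMPLE_LOCKOUT_SECONDS. Counters live in transients, so no extra tables.
define( 'EXAMPLE_MAX_ATTEMPTS', 5 );
define( 'EXAMPLE_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

function example_attempt_key() {
    // REMOTE_ADDR is only trustworthy when your web server or proxy sets it correctly.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

// Count a failed attempt; the transient expiry doubles as the lockout window.
function example_record_failed_login( $username ) {
    $key      = example_attempt_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, EXAMPLE_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'example_record_failed_login' );

// Runs after core's username/password check (priority 20) and vetoes locked-out IPs.
function example_check_lockout( $user, $username, $password ) {
    $attempts = (int) get_transient( example_attempt_key() );
    if ( $attempts >= EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', __( 'Too many failed logins. Try again later.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'example_check_lockout', 30, 3 );

// A successful login clears the counter for that IP.
function example_clear_attempts( $user_login, $user ) {
    delete_transient( example_attempt_key() );
}
add_action( 'wp_login', 'example_clear_attempts', 10, 2 );
```

Failed-login attempts also appear in your web server access log as repeated POSTs to wp-login.php, which is the easiest place to confirm the limiter is working.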