How to secure WordPress Site
Keeping WordPress secure is important in order to ensure that your site isn’t compromised. Uptime is maximized, your data is safe, and your site runs as quickly and reliably as possible.
In this article, we are going to secure WordPress site.
1) Update Themes/Plugins
WordPress provides updates with security fixes all of the time. When you get the notification in admin panel, don’t ignore it! It is the most effective way to secure your site from attacks, and yet so many people leave their site un-updated for fear of breaking their themes and/or plugins.
2) Delete plugins,folders and files you don’t use
There is no point in holding those Plugins that you don’t use at all.
3) Limit login attempts
If you are the only person who needs to login to your Admin area and you have a fixed IP address, you can deny wp-admin access to everyone but yourself via an .htaccess file
For set Limit Access to wp-admin you can add below code in .htaccess file.
# Block access to wp-admin. order deny,allow allow from x.x.x.x deny from all
Replace x.x.x.x with your IP address
4) Ensure File and Folder Permissions Are Correct
As a basic guide, WordPress folders should always have 0755 permissions, and WordPress files should always have 0644 permissions
5) Use a strong password
Do not use simple passwords on your WordPress. Simple passwords might make it easy for you to remember it, but they are also easier for a hacker to crack.Use stronger and more secure passwords instead
6) Back up regularly
You always should have an up-to-date backup of your WordPress site, just in case something goes wrong and you have to restore your blog.
7) Use security plugins
There are tons of plugins you can use to tighten your site’s security and reduce the likelihood of being hacked.
8) Never use “admin” as your username
If you use “admin” as your username, and your password isn’t strong enough (see #3), then your site is very vulnerable to a malicious attack. It’s strongly recommended that you change your username to something less obvious.
Until version 3.0, installing WordPress automatically created a user with “admin” as the username. This was updated in version 3.0 so you can now choose your own username. Many people still use “admin” as it’s become the standard, and it’s easy to remember. Some web hosts also use auto-install scripts that still set up an ‘admin’ username by default.
9) Hide your username from the author archive URL
Another way an attacker can potentially gain access to your username is via the author archive pages on your site.
By default WordPress displays your username in the URL of your author archive page. e.g. if your username is joebloggs, your author archive page would be something like http://yoursite.com/author/joebloggs
This is less than ideal, for the same reasons explained above for the “admin” username, so it’s a good idea to hide this by changing the user_nicename entry in your database
10) Disable file editing via the dashboard
In a default WordPress installation, you can navigate to Appearance > Editor and edit any of your theme files right in the dashboard.
The trouble is, if a hacker managed to gain access to your admin panel, they could also edit your files that way, and execute whatever code they wanted to.
So it’s a good idea to disable this method of file editing, by adding the following to your wp-config.php file:
define( ‘DISALLOW_FILE_EDIT’, true );