WordPress Security tips – Protect your WordPress Site

WordPress is known to be the most-used blogging tool today. Hundreds of successful websites and blogs run on WordPress. After reading lines like these you decide to start your blog on WordPress, and one day you write an awesome post that gets a lot of attention: social network shares, people commenting on it and so on. Yeah, I know that's a good thing, but think again: getting noticed also brings attention from spammers, hackers etc., and that is definitely something you really don't wish for. So let's have a look at some methods to toughen up your WordPress security.

WordPress Security tips

Secure your wp-config file

Believe me, this little file of a few KB is the most important file on your site. It contains your database username, password, database name and much other important data. The main problem is that, by default, it sits inside the web root, where the web server can serve it to anyone. You can check yours by copying this into your browser: http://www.yourwebsite.com/wp-config.php. Even if the world is allowed to request this file you might just see a blank page, but if you find plain text then you should start worrying about your WordPress security.

The easiest method to protect wp-config.php is to move the file up one directory. For example, if your wp-config file is saved at home/username/public.html/your_config_file, then after moving it up one directory it would be at home/username/your_config_file. WordPress looks one level above its install directory for the file automatically, so nothing else needs changing. It's that easy, and almost anyone can do it with no problem at all.

Another method to protect wp-config.php is to modify your .htaccess file.

For Apache, paste this code at the top of your .htaccess file. It will block anyone from accessing your wp-config file:

# Deny public access to wp-config.php
# (On Apache 2.4 without mod_access_compat, replace the two Order/Deny lines with "Require all denied".)
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>

For an Nginx server, put this inside the site's server block:

# Deny public access to wp-config.php
location ~* wp-config.php {
    deny all;
}

If you have done everything right, you will get a 403 "Access forbidden" error (or a 404 "Not Found" if you followed the first method) whenever you try to open "http://www.yourwebsite.com/wp-config.php" in your browser.

Change your WordPress tables prefix

Most of us install WordPress with the default options. By default your WordPress tables have the wp_ prefix, for example wp_users. This can sometimes prove helpful to an attacker, since knowing your table names makes a SQL injection attack easier to carry out. So it is a good idea to change the prefix to some random value. Manually changing the wp_ prefix is a tricky task, so using a plugin like Change DB Prefix is a better option for a non-tech-savvy person.

Note: Please make sure that any .htaccess rules you added manually (if you added any) don't collide with the change of the default wp_ prefix. There is also a small chance that some plugins might stop working after this change, though I personally haven't faced such issues. If you are using Cloudflare then I wouldn't recommend this to you.
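To show what the "tricky" manual route actually involves, here is an added example (not the post's code and not the Change DB Prefix plugin): a small POSIX shell script that generates the SQL for a prefix change. It assumes MySQL/MariaDB (backtick quoting, backslash as the LIKE escape) and that the table names are piped in one per line, for instance from SHOW TABLES; the new prefix k9x_ in the usage line is just a constructed value.

```shell
#!/bin/sh
# Generate the SQL for moving a WordPress database from one table prefix to
# another. Added example, not the post's code or the Change DB Prefix plugin.
# Assumptions: MySQL/MariaDB; table names arrive on stdin, one per line
# (e.g. from SHOW TABLES). Take a database backup first, run the generated
# SQL, then set $table_prefix in wp-config.php to the new prefix.

gen_prefix_sql() {
    old="$1"
    new="$2"
    # In a LIKE pattern "_" is a single-character wildcard, so escape it
    # to match the literal prefix only.
    old_like=$(printf '%s' "$old" | sed 's/_/\\_/g')
    # Position right after the old prefix, for SUBSTRING().
    start=$(( ${#old} + 1 ))

    # 1. Rename every table carrying the old prefix; other tables are left alone.
    while IFS= read -r tbl; do
        case "$tbl" in
            "$old"*)
                rest=${tbl#"$old"}
                printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$tbl" "$new" "$rest"
                ;;
        esac
    done

    # 2. Rows whose VALUES embed the prefix: the role definitions live in
    #    options.option_name (wp_user_roles) and each user's capabilities and
    #    level in usermeta.meta_key (wp_capabilities, wp_user_level). Forgetting
    #    these is why a plain rename leaves every user without permissions.
    #    The renames above ran first, so both tables already carry the new name.
    printf '%s\n' "UPDATE \`${new}options\` SET option_name = CONCAT('${new}', SUBSTRING(option_name, ${start})) WHERE option_name LIKE '${old_like}%';"
    printf '%s\n' "UPDATE \`${new}usermeta\` SET meta_key = CONCAT('${new}', SUBSTRING(meta_key, ${start})) WHERE meta_key LIKE '${old_like}%';"
    printf '%s\n' "-- finally set \$table_prefix = '${new}'; in wp-config.php"
}

# Usage: mysql -N -e 'SHOW TABLES' your_wp_db | sh change_prefix.sh wp_ k9x_
if [ "$#" -eq 2 ]; then gen_prefix_sql "$1" "$2"; fi
```

Review the generated statements before running them: tables that do not carry the old prefix are ignored, and the two UPDATE statements are the part people forget when renaming by hand.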

Disable Directory Browsing

Have a look at this example: http://domain.com/wp-content/plugins/. Assume that this is your directory path and domain.com is your domain. If directory browsing is not disabled, an attacker only has to type this into his address bar and he will see exactly which plugins you are using. That lets him target your site better, since many plugins have vulnerabilities. Your first step should be to check for yourself whether directory browsing is enabled. If it is, all you have to do is either upload a blank index.html file to the directory or edit your .htaccess file by adding this code:

# disable directory browsing
Options All -Indexes

Don't show the WordPress version on your blog

The reason behind this is the same as above. Your visitors aren't really interested in which WordPress version you are using, so there is no good reason to show it and help an attacker in any way. First remove the WordPress version from your website's pages (the generator meta tag WordPress adds to the page head), then delete the readme.html file in your WordPress installation directory, since it also advertises your WordPress version. You can also use a .htaccess rule to stop others from viewing readme.html:

# Deny public access to readme.html
<Files readme.html>
    Order allow,deny
    Deny from all
</Files>

Keep your WordPress updated

This is the most basic but essential tip that every experienced blogger will give. With every new WordPress release, the security bugs fixed in the previous version become public, and if you are still sticking to an outdated version of WordPress then you are just inviting trouble for yourself.

Use of Security Plugins

Of course, how can I talk about WordPress security and not include WordPress security plugins? Well, there are so many security plugins available that I can't put my finger on one, but I believe Better WordPress Security (also known as Better WP Security) can be considered one of the best. It combines the features of several security plugins: it lets you change the default admin username, keeps logs, can edit .htaccess files for you, and the list goes on. I would recommend checking each and every feature and learning what it really does before applying it, since Better WordPress Security modifies your website's core files.

Note: Nobody can guarantee 100% security; there is always a chance of getting hacked. So learning new protection measures is always a good idea, to make sure you won't get hacked that easily.
