If you’re running a WordPress site, it’s important to know how to make it secure. The good news is that robust security is generally straightforward to implement on WordPress.
How to Secure Your WordPress Site
If you’re looking at how to make a WordPress site secure, there are eleven key steps to take. Here is a quick list:
- Customize your login page
- Limit your user accesses
- Implement two-factor authentication
- Log out idle users
- Block users after repeated failed login attempts
- Keep WordPress and all software up-to-date
- Move your wp-config.php file
- Disallow file editing
- Choose the right permissions for your directories and files
- Update your .htaccess file
- Invest in robust security tools
Customize your login page
The default login page for WordPress is your domain followed by either /wp-login.php or /wp-admin/. This can be customized to essentially whatever you want, but it is a good idea to change it to something that still makes sense to users. For example, you could change /wp-login.php to /wp-userlogon.php. This gets rid of the default without confusing genuine users.
Limit your user accesses
This isn’t just how to make a WordPress site secure; it’s how to make any site secure. The fewer users you have, the fewer people have the opportunity to create issues with your website, whether through ignorance or malice. In particular, limit the number of administrator accounts, because these are the ones that can cause the most damage.
Having said that, if someone does legitimately need access to your website, they need their own login credentials. Never allow users to share them, not even temporarily; otherwise you lose track of who is doing what, and when.
As a final point, never use “Admin” as your username for your main administrator account (or any administrator account).
Implement two-factor authentication
Implementing TFA on WordPress is literally as easy as installing a plugin, and it really boosts your security. Be aware, however, that it can be defeated, especially if you implement it through text messages rather than through tokens. Also, remember that you still need a strong and unique password, not one you recycle for every account (even if you vary it slightly).
Log out idle users
Users have to log in to sites to access them. They should log out when they are finished, but since they aren’t forced to do so, they don’t always remember. Automatically logging people out after their account has been idle for a certain time improves security by making it harder for someone to use another person’s login credentials without their permission. Again, this can be implemented via a plugin.
Block users after repeated failed login attempts
Even the strongest password will be cracked eventually if someone keeps trying for long enough. Blocking users after a certain number of failed login attempts is a straightforward way to stop this and can be easily implemented by using a plugin. You can always unblock them if there is a legitimate reason for the repeated attempts.
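Both of the last two steps (idle logout and lockout after repeated failures) can be done without a third-party plugin. The following is an added example, not code from the article: a must-use plugin that counts failed logins per client address in a transient and refuses further attempts once a hypothetical threshold is reached, and that ends sessions that have been idle longer than a hypothetical limit. The constant names, thresholds and meta key are assumptions made for the example.

```php
<?php
// Added example, not from the article: an mu-plugin (wp-content/mu-plugins/)
// that locks out a client after repeated failed logins and ends idle sessions.

// Hypothetical thresholds chosen for this example.
const LH_MAX_ATTEMPTS = 5;        // failed logins allowed per client address
const LH_LOCKOUT_SECS = 15 * 60;  // how long a client stays blocked
const LH_IDLE_SECS    = 30 * 60;  // inactivity after which a session is ended

// Transient name keyed on the client address. Behind a reverse proxy, have the
// web server pass the real client address or every visitor shares one counter.
function lh_fail_key() {
    return 'lh_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Each failed login bumps the counter; the transient expires after the lockout window.
add_action( 'wp_login_failed', function ( $username ) {
    $key = lh_fail_key();
    set_transient( $key, (int) get_transient( $key ) + 1, LH_LOCKOUT_SECS );
} );

// Priority 30 runs after core's password check (priority 20), so a locked client is
// refused even with the right password. Cookie checks pass no username and are skipped.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' !== (string) $username && (int) get_transient( lh_fail_key() ) >= LH_MAX_ATTEMPTS ) {
        return new WP_Error( 'lh_locked', 'Too many failed logins; try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter and starts the idle clock for this user.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lh_fail_key() );
    update_user_meta( $user->ID, 'lh_last_seen', time() );
}, 10, 2 );

// Idle logout: stamp each request and end sessions quiet for longer than LH_IDLE_SECS.
add_action( 'init', function () {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $uid  = get_current_user_id();
    $last = (int) get_user_meta( $uid, 'lh_last_seen', true );
    if ( $last && ( time() - $last ) > LH_IDLE_SECS ) {
        wp_logout();
        wp_safe_redirect( wp_login_url() );
        exit;
    }
    update_user_meta( $uid, 'lh_last_seen', time() );
} );
```

Lockouts live in transients, so to unblock a client manually you delete the matching transient (or wait for it to expire), and failed attempts by a client that is already locked refresh its lockout window.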
Keep WordPress and all software up-to-date
Many updates fix security flaws that have only just come to light, so they need to be applied promptly. If you are using third-party add-ons that are not kept updated, for example because they are free and the developer has lost interest in maintaining them, then you should either uninstall them or make your own arrangements for them to be updated.
Outdated software, especially plugins and scripts, is a huge security issue for WordPress sites.
Move your wp-config.php file
By default, this file is in your site’s root directory. Move it to a different folder (one directory above the web root is generally best, because WordPress looks there automatically). Your site will still find it, but a lot of hackers won’t.
Disallow file editing
Speaking of your wp-config.php file, add
define ('DISALLOW_FILE_EDIT', true);
to the very end of it. With this activated, nobody will be able to edit theme and plugin files through the WordPress dashboard, even if they have admin access to your website. If you find yourself needing to modify files, just change true to false, and make sure to change it back again as soon as you are finished.
Choose the right permissions for your directories and files
Setting permissions is too large a topic to explain in detail here. You should, however, be aware that you can set permissions for files and directories, and that it is very much in your best interests to do so, particularly if you are using a shared server. If you don’t fancy getting into the mechanics of setting permissions, you can get a plugin to check them for you.
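As an added example (not from the article), this read-only PHP script walks a WordPress install and reports anything more permissive than the commonly recommended 755 for directories and 644 for files, and anything looser than 640 for wp-config.php. The script name, the baseline modes and the 640 target for wp-config.php are assumptions for the example; some hosts legitimately need group-writable upload directories, so treat its output as a list to review rather than fix blindly.

```php
<?php
// Added example, not from the article: a read-only permission audit, run as
//   php audit-perms.php /path/to/wordpress
// Reports entries looser than 755 (directories) / 644 (files), and expects
// wp-config.php to be 640 or tighter. Nothing is changed on disk.

function audit_permissions( string $root ): array {
    $findings = [];
    $walker   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST   // visit directories too, not only files
    );
    foreach ( $walker as $path => $info ) {
        $mode   = $info->getPerms() & 0777;
        $expect = $info->isDir() ? 0755 : 0644;
        if ( 'wp-config.php' === $info->getFilename() ) {
            $expect = 0640;   // assumed target: owner read/write, group read, world nothing
        }
        // Any permission bit set in $mode but absent from $expect is an extra grant.
        if ( $mode & ~$expect ) {
            $findings[] = sprintf( '%04o (expected %04o) %s', $mode, $expect, $path );
        }
    }
    return $findings;
}

$findings = audit_permissions( $argv[1] ?? '.' );
foreach ( $findings as $line ) {
    echo $line, PHP_EOL;
}
echo count( $findings ), ' item(s) more permissive than expected', PHP_EOL;
```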
Update your .htaccess file
One of the quirks of a WordPress install is that visitors will get a full listing of everything a directory contains unless you either put an index.html file in it or add
Options All -Indexes
to your .htaccess file. The latter is the safer option, since it doesn’t rely on you remembering to add a file to every directory.
Invest in robust security tools
No article on how to make a WP site secure would be complete without a mention of robust security tools. You want a website vulnerability scanner for your website itself, plus a robust anti-malware solution for all devices used to access the back-end.
Please click here now to have your website scanned, for free, by cWatch from Comodo.