10 Tips for Securing Your WordPress Site - WebHostingBuzz US Blog

Posted on 11 Aug 2014 by Adam

Thanks to its large, established developer community and the two Beta releases it offers before major versions are pushed out for use on production sites, WordPress is generally kept free of bugs, provided site owners remember to update!

One downside to using WordPress is that since 22.8% of websites use it, it has become a prime target for hackers.

For example, a bug was recently identified in WordPress and Joomla installations which would allow a hacker to run a highly resource-intensive process which would result in the server crashing and the website going down.

WordPress swiftly released 3.9.2, which fixed this; however, many people will still be on older versions, which remain vulnerable.

1. Use a Secure Password

One of the most obvious tips is to make sure you have a fairly complex password, and not something which will be easily guessed by a potential hacker.
If you think you’ll forget it, simply use a password manager such as LastPass.

2. Update WordPress Core & WordPress Plugins

I regularly see WordPress sites which are heavily outdated. If you’re running an older version of WordPress, you may as well be asking to be attacked.

So if you see a yellow bar/banner at the top of the WordPress admin area, don’t delay – hit update!

3. Remove any unused plugins

These not only have the potential to slow down your site, but once they become outdated, they can pose a security risk.

If you spot any plugins that you’re no longer using and that will become outdated and forgotten about, deactivate and delete them.

4. Install a WordPress security plugin

Plugins such as Wordfence can be great to help you implement some quick security features, such as changing the URL of the admin login from ‘/wp-admin’ to a URL of your choice.

5. Delete any unused WordPress accounts

If you’ve had a blog running for a few years or more, it’s likely you’ll have created accounts for contributors.

Additionally, developers often create test accounts within WordPress that they might have forgotten to delete afterwards, so it’s always good to double-check.

6. Limit Dashboard Accessibility by IP Address

You can easily restrict access to the WordPress dashboard by a specific IP address. For example, if you only want people to be able to access the dashboard at your workplace, you can find out the IP address and add it to the below code, which can be added to your .htaccess file.

# Apache 2.2 access-control syntax: deny everyone, then allow the listed address
order deny,allow
allow from YOURIPADDRESSHERE
deny from all

7. Force HTTPS (SSL) in the Admin Area

To do this, simply create a new .htaccess file within the wp-admin folder, then paste in the following code:

// PHP, not Apache syntax: WordPress reads this constant from wp-config.php
define('FORCE_SSL_ADMIN', true);
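Tips 6 and 7 combined in one wp-admin/.htaccess, as an added example that is not part of the original post. The address 203.0.113.10 is a placeholder, the admin-ajax.php exception is an assumption about what your theme and plugins need, and the rewrite rule is an Apache-level alternative to the FORCE_SSL_ADMIN constant, which is PHP and is read from wp-config.php.

```apache
# wp-admin/.htaccess (constructed example)
# 203.0.113.10 is a documentation placeholder: replace it with your own address.

# --- Tip 6: allow the dashboard from one IP address only ---
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require ip 203.0.113.10
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 (the syntax used in the post)
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
</IfModule>

# Front-end AJAX from themes and plugins goes through this file,
# so it usually has to stay reachable for ordinary visitors.
<Files "admin-ajax.php">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>

# --- Tip 7: send plain-HTTP requests for the admin area to HTTPS ---
<IfModule mod_rewrite.c>
    RewriteEngine On
    # %{HTTPS} stays "off" behind a TLS-terminating proxy;
    # test the header your proxy sets there instead.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
```

The Require and Order/Allow/Deny directives only take effect in .htaccess if the server's AllowOverride setting permits them (AuthConfig and Limit respectively), so request the dashboard from a second network after deploying to confirm it is refused.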

8. Only Install Well-Known and Secure Plugins

Since you’re installing WordPress plugins right into your core directories, it’s important that you can trust them. If there’s a brand new plugin that has very little ratinga

Always look for plugins which have had plenty of reviews.

9. Perform Regular Backups of your Website Files and Database

You have three options here.

1. Manually create backups in your hosting account

The first is to manually create backups of your whole hosting account (if you use cPanel/WHM, there’s a backup tool).

2. Using a WordPress plugin

Alternatively, you can install a WordPress plugin such as Backup Buddy or VaultPress, which make the process as simple as possible for you.

3. Automatic cloud backups

Alternatively (and this is my preferred option), use a cloud backup service such as CodeGuard, which runs nightly backups to the cloud for you.

10. Pick a Reliable and Secure Hosting Provider

You should also consider support here. If your WordPress site does get hacked, you’ll probably want it back up and running again as soon as possible. So it’s important to choose a provider that offers 24/7 support in case you need it.
