Improve WordPress Security
WordPress is a great platform for creating your website and is constantly being updated to improve functionality and security. But not taking security seriously and amusing WordPress will completely protect you from everything could result in your site being compromised. To help you out we’ve put together some tips on how to improve your site’s security to minimise the risk of it being attacked.
WARNING: Some of these tips require you to make changes to WordPress code. Always remember to make a full backup of your site and SQL database before attempting to make these changes as errors could leave your site unusable.
1. Keep up-to-date
Using the latest version of WordPress ensures that you are getting the most up to date security features and will included fixes to older versions. It’s also important to keep your plug-ins up to date for same reason.
Before attempting any updates always remember to take a backup of your site and SQL database.
2. Keep regular back-ups
Although this doesn’t directly improve your sites security, if it was to be compromised it’s a lot easier to restore if you have a recent backup of the site and SQL database. More information on backups can be found here.
3. Force SSL on admin area and login
If you have purchased a personal SSL for you domain name why not increase the security of your admin area and login page by sending information over your encrypted channel. For more information on SSL please visit sgis.co.uk/ecommerce-SSL.php
If you have a personal SSL It’s fairly easy to implement as WordPress can be forced to do this by adding the following line to your wp-config.php file.
define('FORCE_SSL_LOGIN', true);
Please make sure the above is added before the below line of code, otherwise it will not work;
/* That's all, stop editing! Happy blogging. */ require_once(ABSPATH . 'wp-settings.php');
4. Remove the WordPress version number from the header
By default WordPress displays the version being used in the header of your site and this could lead to problems if a hacker is aware of certain weakness to the version you’re using. Luckily there is a quick fix to this be adding the below code to your functions.php file;
<?php remove_action('wp_head', 'wp_generator'); ?>
If you don’t have a functions.php file for your theme you will need to create one via file manager
5. Don’t use admin as your username
By default older versions of WordPress would force the main admin username to be admin. Luckily WordPress now allows you to choose a custom username when creating your site so avoid using “admin” as your username.
6. Delete unwanted plugins
If you have a large collection of deactivated or unused plugins it would be worth completely deleting them. Keeping your plugins organised and up to date will help improve your site’s security.
7. Remove the tick from “Anyone can register”
If this box is ticked it means anyone can sign up to your WordPress admin area, even if you don’t advertise on your site. If you have no need to allow anyone to registration then go to Settings >> General and remove the tick from Anyone can register. If you have a need for this and wish to allow anyone to sign up, make sure the New User Default Role is set to Subscriber and keep a track on who is signing up via the user menu.
8. Use a secure password
Although obvious make sure you use a secure password that contains lowercase and uppercase characters as well as numbers and avoid words found in a dictionary. Random passwords are effective and there are many tools on the net for creating them such as www.pctools.com/guides/password/. Finally changing your password regularly is never a bad idea.
Got any more tips you’d like to share? Let us know and we’ll add them to this post.