Killer Strategies To Secure Your WordPress Blog
These days, websites, blogs, forums and other online applications can all fall victim to hackers, crackers, spammers and malware. It is essential to identify those security risks and to create mitigation strategies that build security walls around your WordPress blog.
When we think of the most famous Content Management System (CMS) and blogging tool, WordPress is always the one that comes to mind, and this is why it is not only widely used but also a target for professional hackers. We have heard the figure that around 60 million users around the globe benefit from this very comprehensive CMS. When a product or tool is used by big entities, that is itself proof of its quality and effectiveness; many big organisations are associated with WordPress, e.g. BBC, CNN, CBS, NBC, the US National Football League etc. More than 2.5 billion web pages are based on WordPress.
It is therefore always recommended that bloggers make sure the security precautions are properly taken care of, so that your website and its contents stay secure, because even the most popular technologies are targeted by hackers and robots.
The purpose of this article is to provide good practices with which even a beginner-level user can secure WordPress. The measures we are going to mention will not protect you 100% from a hacker's attempts, as no site in the world is 100% safe, but they will definitely enhance your security.
Listed below are some measures which can be used to secure your website:
Method 1: Making sure the WordPress plugins & Site are Up to Date
It is always recommended to keep your WordPress site and plugins updated, because every new release of WordPress may contain fixes for security issues, and any new release is considered more secure than the previous one.
Method 2: Always Use Strong Password
It is normal practice to always use a strong password no matter which tool you are using; even on your personal computer this practice should be followed. Even in today's world many users leave their passwords easy to guess or crack and leave security unhandled. For a strong password the following tips can be considered:
1. Use lower-case and capital letters
2. Use special characters
3. Use numbers
4. Make your password hard to guess (it should not be anything obvious related to you, for example your date of birth, your mother's name, your own name etc.)
5. A short sentence (a passphrase) is a better option
Keep in mind: if someone knows your password, that system, tool or site no longer belongs to you.
Method 3: Never use “admin” as Username
Always avoid using the default username, i.e. admin; this is the first option tried by even a beginner-level hacker. By using any username other than 'admin', most brute-force attacks can be avoided. During WordPress installation the user is asked for a username; on an existing site you can still change your username, which is easily done with a WordPress security plugin.
Method 4: Keep your Computer Virus/Malware free
Whether or not you have WordPress installed on your own computer, keeping your computer virus-free is always good practice: through a virus on your machine, a hacker can obtain your WordPress login details. Make sure the antivirus on your machine is up to date and keep your computer safe from any sort of threat or illegal access.
Method 5: Blocking IPs using .htaccess
To keep your WordPress admin area secure, access should be restricted to authorised users only. If your site does not support a registration process, your visitors must not be allowed to access either the admin area or the wp-login.php file. The best way is to add the following lines to the .htaccess file, which will allow only the listed IP to access the admin area.
# Apache 2.2 access syntax (on Apache 2.4 it needs mod_access_compat); put this in wp-admin/.htaccess
order deny,allow
Deny from all
Allow from xx.xxx.xxx.xxx
You only need to replace xx.xxx.xxx.xxx with your own IP so that only this IP is authorised to access the admin area and all other IPs are denied any access.
To find your IP you can visit whatismyip.com
Some users access the WordPress admin area from multiple IPs, for example from a home computer, from the office and from a personal laptop. You can allow more than one IP to access the admin area by repeating the following line with each additional IP:
Allow from xx.xxx.xxx.xxx
Method 6: Regular Backup
Taking regular backups of your WordPress data is always good practice, so that you are on the safe side in case it is accessed by an unauthorised user; by following this practice you can save your data and protect your blog. As a standard, at least a weekly backup should be taken so that in the worst case the data can be restored.
The following plugins can easily back up your WordPress blog.
This plugin backs up your WordPress blog's files and database on the schedule you define. It is free of cost and can be easily downloaded from the WordPress plugin directory.
Dropbox Backup & Restore
The Dropbox Backup & Restore plugin creates a full backup (files + database) in Dropbox, and can also restore, duplicate, clone or migrate your website.
Other recommended plugins include WP Database Backup, BackWPup Free – WordPress Backup Plugin, WordPress Backup to Dropbox and many others.
Method 7: Carefully Upload Data
Always keep in mind that the data (scripts, plugins etc.) you upload to your WordPress site can be dangerous for the site. Always check the authenticity of the content being uploaded. Best practice is to avoid downloading any plugin or material from file-sharing websites (such as torrents) and uploading it directly without verification, as this may harm your site.
Method 8: Don’t Mention WordPress Version
By taking small precautionary measures you can either fully secure your site or at least make it difficult for a hacker to do any harm to it. One such measure is to avoid showing the WordPress version number to users: it gives an attacker the chance to plan and attack accordingly, so never take that chance.
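As an added example (not code from the original article), a small must-use plugin that removes the version from the places where WordPress prints it by default; the function name hwv_strip_core_version is my own, while the hooks and helper functions are WordPress's own:

```php
<?php
/**
 * Plugin Name: Hide WP version (added example)
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * It removes the WordPress version string from the three places where
 * core prints it by default. Added example, not the article's own code.
 */

// 1. The <meta name="generator" content="WordPress x.y.z"> tag in the page <head>.
remove_action( 'wp_head', 'wp_generator' );

// 2. The <generator> element in RSS/Atom feeds (and other "the_generator" callers).
add_filter( 'the_generator', '__return_empty_string' );

// 3. The ?ver=x.y.z query string that core appends to its own CSS and JS URLs;
//    it leaks the same number even when the meta tag is gone. Only the core
//    version is stripped, so plugin and theme assets keep their own cache busters.
function hwv_strip_core_version( $src ) {
    if ( false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'hwv_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'hwv_strip_core_version', 9999 );

// Not covered here: readme.html in the web root also states the version.
// It is a static file, so delete it or block it at the web server.
```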
Method 9: Make Plugins & Directories Inaccessible
One of the major mistakes most bloggers make is that they don't even think of protecting their plugin directory.
Example: Just go to your plugin directory using the following URL:
You will be able to see the plugins used by that site, and the same can be viewed by any unauthorised user who tries this, which is very dangerous for the site. The reason is that many plugins associated with the site may have vulnerabilities, which is exactly what the attacker is looking for. So why take the risk and give the hacker a chance; why not protect the plugin and other directories?
Method 10: Make use of SSL Encryption
It is a good idea to use SSL encryption for your blogging data. With this approach no one will be able to intercept your data, for example your credentials, and even in the worst case, if the data is intercepted, decrypting it won't be an easy task for the attacker.
Although you will have to pay for an SSL certificate, enabling it in WordPress is free and very easy. You only need to add the following line to the wp-config.php file:
// Force HTTPS for the login page and the whole admin area; add it above the "That's all, stop editing!" line
define( 'FORCE_SSL_ADMIN', true );
Method 11: Better to Use SFTP
Many people use FTP to upload their files, which is not a secure way; instead SFTP (Secure FTP) should be used so that the files being transferred are properly encrypted.
Method 12: Security Related Plugins
As mentioned above, regular database backups should be taken to avoid data loss in case of any failure. This plugin helps in this regard and serves the purpose: it sends the database backup to your email, or it can be saved on any server you want. The backup can be scheduled at whatever frequency you need.
WP Security Scan
As mentioned above, it is better to hide the WordPress version to stop a hacker getting a chance to attack, and the easiest way of doing it is with this plugin, because the traditional way of doing it is not so easy.
There is a popular plugin called Lockdown which can be used to add more security to your WordPress site. Lockdown records every failed login attempt together with the IP address it came from, and then blocks that IP if the number of attempts exceeds the counter you set. Its default setting blocks the user after 3 attempts within 5 minutes. The blocked IP addresses can then be removed as needed from the plugin panel.
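The lockout logic described above, implemented as an added example in a must-use plugin (this is not the Lockdown plugin's own code); the ll_* names are my own, and the 3-failures-in-5-minutes default is taken from the description:

```php
<?php
/**
 * Plugin Name: Minimal login lockdown (added example)
 * Drop into wp-content/mu-plugins/. Counts failed logins per client IP and
 * refuses further attempts from that IP once the threshold is reached inside
 * the time window. Added example, not the Lockdown plugin's own code.
 */

const LL_MAX_FAILURES = 3;        // failures allowed before an IP is blocked
const LL_WINDOW_SECS  = 5 * 60;   // 5-minute window, matching the description

// Client IP used for counting. REMOTE_ADDR only: X-Forwarded-For is
// client-supplied and must not be trusted unless your own proxy sets it.
function ll_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// One transient per IP; the transient's expiry is what implements the window.
function ll_transient_key( $ip ) {
    return 'll_fail_' . md5( $ip );
}

// Fires after every failed login: record the failure and the IP it came from.
add_action( 'wp_login_failed', function ( $username ) {
    $ip    = ll_client_ip();
    $key   = ll_transient_key( $ip );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LL_WINDOW_SECS );   // window restarts on each failure
    error_log( sprintf( 'login failed for "%s" from %s (%d/%d)',
        $username, $ip, $count, LL_MAX_FAILURES ) );
}, 10, 1 );

// Priority 30 runs after core's own username/password check (priority 20),
// so a blocked IP is refused even with correct credentials until the
// transient expires. Attempts made while blocked fail too, which extends the block.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user;   // plain wp-login.php page load, nothing submitted: do not count it
    }
    if ( (int) get_transient( ll_transient_key( ll_client_ip() ) ) >= LL_MAX_FAILURES ) {
        return new WP_Error( 'll_locked', 'Too many failed logins; try again later.' );
    }
    return $user;
}, 30, 3 );

// Unblocking an IP by hand (what a plugin panel would do): delete_transient( ll_transient_key( $ip ) );
```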
Method 13: Disable File Editing
By default WordPress allows editing of PHP files, e.g. plugins and themes, from the dashboard. This is an advantage for an attacker who manages to log in, because it gives him code execution. To address this problem WordPress provides a constant that disables file editing via the dashboard.
The following line, inserted in wp-config.php, will disable the file editing feature (editing of themes, plugins and other files):
// Removes the Theme and Plugin editors from the dashboard; add it above the "That's all, stop editing!" line
define( 'DISALLOW_FILE_EDIT', true );
Method 14: External Monitoring of Server
If unfortunately an attacker gains access to your site in order to deface it or add malware, you can detect and find the changes made by the attacker by using a web-based integrity monitoring solution. Different forms of such solutions are available; you can easily find one on Google by searching for Web Malware and Recommendation.