Not for the technically faint of heart
Each of us is in business to do what we do best. Some are more technically oriented. Others are self-professed “technophobes.”
You might skim through these WordPress security measures and decide they are beyond your comfort zone. I totally appreciate that. You might prefer to simply use security plugins. Or you might consider discussing them with a website developer. You might even dismiss them entirely.
But for the more technically adventurous business people, these WordPress security measures can help discourage hackers.
Remember that no security measure can guarantee the security of your website. But each step you take can dramatically reduce the number of website security threats.
1. Protect your wp-config.php file
The wp-config.php file contains sensitive information (like your database username and password). If a hacker gains access to this file, they could do some real damage.
You can give it a bit more protection by moving it up one level on the server (out of wp-admin folder).
Going a bit deeper, use your .htaccess file to block web access to it for everyone with this code (the directives differ between Apache 2.2 and 2.4, so both forms are guarded):
<files wp-config.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</files>
You can find more htaccess security tips here.
2. Change the default “wp_” prefix
By default, the WordPress database tables all have the prefix “wp_”. Hackers know this, of course, and will target these tables by name. But if you change the prefix to something else, you can make it more challenging for hackers to access your database information.
The prefix can be anything you like. Technically, you can change this any time, but it’s much easier to do when you first install WordPress.
If you have already installed WordPress and your website has been active for a while, here’s a tutorial for changing the prefix. Remember to back up your website before proceeding!
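As an added example (not the article’s own code or the tutorial it links to), here is a PHP script that performs the prefix change on an existing site: it renames every table that carries the old prefix and then fixes the option and user-meta rows whose names also embed the prefix, which is the step people most often miss (skipping it leaves every user without a role). The database credentials in the usage comment are placeholders.

```php
<?php
// Added example, not from the original article or its linked tutorial.
// Renames every table carrying the old prefix and then fixes the rows whose
// *names* also embed the prefix (otherwise every user loses their role after
// the rename). Back up the database first: RENAME TABLE is DDL, which MySQL
// commits implicitly, so this cannot be wrapped in a rollback-able transaction.
// Afterwards set $table_prefix in wp-config.php to the new value.
declare(strict_types=1);

/** wp-config.php only accepts letters, digits and underscores as a prefix. */
function is_valid_table_prefix(string $prefix): bool
{
    return $prefix !== '' && preg_match('/^[A-Za-z0-9_]+$/', $prefix) === 1;
}

/** Swap the prefix on a name, or return null if it does not carry the old one. */
function reprefix(string $name, string $old, string $new): ?string
{
    if (strncmp($name, $old, strlen($old)) !== 0) {
        return null;
    }
    return $new . substr($name, strlen($old));
}

/**
 * Renames the tables and returns ['old_name' => 'new_name', ...].
 * Exact-match row updates are used instead of LIKE 'wp\_%': options such as
 * wp_page_for_privacy_policy are literally named that way regardless of the
 * table prefix and must not be touched.
 */
function change_table_prefix(PDO $db, string $old, string $new): array
{
    if (!is_valid_table_prefix($old) || !is_valid_table_prefix($new)) {
        throw new InvalidArgumentException('prefix must match [A-Za-z0-9_]+');
    }
    $renamed = [];
    foreach ($db->query('SHOW TABLES')->fetchAll(PDO::FETCH_COLUMN) as $table) {
        $target = reprefix($table, $old, $new);
        // Skip unrelated tables, and refuse names we cannot safely quote.
        if ($target === null || preg_match('/^[A-Za-z0-9_]+$/', $target) !== 1) {
            continue;
        }
        $db->exec(sprintf('RENAME TABLE `%s` TO `%s`', $table, $target));
        $renamed[$table] = $target;
    }

    // Row data that WordPress stores with the prefix baked into the key.
    $opt = $db->prepare("UPDATE `{$new}options` SET option_name = ? WHERE option_name = ?");
    $opt->execute([$new . 'user_roles', $old . 'user_roles']);

    $meta = $db->prepare("UPDATE `{$new}usermeta` SET meta_key = ? WHERE meta_key = ?");
    foreach (['capabilities', 'user_level', 'user-settings', 'user-settings-time'] as $suffix) {
        $meta->execute([$new . $suffix, $old . $suffix]);
    }
    return $renamed;
}

// Usage (placeholder credentials, not the article's):
// $db = new PDO('mysql:host=localhost;dbname=wordpress;charset=utf8mb4', 'dbuser', 'dbpass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// print_r(change_table_prefix($db, 'wp_', 'k7x_'));
```

Run it once from the command line with the site in maintenance mode, then update `$table_prefix` in wp-config.php and confirm you can still log in before taking the site live again.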
3. Use strong Administrator usernames
It might be tempting to use “admin” as your primary Administrator username. However, since this used to be the default for all WordPress installations, it is the first username hackers will try. If they guess correctly, all they need to do is discover your password (which is hopefully not easy to guess!). Instead of “admin”, choose a username that is more difficult to guess.
4. Reduce website Administrators
For added security, limit the number of users who have the WordPress “Administrator” role.
Not everyone needs an Administrator role, so limit it to one or two if you can. This narrows a hacker’s options, since the Administrator role is what they are mostly after.
Furthermore, create separate roles for users who only blog or update pages. If a post author’s name is publicly displayed, a hacker may assume it is also an Administrator’s login name and attempt a brute-force login against it.
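As an added example (not code from the article), a small must-use plugin that audits the two points above: it lists every account with the Administrator role and flags any whose public display name or author-URL slug (user_nicename, which WordPress derives from the login name by default) equals the login name, then shows a dashboard notice when the count exceeds a threshold. The threshold of two is an assumption taken from the article’s “one or two”.

```php
<?php
/**
 * Plugin Name: Administrator Audit (added example)
 *
 * Added example, not from the original article. Save as
 * wp-content/mu-plugins/admin-audit.php. ADMIN_AUDIT_MAX is an assumption.
 */

const ADMIN_AUDIT_MAX = 2;

/**
 * One entry per Administrator. 'login_exposed' is true when the login name is
 * visible to the public, either as the display name shown on posts or as the
 * nicename used in /author/<nicename>/ URLs.
 */
function admin_audit_findings(): array
{
    $findings = [];
    foreach (get_users(['role' => 'administrator']) as $user) {
        $login   = $user->user_login;
        $exposed = ($user->display_name === $login) || ($user->user_nicename === $login);
        $findings[] = [
            'login'         => $login,
            'display'       => $user->display_name,
            'login_exposed' => $exposed,
        ];
    }
    return $findings;
}

/** Turn the findings into human-readable warnings (empty array when all is well). */
function admin_audit_messages(): array
{
    $findings = admin_audit_findings();
    $messages = [];
    if (count($findings) > ADMIN_AUDIT_MAX) {
        $messages[] = sprintf(
            '%d accounts have the Administrator role; consider reducing this to %d.',
            count($findings), ADMIN_AUDIT_MAX
        );
    }
    foreach ($findings as $f) {
        if ($f['login_exposed']) {
            $messages[] = sprintf(
                'Administrator "%s" exposes the login name as display name or author slug; change it under Users > Profile.',
                esc_html($f['login'])
            );
        }
    }
    return $messages;
}

/** Show the warnings to administrators on every dashboard page. */
function admin_audit_notice(): void
{
    if (!current_user_can('manage_options')) {
        return;
    }
    foreach (admin_audit_messages() as $message) {
        printf('<div class="notice notice-warning"><p>%s</p></div>', $message);
    }
}
add_action('admin_notices', 'admin_audit_notice');
```

The nicename check matters because WordPress builds the author archive URL from it, so changing only the display name still leaves the login visible in links unless the slug is changed too.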
5. Use Two Factor Authentication for logins
Two-factor authentication adds a protective layer to your login page. Instead of just typing in a username and password, you will also need to enter a randomly generated code. Two great options for two-factor authentication are Clef and Google Authenticator.
Two-factor authentication is available in security plugins like iThemes Security or Wordfence. You can also try a dedicated plugin like Duo Security.
6. Limit the number of login attempts
If someone has guessed your username (which is easy if it’s “admin” or displayed somewhere on your website), they can run a script that tries password after password. But if you have set up your WordPress security measures to limit login attempts, a hacker will be locked out after a specified number of failed login attempts.
The easiest way to do this is with a plugin. There are many plugin options for this, but be sure to get one that is well supported and has a good track record of keeping up to date.
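To show what such a plugin does underneath, here is an added example (not the article’s code and not any named plugin) of a minimal must-use plugin that counts failed logins per client address with WordPress transients and refuses further attempts for a cooling-off period. The thresholds are assumptions; the hook names (wp_login_failed, authenticate, wp_login) are WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 *
 * Added example, not from the original article or any named plugin. Save as
 * wp-content/mu-plugins/login-limiter.php. The three limits are assumptions.
 */

const LAL_MAX_ATTEMPTS = 5;     // failures allowed before lockout
const LAL_WINDOW       = 900;   // seconds the failure counter lives
const LAL_LOCKOUT      = 1800;  // seconds a lockout lasts

/**
 * Transient key for the calling client. If the site sits behind a trusted
 * reverse proxy, use the header that proxy sets for the real client address;
 * never trust X-Forwarded-For from arbitrary clients, since they can forge it.
 */
function lal_client_key(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lal_' . md5($ip); // md5 only shortens the key; it is not a secret
}

function lal_is_locked_out(): bool
{
    return get_transient(lal_client_key() . '_lock') !== false;
}

/** Count a failure; start a lockout once the threshold is reached. */
function lal_record_failure(string $username): void
{
    if (lal_is_locked_out()) {
        return; // attempts during a lockout are already refused below
    }
    $key   = lal_client_key();
    $count = (int) get_transient($key) + 1;
    if ($count >= LAL_MAX_ATTEMPTS) {
        set_transient($key . '_lock', time(), LAL_LOCKOUT);
        delete_transient($key);
        error_log(sprintf('[login-limiter] lockout for %s after %d failures (last username: %s)',
            $_SERVER['REMOTE_ADDR'] ?? '?', $count, sanitize_user($username)));
        return;
    }
    set_transient($key, $count, LAL_WINDOW);
}
add_action('wp_login_failed', 'lal_record_failure');

/**
 * Runs on the 'authenticate' filter after WordPress's own username/password
 * check (priority 20), so a locked-out client is refused whatever it submits,
 * including a correct password, until the lockout expires.
 */
function lal_block_if_locked($user, $username, $password)
{
    if (lal_is_locked_out()) {
        return new WP_Error('lal_locked_out',
            __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}
add_filter('authenticate', 'lal_block_if_locked', 30, 3);

/** A successful login clears the failure counter for this client. */
function lal_clear_on_success(string $user_login, WP_User $user): void
{
    delete_transient(lal_client_key());
}
add_action('wp_login', 'lal_clear_on_success', 10, 2);
```

Because the counter is keyed by address only, an office behind one NAT address shares a single counter, which is why mature plugins also track per-username counts and offer an allow list; the error_log line gives you something to alert on from the web server logs.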
7. Disable plugin and theme editors
The last of the WordPress security measures I mention is a bit more technical, but it can be effective.
If unwanted users get Administrator access, you can prevent them from editing files from the WordPress dashboard by disabling the plugin and theme editor. You rarely need (or want) to edit these files, but a hacker can do some damage with them. As the primary Administrator, if you ever do need to edit these files, you will be able to do so via cPanel or FTP.
Here’s the code and instructions for disabling the plugin and theme editor.
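As an added example (not the code the article links to), these are the wp-config.php constants that WordPress itself honours for this purpose; the first removes the editor screens and the edit_themes and edit_plugins capabilities, the second goes further and is commented out because it also disables dashboard updates.

```php
<?php
// Added example. Place these lines in wp-config.php above the line that reads
// /* That's all, stop editing! Happy publishing. */

// Removes the Theme Editor and Plugin Editor screens and denies the
// edit_themes / edit_plugins capabilities to every role, so even an
// Administrator cannot change PHP files from the dashboard.
define('DISALLOW_FILE_EDIT', true);

// Stricter option (implies DISALLOW_FILE_EDIT): also blocks installing,
// updating and deleting plugins and themes from the dashboard. Only enable it
// if you apply updates another way (WP-CLI or a deployment pipeline),
// otherwise the site stops receiving plugin and theme updates.
// define('DISALLOW_FILE_MODS', true);
```

To confirm the setting took effect, log in as an Administrator and check that Appearance > Theme File Editor and Plugins > Plugin File Editor have disappeared from the menu.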
If in doubt, consider a Security Plugin
Many of the WordPress security measures mentioned here can be performed by a security plugin like iThemes Security or Wordfence.
What WordPress security measures have you implemented?