WordPress now powers millions of websites. It is easy to build 30+ different types of websites with WordPress, and getting started with WordPress is easy.
But the downside of that popularity is that it makes WordPress a bigger target for hackers. In this article, I am going to list some best practices to make WordPress more secure. You will learn how to make your website more secure with some best practices and WordPress plugins.
WordPress itself is a very secure content management system, and the WordPress developers release a new version every few months. But sometimes hackers can still gain access to a WordPress-based website.
Sophos Labs has found that 30,000 new websites are hacked every day; you can read How To Recover Hacked WordPress Website? to learn more.
Outdated versions of WordPress, themes and plugins can be very dangerous. Sometimes cheap shared hosting plans can cause damage as well. Weak passwords and easy-to-guess or too-common usernames are also a reason for successful hacks.
10 Best WordPress Security Tips To Make Your Website Secure
Here are some best practices that you should absolutely follow to increase the security of your WordPress website.
1. Use the latest version of WordPress
An outdated version of WordPress is very dangerous. Always install the latest version of WordPress, downloaded from the official WordPress website. If you have several WordPress-based websites, update all of them regularly.
2. Disable PHP file editing from the WordPress Dashboard
Most users will need access to the WordPress admin area, but they will not always need access to plugin files or theme files.
If you want to stop every user from editing theme or plugin files in the WordPress admin area, add the following line to the wp-config.php file. It removes the file editor from the Dashboard entirely.
define( 'DISALLOW_FILE_EDIT', true);
3. Enable two-factor authentication
WordPress two-factor authentication can make your website more secure. There are many free plugins available to enable two-factor authentication.
Two-step verification hardens your WordPress website against brute force attacks: even if your WordPress username and password become compromised, logging in to your website will not be possible without the six-digit code.
You can install Google Authenticator for WordPress, a free plugin. It uses the Google Authenticator app, available in the Google Play Store.
4. Disable Dashboard login for your customers/subscribers
There are various reasons why you might want to keep people off your Dashboard. For example, on a membership site you can disable access to the wp-admin panel for ordinary members.
There are many free plugins available. WP Hide Dashboard and Remove Dashboard Access let you restrict Dashboard access to Administrators only, or to users with a specific capability, and hide the Dashboard menu, the Personal Options section and the Help link.
Further reading: How To Recover Hacked WordPress Website?
5. Change the Dashboard login URL
If possible, change the Dashboard login URL. By default it is www.yoursite.com/wp-admin; change it to something else. A number of WordPress plugins are available for this task.
Rename wp-login.php is a popular free plugin that changes wp-login.php to anything you want. It is also compatible with any plugin that hooks into the login form, including BuddyPress, bbPress, Limit Login Attempts and User Switching.
Peter's Login Redirect is a free and popular plugin that redirects users to different locations after logging in and logging out.
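If you would rather not add a plugin for this, the same restriction can be expressed in a few lines of your own. The following is an added example written for this article, not code from WP Hide Dashboard or Remove Dashboard Access: a must-use plugin that sends any logged-in user without the chosen capability away from wp-admin, while leaving admin-ajax.php and admin-post.php alone so front-end features used by members keep working. The `wpsec_` function names and the two filter names are made up for this example.

```php
<?php
/**
 * Plugin Name: Restrict Dashboard Access (added example)
 *
 * Added example, not the article's or any named plugin's code.
 * Save as wp-content/mu-plugins/restrict-dashboard.php so it loads
 * on every request without needing to be activated.
 */

// Capability a user must hold to reach the Dashboard. 'manage_options'
// is held by Administrators; a site owner can swap in e.g. 'edit_posts'
// through the (hypothetical) filter below without editing this file.
function wpsec_required_dashboard_cap() {
    return apply_filters( 'wpsec_dashboard_capability', 'manage_options' );
}

function wpsec_block_dashboard_for_members() {
    // admin-ajax.php and admin-post.php also fire admin_init; blocking
    // them would break front-end features (comments, forms) for members.
    if ( wp_doing_ajax() || 'admin-post.php' === $GLOBALS['pagenow'] ) {
        return;
    }
    // Users with the required capability proceed normally.
    if ( current_user_can( wpsec_required_dashboard_cap() ) ) {
        return;
    }
    // Everyone else is sent to a front-end page (home by default).
    wp_safe_redirect( apply_filters( 'wpsec_dashboard_redirect_to', home_url( '/' ) ) );
    exit;
}
add_action( 'admin_init', 'wpsec_block_dashboard_for_members' );

// Hide the toolbar for those users too, so no "Dashboard" link is shown.
function wpsec_hide_toolbar( $show ) {
    return current_user_can( wpsec_required_dashboard_cap() ) ? $show : false;
}
add_filter( 'show_admin_bar', 'wpsec_hide_toolbar' );
```

Checking a capability rather than a role name is deliberate: roles can be renamed or customised, and a capability check keeps working when a site grants Dashboard access to a custom role.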
6. Host your site on dedicated servers
Choosing good web hosting really matters. There are thousands of web hosting providers, but not all of them offer great service. If you are serious about your blogging business, choose a good hosting provider with dedicated servers.
7. Restrict the number of login attempts
A brute force attack is the simplest method of gaining access to a site: it tries usernames and passwords over and over again until it gets in. There are many free plugins to limit login attempts on your WordPress website.
The WP Limit Login Attempts plugin limits the rate of login attempts and blocks IPs temporarily. It detects bots with captcha verification.
Limit Attempts by BestWebSoft allows you to limit the rate of login attempts by IP, and to create whitelists and blacklists.
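To show what such a plugin does under the hood, here is an added example written for this article (not the code of WP Limit Login Attempts or Limit Attempts by BestWebSoft). It counts failed logins per client IP in a transient and refuses further authentication once the limit is reached. The `wpsec_` names and the 5-attempts / 15-minute values are chosen for the example; it also assumes PHP sees the real client address in REMOTE_ADDR.

```php
<?php
/**
 * Plugin Name: Minimal Login Attempt Limiter (added example)
 *
 * Added example, not the article's or any named plugin's code.
 * Save as wp-content/mu-plugins/login-limiter.php.
 */

const WPSEC_MAX_ATTEMPTS   = 5;                       // failures allowed per window
const WPSEC_WINDOW_SECONDS = 15 * MINUTE_IN_SECONDS;  // counting and lockout window

// Assumption: PHP sees the real client address. Behind a reverse proxy,
// REMOTE_ADDR is the proxy, so every visitor would share one counter;
// map a forwarded header here ONLY if that proxy is the sole path in.
function wpsec_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function wpsec_attempt_key( $ip ) {
    // Transient names have a length limit; hashing makes any IP format fit.
    return 'wpsec_fail_' . md5( $ip );
}

// 'wp_login_failed' fires for a wrong password AND for an unknown
// username, so username-guessing attempts are counted as well.
function wpsec_record_failure( $username ) {
    $key   = wpsec_attempt_key( wpsec_client_ip() );
    $count = (int) get_transient( $key );
    // Re-setting the expiry on each failure makes the window slide.
    set_transient( $key, $count + 1, WPSEC_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'wpsec_record_failure' );

// Priority 30 runs after WordPress's own username/password check (20),
// so a correct password cannot slip through while the IP is locked out.
function wpsec_check_lockout( $user, $username, $password ) {
    $count = (int) get_transient( wpsec_attempt_key( wpsec_client_ip() ) );
    if ( $count >= WPSEC_MAX_ATTEMPTS ) {
        return new WP_Error(
            'wpsec_locked_out',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'wpsec_check_lockout', 30, 3 );

// Reset the counter after a successful login so a legitimate user who
// mistyped a few times is not left locked out afterwards.
function wpsec_clear_on_success( $user_login, $user ) {
    delete_transient( wpsec_attempt_key( wpsec_client_ip() ) );
}
add_action( 'wp_login', 'wpsec_clear_on_success', 10, 2 );
```

Two properties worth noticing: rejected attempts during a lockout still fire wp_login_failed, so hammering a locked address only extends the lockout; and because the WP_Error is returned from the authenticate filter rather than printed, the login form shows the same generic message whether the username exists or not.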
8. Store the wp-config.php file one level above the WordPress Installation
Yes! You can move the wp-config.php file to the directory above your WordPress install. For a site installed in the root of your web space, this means wp-config.php can live outside the webroot folder, where the web server cannot serve it even if PHP handling is ever misconfigured.
You can read The Easiest WordPress Security Tip Ever! at SitePoint to learn more.
9. Enable HTTPS for all logins and wp-admin
HTTPS is usually associated with shopping carts and Internet banking, but in reality it should be used whenever a user passes sensitive information to the web server, and vice versa.
To ensure that login credentials are encrypted in transit to the web server, define the following constant in wp-config.php.
define('FORCE_SSL_LOGIN', true);
To ensure that sensitive data in transit (such as session cookies) is encrypted when using the WordPress administration panel, define the following constant in wp-config.php.
define('FORCE_SSL_ADMIN', true);
To learn more, visit the WordPress Administration Over SSL page.
You can also use the WP Force SSL plugin to redirect all traffic from HTTP to HTTPS on all pages of your WordPress website.
10. Choose third-party themes and plugins wisely
Always remember there is no reason to keep unused themes and plugins. Why open your site up to problems through themes and plugins you are not even using?
Always download and install plugins from trusted developers and marketplaces. Delete all outdated and unnecessary themes. We have created a list of the best places to buy premium WordPress themes from trusted developers and marketplaces.
The WordPress theme directory is the best place to find free themes, and if you want to use premium themes, always buy from reputable developers and marketplaces.
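Tips 2 and 9 both end up in wp-config.php, so here they are together as one added example excerpt (written for this article, not taken from the WordPress documentation or the WP Force SSL plugin). It also adds the one caveat that catches most people enabling FORCE_SSL_ADMIN: when a reverse proxy or CDN terminates TLS, PHP sees plain HTTP and WordPress redirects to HTTPS in a loop unless it is told to trust the proxy's header. The example.com domain is a placeholder.

```php
<?php
// wp-config.php hardening excerpt (added example, not the article's own file).
// Put these lines above the "That's all, stop editing!" comment.

// Tip 2: remove the Theme and Plugin file editors from the Dashboard.
define( 'DISALLOW_FILE_EDIT', true );
// Stricter alternative: also block installing/updating plugins and themes
// from the Dashboard, so updates must be deployed from outside WordPress.
// define( 'DISALLOW_FILE_MODS', true );

// Tip 9: force HTTPS for wp-login.php and every wp-admin request.
// Since WordPress 4.0 FORCE_SSL_ADMIN covers the login screen too, so
// FORCE_SSL_LOGIN on its own is no longer needed.
define( 'FORCE_SSL_ADMIN', true );

// Caveat: behind a TLS-terminating proxy or CDN, is_ssl() sees plain HTTP
// and FORCE_SSL_ADMIN redirects forever. Trust the forwarded header ONLY
// when the proxy is the sole path to this server; otherwise a client
// could set the header itself and claim to be on HTTPS.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
    $_SERVER['HTTPS'] = 'on';
}

// Pin the site's own URLs to https so generated links never mix schemes
// and the HTTP-to-HTTPS redirect cannot be undone by a stale option.
define( 'WP_HOME',    'https://example.com' );  // placeholder domain
define( 'WP_SITEURL', 'https://example.com' );
```

After saving, confirm the redirect works by requesting the login page over plain HTTP and checking that the response is a redirect to the https:// address rather than a 200, and that the page after login does not bounce back and forth.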
Further reading: How To Choose A Perfect Free Or Premium WordPress Theme
Final Words
I know this is not a complete list, but I have tried to share some quick tips and best practices. You can also read this in-depth guide about WordPress security at Kinsta. Feel free to share your thoughts in the comments below.