
WordPress is one of the most popular CMSs in the world, and it is used by far more than just bloggers. WordPress has tons of plugins and themes available, but these facts do not make it the safest platform for your next project. Security is very important nowadays: a lot of hackers are taking over websites, and yours might not be the exception. If you want to make your WordPress site as secure as possible, you will find below some nice tweaks, tips and plugins for improving the security of the WordPress CMS.

I have collected some simple but useful tips and plugins for protecting your WordPress installation. Hopefully you will find these resources and tools handy.

1. Upgrade to the newest version of WordPress


This simple tip might sound obvious, but it is one of the best ways to secure your blog from hackers. WordPress frequently releases updates dedicated to security fixes, so do not ignore the notifications that ask you to upgrade your WordPress. It is really easy to hack a website running an old version of WordPress because hackers already know every hole in it.

2. Upgrade all your themes and plugins to their newest versions

Another important thing is to update all the other parts of your blog, such as the plugins and the theme you’re using. By keeping all your themes and plugins up to date, and upgrading immediately when a new version is released, you will be much more secure.

3. Get rid of the “admin” user

Even if your WordPress core files, themes and plugins are up to date, you are probably still using the “admin” username for your admin panel. This default user exists on most WordPress sites, so it is very easy for hackers to get into your dashboard: all they have to do is guess your password. The solution is pretty simple. Create a new user with “administrator” privileges, then delete the old admin user, making sure you assign all of admin’s posts and pages to your new admin user.

4. Smartly protect wp-config.php

wp-config.php is one of the most important files in your WordPress blog. It contains the database credentials that would let a hacker gain access to your WordPress database. Therefore, it is suggested that you add the piece of code below to your .htaccess file:

# protect wp-config.php from being served over HTTP
# (Apache 2.2 access-control syntax; Apache 2.4 expresses the same with "Require all denied")
<Files wp-config.php>
order allow,deny
deny from all
</Files>

The .htaccess file lives in your web root directory (the same directory as wp-config.php). If it is not there, you can create the file and add the above code to it.

5. AskApache Password Protect plugin

This plugin doesn’t control WordPress or mess with your database; instead it utilizes fast, tried-and-true built-in security features to add multiple layers of security to your blog. It is specifically designed, and regularly updated, to stop automated and unskilled attackers’ attempts to exploit vulnerabilities on your blog, which would otherwise result in a hacked site.

6. Protect your WordPress blog using .htaccess

The .htaccess file has lots of possibilities. You can use it to protect your WordPress blog from script injection and from unwanted modification of the _REQUEST and GLOBALS variables through the query string.

Simply paste the following lines into your .htaccess file, located at the root of your WordPress install.

# mod_rewrite needs symlinks enabled to work from .htaccess
Options +FollowSymLinks
RewriteEngine On
# block a <script ...> tag in the query string, raw or URL-encoded, case-insensitive ([NC])
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# block attempts to set the GLOBALS or _REQUEST variables through the query string
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# if any condition matched, answer 403 Forbidden ([F]) and stop processing rules ([L])
RewriteRule ^(.*)$ index.php [F,L]
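
To see exactly what this rule set does, here is an added Python re-implementation of the three conditions (example code, not part of the original post). Each pattern is applied to the raw query string, as Apache does for %{QUERY_STRING}, and the constructed sample URLs show which requests would receive the 403 that the [F] flag produces.

```python
import re
from urllib.parse import urlsplit

# Python equivalents of the three RewriteCond patterns from the .htaccess
# snippet above.  Apache matches RewriteCond against the raw (not URL-decoded)
# QUERY_STRING, which is why each pattern looks for both "<" and "%3C".
# Only the first condition carries [NC], so only it is case-insensitive.
_CONDS = [
    ("script tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS override", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST override", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]


def evaluate(url):
    """Return (allowed, reason): what the rule set would do with this request.

    The RewriteConds are joined with [OR], so the first matching condition
    fires the RewriteRule, whose [F] flag answers 403 Forbidden.
    """
    query = urlsplit(url).query          # raw query string, not decoded
    for name, pattern in _CONDS:
        if pattern.search(query):
            return False, name
    return True, "no condition matched"


# Constructed sample requests: the first two are ordinary site traffic,
# the rest are the request shapes the rule set is written to stop.
SAMPLES = [
    "https://example.org/?s=javascript+tutorial",
    "https://example.org/?p=42&preview=true",
    "https://example.org/?s=<script>alert(1)</script>",
    "https://example.org/?s=%3CSCRIPT%3Ealert(1)%3C/script%3E",
    "https://example.org/index.php?GLOBALS[admin]=1",
    "https://example.org/index.php?_REQUEST%5Buser%5D=admin",
]

if __name__ == "__main__":
    for url in SAMPLES:
        allowed, reason = evaluate(url)
        print(f"{'ALLOW' if allowed else '403  '}  {url}  ({reason})")
```

Note that "script" on its own (the first sample) is not blocked; the rule needs an opening and closing angle bracket around it, which keeps ordinary searches working.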

Note: Always make a backup of your .htaccess file before editing it, so you can restore it if something goes wrong. Keep in mind, too, that these rules are simple pattern matches on the query string: they cut down the noise from automated attacks, but they are no substitute for keeping WordPress, your theme and your plugins up to date.

7. Use a strong password


Another simple but effective tip for making your blog more secure: create a strong password that includes lowercase letters, uppercase letters and numbers. Do not use it anywhere else, and change it from time to time.

8. Restricting access to wp-admin with htaccess

To restrict wp-admin, put a .htaccess file into your wp-admin directory with the code below.

You can restrict it by IP:

order deny,allow
# replace a.b.c.d with your own static IP address (Apache does not allow a comment after a directive on the same line)
allow from a.b.c.d
deny from all

The above code will prevent browser access to any file in the wp-admin directory from any address other than “a.b.c.d”, which you should change to your static IP address. This only works if your address never changes, and note that admin-ajax.php inside wp-admin is also called by some themes and plugins on behalf of logged-out visitors, so test your site after adding the restriction.

9. WP Security Scan plugin

WP Security Scan checks your WordPress website/blog for security vulnerabilities and suggests corrective actions such as: passwords, file permissions, database security, version hiding, WordPress admin protection/security and more.

10. Website malware scanner

Sucuri SiteCheck

Enter a URL and the Sucuri SiteCheck scanner will check the website for known malware, blacklisting status, website errors, and out-of-date software.

11. Ultimate Security Checker plugin

This plugin identifies security problems with your WordPress Installation. It scans your blog for hundreds of known threats, then gives you a security “grade” based on how well you have protected yourself. You can fix the problems yourself, or you can use our help to do it for you automatically.

12. BulletProof Security plugin


WordPress Website Security Protection: BulletProof Security protects your WordPress website against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts. One-click .htaccess WordPress security protection. Protects wp-config.php, bb-config.php, php.ini, php5.ini, install.php and readme.html with .htaccess security protection.

13. Limit Login Attempts plugin


By default WordPress allows unlimited login attempts, either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.

Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
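
The same pattern can also be spotted from the web server's access log, which gives you a second line of detection outside WordPress itself. The following is an added Python example, not part of the original post or of the plugin, that applies a Limit-Login-Attempts-style retry threshold to constructed Apache log lines; the 4-attempt limit, the 5-minute window and the sample IP addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access log format, as written by the web server in front of WordPress.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def failed_login_bursts(lines, limit=4, window=timedelta(minutes=5)):
    """Return {ip: timestamp} for every IP whose failed POSTs to wp-login.php
    exceed `limit` within `window`; the timestamp is the attempt that crossed
    the line.  A failed login re-renders the form with HTTP 200, while a
    successful one redirects (302), so only 200 responses count as failures.
    """
    attempts = defaultdict(list)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        if m["status"] != "200":
            continue
        ip, ts = m["ip"], datetime.strptime(m["ts"], TS_FMT)
        attempts[ip] = [t for t in attempts[ip] if ts - t <= window] + [ts]
        if len(attempts[ip]) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged


# Constructed sample log (assumed addresses): 203.0.113.7 hammers the login
# form five times in 40 seconds, while 198.51.100.2 logs in normally.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:08:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"' % s
    for s in range(0, 50, 10)
] + [
    '198.51.100.2 - - [10/Mar/2024:08:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3210 "-" "-"',
    '198.51.100.2 - - [10/Mar/2024:08:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, when in failed_login_bursts(SAMPLE_LOG).items():
        print(f"{ip} crossed the retry limit at {when.isoformat()}")
```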

14. One-Time Password plugin


This simple-to-use plugin enables you to log in to your WordPress weblog using passwords which are valid for one session only. One-time passwords prevent your main WordPress password from being stolen in less trustworthy environments, like internet cafés, for example by keyloggers.

15. WordPress Backup to Dropbox plugin


WordPress Backup to Dropbox has been created to give you peace of mind that your blog is backed up on a regular basis. Just choose a day, a time and how often you wish your backup to be performed, then kick back and wait for your website’s files and a SQL dump of its database to be dropped into your Dropbox.