WordPress is the most popular CMS on the web and as such it is a common target for hackers. These are the steps I take to secure and help prevent issues.
Install Sucuri Scanner #
There are a lot of ‘security’ plugins available for WordPress, most of them require a premium subscription and have nagging upgrade messages or limited functionality, but I’ve always found Sucuri Scanner to be a great help in locking down an installation and is always one of the very first plugins I install every time I setup a new WordPress site. Once installed go to the Hardening section and enable everything you can.
Use a custom .htaccess file #
Block bots with a custom
.htaccess file. I use Hack Repair’s Blacklist.
Update all your themes and plugins #
Delete any themes or plugins that you don’t need and update any that have updates available.
Use secure passwords #
It’s likely that your username can be gathered by bots by looking at the frontend of your site. These bots will try and brute-force logging in to the admin using common passwords. Create a strong, unguessable password. Give the Secure Password Generator site a try.
Don’t have a username called ‘admin’ #
Bots try and brute-force logging in with the username ‘admin’. Avoid using that username altogether.
Protect wp-config.php #
wp-config.php file stores your WordPress database username, password and other crucial information about your site.
You can (and should) keep this file one level above the root level so it isn’t directly on the internet. WordPress will automatically pick it up with no changes required.
Backup your site #
Although this isn’t really a tip for securing your site, it’s still a worthwhile reminder. Make regular (ideally automated) backups and store them safely.
Further Reading #
Hardening WordPress - an in-depth guide at wordpress.org.