1. Use HTTPS and SSL
An SSL Certificate is so important, not just for a WordPress site but for every other site. HTTPS stands for Hypertext Transfer Protocol Secure while SSL stands for Secure Socket Layers. In short, HTTPS allows visitor’s browser to establish a secure connection with your hosting server (and therefore, your site). The HTTPS protocol is secured via SSL. Together, HTTPS and SSL ensure that all the information between a visitors’ browser and your site is encrypted.
SSL certificates also help you with SEO.
2. Choose a Host company with Security Features
The first and most important step towards securing your WP site is by choosing a good web hosting company (Like Zimwebtech) which implements proper security features like supporting the latest version of PHP, MySQL and Apache etc.
3. Use strong passwords
You obviously know that already but what makes a strong password? A strong password contains Uppercase and Lowercase letters,symbols and numbers.Its not easy to remember these kind of passwords-Make use of password managers/write it down somewhere.
4. Don’t use the ‘Admin’ username
I have been using the Wordfence plugin to secure some of my WP sites for some time now. 70% of the login attempts have ‘Admin’ as the username.If you use the Admin username, you just made it easy for hackers-all they have to do guess your password.
5. Never use nulled themes
Before you use a nulled theme, think about this: Who is making them and why?Nulled themes come bundled up with malicious code which will provide them access to hijack your account/add themselves as admins/serve ads on your site/simply lock you out.Mostly these hackers would love it if your site remains fully functional for as long as possible, their changes cannot but reflect badly on you, and if they are not detected fast enough, destroy your site in the end.
6. Disable Plugin and Theme editing through your admin dashboard.
Having the option to edit your theme and plugin files right within your WordPress dashboard is handy when you need to quickly add a line of code. But it also means that anyone who logs into your site can access those files and edit them.
To disable this, simply add the following line in your wp-config.php file.
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
7. Logout idle users
Idle users can pose a security risk to your site. All you have to do is use a plugin like inactive logout which automatically terminate inactive sessions.
8. Disable XML-RPC
XML-RPC allows your site to establish a connection with WordPress mobile apps and plugins like Jetpack. Unfortunately, it’s also a favorite of WordPress hackers because they can abuse this protocol to execute several commands at once and gain access to your site.You can use a plugin like WP Hide to disable XML-RPC.
9. Use 2FA (Two-Factor Authenticatin)
Using 2FA means that in addition to entering your password, you will also have to enter a code generated by a mobile app to log in to your site.Its a very good idea to set it up. You can make use of plugins like Wordfence or Google Authenticator.
10. Secure the admin area.
This includes changing the admin url and limiting the number of failed login attempts.By default, the admin url of WP sites looks like this: http://domain.com/wp-admin/. A lot of people know this and they attempt to login once they find the admin login area.To change the admin url, simply use a plugin like WP Hide or WPS Hide Login.To limit login attempts, you can use a plugin like Wordfence or Security Malware Firewall.
11. Move wp-config.php file to a non www directory
Your wp-config.php file is the most important file in your WordPress installation. It contains your DB username and password among other important information hence, you need to protect it by moving it to a non www accessible directory.All you have to do is:
1.Cut the contents of your original wp-config.php
2.Create a new wp-config.php in a non www accessible directory
3.Paste the content you have cut on 1
4.Go back to your old wp-config.php and add the following line of code
Before changing your WP Database prefix, be sure to backup your site in case something goes wrong.
First of all, open your wp-config.php and find the table prefix line which looks like this: $table_prefix followed by a = sign and the table prefix itself. Replace the default string with your own prefix using a combination of numbers, underscores, and letters like so:
$table_prefix = ‘hfjs_4452_’;Once you are done, access your phpMyAdmin so that you can change table names.There are 11 tables that you need to edit in total. To make this easier, you can input an SQL by going to SQL and then input something like this(According to the table prefix you have set in wp-config.php. In this case its hfjs_4452_):
RENAME table `wp_commentmeta` TO `hfjs_4452_commentmeta`;
RENAME table `wp_comments` TO `hfjs_4452_comments`;
RENAME table `wp_links` TO `hfjs_4452_links`;
RENAME table `wp_options` TO `hfjs_4452_options`;
RENAME table `wp_postmeta` TO `hfjs_4452_postmeta`;
RENAME table `wp_posts` TO `hfjs_4452_posts`;
RENAME table `wp_terms` TO `hfjs_4452_terms`;
RENAME table `wp_termmeta` TO `hfjs_4452_termmeta`;
RENAME table `wp_term_relationships` TO `hfjs_4452_term_relationships`;
RENAME table `wp_term_taxonomy` TO `hfjs_4452_term_taxonomy`;
RENAME table `wp_usermeta` TO `hfjs_4452_usermeta`;
RENAME table `wp_users` TO `hfjs_4452_users`;While the above query should change your database prefix everywhere, it’s a good idea to run another query to make sure any other files using the old database prefix get updated:
SELECT * FROM `hfjs_4452_options` WHERE `option_name` LIKE '%wp_%'
15. Don’t display WordPress version number
Anyone who inspects your WordPress site can tell which version of WordPress you are using.Since each WordPress version has public changelogs that detail the list of bugs and security patches, they can easily determine which security holes they can take advantage of.To fix this, simply put the following code in your theme’s functions.php
//Remove WordPress version number
remove_action('wp_head', 'wp_generator');16. Keep your WordPress files up-to-date
Outdated WordPress files refer to the WordPress version, theme and plugin files. They pose a security risk because they leave your site exposed to other vulnerabilities such as backdoor exploits,pharma and wp-vcd hacks.
