10 WordPress Security Tips for Advanced Users
When it comes to WordPress security there are various things you can do to harden your website. WordPress core is well maintained and follows sound coding practices, but attackers keep finding ways in: newly disclosed vulnerabilities, weak passwords and, most often, plugins and themes that are out of date or badly written. WordPress site owners have to take security measures to protect their websites and blogs. We discussed basic steps to protect WordPress in the last post. This post looks at security measures for advanced users to protect WordPress from attackers.
1. Remove WordPress version: Let's start with this simple step. By default WordPress prints its version number in a generator meta tag in the head of every page and in your feeds, which lets scanners pick out sites running a release with a known vulnerability. Removing it is a small obscurity measure, not a fix: the version also leaks through readme.html in the site root and through the ?ver= query string WordPress appends to its own scripts and styles, and a scanner can fingerprint core files regardless, so keep updating promptly. The generator tag is removed with a few lines of PHP in your active theme's functions.php file or, better, in a small must-use plugin in wp-content/mu-plugins so it survives a theme change.
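As an added example (not code from the original post), here is what that looks like as a must-use plugin or a functions.php addition, extended to also strip the core version from the ?ver= query string that WordPress appends to its own scripts and styles. The hook and helper names (remove_action, add_filter, wp_parse_url, remove_query_arg, get_bloginfo) are WordPress's own; the function name example_strip_core_version is mine.

```php
<?php
/**
 * Hide the WordPress core version from generated output.
 * Added example, not from the original post; drop it in
 * wp-content/mu-plugins/ or your theme's functions.php.
 */

// 1. The <meta name="generator" content="WordPress x.y"> tag in <head>
//    and the <generator> element in RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. Core enqueues its own scripts and styles with ?ver=<core version>.
//    Strip "ver" only when it equals the core version, so plugin and
//    theme assets keep their own cache-busting version strings.
function example_strip_core_version( $src ) {
    $query = (string) wp_parse_url( $src, PHP_URL_QUERY );
    parse_str( $query, $params );
    if ( isset( $params['ver'] ) && $params['ver'] === get_bloginfo( 'version' ) ) {
        return remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'example_strip_core_version', 100 );
add_filter( 'style_loader_src', 'example_strip_core_version', 100 );
```

This does nothing for readme.html, which sits in the web root, states the version in plain text, and is put back by every core update; delete it after updates or deny access to it in the server configuration.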
2. Disable Directory Browsing: It's a bad idea to allow directory browsing. WordPress itself does nothing to prevent it; whether a visitor can list a directory such as wp-content/uploads/ or a plugin folder depends on the web server, and many shared hosts leave Apache's indexes enabled. Disable it so attackers can't browse your site's files and pick the ones they want to target. Directory browsing is disabled by adding the line below to the .htaccess file in your site root. One caveat: if your host does not permit the Options directive in .htaccess, the whole site answers with a 500 error until you remove the line again, in which case ask the host to set it in the server configuration instead.
Options -Indexes
3. Disable unfiltered HTML: By default, Administrators and Editors on a single-site install have the unfiltered_html capability, which lets them publish raw HTML including script tags and event handlers. That means any one of those accounts being phished or brute-forced turns into stored cross-site scripting against every visitor, other administrators included. If your site doesn't need it, disable it; everyone's content then passes through the KSES allow-list filter. (On multisite, only super admins have the capability to begin with.) Add the line below to your wp-config.php file:
define( 'DISALLOW_UNFILTERED_HTML', true );
4. Allow-list IP addresses: One of the simplest yet most effective methods of protecting your WordPress admin area is to block every IP address except your own. It's a practical option only if you reach the admin area from one or two locations with static IP addresses (or through a VPN with a fixed exit address). Updating the list is quick: FTP into your hosting account, edit the address in .htaccess, and you can log in again in under a minute. Three caveats before you rely on it. First, the login form itself, wp-login.php, lives in the site root, not under /wp-admin/, so this rule alone does not stop password guessing; an attacker who guesses a password only hits a 403 on the post-login redirect, and the credentials still work against xmlrpc.php. Cover wp-login.php with the same directives in a Files block in the root .htaccess if you want the login form protected too. Second, admin-ajax.php also lives under /wp-admin/ and is called by many plugins on behalf of logged-out visitors, so blanket blocking the folder can break front-end features; exempt it if you see breakage. Third, if the site sits behind a CDN or reverse proxy, Apache sees the proxy's address rather than the visitor's, and the rule locks everyone out, you included, unless the server restores the real client address (mod_remoteip on Apache). The directives below are Apache 2.2 syntax; Apache 2.4 still accepts them through mod_access_compat, but the native form is Require ip followed by your addresses. Go to your /wp-admin/ folder and add the code below to its .htaccess file:
[sourcecode]
# Apache 2.2 access control for /wp-admin/ (on Apache 2.4 this needs mod_access_compat)
order deny,allow
deny from all
# whitelist home IP address (replace YOURIPNUMBER with the address or network)
allow from YOURIPNUMBER
# whitelist work IP address; add one "allow from" line per address
allow from YOURIPNUMBER
[/sourcecode]
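The same control can be enforced inside WordPress instead of in Apache, which addresses two of the caveats above: it also covers wp-login.php, and it can exempt admin-ajax.php and admin-post.php, which plugins call for logged-out visitors. The following must-use plugin is an added example, not part of the original post and not a WordPress feature; the addresses are placeholders from the RFC 5737 and RFC 3849 documentation ranges, the hooks (login_init, admin_init, wp_doing_ajax, wp_die) are WordPress's own, and the function and constant names are mine.

```php
<?php
/**
 * Plugin Name: Admin IP allow-list (added example, not from the original post)
 * Put this file in wp-content/mu-plugins/ so it is always active and cannot be
 * disabled from the dashboard.
 */

// Replace with your own addresses; these are placeholders from the documentation ranges.
const EXAMPLE_ADMIN_ALLOWLIST = array(
    '203.0.113.10',      // home, static IPv4
    '198.51.100.0/24',   // office network
    '2001:db8::/32',     // office IPv6 range
);

/** True if $ip lies inside $cidr (a bare address or address/prefix, IPv4 or IPv6). */
function example_ip_in_cidr( $ip, $cidr ) {
    $ip_bin = inet_pton( $ip );
    if ( $ip_bin === false ) {
        return false; // malformed client address: never matches
    }
    if ( strpos( $cidr, '/' ) === false ) {
        return $ip_bin === inet_pton( $cidr );
    }
    list( $net, $bits ) = explode( '/', $cidr, 2 );
    $net_bin = inet_pton( $net );
    $bits    = (int) $bits;
    if ( $net_bin === false || strlen( $ip_bin ) !== strlen( $net_bin )
        || $bits < 0 || $bits > 8 * strlen( $net_bin ) ) {
        return false; // malformed prefix, or IPv4 compared against IPv6
    }
    $full = intdiv( $bits, 8 ); // whole bytes that must match exactly
    $rem  = $bits % 8;          // leading bits of the next byte that must match
    if ( substr( $ip_bin, 0, $full ) !== substr( $net_bin, 0, $full ) ) {
        return false;
    }
    if ( $rem === 0 ) {
        return true;
    }
    $mask = ( 0xFF << ( 8 - $rem ) ) & 0xFF;
    return ( ord( $ip_bin[ $full ] ) & $mask ) === ( ord( $net_bin[ $full ] ) & $mask );
}

function example_enforce_admin_allowlist() {
    // admin-ajax.php and admin-post.php live under /wp-admin/ but serve
    // front-end features for anonymous visitors, so leave them reachable.
    if ( wp_doing_ajax() || ( isset( $GLOBALS['pagenow'] ) && $GLOBALS['pagenow'] === 'admin-post.php' ) ) {
        return;
    }
    // Use REMOTE_ADDR only. X-Forwarded-For is attacker-controlled unless a trusted
    // proxy overwrites it; behind a CDN, have the server restore the real client IP
    // (e.g. mod_remoteip) rather than reading the header here.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach ( EXAMPLE_ADMIN_ALLOWLIST as $cidr ) {
        if ( example_ip_in_cidr( $ip, $cidr ) ) {
            return;
        }
    }
    wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}
add_action( 'login_init', 'example_enforce_admin_allowlist' ); // wp-login.php
add_action( 'admin_init', 'example_enforce_admin_allowlist' ); // everything under /wp-admin/
```

Because the check runs in PHP it costs a WordPress bootstrap per blocked request, so it is a complement to, not a replacement for, rate limiting at the web server; its advantage is that the same allow-list protects the login form and the admin area with one rule, and that you cannot lock yourself out by a typo in .htaccess.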
5. Block known bad bots: Attackers typically send automated scanners first to find unprotected WordPress admin areas and vulnerable plugins. Blocking the User-Agent strings of known scanners is a set-and-forget measure, with one honest caveat: the User-Agent header is chosen by the client, so any attacker who cares will send a browser's string and walk straight past the list; it only filters the lazy, high-volume noise. To set it up, browse to the Pastebin link for the HackRepair.com Blacklist and copy the entire text. Now open or create the .htaccess file in your root directory. Root is not /wp-admin/; it is the directory where WordPress and wp-config.php are installed. Paste the copied rules at the top of the file, above anything already there, so they are evaluated before WordPress's own rewrite rules. Afterwards check that the tools you rely on (uptime monitors, backup scripts) still reach the site, since broad lists occasionally match legitimate clients.
6. Disable Pingbacks and Trackbacks: Both are useful for seeing who links to your posts. The problem with leaving them enabled is that they are a spam channel, and the pingback mechanism in particular is reachable through xmlrpc.php by anyone: a pingback.ping request makes your site fetch an attacker-supplied URL to verify the link, which has been abused to turn thousands of WordPress sites into a reflected DDoS against a third party. Turn off both options under Settings > Discussion; note that those settings apply only to new posts, and existing posts keep their own per-post setting. If you want the change to stick regardless of what someone later clicks in the dashboard, enforce it in code.
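As an added example (not code from the original post), a must-use plugin or functions.php snippet that enforces both Discussion settings, refuses pings on existing posts, removes the abusable pingback.ping XML-RPC method, and stops advertising the endpoint. The option, filter and action names (default_ping_status, default_pingback_flag, pings_open, xmlrpc_methods, wp_headers, rsd_link, xmlrpc_enabled) are WordPress's own.

```php
<?php
/**
 * Turn off pingbacks and trackbacks in both directions.
 * Added example, not from the original post; mu-plugin or functions.php.
 */

// New posts: don't accept pings (default_ping_status) and don't send them
// (default_pingback_flag). pre_option_* short-circuits get_option(), so the
// dashboard setting can no longer re-enable them.
add_filter( 'pre_option_default_ping_status', function () {
    return 'closed';
} );
add_filter( 'pre_option_default_pingback_flag', function () {
    return '0';
} );

// Existing posts keep a per-post setting; override it so wp-trackback.php and
// the pingback handler refuse pings for every post.
add_filter( 'pings_open', '__return_false' );

// pingback.ping is the XML-RPC method abused for reflected DDoS: anyone can ask
// this site to fetch an arbitrary URL. Remove it but leave the rest of XML-RPC
// working for clients that still need it.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: the X-Pingback response header and the
// RSD <link> in <head>.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// Heavier option: refuse XML-RPC entirely. This also breaks Jetpack and the
// WordPress mobile apps where they talk XML-RPC, so enable it knowingly.
// add_filter( 'xmlrpc_enabled', '__return_false' );
```

Removing only pingback.ping is the targeted fix; the last, commented-out line is for sites that have no XML-RPC clients at all and would rather close the whole surface.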
7. Use Secret keys: Secret keys were added in WordPress 2.6 to harden the authentication cookies. A common misconception is that they encrypt the cookies; they don't. They are secret material that WordPress mixes into the HMAC that signs login cookies and nonces, so an attacker who has read your database still cannot mint a valid session cookie without also having wp-config.php. You don't have to remember them. Set all eight constants (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and the four matching _SALT values) to long random strings, unique to this site, either generated locally or taken from WordPress.org's generator at https://api.wordpress.org/secret-key/1.1/salt/ . They are listed in the wp-config.php file. Changing them invalidates every existing login cookie and logs all users out, which is exactly what you want after a compromise or a suspected session theft.
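An added example, not from the original post and not WordPress code, of generating the eight values locally with PHP's CSPRNG so that no third party ever sees your keys; the function names are mine and the output is meant to replace the existing define() lines in wp-config.php.

```php
<?php
/**
 * Generate the eight wp-config.php secret keys and salts locally.
 * Added example, not from the original post or from WordPress itself.
 * Usage: php generate-salts.php  (paste the output over the existing
 * define() lines in wp-config.php; everyone will be logged out)
 */

function example_generate_salts() {
    $names = array(
        'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
        'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
    );
    $salts = array();
    foreach ( $names as $name ) {
        // random_bytes() is the CSPRNG; 48 bytes encode to exactly 64 base64
        // characters, and base64 never contains quotes or backslashes, so the
        // value is safe inside the single-quoted define() string.
        $salts[ $name ] = base64_encode( random_bytes( 48 ) );
    }
    return $salts;
}

function example_format_defines( array $salts ) {
    $lines = '';
    foreach ( $salts as $name => $value ) {
        $lines .= sprintf( "define( '%s', '%s' );\n", $name, $value );
    }
    return $lines;
}

echo example_format_defines( example_generate_salts() );
```

Never copy the same set of values to a second site, and keep wp-config.php unreadable to other accounts on the server (see the file permissions tip below), since the salts are only as secret as that file.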
8. Change file permissions: File permissions often go unnoticed, yet getting them right closes one more door. Never use 777: it lets every account on the server read, modify and execute everything. WordPress.org recommends 755 (or 750) for directories, 644 (or 640) for files, and 600 for wp-config.php, since it holds the database password and the secret keys. Which of each pair is right depends on how your host runs PHP: if PHP runs as your own account (suPHP or a per-user PHP-FPM pool) the web server needs no group access and the stricter values work; if it runs as a shared web server user that must read your files, you need the group-readable variants together with the correct group ownership. Bear in mind what permissions do and do not buy you: they protect against other tenants on the server and against code running as a different user, and they do nothing against a compromised plugin running as the same user that owns the files.
9. Change the table prefix: Everyone knows the default wp_ prefix for WordPress database tables, and some mass-exploitation scripts hard-code it in their SQL injection payloads. Changing it costs little and blunts those, but don't overrate it: any attacker with a working SQL injection can read the real table names from information_schema, so treat the prefix as a minor obstacle rather than a control. If you change it on an existing site, rename every table and update $table_prefix in wp-config.php, and also update the rows whose names embed the prefix, chiefly the wp_user_roles option in the options table and the wp_capabilities and wp_user_level keys in usermeta; otherwise every user loses their role and you lose admin access. It is far easier to pick a non-default prefix at install time.
10. Scan your website: Run a free website malware and security scanner. Sucuri SiteCheck will check your website for known malware, blacklisting status, website errors, and out-of-date software, and it works for WordPress as well as for sites built on other platforms. Keep in mind that a remote scanner only sees what is served to the public: a backdoor that does not change page output, or malware that hides from scanner User-Agents, won't show up. Pair it with a file-integrity check against the official WordPress packages, either a server-side scanner or WP-CLI's core checksum verification, to catch modified core files.
If you are not an advanced user but want to apply such advanced security measures, use a WordPress security plugin. Here’s a shortlist and a good article with details on security plugins.
• Sucuri
• iThemes Security
• All In One WP Security & Firewall
• BulletProof Security
• Wordfence
All the shortlisted plugins above are known for securing WordPress, but each has its own special features; take a look and select one that meets your requirements. However, don't blindly enable every security option, as one wrong step can lock you out or break the site: try changes on a staging copy first, take a backup, and make sure you have FTP or file-manager access so you can revert a bad .htaccess or wp-config.php edit. If you are not sure about a security feature in a paid WordPress security plugin, contact their support for assistance.
If you know other advanced security tips or suggestions for using WordPress Security Plugins, please let us know in the comments below.