Implementing these WordPress security tips will help secure your site and save you the stress of having to repair a hacked website.
Invest 15 minutes now to go through this list, implement as many of the tips as you can, and rest easy knowing your site is hardened against the most common forms of WordPress attack.
Beyond clear-cut blackhat webspam, the second-biggest category of spam that Google deals with is hacked sites. – Matt Cutts, head of Google’s Webspam team
10 WordPress security tips you can implement now
1. Set up scheduled backups
This might not sound like a security tip, but it’s actually the most important one. If anything goes wrong with your site, even if it’s not a security issue, you’ll be able to revert to your backups.
Find out how to schedule WordPress backups.
2. Get the right web hosting
Having professional web hosting makes a huge difference, not only to how vulnerable your site is but to how it recovers if it is hacked. A quality hosting company will have good security as a first line of defence and a strong response when something does go wrong.
This is one reason why I recommend Hostgator. They also have an excellent free migration service if you decide to move to them.
3. Strong passwords
Weak passwords are one of the key ways that hackers gain access to your website.
I use a secure text document for all my websites, where I type a crazy password first and then paste it into the login screen, allowing Firefox to save it into the browser where I can retrieve it instantly later with the Secure Login add-on.
This means I can use incredibly difficult passwords without having to remember them. Google Chrome does the same thing without any add-ons.
You can change your WordPress login password by visiting Users >> Your Profile and scrolling down to the About Yourself section.
4. Install the Limit Login Attempts plugin
The Limit Login Attempts plugin adds an extra layer of security on top of your now-strong passwords by blocking anyone who tries to guess them.
After a set number of failed attempts the plugin blocks the visitor’s IP address (the address that identifies their connection to your site) and prevents them from accessing your website for a set time.
These settings can be changed from Settings >> Limit Login Attempts. Having set up a fail-safe password system in the previous steps, we’re free to harden these settings considerably.
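As an added illustration (not code from the Limit Login Attempts plugin), this is the per-address lockout logic such a plugin implements: a failed-login counter per IP address, a lockout once the limit is reached, and an expiry so the block lifts after the set time. The limits, addresses and credential check below are constructed for the example.

```python
class LoginLimiter:
    """Per-address failed-login counter with a timed lockout: the mechanism a
    limit-login-attempts plugin wraps around wp-login.php. Times are plain seconds."""

    def __init__(self, max_attempts=4, lockout_seconds=20 * 60, reset_seconds=12 * 3600):
        self.max_attempts = max_attempts        # failures allowed before a lockout (example values)
        self.lockout_seconds = lockout_seconds  # how long a locked-out address stays blocked
        self.reset_seconds = reset_seconds      # quiet period after which old failures are forgotten
        self._failures = {}                     # ip -> (failure count, time of last failure)
        self._locked_until = {}                 # ip -> time at which the lockout ends

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is not None and now < until:
            return True
        self._locked_until.pop(ip, None)        # no lockout, or it has expired
        return False

    def record_failure(self, ip, now):
        """Count one failed login; returns True if this failure triggered a lockout."""
        count, last = self._failures.get(ip, (0, now))
        if now - last > self.reset_seconds:
            count = 0                           # stale counter from an old burst: start over
        count += 1
        self._failures[ip] = (count, now)
        if count < self.max_attempts:
            return False
        self._locked_until[ip] = now + self.lockout_seconds
        del self._failures[ip]
        return True

    def attempt_login(self, ip, username, password, now, check_credentials):
        """Gate one login: 'locked_out', 'ok' or 'bad_credentials'."""
        if self.is_locked(ip, now):
            return "locked_out"                 # credentials are not even checked while locked
        if check_credentials(username, password):
            self._failures.pop(ip, None)        # a good login clears the counter
            return "ok"
        return "locked_out" if self.record_failure(ip, now) else "bad_credentials"


if __name__ == "__main__":
    # Constructed credential check standing in for WordPress's own user table.
    creds = lambda u, p: (u, p) == ("editor", "correct-horse-battery")
    lim = LoginLimiter(max_attempts=3, lockout_seconds=60)
    for t in range(4):                          # four guesses from one address, a second apart
        print(t, lim.attempt_login("203.0.113.7", "admin", f"guess{t}", t, creds))
    print(62, lim.attempt_login("203.0.113.7", "editor", "correct-horse-battery", 62, creds))
```

Note that a locked-out address gets the same refusal whether or not the password was right, so the lockout itself does not leak which guesses were close.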
5. Change your login username ‘admin’
If your username is ‘admin’ when you log in, then any hacking attempt only has to guess your password. Changing it to something more complex puts up yet another barrier to the most common hacking attempts.
Install and activate the Admin username changer plugin and visit the new menu item of the same name in WordPress.
Enter a new username and click the Change button. You will have to log in again straight away with your new username and password.
6. Keep WordPress updated
The single best piece of advice I can give to prevent website hacking is “keep your web server software up-to-date and fully patched.” That prevention is much better than the hassle of cleaning up a hack. – Matt Cutts
Whenever you log in to your self-hosted WordPress site, you can check for available updates by going to Dashboard >> Updates. Keeping the core WordPress software, theme and plugins updated is an important security measure.
If you’re using a plugin or theme that hasn’t been updated in a while you may want to search for one that is better supported.
If your theme files have been directly edited by you or a developer, then updating will overwrite those changes. If, however, you’ve made changes from an interface in the theme admin, then you should be fine, as this information is stored in your site’s database.
7. Install the Sucuri Sitecheck Malware Scanner plugin
The Sucuri SiteCheck plugin will check your WordPress site for malware, spam, and other issues.
Scan your site for malware and spam
After activation you can perform a scan of your site by going to Sucuri Free >> Sucuri Scanning and clicking the Scan this site now! button. It should return an all green and clear report. If not then the plugin gives you some options for getting it clean again.
Harden your WordPress install
This is another important tool that secures some of the vulnerable folders on your WordPress site. Go to Sucuri Free >> 1-click Hardening and click the Harden it! buttons until they are all secured.
Keep this plugin activated for continued protection.
8. Scan your theme for malicious code
The Theme Authenticity Checker (TAC) plugin will scan your theme files to make sure there is nothing threatening your site’s integrity. After activation, visit Appearance >> TAC and the plugin will automatically scan your currently active theme.
If there are any issues, I would recommend using a different theme. Explore some excellent premium WordPress themes.
9. Remove inactive plugins and themes
Inactive plugins and themes present potential entry points for hacking attempts. Deleting them removes these holes and saves you unnecessary updates.
Go to Appearance >> Themes or Plugins >> Installed Plugins to review and delete them.
10. Install the WP Security Scan plugin
The WP Security Scan plugin checks your site for various security vulnerabilities and suggests ways to fix them.
Scan folders for correct permissions
Start a scan by visiting WSD security >> Scanner. The plugin will alert you to any changes that need to be made.
The plugin provides a quick way to change your WordPress password by going to WSD security >> Password Tool.
Backup and change your database prefix
The database sits on the server and stores your theme and plugin settings as well as all the content of your posts and pages.
Start by visiting WSD security >> Database and, in the Database Backup section, click the Backup now! button. You can click the database links on the right-hand side to download them to your computer.
Every WordPress install creates its database tables with a specific prefix (usually wp_). To fix this security vulnerability, enter a short string of random characters into the field and click the Start Renaming button.
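To show what the Start Renaming button has to do behind the scenes, here is an added example (not the plugin’s own code) that renames the prefixed tables on a constructed, in-memory SQLite copy of three WordPress tables and then rewrites the rows whose names carry the prefix inside the data; the table layout and values are simplified and constructed, and on a real site `$table_prefix` in wp-config.php would need changing as well.

```python
import sqlite3


def build_sample_db(prefix="wp_"):
    """Constructed, cut-down copies of three WordPress tables. Note the rows in
    options and usermeta whose *names* embed the prefix: these are why a prefix
    change is more than renaming tables."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE {prefix}posts (ID INTEGER PRIMARY KEY, post_title TEXT);
        CREATE TABLE {prefix}options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        CREATE TABLE {prefix}usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO {prefix}posts VALUES (1, 'Hello world!');
        INSERT INTO {prefix}options VALUES (1, '{prefix}user_roles', 'a:5:{{...}}'), (2, 'siteurl', 'https://example.test');
        INSERT INTO {prefix}usermeta VALUES
            (1, 1, '{prefix}capabilities', 'a:1:{{s:13:"administrator";b:1;}}'),
            (2, 1, '{prefix}user_level', '10'),
            (3, 1, 'nickname', 'editor');
    """)
    return db


def table_names(db):
    return [r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]


def rename_prefix(db, old, new):
    """Move every table from prefix `old` to prefix `new`, then rewrite the option
    names and meta keys that start with the old prefix (wp_user_roles,
    wp_capabilities, wp_user_level, ...). Renaming the tables alone leaves every
    user without a role, i.e. locked out of wp-admin."""
    if not new.endswith("_") or not new.replace("_", "").isalnum():
        raise ValueError("prefix must be alphanumeric and end with an underscore")
    with db:
        for name in table_names(db):
            if name.startswith(old):
                db.execute(f'ALTER TABLE "{name}" RENAME TO "{new}{name[len(old):]}"')
        # substr() comparison rather than LIKE: '_' is a wildcard in LIKE, so
        # 'wp_%' would also match names such as 'wpx_...'.
        for table, column in ((f"{new}options", "option_name"), (f"{new}usermeta", "meta_key")):
            db.execute(
                f'UPDATE "{table}" SET {column} = ? || substr({column}, ?) WHERE substr({column}, 1, ?) = ?',
                (new, len(old) + 1, len(old), old),
            )
    return table_names(db)
```

Take the backup from the previous step before running anything like this against a live database; a half-applied rename leaves the site unable to find its own tables.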
Keep this plugin activated for ongoing protection.
This isn’t necessarily a security issue but certainly one that comes up very often.
Rejoice my friends!
You’re now prepared for the most common attacks on your WordPress domain.
If you have any issues or questions, please let us know in the comments!