Posted: October 5, 2013 in All Category, WordPress

Because WordPress is extremely popular and widely used, it is also one of the most exploited pieces of web-based software. So, I decided to put down a few lines of tips and tricks on how to secure that beloved WordPress site of yours.

Keep WordPress & plugins updated at all times
WordPress is updated as soon as a security issue is identified. Updating WordPress is very easy: just log in to your admin dashboard and the home page should give you an option to update your installation. The same applies to all plugins and themes that you use. The built-in WordPress update utility makes the entire process of updating your installation extremely easy. Do not forget to back up your database and files before updating. Nothing is worse than a broken WP site.

Only use essential plugins
This is perhaps one of the most common reasons why WordPress sites get hacked so frequently. The WordPress plugin directory is undoubtedly a great resource, but it should be noted that many of these plugins are not coded by professional developers and carry numerous loopholes and vulnerabilities. It is very important that you use only the plugins that you actually need. Check the reviews and ratings of plugins before installing them.

Change your username and password
The default WordPress admin username is "admin"; you should change this to something else. Create a new user from your dashboard, assign that user admin privileges and then remove the default admin user from your WordPress installation. There's also nothing worse than having "myname123" as your password. Use something like StrongPasswordGenerator to create a strong password for each of your users.

Restrict admin login
If you use a dedicated IP address at your home/workplace or access the web through a VPN, you can lock down access to the wp-admin folder to your IPs only. To restrict logins based on IPs, do the following: add a .htaccess file to the root folder of your WordPress installation, open the file and place the following code inside it:

<Files wp-login.php>
# Deny everyone by default, then whitelist individual addresses
Order deny,allow
Deny from all

# whitelist First IP Address
Allow from xx.xxx.xx.xx

# whitelist Second IP Address
Allow from xx.xxx.xx.xx
</Files>

N.B.: xx.xxx.xx.xx stands for your own public IP address. Look it up before adding it, because an address that is not yours will lock you out of your own login page.
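The Order/Deny/Allow directives above belong to Apache 2.2; Apache 2.4 replaced them with Require, and a 2.2-style block on a 2.4 server will either be ignored or produce a 500 error unless mod_access_compat is loaded. The following is an added example, not code from the original post, that carries the same rule in both syntaxes and lets Apache pick the right branch by testing for mod_authz_core (present on 2.4 and later). The two addresses are constructed placeholders from the RFC 5737 documentation ranges, not real clients.

```apache
# .htaccess in the WordPress root: restrict wp-login.php to known addresses.
# Added example; replace the placeholder addresses (RFC 5737 documentation
# ranges, constructed for this example) with your own public IP(s).
<Files wp-login.php>
    # Apache 2.4+: mod_authz_core is present, so use Require.
    # Several Require lines inside a <Files> block are OR-ed together.
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.0/24
        Require ip 198.51.100.7
    </IfModule>

    # Apache 2.2: no mod_authz_core, so fall back to Order/Deny/Allow.
    # With "Order deny,allow" the Allow lines are evaluated last and win.
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 203.0.113.0/24
        Allow from 198.51.100.7
    </IfModule>
</Files>
```

Two caveats worth checking before relying on this: if the site sits behind a CDN or reverse proxy, Apache sees the proxy's address rather than the visitor's, so the rule will block everyone (including you) until the real client address is restored, for example with mod_remoteip. And if you apply the same idea to the whole wp-admin directory instead of just wp-login.php, leave wp-admin/admin-ajax.php reachable, because front-end plugins and themes call it on behalf of anonymous visitors.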

Use the Login LockDown Plugin
Login LockDown acts as a firewall: if it detects too many failed logins to your wp-admin dashboard from a single IP, it will block that IP from accessing the login page. You can also modify the duration of the block.

Change your secret keys
Open your wp-config.php file and find the following four lines of code:

define('AUTH_KEY', '');
define('SECURE_AUTH_KEY', '');
define('LOGGED_IN_KEY', '');
define('NONCE_KEY', '');

Simply visit https://api.wordpress.org/secret-key/1.1 and copy the four generated keys into your wp-config.php file, replacing the empty values. These security keys are used to encrypt your password.

Use the AskApache Plugin
AskApache adds an additional layer of security to your WordPress folders. The following is a quote from their official website:

"AskApache Password Protect adds some serious password protection to your WordPress Blog. Not only does it protect your wp-admin directory, but also your wp-includes, wp-content, plugins, etc. plugins as well. Imagine a HUGE brick wall protecting your frail .php scripts from the endless attacks of automated web robots and password-guessing exploit-serving virii. Forget spam, these millions of zombie bots are too outrageous to ignore, they are attempting known (but strangely outdated) exploits looking for known vulnerabilities against blogs and other Internet software. Sooner or later some poor blogger is going to miss an upgrade and become a victim to this type of video-game-like attack."

Make daily backups
Disaster strikes, and when it strikes, it strikes hard. You should always keep up-to-date backups of your WordPress installation. Use something like WordPress Backup to Dropbox. Just choose a day, a time and how often you wish your backup to be performed, then kick back and wait for your website's files and a SQL dump of its database to be dropped in your Dropbox! You can set where you want your backup stored within Dropbox and on your server, as well as choose which files or directories, if any, you wish to exclude from the backup.
