
Sunday 14 December 2014

11 WordPress Security Tips For Beginners and Admins

WordPress is, without a doubt, one of the most popular publishing platforms. More than 70 million websites from around the world use WordPress to run their blogs, including big names like The New York Times, CNN, Mashable, and eBay. WordPress is one of the easiest and most powerful content management systems (CMS) in existence today, but as with any widely used software, its popularity can make it a target for hackers. Fortunately, there are a few easy things you can do to secure your site from the majority of attacks. Here are seven WordPress security tips to keep in mind.

1. Get rid of the “admin” user.

If there is one golden rule of WordPress security, it is probably this: never use the default “admin” user. Obviously, on any WordPress site you’ll have at least one user with “Administrator” privileges, but make sure that username is something other than the default “admin.” By leaving the default in place, you hand an attacker half of the credential pair and leave them only the password to guess.

If you DO currently have a user named “admin” on your WordPress site, simply set up a new user with a unique name and password, and give them administrative access. Then log in as that new user and delete the old “admin” user. Be sure to attribute any old content that was posted by the “admin” user to your new username.

2. Use strong, unique passwords.

This is true for ANY site you use across the Internet. You’ve probably heard news stories about mass data breaches by Russian crime rings and the Heartbleed security bug. Choosing strong, unique passwords for each site you register for, and changing them regularly, is one of the best things you can do to stay safe and secure online. Does the thought of remembering all of those passwords make you crazy? Use a secure password manager like LastPass to make sense of the madness and help you generate unique passwords for the sites you use.

3. Simplify WordPress security with a powerful tool.

WordPress security is complex, and many of the more technical aspects are beyond what an average user might feel comfortable implementing themselves. Luckily, there are handy tools and security plugins built to simplify this process. Use a plugin like iThemes Security or BulletProof Security to secure your site from most attacks in just a few steps.

4. Stay up to date.

One of the most important things you can do with any type of software, in terms of security, is keep it up to date. Software developers are constantly releasing security patches and updates, and WordPress is no exception. Make sure you’re running the latest version of WordPress, and keep plugins up to date as well. It typically takes only a few clicks and less than a minute to do so.

5. Keep plugins to a minimum.

The more bells and whistles, the more chances there are that something can break. Extra plugins, even inactive ones, can become a security risk if they become outdated. In the world of WordPress, typically when something goes wrong with your site, the problem can be traced back to an old plugin or multiple plugins that don’t play nice with each other. Delete unused plugins and keep the number of plugins you have installed on your WordPress site to just the essentials.

6. Use a secure hosting company.

Your site is only as secure as the server it’s hosted on. Look for hosting companies that make security a top priority and offer support for the latest PHP and MySQL versions, as well as firewalls and intrusion detection systems. In the event that your site gets hacked, does your hosting provider offer support for that? If not, it may be time to look for another hosting company.

7. Never use “admin” as your username.

Earlier this year, there was a spate of brute-force attacks launched at WordPress websites across the web, consisting of repeated login attempts using the username ‘admin’, combined with a bunch of common passwords.

If you use “admin” as your username, and your password isn’t strong enough (see #3), then your site is very vulnerable to a malicious attack. It’s strongly recommended that you change your username to something less obvious.

Until version 3.0, installing WordPress automatically created a user with “admin” as the username. This was updated in version 3.0 so you can now choose your own username. Many people still use “admin” as it’s become the standard, and it’s easy to remember. Some web hosts also use auto-install scripts that still set up an ‘admin’ username by default.

Fixing this is simply a case of creating a new administrator account for yourself using a different username, logging in as that new user and deleting the original “admin” account.

If you have posts published by the “admin” account, when you delete it, you can assign all the existing posts to your new user account.

8. Limit login attempts.

In the case of a hacker or a bot attempting a brute-force attack to crack your password, it can be useful to limit the number of failed login attempts from a single IP address.

The Limit Login Attempts plugin does just that, allowing you to specify how many retries will be allowed, and how long an IP will be locked out for after too many failed login attempts.

There are ways around this, as some attackers will use a large number of different IP addresses, but it’s still worth doing as an additional precaution.
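To make the mechanism and its limitation concrete, here is an added example (not the Limit Login Attempts plugin's code and not WordPress code): a standalone Python model of a per-IP failed-login counter with a lockout window, replayed over a constructed sample of login events. The retry count and lockout length are assumed values chosen for the example, and the event format is invented for the sample. The last four events come from different addresses, each staying under the threshold, which is exactly the distributed-attacker caveat described above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events (not taken from any real log).
# Format (invented for this example): ISO timestamp, client IP, username tried, outcome.
SAMPLE_EVENTS = """\
2014-12-14T10:00:01 203.0.113.5 admin FAIL
2014-12-14T10:00:03 203.0.113.5 admin FAIL
2014-12-14T10:00:05 203.0.113.5 admin FAIL
2014-12-14T10:00:07 203.0.113.5 admin FAIL
2014-12-14T10:00:09 203.0.113.5 admin FAIL
2014-12-14T10:00:11 203.0.113.5 admin FAIL
2014-12-14T10:15:00 198.51.100.7 editor FAIL
2014-12-14T10:15:20 198.51.100.7 editor OK
2014-12-14T10:30:00 192.0.2.10 admin FAIL
2014-12-14T10:30:01 192.0.2.11 admin FAIL
2014-12-14T10:30:02 192.0.2.12 admin FAIL
2014-12-14T10:30:03 192.0.2.13 admin FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")


class LoginLimiter:
    """Per-IP consecutive-failure counter with a lockout window.

    max_retries and lockout are assumed example settings, not the plugin's defaults.
    """

    def __init__(self, max_retries=4, lockout=timedelta(minutes=20)):
        self.max_retries = max_retries
        self.lockout = lockout
        self.failures = defaultdict(int)  # ip -> consecutive failed attempts
        self.locked_until = {}            # ip -> datetime at which the lockout expires

    def handle(self, when, ip, outcome):
        """Decide one attempt: LOCKED, ALLOWED, FAILED or LOCKOUT_STARTED."""
        until = self.locked_until.get(ip)
        if until is not None:
            if when < until:
                return "LOCKED"  # inside the lockout window: rejected before any password check
            del self.locked_until[ip]  # window expired, start counting afresh
            self.failures[ip] = 0
        if outcome == "OK":
            self.failures[ip] = 0
            return "ALLOWED"
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_retries:
            self.locked_until[ip] = when + self.lockout
            self.failures[ip] = 0
            return "LOCKOUT_STARTED"
        return "FAILED"


def replay(text, limiter=None):
    """Feed each sample line through the limiter; return (ts, ip, user, decision) tuples."""
    limiter = limiter or LoginLimiter()
    decisions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, outcome = m.groups()
        decisions.append((ts, ip, user, limiter.handle(datetime.fromisoformat(ts), ip, outcome)))
    return decisions


def locked_ips(decisions):
    """Addresses that triggered a lockout during the replay."""
    return sorted({ip for _, ip, _, d in decisions if d == "LOCKOUT_STARTED"})


def attempts_reaching_password_check(decisions, user):
    """How many attempts against `user` were actually evaluated (i.e. not rejected as LOCKED)."""
    return sum(1 for _, _, u, d in decisions if u == user and d != "LOCKED")


if __name__ == "__main__":
    for ts, ip, user, decision in replay(SAMPLE_EVENTS):
        print(ts, ip, user, decision)
    print("locked:", locked_ips(replay(SAMPLE_EVENTS)))
```

In the replay, the single noisy address is locked out after its fourth failure and its next two attempts are rejected without a password check, while the four attempts spread over four addresses are all evaluated: per-IP counting alone never sees them as one campaign, which is why the plugin is a worthwhile extra precaution rather than a complete defence.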

9. Disable file editing via the dashboard

In a default WordPress installation, you can navigate to Appearance > Editor and edit any of your theme files right in the dashboard.

The trouble is, if a hacker managed to gain access to your admin panel, they could also edit your files that way, and execute whatever code they wanted to.

So it’s a good idea to disable this method of file editing, by adding the following to your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true ); // use straight ASCII quotes: typographic quotes are not valid PHP string delimiters
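A small audit script helps confirm the setting actually took effect, because a define() written with typographic quotes (as often happens when the line is copied from a web page) is not a valid PHP string literal and does not disable the editor. The following is an added example, not part of this post or of WordPress: a Python check that parses the define() lines of a wp-config.php and reports the state of DISALLOW_FILE_EDIT. The three configuration fragments are constructed for the example.

```python
import re

# Constructed wp-config.php fragments (not from any real site).
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'WP_DEBUG', false );
"""

# Same setting copied with typographic quotes: PHP does not treat this as a string literal.
CURLY_QUOTES_CONFIG = """<?php
define( \u2018DISALLOW_FILE_EDIT\u2019, true );
"""

HARDENED_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DISALLOW_FILE_EDIT', true );
define( 'WP_DEBUG', false );
"""

# Matches define( '<NAME>', <true|false|'string'|"string"|integer> );
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])([A-Z0-9_]+)\1\s*,\s*(true|false|'[^']*'|"[^"]*"|\d+)\s*\)\s*;""",
    re.IGNORECASE,
)

TYPOGRAPHIC_RE = re.compile(r"define\s*\(\s*[\u2018\u2019\u201c\u201d]DISALLOW_FILE_EDIT")


def parse_defines(source):
    """Return {NAME: value} for every well-formed define() call in the file."""
    found = {}
    for m in DEFINE_RE.finditer(source):
        raw = m.group(3)
        if raw.lower() in ("true", "false"):
            value = raw.lower() == "true"
        elif raw[0] in "'\"":
            value = raw[1:-1]
        else:
            value = int(raw)
        found[m.group(2).upper()] = value
    return found


def audit_file_editing(source):
    """Return (ok, message) describing whether dashboard file editing is disabled."""
    defines = parse_defines(source)
    if defines.get("DISALLOW_FILE_EDIT") is True:
        return True, "DISALLOW_FILE_EDIT is true: the theme/plugin editor is disabled"
    if TYPOGRAPHIC_RE.search(source):
        return False, ("DISALLOW_FILE_EDIT is present but written with typographic quotes; "
                       "replace them with straight ASCII quotes")
    return False, "DISALLOW_FILE_EDIT is missing or not true: the editor is reachable from the dashboard"


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], encoding="utf-8") as fh:
        ok, msg = audit_file_editing(fh.read())
    print(("PASS: " if ok else "FAIL: ") + msg)
```

Run it as `python audit.py /path/to/wp-config.php` (file name assumed). The same parser can be pointed at any other constant you care about; WordPress also provides the stricter DISALLOW_FILE_MODS constant, which additionally blocks installing and updating plugins and themes from the dashboard.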

10. Keep a backup.

I can’t overemphasize the importance of making regular backups of your website. This is something that many people put off until it’s too late.

Even with the best security measures at your disposal, you never know when something unexpected could happen that might leave your site open to an attack.

If that happens you want to make sure all of your content is safely backed up, so that you can easily restore your site to its former glory.

The WordPress Codex tells you exactly how to back up your site, and if that seems like too much hard work, you can use a plugin such as WordPress Backup to Dropbox to schedule regular automatic backups.

11. Try to avoid free themes

We’re confident in the quality and security of our free themes. As a general rule though, it’s better to avoid using free themes, if possible, especially if they aren’t built by a reputable developer.

The main reason for this is that free themes often contain base64-encoded code, which may be used to sneakily insert spam links into your site, or other malicious code that can cause all sorts of problems, as shown in this experiment, where 8 out of 10 sites reviewed offered free themes containing base64 code.

If you really need to use a free theme, you should only use those developed by trusted theme companies, or those available on the official WordPress.org theme repository.

Note: The same logic applies to plugins. Only use plugins that are listed on WordPress.org, or built by a well-established developer.
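Before activating a theme or plugin from an unknown source, it is worth scanning its PHP files for the encoded-payload patterns the post describes. The following is an added example, not from this post or from any theme vendor: a Python scanner that walks a theme's PHP files and flags base64/decoding constructs by severity, exercised here on a constructed set of sample files (the file contents are invented for the example; the decoded payload in them is harmless). The scanner flags indicators for review, not a verdict: legitimate code occasionally uses base64_decode, so findings need a human look.

```python
import os
import re

# Constructed sample theme files (strings standing in for files on disk; not real theme code).
SAMPLE_THEME = {
    "functions.php": "<?php\nadd_action('wp_footer', 'theme_footer');\n"
                     "function theme_footer() { echo '<p>Footer</p>'; }\n",
    "footer.php": "<?php\n$c = 'c29tZSBvYmZ1c2NhdGVkIGNvbnRlbnQ=';\neval(base64_decode($c));\n",
    "header.php": "<?php\n$html = base64_decode('PGEgaHJlZj0iaHR0cDovL2V4YW1wbGUuY29tIj5saW5rPC9hPg==');\n"
                  "echo $html;\n",
    "style.css": "/* Theme Name: Sample */\n",
}

DECODERS = r"(base64_decode|gzinflate|gzuncompress|str_rot13)"

# Ordered from most to least severe; the first match on a line is reported.
SUSPICIOUS = [
    (re.compile(r"\beval\s*\(\s*" + DECODERS + r"\s*\("), "high", "eval() of decoded data"),
    (re.compile(r"\b" + DECODERS + r"\s*\("), "medium", "decoding function call"),
    (re.compile(r"""['"][A-Za-z0-9+/]{24,}={0,2}['"]"""), "low", "long base64-looking literal"),
]

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def scan_source(name, source):
    """Return (file, line number, severity, reason) for each suspicious line in one file."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern, severity, reason in SUSPICIOUS:
            if pattern.search(line):
                findings.append((name, lineno, severity, reason))
                break  # report only the most severe indicator per line
    return findings


def scan_theme(files):
    """Scan a {relative path: source} mapping, looking only at PHP files."""
    findings = []
    for name, source in files.items():
        if name.endswith(".php"):
            findings.extend(scan_source(name, source))
    return findings


def scan_directory(root):
    """Load every .php file under `root` and scan it (assumes a theme directory on disk)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.endswith(".php"):
                path = os.path.join(dirpath, n)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(path, root)] = fh.read()
    return scan_theme(files)


def worst_severity(findings):
    """Highest severity present, or 'none' when the scan is clean."""
    return max((f[2] for f in findings), key=SEVERITY_RANK.get, default="none")


if __name__ == "__main__":
    results = scan_theme(SAMPLE_THEME)
    for name, lineno, severity, reason in results:
        print(f"{severity:6} {name}:{lineno}  {reason}")
    print("overall:", worst_severity(results))
```

On the sample set the clean functions.php produces nothing, the eval-of-decoded-data line in footer.php is rated high, and the plain base64_decode in header.php is rated medium; an overall rating of high is a strong reason not to activate the theme until someone has read the flagged lines. To scan a real theme, call scan_directory() with the path of its folder under wp-content/themes (path assumed).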


Don’t Panic!
This may all sound pretty intimidating, especially if you’re a beginner. I’d like to point out that it’s not intended to scare anyone; it’s just important to discuss the topic of security regularly, as we want to make sure you stay one step ahead of the hackers!

You don’t have to do everything on this list (although it certainly wouldn’t hurt). Even if you just remove the ‘admin’ username and start using stronger passwords, your site will be that little bit safer.


1 Responses to “11 WordPress Security Tips For Beginners and Admins”

Abid Bhatti said...
15 December 2016 at 01:10

This is informative stuff; I just enjoyed your write-up, and after reading it I grabbed some knowledge from it. Thanks for this wonderful share.

Regards
Abid Bhatti
WordPress Hosting
