3 Tips to Make WordPress More Secure
When it comes to WordPress, it’s always been a bit of a security risk. By its very nature, WordPress is somewhat insecure: its core is essentially a set of PHP files (many of which are publicly accessible and protected only by server-side permissions) that connect to a database which also accepts requests from those files—not exactly the recipe for a secure system.
Oddly enough, WordPress is still quite secure for what it is. The WordPress.org team does a great job of putting out free updates and making it better with each iteration. On top of that, there are best practices, plugins, and other things that a person can do to make WordPress much more secure.
Now, this by no means is an exhaustive or comprehensive list, but here are three things you can do right away to make WordPress much more secure.
Restrict Access to Your WordPress Admin Panel with .htaccess
If you’ve got an Apache server running cPanel, you have a .htaccess file in the public_html folder of your web server. In case you don’t know, .htaccess is the file that sets server access rules as well as redirect rules.
The nice thing about .htaccess is that it can be used to limit access to the back end of your WordPress site: both the /wp-admin/ folder and the wp-login.php file. Here’s how to do it:
1) Add the following lines to the .htaccess file in your public_html folder:
# limit access to the login file
<Files wp-login.php>
Order deny,allow
Allow from [example IP here]
Allow from [example IP #2 here]
Deny from all
</Files>
Then, create a .htaccess file inside your /wp-admin/ folder, and add the following lines:
# alternative IP block method
<Limit GET POST PUT>
Order deny,allow
Allow from [example IP here]
Allow from [example IP #2 here]
Deny from all
</Limit>
# protect the .htaccess file itself
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
All you do for this step is replace [example IP here], brackets included, with an IP address that you want to allow to reach the admin area, for example your home or office. With these two .htaccess files in place, your server won’t allow anyone to reach the back end of your WordPress site unless they are coming from a whitelisted IP address.
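A small model of the two rule sets above, added here as an example (it is not part of the original post): it evaluates Apache’s Order deny,allow and Order allow,deny semantics so you can check which client addresses each file would admit before deploying it, and it emits the Apache 2.4 native Require ip form, since Order/Allow/Deny are Apache 2.2 directives that only work on 2.4 when mod_access_compat is loaded. The whitelist addresses are constructed samples.

```python
import ipaddress

# Constructed sample whitelist: replace with your own addresses or CIDR ranges.
WHITELIST = ["203.0.113.10", "198.51.100.0/24"]


def _matches(client, spec):
    """True if client falls under an Allow/Deny spec: 'all', one IP, or a CIDR range."""
    if spec == "all":
        return True
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        # Catches e.g. an "[example IP here]" placeholder left in the file.
        raise ValueError(f"invalid address in rule: {spec!r}") from None
    return ipaddress.ip_address(client) in net


def allowed(client, order, allow=(), deny=()):
    """Decide a request under Apache's (2.2-style) Order directive.
    deny,allow: default allow; a matching Allow overrides any Deny.
    allow,deny: default deny; a matching Deny overrides any Allow."""
    allow_hit = any(_matches(client, s) for s in allow)
    deny_hit = any(_matches(client, s) for s in deny)
    if order == "deny,allow":
        return allow_hit or not deny_hit
    if order == "allow,deny":
        return allow_hit and not deny_hit
    raise ValueError(f"unknown Order value: {order!r}")


def login_allowed(client, whitelist=WHITELIST):
    """The wp-login.php / wp-admin rules: Order deny,allow + Allow from <ips> + Deny from all."""
    return allowed(client, "deny,allow", allow=whitelist, deny=["all"])


def htaccess_readable(client):
    """The 'protect the .htaccess file' rules: Order allow,deny + Deny from all."""
    return allowed(client, "allow,deny", deny=["all"])


def render_apache24(whitelist=WHITELIST, filename="wp-login.php"):
    """Apache 2.4 native equivalent of the wp-login.php block (no mod_access_compat needed)."""
    for spec in whitelist:
        ipaddress.ip_network(spec, strict=False)  # fail early on a leftover placeholder
    return f'<Files "{filename}">\n    Require ip {" ".join(whitelist)}\n</Files>\n'


if __name__ == "__main__":
    for ip in ["203.0.113.10", "198.51.100.77", "192.0.2.5"]:
        print(ip, "login:", login_allowed(ip), ".htaccess:", htaccess_readable(ip))
    print(render_apache24())
```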
Can this be annoying if you occasionally need to access your site from somewhere other than your home or office IP? Sure, but how often does that really happen? Unless you do a lot of posting from your mobile (which isn’t very common), the added level of security is well worth the convenience trade-off.
Install a WordPress Plugin That Limits Login Attempts
If you’ve gone ahead and locked down access to the site using the .htaccess file, it’s very unlikely that anyone would even be able to get to the login screen for WordPress. But, there’s always the possibility that you leave your computer unattended, or something else happens that causes you to leave your login screen up while you’re not around.
To cover these cases, it’s good to have a plugin that limits login attempts on the WordPress login page. Our favorite plugin is Login Lockdown by Michael VanDeMar.
With this plugin (and other similar plugins that limit login attempts), you simply install it like any other WordPress plugin and then configure it to your liking, including the number of login attempts allowed before a block is enacted and various other options. In our opinion these plugins aren’t good enough by themselves, so don’t rely on them alone—but the combination of the IP restriction and a plugin that limits login attempts is typically pretty secure.
Don’t Leave Your Username as “Admin”
This should be pretty obvious—most people know that picking a good username and password combination is key to having any kind of secure system, but in WordPress it seems people often forget about this.
Many software programs use “admin” as the default username, and this is not good. A lot of hackers and bad apples know this, so they’ll try to brute-force their way into the WordPress installation with the default username and various password combinations. If you have nothing in place to limit login attempts or restrict access by IP address, you might be in for an unfortunate surprise. So—always pick a good username/password combination, and never let the username be “admin.”