How to Secure WordPress
These days you have to be on your toes when it comes to online security. Even though WordPress is widely regarded as one of the best pieces of web software out there, it has its own share of vulnerabilities. This is why you need to implement these tips in order to stay secure.
Note: In this tutorial I’m gonna have you guys paste stuff into a file called .htaccess. If you don’t have a file like that on your server, here’s how to create one. The access directives below (Order, Allow, Deny) are the Apache 2.2 syntax; Apache 2.4 still accepts them only when mod_access_compat is loaded, otherwise use the equivalent Require directives.
1. Open Notepad
2. Save that file as .htaccess, and be sure to change the file type to “All Files”.
3. Paste the pieces of code that I’m going to provide to you into .htaccess through Notepad
4. When you’ve added the code you want, simply upload it to your web server, making sure it’s in the same directory as the wp-admin and wp-content folders (the WordPress root)
1. Check for Vulnerabilities
Before you start to implement security measures, you have to know if your WordPress blog has security holes. The best way to go about checking this is with Sucuri’s free website malware checker. This scanner will check to see if you’ve already been compromised, giving you a good starting point for shoring up your website’s security.
2. Protect Yourself Against SQL Injections
An SQL injection is one of the most popular methods when it comes to hacking a website. Essentially, hackers inject SQL commands somewhere on a page where a normal visitor would interact with the database (like a login form). This injection allows them direct access to the database, giving them the ability to steal all information and wipe the database. To avoid this, put the following code in your .htaccess file.
# Reject requests whose query string tries to smuggle in a <script> tag
# or to overwrite PHP's GLOBALS / _REQUEST superglobals
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# The [F] flag answers with 403 Forbidden; the index.php target is never served
RewriteRule ^(.*)$ index.php [F,L]
This code blocks any request whose query string tries to inject a script tag or to overwrite PHP’s GLOBALS and _REQUEST variables. Keep in mind that it only filters the query string of a URL; the real protection against SQL injection is code that uses prepared statements (in WordPress, $wpdb->prepare()), which is one more reason to keep plugins and themes updated.
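To see exactly what the three RewriteCond lines catch (and what they let through), here is an added Python example that is not part of the original tutorial: it re-implements the same three patterns and runs a handful of constructed sample URLs for a hypothetical site through them. The URLs, the function names and the sample set are all assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# The three RewriteCond patterns from the .htaccess snippet, as Python regexes.
# Apache tests them against the raw, still percent-encoded query string, so this does too.
QUERY_PATTERNS = [
    re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE),  # [NC] flag in Apache
    re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})"),
    re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})"),
]


def blocked_by_rule(url: str) -> bool:
    """True if the rewrite rule would answer this request with 403 (the [F] flag)."""
    query = urlsplit(url).query
    return any(p.search(query) for p in QUERY_PATTERNS)


def classify(urls: list[str]) -> dict[str, bool]:
    """Map each URL to whether the .htaccess rule blocks it."""
    return {u: blocked_by_rule(u) for u in urls}


# Constructed sample requests for a hypothetical site; not real traffic.
SAMPLE_URLS = [
    "https://example.com/?p=12",                                  # ordinary post lookup
    "https://example.com/?s=%3Cscript%3Etest%3C/script%3E",       # encoded <script> tag
    "https://example.com/?GLOBALS[wpdb]=1",                       # superglobal overwrite attempt
    "https://example.com/?_REQUEST%5Bx%5D=1",                     # same, with encoded bracket
    "https://example.com/?search=O'Neil",                         # a quote in input is NOT caught
]

if __name__ == "__main__":
    for url, blocked in classify(SAMPLE_URLS).items():
        print("403" if blocked else "200", url)
```

The last sample is the point to notice: a plain single quote in a search term passes untouched, because the rule never looks for SQL syntax at all. It is a useful tripwire for a few well-known request patterns, not a substitute for safe database code.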
3. Use Security Keys in WP-Config
In your WP-Config file, there are a couple lines of code that look like this:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
These are called security keys; they make your users’ cookies and passwords safer. They are an extra layer of security that makes login cookies and stored passwords much harder to compromise.
To get your own unique security keys, use WordPress.org’s own key generator at https://api.wordpress.org/secret-key/1.1/salt/ and paste its output over the placeholder lines.
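If you would rather not fetch keys from a remote service, the following added Python example (not from the tutorial or from WordPress itself) generates the eight define() lines locally from the operating system’s CSPRNG and also checks an existing wp-config.php for keys that are missing, still the placeholder, or suspiciously short. The character set, the 64-character default length and the 32-character minimum are assumptions chosen for this example.

```python
import re
import secrets

# Constructed character set for this example: printable ASCII without the single quote
# and backslash, so each key can be dropped straight into a single-quoted PHP string.
KEY_CHARS = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\\")

# The eight constants WordPress expects in wp-config.php, in the order shown above.
KEY_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
PLACEHOLDER = "put your unique phrase here"
MIN_LENGTH = 32  # assumption for this audit: anything shorter is treated as weak

# Matches define('NAME', 'value'); the value never contains a single quote.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)\s*;")


def generate_key(length: int = 64) -> str:
    """One key drawn from the OS CSPRNG (the secrets module), never random.random."""
    return "".join(secrets.choice(KEY_CHARS) for _ in range(length))


def render_defines(length: int = 64) -> str:
    """The eight define() lines, ready to paste over the placeholders in wp-config.php."""
    return "\n".join(f"define('{name}', '{generate_key(length)}');" for name in KEY_NAMES)


def weak_keys(wp_config_text: str) -> list[str]:
    """Names of keys that are missing, still the placeholder, or shorter than MIN_LENGTH."""
    found = {m.group(1): m.group(2) for m in DEFINE_RE.finditer(wp_config_text)}
    return [
        name for name in KEY_NAMES
        if found.get(name) is None
        or found[name] == PLACEHOLDER
        or len(found[name]) < MIN_LENGTH
    ]


if __name__ == "__main__":
    print(render_defines())
```

Run it once, paste the printed block into wp-config.php, and note that changing the keys logs every user out, because existing cookies no longer validate; that is also the quickest way to invalidate stolen sessions after an incident.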
4. Hide Your WP-Config File
Your WP-Config file holds extremely sensitive data. Remember that when you installed WordPress, you added your database name and password. Simply put, if someone got their hands on that info then it would be pretty bad. In order to hide your WP-Config file from anyone with malicious intent, paste this in your .htaccess file:
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
5. Hide your .htaccess File
If someone gets a hold of your .htaccess file, then they’ll know what kind of protection you have running. They can see what files you’re protecting and what you left vulnerable. Your .htaccess file holds information about all sorts of things related to website structure like mod_rewrite settings, SetHandler directives, etc. The best way to put a stop to anyone looking for a way in is to protect .htaccess through .htaccess. Paste this in .htaccess to hide .htaccess:
<Files .htaccess>
order allow,deny
deny from all
</Files>
6. Restrict WP-Admin access
You don’t want people to get into wp-admin (for obvious reasons). As a blog owner, you and maybe a couple other people are the only ones who need access to wp-admin. Use the following code, saved in a .htaccess file inside the wp-admin folder, to restrict access to your IP address(es). One caveat: some plugins call wp-admin/admin-ajax.php from the public front end, so add an exception for that file if those plugins stop working.
# Save this in a .htaccess file inside the wp-admin folder, not the site root
order deny,allow
# Replace a.b.c.d with your static IP (Apache comments must sit on their own line)
allow from a.b.c.d
deny from all
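Because a Deny from all that is not wrapped in a <Files> block shuts out the whole site, and an inline comment after a directive is an Apache syntax error, it is worth checking the finished root .htaccess before uploading it. The following added Python example (not from the tutorial) audits the file for tips 4, 5 and 6: it confirms that wp-config.php and .htaccess each have a deny-all inside a <Files> block, flags a deny-all at top level, and flags inline comments. Both sample files are constructed for this illustration; the function name and the set of required files are assumptions.

```python
import re

# One <Files name> container per line, as in the tutorial's snippets.
OPEN_RE = re.compile(r'^<Files\s+"?([^">]+?)"?\s*>$', re.IGNORECASE)
CLOSE_RE = re.compile(r'^</Files>$', re.IGNORECASE)
# Apache 2.2 and 2.4 spellings of "nobody may fetch this".
DENY_RE = re.compile(r'^(deny\s+from\s+all|require\s+all\s+denied)$', re.IGNORECASE)

# Files the tutorial says every visitor must be denied.
REQUIRED = {"wp-config.php", ".htaccess"}


def audit_htaccess(text: str) -> dict:
    """Audit a site-root .htaccess: which sensitive files are covered by a deny-all,
    whether a deny-all sits outside any <Files> block (that locks out the whole
    site), and whether any line carries an inline comment (an Apache syntax error)."""
    protected, problems, stack = set(), [], []
    top_level_deny = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank line or whole-line comment: fine
        if "#" in line:
            problems.append(f"inline comment not allowed: {line}")
            continue
        if m := OPEN_RE.match(line):
            stack.append(m.group(1))
            continue
        if CLOSE_RE.match(line):
            if stack:
                stack.pop()
            continue
        if DENY_RE.match(line):
            if stack:
                protected.add(stack[-1])   # deny applies to the enclosing <Files> target
            else:
                top_level_deny = True      # deny applies to every file in the directory
    return {
        "protected": sorted(protected),
        "missing": sorted(REQUIRED - protected),
        "top_level_deny": top_level_deny,
        "problems": problems,
    }


# Constructed root .htaccess for a hypothetical site, with both files wrapped correctly.
GOOD_HTACCESS = """\
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
<Files .htaccess>
order allow,deny
deny from all
</Files>
"""

# Same directives without the <Files> wrapper plus an inline comment: this version
# would return 403 for every page of the site and the last line would be misread by Apache.
BAD_HTACCESS = """\
Order Allow,Deny
Deny from all
allow from 203.0.113.5 # This is your static IP
"""

if __name__ == "__main__":
    for label, content in (("good", GOOD_HTACCESS), ("bad", BAD_HTACCESS)):
        print(label, audit_htaccess(content))
```

Run it against the file you are about to upload; an empty "missing" list, a false "top_level_deny" and no "problems" is the result you want for the root .htaccess. The wp-admin file from tip 6 is a separate directory-level file where a top-level deny is intended, so audit only the root file with this check.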
7. Keep WordPress, Themes, and Plugins Updated
One of the most important tips when it comes to keeping WordPress secure is to make sure that everything is up to date. Official WordPress, theme, and plugin developers are always updating their work to make sure it is as safe as possible. You can only take advantage of this added security if you keep updating.
All of these are really simple tips that go a long way when it comes to protecting your website from hackers. If you use the above steps your website will be safe from people looking to cause trouble.