WordPress is a great CMS, and we use it for this blog. It is the most popular CMS on the Internet today, used for blogs, company websites and eCommerce among other things. When software is this popular it attracts attention, both positive and negative, and a site built on WordPress has to take basic security measures of its own. Relying entirely on WordPress to provide security is dangerous and leads to hacked websites. Managed WordPress hosting is a good way to let the service provider handle updates and basic security, but there are still things you can do yourself. Today we've put together the top 7 security tips and tweaks for WordPress-based blogs, websites and eCommerce sites.
1. Update WordPress and Plugins
WordPress offers one-click updates; use them as soon as an update appears. Most take less than a few minutes, and releases often carry security fixes whose details become public the moment they ship, so a site that lags behind is running a known hole. The same applies to plugins and themes, which can be updated just as easily from the WordPress admin panel. Delete plugins and themes you no longer use rather than leaving them inactive, because their files stay on the server and remain reachable. Take a backup before updating. SiteGround has a tutorial on how to update WordPress and plugins here.
2. Create strong passwords
This applies not just to WordPress but to every online account protected by a password. A weak or reused password is the easiest way for hackers to get into your account, and a correctly guessed password looks like a normal login to the server. Use a different password for each site. Lifehacker has a great tutorial on creating a strong password that is also easy to remember.
3. Add Two-Factor Authentication
If you use Gmail or Yahoo Mail you may already know two-factor authentication: after you enter your password, the site asks for a one-time code that is generated by an app on your phone or sent to you by text message, so only someone holding your device can produce it. If a hacker gets hold of your WordPress password, they still cannot get into your account without that second code. WordPress does not include this in core; add it with a two-factor authentication plugin, and prefer an authenticator app over SMS where the plugin offers both.
4. Restrict bots and unwanted visitors
Automated bots scan sites for known vulnerabilities they can exploit, guess login passwords, or simply consume bandwidth. The .htaccess file WordPress creates by default only handles pretty permalinks; add the comprehensive server-side 5G blacklist by Perishable Press to it so that requests with malicious-looking query strings, request URIs, user agents and request methods are rejected by Apache before they ever reach PHP. Test the site after installing it, since any blocklist can occasionally reject a legitimate plugin request.
5. Restrict access to directories and wp-content
Disable directory browsing, so that a request for a folder with no index file does not list its contents, by adding the directive Options -Indexes to the .htaccess file in your WordPress root. Note that .htaccess rules only apply to Apache (and compatible servers such as LiteSpeed); nginx ignores the file entirely.
Disable direct requests to the /wp-content/ directory, while still serving the images, scripts and stylesheets a page needs, by creating a .htaccess file in /wp-content/ with the code below. Add any other file types your theme serves directly (fonts, SVG, XML) to the list, or those requests will return 403. The Order/Deny/Allow directives are the Apache 2.2 form; on Apache 2.4 they require mod_access_compat, or use Require all denied and Require all granted instead.
Order deny,allow
Deny from all
<Files ~ "\.(jpg|gif|png|js|css)$">
Allow from all
</Files>
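The three .htaccess files for this tip together, as an added example that is not code from the original post. It assumes Apache with AllowOverride All for the site; each IfModule pair selects the Apache 2.4 (mod_authz_core) or the older 2.2 syntax automatically, so the same file works on both. The extension list is the one above plus a few assets themes commonly load; trim or extend it to what your theme actually serves. The third file, for /wp-content/uploads/, goes beyond the post: uploads are the one place untrusted users can write files, so scripts there should never be served even if the rules above are later relaxed.

```apache
# Added example (not from the original post). Assumes Apache with AllowOverride All.

# --- /.htaccess in the WordPress root: no automatic directory listings ---
Options -Indexes

# --- /wp-content/.htaccess: refuse direct requests except for static assets ---
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
# Extensions from the post plus assets themes commonly load; adjust to your theme.
<Files ~ "\.(jpg|jpeg|gif|png|ico|js|css|woff|woff2|svg|xml)$">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Allow from all
    </IfModule>
</Files>

# --- /wp-content/uploads/.htaccess: never serve scripts from the upload directory ---
# If an upload filter is ever bypassed, a dropped .php file still cannot be
# invoked through the web server, because Apache refuses the request outright.
<Files ~ "\.(php[0-9]?|phtml)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>
```

After saving the files, request an image under /wp-content/uploads/ (expect 200), a plugin .php file under /wp-content/plugins/ directly (expect 403), and a normal page of the site, to confirm that nothing the theme needs has been caught by the allowlist.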
6. Add another layer of security for WordPress admin page
Depending on the control panel you are using (cPanel and Plesk both offer a directory password option, or you can add the rules to .htaccess yourself), password-protect the wp-admin directory with HTTP Basic authentication. This puts a second login, one that WordPress never sees, in front of the dashboard, so an attacker who has obtained a WordPress password still cannot reach it. Two caveats: wp-admin/admin-ajax.php is also requested by logged-out visitors whenever a theme or plugin uses AJAX on the public site, so it must be excepted or those features break; and wp-login.php lives in the site root, outside wp-admin, so it needs the same protection separately.
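The .htaccess rules behind that control-panel option, with the admin-ajax.php exception and the wp-login.php rule, as an added example that is not code from the original post. It assumes Apache with AllowOverride All and a password file at /home/example/.htpasswd (a made-up path; keep the real one outside the web root) created with the Apache htpasswd utility.

```apache
# Added example (not from the original post). Assumes AllowOverride All and a
# password file created with:  htpasswd -c /home/example/.htpasswd dashboard-user

# --- /wp-admin/.htaccess: HTTP Basic auth in front of the dashboard ---
AuthType Basic
AuthName "WordPress dashboard"
AuthUserFile /home/example/.htpasswd
Require valid-user

# admin-ajax.php is hit by anonymous visitors whenever a theme or plugin uses
# AJAX on the public site, so it stays reachable without the Basic auth prompt.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
        Satisfy any
    </IfModule>
</Files>

# --- /.htaccess in the WordPress root: wp-login.php sits outside /wp-admin/ ---
<Files wp-login.php>
    AuthType Basic
    AuthName "WordPress dashboard"
    AuthUserFile /home/example/.htpasswd
    Require valid-user
</Files>
```

Use a username and password for the Basic auth prompt that differ from the WordPress login, otherwise the second layer protects nothing once the first password leaks. Because the credentials travel as a base64 header on every request, serve the site over HTTPS.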
7. Change default admin user
Most users keep the default settings, but this makes the hacker's job easier. Many installers create the first account with the username admin, and that is the first name a password-guessing bot tries, so keeping it hands the attacker half of the login. WordPress does not let you rename a user from the dashboard: create a new administrator account with a username you can remember, log in as it, then delete the old admin user and, when asked, attribute its posts to the new account. Pick a login name that differs from your public display name, since the display name appears on every post.