Essential WordPress Security Tips To Keep Your Site Safe

WordPress Security Tips
Written by Karan Arya
(Last Updated On: May 17, 2019)

WordPress is the most popular content management system (CMS) on the Internet. Its source code is open and mirrored on GitHub, so anyone, attackers included, can study it for bugs, and a single working exploit can be replayed against the millions of sites that have not patched. That is why every WordPress owner needs a few basic security habits, which is what this post is about.

In this post, I'm sharing some beginner tips to secure your WordPress blog. They are basic, but skipping them is how many bloggers end up losing their site to an attacker.

Most WordPress break-ins are not sophisticated. They rely on outdated plugins and themes, weak or reused passwords, and well-known bugs such as SQL injection in third-party code.

The single most effective thing you can do is keep WordPress core, your theme and every plugin on the latest version. Here are a few other things you can do to improve the security of your WordPress blog.

#1. Don't run your blog as "admin"

Older WordPress versions created a default administrator account called "admin", and many installs still have it, which is why brute-force tools try that username first. Create a separate administrator account for yourself, log in as that user, and then delete "admin" (reassigning its posts to the new account) or, at minimum, demote it from "administrator" to "subscriber".

You can either pick a random username, or enable single sign-on with Jetpack and log into your self-hosted blog with your WordPress.com account. Either way, use a long, unique password: usernames are not secret (the author archive URL and /?author=1 redirect reveal them), so renaming the account only removes one guess from the attacker's list.

#2. Hide your WordPress version from the world

By default WordPress prints its version number in a <meta name="generator"> tag in the <head> of every page, which makes it trivial for a scanner to spot an outdated, unpatched install.

Most theme designers remove it these days, but to make sure, add this line to your theme's functions.php:

<?php remove_action('wp_head', 'wp_generator'); ?>
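That one-liner only removes the <head> tag. As an added example (not code from the original post), here is the same idea extended to the two other places WordPress core prints its version, the RSS/Atom feed generator element and the ?ver= query string on core scripts and styles. It uses only WordPress core functions; the helper name minidea_strip_core_version is made up for this example.

```php
<?php
// Added example, not from the original post. Put it in the theme's
// functions.php (after the opening <?php it already has) or in an mu-plugin.

// 1. <meta name="generator" content="WordPress 5.x"> in the HTML head.
remove_action('wp_head', 'wp_generator');

// 2. <generator> in RSS/Atom feeds: wp_generator() and the feed templates
//    both pass their output through this filter, so blank it.
add_filter('the_generator', '__return_empty_string');

// 3. ?ver=5.x.x appended to core stylesheet and script URLs. Only strip it
//    when it equals the core version, so plugin/theme cache-busting still
//    works. (minidea_strip_core_version is a hypothetical name.)
function minidea_strip_core_version($src) {
    $parts = wp_parse_url($src);
    if (empty($parts['query'])) {
        return $src;
    }
    parse_str($parts['query'], $args);
    if (isset($args['ver']) && $args['ver'] === get_bloginfo('version')) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src',  'minidea_strip_core_version', 9999);
add_filter('script_loader_src', 'minidea_strip_core_version', 9999);
```

Treat this as a speed bump, not a defence: scanners can still fingerprint the version from the hashes of static files under /wp-includes/, so hiding the number is no substitute for updating.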


Removing the tag is easy, but you need to make one more change. The readme.html file in your WordPress root also advertises the version to the world. You can delete it, but note that every core update puts it back, so blocking web access to it is the more durable fix.
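One way to block the file instead of deleting it, as an added example that is not part of the original post. It assumes Apache 2.4 with AllowOverride AuthConfig enabled for the site and goes in the root .htaccess:

```apache
# Added example, not from the original post: deny web access to readme.html
# in the WordPress root so the next core update cannot re-expose the version.
# Apache 2.4 syntax; the vhost's AllowOverride must include AuthConfig.
<Files readme.html>
    Require all denied
</Files>
```

Check it by requesting https://domain.com/readme.html: you should get a 403 instead of the page.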

#3. Rename your WordPress table prefix

If you installed WordPress with the default options, your tables are named wp_posts, wp_users and so on. Change the prefix (wp_) to a random string so that copy-and-paste SQL injection payloads written against the default names fail. The Change DB Prefix plugin lets you rename the prefix to any other string with a click. Understand that this is only a minor hurdle: an attacker who can already run arbitrary SQL can read your table names from information_schema, so it never replaces patching the injection bug itself.
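As an added example (not code from the original post, and not the Change DB Prefix plugin's code), here is what a prefix change has to do under the hood. The part people get wrong when doing it by hand is that the prefix is also stored as data in wp_options and wp_usermeta, and a plain RENAME TABLE leaves those untouched, locking every user out of the dashboard. The database credentials and the new prefix a8f3k_ are constructed values; take a backup and put the site in maintenance mode before running anything like this.

```php
<?php
// Added example, not from the original post. Assumes MySQL/MariaDB reachable
// with the constructed credentials below, a fresh backup, and an offline site.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any SQL error

$old = 'wp_';
$new = 'a8f3k_'; // constructed example prefix; generate your own random one

if (!preg_match('/^[a-z0-9_]+$/', $new)) {
    die("Prefix must be lowercase letters, digits and underscores only\n");
}

$db = new mysqli('localhost', 'wp_user', 'wp_pass', 'wordpress'); // assumed credentials

// In a LIKE pattern '_' matches any single character, so 'wp_%' would also
// match a table called 'wpx'. Escape it to match the literal prefix only.
$oldLike = str_replace(['_', '%'], ['\\_', '\\%'], $old);
$cut     = strlen($old) + 1; // SUBSTRING() is 1-based

// 1. Rename every table that carries the old prefix.
$tables = [];
$res = $db->query("SHOW TABLES LIKE '{$oldLike}%'");
while ($row = $res->fetch_row()) {
    $tables[] = $row[0];
}
foreach ($tables as $t) {
    $target = $new . substr($t, strlen($old));
    $db->query("RENAME TABLE `{$t}` TO `{$target}`");
    echo "renamed {$t} -> {$target}\n";
}

// 2. The prefix is also stored as DATA, which RENAME TABLE does not touch.
//    Without these two updates every user loses their role and WordPress
//    answers "Sorry, you are not allowed to access this page."
$db->query("UPDATE `{$new}options`
            SET option_name = CONCAT('{$new}', SUBSTRING(option_name, {$cut}))
            WHERE option_name LIKE '{$oldLike}%'");   // e.g. wp_user_roles

$db->query("UPDATE `{$new}usermeta`
            SET meta_key = CONCAT('{$new}', SUBSTRING(meta_key, {$cut}))
            WHERE meta_key LIKE '{$oldLike}%'");      // e.g. wp_capabilities

$db->close();
echo "Now set \$table_prefix = '{$new}'; in wp-config.php\n";
```

After the script finishes, edit wp-config.php so $table_prefix matches, flush any object cache, and log in to confirm your administrator role survived; if it did not, step 2 is what went wrong.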

#4. Update WordPress Regularly

Keeping WordPress up to date is the most basic security tip for any blogger, and the one you must never skip.

Every WordPress release fixes bugs and adds features, but most importantly it closes security holes. Once a fix is public, attackers diff the release and build exploits for the sites that lag behind, so the window between a release and an update should be as short as possible.

When you see the message "WordPress x.x.x is available!" in your dashboard, update it.

Nowadays, with one-click updates, upgrading takes a minute. Since WordPress 3.7 minor security releases install themselves automatically by default; leave that on, and consider enabling automatic major updates too with the WP_AUTO_UPDATE_CORE constant in wp-config.php. Do the same for themes and plugins, which cause far more compromises than core does, and delete any plugin or theme you no longer use: inactive code is still on disk and still reachable over the web.

#5. Hide The Plugins Directory

Your plugins folder, /wp-content/plugins/, should not show a listing of the folders and files inside it. That list tells an attacker exactly which plugins you run, and each plugin's readme.txt then tells them which version.

Try visiting your plugins folder (replace domain.com with your domain name):

  • domain.com/wp-content/plugins/

If you see a list of folders and files, you need to hide them.

WordPress ships an empty index.php in that folder for exactly this reason, so a listing usually means the file has gone missing. To turn listings off regardless, create a new .htaccess file with the following content and drop it in your plugins directory:

# Disable directory listing in /wp-content/plugins/
# "Options -Indexes" needs AllowOverride Options and "IndexIgnore *" needs
# AllowOverride Indexes; shared hosts usually permit at least one of the two.
Options -Indexes
IndexIgnore *

If the directory starts returning 500 errors after this, your host forbids Options in .htaccess: delete that line and keep IndexIgnore, which hides every entry from the listing instead. The main-site rewrite rules (RewriteRule . /index.php) do not belong in this file; they do nothing for listings and only send missing files to WordPress. Also note that this hides only the listing. Anyone can still request /wp-content/plugins/<plugin>/readme.txt directly, and scanners do exactly that, so keep plugins updated rather than relying on this.

#6. Secure your WordPress login page

Your WordPress login page (wp-login.php) is reachable by the whole world, and automated bots hammer it with password guesses around the clock. To keep unauthorized users out, take these three steps:

  1. Password protect with .htaccess –  Put a second username and password on the wp-admin folder, enforced by the web server in addition to your regular WordPress credentials. An attacker then has to break HTTP authentication before they ever reach the dashboard. Note that admin-ajax.php inside that folder is also used by many themes and plugins for logged-out visitors, so you must exempt it or your front end breaks.
  2. Google Authenticator –  This plugin adds two-step verification to your WordPress website, like the one on your Google account: you enter your password and then a time-based code generated on your smartphone. A stolen or guessed password alone is then not enough to log in.
  3. Password-less login – The Clef plugin let you log into your blog by scanning a QR code with your phone and end the session remotely from the phone itself. Clef shut down in 2017, so do not install it today; use a two-factor plugin instead.
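For step 1, here is a working /wp-admin/.htaccess as an added example (not part of the original post). It assumes Apache 2.4 with AllowOverride AuthConfig enabled for the site, and a password file created outside the web root; the path and username are constructed for the example.

```apache
# Added example, not from the original post: /wp-admin/.htaccess that puts
# HTTP Basic authentication in front of the WordPress dashboard.
# Create the password file first, outside the web root (path is an example):
#   htpasswd -c /etc/apache2/wp-admin.htpasswd karan
AuthType Basic
AuthName "Restricted area"
AuthUserFile /etc/apache2/wp-admin.htpasswd
Require valid-user

# admin-ajax.php is called by themes and plugins on behalf of anonymous
# visitors (search, contact forms, infinite scroll), so it must stay public.
# The more specific <Files> section replaces the Require above for this file.
<Files admin-ajax.php>
    Require all granted
</Files>
```

This protects the dashboard but not the login form itself, because wp-login.php lives in the site root, not in wp-admin. To cover it too, put the same four Auth* lines inside a <Files wp-login.php> section in the root .htaccess. Test from a logged-out browser that the home page, search and any AJAX-driven widgets still work before you call it done.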
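Two small PHP-side hardenings complement the three steps above. This is an added example, not code from the original post; it uses only core WordPress filters and goes in the theme's functions.php or an mu-plugin.

```php
<?php
// Added example, not from the original post.

// By default a wrong username and a wrong password give different messages
// ("Unknown username" vs "The password you entered for the username X is
// incorrect"), which confirms valid usernames to an attacker. Return one
// generic message for every failure.
add_filter('login_errors', function ($errors) {
    return 'Invalid username or password.';
});

// xmlrpc.php accepts logins too, and its system.multicall method lets a single
// HTTP request try hundreds of passwords, bypassing per-request lockouts.
// Disable XML-RPC unless something needs it. Note that Jetpack (tip #1) and
// the WordPress mobile apps depend on it, so pick one or the other.
add_filter('xmlrpc_enabled', '__return_false');
```

The login_errors filter also rewrites the error messages on the lost-password form, so test that flow after adding it. If you keep Jetpack, leave XML-RPC on and rely on the two-factor plugin and HTTP authentication instead.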

About the author

Karan Arya

Karan Arya is a Mechanical Engineer, founder, and author of Minidea. He's a blogging enthusiast and very fond of coding. He's been blogging since 2016 and has learned so many interesting things pertaining to blogging, SEO, and online earning. He has launched this blog to cover blogging related topics.
