Using WordPress as a blogging or content management platform makes changing web content easy for users who don’t necessarily have experience with coding or HTML. This is one of the great strengths of WordPress and a primary reason why I use it for building almost all of my new websites for clients.
However, along with this convenience comes the potential for breaches of the site’s security. Thankfully, there are a number of things we can do to mitigate the risk of our site being hacked.
In addition to keeping your WordPress core version and plugins current, here are a few ways to improve your WordPress blog or website’s security:
1. Install the Wordfence Security Plugin
If you do nothing else, at the very least install the Wordfence security plugin on your site. This plugin offers both free and premium features, but has fantastic functionality for non-paying users.
The plugin has lots of great protection options including a firewall, IP blocking, IP whitelist, login protection and a real-time network that tracks attacks on other sites to help protect yours. This plugin is still actively being developed and new features are released regularly.
2. Install WordPress in a Sub-Directory
Automated attacks will usually look for your WordPress files in the root directory, so keeping your files outside this folder is a good idea. It’s easy to make WordPress run from another sub-directory. Simply copy your index.php and the .htaccess file from your WordPress install and place them in the root directory. Open up the newly copied index.php in the root and change the line that says require('./wp-blog-header.php'); to require('./your-sub-directory/wp-blog-header.php');. Then finally, change your WordPress Blog address in the Settings -> General section of your admin to the root directory (e.g. http://mydomain.com).
Your WordPress install will now act as if it is located in the root directory!
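As an added example that is not part of the original post, here is a small POSIX shell script that performs the copy-and-edit steps above. The web root and the sub-directory name are passed as arguments (hypothetical values; the built-in demo uses a constructed directory tree under a temporary folder, not a real site). It handles both the older require('./wp-blog-header.php'); line quoted above and the require __DIR__ . '/wp-blog-header.php'; form found in newer index.php files, and copies .htaccess only if one exists.

```shell
#!/bin/sh
# Added example: relocate a WordPress install into a sub-directory by
# copying index.php (and .htaccess, if present) to the web root and
# pointing the copied index.php at the sub-directory.
# Usage: sh move_wp.sh /path/to/docroot blog   (paths are hypothetical)
set -eu

# Rewrite the require line of a copied index.php so it loads
# wp-blog-header.php from $2 instead of the current directory.
# $1 = path to the copied index.php, $2 = sub-directory name
rewrite_index() {
  file=$1; subdir=$2
  sed \
    -e "s#require( *'\./wp-blog-header\.php' *);#require('./$subdir/wp-blog-header.php');#" \
    -e "s#require __DIR__ \. '/wp-blog-header\.php';#require __DIR__ . '/$subdir/wp-blog-header.php';#" \
    "$file" > "$file.tmp"
  mv "$file.tmp" "$file"
}

# Return 0 when $1 already references wp-blog-header.php inside $2.
verify_index() {
  grep -q "/$2/wp-blog-header\.php" "$1"
}

# Copy index.php and .htaccess from docroot/subdir to docroot, then
# rewrite the copied index.php.
# $1 = web root, $2 = sub-directory holding the WordPress files
move_to_subdir() {
  docroot=$1; subdir=$2
  cp "$docroot/$subdir/index.php" "$docroot/index.php"
  # A fresh install may have no .htaccess yet; copy it only if present
  if [ -f "$docroot/$subdir/.htaccess" ]; then
    cp "$docroot/$subdir/.htaccess" "$docroot/.htaccess"
  fi
  rewrite_index "$docroot/index.php" "$subdir"
  verify_index "$docroot/index.php" "$subdir"
}

if [ "${1:-demo}" = demo ]; then
  # Demo on a constructed tree (not a real WordPress site)
  demo_root=$(mktemp -d)
  mkdir "$demo_root/blog"
  printf "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n" > "$demo_root/blog/index.php"
  printf 'RewriteEngine On\n' > "$demo_root/blog/.htaccess"
  move_to_subdir "$demo_root" blog
  echo "Rewritten $demo_root/index.php:"
  cat "$demo_root/index.php"
  rm -rf "$demo_root"
else
  move_to_subdir "$1" "$2"
fi
```

The script only touches files; the WordPress address change in Settings -> General described above is still done in the dashboard, and it is worth re-checking that the root index.php loads the site before removing any backup copies.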
3. Remove the user “Admin”
The default username for the administrator account is “Admin”. Most automated attacks on WordPress installs will attempt to log in with this username as many users never change it to something else. It’s best practice to not use this username at all and change it to, well, pretty much anything else.
4. Use a Strong Password
If possible, be sure to set a strong password on your admin account. I know it’s tough remembering those complex generated passwords, so using a password manager like LastPass can be incredibly helpful. LastPass will help you generate a strong password for any of your web logins (not just WordPress!) and will ensure you have it available when you need it.
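As an added example that is not part of the original post, the following POSIX shell snippet generates a random password from /dev/urandom and checks it against a simple policy. The 16-character minimum and the three-of-four character-class rule are assumptions chosen for this example, not a WordPress or LastPass requirement; a password manager does the same job more conveniently, but this shows what "strong" means in measurable terms.

```shell
#!/bin/sh
# Added example: generate a random password and check it against a
# length/character-class policy (thresholds are assumptions for this demo).
set -eu

# Print a random password of $1 characters (default 24) drawn from
# letters, digits and a handful of punctuation characters.
gen_password() {
  n=${1:-24}
  LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*_+=-' < /dev/urandom | head -c "$n"
  printf '\n'
}

# Return 0 when $1 is at least 16 characters long and uses at least three
# of the four classes: lowercase, uppercase, digit, other.
check_password() {
  pw=$1
  [ "${#pw}" -ge 16 ] || return 1
  classes=0
  for pattern in '[a-z]' '[A-Z]' '[0-9]' '[^A-Za-z0-9]'; do
    if printf '%s' "$pw" | LC_ALL=C grep -q -e "$pattern"; then
      classes=$((classes + 1))
    fi
  done
  [ "$classes" -ge 3 ]
}

candidate=$(gen_password 24)
if check_password "$candidate"; then
  echo "generated: $candidate (passes policy)"
else
  # Rare with 24 random characters, but possible: just generate again
  echo "generated: $candidate (fails policy, regenerate)"
fi
```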
5. Log In Securely
Setting up SSL (encrypted login) for your average WordPress site may be a little overkill in terms of security. But if you access your admin area from public WiFi areas, it would be nice to know your login credentials are protected. Well, thankfully there is a simple solution. Wpengine.com, a hosting company that specializes in WordPress, offers a free service called MIXBOARDPORTALPANELPRESS which allows you to log in securely to your own site after installing their free plugin. This is a quick and easy way to ensure your logins are as secure as possible.