In this tutorial I will teach you every possible way of securing your WordPress website. By following my steps hackers will never be able to gain access to your WordPress website.

Why secure your WordPress Website?

Millions of people use WordPress as their number one choice for developing their website or blog. This makes it a major target for hackers. If left unsecured, your WordPress site can be exposed quite easily by methods such as brute force login attacks or access through insecure code developed by third parties. In April of 2013 over 90,000 WordPress sites were targeted by hackers, and today I am going to show you the right way to secure and protect your WordPress site.

Be careful before installing any WordPress Plugin

I always make sure to read reviews about plugins before installing them. If you want to keep your WordPress site secure, do not install a plugin just because it does the job. Take your time and read some reviews about other people's experiences with third-party plugins. Some plugins break your site's CSS, and others, even if kept up to date, can open a security loophole in your site that can easily be exploited by hackers. I normally have a backup domain that I use specifically to test plugins for performance and security. The plugin must pass both tests before I install it on my main site. If the plugin does the job but breaks my security, I stay away from it and look for a competing plugin that does the job.

Keep your WordPress site and Plugins up to Date

It is imperative that you always have the latest version of WordPress installed, as hackers feed on the loopholes of previous WordPress versions. WordPress automatically alerts you when an update has been made available, so always be on the lookout. Every time WordPress releases a new version they fix previously known bugs. These fixes help make your WordPress site more secure, so do not be lazy: install the latest version as soon as it comes out. The same applies for plugins.
Always update your plugins as soon as a new update is released. There is no excuse for not updating your plugins, as the process is extremely easy and automated. You can even update all your plugins at once automatically.

Protect your WordPress Admin Panel

There are two ways to protect your WordPress Admin Panel area. For those of you who only access your WordPress admin area from home or work, you can add the following code below to your .htaccess file. The code simply allows you to deny IP addresses access to your admin area and allow other IP addresses access. In the code below you can add as many IP addresses as you wish.

If you are someone who likes to access your admin area on the go, I would suggest using a lovely plugin called Limit Login Attempts. This is personally one of my favorite plugins, which I install on all my WordPress sites. The plugin limits the number of login attempts made to your site from a single IP address. It detects if a brute force attack is taking place and denies the user access after a few failed attempts.

To install this plugin navigate to Plugins >> Add new and search for Limit Login Attempts. Install and activate the plugin. Once activated, navigate to Settings >> Limit Login Attempts, where you are able to configure the plugin. I normally set it to lock the user out for 60 minutes after 3 failed attempts. Make sure you tick the "email any lockouts to admin" option. This way you will be notified which IP address has had 3 unsuccessful attempts. You can then block their IP address from your .htaccess file.

Avoid using the admin username

This is the most obvious username to use ever! Even your great grandma who knows nothing about computers would be able to hack your WordPress site if your username was 'admin'. What I am basically trying to say is avoid the admin username at all costs. This does not mean that you should use usernames such as 'username' or 'administrator' either. Nice try. Choose a username that is unique to you.
Choose a username that is personal to you and one that cannot be easily guessed.

Always choose strong passwords

I cannot emphasize enough the importance of this step. All I can say is that there are tons of websites out there that can generate a strong password for you. Visit them by typing "strong password generator" into Google. Once you generate a strong password, save a copy somewhere. A WordPress site that uses a strong password is 100% less likely to get hacked than one that does not. I made up the maths but it makes sense!

Use two-factor Authentication

Two-factor authentication is the best way to protect your WordPress site from brute force login attacks. I normally use a plugin called Google Authenticator because it is so easy to use and reliable. To install this navigate to Plugins >> Add New and install Google Authenticator.

Next you will need to install the mobile app version of this plugin. It is available on all mobile platforms. As a proud owner of an iPhone I will demonstrate using an iPhone. To do this go to your App Store and install the Google Authenticator app. If you use an Android phone install it from Google Play. After installation is complete open the app and click on scan bar code.

The next step is to go to your WordPress admin panel and navigate to your user profile. You will notice there is a new option for Google Authenticator. Give your authentication a description so it can be recognized by your app and scan the bar code. Now every time you log in to WordPress you will need to access the app to grab the passcode. This changes every 4 minutes if you tick the relaxed mode option. From experience I can honestly advise you that this method is one of the most important methods to secure your WordPress website.

Protect your computer by using Anti-virus software

If your computer is safe then your WordPress site will remain safe.
There is not much to add here other than to warn or politely advise that you should use anti-virus software to protect your computer from malicious attacks. If someone gains access to your computer they may be able to gain access to your WordPress login details if they are stored in Notepad or Word. Run virus scans on a regular basis to ensure there is no malware found. This step is just as important as any other step and is sometimes taken for granted. I assure you that if your computer is hacked your WordPress site will follow, so please take this seriously.

Host your WordPress site with a Secure Hosting Provider

If your hosting provider is not so secure then neither is your WordPress site. Take time to choose the best hosting provider. Look for factors such as whether they provide an intrusion detection system, a firewall, or the latest PHP and MySQL versions. There is no point in joining a hosting provider just because they are cheap if they offer none of the security services.

If you are not on the latest PHP version, get in touch with your host provider and they should be able to take care of that. Here is a conversation I had with my host provider webintellects.com when I asked them what PHP version my website is hosted on. It turns out I was on PHP 5.2 while 5.4 was out. They were extremely helpful and offered to migrate my hosting space on to the latest version of PHP free of charge. What's better is that the WordPress migration is apparently seamless. However, bear in mind your site may be down for 4-6 hours while the migration takes place, but that is a small price to pay compared to your site being vulnerable to a hack attack.

Conclusion

We have learned all the right ways of securing your WordPress site. Now it is down to you to follow the steps outlined in this article to protect your WordPress site. Please use the comment section below for any questions.