WordPress is the most widely used open-source platform today for any type of website: a blog, a CMS or a custom solution. WordPress is written in PHP (with JavaScript, HTML and CSS on the front end), so as a PHP developer I always apply a set of tips to secure and speed up the sites I develop. In this WordPress tutorial you will find tips and tricks for securing and optimizing your WordPress blog.

 

This section covers tips for securing your WordPress site: protecting files, restricting logins, restricting the WordPress admin, protecting the database, and so on.

 

Tip 1: Stay Updated

The most important tip for securing a self-hosted WordPress site is also the most obvious one: WordPress ships updates with security fixes all the time. When the notification appears in the admin panel, don't ignore it. Updating is the single most effective way to protect your site from attack, and yet many people leave their site (and their clients' sites) un-updated for fear of breaking their themes or plugins.

Here's the real tip, though: if your themes and plugins don't work with the latest version of WordPress, they probably weren't very secure to begin with.

Tip 2: Create Custom Secret Keys for Your wp-config.php File

All of the confidential details for your WordPress site (database credentials, secret keys and salts) are stored in wp-config.php in your WordPress root directory. The secret keys are used to sign login cookies and nonces, so make sure you replace the default placeholder values with long random ones.

If you are not sure what to put there, go to this link and it will generate random keys for you. Note that changing the keys invalidates every existing login cookie, so all users (including you) will have to log in again.
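As an added example (not code from the original article), the script below generates a fresh set of the eight `define()` lines locally with PHP's CSPRNG and checks an existing wp-config.php for the stock placeholder or for suspiciously short values. The file path argument and the 32-character minimum are my own assumptions.

```php
<?php
// Added example, not from the original article: generate wp-config.php secret
// keys locally and check an existing config for the default placeholder.
// Requires PHP 7+ for random_bytes().

const WP_SECRET_KEYS = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// Returns the eight define() lines with 32 random bytes each, hex-encoded
// so the value is safe inside a single-quoted PHP string.
function generate_wp_secret_keys(): string
{
    $lines = [];
    foreach (WP_SECRET_KEYS as $name) {
        $value = bin2hex(random_bytes(32)); // 64 hex chars from the OS CSPRNG
        $lines[] = sprintf("define('%s', '%s');", $name, $value);
    }
    return implode("\n", $lines) . "\n";
}

// True if the config still carries the stock placeholder, is missing one of
// the eight keys, or uses a value shorter than 32 characters (assumed floor).
function wp_config_has_weak_keys(string $config): bool
{
    if (stripos($config, 'put your unique phrase here') !== false) {
        return true;
    }
    foreach (WP_SECRET_KEYS as $name) {
        // Match define('NAME', '<value>'); the leading quote keeps AUTH_KEY
        // from matching inside SECURE_AUTH_KEY.
        $pattern = "/define\(\s*'" . $name . "'\s*,\s*'([^']*)'\s*\)/";
        if (!preg_match($pattern, $config, $m) || strlen($m[1]) < 32) {
            return true;
        }
    }
    return false;
}

// Usage: php keys.php /path/to/wp-config.php
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $config = file_get_contents($argv[1]);
    if ($config === false) {
        fwrite(STDERR, "cannot read {$argv[1]}\n");
        exit(1);
    }
    if (wp_config_has_weak_keys($config)) {
        echo "Default or missing secret keys found; replace them with:\n";
        echo generate_wp_secret_keys();
    } else {
        echo "Secret keys look customised.\n";
    }
}
```

Paste the generated lines over the existing eight `define()` calls; because every cookie is signed with these values, doing so logs every user out, which is also the quickest way to kill stolen sessions after a compromise.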

Tip 3: Change the Database Prefix

 

A lot of the basic setup for WordPress is the same across many sites, especially if you use a one-step install wizard through your web host. This is convenient, but it means common setup values such as the database table prefix are known to attackers as well. If you keep the default `wp_` prefix, the table names of your database are trivially known to anyone attacking your site, which makes a SQL injection in a vulnerable plugin easier to exploit. Set `$table_prefix` in wp-config.php to something else before installing; on an existing site the tables themselves have to be renamed as well.
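As an added example (not code from the original article), the script below moves an existing WordPress database to a new prefix. Renaming the tables alone is not enough: the prefix is also stored as data in the `{prefix}user_roles` option and in the `{prefix}capabilities` / `{prefix}user_level` usermeta keys, and skipping those leaves every account without a role. The PDO connection details and the new prefix `k3x9_` are placeholders.

```php
<?php
// Added example, not part of the original article: migrate an existing
// WordPress database from one table prefix to another. Assumes PDO/MySQL;
// DSN and credentials below are placeholders. Back up the database first,
// and set $table_prefix in wp-config.php to the new value once this has run.

function wp_tables_with_prefix(PDO $db, string $prefix): array
{
    // Escape LIKE wildcards that may appear in the prefix itself ('_').
    $stmt = $db->prepare('SHOW TABLES LIKE ?');
    $stmt->execute([addcslashes($prefix, '%_') . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function migrate_table_prefix(PDO $db, string $old, string $new): array
{
    foreach ([$old, $new] as $p) {
        if (!preg_match('/^[A-Za-z0-9_]+$/', $p)) {
            throw new InvalidArgumentException("bad prefix: $p");
        }
    }
    $tables = wp_tables_with_prefix($db, $old);
    if (!in_array($old . 'options', $tables, true) || !in_array($old . 'usermeta', $tables, true)) {
        throw new RuntimeException("no WordPress tables with prefix $old");
    }

    // 1. Fix the prefix stored as data while the tables still have their old
    //    names. user_roles is the only core option name that carries the prefix;
    //    other options starting with "wp_" (e.g. wp_page_for_privacy_policy) are
    //    literal names, so the options table must not be blanket-renamed.
    $db->prepare("UPDATE `{$old}options` SET option_name = ? WHERE option_name = ?")
       ->execute([$new . 'user_roles', $old . 'user_roles']);
    $from = strlen($old) + 1; // SUBSTRING() is 1-based
    $db->prepare("UPDATE `{$old}usermeta` SET meta_key = CONCAT(?, SUBSTRING(meta_key, $from)) WHERE meta_key LIKE ?")
       ->execute([$new, addcslashes($old, '%_') . '%']);

    // 2. Rename every table carrying the old prefix. RENAME TABLE is DDL and
    //    commits implicitly in MySQL, which is why the data fixes ran first.
    $done = [];
    foreach ($tables as $table) {
        $target = $new . substr($table, strlen($old));
        $db->exec("RENAME TABLE `$table` TO `$target`");
        $done[] = "$table -> $target";
    }
    return $done;
}

if (PHP_SAPI === 'cli') {
    // Placeholder connection details; take the real ones from wp-config.php.
    $db = new PDO('mysql:host=localhost;dbname=wordpress;charset=utf8mb4', 'wpuser', 'wppassword');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    foreach (migrate_table_prefix($db, 'wp_', 'k3x9_') as $line) {
        echo $line, "\n";
    }
}
```

Run it while the site is in maintenance mode, then change `$table_prefix = 'wp_';` to the new value in wp-config.php; until that edit is made WordPress will report that the installation needs to be set up, because it can no longer find its tables.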

Tip 4: Protect Your wp-config.php File

As mentioned earlier, the wp-config.php file contains all the confidential details of your site, so it is important to protect it. An easy way to do this on Apache is to place the following block in the .htaccess file in your WordPress root. The `order`/`deny` syntax is for Apache 2.2; on Apache 2.4 use `Require all denied` inside the same `<Files>` block. On nginx, .htaccess files are ignored and the equivalent is a `location` rule that denies the file.

 

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Tip 5: Protect Your .htaccess File

We can protect the wp-config.php file as shown above, but what about protecting the .htaccess file itself? The same .htaccess file can be used to deny web access to itself. Just add the block below to it.

 

<Files .htaccess>
order allow,deny
deny from all
</Files>

Tip 6: Hide Your WordPress Version

Another good idea is to remove the generator meta tag, which advertises the exact WordPress version in the HTML head. If the version is visible, an attacker can simply look up the published vulnerabilities for that release. If you absolutely cannot update WordPress (tip #1), this at least hides the fact that you're on an old version. Treat it as obscurity rather than a fix, though: the version also leaks through readme.html in the web root and through the `?ver=` query strings WordPress appends to its scripts and styles.

To do this, place the code below in functions.php of your active theme.

 

[php]

// wp_generator() is hooked on wp_head and prints the version meta tag;
// unhooking it removes the tag from every page.
remove_action('wp_head', 'wp_generator');

[/php]

You can go one step further and additionally remove it from RSS feeds using this:

[php]

// The RSS/Atom feeds print the version through the_generator(); returning an
// empty string from its filter blanks it there (and in the HTML head as well).
add_filter('the_generator', '__return_empty_string');

[/php]

 

Tip 7: Install WordPress Security Scan Plugin

This plugin scans your WordPress installation and gives suggestions accordingly. It checks the following:

 

  • Passwords
  • File Permissions
  • Database Security
  • WordPress Admin protection

 

Download the plugin from here.

 

Tip 8: Limit The Number of Failed Login Attempts

This plugin limits the number of failed login attempts per client, which is useful when someone is trying to guess your password manually or with a bot. Without a limit, wp-login.php (and XML-RPC, which accepts credentials too) will happily accept thousands of guesses per minute.

 

You can download the plugin from here.
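To show what such a plugin does under the hood, here is an added example (my own code, not the plugin linked above) of a minimal must-use plugin that locks a client address out for fifteen minutes after five failed logins, using WordPress transients as the counter store. The thresholds, the `ll_` prefix and the assumption that `REMOTE_ADDR` holds the real client address are mine.

```php
<?php
/**
 * Plugin Name: Minimal Login Lockout (added example)
 * Description: Added example, not the plugin the article links to. Locks a
 * client IP out for LL_LOCKOUT_SECONDS after LL_MAX_ATTEMPTS failed logins.
 * Place this file in wp-content/mu-plugins/ so it loads without activation.
 *
 * Assumes the server sees the real client address in REMOTE_ADDR. Behind a
 * reverse proxy or CDN you must derive the address from the proxy's trusted
 * header instead, otherwise every visitor shares one counter.
 */

const LL_MAX_ATTEMPTS    = 5;
const LL_LOCKOUT_SECONDS = 15 * 60;

// Transient names have a length limit, so hash the address rather than embed it.
function ll_client_key(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'll_fail_' . md5($ip);
}

// Count a failure. This fires for wrong passwords and unknown usernames alike,
// so the attacker learns nothing about which of the two happened. The TTL is
// refreshed on every failure, so hammering the form extends the lockout.
add_action('wp_login_failed', function ($username) {
    $key      = ll_client_key();
    $attempts = (int) get_transient($key) + 1;
    set_transient($key, $attempts, LL_LOCKOUT_SECONDS);
});

// Refuse authentication once the threshold is reached. Priority 30 runs after
// WordPress's own username/password checks (priority 20), and the error is
// returned regardless of $user, so a correct guess during the lockout still fails.
add_filter('authenticate', function ($user, $username, $password) {
    if ($username === '' && $password === '') {
        return $user; // plain page load of wp-login.php, not a login attempt
    }
    $attempts = (int) get_transient(ll_client_key());
    if ($attempts >= LL_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            sprintf(__('Too many failed logins. Try again in %d minutes.'), LL_LOCKOUT_SECONDS / 60)
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(ll_client_key());
}, 10, 2);
```

Because the `authenticate` filter runs for every credential check, the lockout also covers XML-RPC and the REST cookie flow, not just the login form. Two caveats a real plugin handles: on a multi-server install the transient must live in a shared object cache rather than per-server, and a per-IP counter does nothing against a distributed attack, which is why pairing it with strong passwords (tip 10) matters.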

 

Tip 9: Ask Apache Password Protect

Here is one more good plugin, provided by AskApache, which gives you more control over your blog's security.

In a few easy steps you can put the login and admin area behind HTTP authentication, so that unauthenticated requests are answered with 401 Unauthorized before they ever reach WordPress. All of this is managed from the WordPress admin panel.

You can download this plugin from here.

 

Tip 10: Don’t Use “admin” As Your Username (and Pick Strong Passwords)

This one's perhaps the easiest of them all. WordPress used to set up your main account with the username "admin", so it is usually the first username an attacker tries. As of version 3.0 you can choose a different name during the initial setup, but it's easy to forget that you can still fix it on a site set up before 3.0. WordPress does not let you rename an existing account from the profile screen, so create a new administrator account with a different name, log in as that user, and delete "admin", attributing its posts to the new account.

Additionally, picking strong passwords for all of the users on your blog (and for your MySQL database) is a fundamental way to boost your security. Use the Strong Password Generator if you can't come up with one on your own.

 

Tip 11: Last but not Least, Backup!

I have placed backup last, but don't consider it less important. Regular backups of your site (both the files and the database) will do more for your peace of mind than anything above, because they are what you restore from once a compromise has happened. There are several WordPress plugins that manage backups for you. Whichever you use, store the copies somewhere other than the web server itself, and test a restore at least once; a backup you have never restored is only a hope.

Here are some free plugins for WordPress backup.

But if you are more serious about backing up your blog, you should go with a paid solution.

 

Many people have websites (for their businesses as well as for personal use) and many people have blogs. The issue is whether people truly understand the difference between a website and a blog. They certainly are not the same thing.

The following explains the basic differences between a blog and a website:

Blog

  •      Content is regularly updated.
  •      Not formal.
  •      Interactive.
  •      Informative and educational.
  •      Interactivity about industry/customer issues.
  •      Some people have a blog.

Website

  •      Content is static.
  •      Formal/professional.
  •      Interactivity does not exist. There is only one-way communication.
  •      Transactional.
  •      Communication about products and/or services.
  •      Almost everyone has a website. In fact, it is almost a requirement in business today.

A good way to think about a website is in terms of it being a virtual store that sells products and/or services. A website is the perfect forum to self-promote and advertise. Promotion and buying and selling are exactly what people expect when they visit a website. When they are at the point of making a purchase of some kind, they go to a website that will satisfy their needs.

It is also basically impossible to build relationships with your potential customers and existing customers on your website because the website is static. Once a person has purchased something from you, there is no potential for interactivity so the relationship will never have a chance to develop and grow.

Blog

A blog, however, constantly supplies potential and existing customers with interesting and useful content, and it enables them to interact with the blogger; the discussions they have together can be potentially unending. Not only can you and your customers have discussions, but they can also ask questions that you can answer.

Blogs have a lot of useful features that are very helpful in promoting interactivity. Blogs enable visitors to subscribe to them so they can receive updates on a very regular basis. They will always be informed when new content is added or there has been some update to the social media profiles of the people with whom they interact.

The true purpose of a blog is to provide helpful, valuable, informative and interesting content that helps other people and that they find interesting. A blog’s purpose is definitely not to advertise or to do a hard sell on anyone. If you try to use your blog in that way, you will be very disappointed with the results. You will not be able to build relationships with anyone and you most likely won’t sell very much. People don’t buy from people whom they don’t trust. The only way that they will trust you is if they get to know you.

All in one

One approach that has proven very effective is building your website with blog software, such as WordPress. Blog software has the capability of providing you with both static web pages (pages) and blog pages (posts). Since both are necessary for the success of your online exposure, this allows you to design a web presence that contains a traditional website and a blog using one tool. Among the other benefits are:

  •      One homogenous look and feel.
  •      Ease of optimization for SEO.
  •      Sharing of add-on plugins between the pages and posts.
  •      Ease and speed of designing and developing the web presence.
  •      Ease of maintenance and updating of content since the entire web infrastructure is based on a content management system (CMS).