Enhancing the WordPress security is an essential step in the creation of your secure WordPress blog. First of all you should know that 100% secure WordPress Blog or 100% security does not exist on the Internet nor in any field. Often when these problems occur we tend to think that the host is responsible, but its not. The host is a bit like the owner of a building who rents apartments. It will ensure that the amenities of bases related to the proper functioning of all are respected, but it can not be held responsible if you lose your keys or if you do not have a alarm system.
You still need to know that WordPress is very safe content management software but even this system can be hacked so thats why you need to secure WordPress blog. The problem of hacking is endless and unfortunately I found that on hard way because few weeks ago, my blog was hacked. And because no one is safe I’ll give you some tips which you can apply in order to have secure WordPress blog against attacks. This will also involve some plugins installation, but don’t worry all of them are free except the last two which are with good reasons payable options. Now, let’s begin with this list.
1. Password management
WordPress installation need 3 types of passwords: one for FTP, one for database, and one to connect to the WordPress admin section. It is obvious that most of these passwords are transferred between many people and with that the risks of getting hacked because of lost password are incresed. Tip: If one of your colleagues, employees, vendors terminates its relationship with your project, change these passwords. Also in order to secure WordPress blog, make sure you use strong passwords which include uppercase, lowercase, numbers, special characters…
2. Change the login name of “admin” account
After installation, a user “admin” is created with maximum permissions. It is inadvisable to use this profile, and it is better to create a new account with the administrator role and then simply remove the Admin user profile. Be sure to choose a complex username and password for your account.
Secure WordPress blog with new admin role username
3. Masquer plugins
If you specify what plugins and their versions you use, you potentially have a security problem. A simple way to hide your plugins and secure WordPress blog is to place an empty file inside your /Plugins/ folder located at “wp-content/plugins/index.html” or place the following line in the .htaccess file located in the root of your site:
Options All -Indexes
4. Hide the WordPress version you are using
Most WordPress themes add a meta tag containing the installed version of WordPress. Every secure WordPress blog can not contain this information’s and in order to hide it, you can edit the header.php file of your theme and delete the row displaying this information:
<meta name=”generator” content=”WordPress <?php bloginfo(’version’); ? />” />
If you are not familiar with PHP and HTML code, you can also install the plugin Replace WP version which will do this job for you.
5. Deny access to your wp-config.php file
Secure WordPress blog can’t be imagined without password encryption, and since wp-config.php file contains unencrypted login and password to access your database, you really need to protect it. You can add the following line in the .htaccess file located in the root of your installation:
order allow, deny
deny from all
6. Save your blog and your database
Another thing without which we can not imagine secure WordPress blog are backups. I suggest you do a regular backup of your website so you do not lose your work. Make a copy of your files via FTP and export your database by phpMyAdmin. There are plugins that perform these operations for you, and here are three of them that I suggest and use on most of my secure WordPress blogs:
WP-db-Backup backup the database by email or registration on your server. However it does not back up your files, you must pair it with another utility.
Automatic WordPress Backup automatically backs up your blog and its database.
With Secure WordPress plugin you can secure WordPress blog by deleting alerts on login pages, hiding the WordPress version and much more.
7. Change the prefix of the tables in database
Before starting a new installation you must change the default prefix wp_ in the wp-config.php file. Also if you blog is already installed use plugin such as WP Secure Scan.
Update installed WordPress plugins and also your theme. So watch alerts, updates and do not delay when new updates show up!
9. VaultPress WordPress plugin
I have one final recommendation to sleep peacefully. It is VaultPress plugin developed by Automattic home mother of WordPress. This plugin monthly fee is $15, and once subscribed it will connect to your WordPress servers constantly. The site is regularly scanned and saved. What is interesting is that even if you have done your homework and an incident occurs, you can quickly restore your site with just few clicks. In addition you have access to WordPress engineers and technicians to advise you and guide you on how to proceed.
Regarding comment spam, of course there is also Akismet from Automattic. Note that Akismet is not free now, it will cost you about $5/month for a small business site or blog, but this is a great plugin and very efficient.
11. File transfer
Transferring files to your online account is a common thing to do. However, instead of using insecure FTP, you must use SFTP (Secure FTP). This will create an SSH connection and send all your encrypted files on the server.
Secure WordPress Blog Final Thoughts
The above information should be enough to allow you to create a secure WordPress blog. If you have not implemented all of these things, I invite you to do so now. What other methods do you use to secure WordPress blog?