
How to secure WordPress 3 sites

  1. Backup your site
    It is highly suggested to back up the database regularly, in case the site gets hacked or crashes.
    One way to back up the entire site easily is through a plug-in called “BackWPup”.
  2. Keep your WordPress updated
    You need to keep your site updated in order to have the latest security and bug fixes. Here are the 3 things you need to constantly update whenever an update is available:
    1. WordPress version
    2. Plug-ins
    3. Themes

Here is a plug-in that notifies you whenever there is a new update available: “Update Notifier”.


  3. Choose a strong password
    Using a random mix of numbers, letters, special characters and upper and lower case is a great way to create a strong password.
  4. Choose trusted plug-ins
    When you are looking for plug-ins, make sure to choose the ones that have reliable sources, good reviews, documentation, screenshots and ratings. Also make sure that the plug-in is being updated periodically and is compatible with your current version of WordPress.
  5. Remove unused plug-ins
    Eliminate all unused plug-ins, files and themes by removing them, in order to keep your site clean and organized.
  6. Protect your configuration files
    The “wp-config.php” file is key to your site security and you need to keep it protected.
    1. Protecting it through .htaccess
      Drop the following code beneath all the other rules in your .htaccess file:
      # PROTECT WP-CONFIG
      <Files wp-config.php>
      Order Allow,Deny
      Deny from all
      </Files>

      Check that it didn’t break your website, and also check that the rule is actually working on your website.
      Try to open your wp-config.php through your browser; here is the address:
      If it’s working you will see a 403 Forbidden error, as expected.

    2. Limiting access through file permissions
      Make sure the access permissions on your .htaccess and wp-config.php files on your server are set to 644.
  7. Configuring authentication keys
    We can improve the security of the WordPress user log-in process by setting up the secret keys in the site configuration file. In your wp-config.php file, if you look under the database credentials where it says “Authentication Unique Keys and Salts”, you will see that a freshly installed WordPress doesn’t provide any secret keys, and we need to add our own keys here. The quickest and strongest way to set up the key values is to visit the secret key service provided by WordPress; here is the address:
    Then copy and paste everything into the wp-config.php file, overriding the default code.
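The following is an added example (not code from the post or from WordPress) showing what the secret-key step does and how to verify it: it spots a wp-config.php whose eight keys are still the sample placeholders, generates replacements locally from the operating system's CSPRNG instead of fetching them from the WordPress service, and rewrites only those eight lines. The constant names and the “put your unique phrase here” placeholder are the real ones from wp-config-sample.php; the 32-character minimum and the sample configuration are our own assumptions.

```python
import re
import secrets
import string

# The eight constants WordPress reads from wp-config.php, and the placeholder
# value that wp-config-sample.php ships with.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"
MIN_LENGTH = 32  # our own threshold (assumption); the WordPress service hands out 64-character values

# Characters that can sit inside a single-quoted PHP string without escaping
# (no quote, no backslash).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?,.:;|~"

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\);")


def generate_key(length=64):
    """One key or salt drawn from the OS CSPRNG (secrets), never from random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def fresh_keys():
    """A complete set of eight new values, one per constant."""
    return {name: generate_key() for name in KEY_NAMES}


def weak_keys(wp_config_text):
    """Names of keys that are missing, still set to the sample placeholder, or shorter than MIN_LENGTH."""
    found = {m.group(1): m.group(2) for m in DEFINE_RE.finditer(wp_config_text)}
    return [name for name in KEY_NAMES
            if found.get(name) is None
            or found[name] == PLACEHOLDER
            or len(found[name]) < MIN_LENGTH]


def render_defines(keys):
    """The define() block in the same shape the WordPress secret-key service returns."""
    return "\n".join(f"define('{name}', '{value}');" for name, value in keys.items())


def replace_keys(wp_config_text, keys):
    """Rewrite only the key/salt lines, leaving DB credentials and everything else untouched."""
    def substitute(match):
        name = match.group(1)
        if name in keys:
            return f"define('{name}', '{keys[name]}');"
        return match.group(0)
    return DEFINE_RE.sub(substitute, wp_config_text)


# Constructed sample of a wp-config.php that was never given real keys (demo data).
SAMPLE_CONFIG = """\
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'correct horse battery staple');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
"""

if __name__ == "__main__":
    print("weak before:", weak_keys(SAMPLE_CONFIG))
    fixed = replace_keys(SAMPLE_CONFIG, fresh_keys())
    print("weak after: ", weak_keys(fixed))
    print(fixed)
```

Run it against your own file with `weak_keys(open("wp-config.php").read())`; an empty list means all eight keys are present, non-default and long enough. Note that rotating the keys invalidates every existing login cookie, which is also the reason to rotate them after a suspected compromise.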
  8. Customizing the database prefix
    It is highly recommended to change the database table prefix from wp_ to something unique. The best way to do this is during the installation of your WordPress, where you have the option of typing in any word as your database table prefix. Here is how to properly name your prefix without messing up your database table naming and order:
    You should keep wp_ at the beginning, followed by the unique name and another underscore, followed by the table name; here is an example.
    Changing your database table prefix after installation is still possible, but it’s a more complicated step to take; here is a link to a tutorial on that:
  9. Don’t be Admin
    admin is the default username created by WordPress and it’s the first choice of hackers trying to get into your website through the admin login panel. Changing it to any name other than admin is a good step towards your website security.
  10. Setting up file permissions
    You need to make sure your file and directory permissions are set the best and most secure way they can be. There is a very good plug-in that can take the guesswork out, scan your files and directories and make sure you are on the right path: “WP Security Scan”.
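Item 6 asks for 644 on .htaccess and wp-config.php, and item 10 asks for sane permissions across the whole tree. The script below is an added example (not code from the post or from the WP Security Scan plug-in) that audits both in one pass: files 644, directories 755, and the two sensitive files no looser than 644, flagging anything group- or world-writable. The policy values and the throwaway demo tree it builds are our own assumptions.

```python
import os
import stat
import tempfile

# Policy (assumption, matching the post): files 644, directories 755, and the two
# sensitive files at 600, 640 or 644, never writable by group or others.
SENSITIVE_FILES = {"wp-config.php", ".htaccess"}
FILE_MODE = 0o644
DIR_MODE = 0o755
SENSITIVE_MODES = (0o600, 0o640, 0o644)


def check_mode(path, st_mode):
    """Return a list of problems for one path (empty if its permission bits match the policy).

    st_mode is the raw value from os.lstat (file-type bits plus permission bits)."""
    perm = stat.S_IMODE(st_mode)
    name = os.path.basename(path)
    if stat.S_ISDIR(st_mode):
        if perm & stat.S_IWOTH:
            return [f"{path}: directory is world-writable ({oct(perm)})"]
        if perm != DIR_MODE:
            return [f"{path}: directory mode {oct(perm)}, expected {oct(DIR_MODE)}"]
        return []
    if perm & (stat.S_IWGRP | stat.S_IWOTH):
        return [f"{path}: file is group/world-writable ({oct(perm)})"]
    if name in SENSITIVE_FILES:
        if perm not in SENSITIVE_MODES:
            allowed = ", ".join(oct(m) for m in SENSITIVE_MODES)
            return [f"{path}: sensitive file mode {oct(perm)}, expected one of {allowed}"]
        return []
    if perm != FILE_MODE:
        return [f"{path}: file mode {oct(perm)}, expected {oct(FILE_MODE)}"]
    return []


def audit(root):
    """Walk a WordPress install and return every permission problem, sorted by path."""
    problems = []
    for dirpath, _dirnames, filenames in os.walk(root):
        problems += check_mode(dirpath, os.lstat(dirpath).st_mode)
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            problems += check_mode(path, os.lstat(path).st_mode)
    return sorted(problems)


def build_demo_site():
    """Construct a throwaway tree (demo data) with two deliberate mistakes:
    a world-writable wp-config.php and a 777 uploads directory."""
    root = tempfile.mkdtemp(prefix="wp-perm-demo-")
    os.chmod(root, DIR_MODE)
    dirs = {"wp-content": DIR_MODE, "wp-content/uploads": 0o777}        # second one is the mistake
    files = {"index.php": FILE_MODE, ".htaccess": FILE_MODE, "wp-config.php": 0o666}  # last one is the mistake
    for rel, mode in dirs.items():
        path = os.path.join(root, rel)
        os.mkdir(path)
        os.chmod(path, mode)
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for problem in audit(build_demo_site()):
        print(problem)
```

On a real host run `audit("/var/www/html")` (or wherever WordPress lives); a 0o666 wp-config.php is reported as group/world-writable because any local account could then edit the database credentials, and a 0o777 uploads directory is reported separately from ordinary 755 mismatches since it is the more serious finding.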
  11. Preventing directory listings
    You have to make sure your directories are locked down and are not visible from the browser when there is no index file in them. You can easily secure the directories by adding the following line to your .htaccess file, preferably at the top, and uploading it to the server: “Options -Indexes”. If .htaccess is not an option, you can just add a blank index file to each directory.
  12. Securing the admin directory from other IP addresses
    We can improve security by preventing unwanted access to the WordPress admin directory using a small slice of code in a .htaccess file that we create in the root of the wp-admin directory. Simply create a brand new .htaccess file and paste the following code into it:
    <FilesMatch ".*">
     Order Deny,Allow
     Deny from all
     Allow from 123.456.789
    </FilesMatch>
    Note: make sure to put your correct IP address in the code where it says Allow from. If you don’t know your IP address, you can simply search for “what is my ip address” on Google and you will find a tool that helps you find it.
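Because a typo in the Allow from line locks you out of wp-admin, it is worth generating the file from a validated list rather than typing it by hand. The following is an added example (not the post's own code) that checks every entry with Python's ipaddress module and then renders the same FilesMatch block the post shows; the function names, the Apache 2.4 variant and the 192.0.2.0/24 and 203.0.113.0/24 addresses (documentation ranges from RFC 5737) are our own assumptions.

```python
import ipaddress


def parse_allowlist(entries):
    """Split entries into parsed IPv4/IPv6 hosts or CIDR networks and rejected strings."""
    valid, rejected = [], []
    for entry in entries:
        try:
            valid.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            rejected.append(entry)
    return valid, rejected


def render_wp_admin_htaccess(entries, apache24=False):
    """Generate the wp-admin/.htaccess allowlist, refusing to emit anything for bad input.

    apache24=False emits the Order/Deny/Allow directives the post uses (Apache 2.2
    mod_authz_host); apache24=True emits the equivalent Require ip directives for 2.4."""
    valid, rejected = parse_allowlist(entries)
    if rejected:
        raise ValueError(f"not valid IP addresses or networks: {rejected}")
    if not valid:
        raise ValueError("an empty allowlist would lock everyone, including you, out of wp-admin")
    # A single host renders as a bare address, as in the post; a range renders in CIDR form.
    rendered = [str(net.network_address) if net.num_addresses == 1 else net.with_prefixlen
                for net in valid]
    lines = ['<FilesMatch ".*">']
    if apache24:
        lines += [f"    Require ip {addr}" for addr in rendered]
    else:
        lines += ["    Order Deny,Allow", "    Deny from all"]
        lines += [f"    Allow from {addr}" for addr in rendered]
    lines.append("</FilesMatch>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The post's placeholder "123.456.789" is not a valid address (octets above 255, only
    # three of them), so the generator rejects it instead of writing a broken rule.
    print(parse_allowlist(["123.456.789"]))
    print(render_wp_admin_htaccess(["192.0.2.10", "203.0.113.0/24"]))
    print(render_wp_admin_htaccess(["192.0.2.10"], apache24=True))
```

Two caveats when deploying this: a home connection with a dynamic IP will eventually lock you out, so allow a range or keep a second way in, and wp-admin also contains admin-ajax.php, which some plug-ins call from the public front end, so test the site as an ordinary visitor after uploading the file.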
  13. Hide your version number
    Hackers use your version number to attack security holes specific to your version, and that information is publicly available in your source code, RSS feed and other places. Here is how to hide it: copy and paste the following code snippet into the “functions.php” file in your theme folder; if there is no such file, create one, and paste the code at the bottom of the document.
    // remove version number from head & feeds
    function disable_version() { return ''; }
    add_filter('the_generator', 'disable_version');
    remove_action('wp_head', 'wp_generator');
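To confirm the snippet worked, fetch your home page and feed and run them through a checker like the one below. It is an added example (not code from the post) that looks in the three places WordPress prints a version: the meta generator tag in the head, the generator element in feeds, and the ?ver= query strings on enqueued scripts and styles. The sample responses are constructed demo data.

```python
import re

# Three places WordPress prints a version string: the <meta name="generator"> tag in
# the HTML head, the <generator> element in RSS/Atom feeds, and ?ver= query strings
# appended to enqueued scripts and stylesheets.
META_GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([^"\']*)["\']', re.I)
FEED_GENERATOR_RE = re.compile(
    r'<generator>[^<]*wordpress\.org/\?v=([^<]+)</generator>', re.I)
VER_QUERY_RE = re.compile(
    r'(?:wp-includes|wp-content)/[^"\'\s>]*\?(?:[^"\'\s>]*&)?ver=([0-9][^"\'&\s>]*)', re.I)


def find_version_leaks(body):
    """Return (location, version) pairs for every version string found in a page or feed body."""
    leaks = []
    leaks += [("meta generator", m.group(1).strip()) for m in META_GENERATOR_RE.finditer(body)]
    leaks += [("feed generator", m.group(1).strip()) for m in FEED_GENERATOR_RE.finditer(body)]
    leaks += [("ver= query string", m.group(1)) for m in VER_QUERY_RE.finditer(body)]
    return leaks


# Constructed responses (demo data, not captured from a real site).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.5.1" />
<link rel='stylesheet' href='http://example.test/wp-content/themes/demo/style.css?ver=3.5.1' type='text/css' />
<script type='text/javascript' src='http://example.test/wp-includes/js/jquery/jquery.js?ver=1.8.3'></script>
</head><body></body></html>"""

SAMPLE_FEED = """<?xml version="1.0"?><rss><channel>
<generator>http://wordpress.org/?v=3.5.1</generator>
</channel></rss>"""

# The same page after the functions.php snippet removed the generator tag and the
# ?ver= strings were stripped as well.
HARDENED_HTML = """<html><head>
<link rel='stylesheet' href='http://example.test/wp-content/themes/demo/style.css' type='text/css' />
<script type='text/javascript' src='http://example.test/wp-includes/js/jquery/jquery.js'></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for name, body in (("page", SAMPLE_HTML), ("feed", SAMPLE_FEED), ("hardened page", HARDENED_HTML)):
        print(name, find_version_leaks(body) or "no version strings found")
```

The functions.php snippet in the post covers the first two locations; the ?ver= strings on scripts and styles are added separately by WordPress when it enqueues them and need their own handling (WordPress exposes the script_loader_src and style_loader_src filters for that). Note that the sample also reports ver=1.8.3, the bundled jQuery version, which fingerprints the install almost as well as the WordPress version does.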
  14. Protect your site from spammers
    In order to protect your site from spammers, install the anti-spam plug-in “Akismet”: simply get the activation code from its website and activate your plug-in.
  15. Secure your admin page
    We can secure our admin page using a plug-in that gives us many options for more security. Its name is “Login Lock”.