Although it isn’t possible to have a 100% secure website, you can minimise your risk of being hacked by taking a few simple steps.
With security there are always many different levels that you can apply.
Here I want to cover the basic minimum security measures and practices that should be applied to all websites as well as to introduce more complex security measures that you might want to consider.
How many levels of security you apply will depend on what type of site you are trying to protect.
When implementing security there is always a trade-off between usability and security.
In addition, for non-technical WordPress site owners some security steps are complex and require a high level of technical know-how.
The good news is that there are security plugins that can make implementing advanced security measures much easier.
In addition there are a number of WordPress focused hosting providers that offer advanced security as part of the package.
Basic Security Practices and Measures
These should (IMO) be applied to all websites/blogs.
- Make Frequent Backups – If your site is compromised then the easiest way to recover is to restore the site from a backup. See backing up WordPress
- Keep your computer free of viruses and Malware – A virus or trojan on your computer can easily be programmed to steal website passwords.
- Keep your site Current – Many hacks are against known bugs in old software or plugins. Make sure you update WordPress and any installed plugins. See Updating WordPress
- Use a Strong Password – Breaking a weak password is a very popular hacking method.
- Don’t use admin as your administrator – The username/password combination can be made more secure by not letting a hacker know the admin username.
- Keep your site installation clean – Many sites have deactivated plugins that the owner tried and didn’t need. These plugins are rarely updated because they aren’t being used, but they still represent a vulnerability that someone can exploit. In addition, if you install a test site on your hosting package, delete it when you no longer need it, and keep it up to date as you would a working site.
Advanced Security Practices and Measures
These usually require editing the wp-config.php file or the .htaccess file.
Because of this, the preferred method of implementing these measures is to use the plugin All In One WP Security.
You should consider implementing the following:
- Restrict access to admin area
- Change database table prefix
- Rename default login Page
- Restrict bad login attempts
- Disable file editing via the dashboard
- Restrict access to wp_config.php file
- Hide WordPress version
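As an added example (not code from this post or from the All In One WP Security plugin), the following must-use plugin implements two items from the list above without a plugin: it hides the WordPress version and locks out an IP address after repeated failed logins. It assumes the file is placed in wp-content/mu-plugins/, that the server is not behind a reverse proxy (so REMOTE_ADDR is the real client IP), and the threshold and lockout values are illustrative.

```php
<?php
/*
 * Plugin Name: Minimal Login Hardening (example)
 * Description: Hides the WordPress version and locks out an IP after repeated failed logins.
 * Place in wp-content/mu-plugins/ so it loads automatically. File name and
 * the limits below are assumptions for this example, not project defaults.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Refuse direct requests to this file.
}

// --- Hide WordPress version ---------------------------------------------
// Remove the <meta name="generator"> tag and blank the version in feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// --- Restrict bad login attempts ----------------------------------------
const EXAMPLE_MAX_FAILURES    = 5;       // Failures allowed before lockout (assumed value).
const EXAMPLE_LOCKOUT_SECONDS = 15 * 60; // Lockout window in seconds (assumed value).

// Transient key for the visiting IP. Behind a reverse proxy the client IP
// would have to come from a trusted forwarding header instead of REMOTE_ADDR.
function example_login_lock_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

// Count each failed login per IP. The transient expires after the lockout
// window, and every further failure (including a blocked one) renews it.
add_action( 'wp_login_failed', function () {
    $key   = example_login_lock_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXAMPLE_LOCKOUT_SECONDS );
} );

// Priority 30 runs after core's username/password checks (priority 20), so
// returning a WP_Error here overrides the result for a locked-out IP even
// when the credentials were correct.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( example_login_lock_key() ) >= EXAMPLE_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30 );
```

Because the lockout is keyed by IP, users sharing one address (an office NAT, for example) are locked out together; that is the usability trade-off mentioned earlier in the post.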
References and Resources:
- WordPress Setup and Configuration
- WordPress security 19 steps
- 11 Quick Tips: Securing Your WordPress Site
- Hardening WordPress (WordPress Codex)