By now you’ve probably read about the recent massive botnet attacks on WordPress websites. While it’s true that WordPress core developers work hard to keep the WordPress platform safe, if you own or operate a WordPress website then you also have a responsibility to keep your site from being compromised.
Here are some of the ways to harden your WordPress security:
- Best practices
- Security plugins
- Signing up for CDNs
- Configuring .htaccess
1. WordPress Best Practices
Some of the most important things for hardening WordPress include:
- Making sure your WordPress installation has the latest updates
- Minimizing the number of plugins you use (and deleting the ones you don’t)
- Choosing passwords that are difficult to crack
- Performing regular data backups
- Protecting your WordPress using .htaccess
Once you apply these, you can then install a plugin which will monitor your WordPress core files and traffic.
2. WordPress Security Plugins
Wordfence is a great plugin that will block any IP address that tries to flood or spam your website. It will limit the number of login attempts and monitor all live traffic. It’s being updated and maintained regularly, so you can count on it being on top of all your security issues.
Better WP Security is another great plugin that will allow you to sleep a little better at night. It’s really a full package, but you should read the FAQ section first before activating it, as it makes some significant changes to your database that you should be aware of.
BackWPUp is a free plugin that backs up both your WordPress files and database. I can recommend this plugin because I use it on many websites and I’ve never had any issues with it. There are, of course, a lot of other free and paid backup plugins out there and you are welcome to try them all until you find the one which suits you, but please put one to use.
3. Free CDNs
There has been a lot of talk whether free content delivery networks actually do any good or do they exist only to lure you into one of their paid services. Well, I’ve tested the two most popular free CDNs and I can honestly recommend both, even without the paid add-ons.
CloudFlare is a free content delivery network that filters all your traffic and minimizes the risk of your WordPress website from becoming a target.
PageSpeed Service by Google does something similar and we can all presume that Google takes online security seriously.
Read a complete list of pros and cons of Google PageSpeed and CloudFlare CDN.
4. Configure .htaccess
.htaccess stands for Hypertext Access. It’s a configuration file which controls the directory in which it is placed and all sub-directories. We’re going to talk about configuring .htaccess for Apache webservers and Linux.
Editing .htaccess file is a serious business and you should not play with it unless you have at least basic coding knowledge. If you don’t feel comfortable editing .htaccess, you can download and install a plugin from WordPress.org repository called WP htaccess Control. It provides an easy interface for editing the file, but also for configuring WordPress permalinks, categories, archives, pagination and custom taxonomies.
You can easily become overwhelmed by the number of options this plugin offers, so just go straight to “htaccess Suggestions” tab once you get to the plugin configuration page. You can then check all the options and your .htaccess will become configured for security.
If you don’t want to install a plugin or need maximum control and want to manually configure it, you can read this post on WordPress Security through .htaccess.
There isn’t a way to make your WordPress 100% secure, but limiting your website vulnerabilities will repel almost all malicious attacks, because hackers are not known for their patience. If you do however become a victim of a WordPress security breach, you can read and get informed about what to do on WordPress official My site was hacked page and you can report all security issues here.
As you already know, prevention is the best cure, so what are your plans to harden WordPress security?