WordPress FAQs

How to Secure a WordPress Website

Q Vulnerabilities on Your Computer

Make sure the computers you use are free of spyware, malware, and virus infections. No amount of security in WordPress or on your web server will make the slightest difference if there is a keylogger on your computer.

Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities. If you are browsing untrusted sites, we also recommend using tools like NoScript (or disabling JavaScript/Flash/Java) in your browser.

Q Vulnerabilities in WordPress

Like many modern software packages, WordPress is updated regularly to address new security issues that may arise. Improving software security is always an ongoing concern, and to that end, you should always keep up to date with the latest version of WordPress. Older versions of WordPress are not maintained with security updates.

Q Delete and Update WordPress

WordPress has a bit of a bad rap for being "insecure." In fact, a WordPress site only becomes insecure when you fail to keep it up to date. Any part of your site that is not updated to its latest version presents a security risk. Hackers find vulnerabilities in sites through outdated files, themes and plugins. So go now and make sure that you are updated to:

  • The latest version of WordPress
  • The latest version of all installed plugins
  • The latest version of all installed themes

While you're in there, it's best to delete any plugins or themes that you don't use or need. These are likely to become outdated without you noticing, creating future security risks.

Q Delete the username "admin"

The default username when creating a WordPress site is "admin." Most people keep this username. This makes it very easy for hackers to guess your username. Then they are already half logged in to your site. So delete any account with the username "admin."

If the account with username "admin" is the only user that currently has Administrator-level access, you won't be able to delete it until you first create and log in with a different Administrator-level account. WordPress needs to ensure that there is some way to access Administrator functions for your site.

Q Improve your Access Controls.

You will often hear folks talking about updating things like passwords. Yes, this is a very important piece, but it's one small piece in a much larger problem. We need to improve our overall posture when it comes to access control. This means using complex, long and unique passwords for starters.

Remember that this includes changing all access points. When we say access points, we mean things like FTP, wp-admin and MySQL.

Q Download the WordFence plugin.

WordFence is a regularly updated firewall and malware scanner for your WordPress website. Once installed, WordFence is configured and ready to start protecting your site. The main features of WordFence are:

  • Integrated malware scanner blocks requests that include malicious code or content.
  • Checks your site for known security vulnerabilities and alerts you to any issues.
  • Login security, including two-factor authentication and login CAPTCHA, to prevent bots from logging in.
  • Live traffic tools to monitor visits and hack attempts, with the ability to block IP addresses.

Q Install Login Lockdown

This limits the number of login attempts from a given IP range within a certain time period. This helps to prevent brute-force attacks. You can get it right here: http://wordpress.org/plugins/login-lockdown/
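
As an added example (not part of the original FAQ and not the Login Lockdown plugin's code), the sketch below applies the same rule to a web server access log: it counts failed wp-login.php POSTs per IP range inside a sliding time window and reports the ranges that cross the threshold. The threshold, window length, /24 grouping and log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_network

# Assumed policy values for illustration; not the plugin's defaults.
MAX_FAILURES = 3
WINDOW = timedelta(minutes=5)

# Constructed sample lines in common log format (documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.50 - - [12/Mar/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.10 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.11 - - [12/Mar/2024:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
198.51.100.7 - - [12/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.12 - - [12/Mar/2024:10:02:15 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
198.51.100.7 - - [12/Mar/2024:10:03:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000
192.0.2.50 - - [12/Mar/2024:10:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
192.0.2.50 - - [12/Mar/2024:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /wp-login\.php[^"]*" (?P<status>\d{3}) '
)

def ip_range(ip, prefix=24):
    """Collapse an IPv4 address to its enclosing range, e.g. 203.0.113.0/24."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))

def ranges_to_lock(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {range: time of the attempt that crossed the threshold}."""
    recent = defaultdict(deque)  # range -> timestamps of recent failures
    locked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Heuristic: a failed login re-renders the form (200); success redirects (302).
        if not m or m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rng = ip_range(m["ip"])
        q = recent[rng]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            locked.setdefault(rng, ts)
    return locked
```

On the sample log, only 203.0.113.0/24 is flagged: three different addresses in that range fail within five minutes, while the three failures from 192.0.2.50 are spread too far apart to count together.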

Q Backup and scan your website/blog.

This is the most important thing. Doing a regular backup and scan gives you a restore point for your blog, so if anything happens, you can easily restore your blog without any problems.

More information can be found here.
