WordPress Security Tips – Here are five great steps you can take to really help secure your WordPress based photography site.
Security is a major concern for every person that has a WordPress based photography website since the platform can be very vulnerable to hacking if it is not properly maintained. However, WordPress itself is not always to blame as you do need to be responsible for being aware of the strategies and techniques you can use to help secure your WordPress website.
If you don’t know of these techniqies, read on for a comprehensive breakdown of the exact steps you should take:-
WordPress Security Tips Step 1: Limit Access to Your WordPress Website
Here are some steps you should take to limit access to your website.
1. Set up Lockdown for Your Site and Ban Unauthentic Users
Setting up a lockdown feature on your website for failed logins can address many security issues such as preventing sustained brute force attacks. If an attacker tries to gain unauthorized access by inserting passwords repetitively, the attacker’s IP address will be blocked by your website and you will receive an email informing you of the activity. One of the best plugins for this purpose is iThemes Security plugin. However, you can still use others such as Login Lockdown and WordFence.
2. Use 2-Factor Authentication (2FA) When You Log in to Your Website
Two factor authentication adds a completely new level to your security. Once you have set up 2-Factor Authentication for your website setup, you will be required to provide two things before you gain access, which can either be password + security code or password + security question. You can use plugins for 2FA such as Google Authenticator or Two Factor Authentication.
3. Use an Email Address Instead of a Username When You Are Logging In
By default, you are required to enter your username before you log in, but you can customize thus to use email since it is more secure. Email is more secure since it is not as easy to guess as the username. In the past, you needed a WordPress plugin for this, but this is no longer the case since the feature is now included in the WordPress core.
4. Customize the Login URL
The Default WordPress login URL is known to almost everyone that uses the platform. An attacker can easily access your website’s back end by simply adding wp-admin or wp-login.php at the end of your domain name and afterwards use brute force attacks to gain access. Fortunately, it is quite easy to customize the default WordPress login URL. You can change wp-admin to something like –admin and from wp-login.php to something such as –login.php or something of your choosing.
5. Use Strong Passwords
Keep changing the password of your website regularly, at least once every week. You can even try generating a password using a password generator, but the important thing is to ensure that your passwords are strong and not easily hacked.
WordPress Security Tips Step 2: Secure the WordPress Admin Panel
The admin panel is the most important part of a WordPress website, which is why it needs to be the most secure part of your website. Here are some effective tips for improving the security of your WordPress admin panel.
1. Use a Strong Password to Protect the WP-Admin Directory
The WP-Admin directory is literally the heart of your WordPress website, which means that securing it with some additional measure does make sense – but this tip is not the easiest to implement for beginners. A strong password can be used to limit access and protect the wp-admin directory using an entry in your site’s .htaccess file. This would mean that you would have one password for accessing your website and another to access the wp-admin dashboard.
2. SSL Data Encryption
Implementing a Secure Socket Layer (SSL) is a great way not only to secure the admin panel, but also your website as a whole. It can even help you improve your website’s ranking on Google. The SSL protocol ensures a secure transfer of data between the client’s browser and the server, which makes it hard for hackers to access the data. It is not hard to set up the SSL since you just have to request your hosting provider to enable the SSL certificates and you can even get free certificates these days.
3. Be careful When Adding Users
This one seems obvious, but if you allow guest posts on your WordPress blog or website and have multiple authors who have access to the admin panel, you could be more vulnerable to a security threat. Don’t forget the access you may have given your webmaster or web designer. It’s not that you can’t trust them, it’s can you trust them to use properly secure password? Well one way around this is to use the Force Strong Passwords plugin to ensure that all users registered on your system use strong passwords for logging in.
4. Change the Username from Admin
If there is one golden rule when installing WordPress, it is this – NEVER EVER KEEP “admin” as the administrator account. The problem with using “admin” is that it is the first one attackers use to try and then guess your password. Once an attacker knows that the username is admin, they will be one step closer to being able to hack into your website.
WordPress Security Tips Step 3: Secure the Database of Your Website
All the data and settings of your website are stored in the website database, which is why it is very important to secure it. Here are some tips for doing exactly that.
1. Change the Database Table Prefix
The WordPress database table uses the wp-table prefix by default, which is very vulnerable to hacking since attackers are aware of this. It is advisable to change it to something unique such as mywp or whatever you prefer. If you already have WordPress installed with the default table prefix, you should use the iThemes security plugin or Wp-DBManager plugin to make changes to your table prefix.
2. Use a Strong Password
You should set up a very strong password for accessing the WordPress database, which is the one you enter when installing WordPress. You should always use a password generator to create your passwords.
WordPress Security Tips Step 4: Secure Your Plugins and Themes
WordPress plugins and themes are the building blocks of your website. Unfortunately, they can also be the target for hackers. Here are some tips for securing them.
1. Update Your WordPress, WordPress Themes, and WordPress Plugins Regularly
This is vitally important – WordPress and its associated software is constantly updated to overcome any errors and vulnerabilities that may be present in the softwar. It is therefore vital to update your WordPress, WordPress themes, and WordPress plugins regularly since most of the vulnerabilities and errors will have been addressed in the updated versions.
2. Hide the Version Number of Your WordPress
It is easy to find the current version number of your WordPress since it sits next to the source. It is better to hide it since hackers will have an easier time formulating a plan of attack if they know what version you are using.
WordPress Security Tips Step 5: Securing the Hosting
All hosting companies promise to offer the best security, but you can still do more when it comes to securing your website. Here are some tips to do just that.
1. Protect the WP-CONFIG File
The WP-CONFIG file holds all the passwords and details about your website such as username, database name, etc., which is important data with regards to the security of your website. If you make the WP-CONFIG file inaccessible to hackers, it will be hard for them to hack your website. Fortunately, it is quite easy to do. All you should do is change the directory of the wp-config file, which is just moving it a directory higher then create a new wp-config file in your existing wordpress directory which reference the real one in the secure non-public (i.e. add one line of PHP code in you wp-config file which reads : include(‘/path-to-the-new-file/wp-config.php’);. You can even rename the file to something else
2. Disable File Editing
If multiple users enjoy admin access, then it means that all of them can access the website plugins and themes core file. However, if this feature is disabled, the core file cannot be altered, which means that your themes and plugins will be secure. To disable file editing, go to cpanel and find the wp-config file in your WordPress directory and add the following line of code: define (‘DISALLOW_FILE-EDIT’, true); and you will be done.
3. Set Up File Access Permissions Properly
If you are using a shared hosting, then having the wrong file access permissions can lead to serious consequences. In such a situation, you can secure your website by setting up proper file and directory permission. You can set the directory permission to “755” and the file to “644” to protect the website a whole at hosting level.
4. Disable the Directory Listings Using .htaccess
If you have created a directory on the server with the name “Website”, but you fail to add a proper index file (e.g. index.html, index.php etc) then you might be surprised to learn that a visitor can access all the listings of the directory without the need of a password by visiting the link like “demo.com/website”. You can prevent such a scenario by adding the following code to the .htaccess file: Options All –Indexes
WordPress Security Tips – The Bottom Line
The importance of securing your WordPress website cannot be overstated. Now we are not suggesting all these steps are completely necessary, but if you really wish to secure your WordPress website properly, you wont go wrong by following the 5 steps provided here.
Want Help Securing Your Website?
All of photographers who sign up to MyPhotoCTO’s Managed WordPress support services benefit from a full secure audit of your site when we take your site on – we’ll check for obvious and not-so-obvious vulnerabilities and we’ll even install a full copy of the iThemes Security Plugin free of charge on your site saving you $80 per year if you were to purchase it yourself.