How to secure a Wordpress website

Howdy,

First thing to understand is that security can never be 100%. No matter how hard we try, we are always playing a game of cat of mouse between developers/webmasters and hackers/hacktivists/douchebags.

You also need to remeber that WordPress and most of it's plugins are 100% open source which means anybody can view all of the source code, and if inclined deciper security holes.

The best you can do is to harden the utter crap out of your installs. There are many, many tips all over the internet but some of the most basic tips are the most effective.

• Always, always keep your plugins and WordPress installs upto date. The reason updates are pushed are not just to add features, but patch security holes and issues.
• Strong passwords are a must for at least admin level accounts. A good password is around 15 characters long and contains lowercase, uppercase, numbers and punctuation.
• Change the default username, so instead of the inital user being admin, make it anythign you want. The idea behind this is because it's a default, it's takes some of the work out of cracking the admin/master account as the username is already known.
• In your wp-config file you will want to change the salt keys to something new and it's also wise to change the database table prefix as well. Why let hackers have it easy with defaults, when you can make them work for it.
• Be cautious of installing plugins not found on the WordPress repository, or reputable sources like CodeCanyon. It is beyond easy as a developer to leave a backdoor into a website via a plugin they make.
• Also be cautious about those that you grant admin rights too. Hackers are not just your biggest threat a pissed off member of staff, or worse, an angry developer can trash a site in mere seconds.
• If possible find a plugin that limits the amount of attempted logins per IP. This will prevent brute forcing attacks, or at the very least considerably hamper them.
• If your coding anything that has access to the database, then it is of utter importance to always sanitize user input. It can never be fully trusted, ever!

Last of all, spend some time reading security guides for wordpress online and implement their advice. Also use reputable plugins to help make things harder for hackers such as the one i mentioned above.


Just remember nothing is a 100% security fix, one plugin, hell ten plugins won't make your sites impenetrable, but it will make it one hell of a pain in the ass for any casusal hacker attempting to mess with your site; more than likely they will just move on to the next target.


Hope that helps!

i always htaccess protect the wp-admin folder with access only to my IP

Also make all your passwords strong. By strong i mean completely random charaters, lower and upper case, special characters etc. Also make sure you have plugin which stops multiple login attempts.

ust hiding parts of your site is helpful but won't stop everything. After we hide sensitive areas of the sites we'll protect it by blocking users that shouldn't be there and increasing the security of passwords and other vital information.

Scan your site to instantly tell where vulnerabilities are and fix them in seconds
Ban troublesome bots and other hosts
Ban troublesome user agents
Prevent brute force attacks by banning hosts and users with too many invalid login attempts
Strengthen server security
Enforce strong passwords for all accounts of a configurable minimum role
Force SSL for admin pages (on supporting servers)
Force SSL for any page or post (on supporting servers)
Turn off file editing from within WordPress admin area
Detect and block numerous attacks to your filesystem and database

WordPress › Security Ninja Lite « WordPress Plugins can help you secure your site and tell you common vulnerabilities. I like bulletproof and better wp security, but haven't tried using them together because they affect the same areas

It is recommended to use the WordPress Firewall plugin:
WordPress › WordPress Firewall 2 « WordPress Plugins

Here I am giving you a link to get your wordpress website secure. I hope this will help you in the better way.

WordPress › How to Keep WordPress Secure

Always update latest version and config files on your server to increase secure for your website.

You have to be careful about mucking around with your .htaccess file, depending on other plugins you use. There are many less intrusive security plugins that will get you 95% there. I agree with Wordfence as a good one to use. It'll send you emails of any problems, such as out of date plugins and scans for any changes to your WP core files.

Your best defense is to stay up to date with WordPress releases. Also, use as few well made and supported plugins as you can.

The thing I do not see mentioned here is make sure to set your auto backups to your database nightly and you should have your current scripts in a minimum of 3 locations on the server. If you have mysql workbench or access to it do manual backups at least once a day. Also ftp a copy of your scripts to your workstation every time you make a change to the script and if you want to be really sure - burn a copy of all to a CD weekly.

That way if you get hacked you can be back up and running in minutes not days.

Is it a good idea to use htaccess protect the wp-admin folder and with access only to my IP?

Making sure your WordPress installation has the latest updates,Minimizing the number of plugins you use , Choosing passwords that are difficult to crack are few points to remember which are basics for wordpress security.