10 Tips To Secure Your WordPress Blog in 2024 (Ultimate Security guide)
There are lots of tricks and tips you can implement to harden your WordPress security and protect your site from various cyberattacks.
WordPress is one of the most popular platforms for self-hosted blogs and websites, and it is reasonably secure out of the box. Even so, there will always be people looking for a way to break into accounts or sites to cause damage or inject hidden spam links. That’s why it’s important to make sure your WordPress installation is as secure as possible. Below are a few tips you can apply to secure and protect your WordPress blog.
Tips To Secure Your WordPress Blog
Here are some of our tips for keeping your WordPress website or blog more secure and less susceptible to malicious attacks.
WordPress is secure, as long as publishers take website security seriously and follow best practices.
Make sure you are updated
If you aren’t running the latest version of WordPress, upgrade now. Leaving your site on an old version is like leaving your door unlocked when you go on vacation. As a rule of thumb, every time the WordPress core or a plugin you’re using has an update available, apply it. Updates bring new features but also security fixes. Although WordPress has had automatic background updates since version 5.7, you should still keep an eye on them, as an automatic update can fail to complete from time to time.
Plugins are also a sensitive part of your WordPress installation. Don’t forget to update them as soon as an update is available.
No software system is immune to bugs and vulnerabilities. Security holes will be discovered and bad guys will do their best to exploit them. Keeping your software up-to-date is a good way to stave off attacks because reliable software vendors will fix their products once security holes are found.
Pick a strong password
In addition to adding a secret key to your wp-config.php file, also consider changing your user password to something that is strong and unique. WordPress will tell you the strength of your password, but a good tip is to avoid common phrases, use upper and lowercase letters, and include numbers. It’s also a good idea to change your password regularly — say once every six months.
A strong password has:
- at least 15 characters
- uppercase letters
- lowercase letters
- numbers
- symbols, such as ` ! " ? $ ? % ^ & * ( ) _ - + = { [ } ] :
A strong password is not:
- your login or username
- your name, your friend’s name, your family member’s name, or a common name
- a dictionary word
- like your previous passwords
- your date of birth
- a keyboard pattern, such as qwerty, asdfghjkl, or 12345678
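The two lists above are a checklist a human can follow, but the same rules can be enforced in code. The following is an added example, not code from the original article: a small PHP function that reports every rule a candidate password breaks, plus an optional hook that makes WordPress reject weak passwords on profile save. The function names, the word lists and the sample inputs are this example's own assumptions; the only WordPress-specific part is the user_profile_update_errors action, which is guarded so the file also runs under plain php.

```php
<?php
// Added example, not code from the original article: a checker that encodes the
// article's "strong password" rules. The function names, the word lists and the
// WordPress hook wiring below are this example's own assumptions.

const MIN_PASSWORD_LENGTH = 15;

// Constructed sample lists; a real deployment would use a full dictionary and a
// breached-password list instead of these few entries.
const SAMPLE_DICTIONARY = ['password', 'welcome', 'sunshine', 'wordpress'];
const KEYBOARD_PATTERNS = ['qwerty', 'asdfghjkl', '12345678', 'zxcvbn'];

/**
 * Return the reasons a candidate password is weak; an empty array means it passes.
 *
 * @param string   $password  candidate password
 * @param string   $username  the account's login name
 * @param string[] $personal  names, date of birth and similar strings to reject
 * @param string[] $previous  earlier passwords in plain text (demo only; production
 *                            code keeps only hashes and cannot compare this way)
 */
function password_problems(string $password, string $username, array $personal = [], array $previous = []): array
{
    $problems = [];
    $lower = strtolower($password);

    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        $problems[] = 'shorter than ' . MIN_PASSWORD_LENGTH . ' characters';
    }
    if (!preg_match('/[A-Z]/', $password)) { $problems[] = 'no uppercase letter'; }
    if (!preg_match('/[a-z]/', $password)) { $problems[] = 'no lowercase letter'; }
    if (!preg_match('/[0-9]/', $password)) { $problems[] = 'no digit'; }
    if (!preg_match('/[^A-Za-z0-9]/', $password)) { $problems[] = 'no symbol'; }

    if ($lower === strtolower($username)) {
        $problems[] = 'identical to the username';
    }
    foreach ($personal as $item) {
        if ($item !== '' && strpos($lower, strtolower($item)) !== false) {
            $problems[] = "contains personal data '$item'";
        }
    }
    if (in_array($lower, SAMPLE_DICTIONARY, true)) {
        $problems[] = 'is a dictionary word';
    }
    foreach (KEYBOARD_PATTERNS as $pattern) {
        if (strpos($lower, $pattern) !== false) {
            $problems[] = "contains keyboard pattern '$pattern'";
        }
    }
    foreach ($previous as $old) {
        // "like your previous passwords": reject when only a few characters differ
        if (levenshtein($lower, strtolower($old)) <= 3) {
            $problems[] = 'too similar to a previous password';
            break;
        }
    }
    return $problems;
}

// Inside WordPress (for example from a small plugin) this refuses weak passwords
// when a profile is saved, via the user_profile_update_errors action. The guard
// lets the same file run under plain php where add_action() does not exist.
if (function_exists('add_action')) {
    add_action('user_profile_update_errors', function ($errors, $update, $user) {
        if (empty($user->user_pass)) {
            return; // password field left blank, nothing to check
        }
        foreach (password_problems($user->user_pass, $user->user_login) as $reason) {
            $errors->add('weak_password', 'Password rejected: ' . $reason);
        }
    }, 10, 3);
}

// Stand-alone demo with constructed inputs:  php password-check.php
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    foreach (['qwerty123', 'Correct-Horse-Battery-Staple-42!'] as $candidate) {
        $found = password_problems($candidate, 'admin', ['john', '1990-05-12'], ['qwerty124']);
        printf("%-36s %s\n", $candidate, $found ? implode('; ', $found) : 'OK');
    }
}
```

The similarity check uses Levenshtein distance as a simple stand-in for "like your previous passwords"; it only works while the old passwords are still in plain text, which is why the hook version compares against the username alone.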
Use Secret Keys in your WP-Config File
In WordPress, the wp-config.php file stores the information WordPress needs to connect to its database: the name, host address and password of the MySQL database that holds all of your user info, blog posts and other important content.
Using a secret key, you can make it even more difficult for someone to gain access to your account.
Go to https://api.wordpress.org/secret-key/1.1/ and copy the results into this section of your wp-config.php file if you haven’t already set up a secret key.
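If you would rather not paste output from a remote service into your configuration, the keys can be generated locally. The block below is an added example, not from the original article or from WordPress: it builds the eight define() lines with PHP's CSPRNG and also checks an existing wp-config.php for keys that are missing, still carry the sample placeholder, or are too short. The constant names are WordPress's standard ones; the function names and the constructed config fragment are this example's own assumptions.

```php
<?php
// Added example, not from the original article: generate the wp-config.php keys
// and salts locally instead of fetching them from api.wordpress.org, and audit an
// existing wp-config.php for placeholder values. Function names are this example's
// own; the constant names are the ones WordPress uses.

const WP_SECRET_KEY_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// The value shipped in wp-config-sample.php before real keys are set.
const WP_KEY_PLACEHOLDER = 'put your unique phrase here';

/** Build the define() lines with values from the CSPRNG (random_bytes). */
function generate_wp_secret_keys(int $bytes = 48): string
{
    $lines = '';
    foreach (WP_SECRET_KEY_NAMES as $name) {
        // base64 contains no quote or backslash, so the value is safe inside a
        // single-quoted PHP string; 48 random bytes give 64 printable characters.
        $value = base64_encode(random_bytes($bytes));
        $lines .= sprintf("define('%s', '%s');\n", $name, $value);
    }
    return $lines;
}

/**
 * Return the names of keys in a wp-config.php source that are missing, still
 * carry the sample placeholder, or are suspiciously short.
 */
function weak_wp_secret_keys(string $configSource): array
{
    $weak = [];
    foreach (WP_SECRET_KEY_NAMES as $name) {
        $pattern = "/define\(\s*['\"]" . $name . "['\"]\s*,\s*['\"](.*?)['\"]\s*\)/";
        if (!preg_match($pattern, $configSource, $m)) {
            $weak[] = $name . ' (not defined)';
        } elseif ($m[1] === WP_KEY_PLACEHOLDER) {
            $weak[] = $name . ' (sample placeholder)';
        } elseif (strlen($m[1]) < 32) {
            $weak[] = $name . ' (too short)';
        }
    }
    return $weak;
}

// Demo on a constructed wp-config.php fragment that was never updated. To audit a
// real install, pass file_get_contents('/path/to/wp-config.php') instead.
$untouchedConfig = "define('AUTH_KEY', 'put your unique phrase here');\n"
    . "define('SECURE_AUTH_KEY', 'put your unique phrase here');\n"
    . "define('LOGGED_IN_KEY', 'short');\n";
print_r(weak_wp_secret_keys($untouchedConfig));

echo "\n// Paste these over the key section of wp-config.php:\n";
echo generate_wp_secret_keys();
```

Changing these keys invalidates every existing login cookie, so all users (including you) will have to sign in again after the new values are saved.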
Pick a random username
Attackers know that most people use usernames such as “admin” or the URL of their website. By picking a random username, you make their task more difficult.
Use .htaccess to protect wp-login
Password protecting your wp-login.php file can add an extra layer to your server. Because password protecting wp-admin can break any plugin that uses AJAX on the front end, it’s usually sufficient to just protect wp-login.php.
To do this, you will need to create a .htpasswd file. To do so, go to an htpasswd generator and follow the instructions. Once you have your file ready, upload it to your server.
Once done, you need to tell .htaccess where it is. Assuming you’ve put .htpasswd in your user’s home directory and your htpasswd username is mysecretuser, put this in your .htaccess file:
# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead of these two lines
    Order allow,deny
    Deny from all
</Files>

# Protect wp-login
<Files wp-login.php>
    # AuthUserFile needs an absolute filesystem path; Apache does not expand "~",
    # so replace this placeholder with the real location of your .htpasswd
    AuthUserFile /home/youruser/.htpasswd
    AuthName "Private access"
    AuthType Basic
    require user mysecretuser
</Files>
If you’re looking for a plugin instead of doing it yourself, have a look at AskApache Password Protect. Please note, though, that it hasn’t been updated in a year. I haven’t tried it myself, so I can neither recommend nor advise against this plugin.
Remove unnecessary error messages
Login error messages are useful, but unfortunately, they can also provide information to attackers.
To get rid of login errors displayed on your wp-login.php page, open your theme’s functions.php file and append the code below to it:
// create_function() was removed in PHP 8, so a closure is used instead.
// Returning an empty string leaves the login form with no error text at all.
add_filter('login_errors', function ($error) {
    return '';
});
Be careful with plugins and themes
Basically, everything you add to your WordPress install (Themes and Plugins) potentially contains vulnerable code. In fact, anyone can write and offer a plugin or theme.
When choosing a plugin or a theme, make sure that:
- You get it from a reliable source, such as the official WordPress.org repositories
- The plugin/theme is well maintained and has been updated recently
- The plugin has a significant number of installs and/or ratings
Premium themes and plugins that you find offered for free elsewhere often contain malicious code injected into them. Sure, a premium theme or plugin is an investment, but the average $60 you’ll spend is a lot cheaper than paying a developer or security expert to repair a broken or hijacked website. Established premium theme/plugin sellers such as Elegant Themes, ThemeForest or Themify are very serious about security.
Disable file editing
WordPress features a built-in file editor, which can be very useful to edit your theme on the fly. Unfortunately, if an attacker gains access to your WordPress dashboard as an administrator, he will be able to edit your files and do much damage. For this reason, you might want to disable WordPress’s built-in file editor and use a regular FTP program to edit your theme files instead.
To do so, simply paste the line below into your wp-config.php file, which is located at the root of your WordPress install.
define('DISALLOW_FILE_EDIT', true);
Make use of the All In One WP Security & Firewall plugin
The All In One WordPress Security plugin will take your website security to a whole new level. Designed and written by experts, it reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.
Host your website on a reliable web host
Especially if you’re on a shared server (as most small websites such as personal blogs are), attackers can use compromised files on the server, even if they aren’t yours, to spread to other websites hosted there. You can’t fully stop this on your own, which is why you need to be sure your web host takes security seriously and offers strong customer support that will help whenever something goes wrong.
These are some of the best tips to secure your WordPress blog from attacks. I hope you find this helpful; if you have any queries or suggestions, feel free to discuss them in the comments.