WordPress Security

As a website owner, you can do yourself a lot to improve your website security, regardless whether you are technical or not. Here, I will walk you through top 10 suggestions on how to improve security on your WordPress website.

Basic Steps

* Up-to-date WordPress: Update the WordPress and its installed plugin in regularly interval of time.
* Strong Password: Try to make strong password and change it frequently.
* Hosting Provider: Secure hosting provider is also an important role for your WordPress security. A good shared hosting providers take the extra measures to protect their servers against regular common threats.

1. Rename default "admin" username
A majority of threats target your wp-admin / wp-login access points using a combination of admin and some password in what is known as Brute Force attack. If you remove / rename admin, you'll also kill the attack outright.

2. WP Security Questions Plugin
Adding a security question to your WordPress login screen makes it even harder for someone to get unauthorized access.
You can add security questions by installing the WP Security Questions plugin. Upon activation, you need to visit Settings >> Security Questions page to configure the plugin settings.

3. Disable File Editing
It is recommended to disable file editing within the WordPress dashboard. WordPress has a constant that disabled this editing via the wp-config.php file. Append the following two lines to the end of your wp-config.php file:

## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);

4. Disable PHP File Execution under /UPLOADS directory
The uploads directory is need to be writable by the web server. It is where, all files are uploaded remotely. To prevent PHP execution, you can do this by placing an .htaccess at the root of /UPLOADS by using the following code:

# Kill PHP Execution

deny from all

5. Limit Login Attempts
The attacks like Brute Force always target your login form. Specifically, for WordPress security, the All in One WP Security & Firewall plugin has an option to simply change the default URL (/wp-admin/) for that login form.

You can also install and activate the Login LockDown plugin. In this plugin you can restricts max number of login retries.

6. Hide wp-config.php and .htaccess files
Go to Tools > File Editor to edit your .htaccess and wp-config.php files.

You'd need to add these codes at the bottom to your .htaccess file to protect .htaccess and wp-config.php files:

# wp-config.php file hiding

order allow,deny
deny from all

#.htaccess file hiding

order allow,deny
deny from all

7. Password Protect WP-Admin and Login
You can use additional password protection on a server side which will effectively block those requests.

8. Disable Directory Indexing and Browsing
Directory browsing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access.
You need to add the following line at the end of the .htaccess file:

Options -Indexes

9. Disable XML-RPC
XML-RPC can significantly amplify the brute-force attacks.
This is why if you're not using XML-RPC, I recommend that you should disable it.

10. Automatically log out Idle Users
Logged in users can sometimes wander away from the screen, and this poses a security risk. Someone can hijack their session, change passwords, or make changes to their account.
You will need to install and activate the Idle User Logout plugin. Upon activation, visit Settings >> Idle User Logout page to configure the plugin setting.

Like adding new posts or pages, checking your WordPress security should be a regular routine for every WordPress website owner.

This isn't the full list of all the things you can do to secure your WordPress website but at-least provide the first layer of defence from the all major security threats.