WordPress is one of the most popular platforms to build websites. It’s easy to learn and makes running a site manageable for just about anyone. But the popularity of WordPress also leads to an intense interest in it from hackers. The core WordPress installation, if kept up to date, is somewhat secure. But as you add plugins and themes, that slice of security dwindles quickly.
There are several things you can do to help ensure your site is safe from would-be security threats and hackers.
Stay up to date – By far the simplest thing you can do is keep your WordPress installation up to date. You can even choose to let WordPress update automatically. Not only do newer versions come with more features, they almost always include new security fixes. On top of this, when a new version includes security fixes, the issues it fixes are disclosed to the public in the changelog, making it easy for hackers to identify soft spots in sites that have not updated yet. Just make sure you keep regular backups of your site in case something breaks when you update.
Update plugins and themes – Not only do you need to keep your WordPress installation on the newest version, but the same should be done for plugins and themes, for the same reasons. If you don’t absolutely need a plugin, delete it. If you have copies of themes you’ve tried in the past and aren’t using, delete them as well.
NO ‘admin’ usernames – It’s the most common login username, and using it just makes it that much easier for hackers or their scripts to gain access to your site. On that note, change your password every so often, too, and use long, difficult ones. Use a password generator like LastPass.
Use the right file permissions – Set your files to 640 or 644, except your wp-config.php file. Set that one to 600. Set directories to 755.
Limit login attempts – This is easily done with a plugin called WP Limit Login Attempts.
Use an official, valid theme – Don’t trust themes from places that aren’t well known and don’t download premium paid-for themes for free. You never know if they’ve included malicious code that will harm your site or allow access to your site.
Use official, valid plugins – Same as above… Don’t trust plugins from places that aren’t well known and don’t download premium paid-for themes or plugins for free.
Move wp-config.php – By default, the wp-config.php file sits inside the root folder of your website. That will be inside your public HTML folder if your site is on your main domain, or inside whichever subdirectory you’re building your site in. But WordPress actually allows you to take the wp-config.php file and move it up one level, so that it sits outside your public folder.
If you’re working offline, you can simply drag and drop this file. In your online setup, you can use the move tool in your file manager: select your wp-config.php file, hit the move tool, and then change the directory that you want the file to be put into.
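The file-permission values and the wp-config.php location described above can be checked together. The script below is an added example, not part of the original article: it audits a site root against that scheme and can fix deviations. The function names and the usage path are hypothetical, and it assumes you pass the site root as the first argument.

```shell
#!/bin/sh
# Added example (not from the article). Function names are hypothetical.
# Scheme checked, as given in the article: directories 755, files 640 or 644,
# wp-config.php 600. Assumes the site root has no glob characters in its path.

# Print where wp-config.php lives: the site root, or one level above it.
wp_config_path() {
    r=${1%/}
    if [ -f "$r/wp-config.php" ]; then
        printf '%s\n' "$r/wp-config.php"
    elif [ -f "$r/../wp-config.php" ]; then
        printf '%s\n' "$r/../wp-config.php"
    else
        return 1
    fi
}

# List every path that deviates from the scheme (no output means compliant).
wp_perm_audit() {
    root=${1%/}
    find "$root" -type d ! -perm 755 | sed 's/^/DIR  /'
    find "$root" -type f ! -path "$root/wp-config.php" \
        ! -perm 644 ! -perm 640 | sed 's/^/FILE /'
    if cfg=$(wp_config_path "$root"); then
        find "$cfg" ! -perm 600 | sed 's/^/CONF /'
    fi
}

# Bring deviating paths into line; files already at 640 or 644 are left alone.
wp_perm_fix() {
    root=${1%/}
    find "$root" -type d ! -perm 755 -exec chmod 755 {} +
    find "$root" -type f ! -path "$root/wp-config.php" \
        ! -perm 644 ! -perm 640 -exec chmod 644 {} +
    if cfg=$(wp_config_path "$root"); then
        chmod 600 "$cfg"
    fi
}

# Usage: sh wp-perms.sh /path/to/site-root   (audit only; constructed path)
if [ "$#" -gt 0 ]; then
    wp_perm_audit "$1"
fi
```

Run the audit first and review its output before calling wp_perm_fix, and take a backup beforehand as you would before an update.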
Webo.hosting WordPress Tool Kit
On our WordPress hosting, you can use the Webo.hosting WordPress Tool Kit to do all of the jobs above from one interface in your control panel, simply and quickly.