Some time ago our WordPress site got hacked. To stop it from happening again, we applied a number of measures to harden the site. Here are some tips that might help you too.
Updating and changing passwords:
1) We know it is boring and we will never repeat it enough: a strong password is your best line of defense. Do not choose a traditional password such as "admin", "password" or "123". Use a moderately long to long password mixing uppercase and lowercase letters, numbers and symbols such as "+ - * /".
2) Your password should still be memorable. We have already written about how to increase the strength of your password.
3) Always keep your WordPress version up to date. The latest version, at the time of this writing, is 3.1.
4) Update the plugins installed on your WordPress site.
Useful plugins for your WordPress site:
5) Back up your site frequently, either with the tools provided by your host or with the WordPress Database Backup plugin.
6) Use the WP Scanner plugin to check for vulnerabilities in your site so that they can be corrected. We have used this plugin and it tells you what to change to make your site more secure, even if the suggested changes are sometimes difficult to apply.
Protecting your code and your files in WordPress:
7) In your search.php file, do not use this code as the search form action: it echoes the requested path back into the page unescaped, and a request that reaches your whole server that way should not be allowed:
<?php echo $_SERVER['PHP_SELF']; ?>
Replace it with this code:
<?php bloginfo('home'); ?>
8) You can limit access to the wp-admin files by allowing a single IP address. Interesting, but there is a downside if your ISP assigns you a dynamic address. Put the following in the .htaccess file inside your wp-admin folder (not the one at the root). Note that the Limit block must list POST as well as GET, otherwise form submissions to wp-admin are not restricted at all.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
<Limit GET POST>
order deny,allow
deny from all
allow from YOUR.IP.ADDRESS
allow from ANOTHER.IP.ADDRESS
</Limit>
9) Protect your wp-config.php with this code, which you must write at the beginning of the .htaccess file at the root of your site:
<FilesMatch "^wp-config\.php$">
Deny from all
</FilesMatch>
This protects the small file that stores your database username and password.
10) The AskApache plugin adds a username and password that you must enter before you can reach the files in your wp-admin folder. It writes the rules to the .htaccess file, hashes your password and creates the .htpasswd file.
11) Use SSH / shell access instead of FTP. With SSH everything is encrypted, including file transfers.
12) Do not reveal which plugins you are using: place a blank index.html file in the plugins folder so the web server cannot list the directory. (This hides the listing only; a plugin's folder can still be requested directly if someone knows its name.)
More tips on securing your WordPress site:
13) Your WordPress version is displayed in the page source. Simply delete this line in header.php:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->
But that is not all: to completely erase the WordPress version you need one more change, in your theme's functions.php:
// Return an empty string instead of the "generator" tag WordPress adds to pages and feeds
function wpbeginner_remove_version() {
return '';
}
add_filter('the_generator', 'wpbeginner_remove_version');
This code also removes the version number from your RSS feed.
14) The Login Lockdown plugin logs the IP addresses of every attempt to log in to your admin panel. If more than a certain number of failed attempts are detected within a short period of time from the same IP range, the login function is disabled for that range.
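A minimal version of that detection logic, as an added example (not the plugin's own code): it scans constructed web-server log lines for failed wp-login.php POSTs and locks a /24 range once the failures reach a threshold inside a sliding window. The 200-versus-302 status heuristic and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample lines in Apache combined-log style, not from a real server.
# Heuristic used below: WordPress answers a bad password on wp-login.php with
# 200 (form shown again) and a good one with a 302 redirect to wp-admin.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2011:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
203.0.113.11 - - [12/Mar/2011:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
203.0.113.12 - - [12/Mar/2011:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
198.51.100.7 - - [12/Mar/2011:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.13 - - [12/Mar/2011:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
203.0.113.14 - - [12/Mar/2011:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
198.51.100.9 - - [12/Mar/2011:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
198.51.100.9 - - [12/Mar/2011:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3011
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_failed_logins(log_text):
    """Yield (timestamp, ip) for every POST to wp-login.php answered with 200."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if (m and m['method'] == 'POST' and m['status'] == '200'
                and m['path'].split('?')[0] == '/wp-login.php'):
            yield datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'), m['ip']


def lockdown_ranges(log_text, max_attempts=5, window_minutes=5, prefix=24):
    """Return {network: lock time} for IPv4 /prefix ranges whose failed attempts
    reach max_attempts within a sliding window of window_minutes; later hits
    from a locked range are ignored, as the plugin would reject them."""
    window = timedelta(minutes=window_minutes)
    attempts = defaultdict(list)
    locked = {}
    for ts, ip in sorted(parse_failed_logins(log_text)):
        net = str(ipaddress.ip_network(f'{ip}/{prefix}', strict=False))
        if net in locked:
            continue
        recent = attempts[net]
        recent.append(ts)
        while ts - recent[0] > window:   # forget attempts older than the window
            recent.pop(0)
        if len(recent) >= max_attempts:
            locked[net] = ts
    return locked
```

In the sample, five different hosts in 203.0.113.0/24 fail within twenty seconds and the range is locked, while the two failures from 198.51.100.0/24 are twenty minutes apart and stay under the threshold.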
15) The problem is that Google indexes everything! To stop it from indexing the files and folders whose names start with "wp-", write this in the robots.txt file at the root of your site. Keep in mind that robots.txt only asks well-behaved crawlers to stay away; it does not block access, and it lists the very paths you want kept quiet.
User-agent: *
Disallow: /wp-*
