WordPress is used by 24.6% of all the websites, due to its popularity hackers usually target it. Vulnerable websites are easy target, In this post I will give you 7 tips which will help you boost your wordpress site security.
Limit Login Attempts
By default WordPress allows unlimited login attempts, Even if your password is strong, brute-force attack will crash your server or just increase load on your server.
Manually Hide WP-Admin
If you’re like me and don’t want to use plugins then follow below instructions:
- Create a .htaccess file
- Add following lines of code in it.
deny from all
allow from 184.108.40.206
- Replace 220.127.116.11 with your own IP address. To find you IP address just search my IP in google.
- Now Upload .htaccess file to your site’s wp-admin/ folder. This will make you access the WordPress admin area, but will block other WordPress users.
If you want any other user with different IP to access wp-admin then simply list the IP addresses and separate them using commas. For example:
allow from 18.104.22.168, 454.422.214.171.124, 874.457.45.45
WordPress plugins to limit login attempts
There is always a plugin, if you don’t want to do it manually then follow below steps:
- Install “Limit Login Attempts” plugin, there are many advanced alternative to this plugin but it has good ratings and just do the work without adding bloatware.
- After activating this plugin, you can customize it by going to set Limit Login Attempts Settings page.
wp-config.php contains login details for your site’s database, It is one of the most imporant file in root directory, to prevent other users to access this file, add following lines of code in .htaccess file of root folder.
deny from all
Use Secure WordPress Themes
Never use nulled themes, why would someone distribute premium themes for free? It contains malicious code. We at howlthemes.com create secure wordpress themes and update them frequently.
WordPress has build-in debugging tools, if your current theme will have any deprecated functions then you’ll start seeing PHP notice. Either hire someone to fix those error or use different theme. To Enable WP_DEBUG follow below steps:
- Login to your server and go to wordpress root directory and open wp-config.php file.
- Now find WP_DEBUG
- If you see something like define( ‘WP_DEBUG’, false ) then replace false with true.
- If your wp-config.php file don’t have WP_DEBUG defined then simple add following code to it:
define( 'WP_DEBUG', true);
Use Theme Check
You can go to http://themecheck.org/ and upload your theme file there to check it, even wordpress.org use this service.
Disallow file edit
If hackers managed to get access to your wordpress admin panel then first thing they will do is edit your site code, So its good practice to disable file editing from admin panel. Add following code in your wp-config.php file to disallow file editing:
define( ‘DISALLOW_FILE_EDIT’, true );
Use secure hosting
Most time WordPress site get hacked because of hosting vulnerabilities, Do some research before purchasing hosting from any company, I recommend DigitalOcean, they provide fast SSD cloud hosting at very affordable rate. You will pretty much have to do everything for yourself but there are sites like Serverpilot which make it easy for non-geeks to launch their application with DigitalOcean, Serverpilot has one click wordpress installation.