Basic Tips to Increase WordPress Security
WordPress website security is very important because a hacked site can do serious damage to your revenue and reputation. Worse, you might end up paying a ransom to attackers just to regain control of your website. Making sure your website is secure will not only build trust with your customers but also help you rank better in search engine results. But where do you start? This post is meant to answer that question.
Change the default admin username
In the past, the default WordPress admin username was ‘admin’. As a result, hackers only had to break the password using brute-force attacks. WordPress has changed this. Users installing WordPress are required to provide a unique username. It is, however, good to note that some 1-click WordPress installers still set the username to admin. Make sure you change that when installing WordPress.
To change your current username, create a new administrator account with a different username and then delete the old one. You can also use the Username Changer plugin or update the username directly in the database through phpMyAdmin.
Disable file editing
WordPress has a code editor that allows you to edit theme and plugin files from the WordPress admin area. This feature becomes a security risk when an admin account falls into the wrong hands, because it lets an attacker write arbitrary PHP to your site. It is good to disable it. You can do so by adding this code to the wp-config.php file (use plain straight quotes; curly quotes will cause a PHP syntax error):
// Disallow file editing from the admin area
define( 'DISALLOW_FILE_EDIT', true );
The Sucuri plugin can also disable this for you through its Hardening feature.
Disable PHP file execution
Another great way to improve your WordPress website security is to disable PHP file execution in directories where it is not needed. A good example is the /wp-content/uploads/ directory, which only needs to serve media files. To do this, open a text editor and paste this code:
<Files *.php>
deny from all
</Files>
Save this file as .htaccess and upload it to the /wp-content/uploads/ folder on your website using an FTP client. Note that `deny from all` is the Apache 2.2 syntax; on Apache 2.4 it only works when mod_access_compat is loaded, and the native equivalent is `Require all denied`. An .htaccess file has no effect on nginx, where the same rule must be added to the server configuration. Again, the Sucuri plugin offers a 1-click option through its Hardening feature.
Limit login attempts
By default, a user can try to log in as many times as they like. This is a security risk: attackers crack passwords by trying to log in with large numbers of password guesses. Limiting the number of failed login attempts, for example from your web application firewall plugin, will increase WordPress security.
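To show what a login limiter actually does underneath a firewall plugin, here is an added example written for this post (not code from any plugin mentioned here). It is a must-use plugin that counts failed logins per client IP in a transient and refuses further attempts once the limit is reached. The constants, function names and the `example_ll_` prefix are assumed names chosen for the example.

```php
<?php
/**
 * Plugin Name: Example failed-login limiter (illustrative only)
 *
 * Drop this file into wp-content/mu-plugins/ and WordPress loads it on
 * every request. It hooks the core login flow:
 *   - 'wp_login_failed' records a failure for the client IP,
 *   - 'authenticate' rejects the attempt while the IP is locked out,
 *   - 'wp_login' clears the counter after a successful login.
 */

// Tunables (assumed values for this example).
const EXAMPLE_LL_MAX_ATTEMPTS    = 5;    // failed attempts before lockout
const EXAMPLE_LL_LOCKOUT_SECONDS = 900;  // 15 minutes

// Transient key derived from the client IP.
// Caveat: behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address.
// Resolve the real client IP from the proxy's trusted header in that case,
// otherwise a single lockout will block every visitor at once.
function example_ll_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'example_ll_' . md5($ip);
}

// Record a failed attempt. Each failure also refreshes the transient's TTL,
// so the lockout window slides while an attacker keeps trying.
function example_ll_record_failure(string $username): void {
    $key   = example_ll_key();
    $fails = (int) get_transient($key);
    set_transient($key, $fails + 1, EXAMPLE_LL_LOCKOUT_SECONDS);
}
add_action('wp_login_failed', 'example_ll_record_failure');

// Reject the attempt while the IP is locked out. Priority 30 runs after
// core's username/password handlers (priority 20), so the lockout overrides
// their result even when the guessed password happens to be correct.
// $user may be null, a WP_User or a WP_Error at this point.
function example_ll_block_if_locked($user, string $username, string $password) {
    if ((int) get_transient(example_ll_key()) >= EXAMPLE_LL_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}
add_filter('authenticate', 'example_ll_block_if_locked', 30, 3);

// A successful login from this IP resets the counter.
function example_ll_clear(string $user_login, WP_User $user): void {
    delete_transient(example_ll_key());
}
add_action('wp_login', 'example_ll_clear', 10, 2);
```

Because the `authenticate` filter returns a `WP_Error` during a lockout, core still fires `wp_login_failed`, so attempts made while locked out extend the lockout rather than shorten it. On a site with an object cache the transient lives in the cache; otherwise it is stored in the options table, which is fine for this volume of writes.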
Add two-factor authentication
This technique requires a user to log in using a two-step authentication method. The first step is to enter the username and password; the second is to enter an authentication code sent to, or generated by, a separate app or device. To set this up you need to install and activate the Two Factor Authentication plugin. You also have to install an authenticator app on your mobile device.
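The codes an authenticator app produces are time-based one-time passwords (TOTP, RFC 6238). The following is an added example, written for this post rather than taken from the Two Factor Authentication plugin, of how a site can verify such a code against the shared secret it gave the user at enrolment. The function names with the `example_` prefix and the ±1 step tolerance window are assumptions of the example.

```php
<?php
// TOTP verification (RFC 6238 on top of HOTP, RFC 4226) in plain PHP.
// Authenticator apps receive the secret as base32 text, typically via a
// QR code, and compute the same HMAC-SHA1 over the current 30-second step.

// Decode the base32 secret (RFC 4648 alphabet, padding optional).
function example_base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32  = strtoupper(rtrim($b32, '='));
    $bits = '';
    foreach (str_split($b32) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) {   // drop trailing partial byte
            $out .= chr(bindec($chunk));
        }
    }
    return $out;
}

// HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
// then reduce to the requested number of decimal digits.
function example_hotp(string $key, int $counter, int $digits = 6): string {
    $msg    = pack('J', $counter);                 // unsigned 64-bit, big-endian
    $hash   = hash_hmac('sha1', $msg, $key, true); // 20 raw bytes
    $offset = ord($hash[19]) & 0x0f;
    $binary = ((ord($hash[$offset])     & 0x7f) << 24)
            | ((ord($hash[$offset + 1]) & 0xff) << 16)
            | ((ord($hash[$offset + 2]) & 0xff) << 8)
            |  (ord($hash[$offset + 3]) & 0xff);
    $code = $binary % (10 ** $digits);
    return str_pad((string) $code, $digits, '0', STR_PAD_LEFT);
}

// TOTP: the counter is the number of 30-second steps since the Unix epoch.
// Accept the current step plus $window steps either side to tolerate clock
// drift between the phone and the server. Uses hash_equals() so the
// comparison time does not depend on how many digits match.
function example_totp_verify(
    string $secret_b32, string $submitted, ?int $now = null,
    int $step = 30, int $window = 1
): bool {
    if (!preg_match('/^\d{6}$/', $submitted)) {
        return false;                              // reject malformed input early
    }
    $now     = $now ?? time();
    $key     = example_base32_decode($secret_b32);
    $counter = intdiv($now, $step);
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(example_hotp($key, $counter + $i), $submitted)) {
            return true;
        }
    }
    return false;
}
```

Two things a real deployment adds on top of this check: it records the step at which a code was last accepted and refuses the same code a second time (a TOTP code is otherwise valid for the whole window), and it rate-limits second-factor attempts the same way as passwords, since a six-digit code can be guessed in at most a million tries.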
Log out idle users automatically
Another good security measure for your WordPress website is to log idle users out automatically, so that an unattended session cannot be picked up by someone else. You can do so using an Inactive Logout plugin: set the idle duration and then add a logout message.
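The idle-logout behaviour described above can be implemented in a few lines, as in this added example written for this post (it is not the Inactive Logout plugin's code). It stores the time of each request in user meta and ends the session once the gap exceeds the limit. The `EXAMPLE_IDLE_LIMIT_SECONDS` value, the meta key and the function names are assumptions of the example.

```php
<?php
/**
 * Plugin Name: Example idle logout (illustrative only)
 *
 * Place in wp-content/mu-plugins/. On every request by a logged-in user it
 * compares the current time with the user's last recorded activity and
 * logs the user out once that gap exceeds the limit.
 */

const EXAMPLE_IDLE_LIMIT_SECONDS = 15 * 60; // assumed 15-minute idle limit

function example_idle_check(): void {
    if (!is_user_logged_in()) {
        return;
    }

    // The admin Heartbeat API polls admin-ajax.php in the background while a
    // dashboard tab is open; do not count those pings as user activity or
    // an abandoned tab would keep the session alive forever.
    $is_heartbeat = wp_doing_ajax() && (($_POST['action'] ?? '') === 'heartbeat');

    $user_id = get_current_user_id();
    $last    = (int) get_user_meta($user_id, 'example_last_activity', true);
    $now     = time();

    if ($last > 0 && ($now - $last) > EXAMPLE_IDLE_LIMIT_SECONDS) {
        wp_logout();   // destroys the session and clears the auth cookies
        delete_user_meta($user_id, 'example_last_activity');
        // Send the user to the login screen with a flag for the message below.
        wp_safe_redirect(add_query_arg('example_idle', '1', wp_login_url()));
        exit;
    }

    if (!$is_heartbeat) {
        update_user_meta($user_id, 'example_last_activity', $now);
    }
}
add_action('init', 'example_idle_check');

// The logout message shown on the login form after an idle logout.
function example_idle_message(string $message): string {
    if (isset($_GET['example_idle'])) {
        $message .= '<p class="message">'
                  . esc_html__('You were logged out after a period of inactivity.')
                  . '</p>';
    }
    return $message;
}
add_filter('login_message', 'example_idle_message');

// Also shorten the auth cookie itself for sessions without "Remember Me",
// so that a copied cookie stops working sooner even if the user never
// sends another request to trigger the check above.
add_filter('auth_cookie_expiration', function (int $seconds, int $user_id, bool $remember): int {
    return $remember ? $seconds : EXAMPLE_IDLE_LIMIT_SECONDS * 4;
}, 10, 3);
```

The check only runs when the browser sends a request, so a tab left open is not logged out the instant the limit passes; it is logged out on the next click. Plugins that want the tab itself to react add a small script that polls the server, which is what the plugin mentioned above does for its countdown and message.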