WordPress is open-source and free, which is one of the reasons for its popularity. Its theme and plugin architecture makes it suitable for beginners as well as professionals. But the security of your WordPress site should be one of your major concerns as a blogger or webmaster. This article features 8+ Key WordPress Security Tips for Beginners.
WordPress is the most popular open-source blogging platform available, but that popularity also makes it a target for attackers. It is very important for all webmasters to keep their WordPress blogs secure.
Being an open-source platform, WordPress has many protective plugins, functions, and techniques available to help you. These tools can defend your site against various attacks, spam, and other threats.
8+ Key WordPress Security Tips for Beginners to Secure WP Site
The following WordPress security tips are the practices most recommended by pro bloggers to secure a WP site.
#1 Back-up your site Regularly
The first WordPress security tip on my list is to back up your site regularly. This is one of the most important tasks, but it is often overlooked for various reasons. Even if you have taken all the appropriate security measures, taking regular backups is essential, because a backup is what lets you recover after a compromise.
I would recommend the UpdraftPlus WordPress Backup Plugin to take backups of your site. You can use this plugin to automate the backups of your WP site. The plugin allows you to save backup files outside of your server, e.g. to Google Drive, so a compromised server does not also take your backups with it. You can download this plugin from the WordPress repository for free.
#2 Keep your Themes and Plugins Updated
Make sure that you keep your WordPress theme(s), plugins, and WordPress core updated to the latest releases. These updates include security patches that fix known vulnerabilities. Most of the time attackers gain access to websites running an old version of WordPress very easily, because the security vulnerabilities in that version are already public.
#3 Remove the Un-used Plugins and Themes from WP
Always delete unused plugins and themes from your WordPress site. There is no sense in keeping them on your server: they take up space, increase the load, and an inactive plugin that is never updated can still expose vulnerable code.
#4 Change your Default Login Username
Before WordPress version 3.0, the administrative account was assigned the username "admin" by default. That is why "admin" was the username on so many WordPress sites back then.
Later versions let you choose the username during installation, but they still do not stop you from using "admin". Over that period, attackers launched a series of brute-force attacks against millions of WordPress-powered websites, attempting to sign in by pairing the username "admin" with common passwords.
Now, let's learn how to fix it. There are two popular ways to do this:
- Create a new account – The best and simplest way to change the default username is to add a new user with the Administrator role. Then delete the old admin user; WordPress will give you the option to attribute all the existing posts to the new account.
- Change the username through phpMyAdmin – Log in to your cPanel, click phpMyAdmin, and select the database where your WordPress site is hosted. Then navigate to the wp_users table, where you can see all the usernames on your site. Replace the user_login entry for the admin account with a unique name. Note that this changes only user_login; the user_nicename column, which WordPress uses for the author archive URL (see tip #5), stays the same unless you change it too.
#5 Hide Login Username
Unfortunately, in WordPress it is very easy to discover a user's login name: all one needs to do is look at the author archive page slug.
By default, WordPress shows the account username there.
Ex: https://your-domain-name.com/author/user-name/
However, there is a simple way to hide your login username there. You can install the WP Author Slug plugin to fix this issue. This plugin replaces the author slug (which defaults to the login name) with a sanitized version of the user's Display Name.
#6 Use a Strong Password & Change it Regularly
According to a study, about 8% of WordPress-powered sites are hacked due to a weak password. Passwords consisting of names and correctly spelled words are extremely vulnerable to brute-force attacks, so it would be wise to use a strong password.
A password should be strong and not guessable. For a strong password, always use at least 8 characters containing upper-case letters, lower-case letters, special characters, and numbers. Alternatively, you can use a password generator.
Nowadays, if you use Google Chrome or Safari for browsing, you might have noticed that while creating an account on any site, the browser automatically offers a random password. These passwords are very hard to crack, and you can save them in your browser for ease of use.
#7 Limit Login Attempts in WordPress
It is possible to block a suspicious IP address that is trying to brute-force your WordPress login by limiting login attempts.
This can be done with the help of plugins such as the Limit Login Attempts Reloaded WordPress plugin.
This plugin automatically blocks a suspicious IP address after it exceeds the login limit, and allows admins to specify how long that IP address remains blocked.
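To show what such a plugin does under the hood, here is an added example (not code from the article or from the Limit Login Attempts Reloaded plugin) of a minimal must-use plugin that counts failed logins per source IP with WordPress transients and refuses authentication once the limit is reached. The EXAMPLE_ constants and example_ function names are assumptions for this illustration.

```php
<?php
// Added example: lock out an IP after repeated failed logins.
// Drop this file into wp-content/mu-plugins/ to activate it.
define( 'EXAMPLE_MAX_ATTEMPTS', 5 );          // assumed: failures allowed before lockout
define( 'EXAMPLE_LOCKOUT_SECONDS', 20 * 60 ); // assumed: how long the IP stays blocked

// Transient key for the connecting address. Assumption: no reverse proxy in
// front of the site; behind one you would read the trusted forwarded header.
function example_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

// Count each failed login from the source IP; the counter expires on its own.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = example_client_key();
    $failures = (int) get_transient( $key );
    set_transient( $key, $failures + 1, EXAMPLE_LOCKOUT_SECONDS );
} );

// Refuse authentication while the IP is locked out. Priority 30 runs after
// core's own username/password check (priority 20), so the WP_Error we return
// is what the login form finally sees, whatever the password was.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $failures = (int) get_transient( example_client_key() );
    if ( $failures >= EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.',
                     EXAMPLE_LOCKOUT_SECONDS / 60 )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function () {
    delete_transient( example_client_key() );
} );
```

A plugin like Limit Login Attempts Reloaded adds an admin screen for these values and logging of the lockouts; the logic above is the core of it.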
#8 You should Hide your WordPress Version
You might be aware that WordPress writes its version number into a generator meta tag in the HTML head of every page.
So the installed version of WordPress can easily be checked by viewing the page source.
Attackers can easily find the installed version of WordPress and exploit it, since the vulnerabilities of previously released versions are publicly known.
To hide your WordPress version number, add the following code to your theme's functions.php file:
// Remove the WordPress version from the generator meta tag
function wp_ver_remover() {
    return '';
}
add_filter( 'the_generator', 'wp_ver_remover' );
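The generator tag is not the only place the version shows up: WordPress also appends "?ver=" with the core version to the URLs of the scripts and stylesheets it enqueues. The following added example (not code from the article) covers both; the example_ function name is an assumption for this illustration.

```php
<?php
// Added example: hide the WordPress core version from the generator tag and
// from the "?ver=" query string on enqueued script and stylesheet URLs.
// Add to functions.php or a must-use plugin.

// Empty the <meta name="generator"> tag (and the generator line in feeds).
add_filter( 'the_generator', '__return_empty_string' );

// Strip "ver" from an asset URL only when it equals the core version, so
// plugins and themes keep their own version strings for cache busting.
function example_strip_core_version( $src ) {
    $query = parse_url( $src, PHP_URL_QUERY );
    parse_str( (string) $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'example_strip_core_version', 20 );
add_filter( 'style_loader_src', 'example_strip_core_version', 20 );
```

Hiding the version is obscurity only; keeping WordPress updated (tip #2) is what actually removes the vulnerabilities.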
#9 Migrate your site from HTTP to HTTPS
Hosting and serving your WordPress site over an encrypted channel adds another layer of security, because logins and cookies are no longer sent in plain text.
Check with your hosting provider to see whether an SSL certificate (free or paid) is already included in your plan.
Then add this line to your "wp-config.php" file, above the "That's all, stop editing!" comment, to force HTTPS for the login page and the admin area:
define( 'FORCE_SSL_ADMIN', true );
To serve the rest of the site over HTTPS as well, set the WordPress Address and Site Address to https in Settings > General, or use the WordPress HTTPS (SSL) plugin, which gives you SSL control over your site.
#10 Disable Server Directory Browsing
Server directory browsing (if enabled) on your WordPress site is very dangerous. It is comparable to leaving your door open and inviting a thief to look at, and steal, everything inside the house.
A simple way to disable directory browsing on your site is to upload a blank index.html file to every directory and subdirectory except the root. However, most modern hosting providers disable server directory browsing by default.
Wrapping It Up
This is a comprehensive list of WordPress security tips, which should help you secure your WP site. You can also have a look at the security measures taken by WordPress.org here.
I hope these Key WordPress Security Tips for Beginners help you secure your WP site. Do let me know if you have any difficulty implementing these WordPress security tips on your site. I would be happy to help.