I’m going to introduce you to 10 simple but very useful tips for improving the security of your WordPress.
1. Never use the default admin name as the administrator username
If for some reason this happened, just create a new admin user and delete the old one. Before deleting it, WordPress will ask you which user to associate the posts of the user to be deleted.
2. Create complex long passwords using letters, numbers and various characters
According to statistics, the most commonly used passwords are “123456”, “password”, “12345678”, “qwerty” and “123456789”. Naturally, sites with such passwords do not last long. It’s good if your password is not a dictionary word, it will have at least 15 characters, including lowercase, uppercase letters, numbers, and symbols.
3. Use two-factor authentication
For example, using the Rublon plugin or any other – the choice is wide enough. Two-factor authentication provides more reliable protection against unauthorized access and is already familiar to many users who use Internet banking, Google services, iCloud, DropBox, etc.
4. Be sure to turn off the prompts in the WordPress login form
After all, you know your username and password even without hints, even if you make a typo. And to the attacker, this information will only simplify the task of hacking. To do this, add a few lines of code to the functions.php file.
5. Use plugins only downloaded from the official WordPress repository
In an extreme case, with well-known proven resources such as CodeCanyon, GitHub always have positive user reviews. Never install hacked plugins downloaded from warez. Of course, if your site is dear to you.
6. Timely update WordPress, themes and plugins to the latest versions
Developers regularly release updates that close all discovered vulnerabilities. Current versions not only improve WordPress performance and compatibility but also significantly reduce the chance of hacking your site – this is a fact.
7. Keep your WordPress clean
Never store unused plugins and themes on the server. As a last resort, archive.
8. Disable trackbacks
There is little benefit from them, but they will certainly bring you troubles. Using WordPress trackbacks, cybercriminals can generate massive requests from such sites for the victim site, thereby causing a massive DDoS attack. Just go to your WordPress discussion settings and uncheck “Allow alerts from other blogs (notifications and trackbacks) to new articles.
9. Set the correct permissions for all files and directories on your site
For directories, this is 755, for files, 644. You should be aware that giving permission to a file/directory to write (or worse still full access – 777 ), you expose your site to a serious threat. You can learn more about rights in the WordPress Codex.
10. Prohibit viewing the directory index of your site
Very often, a crookedly configured server in the absence of index.php or index.html files in the directory displays a list of directory files. Attackers can take advantage of this. To avoid this, add the line in .htaccess. Also, make sure that the wp-content/themes and wp-content/plugins directories have an empty index.php file.