7 Easy Ways to Secure WordPress

WordPress is an excellent application used the world over. This unfortunately makes it also a target for hackers. There are some very simple steps you can take, completely non-technical, that can help secure your WordPress blog.

1. First things first. Eliminate all known vulnerabilities. Now.

Update your WordPress installation to the latest version. This is the absolute most important and most effective first step. Do it now.

2. Don’t make your WordPress blog so easy to target

Install WordPress in a folder rather than document root, this makes it slightly more difficult for large scale hackers to find your system files. There are so many root installations of WordPress to keep hackers busy that the effort returned finding sub folders is not usually worth it.

3. Do not delete the admin account. Yes, you read it correctly.

So we need to secure admin, do this by creating a new administrative user, then downgrade the admin account to subscriber. This will make it impossible for a hacker to administrate your site using admin. By not deleting the admin account the hacker is kept busy trying to guess the password and the focus is away from the ‘real’ administrator account.

4. Control failed login attempts.

Lock the account after a number of failed attempts. This will render dictionary attacks on your account pointless for the hackers. Use a plugin such as Login LockDown to control failed log in attempts.

5. Implement easy eveyday plugin security

Use some WordPress security plugins such as Stealth login, AskApache password protect and WP security scan.

6. If they get in – don’t let them take you out

Take regular backups. Should a hacker gain access at least you don’t permanently lose your site. You will be able to restore, tighten up and continue. Don’t let them take you out!

7. Honestly, this is the step that is most often ignored

Have an absolutely ridiculously difficult to guess password. Have some numbers, uppercase and lowercase letters and maybe a punctuation mark or two. They’ll never guess it – maybe not even with a quantum computer.

Security is an ongoing job, it is never complete. There are other ways using file permissions,  .htaccess with IP restrictions that can further secure your blog but these are a little more technical. So, be on the look out for part 2.
We hope you enjoyed this article and found the information useful. Happy blogging!

I’ve uploaded my website but I just get a Forbidden error message

The forbidden error message is usually given when there is no index.html or index.htm file present in a directory.

Make sure that you upload your index file correctly. As soon as you upload your index.htm or index.html file the Forbidden error message will no longer show.

Make sure that your index.html or index.htm file is in lowecase, a file named “Index.htm” (uppercase ‘i’) is not the same as “index.htm” (lowercase ‘i’) and will still result in the “Forbidden” error message. Filenames are case sensitive.

If you do have an index file in place then the problem may be related to the mod_security rules on your server. A 403 Frobidder error can usually be resolved by removing mod_security. Contact the Helpdesk to disable this service.