
Wordpress Security Tips

We host a ton of WordPress based blogs and websites on our servers. Because WordPress is extremely popular and widely used, it is also one of the most exploited pieces of web based software. So, I decided to put down a few lines of tips and tricks on how to secure that beloved WordPress site of yours.


  • Keep wordpress & plugins updated at all times

WordPress releases an update as soon as a security issue is identified. Updating WordPress is very easy: just log in to your admin dashboard and the home page should give you the option of updating your installation. The same applies to all plugins and themes that you use. The built-in WordPress update utility makes the entire process of updating your installation extremely easy.

Do not forget to backup your database and files before updating. Nothing is worse than a broken WP site.

  • Only use essential plugins

This is perhaps one of the most common reasons why WordPress sites get hacked so frequently. The WordPress plugin directory is undoubtedly a great resource, but it should be noted that many of these plugins are not coded by professional developers and carry numerous loopholes and vulnerabilities. It is very important that you use only the plugins that you actually need. Check the reviews and ratings of plugins before installing them.

  • Change your username and password

The default WordPress admin username is "admin"; you should change this to something else. Create a new user from your dashboard, assign that user admin privileges, and then remove the default admin user from your WordPress installation.

There's nothing worse than having "myname123" as your password. Use something like StrongPasswordGenerator and create a strong password for each of your users.

  • Secure WP-Config

Your wp-config.php file should only be readable by the server and should be chmod'd to 400 or 440. You should also move the wp-config.php file to a different location: move it up one directory from your WordPress root. WordPress will automatically look for your config file there if it can't find it in your root directory.
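As an added illustration (this is not code from the original post), the small script below audits a wp-config.php the way this tip describes: it reports a file that is world-readable or group/world-writable, flags any mode other than 400/440, and locates the file using the same lookup order WordPress uses (the web root first, then one directory up). One detail worth knowing: WordPress only honours a config one level up when that parent directory does not itself contain a wp-settings.php, so the lookup mirrors that rule. The function names and the 400/440 allowed set are this example's own choices.

```python
import os
import stat
import sys

# Modes the tip recommends: owner read only, or owner+group read only.
ALLOWED_MODES = {0o400, 0o440}


def audit_wp_config(path):
    """Return a list of findings for the wp-config.php at `path` (empty list means OK)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append(
            "world-readable (mode %o): database credentials are exposed to every local account" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(
            "group/world-writable (mode %o): another account could inject PHP into the config" % mode)
    if mode not in ALLOWED_MODES:
        findings.append("mode %o is not 400 or 440; fix with: chmod 440 %s" % (mode, path))
    return findings


def find_wp_config(wp_root):
    """Locate wp-config.php with WordPress' own lookup order.

    WordPress checks the web root first, then the parent directory, but it only
    accepts the parent copy if that directory is not another WordPress install
    (i.e. it holds no wp-settings.php). Returns None when nothing is found.
    """
    root = os.path.abspath(wp_root)
    in_root = os.path.join(root, "wp-config.php")
    if os.path.isfile(in_root):
        return in_root
    parent = os.path.dirname(root)
    above = os.path.join(parent, "wp-config.php")
    if os.path.isfile(above) and not os.path.isfile(os.path.join(parent, "wp-settings.php")):
        return above
    return None


if __name__ == "__main__":
    # Usage: python audit_wp_config.py /var/www/html
    cfg = find_wp_config(sys.argv[1] if len(sys.argv) > 1 else ".")
    if cfg is None:
        print("no wp-config.php found")
    else:
        print("config:", cfg)
        for finding in audit_wp_config(cfg) or ["permissions look fine"]:
            print(" -", finding)
```

Run it against the WordPress root after moving the file; a clean run prints the config path and "permissions look fine".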

  • Restrict admin login

If you use a dedicated IP address at your home/workplace or access the web through a VPN, you can lock down access to the wp-admin login page to your IPs only. To restrict logins based on IP, do the following:

Add a .htaccess file to the root folder of your WordPress installation.

Open the file and place the following code inside it:

<Files wp-login.php>
    Order deny,allow
    Deny from all

    # whitelist first IP address
    Allow from xx.xxx.xx.xx

    # whitelist second IP address
    Allow from xx.xxx.xx.xx
</Files>
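The snippet above uses the Apache 2.2 directives (Order/Deny/Allow); on Apache 2.4 the same restriction is written with a single "Require ip" line. As an added example (not part of the original post), the helper below generates the block in either syntax from a list of addresses or CIDR ranges and validates each entry first, because a mistyped address in this file locks everyone out of wp-login.php, including you. The function name and the decision to refuse an empty list are this example's own choices.

```python
import ipaddress


def _fmt(net):
    # Print single hosts without the /32 suffix, ranges in CIDR form.
    return str(net.network_address) if net.num_addresses == 1 else str(net)


def render_wp_login_allowlist(addresses, apache24=True):
    """Build a <Files wp-login.php> block that admits only `addresses`.

    `addresses` holds IPs or CIDR ranges as strings. Each one is parsed with the
    ipaddress module up front so a typo raises ValueError instead of ending up in
    .htaccess as an entry that matches nobody.
    """
    if not addresses:
        raise ValueError("refusing to emit an allowlist with no addresses: that is a blanket Deny")
    networks = [ipaddress.ip_network(a, strict=False) for a in addresses]
    lines = ["<Files wp-login.php>"]
    if apache24:
        # Apache 2.4 (mod_authz_core): one directive, denies everything else by default.
        lines.append("    Require ip " + " ".join(_fmt(n) for n in networks))
    else:
        # Apache 2.2 (mod_authz_host): the form shown in the post.
        lines.append("    Order deny,allow")
        lines.append("    Deny from all")
        for n in networks:
            lines.append("    Allow from " + _fmt(n))
    lines.append("</Files>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges), not real client IPs.
    print(render_wp_login_allowlist(["203.0.113.7", "198.51.100.0/24"]))
    print(render_wp_login_allowlist(["203.0.113.7"], apache24=False))
```

Write the returned text into the .htaccess file in the WordPress root; check which Apache version the server runs before choosing the syntax, since 2.4 ignores Order/Deny/Allow unless mod_access_compat is loaded.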


  • Use Login LockDown

Login LockDown acts like a firewall for the login page: if it detects too many failed logins to your wp-admin dashboard from a single IP, it blocks that IP from accessing the login page for a while. You can also configure the duration of the block.
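To show what a lockout rule like this actually does, here is an added example (my own code, not the plugin's) that applies the same logic to Apache access-log lines: count failed wp-login.php attempts per IP inside a sliding window and lock the IP for a fixed period once the threshold is hit. The failure heuristic assumes standard WordPress behaviour, where a successful POST to wp-login.php answers with a 302 redirect and a failed one re-renders the form with a 200. The log lines are constructed for the example, and the 5-in-5-minutes/1-hour defaults are this example's own choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample: one client hammers the login form, another logs in normally.
SAMPLE_LOG = [
    '203.0.113.9 - - [11/Jul/2013:13:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [11/Jul/2013:13:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Jul/2013:13:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [11/Jul/2013:13:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Jul/2013:13:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Jul/2013:13:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Jul/2013:13:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Jul/2013:13:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
]


def is_failed_login(method, path, status):
    """WordPress redirects (302) after a good login and re-renders the form (200) on a bad one."""
    return method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == 200


def lockouts(lines, max_failures=5, window=timedelta(minutes=5), lock_for=timedelta(hours=1)):
    """Return {ip: lock_expiry} for every IP that reached max_failures inside `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    locked = {}                   # ip -> datetime when the block expires
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip = m["ip"]
        if ip in locked and ts < locked[ip]:
            continue  # already blocked; the plugin would not even serve the form
        if not is_failed_login(m["method"], m["path"], int(m["status"])):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the sliding window
        if len(q) >= max_failures:
            locked[ip] = ts + lock_for
            q.clear()
    return locked


if __name__ == "__main__":
    for ip, until in lockouts(SAMPLE_LOG).items():
        print("%s locked until %s" % (ip, until.isoformat()))
```

Running it on the sample locks 203.0.113.9 at its fifth failure (13:01:05) for one hour; the sixth attempt inside the block is ignored, and 198.51.100.5 is never counted because its POST returned a 302.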

  • Change your secret keys

Open your wp-config.php file and find the following 4 lines of code:

define('AUTH_KEY', '');
define('SECURE_AUTH_KEY', '');
define('LOGGED_IN_KEY', '');
define('NONCE_KEY', '');

Simply visit https://api.wordpress.org/secret-key/1.1 and copy the 4 generated keys into your wp-config.php file. These security keys are used to encrypt your password.

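As an added example (not from the original post), the script below does two things around this tip: it scans a wp-config.php for keys that are still empty, still the sample-file placeholder, or suspiciously short, and it can generate replacement define() lines locally with Python's secrets module for anyone who prefers not to fetch them from the API. The placeholder text is the one shipped in wp-config-sample.php; the 32-character minimum, the 64-character output length and the function names are this example's own choices. Newer WordPress releases add a matching *_SALT constant for each key; extending KEY_NAMES covers those too.

```python
import re
import secrets
import string

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")

# Values that mean "never set": empty, or the text WordPress ships in wp-config-sample.php.
PLACEHOLDERS = {"", "put your unique phrase here"}

# Matches define('NAME', 'value'); with optional whitespace, single-quoted PHP strings only.
DEFINE_RE = re.compile(r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\);")

# Characters safe inside a single-quoted PHP literal: no quote, no backslash.
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation if c not in "'\\")


def weak_keys(wp_config_text, min_length=32):
    """Return the names of keys that are missing, empty, a placeholder, or shorter than min_length."""
    found = {m["name"]: m["value"] for m in DEFINE_RE.finditer(wp_config_text)}
    weak = []
    for name in KEY_NAMES:
        value = found.get(name)
        if value is None or value.strip() in PLACEHOLDERS or len(value) < min_length:
            weak.append(name)
    return weak


def generate_defines(length=64):
    """Produce fresh define() lines with random keys, one per name in KEY_NAMES."""
    return "\n".join(
        "define('%s', '%s');" % (name, "".join(secrets.choice(ALPHABET) for _ in range(length)))
        for name in KEY_NAMES)


if __name__ == "__main__":
    # Constructed sample of an untouched wp-config.php.
    sample = """define('AUTH_KEY', '');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'short');
"""
    print("weak or missing:", weak_keys(sample))
    print(generate_defines())
```

Paste the generated lines over the old ones; changing any of these keys logs every user out, because existing login cookies stop validating, which is exactly what you want after a suspected compromise.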
  • Use the AskApache Plugin

AskApache Password Protect adds an additional layer of security in front of your WordPress folders. The following is a quote from its official website:

AskApache Password Protect adds some serious password protection to your WordPress Blog. Not only does it protect your wp-admin directory, but also your wp-includes, wp-content, plugins, etc. plugins as well. Imagine a HUGE brick wall protecting your frail .php scripts from the endless attacks of automated web robots and password-guessing exploit-serving virii. Forget spam, these millions of zombie bots are too outrageous to ignore, they are attempting known (but strangely outdated) exploits looking for known vulnerabilities against blogs and other Internet software. Sooner or later some poor blogger is going to miss an upgrade and become a victim to this type of video-game-like-attack.

  • Backup. Backup. Backup.

Disaster strikes, and when it strikes it strikes hard. You should always keep up-to-date backups of your WordPress installation. Use something like WordPress Backup to Dropbox.

Just choose a day, a time and how often you wish your backup to be performed, then kick back and wait for your website's files and a SQL dump of its database to be dropped in your Dropbox!

You can set where you want your backup stored within Dropbox and on your server as well as choose what files or directories, if any, you wish to exclude from the backup.

2 Comments

  1. Igal, July 11, 2013 - 1:25 pm

    Good list.
    You may also consider renaming or – better yet – removing xmlrpc.php from root, to prevent pingback DDoS abuse. (http://www.incapsula.com/the-incapsula-blog/item/715-wordpress-security-alert-pingback-ddos)
    If you do, please note that this will disable pingback functionality.