10 Little-Known, Super Effective Tips to Secure Your WordPress Blog

Getting a blog hacked and losing years upon years of blogging work overnight is a sad reality that people have actually gone through. In fact, research shows that 37,000 websites are hacked each day, and with WordPress powering approximately 25.4% of all websites, you can be certain that a good deal of WordPress blogs are hacked each day.

WordPress security is an entirely different ballgame; once you own a WordPress blog, tips like having a username that is difficult to guess and a password that is as tough as rock are no longer sufficient. A single buggy theme, a wrong plugin, or an improperly protected file can result in your blog being hacked overnight.

Whether you’re fresh with WordPress, or you’ve been using the platform for a while, this article has 10 simple and super effective ways to secure your WordPress blog that anyone can implement. You won’t find many of these tips in popular “how to secure your blog” articles, but they could very well save your blog one day!

1. Disable the WordPress Theme and Plugin Editor

WordPress has a handy feature that gives site owners more flexibility by allowing them to customize and edit their themes and plugins right from the WordPress dashboard, but this feature has been the undoing of many blogs.

With this feature, a slight error can crash your site and lock you out of your own website. Hackers can easily insert malicious code into your theme to give them backdoor access to your site, or even take over your site completely, by gaining control of an account that has enough privileges to use the theme and plugin editor.

You can protect yourself by disabling the plugin and theme editor, making it impossible to change your themes and plugins without FTP access.

Do this by adding the following code to your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

2. Enable Two-Factor Authentication

Two-factor authentication is fast becoming one of the most reliable ways to protect your online accounts, and most reliable websites will insist that their users enable it.

While WordPress does not necessarily have two-factor authentication built into it, you can enable two-factor authentication on your blog by installing the following plugins:

3. Limit Logins Based on Number of Failed Attempts

There are many ways hackers try to gain access to your blog, and one of the most common techniques used is the brute-force attack: a hacker tries a combination of usernames and passwords, over and over again, until he/she is able to successfully access your blog.

By default, WordPress isn’t protected against this attack. By installing plugins that limit logins after a certain number of failed attempts from a particular IP, you can make it much more difficult for hackers to gain access to your blog.

The Jetpack Protect Module plugin can also protect you from brute-force attacks.
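
The per-IP counting that login-limiting plugins apply can also be run over a web server access log to see which addresses would have been throttled. This is an added example, not code from the original post or from any plugin; the function names and log lines are constructed, and it assumes combined log format and that a failed WordPress login answers 200 while a successful one redirects with 302.

```shell
#!/bin/sh
# Count failed wp-login.php POSTs per client IP and list the IPs at or
# above a threshold.

# flag_failed_logins THRESHOLD < access.log
# Prints "ip count" (sorted) for each IP with >= THRESHOLD failed logins.
flag_failed_logins() {
    awk -v max="$1" '
        # Combined log format: $1 = client IP, $6 = "METHOD, $7 = path, $9 = status.
        # Assumption: status 200 on a login POST means the form was shown
        # again (failure); a successful login is a 302 redirect.
        $6 == "\"POST" && $7 ~ /\/wp-login\.php/ && $9 == 200 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }
    ' | sort
}

# Constructed sample log (documentation-range addresses, not real traffic).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Oct/2016:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2016:14:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2016:14:02:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2016:14:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
EOF
}

# With a threshold of 3, only the address with four failures is listed.
sample_log | flag_failed_logins 3
```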

4. Regularly Scan Your Blog

Theme files, plugins, links, and other seemingly harmless elements can be used to gain access to your blog. Don’t wait until your website is fully infected before you take measures. Instead, use security scanning plugins to regularly scan your website and alert you if your files change.

A good example of a security scanning plugin is Wordfence. Besides giving you the option to manually/automatically scan your WordPress blog, it also instantly notifies you when suspicious activity is going on on your blog.

It also sends information about potentially malicious comments, and it compares your theme and plugin files with the WordPress repository to let you know if your version of a plugin or theme has been modified and can potentially serve as a backdoor for hackers to your site.

Other security plugins that can help you scan your blog for malware and exploits are:

5. Change Your Host

While this sounds like simple advice, it actually carries a lot of weight. Research shows that 41% of hacked WordPress websites were hacked through a security vulnerability on their hosting platform. This is much more than from other sources, including having a weak password.

Your host can play a major role in whether you will be hacked or not; make sure you only go for reliable web hosts that have stood the test of time and that comply with industry best practices.

6. Hide Your WordPress Version Number

By default, WordPress displays your WordPress version number; this makes it easy for WordPress to keep track of how many WordPress blogs are active worldwide. However, this can also be a huge source of problems; hackers and bots can scan the web for blogs using a WordPress version number with a known vulnerability, making you an easy target.

You can easily solve this problem by hiding your WordPress version number. To hide your WordPress version number, simply add the following code to your functions.php file:

add_filter( 'the_generator', '__return_null' );

7. Disable PHP Error Reports

When a plugin or theme isn’t working well on your WordPress blog, PHP error reports can help by showing you a message that reveals the cause of the error. However, in this advantage lies a disadvantage: when a PHP error is reported, it includes the full server path of the error, revealing information that hackers can use against you.

You can protect yourself by disabling PHP error reporting. Simply add the following code to your wp-config.php file:

  @ini_set( 'display_errors', 0 );

8. Work on Your WordPress File Permissions

When it comes to protecting your WordPress site from security exploits, it is essential to ensure that you have the right file permissions. This makes it difficult for a hacker to manipulate plugins, themes, or files on your server to take over your website.

Make sure that WordPress folder permissions are set to 755 or 750; file permissions are set to 640 or 644; and that the wp-config.php permission is set to 600.
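
One way to check an installation against these modes is a short audit script. This is an added example, not part of the original post; the function names and the sample tree are constructed for illustration, and it assumes wp-config.php sits in the WordPress root and that GNU or BSD stat is available.

```shell
#!/bin/sh
# Audit a WordPress tree against the modes listed above:
# directories 755 or 750, files 644 or 640, wp-config.php 600.

# Octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_wp_perms ROOT: print "path mode expected:<modes>" for every
# deviation; exit status is 1 if anything deviates, 0 otherwise.
audit_wp_perms() {
    root=${1%/}
    find "$root" \( -type d -o -type f \) -print | {
        bad=0
        while IFS= read -r p; do
            m=$(mode_of "$p")
            if [ -d "$p" ]; then want='755|750'
            elif [ "$p" = "$root/wp-config.php" ]; then want='600'
            else want='644|640'
            fi
            case "|$want|" in
                *"|$m|"*) ;;   # mode is one of the accepted values
                *) printf '%s %s expected:%s\n' "$p" "$m" "$want"; bad=1 ;;
            esac
        done
        exit "$bad"
    }
}

# Constructed sample tree (not a real site) with two deliberate mistakes.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-content/uploads"
    : > "$t/index.php"; : > "$t/wp-config.php"; : > "$t/wp-content/uploads/a.jpg"
    chmod 755 "$t" "$t/wp-content"
    chmod 777 "$t/wp-content/uploads"      # mistake: world-writable directory
    chmod 644 "$t/index.php" "$t/wp-content/uploads/a.jpg"
    chmod 644 "$t/wp-config.php"           # mistake: config readable by everyone
    printf '%s\n' "$t"
}

sample=$(make_sample_tree)
audit_wp_perms "$sample" || echo "deviations found"
rm -rf "$sample"
```

The script only reports; once the listed paths have been reviewed, chmod them to the expected values by hand.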

9. Ensure Regular Backups

Even big websites with a team of security experts and consultants get hacked, and while following best practices can make your website stronger than 99.9% of websites, things can still break.

The best protection you have against WordPress hack attacks is a good backup; make sure you’re making backups of your site on a regular basis (if possible, daily). This way, if your website is hacked you have your files in place and can restore things immediately.

Here are some of the best WordPress backup plugins:

10. Limit Access to Your Login Page

When push comes to shove, you just might have to take some drastic action. A very reliable way to protect your blog from hack attempts is by completely blocking access to your wp-admin and wp-login.php page.

This is only recommended if you use one IP address that doesn’t change (you don’t want to lock yourself out of your blog!). You can still use this option if you use more than one IP address, but keep track of those addresses.

To limit access to your login page, add the following code to your .htaccess file:

  <IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
  RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
  # Each placeholder below becomes one literal address, with no spaces and the dots escaped
  RewriteCond %{REMOTE_ADDR} !^Your IP address 1$
  RewriteCond %{REMOTE_ADDR} !^Your IP address 2$
  RewriteCond %{REMOTE_ADDR} !^Your IP address 3$
  RewriteCond %{REMOTE_ADDR} !^Your IP address 4$
  RewriteCond %{REMOTE_ADDR} !^Your IP address 5$
  RewriteRule ^(.*)$ - [R=403,L]
  </IfModule>

Be sure to replace Your IP address 1 through Your IP address 5 with the different IP addresses you want to give access to; you can simply add or remove a line to allow or prevent more IPs from accessing your site.


Of course, you shouldn’t ignore basic security tips like not using a predictable username, having a strong password, updating your WordPress installation regularly, etc. However, the above are some little-known, often-ignored security tips that can make your WordPress blog just a bit more secure.

Editor’s note: This guest post is written for Hongkiat.com by John Stevens. John is a WordPress and hosting expert. He is the founder and CEO of HostingFacts.com, a portal where he reviews and rates web hosts based on performance.
