Even if you are a novice, you are likely to know some popular tactics to improve WordPress security. You probably also know that you can install one or two plugins to considerably improve your site security.
But in this post, I’m not talking about those. Instead, I will talk about 7 simple but vital steps you can take to secure your website that many people overlook.
1. Change the default admin username
When you are installing WordPress, you get to choose a custom username. However, a lot of 1-click WordPress installers use the default “admin” as the username.
Usernames make up half of your login credentials. If your admin username is “admin”, attackers already know that half, and brute-force attacks against your password become easier.
You can change your admin username by:
Creating a new admin username and deleting the old one
Updating username from phpMyAdmin
2. Hide author username
It’s quite easy for people to find out each author’s username on your site. Since the main author is very often the site administrator, people can easily find out the admin’s username. So it’s a good idea to hide the authors’ usernames.
To do this, you just need to add a bit of code into your functions.php file:
// Redirect author archives (e.g. /?author=1) to the homepage. Priority 1 runs before WordPress's
// canonical redirect, which would otherwise 301 to /author/<username>/ and reveal the name anyway.
add_action( 'template_redirect', function () { if ( is_author() ) { wp_redirect( home_url() ); exit; } }, 1 );
After you add this code, when someone appends ?author=1 to your site’s URL, they won’t be shown the administrator’s information. They will be taken straight to the homepage.
3. Limit login attempts
WordPress allows you to try to log in as many times as you want. This makes it easier for hackers to crack your password by trying to log in with different combinations.
If you limit the number of failed login attempts, you can easily avoid this. One way you can do this is by installing a web application firewall.
Sucuri Firewall is my favourite one. It does a lot more than limit failed login attempts. It will give you complete website security, monitor for security incidents and fix website hacks. The only downside is, it will cost you $9.99/month.
Cloudflare is a popular alternative to Sucuri. But it will cost you $20/month.
If you don’t want a firewall, you can just use the free Login LockDown plugin to limit login attempts.
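What a limiter like Login LockDown does under the hood, as an added example that is not code from this post or from any of the plugins named above: a minimal must-use plugin that counts failed logins per client address with WordPress transients and refuses authentication during a lockout. The mlal_ names and the limits are my own assumptions.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (illustrative example)
 * Drop this file into wp-content/mu-plugins/ and WordPress loads it automatically.
 */

const MLAL_MAX_ATTEMPTS    = 5;       // failures allowed inside the window
const MLAL_WINDOW_SECONDS  = 15 * 60; // how long failures are remembered
const MLAL_LOCKOUT_SECONDS = 30 * 60; // how long logins are refused afterwards

// Per-client key. Behind a CDN or reverse proxy, REMOTE_ADDR is the proxy's
// address: have the web server rewrite REMOTE_ADDR from the proxy's header
// rather than trusting X-Forwarded-For here, which any client can forge.
function mlal_key( $prefix ) {
    return $prefix . md5( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

// Count each failure; once the limit is reached, start (or extend) the lockout.
add_action( 'wp_login_failed', function ( $username ) {
    $failures = (int) get_transient( mlal_key( 'mlal_fail_' ) ) + 1;
    set_transient( mlal_key( 'mlal_fail_' ), $failures, MLAL_WINDOW_SECONDS );
    if ( $failures >= MLAL_MAX_ATTEMPTS ) {
        set_transient( mlal_key( 'mlal_lock_' ), time(), MLAL_LOCKOUT_SECONDS );
        // Leave a trail for the activity review described in step 7.
        error_log( sprintf( 'Login lockout for %s after %d failures (username tried: %s)',
            $_SERVER['REMOTE_ADDR'] ?? '?', $failures, sanitize_user( $username ) ) );
    }
} );

// Refuse authentication while locked out. Priority 30 runs after WordPress's
// own username/password check (priority 20); a check at an earlier priority
// would be overridden, because core still returns a WP_User on a correct
// password even when it receives a WP_Error from an earlier callback.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( get_transient( mlal_key( 'mlal_lock_' ) ) ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the failure counter for that client.
add_action( 'wp_login', function () {
    delete_transient( mlal_key( 'mlal_fail_' ) );
} );
```

Because the lockout error itself fires wp_login_failed, every attempt made during a lockout extends it, so a persistent guesser stays locked out for longer.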
4. Add security question to WordPress login screen
If you add a security question to your login page, it will be harder for people to get unauthorized access. You can do it easily by installing the WP Security Questions plugin. After installing it, just go to Settings » Security Questions page and add your security question and answer.
5. Set themes and plugins to update automatically
People usually update themes and plugins manually. But if you don’t pay too much attention to site maintenance, you should configure automatic updates. This way everything will stay up to date without you having to intervene regularly.
To do this, you just have to insert one line of code into wp-config.php for each. For themes, add this:
// add_filter() only exists once wp-settings.php has been included, so put these lines
// at the very end of wp-config.php, after the require_once of wp-settings.php
// (or in your theme's functions.php).
add_filter( 'auto_update_theme', '__return_true' );
And for plugins, add this:
add_filter( 'auto_update_plugin', '__return_true' );
6. Disable file editing
WordPress has a built-in code editor. Using it, administrators can edit theme and plugin files from the admin area. If someone undesirable gets access to it, it may result in a catastrophe. So it’s better to turn it off.
To do this, just add this code in your wp-config.php file:
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
7. Keep track of your dashboard activity
If you have more than one user on your site, you should keep track of their activity in the dashboard. Even if there is no chance of them doing anything wrong on purpose, sometimes a simple misstep can cause havoc. If you have a plugin that keeps track of dashboard activity, you can simply retrace the user’s steps up to the point where the site broke.
WordPress logs the activity of users, but the raw data is hard to use. It’s much easier to use a plugin that organizes it: one that shows you the connection between a specific action and a specific reaction, and whether a certain code change or plugin is causing a problem.
WP Security Audit Log is my favourite plugin for this. It’s free and keeps a log of everything (and I mean everything) that happens in your site’s backend. Simple History and Activity Log are also very good if you don’t like WP Security Audit Log.
Always keep a backup of your site. It will come in handy if your site ever gets hacked.
If your site gets hacked, it’s better to let professionals handle it. Cleaning up a hacked site is a difficult and time-consuming process. If you don’t clean it properly, it’s likely to get hacked again.
What other things do you do to improve WordPress security that many people don’t know about? Let us know in the comment section.