The system WordPress is free, it has open code and is one of the most used on the Internet and below-described methods could not guarantee 100% security and protection for your site. This is because a security breach could be achieved through newly discovered and previously unknown weakness in the code of the system - or the most commonly used method for malicious access - security weaknesses to install WordPress plugin, components, module or theme.
This article describes the basic and most commonly used methods to protect and enhance WordPress system security.
1. Protection of the administrative panel
Protection of administration of the site could be done in two ways, but they are used only if the option for registration of new users is active (as new users – they will not be able to access your account).
First option: Restrict access to the administration panel only to certain IP addresses
If you want the administration to be accessed only by your IP address, it is necessary in a file called .htaccess, located in the directory wp-admin, to put the lines:
Deny from All
Allow from xxx.xxx.xxx.xxx
Note: You need to replace xxx.xxx.xxx.xxx with your IP address.
If you access administration from another IP address, you can activate and access to it by adding another line:
Allow from xxx.xxx.xxx.xxx
Second option: Protecting access with additional username and password
You can use the option in the control panel cPanel -> "Directory password protected Password Protect Directories"
After using the option in cPanel and protect directory/wp-admin, with access to the administrative panel on WordPress you may receive an error message. The message can contain text: "Redirect Loop". To restore access to the administration, please add the following line at the bottom of the file /wp-admin/.htaccess:
ErrorDocument 401 default
2. Change the password for access of the system
It is better to change the default password, which is set by the system during the initial installation, and choose safe, strong and complex password.
Regularly change your password for access of the administration. Use strong passwords that contain upper and lowercase letters, numbers and special characters.
a) Do not use consecutive numbers or letters.
Example: 123456, abcdef and others.
b) Do not use your personal name, last name, phone number, ID, nickname, and any other information that is or could become publicly available, due to which the password could be cracked by detractors.
c) Do not use common combinations.
Example: 13,579, asdasd, 1q2w3e4r, qwertyuiop, admin, password, administrator, etc.
d) When choosing a password, you can replace some of the characters in the selected word in accordance with the password pattern letters = numbers.
Example: I = 1, L = 1, A = 4, T = 7, E = 3, g = 9, v = 0, and so Under this scheme, for example the word 'hosting' can be written as 'Hos71n9'.
e) Use combination of numbers, uppercase and lowercase letters. Long passwords (over 7 or 8 characters) give greater security of your account.
Some tips how to choose a suitable password
Your username admin, which is also the default and is the same for all installations of the system could be changed. You can change it by access to phpMyAdmin, through the control panel.
Once access phpMyAdmin can run sql query to replace a user with admin user siteadmin, in the table wp_users, in the database:
update wp_users set user_login='siteadmin' where user_login='admin';
If you set a different prefix (other than wp_) for database tables, you should specify the correct name for the table wp_users, in sql query.
Important: Before you make any changes, it is recommended to back up the database. You can export the database from phpMyAdmin and keep a local copy to you.
Read also: Some Tips How to Choose a Suitable Password
3. Hide WordPress version
In the file header.php of the theme that you have activated, you can look for the line:<Meta name = "generator" content = "WordPress <? Php bloginfo ( 'version');?>" />
<! - Leave this for stats please ->
You can delete this line or only the part that showing the system version:
<? Php bloginfo ( 'version'); ?> "/>
If you use an older version of WordPress system everyone can see the source code and use the information to attempt to abuse.
4. Prohibition of display/listing the contents of directories
In older versions of the system WordPress, by accessing the web addresses:
http://my-domain.com/wp-content and http://my-domain.com/wp-includes
There is possibility to see the contents of these directories and to access/view files.
By adding one line in the file .htaccess, which file should be located in the root directory of the site, is carried out ban on the display of the content. The line is:
Options –Indexes
5. Check the role of consumers who register on the site
By default, it is not activated opportunity to register new users in WordPress. This option could be changed by the "Settings" menu. In case of enabling opportunity of users to register, you can also specify what role to play in the site. It is recommended that the roles by default to be "User". If some user should have access to administration of the site and can modify and add content, you can change the role for that user.
With activation of possibility for user registration is strongly recommended to add additional anti-spam protection on registration form. Such anti-spam defenses are as adding CAPTCHA code. Captcha code represents arbitrary code, mostly of letters and numbers that must be entered by the user upon registration, posting content, commentary or others. This makes verifying whether it is automate bot or real person. Installation and activation of the Captcha code in the forms for registration decrease drastically attempts to automatic (spam) registrations which aim is publication of spam content on your page.
6. Subscribe to news from the developers of the system
When the system has renewal / new version or repair of omission / security hole in the system, these updates will be posted at:
http://wordpress.org/news/feed
In versions of the system has a basic versions, for example 1.5, 2.5, 3.0, etc. and sub-versions, for example 1.5.27, 2.5.9, 3.0.3, etc. In sub-versions were made amendments to the code and gaps / holes in security, lost in the basic version.
It is strongly recommended as soon as possible after it came under a new version (eg 3.0.3) to perform system updates. Also when there is a new major version (eg 3.1) you can wait until it published its sub-version (eg 3.1.2, 3.1.3, etc.).
Thus you will effectively protect yourself from malicious attempts to access. It is important to perform an update of installed system plugins, modules and components, too.
It is necessary as soon as possible in presence of upgrade / update, to make updating any additional applications that use the system.
7. Reserved archive of your site
It is advisable to regularly perform back ups of files and database in WordPress. There are plugins that can help you perform back up - directly in the system administration. If you do not use the plugin, you can make a back up of the site through the control panel of your hosting account.
Full back ups can generate through section "Part Back ups", where you can download choosen database as a .sql file.
8. Additional protection of WordPress via Plug-in
There is plug-in for additional protection of the system, such as changing the URL of the administration, adding to the number of failed access attempts, then blocked possibility of access to the administration site and others.
Some of the most popular are:
Limit Login Attempts
User Locker
Better WP Security
Hide Login
Some of them have included features on the above recommendations.
By using such plug-in should be aware that a conflict may arise with a specific plug-in module, components or theme of your site. So before you install and activate the plug-in, it is recommended to back up the site.