WordPress Security 101

WordPress is an open source software and sometimes hackers may use security exploits to compromise your site. Here are some things that you can do to better protect your site.

1. Always be up to date and use the latest version of WordPress. Older versions of WordPress are not maintained with security updates.

2. Make sure your plugins/themes are always updated. Also, if you are not using a specific plugin/theme, delete it from the system.

3. Use an admin ID other than 'admin' in new WordPress installations. If you are already using 'admin' as your admin ID, you can create a new one and remove the old 'admin' ID.  To setup a new Admin and remove the old Admin:

a) Go to WordPress admin panel.
b) Click on “Users” to add a new user, and set its role to administrator.
c) Remove the 'admin' user after the new user is created.

4. Many vulnerabilities can be avoided with good security habits. A strong password is an important aspect of this.

5. Make backups of your site and database on regular basis.

For the more advanced users, we also suggest the following changes:

i. File permissions: Allowing write access to your files can potentially be dangerous. It is best to lock down your file permissions as much as possible and to loosen those restrictions only when needed.

Folder: 755
php/html, and other files: 644
wp-config.php: 600

ii. Secure the wp-admin folder: It can be done through password protection inside cPanel.


iii. Disable File Editing: The WordPress Dashboard by default allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool that an attacker will use since it allows code execution. You can disable editing from the Dashboard. Placing this line in the wp-config.php file is the equivalent to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities for all users:

define('DISALLOW_FILE_EDIT', true);

This will not prevent an attacker from uploading malicious files to your site, but it will stop some attacks.

You can download the wp-config.php file through FTP, use a text editor to add the code to the very bottom of the file, save it, and then publish it to the server. Make sure you set the permission of the file to 600 after the upload.

If you have any problems making any of our suggested changes, please do not hesitate to contact our Customer Service Support Team.


Comments are closed.