How to secure your WordPress Site

Secure your WordPress Site with these simple steps

We often talk to clients who have concerns about the open source nature of WordPress. But by taking a few extra steps, you can add extra layers of security to your website and alleviate many of the concerns. 

We take security seriously at ArtForm and go through multiple steps to secure your site. For WordPress we: 

Keep WordPress and all your plugins up to date: One of the advantages of using WordPress is that it has a great community which is constantly working to fix security vulnerabilities that are discovered. The same goes for your plugins.

Protect your site from brute force attacks: A common hacking technique is to run a password-guessing bot against a website’s login page. This is called a “brute force” attack. There are several ways you can defend against it. We configure all of these options in the plugin All In One WP Security & Firewall.

Rename your login page: Bots look for the standard /wp-admin path. One of the best and easiest ways to keep them from finding your login page is to serve it at a different URL instead of the standard http://yourwebsite.com/wp-login/

Limit login attempts: Another great tactic is to limit the number of times someone can enter an incorrect password before they are locked out, either for a period of time or even permanently!

Use a captcha: For an additional layer of protection, make users fill out a captcha before they log in.
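To show what a login-attempt limit actually does under the hood, here is an added example of a small must-use plugin that counts failed logins per client address and refuses authentication for an hour after five failures. It is illustrative code written for this page, not ArtForm’s configuration or the All In One WP Security & Firewall plugin; the thresholds and the EXAMPLE_ prefixed names are assumptions. It uses only standard WordPress hooks (wp_login_failed, authenticate, wp_login) and transients.

```php
<?php
/**
 * Plugin Name: Example login attempt limiter
 * Description: Illustrative lockout after repeated failed logins (added example).
 *
 * Drop this file into wp-content/mu-plugins/ to load it. Thresholds are assumptions.
 */

define('EXAMPLE_LOGIN_MAX_ATTEMPTS', 5);                    // failures allowed before lockout
define('EXAMPLE_LOGIN_WINDOW',       15 * MINUTE_IN_SECONDS); // window in which failures are counted
define('EXAMPLE_LOGIN_LOCKOUT',      HOUR_IN_SECONDS);        // how long a lockout lasts

// Build a transient key for the calling client. REMOTE_ADDR is only trustworthy when
// the web server sees the real client; behind a proxy or CDN, use the address the
// proxy reports after confirming the request really came from that proxy.
function example_login_client_key(string $suffix): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'example_login_' . $suffix . '_' . md5($ip);
}

// Count each failed login; once the threshold is reached, start a lockout.
add_action('wp_login_failed', function (string $username): void {
    if (get_transient(example_login_client_key('lock')) !== false) {
        return; // already locked out, nothing more to count
    }

    $key      = example_login_client_key('fail');
    $failures = (int) get_transient($key) + 1;
    set_transient($key, $failures, EXAMPLE_LOGIN_WINDOW);

    if ($failures >= EXAMPLE_LOGIN_MAX_ATTEMPTS) {
        set_transient(example_login_client_key('lock'), time(), EXAMPLE_LOGIN_LOCKOUT);
        delete_transient($key);
        // This is the event your log monitoring should alert on.
        error_log(sprintf(
            'Login lockout for %s after %d failures (last username tried: %s)',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $failures, $username
        ));
    }
});

// Refuse authentication while a lockout is active. Priority 30 runs after the
// built-in username/password handlers (priority 20), so even a correct password
// cannot override the lockout.
add_filter('authenticate', function ($user, string $username) {
    if (get_transient(example_login_client_key('lock')) !== false) {
        return new WP_Error(
            'example_locked_out',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 2);

// A successful login clears the failure counter for that client.
add_action('wp_login', function (): void {
    delete_transient(example_login_client_key('fail'));
});
```

Two points a practitioner will want to check before relying on something like this: a lockout keyed on the client address also locks out everyone behind the same office NAT or carrier-grade NAT, so keep the lockout finite and give site owners a way to clear it; and if your site sits behind a CDN or reverse proxy, REMOTE_ADDR is the proxy, so every visitor would share one counter unless you key on the forwarded client address instead.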

We encourage you to use a strong password and avoid generic usernames: This should go without saying, but if your login is username “admin” with password “pass123”, it’s a good idea to change it to something more secure.

If not needed, disable or remove XML-RPC: XML-RPC is the WordPress component that handles connections from external services. Apps that interface with WordPress, such as the WordPress mobile app, make use of it. Unfortunately, leaving XML-RPC enabled can expose your website to a handful of attacks, most commonly brute force and DDoS attacks.
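If you have confirmed nothing needs XML-RPC, the following added example (not ArtForm’s code) shows one way to switch it off from a must-use plugin using WordPress’s own filters. One detail worth knowing: the xmlrpc_enabled filter only disables the methods that require a login, so the unauthenticated pingback.ping method, the one involved in the DDoS abuse mentioned above, has to be removed separately.

```php
<?php
/**
 * Plugin Name: Example XML-RPC disable
 * Description: Turn off XML-RPC when no app or service needs it (added example).
 *
 * Place in wp-content/mu-plugins/. Remove it again if you later adopt the mobile app
 * or another service that talks to the site over XML-RPC.
 */

// Refuse every XML-RPC method that requires authentication. This is what stops
// password guessing through xmlrpc.php (including the multi-call variants).
add_filter('xmlrpc_enabled', '__return_false');

// The filter above does NOT cover unauthenticated methods, so drop the pingback
// methods explicitly; pingback.ping is the call abused for reflected DDoS traffic.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// Stop advertising the endpoint: the X-Pingback header on every response ...
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// ... and the Really Simple Discovery link in <head> that points at xmlrpc.php.
remove_action('wp_head', 'rsd_link');
```

After activating it, a quick check is to POST a trivial request to /xmlrpc.php and confirm the response is a fault rather than a method result; if you would rather the endpoint not answer at all, block the path at the web server in addition to this.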

Disallow access to wp-config.php: wp-config.php is a critical file for WordPress (it holds your database credentials and secret keys), so it’s a good idea to block web access to it from the outside world. You can do this by adding a few lines to your .htaccess file.

Disable the WordPress admin file editor: You can edit your theme and plugin files from the WordPress admin panel. That makes a hacker’s job a lot easier, because anyone who gets hold of an administrator login can change files without having access to your server. You can add a line of code to wp-config.php to disable it.

Don’t use the default database table prefix: You may have noticed the option to change the database table prefix from “wp_” during the WordPress installation. Not changing this can make your site more vulnerable to SQL injection attacks.

Disable client-side PHP error reporting: While error reporting is useful to developers, it is just about as useful to hackers, since it gives away valuable information about your site (file paths, plugin names, even fragments of database queries).
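The three wp-config.php changes just described (file editor, table prefix, error display) fit in a few lines. The block below is an added example showing the weak default beside the hardened setting for each; it is not ArtForm’s file, and the prefix value is a constructed sample. These lines belong in wp-config.php above the “That’s all, stop editing!” comment.

```php
<?php
// Added example of the wp-config.php hardening settings discussed above.

// Disable the admin file editor.
// Weak (default): no DISALLOW_FILE_EDIT line, so WordPress treats it as false and
// any administrator session can rewrite theme and plugin PHP from the dashboard.
// Hardened: remove the Theme/Plugin File Editor screens entirely.
define('DISALLOW_FILE_EDIT', true);

// Use a non-default table prefix.
// Weak (default): $table_prefix = 'wp_';
// Hardened: pick the prefix before installing. Changing it afterwards means renaming
// every table and the prefixed option/usermeta keys (for example wp_user_roles).
$table_prefix = 'x7k2_';   // constructed sample value, choose your own

// Keep PHP errors out of the browser.
// Weak: define('WP_DEBUG', true); with WP_DEBUG_DISPLAY left at its default (true),
// which prints notices, file paths and query fragments into pages for any visitor.
// Hardened: debugging off in production; if you need logs, write them to a file
// (WP_DEBUG_LOG) rather than to the page.
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
define('WP_DEBUG_LOG', false);        // set true to log to wp-content/debug.log instead
@ini_set('display_errors', '0');      // belt and braces for errors raised before WordPress loads
```

If you do enable WP_DEBUG_LOG, remember that wp-content/debug.log is inside the web root and should itself be blocked from web access in the same way as wp-config.php.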

Contact us for help with these steps or for more information on how to keep your site secure.