How to secure your WordPress based website?

Securing your WordPress installation is the very first task every webmaster or blogger should do before making a website public. With the advent of automated scripts and other automatic tools, hacking has become a doddle. Even a 13 year old script kiddie can sit in front of his computer and start hacking websites. To protect yourself, here are a few tips you can follow to make your WordPress based website more secure.

Keep your WordPress installation updated

WordPress, as you know, has a large pool of developers, and they release updates from time to time in order to add functionality and to close any security holes or exploits that are found. If you don't update your WordPress installation then you will be vulnerable, as there is always a probability that your present WordPress install has some security holes which can help hackers compromise your website. Updating a WordPress installation is probably the most simple and easy compared to updating other CMSs such as Drupal and Joomla. With just two clicks you can update your website to the latest version.

Always keep a backup

Backups are always important. Even if somehow your site is hacked, you can always restore your backup and come back online, and then fix the exploits which were responsible for the hacking of your website. If you are on a cPanel server then there is an option there to download a complete backup copy of your account. If you don't have cPanel then there are WordPress plugins available that can help you back up your site's database.

Changing the default database table prefix from wp_ to something random

If you perform this step then you can save your website from automatic or scripted attacks. This is not a foolproof method; it is just an added layer of security for your website. If an attacker is determined he can still find out your new table prefix.

Removing the generator attribute from your WordPress

Hiding the version of WordPress from hackers is always an important step towards site security. WordPress by default adds a generator meta tag to the head tag of your HTML. You can download the WSD Security plugin to remove this attribute.

Protecting your WordPress admin panel

Secure your WordPress admin using a .htaccess file. This will allow only you to log in to the admin panel of your WordPress. See the section below on securing the WordPress admin directory.

Turn off the database errors

If something goes wrong in the core functionality of WordPress then it produces database errors. These are useful to admins for debugging purposes, but they can also provide some sensitive information to a hacker. Hackers deliberately try to produce database errors. You can turn them off using the WSD Security plugin.
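The two points above (hiding the generator tag and keeping database errors off the page) can also be done without a plugin, using WordPress's own hooks. The following must-use plugin is an added example written for this article, not code from the original post or from WSD Security; it assumes a standard install where wp-content/mu-plugins/ is loaded automatically, and the filename hide-version-and-db-errors.php is just a suggestion.

```php
<?php
/*
Plugin Name: Hide WordPress version and DB errors (added example)
Description: Drop this file into wp-content/mu-plugins/. Example code, not part of the original article.
*/

// Refuse to run if this file is requested directly rather than loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. Remove <meta name="generator" content="WordPress x.y"> from the <head> of every page.
//    wp_generator() is the core callback that prints it, hooked on wp_head.
remove_action( 'wp_head', 'wp_generator' );

// The same version string is also emitted in RSS/Atom feeds through the_generator filter,
// so blank it there too; __return_empty_string is a core helper.
add_filter( 'the_generator', '__return_empty_string' );

// 2. Stop database errors from being printed to visitors.
//    Must-use plugins load after $wpdb exists, so this can be called immediately.
//    wpdb::hide_errors() only affects what is shown; failed queries are still logged
//    by PHP's error_log() when WP_DEBUG_LOG is enabled, which is where admins should read them.
global $wpdb;
$wpdb->hide_errors();
```

The companion setting lives in wp-config.php: `define( 'WP_DEBUG', false );` together with `define( 'WP_DEBUG_DISPLAY', false );` keeps PHP notices and query errors out of visitors' pages, while `define( 'WP_DEBUG_LOG', true );` sends them to wp-content/debug.log instead, so you lose nothing for debugging.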

Do not install untrusted plugins

Always install plugins from the WordPress plugin directory. Do not install plugins from sources other than the official one.

How to secure your WordPress admin directory?

As you all might know, the admin directory of a default WordPress install is the wp-admin folder. This folder contains all the administrator files and should be accessed by administrators only. We can add a layer of security to this wp-admin folder (or to a renamed admin folder) by creating a file named .htaccess inside the wp-admin folder (see: How to create a .htaccess file?). In this file add the following lines:

<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require ip your_isp_static_ip
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2: deny everyone, then white list your IP
    Order deny,allow
    deny from all
    allow from your_isp_static_ip
</IfModule>

Instead of your_isp_static_ip put in the IP address assigned to you by your ISP (see: How to check your IP address?). If the IP address assigned to you by your ISP is dynamic, you can still protect your admin folder. In that case, instead of your_isp_static_ip put in only the part of your address that stays the same, where xxx.yyy.zzz.aaa stands for your full IP address; do not put in the entire IP address. First check which part of your IP remains constant, that is, whether xxx remains constant, then check yyy, and so on. In most dynamic IP cases the xxx part always remains constant. After checking which part of your IP address remains constant, form an expression accordingly. For example, if for my IP xxx and yyy remain constant, then instead of your_isp_static_ip I put in xxx.yyy.
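Working out which octets stay constant by eye is error-prone, so here is an added example (written for this article, not from the original post) that does it from a list of addresses you have noted down over a few days, and then checks each one against the resulting partial address the way Apache matches a partial IPv4 entry in `allow from` or `Require ip` (whole leading octets only). The sample addresses are constructed for the example; replace them with your own.

```php
<?php
// Added example: find the constant leading octets of a dynamic IPv4 address
// and verify the resulting partial address against every observed address.
// IPv4 only; Apache partial matching works on whole octets, not on bits.

/**
 * Return the leading octets shared by every address, joined by dots
 * (e.g. "203.0"), or '' when even the first octet differs.
 */
function constantPrefix(array $ips): string {
    $split = array_map(fn(string $ip): array => explode('.', $ip), $ips);
    $keep  = [];
    for ($i = 0; $i < 4; $i++) {
        // All values seen in octet position $i across the observed addresses.
        $octets = array_values(array_unique(array_column($split, $i)));
        if (count($octets) !== 1) {
            break; // this octet varies, so the constant part ends here
        }
        $keep[] = $octets[0];
    }
    return implode('.', $keep);
}

/**
 * Mimic Apache's partial-IP rule: "203.0" matches 203.0.x.y but not 203.00.x.y
 * or 203.1.x.y, because the comparison is on whole leading octets.
 */
function matchesPartial(string $ip, string $partial): bool {
    if ($partial === '') {
        return false; // an empty entry would be a misconfiguration, never a match
    }
    $ipOctets   = explode('.', $ip);
    $partOctets = explode('.', $partial);
    return array_slice($ipOctets, 0, count($partOctets)) === $partOctets;
}

// Constructed sample: addresses one ISP handed out over several days (made up,
// from the 203.0.113.0/24 documentation range).
$observed = ['203.0.113.17', '203.0.113.88', '203.0.114.5', '203.0.113.200'];

$prefix = constantPrefix($observed);          // "203.0"
echo "Use this instead of your_isp_static_ip: {$prefix}\n";

foreach ($observed as $ip) {
    $ok = matchesPartial($ip, $prefix) ? 'allowed' : 'DENIED';
    echo "{$ip} -> {$ok}\n";
}

// An address from a different network must not match.
echo '198.51.100.9 -> ' . (matchesPartial('198.51.100.9', $prefix) ? 'allowed' : 'DENIED') . "\n";
```

Run it with `php prefix-check.php` after editing `$observed`. Keep in mind that the shorter the prefix, the more addresses it admits: a two-octet entry lets in every customer of your ISP who lands in that range, so this rule is a filter on top of a strong admin password, not a replacement for one.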

In this way you can restrict access to your wp-admin folder and thus secure it.