Essential WordPress Security Tips to Keep Your Site Safe

A small business website is a valuable asset that you want to protect from damage by some malicious hacker. In many cases, our websites are analogous to a physical store or office. And just like you wouldn’t want someone throwing a brick through your window, you don’t want someone damaging your web property.

Many of us have spent time and money on our Website design, brand identity and expert content that projects how we want people to perceive us and our businesses. With its popularity, WordPress has become a target for those trying to exploit vulnerabilities. And unfortunately, there are those misguided individuals that think hacking your website and potentially harming your business is fun.

Proactive WordPress Security Tips

Here are some simple WordPress security tips and best practices that can help thwart those who want to do harm to your online presence.

Eliminate the account called “admin”

When you install WordPress, select a name for your administrative account rather than take the default. If one exists, create another admin account and delete the default.

Add the following to your functions.php file in your child theme to block access to active user accounts.

//START REMOVE JSON PARAMETER//

function disable_rest_endpoints ( $endpoints ) {
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'disable_rest_endpoints');

//END REMOVE JSON PARAMETER//

Use strong passwords for all admins

Make your WordPress login as secure as your bank account and use a strong password with letters, numbers and special characters.

Add a security plugin to monitor activity

Select a WordPress security plugin to further secure your website from the back end. Set up a firewall capability to stop malicious intruders from gaining access.

• Wordfence is a quality firewall plugin that protects your website. It has a protect login feature that you can set to lock when under attack. This gives you the ability to still log in with a predefined username/password combination.
• Cerber Security plugin is my latest recommendation as it combines website security with antispam for forms. Looking at the activity shows you how much you truly need a security plugin that stops bad actors from damaging your website.

Keep WordPress and plugins updated

Outdated software may contain security vulnerabilities that are known to hackers. Updating your site regularly eliminates them and makes your installation more secure. You shouldn’t modify any of the core software so that you can update without breaking your site.

Only use plugins and themes from reputable developers

Do your research before you install a plugin or theme to make sure it isn’t harboring vulnerabilities that can be used to exploit your website.

Protect your critical files from being hacked

To protect your WordPress installation, add the following to your .htaccess file. Many of the security plugins today will add this to your .htaccess file for you, but if they don’t you can manually add them. If you use Yoast SEO plugin, you should have access to the file under tools > file editor:

# BEGIN protect xmlrpc.php
<files xmlrpc.php>
	order allow,deny
	deny from all
</files>
# END protect xmlrpc.php

# Prevent directory listing
IndexIgnore *
# Protect .htaccess files
<Files .htaccess>
	order allow,deny
	deny from all
</Files>

# Protect wp-config.php
<FilesMatch ^wp-config.php$>
	deny from all
</FilesMatch>

# Protect install.php
<files install.php>
	Order allow,deny
	Deny from all
</files>

Protect the files on your WordPress installation

Make sure all theme and plugin files are write protected (644 for the property attributes) before you go live.

Keep a recent backup of your website

Keep regular backups using All In One Site Migration. The plugin allows me to rebuild the entire site in 10 minutes as long as you have their unlimited extension. As long as your site is clean, this type of a backup will enable you to recover quickly. I run the backup every time I make a major change.

If your database is compromised, make sure you have all the pieces to rebuild your site cleanly. Do a WordPress export of the content, theme settings, plugin settings, backup the uploads directory, theme and keep a list of plugins you use. Make sure you always do a fresh backup when you make any major changes to your website. If you know your database backup is clean, a simple monthly export can help you recover more quickly from an older version if something goes wrong.

Keep hackers at bay

Don’t think it couldn’t happen to your website. Hackers don’t care if your site is small, new or insignificant. Remember, hackers will hack your site because they can.