WordPress is the most powerful CMS in the world. It powers nearly 30% of all websites on the internet, so WordPress security is an important concern for every website owner.
1. First, use a strong WordPress admin username. If your admin username is “admin”, change it.
2. Strengthen your login password. Some examples of complex passwords are Y#!^&G98n@2fg, bE$S%*&654(8D and %&^dvRUdf4.
3. Keep your WordPress version updated: a new version is released whenever a problem is found in the previous one. Get the latest version from the WordPress site, http://wordpress.org.
4. Change your database prefix. Most installs use the default prefix “wp_”; change it to something different, such as xYz_m7d_s9.
5. Delete all unnecessary plugins from your site. Use “growmap anti spambot” as your spam filter and delete the previous Akismet version.
6. Delete all unnecessary themes from your site.
7. You can use a captcha for user login.
8. Change the WordPress login URL from http://yoursite.com/wp-admin to http://yoursite.com/customlink.
9. You can use the “Better WP Security” plugin for your site's safety. Also see: 10 best plugins for protecting a WordPress site from hackers.
10. You can change the wp-content folder name; this can be done with a plugin.
11. Secure the site with .htaccess for better WordPress security. You can use a plugin for .htaccess, but adding the code yourself is better. See the code below and add it through cPanel.
# BEGIN WordPress
# WPhtC: Disable ServerSignature on generated error pages
ServerSignature Off
# WPhtC: Disable directory browsing
Options All -Indexes
# WPhtC: Limit upload size to 10 MB
LimitRequestBody 10485760
# WPhtC: Protect wp-config.php (Apache 2.4 syntax, with a 2.2 fallback)
<Files wp-config.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</Files>
# WPhtC: Protect .htaccess and .htpasswd files
<Files ~ "^.*\.([Hh][Tt][Aa])">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
</IfModule>
</Files>
<IfModule mod_rewrite.c>
RewriteEngine on
# WPhtC: Protect wp-comments-post.php: a POST that does not come from this
# site, or that has an empty user agent, is sent back to the client's own address
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yoursite\.com/ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
# WPhtC: Disable image hotlinking (image requests with a foreign referer get 403)
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yoursite\.com/ [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [F,NC,L]
</IfModule>
# WPhtC: Setting mod_gzip
<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>
# WPhtC: Setting mod_deflate
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
</IfModule>
RewriteEngine on
# Unless you have set a different RewriteBase preceding this point,
# you may delete or comment-out the following RewriteBase directive:
RewriteBase /
# if this request is for "/" or has already been rewritten to WP
RewriteCond $1 ^(index\.php)?$ [OR]
# or if request is for image, css, or js file
RewriteCond $1 \.(gif|jpg|jpeg|png|css|js|ico)$ [NC,OR]
# or if URL resolves to existing file
RewriteCond %{REQUEST_FILENAME} -f [OR]
# or if URL resolves to existing directory
RewriteCond %{REQUEST_FILENAME} -d
# then skip the rewrite to WP
RewriteRule ^(.*)$ - [S=1]
# else rewrite the request to WP
RewriteRule . /index.php [L]
# END WordPress
*Put your own site address in place of “yoursite.com”.
Caution: Back up your .htaccess file before doing this.
12. Set your wp-config.php file permissions to 400.
13. Remove install.php and install-helper.php from wp-admin.
14. Do not use free “premium”, cracked or nulled themes and plugins.
15. Change your cPanel and FTP passwords regularly.
16. Keep regular backups of your site.
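Items 4, 12 and 13 of the list can be checked from the file system, and the prefix change in item 4 can be scripted. The Python script below is an added example written for this article; it is not code from WordPress or from any plugin named above, and the names audit_site, prefix_rename_sql, table_prefix_from_config and build_sample_site are chosen here. The site tree it inspects is constructed in a temporary directory for demonstration. It flags the default wp_ prefix in wp-config.php, a wp-config.php that group or others can read (item 12 asks for mode 400), and a leftover wp-admin/install.php or install-helper.php (item 13). It also generates the SQL needed to move the tables to a new prefix, including the prefixed rows WordPress keeps in the options and usermeta tables (wp_user_roles, wp_capabilities and similar), which a plain table rename would leave behind and which would lock every user out.

```python
import os
import re
import stat
import tempfile

# Added example, not WordPress code. Prefixes are restricted to this character
# set so nothing unchecked is ever interpolated into the generated SQL.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")


def table_prefix_from_config(config_text):
    """Return the value of $table_prefix in wp-config.php source, or None."""
    m = re.search(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""", config_text)
    return m.group(1) if m else None


def prefix_rename_sql(old_prefix, new_prefix, tables):
    """SQL statements that rename `tables` (all starting with old_prefix) to
    new_prefix and rewrite the prefixed option_name / meta_key rows."""
    for p in (old_prefix, new_prefix):
        if not PREFIX_RE.match(p):
            raise ValueError("prefix must match [A-Za-z0-9_]+: %r" % p)
    stmts = []
    for t in tables:
        if not t.startswith(old_prefix):
            raise ValueError("table %r does not start with %r" % (t, old_prefix))
        stmts.append(f"RENAME TABLE `{t}` TO `{new_prefix}{t[len(old_prefix):]}`;")
    # Escape the underscore in LIKE so 'wp_' does not also match 'wpx...'.
    like = old_prefix.replace("_", "\\_") + "%"
    skip = len(old_prefix) + 1  # SUBSTRING positions are 1-based
    stmts.append(
        f"UPDATE `{new_prefix}options` SET option_name = "
        f"CONCAT('{new_prefix}', SUBSTRING(option_name, {skip})) "
        f"WHERE option_name LIKE '{like}';"
    )
    stmts.append(
        f"UPDATE `{new_prefix}usermeta` SET meta_key = "
        f"CONCAT('{new_prefix}', SUBSTRING(meta_key, {skip})) "
        f"WHERE meta_key LIKE '{like}';"
    )
    return stmts


def audit_site(root):
    """Check a WordPress document root against items 4, 12 and 13.
    Returns a list of finding strings; an empty list means nothing to report."""
    findings = []
    cfg = os.path.join(root, "wp-config.php")
    if not os.path.isfile(cfg):
        return ["wp-config.php not found under %s" % root]
    with open(cfg) as fh:
        if table_prefix_from_config(fh.read()) == "wp_":
            findings.append("table prefix is the default 'wp_'")
    mode = stat.S_IMODE(os.stat(cfg).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("wp-config.php mode %04o is readable by group/other" % mode)
    for name in ("install.php", "install-helper.php"):
        if os.path.exists(os.path.join(root, "wp-admin", name)):
            findings.append("wp-admin/%s is still present" % name)
    return findings


def build_sample_site():
    """Constructed sample tree: default prefix, world-readable config and the
    installer left in place. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.mkdir(os.path.join(root, "wp-admin"))
    cfg = os.path.join(root, "wp-config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php\n$table_prefix = 'wp_';\n")
    os.chmod(cfg, 0o644)
    open(os.path.join(root, "wp-admin", "install.php"), "w").close()
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for finding in audit_site(site):
        print("FINDING:", finding)
    for stmt in prefix_rename_sql("wp_", "xyz_", ["wp_options", "wp_usermeta", "wp_posts"]):
        print(stmt)
```

Run the generated statements against a database backup first, then set $table_prefix in wp-config.php to the new prefix; the table list should come from SHOW TABLES on the live database, since plugins add tables beyond the core set. The LIKE patterns rely on the default MySQL escape character, so adjust them if the server runs with NO_BACKSLASH_ESCAPES.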