Wordpress Security Tips & Plugins

By shabbir
WordPress out of the box is fairly secure, but following a few simple security tips and installing a few security plugins can make your WordPress install a lot more secure.

Choose Secure Passwords

Anyone can learn your WordPress username from the author profile on your blog, so your password has to be correspondingly strong. For a secure password, use at least ten to twelve characters, including at least one upper-case letter and one symbol such as # or !.

Blog From a Safe System

Don't log in to your WordPress dashboard or admin area from a public computer, or from any computer you do not trust. Such computers can carry keyloggers and other malware that steal your WordPress admin password as you log in.

Block the wp-admin Directory with .htaccess

You can easily protect your WordPress admin directory with .htaccess. This adds an extra layer of security in front of your blog's admin control panel.

cPanel offers a password-protect-directory option inside the control panel.

Or, if you have SSH access, you can add the password using .htaccess and .htpasswd files, as I have for my Internet Marketing Blog:

Code:
# Require HTTP Basic authentication before Apache serves anything from wp-admin
AuthName "IMTips Admin Area"
AuthType Basic
# Password file kept outside the web root so it can never be downloaded
AuthUserFile /home/imtips/.htpasswd
Require user shabbir
In the .htpasswd file you place one username and its (hashed) password per line. To add a user you can also use the htpasswd command on Linux.

Code:
shabbir:SomeEncryptedPassword
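
Because the protection only works when the two files agree, here is an added example (not code from the original post) that parses an .htaccess/.htpasswd pair like the one above and reports the mistakes that silently break it: a missing or mistyped user in Require, a relative AuthUserFile, a password file placed inside the web root, or a weak hash format. The .htpasswd line, the DOCUMENT_ROOT value and the finding texts are constructed for the example; the hash shown is a placeholder, not a real credential.

```python
"""Sanity-check an Apache Basic-auth .htaccess/.htpasswd pair for wp-admin.

Added example (not code from the original post). The .htaccess text mirrors
the post's directives; the .htpasswd line and DOCUMENT_ROOT are constructed
placeholders, not real credentials or paths from any live site.
"""
import posixpath

# Constructed sample inputs.
HTACCESS = """\
AuthName "IMTips Admin Area"
AuthType Basic
AuthUserFile /home/imtips/.htpasswd
Require user shabbir
"""
# Placeholder apr1 (MD5-crypt) entry: the hash is NOT a real password hash.
HTPASSWD = "shabbir:$apr1$PLACEHOLD$notarealhashvalue000000\n"
DOCUMENT_ROOT = "/home/imtips/public_html"  # assumed web root for the example

KNOWN_HASH_PREFIXES = ("$apr1$", "$2y$", "{SHA}")


def parse_htaccess(text):
    """Map directive name -> value (quotes stripped), ignoring blanks/comments."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives[name] = value.strip().strip('"')
    return directives


def parse_htpasswd(text):
    """Map user -> stored hash; the file holds one 'user:hash' per line."""
    users = {}
    for line in text.splitlines():
        user, sep, pw_hash = line.partition(":")
        if sep:
            users[user.strip()] = pw_hash.strip()
    return users


def is_under(path, root):
    """True when path is root itself or lies below it (POSIX paths)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def check_admin_protection(htaccess_text, htpasswd_text, document_root):
    """Return a list of findings; an empty list means the pair looks sound."""
    findings = []
    d = parse_htaccess(htaccess_text)
    users = parse_htpasswd(htpasswd_text)

    if d.get("AuthType") != "Basic":
        findings.append("AuthType must be Basic for .htpasswd authentication")
    user_file = d.get("AuthUserFile", "")
    if not user_file.startswith("/"):
        findings.append("AuthUserFile should be an absolute path")
    elif is_under(user_file, document_root):
        findings.append("AuthUserFile sits inside the web root and may be downloadable")
    require = d.get("Require", "")
    if require.startswith("user "):
        for user in require.split()[1:]:
            if user not in users:
                findings.append(f"Require names {user!r} but .htpasswd has no such user")
    elif require != "valid-user":
        findings.append("Require should list specific users or valid-user")
    for user, pw_hash in users.items():
        if not pw_hash.startswith(KNOWN_HASH_PREFIXES):
            findings.append(f"{user!r}: plaintext or unrecognised hash, regenerate with htpasswd")
        elif pw_hash.startswith("{SHA}"):
            findings.append(f"{user!r}: unsalted SHA-1, prefer bcrypt (htpasswd -B)")
    return findings


if __name__ == "__main__":
    for finding in check_admin_protection(HTACCESS, HTPASSWD, DOCUMENT_ROOT) or ["OK"]:
        print(finding)
```

Run it against your own files by reading them in place of the two constants; the web-root test is the one that matters most, since a .htpasswd stored under public_html is itself a download target.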

Move wp-config.php Up One Level

The wp-config.php file contains all of your database configuration. A little-known WordPress feature lets you protect it better: you can move wp-config.php one level above the WordPress root. If your blog is installed in your domain's root directory, this puts wp-config.php outside the public_html folder, out of reach of any web-accessible script, and WordPress automatically knows to look for it one level up.

Remember that this tip does not work if you installed your blog in a subdirectory (e.g. public_html/blog): the config file is then one level up from the blog but still under public_html, so it remains reachable through the web browser and other scripts.
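
The root-versus-subdirectory distinction above is easy to get wrong, so here is an added example (not code from the post or from WordPress itself) that works it out from paths. It mirrors the lookup order in WordPress's wp-load.php: wp-config.php next to the install, otherwise in the parent directory, but only when that parent holds no wp-settings.php (so a parent WordPress install is not mistaken for the config location). The web root and install paths are constructed values.

```python
"""Where WordPress looks for wp-config.php, and whether moving it up helps.

Added example, not code from the post or from WordPress. locate_config()
follows the wp-load.php lookup order; assess_move() answers the post's
question: does the moved file land outside the web root? Paths constructed.
"""
import posixpath


def is_under(path, root):
    """True when path is root itself or lies below it (POSIX paths)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def locate_config(existing_files, wp_root):
    """Return the wp-config.php WordPress would load, or None if it finds none."""
    wp_root = posixpath.normpath(wp_root)
    parent = posixpath.dirname(wp_root)
    local = posixpath.join(wp_root, "wp-config.php")
    if local in existing_files:
        return local
    above = posixpath.join(parent, "wp-config.php")
    # The parent is only consulted when it is not itself a WordPress install.
    if above in existing_files and posixpath.join(parent, "wp-settings.php") not in existing_files:
        return above
    return None


def assess_move(document_root, wp_root):
    """Return (new_path, outside_web_root) for wp-config.php moved one level up."""
    new_path = posixpath.join(posixpath.dirname(posixpath.normpath(wp_root)), "wp-config.php")
    return new_path, not is_under(new_path, document_root)


if __name__ == "__main__":
    root = "/home/example/public_html"          # constructed web root
    for install in (root, root + "/blog"):      # root install vs. subdirectory install
        path, safe = assess_move(root, install)
        print(f"{install}: config at {path}, outside web root: {safe}")
```

The second case in the demo reproduces the caveat in the text: for public_html/blog the moved file lands at public_html/wp-config.php, still inside the web root. The wp-settings.php rule also means a blog nested under another WordPress install will not pick up the parent's wp-config.php at all.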

Keep WordPress, Plugins & Themes Updated

WordPress publishes frequent updates and security patches for vulnerabilities as they are found, and the same holds for plugins and themes, so it makes sense to run the latest WordPress and the latest plugins.

Install Login Lock Down

The Login Lock Down plugin helps protect your WordPress blog against brute-force attacks (trying every possible password until the correct one is found). By default WordPress never locks an account no matter how many wrong passwords are entered, so anybody can brute-force your admin username against a list of passwords. Login Lock Down shuts these attacks down by letting you define how many wrong attempts are allowed before the user is locked out.
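
To make the lockout policy concrete, here is an added example (not the plugin's code) of the kind of failed-attempt tracking the paragraph describes: failures are counted inside a sliding window, the threshold triggers a timed lockout, and a correct password is refused while the lockout is active. The tracker is keyed on whatever string the caller chooses (username or client address); the thresholds and the sample attempt sequence are assumed values, and timestamps are plain seconds so the run is deterministic.

```python
"""Failed-login lockout of the kind the post describes for Login Lock Down.

Added example, not the plugin's code. Thresholds and SAMPLE_ATTEMPTS are
constructed; the subject key can be a username or a client IP as you prefer.
"""
from collections import defaultdict, deque


class LoginLockdown:
    def __init__(self, max_failures=3, window_seconds=300, lockout_seconds=3600):
        self.max_failures = max_failures      # wrong attempts tolerated inside the window
        self.window = window_seconds          # failures older than this no longer count
        self.lockout = lockout_seconds        # how long a locked subject stays locked
        self._failures = defaultdict(deque)   # subject -> timestamps of recent failures
        self._locked_until = {}               # subject -> unlock time

    def is_locked(self, subject, now):
        until = self._locked_until.get(subject)
        if until is None:
            return False
        if now >= until:                      # lockout expired, forget it
            del self._locked_until[subject]
            return False
        return True

    def attempt(self, subject, password_ok, now):
        """Record one login attempt; returns 'locked', 'ok' or 'failed'.

        A correct password is still refused while the subject is locked, which
        is what stops a guesser from simply continuing until one guess hits.
        """
        if self.is_locked(subject, now):
            return "locked"
        if password_ok:
            self._failures.pop(subject, None)  # success clears the failure history
            return "ok"
        recent = self._failures[subject]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                   # drop failures outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[subject] = now + self.lockout
            recent.clear()
            return "locked"
        return "failed"


def replay(attempts, **policy):
    """Run a list of (timestamp, subject, password_ok) through a fresh tracker."""
    tracker = LoginLockdown(**policy)
    return [tracker.attempt(subject, ok, t) for t, subject, ok in attempts]


# Constructed attempt log: three guesses, the real password during the
# lockout, then the real password again once the lockout has expired.
SAMPLE_ATTEMPTS = [
    (0, "admin", False), (10, "admin", False), (20, "admin", False),
    (30, "admin", True), (3620, "admin", True),
]

if __name__ == "__main__":
    for (t, who, _), verdict in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(f"t={t:>5}s {who}: {verdict}")
```

The replay shows the trade-off you tune with the thresholds: too tight and a legitimate user who mistypes twice is locked out of their own blog; too loose and the window lets slow guessing through, as the second assertion in the test illustrates.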

Plugin to Scan WordPress Security

Install the WordPress Security Scan plugin to check whether there is anything more you can do to secure your WordPress: it scans your site's files and directories and gives suggestions and action items on passwords, file permissions and other database security flaws.
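
The file-permission part of such a scan is small enough to show in full. The following added example (not the plugin's code) builds a constructed WordPress-like tree in a temporary directory with two deliberate mistakes and then walks it, flagging anything world-writable and a wp-config.php that other users on the host can read. The thresholds follow the usual WordPress hardening advice and are assumptions here.

```python
"""Permission audit of the sort a security-scan plugin reports for WordPress.

Added example, not the plugin's code. build_sample_site() creates a constructed
tree with two mistakes; scan_permissions() reports them. Assumed policy:
no world-writable files or directories, and wp-config.php not readable by
other users on the host.
"""
import os
import stat
import tempfile


def build_sample_site():
    """Create a constructed tree with two deliberate mistakes; returns its root."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    for rel, mode in [
        ("index.php", 0o644),
        ("wp-config.php", 0o644),                                  # mistake: readable by others
        (os.path.join("wp-content", "uploads", "a.jpg"), 0o666),  # mistake: world-writable
    ]:
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write("constructed placeholder\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o755)
    return root


def scan_permissions(root):
    """Return sorted (relative_path, finding) pairs for the tree under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & stat.S_IWOTH:
                findings.append((rel, f"world-writable ({mode:o})"))
            if name == "wp-config.php" and mode & stat.S_IROTH:
                findings.append((rel, f"wp-config.php readable by others ({mode:o}), use 600 or 440"))
    return sorted(findings)


if __name__ == "__main__":
    for rel, finding in scan_permissions(build_sample_site()):
        print(f"{rel}: {finding}")
```

Point scan_permissions() at a real install root to get the same report for your own files; on shared hosting the wp-config.php check is the one that matters most, since it holds the database credentials.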

Automated Backups

For popular blogs you can opt for VaultPress, a premium service by the makers of WordPress that automatically backs up the databases and files associated with WordPress and restores them with one click.

I hope these tips help fellow bloggers stay safe. What security measures do you take for your blog? Share your views in the comments below.
pradeep, Join Date: Apr 2005
Team Leader
Nice one. I would like to add a point: securing the wp-admin directory by forcing HTTPS. You can use a self-signed certificate; this will help prevent password stealing via packet inspection.
mathewines, Join Date: Mar 2012
Newbie Member
Thanks for this informative article, great job done.
KJMS-Chris
Banned
Renaming wp-admin/ is not a bad idea either, because it makes you less of a target for automated attacks.