We are always mindful of the valuables that we own, be it money, jewelry, gadgets, etc. We have a system set up to safeguard anything and everything we own. And if you are so vigilant about your personal belongings then safeguarding your website has to be taken a notch higher than this. Why? As you have more to lose from a hacked website than from a lost personal belonging. You stand to lose money, business, and reputation from every loophole in your website that has been hacked into. So, all those people out there who have not been taking WordPress Website Security seriously it’s time to gear up! I am going to list out some do’s and don’ts to help you manage your WordPress website security.
However, before we get into it, here’s the short version for your quick reference:
Do’s | Don’ts |
| Remove Version Numbers | Do Not Take Passwords Lightly |
| Upgrade Website Regularly | Do Not Allow Directory Browsing |
| Update System Software | Do Not Allow File Edits in Dashboard |
| Take Site Backup | Do Not Allow Hotlinking on Website |
| Secure Directories | Do Not Send Update Notifications to all Users |
| Secure wp-config.php File | |
| Scan Site with Malware Monitoring Service | |
| Set Appropriate Permissions |
Now, let’s discuss these in detail –
The Do’s for WordPress Website Security
Remove Version Numbers
Version numbers in your WordPress is a critical piece of information on your website. It allows hackers to invade your website if they have the means to abuse the WordPress or theme version used on your website. Hence, it would be ideal to remove the version numbers generated by WordPress and Theme’s CSS and JS files so that it won’t be easy to detect WordPress or Theme Version.
Upgrade Website Regularly
You should regularly upgrade the WordPress core. Also, upgrade non-customized themes and plug-in installed on your website. This is important as the software might to have bugs that make your website susceptible to attacks. Scheduling regular updates as part of your WordPress website maintainence would ensure you get cleaner versions of the code reducing the threat of an attack on your website.
Update System Software
Ensure that you have all the latest version of software such as OpenSSL, Nginx, PHP, MySQL, etc for you windows, Mac or Linux systems.
Take Site Backup
Install an appropriate plug-in to take regular backup of files and database on your website. You do not want to take a risk with precious data on your website right?
Secure Directories
It is important to secure wp-includes and uploads directories in your website folder so that direct access to files present in those directories can be prohibited.
Secure wp-config.php File
The wp-config.php file in your WordPress website folder contains a lot of sensitive information. Hence, it is important to make it secure.
Scan Site with Malware Monitoring Service
Scan your website periodically with malware monitoring software. This will help you get notifications when there is a potential hazard to your website.
Set Appropriate Permissions
Restrict access to folders on your website to users who can be trusted. Set the appropriate read and write permissions on the folders depending on your requirement.
| Expert Advice: WordPress security is not a one-time thing, it requires maintenance. You have to be vigilant about updating your plugins & themes and security scans. Regular scans are crucial for identifying malware & security issues. Then once you’ve identified these issues, you also have to patch them up. And of course, take regular backups in case something goes wrong. All these activities need to be planned for. So, it is a good idea to make them a part of the monthly maintenance plan for your WordPress website. Recommended Reading: |
The Don’ts for WordPress Website Security
Do Not Send Update Notifications to all Users
Update notifications that are made available on the website’s dashboard would not be made available across all user levels. While updating WordPress core, themes and plugins are essential it should be a well-researched step. Unrestricted updates could mean disaster for your website.
Do Not Take Passwords Lightly
Do not set your website password as admin as it is easy to guess. Also regularly change the password on your website. If you use the same password for a very long time, you’re giving hackers more time to try and crack it. If you change it frequently, you shorten the window of attack
Do Not Allow File Edits in Dashboard
File edits in the dashboard is a big fat NO! Users who are meant to make changes to the website should not be allowed to make changes to the code. Allowing file edits in the dashboard screams Danger!!! for your website.
Do Not Allow Hotlinking on Website
Prevent hotlinking on the website. People should not be able to hotlink any images or content from your website. After all, in the web world content is a goldmine and should be secured.
Do Not Allow Directory Browsing
Do not allow directory browsing access to all users. It is important to secure wp-includes and uploads directories in your website folder so that direct access to files present in those directories can be prohibited.
Well, that’s about it from my end on WordPress website security. I would like to add that maintaining website security is not a small task. It is sometimes a good idea to outsource it to a professional. As far as I am concerned I’ve tried to cover all the essential points in this article. If there are any other points that you might like to add feel free to do so in the comments section.
Please note, some of the links in this blog post might be affiliate links. This means if you go on to purchase a product using such a link, we receive a small commission (at no additional cost to you). This helps us support the blog and produce free content. We only recommend products we work with or love. Thank you for your support!
Leave a Reply