Takeaway: Wordpress has powerful default security measures already in place, but it doesn’t hurt to enhance that security with tweaks that will make it even harder for hackers and bots from accessing your site and website files.
Use SSL
SSL allows you to securely transact over the internet. If you run a Wordpress-powered e-commerce site, using SSL ensures that all your data is encrypted during transfer, making it impossible to read it if it is intercepted. To force Wordpress to use SSL, ensure that your hosting server is SSL-enabled. After confirming that it can handle SSL, navigate to the root of your Wordpress installation and open the wp-admin directory. Open the wp-config.php file and add the following code:Define (‘FORCE_SSL_ADMIN', true);
The above code defines the FORCE_SSL_ADMIN constant and sets it to always TRUE so that users, by default, are always using the secure SSL connection when accessing your site.
Protect using .htaccess
.htaccess files are powerful configuration files that can be used to control many aspects of your web server. You can make page redirects, password-protect your directories and subdirectories and perform a bunch of other security enhancements. In this case, we want to use .htaccess to restrict access to our Wordpress files. One of these files is the wp-config.php file, which contains the site’s database information like usernames, passwords and so on. Ensure that you create a backup of the .htaccess file before continuing. Once you do that, open the file and add the following code:<files wp-config.php>
Order allow, deny
Deny from all
</files>
The above code ensures that no bots can change your Wordpress configuration file by preventing access to it.
You can also configure .htaccess to prevent other sites from hot-linking to your content, especially your images. Hot-linking consumes your server’s bandwidth which is something you don’t want happening especially if you have a limited bandwidth subscription. To prevent content scrapers from hot-linking, add the code below to your .htaccess file:
RewriteEngine On
#Replace ?mysite\.com/ your blog url goes here
RewriteCond %{HTTP_REFERER} !^http://(.+\.) ?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
#Replace /images/nohotlink.jpg with your "don't hotlink" image url
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]
Once you save the file, websites that try to link to your images will display the ‘nohotlink.jpg image file. You can even change the nohotlink.jpg file to display something else, say an image with your website address.
Hide your Admin login
When you are logged in as the admin of your Wordpress website, anything you do such as posting and commenting will be displayed as “By Admin” on your posts and pages. This alerts hackers and other malicious people that your admin account is still in existent and there lies the possibility of brute force attacks on your site. To remove your admin account, navigate to your Wordpress editor and paste the code below to the functions.php file:Function remove_comment_author_class ($classes) {
Foreach ($classes as $key => $class){
If (strstr ($class, "comment-author-")) {
Unset ($classes [$key]);
}
}
Return $classes;
}
Add_filter (‘comment-class', ‘remove_comment_author_class');
Hide error messages
Hackers can also identify your site vulnerabilities by simply reading error messages when something goes wrong with your Wordpress site. To remove these error messages, add the following code to your functions.php file:add_filter('login_errors',create_function('$a', "return null;"));
The above tweaks can be implemented immediately with immediate benefits to your Wordpress-powered website.