How to make your WordPress website more secure through some simple steps?

Securing your WordPress account to a next level.

  1. Bhawani Singh
    Some tips to secure your Wordpress account:

    1). Keep your wordpress account up to date:
    It is very important to keep your wordpress account updated, as most new versions of themes and plugins have security patches.
    -> UPDATE all cms, themes, plugins.
    -> REMOVE unused and unnecessary plugins and themes.
    -> Use Wordfence plugin for security.

    2). Protect access to your Wordpress admin section:
    One of the most important factors in wordpress security is the admin area. You have to give access to a limited number of persons to access your Wordpress admin section.
    It can be easily done by putting these lines in the .htaccess file in the Wordpress admin folder.
    -------
    <Files wp-login.php>
    order deny,allow
    Deny from all
    Allow from xx.xxx.xxx.xxx
    </Files>

    --------
    Here, xx.xxx.xxx.xxx is the IP to which you have given access. In case you want to allow access to multiple IPs, you simply have to add another line for each new IP.

    3). Don't use the "admin" username, and use a strong password:
    Most users use "admin" as the username, which is easily assumable, and attackers can easily guess it. Kindly avoid using the "admin" username; it will reduce brute force to a limit.
    Also, always use strong and complex passwords and avoid using these types of passwords (123456, password, etc.); they can be easily assumed by a normal person.

    4). Use two-factor authentication:
    Using two-factor authentication will increase your Wordpress security to a level. You can use mobile or email to authenticate login.

    5). Check that your PC is fully secured with antivirus and not compromised:
    A very big issue starts at our own end when our system is compromised with viruses and malware.
    You have to regularly scan your system at intervals to confirm security at your own end.

    6). Securing the wp-config.php file:
    You can move your wp-config.php file one level up above your wordpress install. It means you can move your wp-config.php file outside your root folder if wordpress is installed in the root folder.
    Also, change its permissions to 600 and make sure to deny access to it from anyone else. For that, kindly put this code in the .htaccess file:
    ----
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    ----

    7). Disable File Editing:
    Wordpress by default allows administrators to edit plugin and theme files. Entering the following constant in wp-config.php disables editing from within the administrative interface.
    -----
    define('DISALLOW_FILE_EDIT', true);
    -----

    8). Delete readme and unnecessary files.

    9). Limit Login attempts:
    By limiting login attempts, you can secure your account to a level. If any hacker or bot is attempting brute force on your account, it will restrict the IP after several failed login attempts.
    There are many plugins available in the market to limit login attempts. You can use any one of them.

    10). Do not allow search engines to browse your directories:
    You can increase your wordpress security by disallowing search bots from browsing your directories. The robots.txt file is used to direct search engine robots as to which parts to avoid and which parts to crawl. When a search engine bot comes to your site, it follows the robots.txt file first to index your site. To do this, you have to put these lines in your "robots.txt" file.
    -----
    User-agent: *

    Disallow: /wp-admin/
    Disallow: /wp-content/
    Disallow: /wp-includes/
    Disallow: /xmlrpc.php
    Disallow: /wp-
    Disallow: /feed/
    Disallow: /trackback/

    -----

    11). Prevent directory listing of your account:
    You can prevent directory listing for everyone by simply putting this code in the ".htaccess" file.
    -----
    Options -Indexes
    -----

    12). Prevent PHP Files from executing:
    Our experience says hackers put their PHP files in the /wp-includes/ folder or in your /wp-content/uploads/ directory. Usually these are .php files with names that somewhat seem like WordPress core files, but they are not.
    What you can do for this is prevent PHP file execution in certain directories. You can put this code in the ".htaccess" file to prevent PHP execution.
    --------
    <Files "*.php">
    Order Deny,Allow
    Deny from All
    </Files>

    --------
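As an added example (not part of the post above), here is a small audit script that checks, on disk, the items from the answer that leave a file-level trace: the wp-config.php location and 600 permissions, DISALLOW_FILE_EDIT, the `Options -Indexes` and `<files wp-config.php>` stanzas in .htaccess, the `<Files "*.php">` block in the uploads directory, and the /wp-admin/ disallow in robots.txt. The sample install it builds in `demo()` is constructed and hypothetical, with everything applied except the uploads PHP block, so that one check comes back False.

```python
import re
import stat
import tempfile
from pathlib import Path

def audit_wordpress(root: str) -> dict:
    """Check, on disk, the hardening items from the post that leave a file-level trace.
    Returns a name -> bool map; False means that hardening is missing."""
    root = Path(root)
    r = {}
    # 6) wp-config.php may sit in the install root or one level above it.
    cfg = next((p for p in (root / "wp-config.php", root.parent / "wp-config.php")
                if p.is_file()), None)
    r["wp_config_present"] = cfg is not None
    cfg_text = cfg.read_text(errors="replace") if cfg else ""
    r["wp_config_mode_600"] = cfg is not None and stat.S_IMODE(cfg.stat().st_mode) == 0o600
    # 7) DISALLOW_FILE_EDIT must be an active (uncommented) define set to true.
    r["file_edit_disabled"] = bool(re.search(
        r"^\s*define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", cfg_text, re.M | re.I))
    ht = root / ".htaccess"
    ht_text = ht.read_text(errors="replace") if ht.is_file() else ""
    # 11) "Options -Indexes" stops directory listings.
    r["indexes_disabled"] = bool(re.search(r"^\s*Options\b.*-Indexes", ht_text, re.M | re.I))
    # 6) and 12) both rely on a <Files> stanza that denies everyone; same test for both.
    def denies_all(name_pattern: str, text: str) -> bool:
        return bool(re.search(r"<files\s+\"?" + name_pattern + r"\"?>.*?deny\s+from\s+all.*?</files>",
                              text, re.S | re.I))
    r["wp_config_blocked"] = denies_all(r"wp-config\.php", ht_text)
    up = root / "wp-content" / "uploads" / ".htaccess"
    r["uploads_php_blocked"] = denies_all(r"\*\.php", up.read_text(errors="replace") if up.is_file() else "")
    # 10) robots.txt should keep crawlers out of /wp-admin/.
    rb = root / "robots.txt"
    r["robots_disallow_admin"] = bool(re.search(
        r"^\s*Disallow:\s*/wp-admin/", rb.read_text(errors="replace") if rb.is_file() else "", re.M | re.I))
    return r

def demo() -> dict:
    """Constructed sample install (hypothetical, for offline use): everything
    from the post is applied except the uploads/.htaccess PHP block."""
    root = Path(tempfile.mkdtemp()) / "wp"
    (root / "wp-content" / "uploads").mkdir(parents=True)
    cfg = root / "wp-config.php"
    cfg.write_text("<?php\ndefine('DISALLOW_FILE_EDIT', true);\n")
    cfg.chmod(0o600)
    (root / ".htaccess").write_text(
        "Options -Indexes\n<files wp-config.php>\norder allow,deny\ndeny from all\n</files>\n")
    (root / "robots.txt").write_text("User-agent: *\nDisallow: /wp-admin/\n")
    return audit_wordpress(str(root))
```

Run `audit_wordpress("/path/to/wordpress")` against a real install root; any False entry points at one of the numbered steps above that is still missing.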