Top 3 WordPress Security Steps to Take
There are a lot of things that anyone can do to improve the security of their WordPress site. Yet there are some that are essential and simple steps that can be taken and I’ll show you what they are.
1- Username/Password
I have found many sites still using the name admin as a username and this is a big no-no. Hackers know that the default WordPress username will be admin so this makes their brute force attack jobs easier. This should be changed to anything, preferably something that is different than the name of your website. A password should also be set that has a combo of numbers and letters; of course you already knew that.
2- Disable Editor
WordPress allows users to edit their plugin and theme files in the admin interface by default. This is a simple security risk that many non-developers are unaware of or don’t consider. To see if you have this access, hover over Appearance and you will see Editor at the bottom. If its not there, then you’re developer knows his shit.
The goal is to protect intruders from getting into the admin area of the site. In case that fails, then at least we should prevent them from changing files on our server. File changes should be done via FTP on your server where you would need login access to it. To remove this access in the admin, you will need to FTP into your server and in your wp-config.php file add the following line in it:
define('DISALLOW_FILE_EDIT', true);
3- iThemes Security
If step 2 is complicated or you don’t want to mess with your server; no problemo amigo. There is a plugin that can you let you do the work in the admin area. I recommend everyone use this plugin for security and it’s iThemes Security. It gives you options to protect you from local and network brute force attacks. It allows you to block users who run into a lot of 404 pages; the default setting is twenty 404 pages. If someone lands on that many 404 errors, it typically means they’re scanning for a vulnerability on your site. You have the option to ban their IP address and never have to worry about that person again. If you’re really serious about protection, you can change the login url from the basic yoursite.com/wp-admin. The way to do that is to go the advanced options in the settings and click on Hide Backend settings. There will you have the option to change the login url to yoursite.com/badmuthatrucka or whatever you like.