How to make your WordPress website more secure

Why security is needed

Now blogging has become a hobby for many people , and WordPress Is the most popular platform . By default ,wordpress Blogs use the lowest level of security , And its files and / Or plug-ins may often be outdated . These files are traceable and vulnerable to hackers . The Internet is not a safe workplace , You must fully understand how to ensure safety .

This article introduces some simple tips and techniques that beginners can implement , To ensure that their blogs and are stored in WordPress Security of information on .

Tips #1 Use only 、 Secure user name and password

• Avoid using default Administrators
• Users can also create new users with administrator privileges and delete old users “ Administrators ” user name .
• Such as Username Changer And so on. WordPress The plug-in can also be used to change the user name to a more secure name . Try to avoid using common user names , for example usernames or administrator, These user names are easy to guess .
• Select by letter 、 A complex password consisting of numbers and characters . Don't choose a user name 、 Website name or simple word similar password .
• It is recommended to use random strings .

Tips #2 Enable two-step verification

1. Users need to have a WordPress account , You can create... By clicking here . If the user already has WordPress account , Please skip this step .

2. single click here Enable two-step verification . The user is redirected to the following page .

3. When you click start, the following screen appears

4. Select the SMS verification option .

5.WordPress The verification code will be sent by SMS , The user needs to enter the verification code to verify the number .

6. Correctly enter the code sent to your mobile phone . A pile of spare codes should then be provided , If the mobile phone is stolen or lost or the mobile phone cannot be accessed to obtain the code , You can use it as an alternative to accessing your site . Save the code in a text file .

7. You have now enabled two-step verification .

Tips #3 The use of plug-in

To prevent violent attacks , There are two great plug-ins

• All in One WP Security & Firewall The plug-in has an option , You can simply change the default of the login form URL (/wp-admin/). This plug-in also helps limit access from a IP Number of attempts to log in to the address .
• The other is 　BruteProtect. The plug-in was recently WordPress The creator of the Automattic Acquisition . The plug-in will automatically protect the user login form from IP The impact of address , these IP Addresses tend to make multiple login attempts .

Tips #4 take wp-config Move a directory up and lock it

• Users can wp-config.php File move to WordPress Install the directory above . This means that for sites installed in the root directory of your website space , You can take wp-config.php Stored in web-root Outside the folder .
• This is it. wp-config The appearance of ：

If you are using a server with .htaccess, Please add this code to the top of the file , To deny anyone access to it ：

<files wp-config.php> order allow,deny deny from all </files>

Tips #5 keep WordPress to update

Suppose the user has installed Wamp The server ：

1. start-up wamp The server
2. Use localhost open WordPress Site
3. Under the dashboard section, click Update

4. As far as I'm concerned , I have updated my WordPress. So for me , It shows “ You already have the latest version ”.

5. For those who already have the latest version , There will be an update option . Click on it . complete ！！

Tips #6 Change file permissions

The server has shell Users with access rights , You can use the following command to recursively change file permissions ：

For directory ：

lookup /path/to/your/wordpress/install/ -type d -exec chmod 755 {} ;

For the file ：

lookup /path/to/your/wordpress/install/ -type f -exec chmod 644 {} ;

Tips #7 Schedule regular data backups

• Back up data on a regular basis , Including your MySQL
• Data integrity is very important for trusted backups .
• A good backup plan may include putting the entire WordPress install （ Include WordPress Core files and databases ） A set of periodic snapshots of is saved in a trusted location .

Tips #8. Delete the readme file and any unnecessary files

• WordPress There is a default readme.html, And many plug-ins and themes that follow .
• They should be deleted , Because they can be used for fingerprint identification or general snooping , And usually contains version information .
• Delete all junk files from the folder .

Tips #9 Enable SSL Sign in

· If the site has SSL certificate , You can enable SSL Sign in .

· To enable the SSL, Your site must be usable https visit .

• Add the following code to wp-config In file

define('FORCE_SSL_LOGIN', true);//  For login only define('FORCE_SSL_ADMIN', true);//  For the entire administrator 

Tips #10： inquiry Apache Password protection

- This plug-in allows users to better control their blog in terms of security
- Users can go through... In simple steps 401 Authorize to protect your website .

The plug-in can be downloaded from Here to download .