In my previous post we shown a comparison of security plugins. I am trying to post everything for DIY user of wordpress. So that you can learn wordpress security and you don’t need to hire a wordpress security expert and save your money. With that phase today we will discuss about 10 WordPress Security Tips for DIY users. So lets get started.
Top 10 WordPress Security Tips for DIY users:
- Change the Default “admin” username
- Disable File Editing
- Disable PHP File Execution
- Limit Login Attempts
- Change WordPress Database Prefix
- Password Protect WP-Admin and Login
- Disable Directory Indexing and Browsing
- Disable XML-RPC in WordPress
- Automatically log out Idle Users
- Add Security Questions to WordPress Login
Change the Default “admin” username
Once upon a time every webmaster used “admin” username for their dashboard. So it is easy to guess the username for a malicious hacker and harm your website. So, you need to change your default “admin” username. There is 3 ways to change WordPress Admin Username
- Manually change the default admin username in WordPress
- Via Plugin
- Using PHPmyAdmin
Manually change the default admin username in WordPress
This a very easy and effective method to change username in wordpress. To complete this method follow these steps:
- Log into your Dashboard. On the left-hand menu, hover to Users and choose Add New.
- Fill in all required information. You should give it a harder-to-remember username (that’s our purpose). In the Role drop-down menu, choose Administrator so that this new user has the right as an admin. Then hit Add New User.
- Hover to the top right of the page to log out.
- Now log in again to your Dashboard but by new user account.
- Choose to view All Users in Users section. Hover to the default admin and click on Delete.
- To save all the contents you have previously created with the old admin account, tick on Attribute all content to. And from the drop-down menu choose the new admin username.Finally, Confirm Deletion.
Disable File Editing in WordPress
WordPress has a default theme and plugin editor within it’s dashboard. If it is in wrong hand it could be dangerous. So you need to disable this feature of wordpress. To do this:
- Open up your wp-config.php file in a text editor.
- Anywhere above the line in that add the line
define( 'DISALLOW_FILE_EDIT', true );
- Save the file.Check your WordPress dashboard, you should no longer see (even on an Administrator account), the links at “Appearance > Editor” and “Plugins > Editor”.
Limit Login Attempts on WordPress
If you do not enable this your website can be hacked by brute force method. So you need to Limit Login Attempts on WordPress. There is several plugins what does this. You can find Best WordPress Security Plugins in this article.
Change WordPress Database Prefix
As you already know wordpress is a very secured and flexible content management system. Though you need a hard security for your website. So that no hacker can bypass your security. WordPress default table prefix is: “WP_” what is common. So you need to change this. There is two method for changing this:
- CHANGING THE DEFAULT DATABASE TABLE PREFIX BEFORE INSTALLING WORDPRESS
- CHANGING THE DEFAULT DATABASE TABLE PREFIX AFTER INSTALLING WORDPRESS
CHANGING THE DEFAULT DATABASE TABLE PREFIX BEFORE INSTALLING WORDPRESS
- Open your wp-config.php.
- find $table_prefix = ‘wp_’;.
- And replace the “wp_” with your own prefix. Such as: “wp1234_”.
- Hit save and continue to install
CHANGING THE DEFAULT DATABASE TABLE PREFIX AFTER INSTALLING WORDPRESS
Before you begin Create a backup of your wordpress website. Now proceed:
- Open your wp-config.php.
- find $table_prefix = ‘wp_’;.
- And replace the “wp_” with your own prefix. Such as: “wp1234_”.
- Hit save
- Open phpMyAdmin and select your desired Database.
- Now one way to do that is to rename each table manually.
- To make things faster, here’s a list of SQL commands that you can run to rename all 12 of the default WordPress tables:
RENAME table `wp_commentmeta` TO `wp_ a1b2c3d4_commentmeta`; RENAME table `wp_comments` TO `wp_ a1b2c3d4_comments`; RENAME table `wp_links` TO `wp_ a1b2c3d4_links`; RENAME table `wp_options` TO `wp_ a1b2c3d4_options`; RENAME table `wp_postmeta` TO `wp_ a1b2c3d4_postmeta`; RENAME table `wp_posts` TO `wp_ a1b2c3d4_posts`; RENAME table `wp_terms` TO `wp_ a1b2c3d4_terms`; RENAME table `wp_termmeta` TO `wp_ a1b2c3d4_termmeta`; RENAME table `wp_term_relationships` TO `wp_ a1b2c3d4_term_relationships`; RENAME table `wp_term_taxonomy` TO `wp_ a1b2c3d4_term_taxonomy`; RENAME table `wp_usermeta` TO `wp_ a1b2c3d4_usermeta`; RENAME table `wp_users` TO `wp_ a1b2c3d4_users`;
- MODIFY THE OPTIONS TABLE
SELECT * FROM `wp_ a1b2c3d4_options` WHERE `option_name` LIKE '%wp_%'
- MODIFY THE USERMETA TABLE
SELECT * FROM `wp_ a1b2c3d4_usermeta` WHERE `meta_key` LIKE ‘%wp_%’
This will change prefix of your website.
Password Protect Your WordPress Admin (wp-admin) Directory
This can be done in two methods. Such as:
- Direct From Cpanel
- Manually with help of .htaccess
Create A Password Protected Directory Directly From cPanel
- Login to your cpanel
- Navigate to security section
- Click on Directory Password.
- Type your password and save.
Create A Password Protected Directory Manually
- Login to cpanel or ftp
- Create a file with dot (.) such as: “.wpadmin”.
This will create file under /home/<username>/public_html/wp-admin/.wpadmin location.
- Go to
- Enter Username and Password
- You will see username and password combination like this:
- Now open .wpadmin and paste the username and password combination.
- Now create a .htaccess file in wp-admin directory. And paste these lines in the .htaccess:
Disable Directory Indexing and Browsing
Some WordPress folders like wp-content or wp-includes contain sensitive data. As you know, the wp-content folder contains your themes, plugins and media uploads. Anyone can simply surf through those media files and hackers can find potential exploits. So that's why you need to disable directory indexing and Browsing. To do this:
- Open your .htaccess and Paste the line:
Options All -Indexes
Disable XML-RPC in WordPress
The XMLRPC allows remote connection to WordPress. So you need the xml-rpc for your wordpress website for so many advance works. But if you don’t need this you need to disable this. This can be done using a plugin or manually using .htaccess. I am showing you the .htaccess method. Cause it is manual and it is effective. You can find so many plugins but you won’t find .htaccess method. To do this add these lines into your .htaccess:
# Block WordPress xmlrpc.php requests <Files xmlrpc.php> order deny,allow deny from all allow from 18.104.22.168 </Files>
Automatically log out Idle Users In WordPress
You need to log out automatically idle users. Otherwise malicious users can use session hijacking and hack your website. To do this you need to add a plugin idle users logout plugin or you can use any of the best wordpress security plugins.
Add Security Questions to WordPress Login
- Install a plugin WP Security Question .
- Navigate to Settings » Security Questions
- Type your security questions and done.
- Check your wp-login.php page
This was a very long post. With this post you will understand and learn a lot of things about wordpress security. This will help if you are newbie to wordpress security or if you are a DIY(Do It Yourself) user. If you are not DIY user you can simply use our contact us and message us if you need any wordpress maintenance service or wordpress security service.
WordPress is a very popular CMS. It has a lot of features, functionalities and facilities. It is easy to Maintenance WordPress Website. To Maintenance of WordPress you need to follow some steps regularly basis. Though if you are not a wordpress expert, you don’t know coding you can do maintenance of wordpress website. The list of WordPress Maintenance may be infinite but you will know what is necessary and why it is important.
TABLE OF CONTENTS
- Back Up WordPress Website
- Regularly Update WordPress Core, Your Theme, and Your Plugins
- Optimize Your Database
- Scan Your WordPress website for Secuirty
- Use a SEO plugin
- Maintaining Your Website Content
- Speed Optimization
Back Up WordPress Website
You need to backup of your WordPress Website regularly. It is so important to take back up of your wordpress website.
Why your backup is so important:
- Website Got hacked, You can restore from recent back up.
- Website got messed up, You can restore from recent back up.
- Website’s Data Deleted, You can restore from recent back up
To take back up check : How to do back up in WordPress
Secret Tips: If your Hosting is down or you cannot pay bill to the host that’s why website is down what will you do? You need to take back up of your website to your computer or free clouds such as: google drive, Dropbox or any other platform.
Regularly Update WordPress Core, Your Theme, and Your Plugins
The most mistake what a webmaster or website owner do is once his website is complete he doesn’t update the website. He just sits and linger forever without having to touch it. WordPress is under constant CMS. It provides daily bug fixing, daily new feature adding and daily security fixing. It means the code is updating constantly.
Not only wordpress core you need to update. You also need to update your plugins and themes as well.
Why you need your theme and plugins update:
- Because of security issues
- Because of Compatibility
- Up to date with latest technology
- Because of Website Speed.
- Because of maintaining Search engine Ranks.
Optimize Your Database
WordPress is a database driven content management system. You need to do database optimization. Cause over time your database can be bloated and full of extra junk. Such as:
- Post revisions: if you hit “Save Draft”, “Publish” or “Update” multiple times over the life of your site, a new revision is saved to the database. This adds up over time.
- Deleted posts.
- Unapproved or spam comments.
- Unused categories and tags.
If you want to optimize your wordpress database check this article: How to Optimize database in wordpress
Scan Your WordPress website for Secuirty
I previously mentioned several times about wordpress security. As you know WordPress is a under constant developing cms so it has a lot of security issues. To prevent malicious activities on your website you need to use a security plugin.
To scan your wordpress website for security check this article: How to completely scan a WordPress site
Use a SEO plugin
To keep track in search engine or maintaining search engine you need to use a SEO plugin. The plugin what will automatically complete your SEO work. Such as: sitemap building, webmaster connection, social media correction and etc.
For this kind of SEO automated work I suggest Yoast Plugin.
Maintaining Your Website Content
Do you know what is the heart of a website? It is the content. You need to keep update your content on a regular basis. This will help you to keep rank on search engine. It will reduce the bounce rate. It will increase visitor and ultimately it will provide you a good amount of sales.
The most and important thing checking website’s speed on a regular basis. You need to check your website speed continuously. Around 73% internet users leave your website because of slow website.
In our Speed Optimization Blog you can find so many good amount of article where you learn speed optimization easily.
Wrap it up
I have provided you most important parts of wordpress maintenance. I hope you will do these tasks on your website and make your website better. If you don’t have much time to maintenance your wordpress website. Then feel free to Contact Us.
Many of the webmaster claim they cannot do wordpress database backup. I thought I should write about wordpress database backup. This post will divided into two section one is Manually another is Automatic. So wrap it up and start!
Why you do wordpress database backup
If your website got hacked or you are having plugin error after updating or any conflicting issues then most of the time you cannot access wp-admin. In that case you need to upload your backup.
In other words as you cannot access your wp-admin, so you need a manual backup. Cause you cannot install a backup plugin and backup wordpress.
So, You need backup manually or automatic. Cause nobody knows when your site will causes problem.
WordPress Database Backup Manually Using phpMyAdmin
I think you already know what is PHPMYADMIN. I don’t think I need to explain that. At first collect your Database name, User Name and Password from your wp-config.php
Now from cpanel go to Database then click PHPMYADMIN
Click on your Database > Export.
Now export screen will appear. Then click on go and your Database will be downloaded as SQL format.
WordPress Database Backup Automatically
If you are using good hosting company like bluehost, siteground etc. they has options for automatic backup in their panel. You can scheduled back up from the hosting panel.
If your hosting company doesn’t provide you a backup system. Then you have to use a plugin for automatic backup of wordpress. Here I am listing some plugins for backup:
UpdraftPlus WordPress Backup Plugin: It allows you to create complete backup of your WordPress site and store it on the cloud or download to your computer. Or you can save your backups to Dropbox, Google Drive, S3, Rackspace, FTP, SFTP, email, and several other cloud storage services.
Duplicator – WordPress Migration Plugin: This is the popular plugin for WordPress Backup. Also you can do migration with this plugin.
Wrapping it up!
That’s all, we hope this article helped you learn how to do WordPress database backup. If you are having error in wordpress check our WordPress Error Fix Category.