WordPress Is Worlds Largest Blogging Platform .Lot of popular blogs are using wordpress software.Wordpress have lot of users not only users but also hackers.If your website generates a lot of traffic, then hackers will aim at these sites to steal sensitive personal information.So as an Administrator or Editor-in-Chief of your WordPress blog it is very essential to use these security tips and keep the hackers away.so you need to take care of your wordpress blog.

Here are some of our tips for keeping your WordPress website or blog more secure and less susceptible to malicious attacks.

Security Tips To Protect WordPress Blogs

WordPress Security :

1) Always Use Latest Version Of WordPress

Upgrade WordPress To Latest Version

As soon as an upgraded version is released, try to upgrade your blog. You can use the WordPress Automatic Upgrade plugin to upgrade to the latest version. Any major security issues will be likely to be fixed in the upgrade.

2)Update Your WordPress Plugins

The plugins that you use are all developed by third party programmers; thus they are more vulnerable to hackers than WordPress itself. It is recommended that before you start using a plugin, check the profile carefully and read the comments and stats. Also, update your plugins regularly.

3)Use Strong WordPress Account Passwords

In addition to adding a secret key to your wp-config.php file, also consider changing your user password to something that is strong and unique. WordPress will tell you the strength of your password, but a good tip is to avoid common phrases, use upper and lowercase letters, and include numbers. It’s also a good idea to change your password regularly — say once every six months.

4)Install WordPress Security Plugins

Security Plugins For WordPress

There are many WordPress security plug-ins that you can install to keep your site secure, like WP Security Scan and WP Exploit Scanner. You can use WP Firewall or WP Antivirus also.

5)Protect your WP Admin folder

You may add a .htaccess file to your WP admin folder; this restricts access by blocking all IP addresses except the ones you use. Below is the .htaccess code to do so. Make sure that you place this .htaccess file in the WP-Admin folder. If you place it in the root directory of your WordPress blog then only you’ll be able to access your site. So be cautious when dealing with such htaccess commands.

Allow WP Admin Folder Access only to a specific IP

order deny,allow
deny from all
allow from 1.1.1.1

Change 1.1.1.1 to your own IP Address. If your blog is multi-authored or has multiple owners then add another allow command with your partner’s or guest blogger’s IP. Now, I know many people have Dynamic IP. So if you allow your current Static IP then you will be blocked when you reconnect and try to access your blog.

To avoid such a situation you need to allow Dynamic IPs. But that would mean, that some people apart from you can also access the WP Admin folder. Here is the code for blocking Dynamic IP.

Allow Access to a Dynamic IP

order deny,allow
deny from all
allow from 1.1.1.*

We use the Wildcard character (*) here. This means anyone with the IP 1.1.1.0 to 1.1.1.255 can access your WP Admin folder.

6)Don’t use ‘admin’ username

As of version 3.0, WordPress have the option to change your admin username into whatever you like. I encourage you to do so. Anybody who tries to get into your WordPress admin section will try with ‘admin’ as a username. If you change it, potential hacker has to hack both username and password.

If you are running older version of WordPress (which I do not recommend), you can change admin username directly in the database. Open your phpMyAdmin and run this query:

UPDATE wp_users SET user_login = 'your_new_login' WHERE user_login = 'admin';

7)Move your wp-config.php file

In your wp-config.php file there is database connection info as well as other data that should be kept from anybody to access. From WordPress 2.6 you can easily move this file from root folder location.

To do this simply move your wp-config.php file up one directory from your WordPress root. WordPress will automatically look for your config file there if it can’t find it in your root directory.

This way, nobody except a user with FTP or SSH access to your server will not be able to read this file.

8) Limit wordpress admin access by IP address

Any visitor with web access can visit your WordPress login page and take a guess at your admin password. If they get it right, they’ll have full control of your site.

What you can do is Restrict the WordPress admin folder to allow access only from your computer, or a small group of computers. To limit access by IP, create an .htaccess file in your /wp-admin/ folder (not in WordPress root) containing the following code:

order deny,allow
deny from all
# allow IP address
allow from XX.XX.XXX.XXX
# allow IP address
allow from XX.XX.XXX.XXX

Just google “what’s my IP” and you can find your IP address. Once you’ve done this, visitors without the allowed IP address will see a 404 message if they try to access your admin area or login.

9) Use Secret Keys

This is probably the most followed security tip on the list, but still I’m amazed at how many people don’t do this. A secret key is a hashing salt that is used against your password to make it even stronger. Secret keys are set in your wp-config.php file. Simply visit https://api.wordpress.org/secret-key/1.1 to have a set of randomly generated secret keys created for you. Copy the 4 secret keys to your wp-config.php file and save. You can add/change these keys at any time, the only thing that will happen is all current WordPress cookies will be invalidated and your users will have to log in again.

10)Back up Your WordPress Blog Regularly

This is not a security tip, but is related. If someone hacks your site and you don’t have a backup, it will be very difficult to return the site back to its previous state.Regular backup is a must. There is a great list of WordPress Backup Plugins available here.