The Basics of WordPress Security Settings for Beginners

As the world’s most popular open source CMS, WordPress is a common target for lots of miscreants of the web. From young wanna be hackers to more sophisticated malicious code distributors.

As a software, WordPress is very secure. These hackers look for is websites where users have unintentionally left something unchecked, leaving their sites vulnerable. Defending against most common vulnerabilities is quite easy in WordPress and we decided to cover some of the basics of WordPress security settings for beginners in this article.

By the end of this article, you will have some basic understanding of WordPress security settings that you can apply with very little effort.

Passwords are the most common entry points to any system on the web. Whether it is your email account, cloud storage, web hosting, or your WordPress site. All your passwords are linked together, losing one crucial password such as your email account can result into complete identity theft. Hackers can fill out forgot password links on your other online accounts and can completely erase all traces of you from the internet. We are not trying to scare you, its very real and its happening to lots of people.

Each year 13 million Americans, or 5% of the entire U.S. adult population, are victims of identity theft.

Passwords are most common cause of identity theft, hacking, and other illegal online activities. This is why everyone keeps reminding you that you need to use strong passwords using a combination of letters, numbers, and special characters. The problem with strong passwords is that they are hard to remember.

This is where password managers come in. Using software like 1Password and LastPass you can forget about ever typing any passwords again. These easy to use utilities are available on all platforms, devices, and browsers. They can automatically generate strong passwords for you, store all your passwords in a secure vault, and can automatically fill in all your passwords for you.

As a WordPress user, you don’t just need to use a strong password for your WordPress admin area. A typical WordPress site uses many other things that can be accessed with the password. Like your web hosting account, FTP username and password, MySQL username and password, etc. You need to make sure that you are using unique and strong passwords at every entry point. This will make your WordPress site quite secure from the most basic hacking attempts.

Your WordPress login page is easily accessible by anyone and so is your WordPress admin directory /wp-admin/. This leaves your website vulnerable to brute force attacks.

Brute force attacks are a common technique used by hackers to try thousands of password combinations on your WordPress login page. If you are using stronger passwords, then this will make it quite difficult for them to crack. However, most such attempts are made by automated scripts which won’t give up and keep trying for hours. If your web server has limited resources, then this could slow down or even make your website inaccessible.

The easiest way to deal with is by blocking the access to your WordPress login page and admin directory by using .htaccess password protection. First you need to create a .htpasswd file. Go to htpasswd generator, enter a username and password that you want to use, and click on create .htpasswd file button. It is important to note that usernames are case sensitive. Using JohnSmith is not the same as johnsmith.

This will generate a .htpasswd file for you. Basically it will encrypt your password and will show you something like this:

You need to copy this and paste it in a text file using a plain text editor like Notepad. Save this file as .htpasswd and then upload it to your web server using FTP.

While uploading the .htpasswd file, you need to make sure that you store it outside your site’s root folder. For example, if your site’s root directory is /var/www/example.com/public_html/ then you need to upload the file to /var/www/example.com/ directory.

After uploading your file, you need to create a blank .htaccess file in your site’s wp-admin folder. Add these lines at the end of the file.

Replace AuthUserFile path with the path where you uploaded your .htpasswd file, and replace JohnSmith with the username you used in your .htpasswd file.

There are lots of WordPress users who believe that since their site hasn’t been hacked in years, they probably don’t need WordPress backups at all. Some users believe that their web hosting companies make backups so they don’t need to. Well both these assumptions are wrong.

Even the most secure sites on the internet get attacked and hacked. Each year people lose millions of dollars worth of data because of corrupt or no backups. If you read your contract with your web hosting company, you will notice that you cannot held them responsible incase of data loss. It is in their terms of conditions and they need to add it even if they are careful about backups, because as we mentioned earlier data loss is a multi-million dollar industry.

This is why it is so crucial that you setup your own backup solution. There are plenty of free and paid WordPress plugins that allow you to setup a completely automated backup system. These plugins can make backups of your entire WordPress site on your desired schedule. They can even automatically upload those backups to a remote location like your dropbox, Google Drive, and other cloud services.

If you are looking for a free backup plugin, then give BackWPup a try. Alternately you can try BackupBuddy which comes with one year of support.

Nope, while these three steps will lay out a basic secure environment for your WordPress site. But there are so many other things that you can do to improve your WordPress security. In the upcoming articles, we will discuss WordPress security best practices for advanced users as well.

We hope this article helped you make your WordPress site a little bit more secure. If you have any questions, feel free to post a comment below!