7 wordpress security tips

Most wordpress users think that the chance of getting attacked by a hacker is slim to none. The truth is that it happens more often than you think and unfortunately most people are not aware of that danger.

Have you noticed sometimes when searching on google that some results are labeled “This site may harm your computer”? Those are websites that have been hacked and therefore blacklisted by google. Needless to say, most users will freak out and might never visit your site again. Even if you manage to recover your site from such an attack, this would definitely give a bad reputation to your business.

I compiled a list of tips that can greatly improve the security of your wordpress website. Please note that the following tips apply to all versions of wordpress.

1. Use Strong Passwords

It may seem obvious but you would be amazed by how many users ignore this. No matter how much you work securing your website, a weak password can ruin everything. Your whole website’s security is dependent on that password. Do not even bother reading the rest of this article if your password is not strong enough.

Here are 3 tips when selecting your password:

  • Use something as random as possible (no single words, birthdays, or personal information)
  • Use at least eight characters. The longer the password the harder it is to guess
  • Use a mix of upper and lower-case letters and numbers. Passwords are case-sensitive, so use that to your advantage.

2. Keep WordPress Always Updated

It goes without saying that you always have to update your wordpress installation. If a vulnerability is discovered the wordpress development team will fix it by releasing a new version. The problem is that now the vulnerability is known to everyone so old versions of wordpress are now more vulnerable to attacks.

In order to avoid becoming a target of such an attack it is a good idea to hide your wordpress version number. This number is revealed in page’s meta data and in the readme.html file of your wordpress installation directory. In order to hide this number you have to delete the readme.html file and remove the version number for the header by adding the following line to your functions.php file of your theme folder.

<?php remove_action('wp_head', 'wp_generator'); ?>

3. Beware of Malicious Themes or Plugins

Some themes and plugins contain buggy or even malicious code. Most of the time malicious code is hidden using encryption so it’s not easily detectable. That’s why you should only download them from trusted sources. Never install pirated/nulled themes/plugins and avoid the free ones unless they are downloaded from the official wordpress themes/plugins repository.

Malicious themes/plugins can add hidden backlinks on your site, steal login information and compromise your websites security in general.

4. Disable File Editing

WordPress gives administrators the right to edit theme and plugin files. This feature can be very useful for quick edits but it can also be useful to a hacker who manages to login to the administration dashboard. The attacker can use this feature to edit PHP files and execute malicious code. To disable this feature add the following line in the wp-config.php file.

define('DISALLOW_FILE_EDIT', true);

5. Secure wp-config.php

wp-config.php contains some important configuration setting and most importantly contains your database username and password. So it is crucial for the security of your wordpress website that nobody will have access to the contents of that file.

Under normal circumstances the content of that file are not accessible to the public. But it is a good idea to add an extra layer of protection by using .htaccess rules to deny HTTP requests to it.

just add this to the .htaccess file on your website root:

<files wp-config.php>
order allow,deny
deny from all
</files>

6. Do not allow users to browse in your WordPress directories

Add the following line in the .htaccess file in the directory you installed wordpress:

Options -Indexes

This will disable directory browsing. In other words it will prevent anyone from getting the listing of files available in your directories without a index.html or index.php file.

7. Change username

Hackers know that the most common user name in WordPress is “admin”. Therefore it is highly advisable to have a different username.

It is best to set your username during the installation process, because once the username is set it cannot be changed from inside the admin dashboard but there are two ways to get around this.

The first way is to add a new administrator user from the admin dashboard. Then log out and log in again as the new user. Go to the admin dashboard and delete the user named admin. WordPress will give you the option to attribute all posts and links to the new user.

If you are more tech-savvy you can change your username simply by executing an SQL query. Go to phpmyadmin select your database and submit the following query:

UPDATE wp_users SET user_login = 'NewUsername' WHERE user_login = 'admin';

It is important to keep in mind that even if you implement all my advice you can never be 100% protected from hackers. But my tips should be sufficient decrease the chances of getting hacked.

Moving wp-config.php outside web root – is there any benefit?

WordPress uses a file named wp-config.php to store some important configuration settings. This file contains among other things, your database username and password. So it is crucial for the security of your website that nobody will have access to the contents of that file.

The configuration file (wp-config.php) is by default located in the root directory but under normal circumstances it’s contents are not publicly accessible. If you try to access it via a browser you will notice that it doesn’t produce any output.

It’s a very common advice though to move wp-config.php one directory above the root directory for security reasons. If WordPress is installed in the public_html directory, this in most server set ups means that you will have to move it to the /home/username directory.

If nobody can read the contents of that file they why should we secure it?

That’s a good question. The only reason to protect your configuration file is for the rare case when your server’s PHP handler gets broken or hacked and it’s content becomes visible as plain text to the public. In that case anyone will have access to your database username and password simply by pointing their browser to http://yourwebsite.com/wp-config.php. It’s true that moving wp-config.php up one directory will protect you database information but the best option for a number of reasons…

Why moving wp-config is not a good idea

  1. The only way for someone to see the content of wp-config.php is by bypassing the server’s PHP interpreter. If that happens you are in trouble anyway. It means that your server is hacked and the attacker will be have complete control of your site. so wherever you move wp-config he will be able to find it.
  2. Most hosting companies use open_basedir protection which means that if a php script tries to open a file, the location of that file is checked and if it is outside the directory specified by open_basedir it won’t open. So if a hacker manages to inject a malicious php script on your site it will give him access only to this specific directory. Moving your configuration file above root directory means that you have to expand the open_basedir scope in order to let PHP access scripts outside the web root. So every php script will now have access to every directory outside the web root. There is a lot of sensitive information outside the web root such as logs and backups. Giving PHP access to that information is not a good idea.
  3. You can protect wp-config.php by using htaccess rules to deny HTTP requests to it. That way you achieve the same level of protection without moving the file and without expanding open_basedir.
    just add the following piece of code to the .htaccess file on your website root:

    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

Here is my advice: do not move wp-config.php. there is no reason to move it when you can just deny HTTP requests to it from htaccess. That way you get the same level of protection without having to expand open_basedir.

Will securing wp-config.php make your website 100% bulletproof? certainly not. But it’s one more security measure that might discourage an attacker.

Don’t get too invested in securing this file though, because getting it’s content displayed as plain text is something very uncommon and it means that your servers security has been compromised anyway. Do not give priority to such a minor issue while ignoring stuff that really matters like keeping wordpress updated and using strong passwords.

how to write an article

Most bloggers don’t know how to write an article for human readers. Instead they are only interested in things like keyword density, spinning and taking advantage of the latest loophole in google algorithm that will enable them to rank their crappy articles for any keyword they wish.

I’ve seen a lot of bad practices in article writing and it’s really disappointing to see so many people focusing too much in search engine optimization, that they forget that what they really need is human readers.

People who publish low quality content realize after a while that no matter how much traffic they manage to get, nobody actually stays on their website. So if you want to build a real business online you must focus on quality content. There are no shortcuts.

After years of writing I have developed a certain process that helps me keep my articles quality, professional and compelling to read. By following this processs I am able to write an article in less that an hour and it can bring a lot of traffic to my website.

here is the 4 step process I use to write an article:

1. choosing a topic

The first thing you’ll need to do is to find what to write about and the best way to do that is by finding out what you are interested in. It goes without saying that your blog should be in a niche of your interest, otherwise you will always struggle finding topics to write about, and ultimately you will get disappointed and abandon your blog. So, don’t over-complicate this step. just figure out what it is that you are passionate about and move on to the next step.

2. keyword research

Once you have decided about the topic of your article you should do some keyword research. if for example the topic of your article is “how to write a blog post” go to the Google keyword research tool and search for that keyword. that way you will get a list of a lot of keywords relevant to your topic. Choose one of the suggested keywords as your primary and also choose some more as secondary keywords.

Focus on long tail keywords. These are keywords longer that 3 words which get small traffic but are typically easier to rank for because there is little competition. You can use SEOquake to analyze competition. This is a free Firefox plug-in that displays a lot of SEO information on search results and it can help you determine which keyword is the easiest to rank for.

Once you have found all the relevant keywords for your article you can start using them in your article. Use your primary keyword in your title and in the main body of your article at about 2% keyword density. This will make your article optimized for search engines. Higher keyword density is not recommended because it will make your article look spammy and Google will penalize you.

2. Reasearch your topic

Before writing your article it’s important to do some research. You have already compiled your list of keywords so start searching on google for each of those keywords and read as much information as you can. Do not underestimate the importance of this step. Research can make your article stand out and will increase the likelihood of having your article syndicated which can bring you a lot of traffic. Only if you are very familiar with the topic you might skip this step.

3. Start Writing

Length
Now have all the information you need to start writing your article. But before you do that you will have first to decide on the length of your article. Most people recommend that you write about 500 words, but unlike what most people I will advice you to write at about 700-1000 words. There reason is that a quality 1000 word article will greatly increase the chances of syndication.

Structure
An article in order to be compelling has to have some structure. You can’t just start placing one sentence after another. Every article I write consists of the following components:

  • Title: It’s the most important component because it’s the first impression a reader get from your article. If the title is not compelling enough chances are your reader will stop reading your article. Keep in mind that the title is what shows up on Google results and if it’s not catchy enough you will not get people’s attention. The tile also is an important factor for SEO so you have to include your keyword on your title if this is possible.
  • Introduction: first impressions matters. In the intro you will introduce your topic, mention all the main point you will discuss in your article, explain why you are writing this post, and provide a little background information if required. The primary aim of the introduction is to bring excitement so that your reader will continue reading. Also don’t forget to include your primary keywords phrase once in a way that looks natural.
  • Body: You must choose a way to structure your information with bullet points or sub-headlines (like in this article). That way you break up your content into small pieces which are easier to read.
    Another way to make your article more pleasing for the eye, is to add images and a video. A video will also increase the user engagement with your site and enhance the user experience which is a big factor in SEO rankings.
  • Conclusion: Do not overlook this part because a improper conclusion can destroy the article. Do not mention anything new in the conclusion. Keep it short summarizing what you just said and explaining your reader how to find further information on that subject. The conclusion is also the best place to add a call to action which can be a link to your product or an incentive for your reader to join your newsletter or an invitation to leave a comment. A call to action is a must. I can’t stress that enough. You will be amazed on how many people will respond to your invitation. do not overdo it though. Just one call to action on every post is enough.

4. Final Edits

Once you finish writing your post take some time to proof-read it by reading it out loud. This will help you find spelling and grammar mistakes. Also make sure you have included your keyword(s) in the title, the first paragraph and several times in the body of your post while making sure they do not look out of place or turn off human readers. If you target more than one keyword add your secondary keywords in your sub-headlines. Remember that you are writing for humans first and then for the search engines so make sure you are not affection the readability of your article by over-optimizing for the search engines.

So, tell me: How do you write your blog posts? What tips would you add? Leave your questions and comments below.