7 Things You Can Do to Secure Your WordPress Website Share: Vandesign Web Development Date Published 20 August 2021 Categories Blog, Guide, Tutorial Reading Time 3-Minute Read Whether you built your WordPress site yourself, or hired an agency that specializes in WP, so you know it’s secure. But are you sure? 1. Hide Your ‘PLUGINS’ Folder Plug-ins are what make WordPress, well… WordPress. Hackers and other malicious users have a multitude of ways to expose your site’s list of installed plugins, which they will then use to search for exploits. In addition to removing unused plugins, you can hide the wp_plugins directory by placing an index file containing nothing but white space inside it so that anyone trying to view it in their browser is met with blank pages instead! 2. Set Proper File Permissions The permissions for directories and files can have a huge effect on the security of your site. If you set them incorrectly, anyone will be able to access any file within that directory with 777 permission – which is not advisable at all! The safest setting would be 755 for directories and 644 for files, making it so only those who are authorized in advance can make changes or read from these areas. 3. Try to Use as Little Plugins as Possible Extensive use of plugins never helps when speaking about WordPress security and performance. When developing your site, try to stay minimalistic with your plugins, especially the ones that have an impact on the front end. 4. Never Use Default “Admin” as a User Login Hackers often use brute force programs to guess usernames and passwords. A hacker will use a program to guess hundreds of usernames and passwords in order to get into your account. They start with common login credentials, like “admin”. To avoid this type of attack on your accounts, remove the word “admin” from any username and replace it with something unique that’s easy for you but hard for someone else. 5. Hide “wp-config.php” File by Moving One Folder Up WordPress is known for its ease of use, but some security (and other) precautions need to be taken. One precaution that many WordPress users are unaware of can make a huge difference in protecting your site: moving the wp-config.php file one directory above your web root so it’s hidden from public view and not accessible by browsers due to incorrect permissions or an unpublished exploit with version 1x For example, the path, /domain.com/public_html/wp-config.php would become /domain.com/wp-config.php. 6. Use Two-Factor Authentication Two-factor authentication adds an extra layer of security to your administrator panel login. Many exploits aim to gain access to the administrator panel to gain full access to the site. This implementation can alleviate any worries you have about password-related WordPress security risks. 7. Update Default “wp-admin” URL & Prevent Search Engines from Indexing Your Admin Login Page This is easy, effective, and prevents anyone from finding a direct link to your login page by simply searching for your site. To prevent search engines from indexing your admin login page, input the following line into your robots.txt file: Disallow: */wp-admin/