WordPress is a great publishing platform, but because it is an open source platform it opens a huge gateway to attacks from hackers, spammers and others. Keeping the installation, and the whole of your WordPress website, secure is your primary responsibility. It does not take huge effort, only regular, timely effort.

Many people, including my clients, have asked me what they can do to prevent such things. The answer is that the first thing any WordPress blog needs is attention to security: if your website is not secured, it is easy for anyone to get into it and do as they please.

In this article I have compiled a five-step guide you can use to perform your own security audit. Doing so keeps your website safe, and a regular security check also keeps it healthy for the long run. I run the audit from time to time and consider it an important step; make it a habit of your own too.

Happy Auditing!

1. Delete the default “admin” account and create a new administrator user with a different login name. Avoid generic login names such as “administrator” or “test”.

2. Always use a random, 12-character gibberish password.

3. Install and activate the Secure WordPress plugin, which beefs up the security of your WordPress installation by removing error information from login pages, adding index.html to plugin directories and hiding the WordPress version.

4. Install and activate the Login LockDown plugin, which records the IP address and timestamp of every failed WordPress login attempt. As soon as more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps to prevent brute-force password discovery. By default the plugin locks out an IP block for an hour once the failed login attempts occur within 5 minutes.

5. Install and activate Lockdown WP Admin, which conceals the administration and login screens from intruders. It can hide WordPress Admin (/wp-admin/) and the login page (/wp-login.php). If a user who isn't logged in tries to access WP Admin directly, they will be unable to and will receive a 404. It can also rename the login URL.
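The first, second and fourth steps can be checked with a small script. The following is an added example written for this post; it is not the code of any of the plugins named above. It audits a constructed list of users for generic administrator names (step 1), generates and grades passwords with the operating system's CSPRNG (step 2), and replays constructed login-log lines through a lockout rule modelled on step 4. The threshold used there (three failures from the same /24 block within five minutes locks the block for one hour) is an assumption chosen for illustration, not a claim about the plugin's exact defaults.

```python
"""Small WordPress security-audit helpers (added example, not plugin code)."""
import ipaddress
import secrets
import string
from collections import defaultdict
from datetime import datetime, timedelta

# Step 1: login names that attackers try first (list is an assumption).
GENERIC_LOGINS = {"admin", "administrator", "test", "root", "user"}

SAMPLE_USERS = [  # constructed rows, shaped like wp_users plus a role
    {"user_login": "admin", "role": "administrator"},
    {"user_login": "j.doe_2024", "role": "administrator"},
    {"user_login": "test", "role": "subscriber"},
]


def find_generic_admins(users):
    """Administrator accounts whose login name is generic and should be replaced."""
    return sorted(
        u["user_login"] for u in users
        if u.get("role") == "administrator" and u["user_login"].lower() in GENERIC_LOGINS
    )


# Step 2: random passwords. `secrets` uses the OS CSPRNG; random.random() would not do.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def password_is_weak(pw, min_len=12):
    """Weak if shorter than min_len or drawn from fewer than three character classes."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) < min_len or sum(classes) < 3


def random_password(length=12):
    """Generate a gibberish password and retry until it passes the weakness check."""
    while True:
        pw = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if not password_is_weak(pw, length):
            return pw


class LoginLockout:
    """Step 4 model: count failures per /24 block; lock the block when the
    threshold is reached inside the window (assumed: 3 in 5 min -> 1 hour lock)."""

    def __init__(self, max_failures=3, window=timedelta(minutes=5),
                 lock_for=timedelta(hours=1)):
        self.max_failures, self.window, self.lock_for = max_failures, window, lock_for
        self.failures = defaultdict(list)  # block -> timestamps of recent failures
        self.locked_until = {}             # block -> datetime the lock expires

    @staticmethod
    def block_of(ip):
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))

    def is_locked(self, ip, now):
        until = self.locked_until.get(self.block_of(ip))
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Record one failed login; return True if this failure locks the block."""
        block = self.block_of(ip)
        recent = [t for t in self.failures[block] if now - t <= self.window]
        recent.append(now)
        self.failures[block] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[block] = now + self.lock_for
            return True
        return False


SAMPLE_LOG = [  # constructed lines: "ISO timestamp  client IP  OK|FAIL"
    "2024-05-01T10:00:00 198.51.100.7 FAIL",
    "2024-05-01T10:00:30 198.51.100.7 FAIL",
    "2024-05-01T10:01:00 198.51.100.8 FAIL",  # third failure from the /24: locked
    "2024-05-01T10:01:30 198.51.100.9 OK",    # refused, block is locked
    "2024-05-01T10:02:00 203.0.113.5 FAIL",   # different block, one failure only
    "2024-05-01T11:30:00 198.51.100.7 FAIL",  # lock expired, counter restarted
]


def audit_login_log(lines, lockout=None):
    """Replay log lines; return (blocks that got locked, requests refused while locked)."""
    lockout = lockout or LoginLockout()
    refused = 0
    for line in lines:
        ts, ip, result = line.split()
        now = datetime.fromisoformat(ts)
        if lockout.is_locked(ip, now):
            refused += 1  # the request never reaches the login function
            continue
        if result == "FAIL":
            lockout.record_failure(ip, now)
    return sorted(lockout.locked_until), refused


if __name__ == "__main__":
    print("generic admin logins:", find_generic_admins(SAMPLE_USERS))
    print("suggested password:", random_password())
    print("locked blocks, refused requests:", audit_login_log(SAMPLE_LOG))
```

On a live site the user rows would come from the wp_users table (the role is stored in wp_usermeta) and the log lines from whatever records failed logins for you; the lockout class works on any source that yields a timestamp and a client IP.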

Photo Credit: MithrandirAgain via photopin cc