Please note that this tutorial is part of a series to help secure a WordPress blog. Some of these tips might not apply depending on the hosting environment. The following topics are covered:
- Setting up an SSL certificate
- Redirecting users to HTTPS
- Installing WordPress securely
- .htaccess for WordPress security
- php.ini for WordPress security
- Security plugins
- Security maintenance
WordPress comes pre-installed with the “Loginizer Security” plugin. It allows the administrator to control many things, from who can log in to how many times they can try to log in.
To activate it, go to “Installed Plugins” under “Plugins” and click “activate”.
To customize its settings, click on “Brute Force” under “Loginizer Security” in the left menu.
Modify the following under the “Brute Force Settings” section:
- “Max Retries” to 2;
- “Lockout Time” to 2880 minutes (2 days);
- “Max Lockouts” to 2;
- “Extend Lockout” to 168 hours (7 days);
- “Reset Lockouts” to 672 hours (1 month);
- “Email Notification” to 3 lockouts.
It is wise to whitelist your IP address, especially if you make password errors from time to time. This can be done by entering your IP address in “Start IP”, under the “Whitelist IP” section of the page. You can find your IP address by searching “my ip” on Google or by using Loginizer’s dashboard, where it is shown in the “System Information” section.
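To see how the settings above interact, here is an added example (not Loginizer’s code, but a simplified model of the brute-force policy it describes) that tracks failed logins per IP address with the tutorial’s values: two failures lock the address for 2880 minutes, a second lockout extends it to 168 hours, the lockout counter resets after 672 quiet hours, and whitelisted addresses are never locked. The IP addresses used are constructed examples.

```python
from dataclasses import dataclass

# Values taken from the tutorial's "Brute Force Settings" section.
MAX_RETRIES = 2
LOCKOUT_MINUTES = 2880        # 2 days
MAX_LOCKOUTS = 2
EXTEND_LOCKOUT_HOURS = 168    # 7 days
RESET_LOCKOUTS_HOURS = 672    # 28 days ("1 month" in the tutorial)

@dataclass
class IpState:
    failures: int = 0          # failed logins since the last lockout
    lockouts: int = 0          # lockouts inside the reset window
    locked_until: float = 0.0  # epoch seconds; 0 means not locked
    last_lockout: float = 0.0

class LockoutPolicy:
    """Hypothetical model of the Loginizer brute-force settings, not the plugin's own code."""
    def __init__(self):
        self.ips = {}           # ip -> IpState
        self.whitelist = set()  # addresses entered under "Whitelist IP"

    def is_locked(self, ip: str, now: float) -> bool:
        return self.ips.get(ip, IpState()).locked_until > now

    def record_attempt(self, ip: str, success: bool, now: float) -> str:
        """Return 'allowed', 'rejected' or 'locked' for a login attempt at time `now`."""
        if ip in self.whitelist:
            return "allowed" if success else "rejected"
        st = self.ips.setdefault(ip, IpState())
        if st.locked_until > now:
            return "locked"
        # The lockout counter expires once "Reset Lockouts" hours have passed quietly.
        if st.lockouts and now - st.last_lockout > RESET_LOCKOUTS_HOURS * 3600:
            st.lockouts = 0
        if success:
            st.failures = 0
            return "allowed"
        st.failures += 1
        if st.failures < MAX_RETRIES:
            return "rejected"
        # "Max Retries" reached: lock the address out and escalate on repeat offenders.
        st.failures = 0
        st.lockouts += 1
        st.last_lockout = now
        if st.lockouts >= MAX_LOCKOUTS:
            st.locked_until = now + EXTEND_LOCKOUT_HOURS * 3600   # "Extend Lockout"
        else:
            st.locked_until = now + LOCKOUT_MINUTES * 60          # "Lockout Time"
        return "locked"
```

Even a correct password is refused while the address is locked, which is why whitelisting your own address matters before tightening these values.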
To install the “Sucuri Security – Auditing, Malware Scanner and Hardening” plugin, navigate to “Add new”, located under “Plugins”. Search for it, then click “Install” and “Activate” on the first result. Click “Sucuri Security” located in the left-hand menu.
Once the plugin is set up, you will be able to see your website’s security status from the dashboard and configure the plugin’s settings from the settings page.
To install the “Health Check & Troubleshooting” plugin, navigate to “Add new”, located under “Plugins”. Search for it, then click “Install” and “Activate” on the first result.
Click “Site Health” located under “Tools”. Any potential security issues will be listed on the page.
Clicking on an issue will expand the tab to provide you with more information.
Websites should be backed up at least once a week. However, the higher the frequency, the better. A website can be compromised at any time and having the most recent backup copy in hand can help in a faster recovery. It is also important to store backup copies in multiple locations.
There are free and paid WordPress backup plugins. I have opted for the “BackUpWordPress” plugin. To install it, navigate to “Add new”, located under “Plugins”.
Search for “BackUpWordPress”, click “Install now” and “Activate”.
In the WordPress left-hand menu, click on “Backups” located under “Tools”, then “+ add schedule”. Select “Both Database & files” as the “Backup” option and set the backup frequency. Enter the email address at which you wish to receive the backups and click “Done”.
I recommend storing emails on a computer to have a backup copy in more than one location.
If you know of any useful security plugins for WordPress, please let me know in the comments down below!