WordPress Security (Hardening) Tips 2017
The Importance of Website Security
Website Security is a pressing issue today. We have progressed in the virtual world with better, faster and more
reliable technology but so have the hackers. The methods used by hackers have become more sophisticated and more
damaging in many ways. As more and more businesses turn towards the virtual world in order to keep up with the
changing consumer preferences and the competition, it is important that they fully understand the risks involved with
their digital presence and take appropriate measures right from the very start.
Here are some recent facts about website security,
• As of March 2016, Google reported that over 50 million website users were greeted with a security warning when
they visited a website. In March 2015 that number was 17 million. That is almost a threefold increase in a single year.
• Google blacklists close to 20,000 websites a week for malware issues and another 50,000 for phishing scams.
• A study done by Sucuri on 11,000+ infected websites showed that 75% of these websites were running on the
WordPress platform and over 50% of them were out of date. The most basic step towards improving your WordPress
website security is to update the core software and plugins.
• According to a recent study conducted on the 40,000 most visited WordPress websites, 70% were vulnerable to
hacking attacks.
• WordPress plugins are the biggest threat. In a study conducted, 55.9% of hacking attacks happened through plugin
vulnerabilities.
How do you Secure your WordPress Website or Blog?
Here are some security techniques that our team of WordPress developers have put
together. Some of these techniques might require advanced knowledge of WordPress.
Backup WordPress- There are plenty of techniques that you can use to back up your WordPress website or blog. You
can either back up your WordPress installation through the backup wizard provided by your hosting company or use
a plugin from the WordPress Plugin Directory. Not all hosting companies provide a backup service as a part of your
hosting plan, so it is best that you confirm this with them. If you want to use a plugin to take backups then here are some
options,
• UpdraftPlus
• Duplicator
• BackWPup
Update Plugins - One of the main reasons WordPress websites get hacked is plugins that are not up to date. We
highly recommend you log in to your WordPress dashboard and check for any notifications on the left hand side of
the panel (under updates or plugins).
Update Core Software- Another simple security measure is to update the WordPress core software on a regular
basis. By default every WordPress website is set to automatically update the core software if there are minor
releases/changes available. However this might not be the case if your website has been highly customised. If you
are not sure please check with your web developers.
Update WordPress Plugins Regularly- According to a study conducted on 117,000 hacked WordPress websites in
2013, 22% were hacked via a vulnerability in the plugin that was being used. If you are using a plugin that has been
downloaded from the WordPress Plugin Directory then you should be able to easily check for any updates through
your WordPress Admin dashboard. However if you have a custom plugin created by a web developer, it is best you
check with them.
Use a Security Question- Using a plugin you can add a security question to Registration, Admin Login and Forgot
password screens.
• WP Security Question
Don’t Use Admin as the Username- A simple fix that is often overlooked by WordPress website owners. We have
seen so many websites using admin as their username and this puts your website security at serious risk! All the
hacker needs to guess is the password in order to get access to your website. Here is how you can change your
WordPress username,
• Go to your WordPress dashboard using your existing login credentials and click on Users on the left hand
panel.
• On the following screen click on Add New and a form will appear that will allow you to create a new user.
• Please complete the form choosing unique login credentials and select the role as an administrator.
• Once the form has been submitted the new user should appear on the User screen.
• Now log out of your current admin account and sign in using the new credentials. Once you enter the
dashboard please remove the old administrator account.
NOTE- When you delete the old admin account you will be prompted by WordPress to assign a new user to
the pages and posts. Please assign this content to the new admin user account you have created or else
these might get deleted.
Use 2 Factor Authentication- This adds an extra layer of security to your WordPress admin panel by asking a user for
a unique code each time they want to enter the WordPress admin dashboard. This code is sent using the Google
Authenticator App and can be used on both iOS & Android. Here is a step by step guide for enabling this security
feature on your WordPress website using the following plugin,
• Google Authenticator
Use Strong Passwords- The same study also showed that 8% of security hacks happened because the WordPress
installation was using a weak admin password. Here are some tools you can use to generate strong passwords,
• Strong Password Generator
• Norton Password Generator
Update your WordPress Theme- In a study of 117,000 hacked WordPress websites, it was found that 29% were
hacked into because of a vulnerability in the WordPress theme being used. Most themes come with an auto update
option or a plugin that would support this feature. It is best you check your theme documentation or contact the
theme publisher. For custom built themes the best option is to check with your WordPress Developer.
Use an SFTP connection to connect to the server- Using an SFTP connection to connect to the server will mean that the
file transfer between the local machine and the server (remote machine) will be private and secure. More on SFTP
connections here.
Disable File Editing from the WordPress Dashboard- WordPress comes with a handy little feature on the admin
dashboard that allows a user to edit files that are a part of the WordPress installation. But this feature can be
misused if a hacker gains access to the dashboard. WordPress itself highly recommends that you turn off the file
editing feature completely. Add the following line at the end of the wp-config.php file,
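An added example, not part of the original slides: the constant WordPress provides for this is `DISALLOW_FILE_EDIT`, set with `define( 'DISALLOW_FILE_EDIT', true );`. The Python check below (function names and sample file contents are constructed for illustration) reads the text of a wp-config.php and reports whether that line is present, active, and placed before the line that loads wp-settings.php, which is where a stock wp-config.php asks for custom values to go.

```python
import re

# define( 'NAME', value ); -- PHP function names are case-insensitive,
# constant names are case-sensitive.
DEFINE_RE = re.compile(
    r"""(?i:define)\s*\(\s*['"](?P<name>\w+)['"]\s*,\s*(?P<value>[^,)]+?)\s*\)\s*;"""
)
# The line in a stock wp-config.php that hands control to WordPress.
BOOTSTRAP_RE = re.compile(
    r"""(?i:(?:require|include)(?:_once)?)\s*\(?\s*ABSPATH\s*\.\s*['"]wp-settings\.php['"]"""
)


def strip_php_comments(src):
    """Drop /* */ blocks and whole-line // or # comments, so a commented-out
    define is not mistaken for an active one (simplified: not a PHP parser)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)^[ \t]*(?://|#).*$", "", src)


def audit_file_editing(config_text):
    """Return (status, detail) for the dashboard file-editor setting."""
    code = strip_php_comments(config_text)
    # PHP keeps the first definition of a constant, so only the first one counts.
    first = next(
        (m for m in DEFINE_RE.finditer(code) if m.group("name") == "DISALLOW_FILE_EDIT"),
        None,
    )
    if first is None:
        return "missing", "no active define of DISALLOW_FILE_EDIT"
    if first.group("value").strip().lower() not in ("true", "1"):
        return "not_enabled", "DISALLOW_FILE_EDIT is set to " + first.group("value")
    boot = BOOTSTRAP_RE.search(code)
    if boot and first.start() > boot.start():
        return "late", "defined after wp-settings.php is loaded; move it above that line"
    return "ok", "dashboard file editor is disabled"


# Constructed sample wp-config.php contents, not taken from any real site.
SAMPLES = {
    "hardened": """<?php
/** Constructed sample. */
define( 'DB_NAME', 'example_db' );
define( 'DISALLOW_FILE_EDIT', true );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
""",
    "commented": """<?php
define( 'DB_NAME', 'example_db' );
// define( 'DISALLOW_FILE_EDIT', true );
require_once ABSPATH . 'wp-settings.php';
""",
    "false": """<?php
define( 'DISALLOW_FILE_EDIT', false );
require_once ABSPATH . 'wp-settings.php';
""",
    "appended": """<?php
define( 'DB_NAME', 'example_db' );
require_once ABSPATH . 'wp-settings.php';
define('DISALLOW_FILE_EDIT', TRUE);
""",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        status, detail = audit_file_editing(text)
        print(f"{label:10} {status:12} {detail}")
```

To check a real installation, pass the contents of its wp-config.php to `audit_file_editing`.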
Use a Comprehensive Security Plugin for WordPress- There are plenty of plugins available on the WordPress Plugin
Directory providing a range of security features. Here is an article that talks about the most popular security plugins.
We have personally installed the following plugins on WordPress websites,
• Wordfence
• Acunetix
About Us
Websites ‘N’ More is a Sydney-based digital agency focusing on web development using PHP-based open source
platforms including WordPress, Joomla, Magento and Drupal. Our team of web developers are capable of,
• Custom Plugin/Extension Development
• eCommerce Development
• Systems Integration
• API Development &
• Theme Development
References
• https://sucuri.net/website-security/Reports/Sucuri-Website-Hacked-Report-2016Q1.pdf
• https://www.wpwhitesecurity.com/wordpress-security-news-updates/statistics-70-percent-wordpress-installations-vulnerable/
• https://www.wordfence.com/blog/2016/03/attackers-gain-access-wordpress-sites/
• https://www.wpmayor.com/wordpress-security-based-facts-statistics/
