This chapter explains about WordPress Security. WordPress is an open source platform used for designing blogs or sites. To protect the site from hackers, one needs to follow some security tips. Following concepts are covered in this chapter:

• Stay Up-to-date
• Admin Area Protection
• Strong Username and Password
• Hide the WordPress version
• WordPress Backup
• Secured WordPress hosting

The most essential tip for securing the self-facilitated WordPress site is likewise the most obvious, WordPress gives updates and then the security fixes constantly. When clients get notice in admin panel, it is the absolute best approach to secure the site from assaults. But, such a variety of individuals leave their own sites and other sites without any update because of the vulnerability of breaking the topics and/or plugins. The image below demonstrates the plugin update location in WordPress Plugin section.

It is essential to limit the entrance to the WordPress admin region for individuals who really need access to it. The site does not support enrollment or front-end content creation to not allow the visitors to access the wp-admin folder or the wp-login.php file. The best way the client can do is to get the home IP address and add to the .htaccess file in the WordPress admin folder by replacing the line **.***.***.*** with the IP address as shown below: [c] <Files wp-login.php> order deny, allow Deny from all Allow from **.***.***.*** </Files> [/c] To access multiple systems, the user can add another new line of Allow from **.***.***.*** statement. Accessing the admin area from different IP address can be dangerous, which may cause some brute-force assaults. To avoid such situations, it is better to use a plugin for restricting the login attempts. Check the WordPress official website in order to download the available plugin for limiting the login attempts. Check out the following tutorial WordPress Plugins to check the download and installation process of different plugins.

Most attackers will assume that the admin username is "Admin", which is not a good username. Earlier, WordPress has admin as the username of the primary admin account by default. But now, when installing the WordPress, the user can choose a different username. In general, when users start using WordPress, especially for the first time, many stick to admin as the username, which is an extremely predictable username. It makes the site easy to break. There are a number of individuals who use phrases like "Password" or "123456" for the administrator login details. Needless to say, such passwords can be effortlessly known or guessed and they are on the highest priority on the list of any dictionary assault. A decent tip is to utilize a whole sentence that makes sense to the client and can be remembered effortlessly. Such passwords are much better than single phrases.

By enabling the WordPress version on the site, it would be easy for hackers to attack. So, in order to hide the WordPress version on the site, one needs to remove Meta generator from WordPress. The Meta generator shows the WordPress version on the site. In order to secure the WordPress from hackers, place the following code in the function.php file. [c]remove_action(‘wp_head’ , ‘wp_generator’);[/c] Also, remove version from RSS feeds using the following code as shown below. [c] function wpt_remove_version() { return ‘ ‘; } add_filter(‘the_generator’, ‘wpt_remove_version’); [/c]

The WordPress database contains Posts, Comments and Links on the blog. If the database gets erased or corrupted, the user may lose everything that is on the site. There are many reasons why this could happen and not all the things can be controlled. So, by using a proper backup of the WordPress database and files, it is easy to restore the things back to normal. Check for the most popular Backup plugin in the official website of WordPress. Following are some of the most popular plugins used by many users: Check out the following tutorial WordPress Plugins to check the download and installation process of different plugins.

The WordPress site is as secured as the hosting account. Anyone can misuse a defenselessness in an old PHP version. For instance, there is nothing in particular as such the client should have the most recent WordPress version. This is the reason why it is important to be hosted with an organization that has security. Following are the key features for secure hosting of WordPress.

The secrete data of the WordPress site is stored in the wp-config.php in the WordPress root directory. The secret keys are one of the bits of information stored in that particular file. So, make sure you change the default secret keys. WordPress secret or security Keys is a set of random variables that improve encryption of data stored in the client's cookies. Earlier in WordPress 3.0, the user has to install these security keys in the wp-config.php file manually but now by using the install wizard it automatically adds the security keys in the wp-config.php. Earlier, there are only 4 security keys but with in 3.0 version 8 security keys are available. The code below demonstrates the format of 8 security keys in wp-config.php file. [c] define(‘AUTH_KEY’, ‘ put the unique phrase here’); define(‘SECURE_AUTH_KEY’, ‘ put the unique phrase here’); define(‘LOGGED_IN_KEY’, ‘ put the unique phrase here’); define(‘NONCE_KEY’, ‘ put the unique phrase here’); define(‘AUTH_SALT’, ‘ put the unique phrase here’); define(‘SECURE_AUTH_SALT’, ‘ put the unique phrase here’); define(‘LOGGED_IN_SALT’, ‘ put the unique phrase here’); define(‘NONCE_SALT’, ‘ put the unique phrase here’); [/c] If not sure about the unique phrases, click the following link to get some security keys automatically. Security keys

• Maintaining WordPress plugins and updating to the latest version all the time will avoid some security issues.
• Admin area can be protected by adding IP Address to the .htaccess file.
• Strong Username and password must be given in order to avoid malicious attacks.
• Hide the WordPress version by removing the Meta generator.
• Backup the WordPress data, so that it will be helpful when the data gets corrupted or erased.