How to secure your WordPress website?

How to ensure the security of WordPress website?

WordPress is one of the most popular website building platforms in the world. However, due to its open source nature, WordPress websites are often targeted by hackers. In order to ensure the security of WordPress websites, website administrators need to take a series of measures to prevent potential security threats. The following will introduce some common security measures and specific code examples to help website administrators strengthen the security of WordPress websites.

1. Regularly update WordPress core files, themes and plug-ins
   Keeping WordPress core files, themes and plug-ins updated is the first step to ensure website security. Updates fix known vulnerabilities and security vulnerabilities, preventing hackers from exploiting them against your website. This can be done by updating in the WordPress backend or by uploading a replacement file via FTP.
2. Set a strong password
   A strong password is the key to ensuring account security. Website administrators should set complex passwords that contain letters, numbers, and special characters, and change them regularly. At the same time, it is recommended to enable WordPress’s strong password policy, which requires that all user passwords must comply with certain complexity rules.

function custom_password_policy( $password ) {
    if ( strlen( $password ) < 8 ) {
        return new WP_Error( 'password_too_short', 'Password is too short. It must be at least 8 characters long.' );
    }
    if ( !preg_match( "/[a-z]/", $password ) ) {
        return new WP_Error( 'password_no_lowercase', 'Password must include a lowercase letter.' );
    }
    if ( !preg_match( "/[A-Z]/", $password ) ) {
        return new WP_Error( 'password_no_uppercase', 'Password must include an uppercase letter.' );
    }
    if ( !preg_match( "/[0-9]/", $password ) ) {
        return new WP_Error( 'password_no_number', 'Password must include a number.' );
    }
    return $password;
}

add_filter( 'user_profile_update_errors', 'custom_password_policy' );

3. It is forbidden to use the default username "admin"
   Hackers usually try to use the default username "admin" for brute force cracking, so website administrators should avoid using "admin" as username. If the username is already taken, you can change it to a different username with the following code.

function change_admin_username( $user_login, $user ) {
    if ( $user->user_login == 'admin' ) {
        $new_username = 'new_admin_username';
        wp_update_user( array( 'ID' => $user->ID, 'user_login' => $new_username ) );
    }
}

add_action( 'wp_login', 'change_admin_username', 10, 2 );

4. Prohibit direct access to sensitive files through URLs
   In order to prevent hackers from obtaining sensitive files or information by directly accessing URLs, you can add sensitive file paths to the prohibited access list through code. .

<FilesMatch "(wp-config.php|xmlrpc.php|wp-admin)">
    Order allow,deny
    Deny from all
</FilesMatch>

5. Regular backup of website data
   Regular backup of website data can quickly restore the website in the event of unexpected events. Databases and files can be backed up regularly via WordPress plugins or server tools, and the backup files can be stored in a safe place.

The above are some common measures and specific code examples to ensure the security of WordPress websites. In addition to the above measures, website administrators should also regularly monitor the security status of the website, stay vigilant and respond to possible security threats in a timely manner to ensure the security of the WordPress website.

The above is the detailed content of How to secure your WordPress website?. For more information, please follow other related articles on the PHP Chinese website!