How to Bulk Delete Menu Items in WordPress

Bulk delete menu items in WordPress – WordPress has a very easy-to-use drag-and-drop user interface for quickly adding menu items. The menus feature in WordPress allows you to create a good site structure while letting users navigate and find information as needed. The good thing is, you can easily add as many menu items as you want. The annoying thing is, there are no options to bulk delete menu items in WordPress.

Why Bulk Delete Menu Items?

It may not be every time, but there will be situations where you need to delete multiple menu items. Sure, you can manually delete each and every menu item by simply expanding it and then clicking on the link “Remove.” However, if you have quite a few menu items, it can be a pain in the back to delete all of them manually. This is especially true in scenarios like when you import demo data for your theme or when you are cleaning and organizing the menu.

For instance, look at the below image. There are a ton of menu items that were automatically added when I imported the demo data of a WordPress Adsense theme. Trust me, what you see in the below image are just half of the menu items. As you can tell, it will be pretty frustrating to delete all those dummy menu items one by one.

Bulk Delete Menu Items in WordPress

1. Though WordPress doesn’t have built-in options to bulk delete menu items, you can use a simple and free plugin to do that. To start off, search for “Quick Remove Menu Item” in the Plugins page (Plugins > Add New) and then click on the button “Install.”

Did you know you can install a plugin in multiple ways? Here’s how to install a WordPress plugin in 3 different ways.

2. Once installed, click on the button “Activate” to activate the plugin. After activating the plugin, you can proceed to delete the menu items. To do that, open the Menus page by navigating to “Appearance > Menus” in the WordPress dashboard.

3. In the Menus page, select the menu you want to edit from the drop-down menu and then click on the button “Select.” In my case, I want to edit my Primary Menu. So, I selected it from the drop-down menu.

4. Now, you will see all the menu items in that particular menu.

  • To delete a single menu item, simply click on the “X” icon.
  • If you want to delete a menu item with all its sub-menu items then click on the “XX” icon.

When you click on the icon, you will not receive any warning message or confirmation message, but the menu will be deleted.

5. Once you are done deleting the unwanted menu items, click on the button “Save Menu” to save the changes.

That’s all there is to do and it is that simple to bulk delete menu items in WordPress. Do comment below sharing your thoughts and experiences about using the above method to delete menu items in WordPress.

How to Create An Admin User in WordPress Using MySQL

Create an admin user in WordPress using MySQL – In my other WordPress how-to article, I’ve shown you how to create an admin user via FTP with a simple functions file code snippet. This method is particularly useful when you forget your WordPress password and cannot recover it through the traditional methods.

Besides using FTP, you can also create an admin user in WordPress using MySQL pretty easily. Just like the FTP method, this approach is helpful when you are facing WordPress login problems. In case you are wondering, here is how to do it.

Things You Need to Know Beforehand

You need to have access to your hosting control panel and your MySQL database. Typically, most hosting providers use cPanel as the hosting control panel and phpMyAdmin to manage the WordPress database. So, I’m using the same to create an admin user in WordPress via MySQL.

Even if your control panel is different or you are using some other software to manage MySQL, the process should be pretty similar.

Note: Before proceeding any further, make sure that you back up your WordPress database. This helps you to restore the database if anything happens in the process.

Create An Admin User in WordPress Using MySQL

1. To create an admin user in WordPress using MySQL, log in to your hosting control panel, then find and click on the phpMyAdmin option to open phpMyAdmin. Typically, you can find the phpMyAdmin link in the Databases section in the cPanel.

Using phpMyAdmin we are going to edit wp_users and wp_usermeta tables to create an admin user in WordPress using MySQL.

Create an Admin User in WordPress using MySQL - Select phpMyAdmin

2. In the phpMyAdmin window, select your database appearing on the sidebar.

Create an Admin User in WordPress using MySQL - Select Your Database

3. The above action will open the database. Click on the link wp_users appearing on the sidebar.

Create an Admin User in WordPress using MySQL - Select wp_users Table

4. Once the table has been opened, click on the option “Insert” appearing on the upper navigation bar.

Create an Admin User in WordPress using MySQL - Click Insert in wp_users Table

5. Now, enter the fields as described below:

  • ID — In this field, enter a number of your choice. In my case, I’ve entered “5”. Remember this number, we are going to enter it a couple more times in other areas.
  • user_login — Enter a username of your choice. I’ve chosen “user5” as my username.
  • user_pass — Select “MD5” from the drop-down menu and then enter a strong password in the next field.
  • user_nicename — Enter your nickname in this field.
  • user_email — Enter the email address you’d like to associate this account with.
  • user_url — You can enter a web address of your choice in this field.
  • user_registered — Enter the date and time when the user is registered.
  • user_activation_key — Leave this field blank for now.
  • user_status — In this field, enter “0”.
  • display_name — Enter your name in this field. This will be displayed on your WordPress site.

6. Once you are done filling up the details as described, click on the button “Go”.

Create an Admin User in WordPress using MySQL - Fill wp_users fields

After editing the wp_users table, we can proceed to edit wp_usermeta table. Just like before, all we have to do is add a few values to complete the process of creating an admin user using MySQL.

7. To do that, click on the “wp_usermeta” link appearing on the sidebar.

Create an Admin User in WordPress using MySQL - Select wp_usermeta Table

8. After opening the wp_usermeta table, click on the option “Insert” appearing on the upper navigation bar.

Create an Admin User in WordPress using MySQL - Select wp_usermeta Table Insert Option

9. Now fill in the fields as described below:

  • umeta_id — Leave this field empty.
  • user_id — Enter the ID you’ve entered earlier. In my case, I’ve entered “5” earlier.
  • meta_key — Enter meta key as wp_capabilities.
  • meta_value — Insert a:1:{s:13:"administrator";s:1:"1";} as the meta value.

On the other row, fill the blanks like below:

  • umeta_id — Again, leave this field empty.
  • user_id — Enter earlier user ID. In my case, that will be “5”.
  • meta_key — Insert wp_user_level in this field.
  • meta_value — Enter “10” in the field.

Once you are done filling up the details, this is how it looks. Click on the button “Go” to save the changes.

Create an Admin User in WordPress using MySQL - Fill wp_usermeta Fields

10. That’s all there is to do. You’ve successfully created an admin user in WordPress using MySQL. In fact, you can log in with this username and password you used in this procedure.

Once logged in, you can reset the password of the other account, modify, or remove the user account by navigating to “Users > All Users” in the WordPress dashboard.

Create an Admin User in WordPress using MySQL - Admin User Account Created using MySQL
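
The form entries from steps 5 to 9, written as SQL for phpMyAdmin's SQL tab and followed by an audit query that lists every administrator account. This is an added example, not part of the original article; it assumes the default wp_ table prefix, lets MySQL assign the ID instead of a hand-picked number, and uses placeholder login, e-mail and password values.

```sql
-- Added example (not from the original article).
-- Assumptions: default `wp_` prefix; 'user5', the e-mail address and the
-- password string are placeholders to replace before running.
START TRANSACTION;

-- Same columns as the phpMyAdmin "Insert" form in step 5.
-- MD5() mirrors the "MD5" function picked in the form; WordPress accepts this
-- legacy hash and re-hashes the password with its own scheme after the first
-- successful login.
INSERT INTO wp_users
    (user_login, user_pass, user_nicename, user_email, user_url,
     user_registered, user_activation_key, user_status, display_name)
VALUES
    ('user5', MD5('REPLACE-WITH-A-LONG-RANDOM-PASSWORD'), 'user5',
     'user5@example.com', '', UTC_TIMESTAMP(), '', 0, 'User Five');

-- ID is an auto-increment column: reuse the value MySQL just assigned
-- rather than typing the same number into every form.
SET @new_id = LAST_INSERT_ID();

-- The two wp_usermeta rows from step 9 (umeta_id is left to auto-increment).
INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
    (@new_id, 'wp_capabilities', 'a:1:{s:13:"administrator";s:1:"1";}'),
    (@new_id, 'wp_user_level', '10');

COMMIT;

-- Audit: every account that currently holds the administrator role,
-- newest first. Run it after the recovery to confirm the new account, and
-- again later to check that no administrator exists that nobody on the team
-- can account for.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered DESC;
```

Once the original account is usable again, delete the recovery account or change its password from the dashboard so that no credential typed into a SQL window stays valid.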

If you like this simple guide, you might also like how to change database prefix and how to change WordPress database name. Do check them out for improved WordPress security.

Hope that helps and do comment below sharing your thoughts and experiences about using the above method to create an admin user using MySQL.

How to Change WordPress Database Prefix [in Simple and Easy Steps]

Whenever you install WordPress with its default configuration, the database prefix “wp_” will be used for all the tables in your WordPress database. Even though it doesn’t look like much, your site might be at risk with this default table prefix. This is because most hackers and spammers target this default WordPress database prefix for automated or manual SQL injection attacks. Considering the security risk of having the default database prefix, changing WordPress database prefix is one of the most commonly recommended WordPress security settings.

In case you are wondering, here is how to change WordPress database prefix in two different ways, i.e., before installing WordPress and after installing WordPress. Follow the method you are most comfortable with to change WordPress database prefix.

Note: since we are going to mess with the WordPress database itself, make sure that you have a good backup of WordPress database. This backup will help you restore the database, in case anything happens.

Change WordPress Database Prefix – Before Installing WordPress

If you want to change WordPress table prefix before installing, then the process is pretty simple.

1. Just open the wp-config.php file, scroll down and find the value $table_prefix. As you can see, the default database prefix is set to wp_.

Change WordPress Database Prefix - Default Table Prefix

2. Simply change the default table prefix to something like wp_bs645t_. Once you are done with the changes, save the file and proceed to the WordPress installation.

Change WordPress Database Prefix - Modified Table Prefix

Change WordPress Database Prefix – After Installing WordPress

Even after installing WordPress, you can easily change WordPress database prefix in three simple steps.

  1. Change table prefix in WordPress config file
  2. Rename database tables
  3. Update Options and Usermeta tables

Just follow the steps below as is and you should be good. Again, back up the WordPress database before proceeding.

1. To start off, fire up your FTP client and open the wp-config.php file located in the root directory.

2. Once opened, scroll down and find the value $table_prefix. Now, replace the default wp_ prefix with your new database prefix. For instance, I’m using wp_bs645t_ as my new table prefix. Save the file and reupload it.

Change WordPress Database Prefix - Modified Table Prefix

3. Now, log in to cPanel (or whatever control panel you are using), find “phpMyAdmin” and click on it to open the application.

Change WordPress Database Prefix - Open phpMyAdmin in cPanel

4. The above action will open the phpMyAdmin application. Here, click on the “Databases” link in the top navigation bar. Now, select the database that you want to change WordPress database prefix for.

Change WordPress Database Prefix - Open Database

5. Once the target database has been opened, click on the link “SQL” in the upper navigation bar.

Change WordPress Database Prefix - Select SQL Option

6. This action will take you to the SQL query window. Here, you can run or execute SQL queries to change WordPress database prefix.

Change WordPress Database Prefix - Blank SQL Query Window

7. To change the table prefix, copy the below lines or queries, paste them in the SQL query field and click on the “Go” button to execute all the queries at once.

Note: don’t forget to replace wp_bs645t_ with your new table prefix.

RENAME TABLE wp_commentmeta TO wp_bs645t_commentmeta;
RENAME TABLE wp_comments TO wp_bs645t_comments;
RENAME TABLE wp_links TO wp_bs645t_links;
RENAME TABLE wp_options TO wp_bs645t_options;
RENAME TABLE wp_postmeta TO wp_bs645t_postmeta;
RENAME TABLE wp_posts TO wp_bs645t_posts;
RENAME TABLE wp_terms TO wp_bs645t_terms;
RENAME TABLE wp_term_relationships TO wp_bs645t_term_relationships;
RENAME TABLE wp_term_taxonomy TO wp_bs645t_term_taxonomy;
RENAME TABLE wp_usermeta TO wp_bs645t_usermeta;
RENAME TABLE wp_users TO wp_bs645t_users;

Change WordPress Database Prefix – Execute SQL Queries

8. The above action will change the table prefix of all the default WordPress tables. If you have any other additional tables (which can be seen on the left sidebar of the phpMyAdmin page), then use the above technique to change those table prefixes.

9. Now, you also need to update the “wp_options” and “wp_usermeta” tables for any old table prefixes.

10. To do that, simply copy the below query lines and execute them. While executing, make sure that you replace:

  • {%NEW_TABLE_PREFIX%} with the new prefix (example: wp_bs645t_)
  • {%OLD_TABLE_PREFIX%} with the old table prefix (example: wp_)

-- Rewrite only the keys that begin with the old prefix, not every key that merely contains it
UPDATE `{%NEW_TABLE_PREFIX%}usermeta` SET `meta_key` = CONCAT('{%NEW_TABLE_PREFIX%}', SUBSTRING(`meta_key`, CHAR_LENGTH('{%OLD_TABLE_PREFIX%}') + 1)) WHERE LEFT(`meta_key`, CHAR_LENGTH('{%OLD_TABLE_PREFIX%}')) = '{%OLD_TABLE_PREFIX%}';
-- In the options table only the user_roles row is named after the table prefix
UPDATE `{%NEW_TABLE_PREFIX%}options` SET `option_name` = '{%NEW_TABLE_PREFIX%}user_roles' WHERE `option_name` = '{%OLD_TABLE_PREFIX%}user_roles';

Once you’ve replaced the required values, this is how it looks.

UPDATE `wp_bs645t_usermeta` SET `meta_key` = CONCAT('wp_bs645t_', SUBSTRING(`meta_key`, CHAR_LENGTH('wp_') + 1)) WHERE LEFT(`meta_key`, CHAR_LENGTH('wp_')) = 'wp_';
UPDATE `wp_bs645t_options` SET `option_name` = 'wp_bs645t_user_roles' WHERE `option_name` = 'wp_user_roles';

Change WordPress Database Prefix – Update WordPress Tables

11. As soon as you execute the above queries, you will receive the confirmation message showing the number of updated rows.

Change WordPress Database Prefix - Tables Updated

That’s all there is to do.
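
Step 8 leaves any plugin tables to be renamed by hand. The queries below, an added example that is not from the original article, generate the RENAME statements for every table that still has the old prefix and then check the result of steps 7 to 10. The prefixes wp_ and wp_bs645t_ are the article's example values and are assumptions to replace with your own.

```sql
-- Added example (not from the original article).
-- Assumed values: old prefix 'wp_', new prefix 'wp_bs645t_'.
-- String literals are used instead of @variables so the comparisons take
-- the collation of the column they are compared with.

-- 1. Run BEFORE step 7. Produces one RENAME statement per table that still
--    has the old prefix, including tables created by plugins. Copy the
--    output rows into the SQL window and execute them.
SELECT CONCAT('RENAME TABLE `', table_name, '` TO `wp_bs645t_',
              SUBSTRING(table_name, CHAR_LENGTH('wp_') + 1), '`;')
       AS rename_statement
FROM information_schema.tables
WHERE table_schema = DATABASE()
  AND table_type = 'BASE TABLE'
  AND LEFT(table_name, CHAR_LENGTH('wp_')) = 'wp_'
  -- the new prefix itself starts with "wp_": skip tables already renamed
  AND LEFT(table_name, CHAR_LENGTH('wp_bs645t_')) <> 'wp_bs645t_';

-- 2. Run AFTER step 10. WordPress reads its role definitions from this
--    option row and each user's role from this usermeta key; both must
--    exist under the new prefix or administrators lose dashboard access.
SELECT option_name
FROM wp_bs645t_options
WHERE option_name = 'wp_bs645t_user_roles';

SELECT user_id, meta_key
FROM wp_bs645t_usermeta
WHERE meta_key = 'wp_bs645t_capabilities';

-- 3. User meta keys that were missed and still carry the old prefix.
SELECT user_id, meta_key
FROM wp_bs645t_usermeta
WHERE LEFT(meta_key, CHAR_LENGTH('wp_')) = 'wp_'
  AND LEFT(meta_key, CHAR_LENGTH('wp_bs645t_')) <> 'wp_bs645t_';

-- 4. Option names that contain the new prefix but are not user_roles.
--    Options such as wp_page_for_privacy_policy are literal names that do
--    not follow the table prefix; any row listed here was rewritten by a
--    replace() that was not limited to the user_roles row and should be
--    renamed back.
SELECT option_name
FROM wp_bs645t_options
WHERE INSTR(option_name, 'wp_bs645t_') > 0
  AND option_name <> 'wp_bs645t_user_roles';
```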

Conclusion

It is that simple to change WordPress database prefix. If you want to verify, navigate to the Structure tab and you will see the modified table prefix.

Also, backup your WordPress site as soon as you change the WordPress database prefix.  This enables you to restore your site in future without needing to change the table prefix again.

Hopefully that helps and do comment below if you face any problems or just to share your thoughts and experiences about using the above methods to change WordPress table prefix.

22 WordPress Security Tips – Best WordPress Hardening Guide

WordPress is one of the most popular choices for bloggers, businesses and anyone who wants to have a hassle-free blogging software with loads of features and support. Being a popular CMS (Content Management System), it is the most targeted platform for hackers. Even though the WordPress core is pretty well coded and secure, you can harden your WordPress installation even more by putting a little more effort towards the security and following the WordPress best practices.

So, how do you protect your WordPress installation?

Well, that’s easy. All you have to do is put more care towards managing your WordPress site. In case you are wondering, here are some of the best and must follow WordPress security tips. Think of the below WordPress security tips as a checklist and make sure that you follow them by all means.

Note: Some of the WordPress security tips discussed below may require you to edit WordPress files. So, make sure that you manually backup your site to cloud storage services like Dropbox or Google Drive.

1. Never Use “admin” as Username

This is one of the most recommended WordPress security tips. Always make sure that you never use “admin” as the username. Using a WordPress site with the username “admin” and not having a strong enough password is a deadly combination. In fact, this is one of the most common reasons behind many hacked WordPress sites. Due to the obvious security reasons, WordPress itself stopped assigning “admin” as the username while installing.

If you already have a WordPress site with the user account named “admin,” then fixing it is pretty easy. Just create a new administrator account with a different username from the “Users > Add New” page, log in to your new administrator account and delete the user account named “admin.”

Delete default admin user account in WordPress.

Don’t worry, while deleting the user account named “admin,” WordPress lets you assign all the existing posts to the user account of your choice.

2. Use Strong Password

Using passwords like 123456, superman, your mobile number, date of birth, etc., is good because you can easily remember them, but so can your friends and foes. So, never use passwords that are so obvious to guess and easy to brute-force. Having a good and strong password to protect any of your online or offline accounts is really important.

To create a strong password, always follow the rules below.

  • The password must be 12 characters or more.
  • The password must contain small and capital letters, numbers and special characters.
  • The password should not contain complete words.
  • The password should not contain any of your personal information.
  • You should not use the same password to secure any other account.
  • Finally, be creative.

If you think the password created using the above rules is pretty complex to remember or to enter in the web forms, then use software like LastPass or KeePass. These apps let you securely manage all your passwords.

3. Only Use the Administrator Account When Needed

This is one of the most ignored WordPress security tips, but the thing is, you are not going to need the administrator access to your WordPress site every time. The best practice is to use the administrator account to do only the administrative tasks like updating WordPress plugins and themes, managing WordPress configurations, etc. You don’t need administrative privileges to edit or publish posts, to moderate comments, etc.

So, depending on your needs, create a new user account with Author or Editor user role and manage all the general tasks using that user account. You can know more about the Roles and Capabilities from the WordPress codex.

WordPress User Roles List

4. Block Access to WordPress Login Page

Using a strong password to protect your WordPress is good and all. But, you can increase your WordPress site security two-fold by simply blocking the access to your WordPress login page (wp-login.php) except for you and anyone approved by you. You can achieve this by limiting the access to selected IP addresses. This approach is particularly helpful to protect yourself from brute force attacks.

WordPress login page blocked by IP address.

To block access to the WordPress login page, open the .htaccess file in the root directory. Now copy and paste the below code on the top of the file. Don’t forget to replace “xx.xxx.xx.xxx” with your actual IP address. In case you are wondering, you can get your IP address details by simply asking Google.

# Limit access by IP address
<Files wp-login.php>
    order deny,allow
    deny from all

    # whitelist IP address one
    allow from xx.xxx.xx.xxx

    # whitelist IP address two
    allow from xx.xxx.xx.xxx
</Files>

5. Limit Login Attempts

In some cases, you may not be able to implement the above method of blocking access to the WordPress login page because you have multiple backend users and/or the IP addresses are dynamic. In those cases, you need to limit the login attempts, i.e., after a predetermined number of failed attempts, the user or the IP address is locked out for a predetermined period of time.

In that time period, the user cannot log in even with a valid username and password. This simple precaution can save your WordPress site from brute force attacks and guesswork.

WordPress login page secured with Limit Login Attempts plugin.

To enforce a limit on the login attempts, you can use the plugin Limit Login Attempts. The best thing about the plugin is that you can configure the lockout rules as required using the respective settings page.

6. Hide Login Error Message

Whenever there is a failed login attempt, WordPress displays an error message something like “The password for ‘username’ does not match.” If you read the error message clearly, WordPress is indirectly hinting that the username is correct.

The worst thing about this error message is that it lets the hacker know whether the username is correct or incorrect.

Remove WordPress login error message.

So, the good thing to do is to disable or hide the actual login error message. To do that, open your theme’s functions.php file, copy and paste the below code at the bottom of the file.

// Hide login message on WordPress login page
// (create_function() was removed in PHP 8.0, so an anonymous function is used)
add_filter('login_errors', function ($error) { return null; });

That’s all there is to do. From this point forward, the login error message is disabled.

7. Disable Directory Browsing

By design, when a web server has no default index file in a directory, it simply displays all the files and folders in that directory. This is called directory browsing, and it could be a big loophole in your WordPress security. This loophole can be used by hackers to gather sensitive information like the plugins used, vulnerable files, etc.

WordPress directory browsing.

To disable directory browsing, open the .htaccess file in the root directory, copy and paste the below code in it.

# Disable directory browsing
Options -Indexes

If you are uncomfortable editing the file, you can also disable directory browsing from cPanel.

8. Disable WordPress Editor

In WordPress, you can easily edit all your theme and plugin files using the built-in WordPress code editor. As useful as it is, a hacker can use it to edit theme and plugin files to add some malicious code once he has access to your WordPress site. Moreover, when was the last time you used the built-in code editor to edit theme or plugin files? If you’ve ever used it, then you should just avoid that practice, for real.

WordPress plugin and theme editor.

To disable the WordPress Editor, open the wp-config.php file, copy the below code and paste it at the end of the file. That’s all there is to do. From this point forward, the built-in WordPress editor is no longer accessible.

// Disable WordPress Editor
define( 'DISALLOW_FILE_EDIT', true );

Don’t worry, even after disabling the WordPress editor, you can always edit the theme and plugin files through FTP.

9. Change WordPress Table Prefix

Whenever you install WordPress without changing the table prefix beforehand, it will be installed with the default table prefix. Oftentimes, this default table prefix could make your site vulnerable to automated or manual SQL injections.

So, in order to protect your site, you can change your default table prefix from wp_ to something random like wp_bs645t_.

Change WordPress Table Prefix - Default WordPress Table Prefix.

Changing WordPress table prefix isn’t anything hard. But if you don’t want to get your hands dirty, then using a plugin like Change DB Prefix can be helpful. This simple change makes your site a bit more secure from the hack attacks.

10. Protect “wp-config.php” File

If you are using WordPress for any span of time, then you will probably know that the wp-config.php file is one of the important files in your WordPress installation. This file holds all the important configuration information like the database username and password, table prefix, etc. So as a precaution, you need to protect this file at all costs.

To protect the wp-config.php file, copy and paste the below code snippet in the .htaccess file located in the root directory.

# Protect wp-config.php file
<Files wp-config.php>
   order allow,deny
   deny from all
</Files>

11. Protect “.htaccess” File

Hypertext Access file (.htaccess file) is a directory level configuration file and it is also one of the important files in your WordPress installation. This simple file holds some of the important configurations that can affect the web server directly. Just like the wp-config.php file, you should also protect the .htaccess file. To protect the .htaccess file, simply copy the below code and paste it in your .htaccess file.

Quick tip: download all essential htaccess rulebook for WordPress.

# Protect htaccess file
<Files .htaccess>
   order allow,deny
   deny from all
</Files>

12. Protect readme.html and license.txt Files

Whenever you install or upgrade your WordPress site, WordPress automatically creates two files named readme.html and license.txt in the root directory. These files are not at all required by your WordPress site and may sometimes be used to gather your WordPress version information. To protect your WordPress site, you can just delete them, but the thing is, they will be created whenever you upgrade your WordPress site.

So, the best way is to protect these files from being accessed by the public. To protect the readme.html and license.txt files, simply copy the below code and paste it in your .htaccess file located in the root directory.

# Protect readme.html File
<Files readme.html>
    order allow,deny
    deny from all
</Files>

# Protect license.txt file
<Files license.txt>
    order allow,deny
    deny from all
</Files>

13. Protect install.php File

After installing WordPress, there is no need for the install.php file. In fact, if you open the URL http://example.com/wp-admin/install.php, you will see that WordPress gracefully informs you that you’ve already installed WordPress. Even though this doesn’t look like much, there are instances when the installation script tried to reinstall WordPress under certain circumstances.

WordPress informing WordPress is already installed.

So, blocking the file from being accessed by the public is a good thing to do. To do that, simply copy and paste the below code in your .htaccess file.

# Protect install.php
<Files install.php>
    order allow,deny
    deny from all
    Satisfy all
</Files>

14. Protect “wp-admin” Directory

For those of you who don’t know, wp-admin directory acts as the front end for the backend users like admins, editors, etc. Considering the importance of the directory, it is always a good thing to add an additional layer of security. This not only secures your WordPress installation from regular attacks but is also good at blocking brute force attacks.

Password Protect wp-admin folder.

To protect the wp-admin directory — download, install and configure the plugin AskApache Password Protect as per your needs. Don’t forget to choose a strong password to protect your wp-admin folder.

15. Protect “wp-includes” Directory

In case you don’t know, the wp-includes directory in your WordPress installation hosts all the core files and is only intended to be used by WordPress itself. That is, there is no need or should not be any need for any user to access the contents of the wp-includes folder.

So, in order to protect the wp-includes folder from being accessed by any user, copy and paste the below code at the bottom of the .htaccess file located in the root directory.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

16. Use Security Plugins

WordPress plugin repository has a plethora of security plugins to secure your WordPress site from general exploits and harden WordPress security. Some of the best security plugins include iThemes Security, Wordfence, All In One WP Security and Firewall, Sucuri (free plugin), etc. Most of the plugins available in the WordPress repository are capable of acting at WordPress level to filter and protect your website.

In fact, almost all the tips shared here can be managed using the above plugins. So, install the plugin of your choice and harden your site. If you want to be more secure and carefree, then spending a few bucks on premium services like Sucuri is well worth it. Moreover, services like Sucuri can even help you recover your hacked website.

17. Always Stay Updated

Whether it’s WordPress core, themes or plugins, staying up to date is like winning half the war. For those of you who don’t know, bad guys generally target out-dated and vulnerable WordPress core, plugin and theme files. To close the security holes, developers release the security patches and fixes in the form of updates. So, always stay updated and safe.

If you don’t stay updated, you will always be an easy target for the hackers. The recent MailPoet incident is a good example.

Update plugins and themes.

If you think it is too much work to manage all the plugin and theme files, then consider using secure and managed hosting services like WP Engine and SiteGround or website security services like Sucuri who can monitor and protect your WordPress site from known and zero-day vulnerabilities.

Moreover, starting from version 3.7, WordPress introduced automatic update feature which by default updates your WordPress core for all the minor releases like maintenance and security updates.

By adding the below code in your wp-config.php file, you can enable automatic updates to all the major WordPress core updates.

// Enable all automatic updates
define( 'WP_AUTO_UPDATE_CORE', true );

18. Delete Unused Plugins and Themes

WordPress is pretty customizable and most of the credit goes to all the free and premium plugins that offer the extra functionality. Oftentimes, you try different themes and plugins to find the right combination that works for your site. After that, you may just disable all the plugins and themes that aren’t needed anymore. This is good and all, but the unused plugins and themes in your WordPress site may pile up without your realizing.

When you look from the security point of view, there is no reason whatsoever to leave unused plugins and themes installed in your WordPress. This is not only a security risk, but these unused plugins and themes may clutter the database and also increase your disk space usage.

Delete unused themes and plugins from WordPress.

So, be a happy egg and make a habit of deleting any unused plugins and themes. After all, you can always reinstall them with just a few clicks.

19. Never, Ever Use Nulled Plugins and Themes

Premium plugins and themes like OptinMonster, Genesis Framework, Gravity Forms, etc., are well worth their price. But, it is very tempting when you access sites which give you premium plugins and themes for free to install on your WordPress site. Often, these kinds of resources are called nulled plugins and themes.

The thing is, nobody gives a premium plugin or theme for free.

In most cases, these nulled plugins and themes are infected with malicious code that can effectively spread spam, hide malicious links, show eyebrow-raising ads, and/or create backdoors to your WordPress site. So, don’t take the risk and you are better off “not” installing the nulled themes or plugins.

Malicious code in nulled WordPress themes and plugins

If possible, even avoid using free themes in favor of using premium themes like Genesis Framework or Elegant Themes. This is because even the genuine free themes may sometimes contain encoded code (base64) that can hide malicious links. Moreover, the premium theme developers are quicker to resolve any issues with the theme security and they often provide better support to customize your theme according to your needs.

20. Have a Backup of Everything

The best defense is a good offense, and creating regular daily backups is the best thing you can do for your WordPress site. Sure, these backups won’t stop your site from being compromised or corrupted, but they will help you restore the site to a previous known good state. Not to mention, having reliable backups of your WordPress site, including the database, gives you the peace of mind to concentrate on developing your blog or website.

Generally, you can create a manual backup of your site, but that process is very inefficient and quite a hassle. So, to automate the WordPress backup process, the WordPress plugin repository has several free and popular backup plugins like BackWPup, UpdraftPlus, WP-DB-Backup, etc.

Just install one of them and make sure that you take daily backups.

Backup your WordPress site regularly with plugins like BackupBuddy, BackWPup, etc.

If you want premium support and more reliable features, then spending a few bucks on premium backup solutions like BackupBuddy or VaultPress can help you in many ways. Again, make use of these free or premium plugins and never neglect to create regular backups.

21. Always Use SFTP Instead of FTP

This seems pretty obvious, but considering that regular FTP (File Transfer Protocol) has no encryption for your FTP account password, I can’t restrain myself from recommending it. So, depending on what your hosting provider supports, always use SFTP (Secure FTP) or FTPS (FTP over SSL) to transfer files back and forth.

That being said, even though the names FTP and SFTP are similar, SFTP is completely different from FTP. Learn more about FTP on Wikipedia.

22. Keep Your Computer Clean and Virus-Free

This is one of the most overlooked things when securing a WordPress site. Keeping your computer clean and virus-free is really important because an infected computer may leak confidential information like your account user IDs and passwords. This, in turn, leads to information theft, identity theft, and data loss.

So, don’t do anything crazy like clicking unknown links in email, installing pirated software, etc., on your main work machine. To keep your computer free from viruses and other malicious infections, install good antivirus and anti-malware software.

Protect your computer from viruses and malware.

Conclusion

If you are a beginner, then all the above tips may seem pretty intimidating, if not nerve-wracking. But the fact is that almost all the tips shared here to harden your WordPress security are very easy to follow, and most of them are “set it and forget it” configurations. So, make sure you follow them: each tip you follow will make your WordPress site a little more secure and keep you one step ahead of hackers and other unintended consequences.

That’s all for now and hopefully, the hardening tips will help to secure your WordPress site. If you find this article useful, then do share it with your friends. If you think I’ve missed something, then do share it in the comments form below. That will help everyone using WordPress.

How to Add a User in WordPress Using FTP

Sometimes, you may find yourself locked out of your own WordPress admin area. This can be stressful and frustrating. There may be any number of reasons for this, such as hack attacks, theme or plugin malfunctions, or even forgetting your username, email address or password.

Regardless, there are back-door ways to get into your site and create a new admin user manually in such an emergency. One such method is connecting via phpMyAdmin and running MySQL queries to create the admin user. However, if you don’t want to meddle with the database, or if you are unable to do so for some reason, the alternative is to add the new admin user via FTP.

Add Admin User in WordPress via FTP

Creating a new admin user via FTP is easier than you think. The first thing you need to do is connect to your WordPress site with your FTP client.

Also read: how to update WordPress via FTP

After connecting to your FTP account, proceed to locate your WordPress theme’s “functions.php” file. The general location of the file would be /wp-content/themes/theme-name/functions.php.

Using the FTP client, download the functions.php file to your computer.

Theme functions file - Open WordPress theme functions file

Now open the file in a plain text editor like Notepad and add the following code snippet at the bottom of the file. Don’t forget to replace the Username, Password and name@example.com fields with the actual values. Also, the username and email address should be unique, i.e. there shouldn’t be a user already registered with the same username or email address.

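// Add a new administrator account (temporary: remove this code after logging in)
function bs_admin_account()
{
    $user  = 'Username';          // replace with the new, unique username
    $pass  = 'Password';          // replace with a strong password
    $email = 'name@example.com';  // replace with a unique email address

    // Only create the account if neither the username nor the email is taken.
    if (!username_exists($user) && !email_exists($email)) {
        $user_id = wp_create_user($user, $pass, $email);

        // wp_create_user() returns a WP_Error on failure; promote only a real user ID.
        if (!is_wp_error($user_id)) {
            $new_user = new WP_User($user_id);
            $new_user->set_role('administrator');
        }
    }
}

// Run the function on every request via the init hook.
add_action('init', 'bs_admin_account');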

Now that you’ve done that, go back to your FTP client and upload the file to your website’s FTP account.

That’s all there is to do. You’ve created a new admin user using FTP. You can now log into your WordPress admin area using the credentials that you provided above.

Wordpress login page - Log into WordPress dashboard

Once logged in, make sure to remove the added code from the functions.php file, since it keeps the new account’s password in plain text in your theme and runs on every page load. Don’t worry: even after you remove the code, the user account will stay intact. You can always keep adding users and authors to your site as you need.
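A quick way to confirm that no account-creating code was left behind in a theme’s functions.php after the recovery. This is an added example, not code from the original article; the function name `find_admin_creators`, the patterns and the sample file contents are assumptions constructed for illustration.

```python
import re

# A PHP function definition and its body. No nested-brace parsing: the body runs
# up to the first closing brace at the start of a line, and the parameter list
# must not contain parentheses.
FUNC = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{(.*?)^\}", re.S | re.M)
CREATES_USER = re.compile(r"\bwp_(create|insert)_user\s*\(")
GRANTS_ADMIN = re.compile(r"""set_role\s*\(\s*['"]administrator['"]""")


def find_admin_creators(source):
    """Return [(function_name, [hooks])] for functions that create an administrator."""
    results = []
    for match in FUNC.finditer(source):
        name, body = match.group(1), match.group(2)
        if CREATES_USER.search(body) and GRANTS_ADMIN.search(body):
            # Which WordPress hooks, if any, run this function automatically?
            hook_re = re.compile(
                r"""add_action\s*\(\s*['"](\w+)['"]\s*,\s*['"]%s['"]""" % re.escape(name))
            results.append((name, hook_re.findall(source)))
    return results


# Constructed sample input: a functions.php where the recovery snippet was never removed.
SAMPLE_FUNCTIONS_PHP = """<?php
function theme_setup()
{
    add_theme_support('title-tag');
}
add_action('after_setup_theme', 'theme_setup');

function bs_admin_account()
{
    $user = 'Username';
    if (!username_exists($user)) {
        $user_id = wp_create_user($user, 'Password', 'name@example.com');
        $user = new WP_User($user_id);
        $user->set_role('administrator');
    }
}
add_action('init', 'bs_admin_account');
"""

if __name__ == "__main__":
    for name, hooks in find_admin_creators(SAMPLE_FUNCTIONS_PHP):
        print(f"{name}() creates an administrator; hooked to: {hooks or 'nothing'}")
```

An empty result means the snippet is gone; any hit that you did not add yourself deserves a closer look, because the same pattern is how an unwanted administrator account would be planted.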

If you want to, you can force reset passwords of other accounts by simply navigating to “Users > All Users” and clicking on the “Edit” link under the user account. Once you are done resetting, you can remove the newly created account by clicking on the “Delete” link.

WordPress users - Edit WordPress Users

If you like this quick tip then you might also like to hide admin bar for all users except for administrators. Do check it out.

Hope that helps and do comment below sharing your thoughts and experiences about using FTP to create a new admin user in WordPress.