How to Increase your Website’s WordPress Security Options
To date, up to 14 million websites are hacked every year. If you run a WordPress blog or website that is set up through the standard installation options, you are probably going to experience a brute force attack attempting to log into the WordPress dashboard. If you haven’t been subject to one yet, consider yourself fortunate. Fortunately, there is a wealth of strategies for dealing with security concerns, and the best approach is to deploy several of them at once to increase your website’s WordPress security options. Bear in mind that hacking attempts don’t happen at a predictable pace. Months can pass without a single malicious login attempt and then suddenly a few hundred (even up to a couple of thousand) attacks can occur in a short period of time. I’ve seen many websites that were breached because of reckless security standards. There are, however, ways to protect your website from these attempts.
In this article, I’m going to show you the techniques that I use to protect my blogs and websites that are built on WordPress, and aim to help you use similar techniques to protect your own.
Step 1: Secure your login page and prevent brute force attacks
- Set up website lockdown and ban users
- Enable two-factor authentication
- Use your e-mail address to log in
- Rename your login URL
- Update your passwords regularly
- Add security questions to your WordPress login page
Step 2: Secure your admin dashboard
- Protect the wp-admin directory
- Use SSL to encrypt your data
- Secure the credentials of your admins and collaborators
- Change the admin username
- Monitor your files
Step 3: Secure the database
- Change the WordPress database table prefix
- Back up your site regularly
- Set strong passwords for your database
Step 4: Secure your hosting setup
- Protect the wp-config.php file
- Disallow file editing
- Connect the server correctly
- Set directory permissions carefully
- Disable directory listing with .htaccess
Step 5: Secure your WordPress themes and plugins
Step 1: Secure the login page and prevent brute force attacks
The WordPress login page URL is public knowledge. Everyone knows that to access a WordPress backend you need to go to the login page, and that is why people try to force their way in. Just add /wp-login.php or /wp-admin/ to the end of your domain name and there you are. Here are some suggestions for securing your login page:
- Set up website lockdown and ban users
The lockdown feature locks the site down immediately whenever there are repeated failed login attempts with wrong passwords. The plugin recognizes that a hacking attempt is under way and prevents that IP address from accessing the website’s backend. You can specify the number of failed login attempts after which the plugin bans the attacker’s IP address. The iThemes Security plugin is one of the best such plugins on the market, and I’ve been using it for several of my blogs.
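The lockdown logic described above, as an added example that is not part of the original article or of any plugin: a shell script that counts failed POST requests to /wp-login.php per client IP in a combined-format access log and reports the IPs that reach a ban threshold. The log lines are constructed for this example; it assumes that a POST to wp-login.php answered with HTTP 200 is a failed login (WordPress re-renders the form) while a successful one redirects with 302.

```shell
#!/bin/sh
# Added example (not from the article): detect wp-login.php brute forcing from an
# Apache/Nginx combined-format access log, the way a lockdown plugin does before banning.
# Assumption: POST /wp-login.php + HTTP 200 = failed login; success redirects with 302.

# Constructed sample log lines for this example only (documentation IP ranges).
SAMPLE_LOG='203.0.113.7 - - [01/Oct/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.7 - - [01/Oct/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.7 - - [01/Oct/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.7 - - [01/Oct/2017:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.7 - - [01/Oct/2017:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
198.51.100.4 - - [01/Oct/2017:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2980
198.51.100.4 - - [01/Oct/2017:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [01/Oct/2017:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
192.0.2.9 - - [01/Oct/2017:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3021'

# failed_logins_per_ip: prints "<count> <ip>" for every IP with at least one failed
# attempt, highest count first. $1 = path to the log file.
# Field layout: $1 ip, $6 "METHOD (with opening quote), $7 path, $9 status code.
failed_logins_per_ip() {
  awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# ips_to_ban: prints only the IPs whose failed-attempt count reaches the limit in $2.
ips_to_ban() {
  failed_logins_per_ip "$1" | awk -v limit="$2" '$1 >= limit { print $2 }'
}

# Stand-alone run: write the constructed log to a temp file and report offenders.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
echo "Failed wp-login.php POSTs per IP:"
failed_logins_per_ip "$tmp"
echo "IPs reaching the ban threshold (5 failures):"
ips_to_ban "$tmp" 5
rm -f "$tmp"
```

Point the functions at your real access log and feed the output of ips_to_ban to your firewall or plugin ban list; the GET request and the successful 302 login in the sample are deliberately not counted.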
- Enable Two-Factor Authentication
Two-factor authentication (2FA) at the login page is another good security measure. I advise you to use a secret code while deploying 2FA on any website. The Google Authenticator plugin helps with that in just a few clicks.
- Use your E-mail to Log In
Using an email address instead of a username is a more secure approach. 85% of usernames are usually predictable (admin or your name), while email addresses are not. Additionally, every WordPress user account is created with a unique email address, which makes it a valid identifier for logging in. Install and activate WP Email Login; it requires no configuration at all.
- Rename your Login URL
Next, replace the login URL. The idea is to keep an unauthorized person from finding the login page at all: only users who know the unique URL can reach it. For example:
- Change wp-login.php to something unique, e.g. my_secret_login
- Change /wp-admin/ to something unique, e.g. website_users_Steaks
- Change /wp-login.php?action=register to something unique, e.g. Developer_registration_portal
- Update your Passwords Regularly
Change your password regularly (a good rule of thumb is every three months). Use uppercase and lowercase letters, numbers, and special characters in your password to improve its strength.
- Add Security Questions to your WordPress Login Page
Adding security questions to the WordPress login and registration pages is simple. Install and activate WP Security Questions from the WordPress plugins directory. The plugin enables a security question option on the WordPress registration, login and forgot-password screens.
Once the plugin is installed on your website, navigate to Settings > WP Security Questions > Settings. By default, this plugin comes with many questions already added. You can add or remove any questions from the list.
Your login screen will then ask for your username, password, and security answer.
Step 2: Secure your admin dashboard
- Protect the wp-admin directory
Use the AskApache Password Protect plugin to secure the admin area. With this plugin, the website admin can access the dashboard only by submitting two passwords: one protects the login page and the other the WordPress wp-admin directory. If some website users need access to particular parts of wp-admin, you can unblock those parts individually.
- Use SSL to Encrypt Data
An SSL certificate (Secure Sockets Layer) provides security for your website by encrypting communications between the server and the person visiting the website. It is required on e-commerce sites that accept credit card payments online. Good hosting companies such as HostGator, Bluehost and Metropolitan Host offer free SSL with their hosting packages.
In October 2017 Google Search Console warned that Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode. The message read: “The following URLs on your site include text input fields (such as <input type="text"> or <input type="email">) that will trigger the new Chrome warning.”
- Secure the Credentials of your Collaborators
Whether you run an e-commerce website, a blog, or a normal website, you will have to deal with collaborators (authors, shop keepers, editors, admins). Hackers may try to breach your site by using a collaborator’s username and password, since those accounts often have weaker security measures than the admin’s. Use a plugin like Force Strong Passwords for your users if you want to make sure that whatever passwords they use are secure.
- Change the Admin Username
When installing WordPress for the first time, new users often choose “admin” as the username for their main administrator account. Technically speaking, you are handing the hacker the username, and all they need to figure out is the password.
If you have already installed the iThemes Security plugin, it can help you stop such attempts cleverly by immediately banning any IP address that attempts to log in with that username.
- Monitor Your Files
If you have developers you collaborate with, you might need to keep an eye on which plugins or files they are using on your website. You can monitor changes to the website’s files via plugins like Wordfence. Keep a sharp eye on any file changes or new files being introduced to the system: a backdoor file can be planted on your website and used to access it anonymously.
Step 3: Secure the Database
- Change the WordPress Database Table Prefix
By default when installing WordPress, the system creates a database (visible in phpMyAdmin) to store all the data your website needs. This database has a default table prefix, wp_. Using the default prefix makes your site’s database tables easy to guess and therefore prone to SQL injection attacks. Such attacks can be prevented by changing wp_ to some other term, e.g. mywp_, wpnew_ or WPDBS_.
- Regularly Backup your Website
Technology is continuously being updated and improved, which by default creates new opportunities for hackers to access websites by discovering new breaches in the updates. To guard against this, back up your website on a monthly or maybe weekly basis (depending on how much activity you have and what type of website you run). There are several backup plugins on the market that you can install, but I always recommend backing up the site files and database manually at least on a quarterly basis.
- Set Strong Passwords for your Database
Not only is your wp-admin protected by a password; your database also has a password, which WordPress uses to access it. If you installed your WordPress blog yourself, this is nothing new to you. Make sure you have a strong password for the main database user. You can use password generator tools to help you create a random, secure password.
Step 4: Secure your Hosting Setup
- Protect the wp-config.php file
The wp-config.php file is the core of your WordPress website; in fact it is the most important file in your site’s root directory. Let us change the location of the wp-config.php file so it becomes harder to locate. Follow these steps:
- Access your cPanel through your hosting account, or connect through FTP
- Locate the wp-config.php file in your root directory
- Move the wp-config.php file one level above your root directory
- Disallow File Editing
If a user has admin access to your WordPress site, it means they can edit any files that are part of your WordPress installation, including all plugins and themes, from Appearance > Editor > functions.php or any other file.
To prevent users from doing this, add the following line to the bottom of your wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
- Connect the Server Correctly
When setting up your site, connect to the server only through SFTP or SSH. SFTP is always preferred over traditional FTP because of its security features, which FTP of course lacks. Many hosting providers such as HostGator, Bluehost and Metropolitan Host offer this service as part of their package.
- Set Directory Permissions Carefully
A wrong directory permission scheme for WordPress can be devastating, especially if you’re working in a shared hosting environment. To secure the website at the hosting level, change the file and directory permissions: setting directories to “755” and files to “644” protects the whole file system – directories, sub-directories, and individual files. This can be done either manually via the File Manager inside your hosting control panel, or through the terminal (connected with SSH) using the “chmod” command.
- Disable Directory Listing with .htaccess
Every directory on your website should have an index.html file. Otherwise, if you create a directory called “Client-portal”, anyone can see everything in that directory without typing in any password simply by entering https://www.yourwebsite.com/Client-portal/ in their browser.
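The permission scheme from the previous section and the directory-listing fix from this one, as one added shell script that is not part of the original article: it sets directories to 755 and files to 644 with chmod, appends the Apache directive Options -Indexes to the root .htaccess once, and drops an empty index.html into every directory that has no index file. It assumes Apache honours .htaccess files (AllowOverride Options) and a GNU/Linux userland.

```shell
#!/bin/sh
# Added example (not from the article): harden a WordPress install at the file-system
# level. Usage: ./harden.sh /path/to/wordpress
# Assumptions: Apache with AllowOverride Options enabled, GNU find/chmod available.

# set_wp_permissions: 755 on every directory, 644 on every regular file below $1.
set_wp_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# disable_directory_listing: add "Options -Indexes" to the root .htaccess exactly once,
# and create an empty index.html in any directory lacking index.html/index.php, so a
# request for the bare directory URL never shows its contents.
disable_directory_listing() {
  htaccess="$1/.htaccess"
  grep -qs '^Options -Indexes' "$htaccess" || printf 'Options -Indexes\n' >> "$htaccess"
  find "$1" -type d | while read -r dir; do
    [ -e "$dir/index.html" ] || [ -e "$dir/index.php" ] || : > "$dir/index.html"
  done
}

# check_permissions: succeeds only if nothing under $1 deviates from 755/644.
check_permissions() {
  [ -z "$(find "$1" -type d ! -perm 755)" ] && [ -z "$(find "$1" -type f ! -perm 644)" ]
}

# harden_wordpress: create the new files first, then fix permissions, then verify,
# so the freshly created .htaccess and index.html files end up at 644 too.
harden_wordpress() {
  disable_directory_listing "$1"
  set_wp_permissions "$1"
  check_permissions "$1"
}

# Stand-alone run against the path given on the command line (no-op when none given).
if [ -n "$1" ]; then
  harden_wordpress "$1" && echo "hardened $1"
fi
```

Running the script twice is safe: the .htaccess directive is not duplicated and existing index files are left untouched.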
Step 5: Secure your WordPress Themes and Plugins
- Update Regularly
WordPress updates are frequent and do not occur at set times. These updates fix bugs and sometimes contain vital security measures. Not updating your themes and plugins in a timely manner may put your website at risk. Update your WordPress website regularly, and don’t forget to update themes and plugins as well.
- Remove your WordPress Version Number
You can hide your WordPress version number with almost every security plugin mentioned above. The version number makes it easier for hackers to know which breaches apply to your system based on the WordPress version you are using.
- Add Simple History Plugin
Keep track of what other people are doing. Simple History shows recent changes made within WordPress, directly on your dashboard or on a separate page.