Tricks You Should Know for Securing Your WordPress Website
Today everybody complains about WordPress security, and my opinion is that yes, WordPress is indeed vulnerable to all sorts of attacks. But we shouldn't blame WordPress. Why? If your website gets hacked it is entirely your responsibility, because WordPress has only provided you with a starting point on which you build and improve. So today we decided to give you information on how to secure your WordPress website.
Securing Your WordPress by securing the default WordPress login page.
Everybody knows the default login URL of WordPress, from which you can access the back end of your website. That default URL is the reason people try to brute-force your website: they simply append wp-login.php or wp-admin to your domain name and that's it.
So we recommend customizing this to something of your own choosing, something only you know. This is the first thing you should do to secure your website.
Below are the steps you should take to secure your website.
1. Set up a lockdown for your website and ban users who fail to log in
Adding a lockdown feature for users who fail to log in solves many problems. For example, it stops continuous brute-force attacks: whenever somebody attempts an attack by entering repeated wrong passwords, your website will block that IP address and send you an email informing you about the activity.
After some research we found the Wordfence Security plugin to be the best for this job; my clients and I have been using it for quite some time now. It offers a lot in this area: you can set the number of login attempts a user may make before being banned, and if the banned account turns out to be a legitimate user you can unblock them with one click. It is a great plugin you should try. Alternatively, you can use other plugins such as Login LockDown.
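The lockdown plugins above count failed logins per IP address and block once a threshold is reached. The following added example (not code from the article or from any of the plugins it names) shows the same detection logic over a web server access log, so you can see which IP addresses a lockdown rule would have caught even without a plugin. It relies on one WordPress behaviour: a failed login is a POST to wp-login.php answered with HTTP 200 (the form is re-rendered), whereas a successful login is answered with a 302 redirect. The log lines are constructed for the demo and use documentation IP ranges; the threshold of 5 is an assumption.

```shell
#!/bin/sh
# Added example: count failed WordPress logins per client IP in an Apache-style
# access log and list the IPs that reach a lockdown threshold.

# Constructed sample log (combined log format), not real traffic.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2990 "-" "Mozilla/5.0"'

# failed_logins_per_ip LOGFILE
# Prints "count ip" for every IP with at least one failed login, highest first.
# Field layout of the combined log format: $1 = client IP, $6 = "\"POST",
# $7 = request path, $9 = status code.
failed_logins_per_ip() {
    awk '$6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# offending_ips LOGFILE THRESHOLD
# Prints only the IPs whose failed-login count is >= THRESHOLD, one per line.
offending_ips() {
    failed_logins_per_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Demo on the constructed sample.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    echo "Failed login attempts per IP:"
    failed_logins_per_ip "$tmp"
    echo "IPs at or above 5 failures (what a lockdown rule would block):"
    offending_ips "$tmp" 5
    rm -f "$tmp"
}
demo
```

On a real server you would point `offending_ips` at the live access log and feed the result to whatever blocking mechanism you use; the 302-on-success detail is also why the one successful login from 198.51.100.7 is not counted.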
2. Always use two-factor authentication to log in to your website.
Using two-factor authentication (2FA) for logging in to your website is another way to improve its security. Once you set up 2FA for your login, the user is asked to enter two things, chosen by the website owner: for example a password and a security question, or a password and a security code.
We personally prefer a password plus a security question when deploying 2FA on our own and our clients' websites. Below are some of the plugins you can use for two-factor authentication.
- Google Authenticator – Two Factor Authentication (2FA)
- Two Factor Auth
- Two Factor Authentication
3. Use your email address instead of your username to log in
By default you have to enter a username to log in, but you can change this so that an email address is used instead, which is a more secure way to log in. Why email rather than username? Because a username is easy to guess or find out, while an email address is harder, and every WordPress account is created with a unique email address.
WP Email Login is the plugin you will love for this job, and it works out of the box: just install and activate it and it starts working right away, with no configuration or settings required. Some other plugins that do the same job are listed below.
- Email Login
- Force Email Login
- Email Login Auth
4. Customize your login URL
Customizing the default WordPress login URL is easy. By default everyone can reach the WordPress login page by writing wp-admin or wp-login.php after the domain name, and since hackers know this they will try to brute-force your website with their own DWDb, the tool they use to guess the password for each username (username: internetseekho, password: internetseekho321, and millions of other such combinations stored in their guess-work database).
If you have followed all of our suggested tips so far, you have already limited users' login attempts and swapped the username for an email address; if you now also replace the default login page, you will get rid of 99.9% of attacks.
Here you can use the iThemes Security plugin for the job: just install it and go to its settings, from where you can change your default login from wp-admin to something like is-admin, and from wp-login.php to something like is-login.php, or anything of your own choosing.
Also change /wp-login.php?action=register to something only you know.
5. Keep a strong password
Change the password of your website at least once a week. Also generate your password with a standard free password generator, and keep a strong password that cannot be cracked easily.
Secure your WordPress admin panel
The most attractive part of your WordPress website to a hacker is obviously your admin panel, which should therefore be the most secure place of your website. Attacking the strongest place of a website is attractive to hackers, and this is the place from which they can do a lot of damage to your website.
Here are some tips by which you can improve the security of your WordPress dashboard.
1. Password-protect your wp-admin directory
Everything has a heart, by which we mean the main component on which the whole thing depends. The heart of WordPress is the wp-admin directory: if it gets hacked you are done with your website, because this is the place from which a lot of damage can be done. So let us figure out ways to secure this part of your website.
One way to protect the wp-admin directory is to password-protect it, so that an owner who wants to reach the dashboard has to give two passwords: one for the website and a master password for the wp-admin directory. If for some reason the website's users need access to some parts of it, you can unblock those parts with some simple configuration.
You can use the AskApache Password Protect plugin for the job; it automatically generates the .htaccess file with the password-protection configuration and the correct file access permissions, which can be changed later according to your own needs.
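What the plugin generates under the hood is an Apache .htaccess that puts HTTP Basic authentication in front of wp-admin. The added example below (not the article's or the plugin's code) writes such a file by hand for Apache 2.4 and includes the "unblock some parts" configuration the paragraph mentions: admin-ajax.php must stay reachable without the second password, because themes and plugins call it from the public front end. The directory and htpasswd paths are assumptions for the demo; the htpasswd file should live outside the web root and is created with Apache's `htpasswd -c` utility.

```shell
#!/bin/sh
# Added example: Basic-auth protection for wp-admin via .htaccess (Apache 2.4).

# write_wpadmin_htaccess WP_ADMIN_DIR HTPASSWD_FILE
# Writes WP_ADMIN_DIR/.htaccess demanding a valid user from HTPASSWD_FILE,
# except for admin-ajax.php, which front-end code needs to reach unauthenticated.
write_wpadmin_htaccess() {
    cat > "$1/.htaccess" <<EOF
# Second password in front of the WordPress dashboard
AuthType Basic
AuthName "Restricted dashboard"
AuthUserFile $2
Require valid-user

# Front-end AJAX calls must keep working without the extra password
<Files "admin-ajax.php">
    Require all granted
</Files>
EOF
}

# htaccess_has_auth FILE
# Exit 0 when FILE enforces Basic auth and still exempts admin-ajax.php,
# non-zero otherwise. Useful as a quick check after the file has been edited.
htaccess_has_auth() {
    grep -q '^AuthType Basic' "$1" &&
    grep -q '^Require valid-user' "$1" &&
    grep -q 'admin-ajax.php' "$1"
}

# Demo: write the file into a scratch directory and show it.
demo() {
    d=$(mktemp -d)
    write_wpadmin_htaccess "$d" "/srv/example/.htpasswd"   # assumed path
    cat "$d/.htaccess"
    htaccess_has_auth "$d/.htaccess" && echo "check: ok"
    rm -rf "$d"
}
demo
```

Create the credentials file once with `htpasswd -c /srv/example/.htpasswd yourname` (path assumed), then copy the generated .htaccess into wp-admin; if your host still runs Apache 2.2 the exemption block needs the older `Satisfy Any` / `Allow from all` syntax instead.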
2. SSL data encryption
A smart move to secure your website is to implement SSL (Secure Sockets Layer); it will improve your ranking in Google and make your website more secure. SSL ensures that data is transferred securely between the client's browser and the server, making it nearly impossible for hackers to get their hands on the data in transit.
Setting up SSL is not a big issue: you can simply ask your hosting provider to enable an SSL certificate, and the good thing is that in most cases it is provided free of charge.
Once they have enabled the SSL certificate, you just need to install the free plugin for Let's Encrypt, the free open-source SSL certificate authority; I use this for my own website and for my clients too.
All good hosting providers use Let's Encrypt with their packages. As described above, it will also rank you higher in Google; you can read its complete manual by clicking here.
3. Add users with 100% attention and care.
If your blog is run by multiple people, such as multiple authors writing for your website, then multiple users access your admin panel, and in this situation you are more exposed to security threats.
Don't worry: in this case you can use the Force Strong Passwords plugin to ensure that all of your users register and log in with a strong password.
4. Never keep admin as your username.
When installing WordPress, you should never keep "admin" as your administrator account name. The main tool of hackers is guessing, and admin is a really easy and obvious guess; with it they are just one step away from hacking your website, which is guessing your password.
I can share screenshots from Wordfence Security showing how many times it has blocked such attempts. You can also use Wordfence Security to block such attempts.
5. Keep a daily check on your files
You can use Wordfence Security to keep track of changes to your website's files. It adds a bit more security to your website.
Secure your website's database
All the data and settings of your website are stored in its database, so the most crucial thing is to take proper care of it. Below are some tips to take care of it in order to ensure your website's security.
1. Change your database table prefix.
If you have installed WordPress you are probably aware of the wp_ table prefix that WordPress uses for its database tables by default. I highly recommend changing it to something unique, because the default prefix leaves you more open to hackers: they know wp_ is the default, and they will try SQL injection against the default prefix to get hints or even useful information about the table design and table data.
So change it to something unique, such as mywp or anything of your own choosing.
If WordPress is already installed on your website with the default table prefix, you can use the iThemes Security plugin to change it; a pretty simple setting lets you do that.
You can also use another plugin, WP-DBManager, for the same job.
2. Set up a strong password.
Use a really strong password for accessing your WordPress database, the one you enter when installing WordPress. As always, use a password generator to generate it.
3. Back up your database daily.
No matter how much you secure your website there is always a way in, and keeping yourself on the safe side is always the better choice. So take a backup of your website daily: if it gets hacked, restoring will not be a problem, as all you will have to do is reinstall the backup you took.
Secure your website's themes and plugins.
WordPress themes and plugins are the most important things on your website, but unfortunately they can also be the target that lets a hacker into your website. Now let us find out how to secure them.
1. Update WordPress, its themes and its plugins regularly.
As you may or may not know, every good piece of software is supported and maintained by its developers and updated over time, as the developers fix their mistakes and the vulnerabilities in the product.
So updating your themes and plugins can save you a lot of trouble, because hackers know that many people don't take the time to update their themes and plugins, and they will target you through the loopholes of previous versions.
2. Hide your WordPress version number.
The current version number of your WordPress installation can easily be found because it sits in your page source, so it is always better to hide it: if a hacker knows what version you are using, it is pretty easy to prepare the perfect attack to target your website.
Secure your hosting.
Every hosting company promises to provide the best, but there is always room for improvement; let us look at it step by step.
1. wp-config file protection.
wp-config.php is the file that holds all of your passwords and details about your site, such as your database name and user name, which is really crucial data for your website's security. wp-config.php is the heart of WordPress: if somebody gets access to it, they can do whatever they want with your website.
When the wp-config.php file is inaccessible to a hacker, it is really hard to hack a WordPress website, and the good news is that this is really easy to achieve.
All you have to do is change the location of your wp-config.php file: just move it one directory higher and you are done. Now, how will the server know that we have moved the config file one step higher? WordPress's loader is written to look for wp-config.php in its own directory and, failing that, one directory above (one level only), so WordPress will have no problem finding the config file.
2. Disable file editing.
If you have given multiple users admin access, all of your admins can edit your theme and plugin files from the dashboard. If you disable this feature, then even a hacker who gains admin access to your website cannot amend those files from there. Doing this is really easy: go to your cPanel, find the wp-config.php file in your WordPress directory, add the line shown below to it, and you are done.
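The line in question is the WordPress constant `DISALLOW_FILE_EDIT`; this added example (not code from the article) inserts it into wp-config.php from the shell and verifies the result. The one detail that trips people up is placement: the define has to appear before the line that requires wp-settings.php, so the function inserts it above the "stop editing" marker every stock wp-config.php carries instead of appending to the end of the file. The sample wp-config.php is a constructed, minimal stand-in for the demo.

```shell
#!/bin/sh
# Added example: disable the dashboard theme/plugin editor via wp-config.php.

# make_sample_wpconfig PATH
# Writes a constructed, minimal wp-config.php for the demo (not a real one).
make_sample_wpconfig() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
EOF
}

# disable_file_edit WP_CONFIG_PATH
# Inserts define( 'DISALLOW_FILE_EDIT', true ); just above the "stop editing"
# marker. Idempotent: a second run leaves the file unchanged.
disable_file_edit() {
    cfg="$1"
    if grep -q "DISALLOW_FILE_EDIT" "$cfg"; then
        return 0
    fi
    tmp="$cfg.tmp.$$"
    awk '/stop editing/ && !done { print "define( '\''DISALLOW_FILE_EDIT'\'', true );"; done=1 }
         { print }' "$cfg" > "$tmp" &&
    mv "$tmp" "$cfg"
}

# file_edit_disabled WP_CONFIG_PATH
# Exit 0 only if the define is present AND occurs before wp-settings.php is
# loaded; a define placed after that line has no effect.
file_edit_disabled() {
    awk '/DISALLOW_FILE_EDIT/ { seen = 1 }
         /wp-settings\.php/   { found = seen; exit }
         END { exit !found }' "$1"
}

# Demo on the constructed sample.
demo() {
    f=$(mktemp)
    make_sample_wpconfig "$f"
    disable_file_edit "$f"
    cat "$f"
    file_edit_disabled "$f" && echo "check: file editing disabled"
    rm -f "$f"
}
demo
```

Run `disable_file_edit /path/to/wp-config.php` on the real file (back it up first) and then `file_edit_disabled` as the check; the Appearance and Plugins editor menu items disappear from the dashboard on the next page load.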
3. Set up your file access permissions properly.
If you are using shared hosting, wrong file access permissions can lead to very serious problems; in this situation, setting proper directory and file permissions can really secure your website.
If you want to protect your website at the hosting level, set your directory permissions to 755 and your file permissions to 644; this protects your whole website at the hosting level, since your directories, subdirectories and individual files are then all secured.
This can be done either with the file manager in your hosting panel or manually from the terminal with the chmod command.
For more information, read the WordPress Codex to understand everything about the file system of a WordPress website.
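The terminal version of the 755/644 scheme, as an added example that is not from the article: one function applies the permissions with `find` and `chmod`, and a second one lists anything that deviates, which doubles as the daily file check mentioned earlier in the article when run from cron. The sample tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example: apply and verify 755 (directories) / 644 (files) on a
# WordPress tree.

# set_wp_permissions WP_ROOT
set_wp_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# find_wrong_permissions WP_ROOT
# Prints every path that deviates from the 755/644 scheme; prints nothing
# when the tree is clean.
find_wrong_permissions() {
    find "$1" -type d ! -perm 755 -print
    find "$1" -type f ! -perm 644 -print
}

# permissions_ok WP_ROOT
# Exit 0 when nothing deviates, non-zero otherwise (suitable for cron alerts).
permissions_ok() {
    [ -z "$(find_wrong_permissions "$1")" ]
}

# make_sample_tree DIR
# Constructed mini WordPress layout with deliberately wrong permissions.
make_sample_tree() {
    mkdir -p "$1/wp-content/uploads"
    printf '<?php\n' > "$1/index.php"
    printf 'jpg\n'   > "$1/wp-content/uploads/a.jpg"
    chmod 777 "$1/index.php"            # world-writable file
    chmod 700 "$1/wp-content/uploads"   # directory the web server cannot read
}

# Demo: show the deviations, fix them, show the tree is clean.
demo() {
    d=$(mktemp -d)
    make_sample_tree "$d"
    echo "Before:"; find_wrong_permissions "$d"
    set_wp_permissions "$d"
    echo "After:";  find_wrong_permissions "$d"
    permissions_ok "$d" && echo "check: ok"
    rm -rf "$d"
}
demo
```

A line such as `permissions_ok /var/www/html || mail -s "WordPress permissions drifted" you@example.com` (addresses and paths assumed) in a daily cron job turns the check into the kind of alert the article asks for; the WordPress hardening documentation additionally suggests tightening wp-config.php below 644, which this script deliberately leaves at the article's scheme.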
4. Disable directory listings using .htaccess.
Suppose you create a directory on your server by the name of "website" and don't add an index.html to it. You would be surprised to learn that your visitors can see the complete listing of that directory by simply visiting a link like demo.com/website, and for this they don't even need a password.
You can stop this by adding the following line to your .htaccess file.
Options All -Indexes