CMS: WordPress Security Guide
Why Website Security Matters
A hacked WordPress site can do serious damage to a business. Attackers can steal user data and payment details, harvest passwords, plant malicious code, and use the site to push malware to its own visitors.
Google has reported warning users away from around 50,000 websites that may contain malware or steal information, and blacklisting those sites. Protecting the site is the responsibility of whoever owns or builds it.
Security should be a standing concern for every site owner, so it pays to follow the WordPress security baseline. This post collects the practical steps I use to protect a WordPress site from attackers and malware.
WordPress core is well maintained and reviewed by hundreds of developers. Most compromises come instead from weak credentials, careless configuration, and out-of-date plugins and themes, and the basic steps below target exactly those.
1] Generate Custom Secret Keys:
wp-config.php holds the settings WordPress needs to start: the MySQL database name, username and password, and the eight secret keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their matching _SALT values) that sign login cookies and nonces. It is the most sensitive file in the site's folder structure. If the keys are still the installer placeholder "put your unique phrase here", or are short and guessable, login cookies and nonces become far easier to forge, so give them unique values. Fresh keys can be fetched from the official generator at https://api.wordpress.org/secret-key/1.1/salt/; every reload of that page (F5) returns a new set. Paste them into wp-config.php in place of the existing define() lines. Note that changing the keys invalidates every existing login cookie, so all users, including you, are logged out.
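As an added example (not from the original post), the following shell script generates the eight keys locally from /dev/urandom instead of fetching them from api.wordpress.org, checks an existing wp-config.php for the installer placeholder or short values, and splices fresh definitions in where the old ones stood. The 64-character key length, the 32-character minimum in the check, and the file paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original post. Rotate and check the
# WordPress secret keys and salts in a wp-config.php.

# The eight constants WordPress reads for cookie and nonce signing.
WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# One 64-character secret from /dev/urandom (length is an assumption), limited
# to characters that are safe inside a single-quoted PHP string: no quote and
# no backslash, so nothing needs escaping when it is pasted into the file.
wp_random_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*_=+<>?,.:;~-' < /dev/urandom | head -c 64
}

# Print the eight define() lines in wp-config.php syntax.
wp_generate_salt_defines() {
    for name in $WP_SALT_NAMES; do
        printf "define('%s', '%s');\n" "$name" "$(wp_random_secret)"
    done
}

# Exit 0 if every key is present, is not the installer placeholder and is at
# least 32 characters long (assumed minimum); otherwise list the weak ones.
wp_check_salts() {
    config="$1"
    status=0
    for name in $WP_SALT_NAMES; do
        value=$(sed -n "s/^[[:space:]]*define([[:space:]]*'$name',[[:space:]]*'\([^']*\)'.*/\1/p" "$config" | head -n 1)
        if [ -z "$value" ] || [ "$value" = "put your unique phrase here" ] || [ "${#value}" -lt 32 ]; then
            echo "WEAK $name"
            status=1
        fi
    done
    return $status
}

# Replace the existing key/salt definitions in place. Changing them logs every
# user out, because all session cookies were signed with the old values.
wp_rotate_salts() {
    config="$1"
    tmp="$config.tmp.$$"
    awk -v block="$(wp_generate_salt_defines)" '
        # Print the new block where the first old definition stood; drop the rest.
        /^[[:space:]]*define\([[:space:]]*'\''(AUTH|SECURE_AUTH|LOGGED_IN|NONCE)_(KEY|SALT)'\''/ {
            if (!done) { print block; done = 1 }
            next
        }
        # No old definitions: insert before wp-settings.php is loaded, because
        # constants defined after that line are ignored by WordPress.
        /wp-settings\.php/ && !done { print block; done = 1 }
        { print }
    ' "$config" > "$tmp" && mv "$tmp" "$config"
}

# Usage on a real install (path is an assumption):
#   wp_check_salts /var/www/html/wp-config.php || wp_rotate_salts /var/www/html/wp-config.php
```

The check is worth running on every site you inherit: an installer that was interrupted, or a wp-config.php copied from a tutorial, often still carries the placeholder text.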
2] Enable Two-Factor Authentication:
Two-factor authentication (2FA) adds a second proof of identity, typically a time-based one-time code from an authenticator app, on top of the password for each WordPress account. It limits the damage from password reuse, credential stuffing and keyloggers, because a stolen password alone no longer gets an attacker in. It is a mitigation rather than a cure: a one-time code can still be phished in real time, so keep the strong-password advice in section 4 as well.
The requirement can be enabled per user. At a minimum enable it on every administrator account; less privileged accounts can log in as before, though any account that can publish content or install plugins is worth protecting too.
2FA is quickly becoming one of the most reliable ways to protect online accounts, and most serious services now expect their users to enable it.
WordPress core has no built-in two-factor authentication, but it can be added with a third-party plugin such as:
1] Google Authenticator (https://wordpress.org/plugins/google-authenticator/)
3] Secure the login page and prevent brute force attacks
Everyone knows the standard WordPress login URL: append /wp-login.php or /wp-admin/ to the domain name. That is the door to the site's backend, so automated scanners hit it on every WordPress site they find, and it is one of the main ways sites get compromised.
I strongly recommend customizing the login URL (and, where the plugin supports it, the login page's behaviour) as the first thing after setting up a WordPress site:
Change wp-login.php to something unique; e.g. my_new_login
Change /wp-admin/ to something unique; e.g. my_new_admin
Change /wp-login.php?action=register to something unique; e.g. my_new_registration
A plugin such as iThemes Security (formerly Better WP Security) (https://wordpress.org/plugins/better-wp-security/) can do this.
Be clear about what this buys you: it is obscurity that cuts the noise from dumb scanners, not a control that stops a targeted attacker. In particular, xmlrpc.php still accepts username and password authentication for its API methods, so either disable XML-RPC if nothing uses it or make sure the login limits in section 6 cover it too.
4] Change the admin username and use strong passwords:
When installing WordPress, never keep "admin" as the administrator username. It is the first username every attacker tries, and once the username is known all they need to guess is the password before the whole site is in the wrong hands.
When I checked my own website logs I found repeated login attempts with the username "admin", so be careful.
Bear in mind that renaming the account only removes the easy guess: WordPress still discloses usernames through author archives (/?author=1 redirects to the author's slug) and the REST API users endpoint, so a unique username is no substitute for a strong password and login limits.
Many WordPress compromises use stolen or reused passwords. Make that harder with a long password that is unique to the site, and not only for the WordPress admin area: the FTP or SFTP account, the database user, the hosting control panel and the e-mail address that receives password resets all deserve the same treatment.
The usual reason people avoid strong passwords is that they are hard to remember. You do not need to remember them; use a password manager such as:
5] Change the WordPress database table prefix:
A default installation creates its tables with the prefix wp_ (wp_users, wp_options, wp_posts and so on). A common recommendation is to change it to something unique, such as wpnew_ or a short random string, at install time.
Be realistic about the benefit. A different prefix does not prevent SQL injection: an injectable query already runs with the site's database credentials, and the real table names can be read from information_schema, so an attacker simply looks them up. What it does is defeat the crudest automated scripts that blindly query wp_users. Treat it as a low-value tweak, never as a substitute for keeping plugins patched.
If the site is already installed with the default prefix, a plugin such as WP-DBManager or iThemes Security can rename the tables for you. It is not just a rename: the prefix is also embedded in option names (wp_user_roles in the options table) and in user meta keys (wp_capabilities, wp_user_level), and all of those must change together or every account loses its roles. Take a full backup of the database before doing anything to it.
6] Limit Logins Based on Number of Failed Attempts:
By default, WordPress lets a client try to log in as many times as it likes. That leaves the site open to brute force attacks: an attacker simply cycles through username and password combinations on wp-login.php (and, just as easily, through xmlrpc.php) until one works.
Limiting failed attempts locks an account, or blocks the source IP, once the wrong password has been entered more than a set number of times within a set window. The lockout lasts for a configured period, and addresses that keep hammering the site can be blacklisted outright. Lock on the combination of IP and username rather than on the account alone, or an attacker can deliberately lock your own administrators out.
The Jetpack plugin's Protect module is one option that provides this kind of brute-force protection.
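Whatever plugin enforces the limit, the web server log is where the attack is actually visible. As an added example (not from the original post), the shell function below reads an access log in combined format from standard input and prints every client IP with at least N suspicious login requests. The log lines are constructed for the example and the threshold is a parameter you choose; the IPs, timestamps and user agents are made up.

```shell
#!/bin/sh
# Added example, not part of the original post. Spot login brute-forcing in a
# web server access log (combined log format) so the source IPs can be blocked.

# Constructed sample log: twelve failed logins from one address, one normal
# login (a GET of the form, then a POST that redirects) from another, and three
# XML-RPC posts from a third.
sample_access_log() {
    i=1
    while [ "$i" -le 12 ]; do
        printf '203.0.113.7 - - [10/Oct/2023:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4127 "-" "python-requests/2.31"\n' "$i"
        i=$((i + 1))
    done
    printf '198.51.100.5 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4127 "-" "Mozilla/5.0"\n'
    printf '198.51.100.5 - - [10/Oct/2023:13:56:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
    printf '203.0.113.9 - - [10/Oct/2023:13:57:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"\n'
    printf '203.0.113.9 - - [10/Oct/2023:13:57:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"\n'
    printf '203.0.113.9 - - [10/Oct/2023:13:57:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"\n'
}

# wp_login_bruteforce_ips THRESHOLD  < access.log
# Count suspicious login traffic per client IP and print "ip count" for every
# address at or above the threshold, busiest first.
#   - a failed wp-login.php POST re-renders the form with HTTP 200, while a
#     successful one redirects (302), so only 200 responses count as failures;
#   - every POST to xmlrpc.php counts, because it accepts username/password
#     authentication and answers 200 whether or not the credentials worked.
wp_login_bruteforce_ips() {
    awk -v threshold="$1" '
        $6 == "\"POST" && (($7 ~ /^\/wp-login\.php/ && $9 == 200) || $7 ~ /^\/xmlrpc\.php/) {
            hits[$1]++
        }
        END { for (ip in hits) if (hits[ip] >= threshold) print ip, hits[ip] }
    ' | sort -k2,2nr
}

# Usage on a real server (log path is an assumption):
#   wp_login_bruteforce_ips 20 < /var/log/nginx/access.log
```

The output is a ready-made block list for a firewall, fail2ban, or a deny rule in front of wp-login.php; tune the threshold so that an administrator mistyping a password a few times does not appear in it.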
7] Disallow file editing
A user with administrator access to the WordPress dashboard gets a built-in code editor (Appearance > Theme File Editor and Plugins > Plugin File Editor) that can rewrite the PHP of any installed theme or plugin. That is the fastest way for an attacker who has obtained an admin session to drop a backdoor onto the server.
If you disallow file editing, the editor disappears and a hacker with admin access can no longer modify those files through the dashboard. They could still upload a new plugin; the stricter DISALLOW_FILE_MODS constant removes that too, at the price of also blocking plugin and theme updates from the dashboard.
Add the DISALLOW_FILE_EDIT constant, set to true, to wp-config.php above the line that loads wp-settings.php (the require_once of wp-settings.php). It must not go at the very end of the file: constants defined after that line are never seen by WordPress.
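Because the position matters, here is an added example (not from the original post) of a shell function that puts a wp-config.php constant where WordPress will read it, and a companion check that fails if the constant is missing or defined too late. The constant name and value are parameters; the install path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post. Set a wp-config.php constant
# such as DISALLOW_FILE_EDIT in the place where WordPress will actually read it.

# wp_set_config_constant FILE NAME VALUE
# Rewrites an existing define('NAME', ...) line, or inserts a new one just
# before wp-settings.php is loaded. Constants defined after that require line
# are ignored, which is why appending to the end of the file does not work.
wp_set_config_constant() {
    config="$1"; name="$2"; value="$3"
    line="define('$name', $value);"
    tmp="$config.tmp.$$"
    awk -v name="$name" -v line="$line" '
        /^[[:space:]]*define\(/ && index($0, "'\''" name "'\''") {
            if (!done) print line
            done = 1
            next
        }
        /wp-settings\.php/ && !done { print line; done = 1 }
        { print }
    ' "$config" > "$tmp" && mv "$tmp" "$config"
}

# wp_config_constant_is FILE NAME VALUE
# Exit 0 only if NAME is defined with VALUE before wp-settings.php is loaded.
wp_config_constant_is() {
    awk -v name="$2" -v value="$3" '
        /^[[:space:]]*define\(/ && index($0, "'\''" name "'\''") && index($0, value) { defined_at = NR }
        /wp-settings\.php/ { loaded_at = NR }
        END { exit !(defined_at && (!loaded_at || defined_at < loaded_at)) }
    ' "$1"
}

# Usage on a real install (path is an assumption). DISALLOW_FILE_MODS is the
# stricter option: it also blocks plugin and theme installs and updates from
# the dashboard, so only set it if you deploy those some other way.
#   wp_set_config_constant /var/www/html/wp-config.php DISALLOW_FILE_EDIT true
#   wp_config_constant_is  /var/www/html/wp-config.php DISALLOW_FILE_EDIT true && echo hardened
```

Run the check after every deploy: a provisioning script that appends to wp-config.php, or a restored backup, can quietly undo the setting while the file still looks correct.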
8] Set directory permissions
Correct file permissions matter everywhere, and most of all on shared hosting, where other customers' processes run on the same machine.
Setting directories to 755 (owner may write, everyone may list and traverse) and files to 644 (owner may write, everyone may read) is the standard baseline for the whole WordPress tree: directories, subdirectories and individual files. It does not make the tree untouchable, since the owning account and any process running as it can still write, but it stops every other user on the host from modifying your code. Tighten wp-config.php further, to 600 if PHP runs as the file owner or 640 with the web server's group otherwise, because it contains the database password and the secret keys. Never use 777: it lets any local user or compromised process overwrite the file.
Permissions can be set through the File Manager in the hosting control panel, or over SSH with the chmod command (usually driven by find, so directories and files get their modes separately).
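As an added example (not from the original post), these two shell functions apply that baseline over SSH and audit a tree for anything that drifts from it. The choice of 600 for wp-config.php assumes PHP runs as the file owner; the install path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post. Apply and audit the 755/644
# baseline on a WordPress tree, with a tighter mode for wp-config.php.

# wp_set_permissions ROOT
# Directories 755, files 644, wp-config.php 600. The 600 assumes PHP runs as
# the file owner (the usual shared-hosting setup); if the web server runs as a
# different user, use 640 and put that user's group on the file instead.
wp_set_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# wp_audit_permissions ROOT
# Print one "class path" line per deviation from the baseline; prints nothing
# when the tree is clean. World-writable entries are listed separately because
# those are the ones another tenant on a shared host could modify.
wp_audit_permissions() {
    root="$1"
    find "$root" -type d ! -perm 755 | sed 's/^/dir /'
    find "$root" -type f ! -name wp-config.php ! -perm 644 | sed 's/^/file /'
    find "$root" -type f -name wp-config.php ! -perm 600 | sed 's/^/config /'
    find "$root" -perm -002 | sed 's/^/world-writable /'
}

# Usage on a real install (path is an assumption):
#   wp_set_permissions /var/www/html && wp_audit_permissions /var/www/html
```

The audit is the part to keep: run it from cron after the baseline is applied, since plugins that unpack uploads or write caches tend to loosen modes again over time.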
9] Update regularly
WordPress releases updates frequently. They fix bugs and often contain vital security patches; once a fix is public, the vulnerability it closes is known to attackers and unpatched sites become the easy targets.
Neglecting theme and plugin updates is just as dangerous as running an old core, and a large share of WordPress compromises come through outdated plugins.
So if you are on an old WordPress version, update it, and update the plugins, the themes, everything. WordPress applies minor core releases automatically; turn on automatic updates for plugins and themes as well where you can, test on a staging copy first for anything business-critical, and delete plugins and themes you no longer use so they cannot be exploited either.
10] Remove WordPress version number
The WordPress version of a site is easy to read off: it is printed in a meta generator tag in every page header, appended as a ?ver= query string to core scripts and stylesheets, repeated in the generator element of the RSS feed, and stated in readme.html at the site root. If attackers know which version you run, they know exactly which published vulnerabilities apply and can build the matching attack.
Remove the generator tag by detaching the wp_generator action from wp_head (a theme or small plugin can do this with remove_action), strip the version query strings, and delete or deny access to readme.html. Treat this as tidying up rather than protection: the real fix is the previous section, because a current install has nothing to hide.
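To see what your own site currently discloses, here is an added example (not from the original post): a shell function that reads a page's HTML from standard input and reports each place the version appears. The sample page is constructed for the example, modelled on what an unmodified install emits; the version numbers and example.com URLs in it are made up.

```shell
#!/bin/sh
# Added example, not part of the original post. Find the places a WordPress
# page discloses its version, reading the HTML from standard input.

# Constructed sample page, modelled on what an unmodified install emits.
sample_page() {
    cat <<'EOF'
<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css?ver=6.4.2" />
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<link rel="alternate" type="application/rss+xml" href="https://example.com/feed/" />
</head><body></body></html>
EOF
}

# Print one "source version" line per disclosure, de-duplicated:
#   generator  the <meta name="generator"> tag added by the wp_generator action
#   asset      the ?ver= query string WordPress appends to core scripts and styles
#              (core assets carry the WordPress version; bundled libraries such
#              as jQuery carry their own, which is still useful to an attacker)
#   feed       the <generator> element in RSS/Atom feeds
wp_version_leaks() {
    page=$(cat)
    {
        printf '%s\n' "$page" | sed -n 's/.*<meta name="generator" content="WordPress \([0-9.]*\)".*/generator \1/p'
        printf '%s\n' "$page" | sed -n 's/.*wp-includes\/[^"?]*?ver=\([0-9.]*\).*/asset \1/p'
        printf '%s\n' "$page" | sed -n 's/.*wordpress\.org\/?v=\([0-9.]*\).*/feed \1/p'
    } | sort -u
}

# Usage against a live site (URL is an assumption); fetch the feed too:
#   curl -s https://example.com/      | wp_version_leaks
#   curl -s https://example.com/feed/ | wp_version_leaks
```

Run it again after applying the changes described above; if any line still comes back, a theme or plugin is re-adding the information and needs the same treatment.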
11] Monitor Sites using Security Plugins and Backup WordPress Site
Changes to the website's files can be monitored with plugins such as Acunetix WP Security, Wordfence or iThemes Security.
No matter how secure the site is or what precautions are taken, there is always room for improvement. Regular backups are the best antidote: whatever happens to the site, it can be restored. Back up both the files and the database, keep copies off the web server (a backup stored next to the site is lost in the same breach or disk failure), and restore one occasionally to prove the backups actually work.
The next thing to set up is auditing and monitoring that keeps track of what happens on the site: file integrity monitoring, failed login attempts, malware scanning and the like.
The free Sucuri Scanner plugin for WordPress covers these.
These are some basic, often overlooked measures that make a WordPress site a bit more secure. The other factors matter too: the hosting provider and server hardening, HTTPS with a valid TLS certificate, a well-maintained theme, and only the plugins you actually need.
Note: Before adding any third-party plugin, take a backup of the site including the database.
The more of these factors you take care of, the harder it gets for an attacker to break in.