Strengthening WordPress security is an important task that cannot be taken lightly.
I remember many years ago when I was new to WordPress.
Being new to WordPress, my understanding of security was still limited. On my first website, I didn’t know how to change the login page path, and I even kept the username admin.
Meanwhile, the site had an eye-catching interface, because I had paid for a theme from magazine3.
The inevitable result was that the site got hacked, with the goal of stealing the theme.
The consequences at the time were not terrible, because I had created that website only to familiarize myself with hosting and learn basic WordPress.
Now that I have stepped into professional blogging, I have gained some security knowledge, and in this article I have compiled a few simple ways to secure WordPress.
Admittedly, no website is absolutely secure. But when you lock the door carefully, you at least keep thieves away.
For the security measures in this article, I will use iThemes Security as the solution. It is the most popular WordPress security plugin, and you should install it on your website.
Read more: essential plugins for WordPress
Read more: Instructions for installing and using the Wordfence security plugin
Read more: Summary of the best WordPress security plugins
Contents
- 1. Limit login attempts and temporarily block IPs with too many failed logins
- 2. Use 2-Step Verification
- 3. Change the login page path
- 4. Use hard-to-remember passwords
- 5. Use SSL to Encrypt Data
- 6. Add user with strong password
- 7. Change admin username
- 8. Monitor file changes
- 9. Change the prefix for the table name in the database
- 10. Regular database backup
- 11. Create a strong password for the database
- 12. Update WordPress Regularly
- 13. Turn off file editing
- 14. Prevent executing php files in upload folder
- 15. Protect the WordPress Admin (wp-admin) folder with a password
- 16. Disable XML-RPC Feature in WordPress
- Epilogue
1. Limit login attempts and temporarily block IPs with too many failed logins
By default, the WordPress login screen does not limit the number of failed login attempts. This is what opens the door to brute force attacks, in which the attacker uses a script to generate username and password combinations and tries to log in until one matches.
To prevent brute force, you need to limit the number of attempts and temporarily block any IP address that fails too many times.
To solve this, I use the iThemes Security plugin. Once it is installed, you just need to click Secure Site; iThemes Security takes care of the rest.
Or you can use the Login LockDown plugin.
2. Use 2-Step Verification
Adding 2-factor authentication to the login screen is a good WordPress security measure. Anyone who wants to log in then needs a one-time secret code in addition to the username and password.
You can refer to the Google Authenticator installation guide to learn how to add this feature to your website.
The role of WordPress hosting
The WordPress hosting service you use also plays an important role in the security of your website. A host with good security, such as A2Hosting, takes extra measures to protect its servers against common attacks. In particular, its cPanel integrates Patchman to help quickly find and patch security holes in your website.
3. Change the login page path
By default, you access the WordPress login page via the URL yourdomain.com/wp-admin or yourdomain.com/wp-login.php.
Because this URL is so well known, WordPress websites attract a lot of brute force attacks.
Changing the URL of the login page is a simple but effective way to secure WordPress. Again, you use iThemes Security. Configure this feature at Settings -> Security -> Advanced, then click the Configure Settings button.
In the configuration screen, enter the path you want in the Login Slug box.
4. Use hard-to-remember passwords
Setting a strong and extremely hard-to-remember password is the way to prevent your WordPress website from being hacked. If you don’t know how to generate a strong password, use this password generator tool.
A better password generator tool you should use is secure-password-generator. It has a Vietnamese interface, so it is easier to use.
5. Use SSL to Encrypt Data
Using SSL is also a way to ensure the safety of information transmitted between the browser and the server. SSL encrypts your login information before it is sent to the server, so if hackers intercept the traffic, they cannot read it.
Getting an SSL certificate is not difficult. Hosting companies all provide SSL services, and some offer free SSL; for example, Hawkhost offers Let’s Encrypt SSL for free.
Besides security, Google also gives pages that use SSL priority in its ranking. In other words, switching to SSL helps your website get more traffic thanks to higher rankings.
See more: Instructions to install SSL for WordPress
6. Add user with strong password
If you have a multi-author website, more people will have access to your admin page.
This makes your website very vulnerable if those users don’t pay attention to security, for example if their login credentials are very simple and easy to guess.
To prevent this, you should use the Force Strong Password plugin. Once installed, it checks the strength of every password.
7. Change admin username
Previously, the default WordPress username was admin, so the hacker’s only task was finding the password.
Luckily, WordPress now requires you to choose a username during installation. If your username is admin, change it the way I describe in this article.
In addition, you should configure iThemes Security to block the IP of anyone logging in with the username admin; such a login is certainly not well-intentioned.
In the Local Brute Force Protection configuration section, check the option “Automatically ban "admin" user”.
8. Monitor file changes
File change monitoring helps you know whether your site has been hacked, because once someone breaks into your website, they usually change files.
With file monitoring enabled, you receive an email notification whenever files change.
iThemes Security supports this feature, but it is not enabled by default. To enable it, simply click the ‘Enable’ button in the File Change Detection section.
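What such monitoring does under the hood is compare a hashed baseline of the site tree with a fresh scan. The following added example (not from the article or from iThemes Security) builds that baseline with SHA-256, reports added, removed and modified files, and singles out PHP files appearing under wp-content/uploads, which is exactly what section 14 below tries to prevent. The directory layout and file contents in demo() are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

SKIP_DIRS = {"cache", "upgrade"}   # directories that change constantly and only add noise

def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map every file under root (as a relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for name in filenames:
            p = Path(dirpath) / name
            result[p.relative_to(root).as_posix()] = sha256_file(p)
    return result

def diff_snapshots(old, new):
    """Classify changes between two snapshots and flag the highest-risk ones."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    # A new or modified .php file inside the uploads directory should never happen on its own.
    suspicious = [p for p in added + changed
                  if p.startswith("wp-content/uploads/") and p.endswith(".php")]
    return {"added": added, "removed": removed, "changed": changed, "suspicious": suspicious}

def demo():
    """Constructed mini WordPress tree: take a baseline, simulate tampering, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/uploads/2024").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';")
        baseline = snapshot(root)
        (root / "wp-config.php").write_text("<?php /* edited */ define('DB_NAME', 'wp');")
        (root / "wp-content/uploads/2024/dropped.php").write_text("<?php // unexpected file")
        (root / "index.php").unlink()
        return diff_snapshots(baseline, snapshot(root))
```

In real use you would store the baseline (for example as JSON) after every deliberate update and re-run snapshot() from cron, mailing the diff when it is non-empty.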
9. Change the prefix for the table name in the database
As you know, WordPress database table names start with wp_ by default. Using this default prefix leaves the database very vulnerable to SQL injection attacks.
So I recommend changing it. You can choose a different prefix when installing WordPress.
If WordPress is already installed, you can change it with the iThemes Security plugin. Remember to back up your data before making the change.
How to change it:
In the Advanced section of iThemes Security, open the configuration section called “Change Database Table Prefix” and follow the instructions.
10. Regular database backup
No matter how secure a website is, it is not an impregnable fortress. Even large government websites get damaged by hackers, let alone a small website.
Therefore, you should back up your WordPress website on a regular basis.
There are many solutions to choose from. If you have no budget, you can choose UpdraftPlus. It backs up automatically, and you can store the backups on a cloud service like Dropbox. Overall it meets basic backup needs.
If your budget is abundant, you can use services like BackupBuddy or VaultPress.
11. Create a strong password for the database
Just like the password for logging in to the admin screen, use a strong password for the database.
When you install WordPress, take advantage of the password generated for you; it is very strong.
If you still have a weak password, use the password generator tool to get a better one.
12. Update WordPress Regularly
Some people are in the habit of being lazy about updating WordPress, themes and plugins. This inadvertently leaves security holes for hackers to take advantage of.
Update WordPress, themes and plugins regularly; it helps your website run more stably and securely.
13. Turn off file editing
WordPress has an editor that lets you edit plugin and theme code directly. You can find it under Appearance -> Editor.
This feature makes it easy to edit code without using FTP access to the host.
But it also creates a security risk once a hacker gains access to the admin page, so you should turn it off. If there is anything to fix, use FTP or File Manager to access the host and fix it there. After all, once the website is up and running, you rarely edit the code.
To lock this editor, use iThemes Security: go to Security -> Settings -> WordPress Tweaks and make sure the Disable File Editor option is checked.
14. Prevent executing php files in upload folder
Block the execution of PHP files in the uploads folder, so that bad guys who manage to upload a dangerous script to this folder cannot run it.
To do this, go to Security -> Settings. Enable System Tweaks if it is not already enabled, then tick the option Disable PHP in Uploads. Remember to click Save Settings.
15. Protect the WordPress Admin (wp-admin) folder with a password
Normally, when someone accesses the wp-admin page (yourdomain.com/wp-admin), a screen asking for a username and password appears.
You can add an extra layer of authentication, so that the user must authenticate twice to access the admin page.
This makes the wp-admin screen harder to hack.
We use cPanel to do this.
First, log in to cPanel and scroll down to the Security section. Click on the icon “Password Protect Directories”.
A dialog box appears; choose web root.
On the next screen, select the wp-admin folder. You will then see the following screen.
First, tick the option “Password protect this directory”. Then create a user with access to that directory.
That’s it.
Now, when you open the wp-admin folder in your browser, you will see a dialog asking for authentication like the one below:
Error 404 or Too many redirects
If you get this error, open the .htaccess file in the root directory (e.g. public_html) and add the following line:
ErrorDocument 401 default
Ajax error on the front end
If, after setting the password as above, users always see a popup asking for authentication when visiting the homepage, you are probably hitting an Ajax error. To fix it, open the .htaccess file in the /wp-admin directory (not the .htaccess file in the root directory); if the file does not exist, create it. Then add the following code, which exempts admin-ajax.php from the directory password:
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
Note: If you have changed the login page path as I mentioned in section 3, it is not necessary to use this security method.
16. Disable XML-RPC Feature in WordPress
XML-RPC was turned off for a long time for security reasons, but as of WordPress 3.5 it is enabled by default.
Some more information about XML-RPC, if you don’t know it yet:
XML-RPC is a remote interface to WordPress that uses XML to exchange data back and forth. Usually you use it to post from clients such as Windows Live Writer, or from applications that use IFTTT.
But enabling XML-RPC means opening the door to brute force attacks on your website to steal passwords. Even worse is the HTTP flood attack (a type of DDoS attack), in which the attacker sends a large number of requests that paralyze the server.
So it’s best to turn off XML-RPC. Use either of the following:
a. Disable XML-RPC with .htaccess
Simply open the .htaccess file and add the following code:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
    order deny,allow
    deny from all
    # 123.123.123.123 stands for an address that should still be allowed (e.g. your own)
    allow from 123.123.123.123
</Files>
b. Turn off XML-RPC using iThemes Security
Go to Security -> Settings -> WordPress Tweaks and select Disable XML-RPC, as shown below.
Epilogue
Those are all the WordPress security methods that I know of.
As I said at the beginning, you should install iThemes Security. This plugin gives your WordPress website the most basic level of security.
If your finances allow, you can look at Sucuri Firewall for better website security.
If you know of any other good WordPress security practices, let me know in the comments section below.