On the web, the highest number of websites are running on WordPress platform. It means WordPress is ruling over the web. It grabs the attention of malicious elements on the web. Therefore, Google bans nearly 20K websites for malware and 50K websites for phishing each year.
In such dismal scenario, website security becomes vital. Incidents of attacks recorded are the highest on WordPress platform due to higher numbers of websites running with WordPress code. Therefore, today I would like to highlight few actionable steps that would help you secure your WordPress website.
Securing the Entry of Users of Your WordPress Website
In real life, when we want to secure a premise like home, office, or factory, we first look at the access points where mischievous or malicious elements can try to get an entry. The same strategy needs to apply for securing your WordPress website.
Now, let’s evaluate the possible entry points via hackers or bad intended users can get access to your backend or the source code. By default, WordPress backend access URL ends up with:
/wp-login.php or /wp-admin/
Therefore, you need to take appropriate steps to block the entry of unwanted users to your WordPress backend page.
Change Login URL
If you are a WordPress developer, you already know how to change the default URL of the backend of the site, but for power users or DIY type of users, an advanced security plugin or extension can empower you to do so. Thus, you can change
- /wp-login.php to /Your-Domain-Name-login.php
- /wp-admin/or /Your-Domain-Name-admin/
- /wp-login.php?action=register or /Your-Domain-Name-registration
Thus, this sort of customized URL can help you to protect from the brute force attacks greatly.
By default, most of the WordPress developers set ‘Admin/admin’ keyword as username. It makes the job of hackers and unwanted users easy to access your WordPress site backend and they have to employ their Guess Work Database (GWDb) only to guess the password.
If you change your default username to something that is unpredictable like your email address, you can reduce the threat of attackers and their software.
Just like username, the password is always under threat. There are many ways to protect the password guessing activities. For instance, using a highly complex password with a combination of lowercase, uppercase, number, and symbols.
However, recent trends of two-factor authentication is an excellent and solid way to secure the access to your backend for all level of users. Mobiles/smartphones are handy devices to access OTP (One-Time Password) to authenticate 2FA system.
Setup Lockdown and Ban
To prevent brute force attempts and implement lockdown or ban of that IP addresses, there are many plugins and software available to recognize repeated attempts of logins or registration. Plugins let you set a number of failed attempts and provide other features to prevent your website backend from unauthorized access.
Securing Admin Dashboard of Your WordPress Website
For WordPress backend users, the dashboard is the most engaging and highly used part of the backend. It provides all tools and options to manage entire website right from default usage to customization. If anyone hacks the dashboard successfully, it will prove the biggest victory for hackers and the most damaging for the website owners.
Therefore, we should take special measures for WordPress admin dashboard. The following are possible measures we can take into account henceforth.
Take Care of ‘wp-admin’ Directory
Everything is laid into a wp-admin directory that allows you to manage the entire websites including resources, and files. Therefore, preventing unauthorized access to the directory means eliminating the most of worsts upfront.
There are some plugins developed by WordPress community to make directory password protected. Thus, WordPress admin users have to use two different passwords to access the dashboard. One for login page while another for the dashboard. Such plugins automatically generate [.htpasswd] file then encrypt the password, and configure the file permissions.
Add Admin Users with Enough Care
Apart from the super admin who has all privileges of the backend, other users also have access to the backend with different levels of access to backend features and functions. The role-based access to the backend is possible, and you can grant them different usernames as well as passwords that you think the most secure.
Monitor Important Files in Admin Directory
You can use some plugins to monitor suspicious activities for all admin users to take real-time measure whenever security threats are detected.
If you have implemented Security Socket Certificate (SSL) that uses the latest encryption technology to protect your stored and exchanged data, you can prevent anything happening wrong in between and secure the entire WP admin areas as well as the website.
Securing Database of Your WordPress Site
WordPress platform highly relies on the database because all website assets are stored in databases in mostly tabular formats in SQL types of databases, be it texts, images, layout code, multimedia content, and anything in a WordPress site has a place in the database.
To protect databases from the SQL Injections and other cyber-attacks, you can protect your database with following measures.
Set Password for Database
You can set a strong password for your database and restrict access to database up to super admin role so tampering with database or possibilities of mistakes can be minimized.
Change WP Prefix
If you are going to installing WordPress website, you may encounter a setting for a database table, and it is WP table prefix. By default it is wp- and you have to change it to prevent SQL Injections like database attacks. You can change it from wp- to Your-Domain-Name like a customized prefix.
Take Regular Backup of Database
You may have the regular backup of the entire website or not, but arranging database backup can save you from data loss taking place due to various known and unknown reason. Today we have backup plugins with special privileges to take database backup with different frequency.
Securing Hosting of Your WordPress Site
Today hosting a website is critical to its success because search engines require an ideal SEO-friendly hosting to meet its ranking requirements. Similarly, website users including backend users and frontend users, performance optimization, conversion optimization, and user experiences greatly depend on hosting environment and quality of hosting as a whole.
Today we have several hosting options other than default WordPress community hosting services like shared hosting, VPS hosting, dedicated hosting and most importantly cloud-based hosting services such as Kinsta for different scale and size of websites.
Secure wp-config.php File
WordPress wp-config.php file access is a critical achievement for hackers to accomplish their bad intentions easily because it contains highly critical information regarding your entire WordPress installation.
The best way is to move the file to a higher level than the root directory. You can do that easily because WordPress can see it even if it is located outside the root directory of WordPress. Thus, the server can easily find it at a higher level.
Ban File Edit
In a hosting server, your website source has several files with critical information and permissions to run your site smoothly. If hackers or malicious elements crack the server and access those files, they can do different intensities of harms.
If you disallow file editing for anyone except the super admin, you can save from those losses easily. You can do that by simply adding a code line at the end of the wp-config file.
Be Careful While Setting Directory Permissions
Directories, sub-directories, and files on your hosting server are important WordPress security aspects. If you set permissions wrong for these components of your website. You might increase chances of attacks once the server compromise anyhow.
Therefore, you must set 755 permission for directories/sub-directories and 644 permission for files. By using File Manager tools available in hosting/c-Panel, you can set or change the permissions easily. For more information about file permissions – Understanding File Permissions and Using Them to Secure Your Site.
Correct Server Connection
Traditionally, we use FTP protocol for server connection. But SFTP or SSH is more secure and reliable way today to make server connection.
Securing Themes & Plugins of Your WordPress Site
Most of the WordPress themes and plugins are developed by third-party developers. Those are not completely reliable from a security point of view. Therefore, you must take some measures to render them securely. For instance:
Take Regular Updates
Just like your WordPress website, plugin and theme developers/companies also issue updates to keep pace with WordPress versions and fix bugs and issues they come to know by the feedback of users. So, try to install their updates regularly through dashboard using an appropriate plugin.
Hide WordPress Version Info
For attackers, knowing your WordPress version info like number can help to develop a tailor-made attack, and version info is easily available in WordPress source. If you can remove those version info DIY, or with the help of your dedicated WordPress developer, you can make the life of attackers a bit tough.
I have written the above post keeping in mind beginners and mid-level WordPress developers as well as dedicated WordPress plugin developer. Therefore, implementation of the described tips to secure your WordPress site would prove tough without taking help of appropriate and the latest WordPress security plugins. I recommend following plugins to install for your site and make it more secure than ever :
- All In One WP Security & Firewall
- Brute Force Login Protection
- Bulletproof Security
- Google Authenticator
- iThemes Security, formerly Better WP Security
- Sucuri Security WordPress plugin
- WP Antivirus Site Protection
If you still have confusion and wish to have the help of expert hands. Perception System provides WordPress development services as well as facilities to hire WordPress developer to help needy clients to make their site completely safe and secure.
Tarang Vyas, CTO at Perception System, a leading WordPress Development Company, founded in 2001.