Website Security is an important aspect you will have to take into account for every action that affects your site. Here we will focus on wordpress only, starting from the plugins you choose to install, the themes you’ll end up using and other aspects that don’t come to your mind as frequently as they should. Security is a serious thing and an ongoing process that you should always keep under your control.
1. Set up website lockdown and blocked users
A lockdown feature for failed login attempts can solve a huge problem, i.e. no more continuous brute force attempts. Whenever there is a hacking attempt with repetitive wrong passwords, the site gets locked, and you get notified of this unauthorized activity.
2. Use 2-factor authentication
Introducing the 2-factor authentication (2FA) at the login page is another good security measure. In this case, the user provides login details for two different components. The website owner decides what those two are. It can be a regular password followed by a secret question, a secret code, a set of characters, etc.
3. Use email as login
By default, you have to input your username to log in. Using an email ID instead of a username is a more secure approach. The reasons are quite obvious. Usernames are easy to predict, while email IDs are not. Also, any WordPress user account is always created with a unique email address, making it a valid identifier for logging in.
4. Rename your login URL
To change the login URL is an easy thing to do. By default, the WordPress login page can be accessed easily via wp-login.php or wp-admin added to the site’s main URL.
When hackers know the direct URL of your login page, they can try to brute force their way in. They try to log in with their GWDb (Guess Work Database, i.e. a database of guessed usernames and passwords; e.g. username: admin and password: p@ssword … with millions of such combinations).
5. Adjust your passwords
Play around with the website’s passwords and change them regularly. Improve their strength by adding uppercase and lowercase letters, numbers, and special characters.
For a hacker, the most engaging part of a website is the admin dashboard, which is indeed the most protected section of all. You can restrict or provide security to admin panel through SEO.
By using Robots.txt we can maintain the security of any site.
6. Protect the wp-admin directory
The wp-admin directory is the heart of any WordPress website. Therefore, if this part of your site gets breached then the entire site can get damaged.
One possible way to prevent this is to password-protect the wp-admin directory. With such security measure, the website owner may access the dashboard by submitting two passwords. One protects the login page, and the other the WordPress admin area. If the website users are required to get access to some particular parts of the wp-admin, you may unblock those parts while locking the rest.
7. Use SSL to encrypt data
Implementing an SSL (Secure Socket Layer) certificate is one smart move to secure the admin panel. SSL ensures secure data transfer between user browsers and the server, making it difficult for hackers to breach the connection or spoof your info.
8. Change the admin username
During WordPress installation, you should never choose “admin” as the username for your main administrator account. Such an easy-to-guess username is approachable for hackers. All they need to know is the password, and your entire site gets into the wrong hands.
9. Back up your site regularly
No matter how secure your website is, there is always room for improvements. But at the end of the day, keeping an off-site backup somewhere is perhaps the best antidote no matter what happens.
If you have a backup, you can always restore your WordPress website to a working state any time you want.
10. Set strong passwords for your database
A strong password for the main database user is a must – the one WordPress uses to access the database. As always, use uppercase, lowercase, numbers, and special characters for the password.
Almost all hosting companies claim to provide an optimized environment for WordPress, but we can still go a step further.
11. Protect the wp-config.php file
The wp-config.php file holds crucial information about your WordPress installation, and it’s in fact the most important file in your site’s root directory. Protecting it means protecting the core of your WordPress blog.
It gets difficult for hackers to breach the security of your site if the wp-config.php file becomes inaccessible to them.
The good news is that making this happen is really easy. Just take your wp-config.php file and move it to a higher level than your root directory.
Now the question is, if you store it elsewhere, how does the server access it? In the current WordPress architecture, the configuration file settings are set the highest on the priority list. So, even if it is stored one fold above the root directory, WordPress can still see it.
12. Set directory permissions carefully
Wrong directory permissions can be fatal, especially if you’re working in a shared hosting environment.
In such a case, changing files and directory permissions is a good move to secure the website at the hosting level. Setting the directory permissions to “755” and files to “644” protects the whole filesystem – directories, subdirectories, and individual files.
This can be done either manually via the File Manager inside your hosting control panel, or through the terminal (connected with SSH) – use the “chmod” command.
13. Disable directory listing with .htaccess
If you create a new directory as part of your website and do not put an index.html file in it, you may be surprised to find that your visitors can get a full directory listing of everything that’s in that directory.
Themes and plugins are essential ingredients of any WordPress website. Unfortunately, they can also pose serious security threats. Let’s find out how we can secure WordPress themes and plugins the right way:
14. Update regularly
Every good software product is supported by its developers and gets updated now and then, but WordPress is updated very frequently. These updates are meant to fix bugs and sometimes have vital security patches.
Not updating your themes and plugins can mean serious trouble. Many hackers rely on the mere fact that people can’t be bothered to update their plugins and themes. More often than not, those hackers exploit bugs that have already been fixed.
So, if you’re using WordPress products then update them regularly. Plugins, themes, everything.
15. Remove your WordPress version number
Your current WordPress version number can be found very easily. It’s basically sitting right there in your site’s source view.
Here’s the thing, if the hackers know which version of WordPress you use, it’s easier for them to tailor-build the perfect attack.