Security is one of the most important aspects of running a website. Thousands of websites get hacked every day. The chances of your site being the next victim of a hack are fairly high. If your site gets hacked, you will not only lose all your content but also the countless hours of work you have invested into designing and building your site.
While the core WordPress platform is very secure, there is always room for improvement. After all, prevention is better than cure. This article will guide you through 11 basic steps you can take to improve the security of your WordPress site.
1. Prevent Brute Force Attacks
WordPress, by default, allows you to try logging in as many times as you want even if you repeatedly enter the wrong login information. As you can imagine, this leaves your site vulnerable to password guessing.
While it may be nearly impossible for a human to guess your correct username and password, it’s not that difficult for a computer. This is called a brute force attack. In this type of attack, a computer continuously tries different combinations of random usernames and passwords again and again until it is able to find one that works.
If your WordPress site allows unlimited login attempts, chances are that one day the brute force attack might succeed. To get around this potential vulnerability, you need to lock the account after a fixed number of failed attempts.
The best and probably the easiest way to do this is to use the free Login Lockdown plugin for WordPress. It is a simple plugin that blocks the IP Address of the user after a certain number of incorrect login attempts.
This renders brute force attacks useless, because even if you ban an IP for as little as ten minutes, the attacker only gets a very limited number of chances to try random username and password combinations. Even if the attacker keeps on trying, he will need to wait a very long time before being able to guess the correct login combination and break in.
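The lockout described above, written as a minimal must-use plugin (an added example, not the Login Lockdown plugin's own code). It counts failed logins per client IP in a transient and refuses authentication once the threshold is reached; the threshold and the ten-minute window are assumptions, and it assumes no reverse proxy sits in front of the site.

```php
<?php
/**
 * Added example (not the Login Lockdown plugin's code): lock out an IP
 * after too many failed logins. Drop into wp-content/mu-plugins/.
 */

const BF_MAX_ATTEMPTS    = 5;    // failed logins allowed per window (assumption)
const BF_LOCKOUT_SECONDS = 600;  // ten minute ban, as in the text

function bf_client_key() {
    // Assumption: no reverse proxy, so REMOTE_ADDR is the real client.
    // Behind a proxy, derive the key from the proxy's trusted header instead.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'bf_lock_' . md5( $ip );
}

// Count every failure; wp_login_failed fires for each bad username/password.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = bf_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, BF_LOCKOUT_SECONDS );
} );

// Refuse authentication while the IP is locked. Priority 30 runs after
// WordPress' own username/password and email/password checks (priority 20),
// so a locked IP gets an error even when the credentials are right.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( bf_client_key() ) >= BF_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed logins from your address. Try again later.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( bf_client_key() );
} );
```

Because the error returned while locked also fires wp_login_failed, the window keeps extending while the attacker hammers the page.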
2. Rename Your Login URL
By default, WordPress allows you to login by going to the wp-admin or the wp-login.php URL on your site. Because WordPress is available to everyone, hackers know where the login page is located. This makes it vulnerable to brute force and other types of attacks. But, if a hacker doesn’t know where your login page is located, he won’t be able to attack it. The easiest way to hide your Login page is to rename the URL.
To do this, you can use the free Protect Your Admin plugin for WordPress.
This plugin allows you to rename your Login page URL to a custom string of your choice. For example, you can use this plugin to rename your login page URL to your-site.com/my-secret-login-page. Once you activate this plugin, it will redirect all requests to the wp-admin and wp-login.php URLs back to the homepage.
Use this plugin to rename your Login Page’s URL to something that is difficult to guess. After you implement this, the security of your login page will significantly increase.
3. Use Two Factor Authentication
Two factor authentication adds an additional layer of security to your login process. You might be familiar with this process. Google uses two factor authentication. When you try logging in to your Google Account from a new computer, Google will send a one-time PIN to your registered mobile number and then ask you to enter it in order to complete the login process.
You can implement the same authentication mechanism on your own website. One-time PINs sent to your mobile number are the best option, but if you are not interested in one-time passwords, you can use a secret question or a phrase as a second layer of added security.
If you want to use Google Authenticator to enable two factor authentication, you can use this free plugin from miniOrange.
It will allow the users to complete the two factor authentication process using the Google Authenticator app on their phone.
Otherwise, if you are looking for SMS-based one-time password authentication, you can try this other free plugin from miniOrange. It allows authentication with Email, SMS, and Mobile.
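What the server side of a Google Authenticator style second factor actually checks, as an added example (not code from either miniOrange plugin): the RFC 6238 TOTP computation with a small clock-skew window and a constant-time comparison. The secret and timestamp at the bottom are the RFC's published SHA-1 test vector, not real credentials.

```php
<?php
// Added example: RFC 6238 TOTP verification (not from the miniOrange plugins).

function totp_base32_decode( $b32 ) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach ( str_split( rtrim( strtoupper( $b32 ), '=' ) ) as $c ) {
        $bits .= str_pad( decbin( strpos( $alphabet, $c ) ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( strlen( $byte ) === 8 ) {
            $out .= chr( bindec( $byte ) );
        }
    }
    return $out;
}

function totp_code( $secret, $time_step, $digits = 6 ) {
    $msg  = pack( 'J', $time_step );                 // 64-bit big-endian counter
    $hmac = hash_hmac( 'sha1', $msg, $secret, true );
    $off  = ord( $hmac[19] ) & 0x0f;                 // dynamic truncation offset
    $bin  = ( ( ord( $hmac[ $off ] ) & 0x7f ) << 24 )
          | ( ord( $hmac[ $off + 1 ] ) << 16 )
          | ( ord( $hmac[ $off + 2 ] ) << 8 )
          |   ord( $hmac[ $off + 3 ] );
    return str_pad( (string) ( $bin % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// Accept the current 30 second window plus one on either side for clock skew,
// and compare in constant time so the check leaks no timing information.
function totp_verify( $b32_secret, $code, $now = null ) {
    $now  = $now ?? time();
    $step = intdiv( $now, 30 );
    $key  = totp_base32_decode( $b32_secret );
    for ( $i = -1; $i <= 1; $i++ ) {
        if ( hash_equals( totp_code( $key, $step + $i ), (string) $code ) ) {
            return true;
        }
    }
    return false;
}

// RFC 6238 SHA-1 test vector: secret is the ASCII string "12345678901234567890"
// (base32 below); at time 59 the 8-digit code is 94287082, i.e. 287082 with 6 digits.
var_dump( totp_verify( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', '287082', 59 ) );
```

A real deployment must also remember the last accepted time step per user so that an intercepted code cannot be replayed inside the skew window.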
4. Use Strong Password Security
Most people neglect the importance of using a strong password. When people hear about weak passwords, most think they look something like ‘123456789’ and ‘password123’.
While these passwords are easy for humans to guess, hacking programs can also guess moderately weak passwords with ease using brute force mechanisms such as dictionary attacks.
With that said, there are a lot of things you can do to make your passwords stronger.
The first thing to do is to avoid passwords that consist of just dictionary words, since these are vulnerable to dictionary attacks. It is recommended to use a random, non-repeating combination of uppercase and lowercase letters, numbers, and special characters in your password.
If you can’t think of a good password, try this free Password Generator tool or use the Random Password that WordPress generates. While it is important to use Strong Passwords, it is also important to regularly update your passwords.
Updating your password once a month is considered sufficient.
5. Only Allow Email Logins
Everyone would probably agree that guessing a username is far easier than guessing an email address. Email addresses are generally long and very hard to guess. Simply requiring your users to log in with their email address instead of their username will help you to improve your site’s security.
In order to guess an email address, the hacker needs to know the characters used in the local part, the domain name and the top level domain (.com, .net, etc.). With an email address, there are just too many parts to guess.
This is not to say that it’s impossible to guess an email address with a brute force attack. But having to guess an email makes it increasingly difficult and can potentially discourage the hacker from continuing the attack altogether.
To restrict your users from logging in with their username, you can use the free WP Email Login plugin.
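How the restriction can be enforced at the authentication filter, as an added example (not the WP Email Login plugin's code). The hook must run after WordPress' own checks, because core discards an earlier error once a non-empty username is present.

```php
<?php
/**
 * Added example (not the WP Email Login plugin's code): reject any login
 * whose identifier is not an email address. Drop into wp-content/mu-plugins/.
 */
add_filter( 'authenticate', function ( $user, $username, $password ) {
    // Priority 30 runs after WordPress' own password checks at priority 20.
    // An early WP_Error would be ignored by core when a username is present,
    // so the override has to come last and replace a successful WP_User.
    if ( '' === $username || is_email( $username ) ) {
        return $user;   // email form submitted: let core's result stand
    }
    // A plain username was submitted: refuse it with the same generic message
    // whether or not such a user exists, so nothing is revealed either way.
    return new WP_Error( 'email_only', 'Please sign in with your email address.' );
}, 30, 3 );

// Relabel the login form field so legitimate users know what to enter.
add_filter( 'gettext', function ( $translated, $text ) {
    return 'Username or Email Address' === $text ? 'Email Address' : $translated;
}, 10, 2 );
```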
6. Password Protect The Admin Directory
Adding an additional username and password to access the wp-admin directory will act as an additional security layer. This adds one more username / password combination for the hacker to break. Guessing two username / password combinations is twice as difficult for the hacker.
If you are using Apache Web Server, the easiest way to do this is with an .htpasswd file. Apache also allows you to password protect any other directory you want using the .htpasswd file.
To do this manually you need to be comfortable with the command line and with creating and modifying files. If you prefer, there is an easier way. You can use the free AskApache Password Protect plugin. It will help you password protect your wp-admin directory in no time.
7. Change Your WordPress Database Table Prefix
During the WordPress installation process, you have to choose a prefix for the tables of your WordPress database. The default prefix is ‘wp_’. If you use this prefix, you will be more vulnerable to a SQL Injection attack. While the WordPress core platform itself isn’t vulnerable to SQL Injection attacks, the themes and any additional plugins you install might not be as secure.
A SQL Injection attack allows the hacker to do almost anything to your database. It can insert, update, and delete data in your database. As you can imagine this can be catastrophic.
In order to be able to successfully pull this off, the hacker needs to know the names of your database tables. When you use the default prefix, the hacker is one step ahead as he already knows the names of your database tables. If you use a non-default prefix for your tables, it makes them that much harder to guess.
While this makes it more difficult for the hacker to guess the prefix, it will not secure your site 100% from SQL Injections as there are still other ways for the hackers to find the names of your database tables. This way at least, you will prevent the noobs (hacker speak for newbies) from getting “easy” access to your database.
If you have already installed WordPress with the default table prefix, you can use the free WP-DBManager plugin to change it to something else.
8. Disable Login Hints
WordPress, by default, gives you a hint every time you enter an incorrect username / password combination. It not only tells you if the username is non-existent but also if the username exists and the password is wrong. As you can imagine, this makes it vulnerable to brute force attacks.
A hacker might try to guess the username while keeping the same password for all combinations. This way, once the hacker finds a valid username, all he has to do is try to guess the password. When you disable login hints, there is practically no way for a hacker to find out if a username is valid or not.
You can either remove or change the login hints. If you want to change the login hints, there’s a simple solution:
function disable_login_hints() {
    // Replace every login error message with one fixed string, so the
    // response no longer reveals whether the username exists.
    return 'No Trespassers!';
}
add_filter( 'login_errors', 'disable_login_hints' );
You can change the “No Trespassers!” message with a message of your own.
9. Keep Your Plugins and WordPress Core Updated
When the WordPress community releases a new update, it not only adds new features, it also improves your website’s security. When the WordPress community finds a vulnerability in the WordPress code, they fix it as soon as possible and release a new security update.
If you don’t keep your site updated, chances are good it will sooner or later become vulnerable to hackers. The same is true for WordPress plugins. Plugin Authors release new minor and major updates as soon as they find vulnerabilities in their code.
The bottom line is: if you want to keep your site secure, keep your site updated.
10. Disable Directory Browsing
When someone enters the URL of a directory on your website, Apache looks for an index.php or index.html file. If it can’t find either of these files, it displays a list of all the files and folders in the directory.
This is not a bug in Apache. It’s a feature that gives you an index page without having to create one. In other words, let’s say you want people to be able to download hundreds of your research notes. One way to make it possible is to create a page and then manually link to every single one of those hundreds of files. With Apache, you don’t have to do that. Apache does it itself.
While directory browsing is a great feature that can help you save dozens of hours, it also allows hackers to not only view the names, but also download all the files in your directories that have directory browsing enabled.
The easiest way to disable directory browsing is to create an empty index.php file in the folder. This will result in a blank screen. This is what WordPress does by default. But, on a large scale, it becomes very time consuming to manually create blank index.php files.
There is one other easy way to disable directory browsing using your .htaccess file by adding the following code to it:
Options All -Indexes
Add this to your main .htaccess file and it will disable directory browsing for all the sub-directories.
11. Disallow File Editing
This is really important. WordPress allows admins to edit all the theme and plugin files. If any of your admin accounts get hacked, the hacker will be able to inject malicious code into your site’s code. The worst part is, there is almost no way to find out. Disallowing File Editing directly from WordPress acts as one more additional security measure.
To disallow file editing, you need to add the following line of code to your wp-config.php file:
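The standard WordPress constant that does this, shown here as an added fragment rather than quoted from the original article:

```php
<?php
// Added example: wp-config.php fragment (not quoted from the original article).
// Place it above the "That's all, stop editing!" comment so it is defined
// before wp-settings.php loads; it removes the theme and plugin editors
// from the dashboard for every user, administrators included.
define( 'DISALLOW_FILE_EDIT', true );
```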
This will disable editing files directly from the WordPress dashboard.
In the ever evolving realm of cyber security there is a tried and true, and very effective, security strategy called Layered Security or Layered Defense. The purpose of the layers is to secure as many entry ways into a website as possible. This article lists 11 different security layers that, when implemented, will make it significantly more difficult for someone with malicious intent to gain access to your site.
Think of this as an onion. The “onion layers” are the 11 security layers and the “onion center” is your WordPress site. The more layers you have to peel off, the longer and more difficult it takes to get to the center.
Keeping your WordPress site secure is extremely important. If your site ever gets hacked, you will not only lose all your hard work and content but also search engine rankings if Google tags your site as malicious.
If you want to stay on the safe side, try implementing all of these techniques. All of them are really easy and won’t take more than a minute each.
What tactics do you like to use on your own and your clients’ websites?
Have any of your sites ever been hacked?