You never think it will happen to you. Until it does. Perhaps you haven’t been there yet, or you have had your site — or sites — hacked in one way or another. Perhaps you’ve faced a seriously damaging attack or you’ve simply found that your old blog posts now contain several links to sites selling Viagra.
In the latter case, I speak from experience…
And I know what you’re thinking: this sounds like a hassle. Actually, it’s not. Improving the security of a WordPress site doesn’t have to be arduous or take a lot of time, and you don’t have to hire a PHP developer to do it (or even a WordPress one). By performing a few actions and adopting a mindful attitude, you’re all set.
So take the appropriate steps to secure your site before it unwittingly becomes a promoter of male fertility. Unless that’s what you’re about, of course.
Here’s what you should do.
Don’t Use Admin as Your Default User Name
Being the most common username for WordPress administrators, “admin” is a no-go. It’s basically leaving the door open to attackers. Instead, pick a username that contains a mix of:
● Capital letters
● Numbers
● Symbols
The holy trinity of hard-to-crack logins.
You should also create a new user with admin privileges and assign all the blog posts and pages to it. Once you’ve done that, you can delete the old admin user from your WordPress site.
Pick a Strong Password
“Well, duh.” Yes, I know — it’s somewhat self-evident. Yet very few people actually do it. Many people simply reuse the same password over and over again, from platform to platform. Don’t be that guy. Instead, remember the holy trinity above.
Top it all off: make it long, 25 characters or more, and change it often.
Use 2-Factor Authentication
Two-factor authentication requires a second proof of identity in addition to your password, typically a one-time code from an app on your phone, so a stolen password alone is not enough to log in. The best and easiest way to add it is with a plugin. I’d recommend either Rublon or Google Authenticator.
Don’t Use Login Hints
If you type the wrong password or username on your WordPress login form, the error message tells you which of the two was wrong, which lets anyone probing your login page confirm valid usernames. You can replace that message with some simple PHP.
Open your theme’s functions.php and add this short snippet:
// Replace WordPress’s specific login error with one generic message.
function no_wordpress_errors() {
    return 'YOUR TEXT HERE';
}
add_filter( 'login_errors', 'no_wordpress_errors' );
You can change the “YOUR TEXT HERE” section to whatever you like. (“Ah, ah, ah! You didn’t say the magic word” if you’re a Jurassic Park fan…)
Only Use Legit Plugins
Don’t download any random plugin you find on the web. Ideally, install plugins from the WordPress.org directory. If you get one from elsewhere, always check:
● Any reviews or comments
● If there’s any support involved
And before you install any plugin, a word of caution: take a full database and website backup first. Just in case.
Update WordPress and Plugins
Keeping your website up to date ensures you have all the latest security patches. From WordPress 3.7 onwards, minor and security releases of WordPress core are applied automatically, but you’ll still have to update plugins and themes manually.
Disable Trackbacks
A trackback notifies you when your content receives an incoming backlink. While this seems harmless, trackbacks can be abused to perform Distributed Denial-of-Service (DDoS) attacks.
You disable trackbacks by going to Settings → Discussion and then unchecking “Allow link notifications from other blogs (pingbacks and trackbacks).”
Set Your Folder Permissions Carefully
File and folder permissions dictate who can read, write, and execute (or enter) a given file or folder. They are expressed as a three-digit value on each file or folder: one digit each for the owner, the group, and everyone else.
Set them up with the following values:
● Folders: 755
● Files: 644
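As an added example that is not part of the original post, here is a small Python script that audits a WordPress tree against the 755/644 rule above and can optionally repair what it finds; the sample tree it builds is constructed for the demo and is not a real install.

```python
import os
import stat
import tempfile
from pathlib import Path

DIR_MODE = 0o755   # folders: owner rwx, group and others r-x
FILE_MODE = 0o644  # files: owner rw, group and others r


def audit_permissions(root, fix=False):
    """Return [(path, actual_mode, expected_mode)] for every folder that is not
    755 and every file that is not 644 under root (root itself included).
    With fix=True each offending entry is chmod'ed to the expected mode."""
    root = Path(root)
    entries = [(root, DIR_MODE)]
    for dirpath, dirnames, filenames in os.walk(root):
        entries += [(Path(dirpath) / d, DIR_MODE) for d in dirnames]
        entries += [(Path(dirpath) / f, FILE_MODE) for f in filenames]
    findings = []
    for path, expected in entries:
        if path.is_symlink():          # never follow links out of the web root
            continue
        actual = stat.S_IMODE(path.lstat().st_mode)
        if actual != expected:
            findings.append((str(path), actual, expected))
            if fix:
                path.chmod(expected)
    return findings


def build_demo_tree():
    """Constructed sample tree with two deliberate mistakes: wp-content left
    world-writable (777) and wp-config.php at 666."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    root.chmod(0o755)
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-content").chmod(0o777)
    (root / "wp-content" / "uploads").chmod(0o755)
    for name, mode in (("index.php", 0o644), ("wp-config.php", 0o666)):
        (root / name).write_text("<?php\n")
        (root / name).chmod(mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for path, actual, expected in audit_permissions(demo):
        print(f"{path}: {actual:o} (expected {expected:o})")
    audit_permissions(demo, fix=True)   # second pass repairs the two entries
    print("remaining:", audit_permissions(demo))
```

Run it against your real document root with fix=False first and read the report before letting it change anything.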
Prevent Directory Browsing
If your web server doesn’t find an index.php or index.html file in a directory, it will instead show a listing of that directory’s contents. In essence, it reveals information about your themes, plugins, and so on.
To disable directory browsing, edit the .htaccess file in your site’s root directory. You need an FTP client for this: download the file, open it in a text editor such as Notepad, and after the WordPress-generated code add this line at the bottom:
Options -Indexes
Then save it and re-upload it over FTP.
Set Up a Lockdown
After multiple failed login attempts, a lockdown locks the offending user out and prevents them from trying again. This effectively stops brute-force attacks, and you’ll also be notified of the unauthorized activity on your site.
I’d recommend using iThemes Security for this.
Rename Your Login URL
By default, the login page is reached by adding wp-admin (or wp-login.php) to your site’s main URL. iThemes Security can again help you change this.
Use SSL
Secure Sockets Layer, or SSL, is more and more common these days, but it still deserves a mention: it encrypts the traffic between your visitors and your server, including the login form. You can purchase an SSL certificate from a vendor such as SafeCyberSSL or from your host.
Add Additional Accounts Carefully
Be careful who you add to your site. Even if you only add people you trust, every extra account is another set of credentials that can be lost or guessed, which makes the website more vulnerable to attacks. So in addition to being careful, also make sure you remove inactive users.
Back Up Your Site at Regular Intervals
It doesn’t matter if you have the most secure website in the world: still back it up at regular intervals. Try to make a routine of keeping an off-site backup at the end of each day.
Protect wp-config.php
wp-config.php holds vital information about your WordPress installation, including your database credentials and secret keys. One way to protect it is to move it out of the web root: by default it sits in the root folder of your website, and WordPress also looks for it one level above that.
Another step is to generate new secret keys regularly. The WordPress.org secret-key generator will give you a fresh set.
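As an added example that is not part of the original post, the following Python script rotates the eight secret keys and salts in a wp-config.php, using the key names WordPress itself defines; the config fragment it works on is constructed for the demo, and the character set is an assumption chosen to stay safe inside a single-quoted PHP string.

```python
import re
import secrets
import string

# The eight secrets WordPress reads from wp-config.php (WordPress's own names).
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Assumed alphabet: letters, digits and punctuation, minus the two characters
# that would terminate or escape a single-quoted PHP string.
ALPHABET = string.ascii_letters + string.digits + "".join(
    c for c in string.punctuation if c not in "'\\")

# Groups: 1 = everything before the value, 2 = key name, 3 = old value, 4 = rest.
KEY_LINE = re.compile(
    r"^([ \t]*define\(\s*'(" + "|".join(KEY_NAMES) + r")'\s*,\s*')([^']*)('\s*\)\s*;.*)$",
    re.MULTILINE)


def generate_key(length=64):
    """One key from the OS CSPRNG; 64 characters matches what the generator emits."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def parse_keys(config_text):
    """Map each key name to the value currently defined in the config text."""
    return {m.group(2): m.group(3) for m in KEY_LINE.finditer(config_text)}


def rotate_keys(config_text):
    """Return config_text with every define() line for the eight keys given a
    fresh value; all other lines stay byte-for-byte intact. Raises if any key
    is missing so a half-rotated file is never written. Rotating the keys
    invalidates every existing login cookie, so all users are logged out."""
    seen = set()

    def replace(m):
        seen.add(m.group(2))
        return m.group(1) + generate_key() + m.group(4)

    new_text = KEY_LINE.sub(replace, config_text)
    missing = set(KEY_NAMES) - seen
    if missing:
        raise ValueError("wp-config.php is missing: " + ", ".join(sorted(missing)))
    return new_text


# Constructed wp-config.php fragment, with the placeholders WordPress ships.
SAMPLE_CONFIG = "define( 'DB_NAME', 'wp' );\n" + "".join(
    f"define( '{name}', 'put your unique phrase here' );\n" for name in KEY_NAMES
) + "$table_prefix = 'wp_';\n"

if __name__ == "__main__":
    print(rotate_keys(SAMPLE_CONFIG))
```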