Security? Yes! All this fuss about WordPress website security. Having a WordPress site is great, blogging at it makes you feel like you own an Empire. But somehow, it never remains safe when intruders get in. When they try to dethrone you. No matter what happens, you got to do what is necessary for your rule. This is a funny way to put our common life words in analogy with WordPress.
Securing your WordPress blog from the bad guys is the goal of every blogger these days. That is an issue with ultimate importance as well. But, most of the bloggers do it wrong way. They are not quite sure about choosing the best WordPress template or a plugin, where they end up with messed up blogging career with screwed up blog.
Certainly, leaving these issues behind is not an option for us anymore. So, getting to point, in this WordPress tutorial you will be learning a lot about WordPress security, how to DO IT YOURSELF and harden it to the core. Let’s kick in Yay? Nay?
Step#1 – LOG IN HACKS
Step #1 is all about how to save your blog from being hacked, by notorious login hacks.
Admin username is your doomsday
One should never have Admin or admin as the username of Administrator account. Change it while you install the WordPress. If you don’t change your username from Admin to anything else while installing, then there is a little trick that will do just good. Make a new user with different username and set its role as Administrator, then log out. Log in with the new user, you just created, go to Users >> All Users and delete the user Admin.
Some Plugins that help
In case of login hacks there are several plugins that help a lot.
With a lot of other stuff this plugin takes care of removing login notice.
This plugin locks down the login screen if specific number of wrong login attempts are made by some hacker (defined in admin panel).
With Google Authenticator Plugin you can devise two way authentication. The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry.
More conscious about Security?
This plugin can be used to add .htpasswd file in wp-admin directory, so that whenever you want to access the login page you will be asked for an extra user and password. You can do this all by manual placement of .htpasswd file, through the “cPanel >>Password Protection on a Directory” option (only if you are using Linux on your hosting account and have cPanel on it).
This plugin sets up a password for you to use once. After that the password is deleted from the database and no one can use it to log in to your admin panel.
Still need more hack proof login pages?
- Simple Advice: Make use of a strong password e.g. v1!r2u3$4 this is virus with 1234
- Create a file name it as .htaccess place is under /wp-admin/ directory of your WordPress and in it deny access from all other IPs except yours (it can get you into issues if you have Dynamic IP Changing)
1 2 3 4 5 6 7 8 9 10
AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Only Admins to Access" AuthType Basic <LIMIT GET> orderdeny,allow deny from all # whitelistYour IP address allow from xxxx.xxxx.xxxx.xxxx </LIMIT>
Step#2: The wp-config paradox
This little file named as wp-config.php has utmost importance in WordPress. It is present right in the root of where you install your WordPress.
You can move it to one step behind in your web host where no one can ever have access to it. By that I mean moving it to one level above from public_html or httdocs folder (Don’t worry if you don’t do this, your WordPress will still be fine). You should have latest version of WordPress installed before you try to move your wp-config.php file.
Changing Default Security Keys
So, I assume you have your wp-config.php file right in-front of you. It is present in the root of WordPress installation, open it and change the salt keys. You will see the text just like one below. All you have to do is open this LINK and copy what you find there, after that replace the below text in wp-config.php with the copied one.
1 2 3 4
define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here');
Step#3: Final Checks with few more Plugins
Let me tell you there is nothing final. You just need to stay up to date. Always keep checking for new threats, whereas keep your WordPress with its themes and plugins updated.
More stuff? Still thirsty? Hardening your WordPress core seems fun eh?
Always keep your database prefix different from “wp_” you can use this handy plugin to do that
Hide your Directories
Open your .htaccess file in the WordPress root and at the top of it put this
It will keep your directory structure hidden from the others, in case you have no index.html present in them
Never satisfied with this much?
If so here are some more WordPress plugins that will make your work easier and rock solid.
This plugin searches the files and database of your WordPress install for signs that may indicate that it has fallen victim to malicious hackers.
This plugin checks all the files of your themes to make sure they are not affected with any kind of malicious code or virus.
WP Security Scan (Recommended)
This is the plugin that I recommend to a lot of WordPress Users.
WP Security Scan checks your WordPress blog for most of the vulnerabilities that it can hold in worst cases
- File permissions
- Database security
- Version hiding
- WordPress admin protection/security
- Removes WP Generator META tag from core code
Nah! That isn’t all but that is good enough to make your WordPress security rock solid. In my next article over Template Monster I will discuss about Templates of WordPress. Stay tuned for more exciting stuff.