I’ve seen many website owners nagging about the security of WordPress.
The opinion is that an open source script is vulnerable to all sorts of attacks. But that is mostly not true – sometimes it’s the other way around. Or, okay, let’s say that it’s partially true, but even then you shouldn’t blame WordPress.
Why? Because it’s usually your fault that your site got hacked. There are some responsibilities that you have to take care of as a website owner. So the key question is always, what are you doing to save your site from being hacked?
So basically, here are 5 tips to make sure your WordPress site is safe and secured!
Everyone knows the standard WordPress login page URL. The backend of the website is accessed from there, and that is the reason why people try to brute force their way in. Just add /wp-login.php or /wp-admin/ at the end of your domain name and there you go.
What I recommend is to customize the login page URL and even the page’s interaction. That’s the first thing I do when I start securing my website.
Here are some suggestions for securing your login page:
#1: Set up website lockdown and ban users
A lockdown feature for failed login attempts can solve a huge problem, i.e. no more continuous brute force attempts. Whenever there is a hacking attempt with repetitive wrong passwords, the site gets locked, and you get notified of this unauthorized activity.
I found out that the iThemes Security plugin is one of the best such plugins out there, and I’ve been using it for quite some time. The plugin has a lot to offer in this respect. You can specify a certain number of failed login attempts after which the plugin bans the attacker’s IP address.
#2: Use 2-factor authentication
Introducing the 2-factor authentication (2FA) at the login page is another good security measure. In this case, the user provides login details for two different components. The website owner decides what those two are. It can be a regular password followed by a secret question, a secret code, a set of characters, etc.
I prefer using a secret code while deploying 2FA on any of my websites. The Google Authenticator plugin helps me with that in just a few clicks.
#3: Use email as login
By default, you have to input your username to log in. Using an email ID instead of a username is a more secure approach. The reasons are quite obvious. Usernames are easy to predict, while email IDs are not. Also, any WordPress user account is always created with a unique email address, making it a valid identifier for logging in.
The WP Email Login plugin works out of the box for this purpose. It starts working right after the activation and it requires no configuration at all.
To test it, just log out of your website and then log back in, but this time use the email address that you created the account with.
#4: Rename your login URL
To change the login URL is an easy thing to do. By default, the WordPress login page can be accessed easily via wp-login.php or wp-admin added to the site’s main URL.
When hackers know the direct URL of your login page, they can try to brute force their way in. They try to log in with their GWDb (Guess Work Database, i.e. a database of guessed usernames and passwords; e.g. username: admin and password: p@ssword … with millions of such combinations).
So, at this point – if you’ve been following along – we have already restricted the user login attempts and swapped usernames for email IDs. Now we can replace the login URL and get rid of 99% of direct brute force attacks.
This little trick restricts an unauthorized entity from accessing the login page. Only someone with the exact URL can do it. Again, the iThemes Security plugin can help you change your login URLs. Like so:
Change wp-login.php to something unique;
Change /wp-admin/ to something unique; e.g. unique_login
So basically, here you can get as much creative as you wish.
#5: Protect the wp-admin directory
The wp-admin directory is the heart of any WordPress website. Therefore, if this part of your site gets breached then the entire site can get damaged.
One possible way to prevent this is to password-protect the wp-admin directory. With such security measure, the website owner may access the dashboard by submitting two passwords. One protects the login page, and the other the WordPress admin area. If the website users are required to get access to some particular parts of the wp-admin, you may unblock those parts while locking the rest.
You can use the AskApache Password Protect plugin for securing the admin area. It automatically generates a .htpasswd file, encrypts the password and configures the correct security-enhanced file permissions.
So those were the five cool tips that I can lend you to secure your WordPress website.
As usual, don’t hesitate to leave any questions or comments below, and I’ll try to respond to each of them.
Thanks for the read. See you in the next tutorial.