23 simple ways to secure WordPress so you can make money with peace of mind

I have heard many website owners complain about WordPress security. The thought is that an open source script is vulnerable to all kinds of attacks. Is that a fact? And if so, how do you secure your WordPress site?

Fortunately, the lack of built-in WordPress security is a myth. In fact, it is sometimes the other way around: WordPress sites are much safer than their online siblings.

Today, I intend to discuss many simple tips that can help you further secure your WordPress site.

After implementing these tactics and monitoring your WordPress security checks continuously, your WordPress site will stay secure for good.

Part 1: Protect the login page against brute force

Everyone knows the standard WordPress login page URL. The back end of the site is accessed from there, and that's why people try to brute-force their way in. Just add /wp-login.php or /wp-admin/ to the end of your domain name and you are there.

What I recommend is to customize the login page URL and even the way the login page behaves. That was the first thing I did when I started securing my website.

Why? Because it is often the user's own mistake that gets their site hacked. There are several responsibilities that you must take care of as a website owner. So the important question is, friend: what are you doing to save your site from being hacked? Securing the login page and preventing brute-force attacks is one of the best things you can do.

Here are some suggestions for securing your WordPress site's login page:

# 1. Set up login lockouts and ban users

A lockout feature for failed login attempts can solve the big problem of persistent brute force attempts. Whenever someone tries to log in with the wrong password over and over, the site locks them out and you are notified of this unauthorized activity.

I found that the iThemes Security plugin is one of the best, and I've been using it for quite a while. The plugin has a lot to offer in this regard. Along with over 30 other excellent WordPress security measures, you can specify the number of failed login attempts allowed before the plugin bans the attacker's IP address.

#2. Use two-factor authentication to secure WordPress

Introducing a two-factor authentication (2FA) module on the login page is another good security measure. In this case, the user must provide two different factors to log in. The website owner decides what those two are. It can be a regular password followed by a secret question, a secret code, a character set or, more commonly, the Google Authenticator app, which sends a secret code to your phone. This way, only people who have your phone (you) can log in to your site.

I like to use a secret code when deploying 2FA on any of my websites. The Google Authenticator plugin helps me with that in just a few clicks.

# 3. Use your email to log in

By default, you must enter your username to log in to WordPress. Using an email ID instead of a username is a safer approach. The reasons are pretty clear. Usernames are easy to predict, while email IDs are not. In addition, every WordPress user account is created with a unique email address, making it a valid identifier for login.

Some WordPress security plugins allow you to set up login pages so all users must use their email address to log in.

# 4. Rename the login URL

Changing the login URL is an easy thing to do. By default, the WordPress login page is easily accessible by adding wp-login.php or wp-admin to the site's main URL.

When hackers know the direct URL of your login page, they can try to brute force their way in. They try to log in with their GWDb (Guess Work Database, i.e. a database of guessed usernames and passwords, e.g. username: admin and a common password, with millions of such combinations).

So far, we have restricted login attempts and swapped usernames for email IDs. Now we can change the login URL and eliminate 99% of direct brute force attacks.

This little trick stops an unauthorized entity from reaching the login page. Only someone with the correct URL can get there. Again, the iThemes Security plugin can help you change your login URL. Like this:

  • Change wp-login.php into something unique; for example my_new_login
  • Change /wp-admin/ into something unique; for example my_new_admin
  • Change /wp-login.php?action=register into something unique; for example my_new_registration

# 5. Change your password

Play around with your passwords and change them regularly to secure your WordPress site. Improve their strength by adding uppercase and lowercase letters, numbers and special characters. Many people choose long passphrases because these are almost impossible for hackers to guess, yet easier to remember than a series of random numbers and letters.

And, okay, we all know that these things are what we should do, but we don't always have time. This is where some quality password managers come into play. They will not only create secure passwords for you but then store them in a secure vault, which will save you the hassle of having to remember them.

# 6. Automatically log out users who have been idle for a long time

Users leaving the site's wp-admin panel open on their screens can pose a serious security threat to WordPress. Any passerby can change the information on your site, change your user account or even completely break your site. You can avoid this by making sure your site logs people out after they have been idle for a certain period of time.

You can set this up using a plugin like BulletProof Security. This plugin allows you to set custom time limits for idle users, after which they will be automatically logged out.

Part 2: Secure your WordPress site through the admin panel

For a hacker, the most intriguing part of the site is the admin panel, which is also the most protected part. Therefore, attacking the strongest part is the real challenge. If successful, it gives the hacker a moral victory and the access to cause a lot of damage.

Here's what you can do to secure your WordPress admin dashboard:

# 7. Protect the wp-admin directory

The wp-admin directory is the heart of any WordPress website. Therefore, if this part of your site is breached, the entire site could be compromised.

One possible way to prevent this is to password protect the wp-admin directory. With this WordPress security measure, the website owner accesses the dashboard by submitting two passwords. One protects the login page and the other protects the WordPress admin area.

Setting this up usually involves adjusting settings in cPanel. However, this is not too difficult to do if you follow the steps correctly.

#8. Use SSL to encrypt data

Deploying an SSL (Secure Sockets Layer) certificate is a smart move to secure the admin panel. SSL ensures that data is transmitted securely between the user's browser and the server, making it difficult for hackers to intercept your connection or tamper with your information.

Getting an SSL certificate for your WordPress site is very simple. You can buy one from a third party company or check if your hosting company offers it for free.

SSL certificates also affect your site's Google rankings. Google tends to rank websites with SSL higher than sites without it. That means more traffic. Now who doesn't want that?

# 9. Add user accounts carefully

If you run a WordPress blog, or rather a blog with many authors, then you have to deal with many people who access your admin panel. This can make your site more vulnerable to WordPress security threats.

# 10. Change the default "admin" username

During your WordPress installation, you should never choose "admin" as the username for your primary admin account. Such an easy-to-guess username is the first thing hackers try. All they need to find out is the password, and then your entire website falls into the wrong hands.

I can't tell you how many times I've scrolled through my website logs and found login attempts with the username "admin".

The iThemes Security plugin can prevent such attempts by immediately banning any IP address that tries to log in with that username.
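Reading the server logs for exactly this pattern, as an added example that is not part of the original post: the awk filter below counts failed POST requests to wp-login.php per client IP over a few constructed Apache-style access log lines and flags any source at or above a threshold. It assumes that a failed WordPress login re-renders the form with status 200 while a successful one redirects with 302.

```shell
#!/bin/sh
# Added example, not from the original post. Counts failed login POSTs per
# client IP in Apache common log format and flags noisy sources.
# The log lines below are constructed for illustration (RFC 5737 addresses).

SAMPLE_LOG='203.0.113.5 - - [10/May/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.5 - - [10/May/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.5 - - [10/May/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.5 - - [10/May/2020:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.5 - - [10/May/2020:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.5 - - [10/May/2020:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
203.0.113.5 - - [10/May/2020:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/May/2020:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4321
198.51.100.7 - - [10/May/2020:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
198.51.100.7 - - [10/May/2020:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [10/May/2020:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 12000'

# Reads log lines on stdin and prints "count ip" for every client that sent
# at least $1 (default 5) failed login POSTs. Assumption: a failed WordPress
# login answers 200 (form shown again), a successful one answers 302.
flag_login_bruteforce() {
    limit="${1:-5}"
    awk -v limit="$limit" '
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
    '
}

# Runs the filter over the constructed sample so the block works stand-alone.
flag_in_sample() {
    printf '%s\n' "$SAMPLE_LOG" | flag_login_bruteforce "${1:-5}"
}

flag_in_sample
```

On a real server, pipe the access log in instead of the sample (for example `flag_login_bruteforce 10 < /var/log/apache2/access.log`, path assumed) and compare the flagged addresses with the IPs your lockout plugin has already banned.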

# 11. Monitor your files

For an extra layer of WordPress security, keep track of changes to your site's files with plugins like Wordfence or, again, iThemes Security.

Part 3: Secure your WordPress website through the database

All data and information of your website is stored in a database. Taking care of it is very important. Here are some things you can do to make it safer:

# 12. Change the WordPress database table prefix

If you have ever installed WordPress, you are familiar with the wp_ table prefix used by the WordPress database. I recommend that you change it to something unique.

Using the default prefix makes your website database more vulnerable to SQL injection attacks. Such attacks can be made harder by changing wp_ to some other prefix. For example, you can make it mywp_ or wpnew_.

If you installed your WordPress website with the default prefix, you can use a plugin to change it. Plugins like WP-DBManager or iThemes Security can get it done at the push of a button. (Make sure you back up your site before doing anything to the database.)

# 13. Create regular backups to secure your WordPress site

No matter how secure your WordPress site is, there's always room for improvement. But at the end of the day, keeping an off-site backup somewhere is probably the best antidote no matter what happens.

If you have a backup, you can restore your WordPress site to its working state anytime you want. There are several plugins that can help you in this regard.

If you are looking for a premium solution, then I recommend VaultPress by Automattic; it is awesome. I have set it up so it creates a backup every week. And if anything bad happens, I can easily restore the site with just one click.

I know some larger sites run backups every hour, but for most organizations that is absolute overkill. Not to mention, you'll need to make sure that most of those backups are deleted after a new backup is created, because each backup file takes up space on your drive. That said, I recommend weekly or monthly backups for most organizations.

In addition to backups, VaultPress also checks my site for malware and notifies me if anything shady is going on.

# 14. Set strong passwords for your database

A strong password for the database user is required because it is the password that WordPress uses to access the database.

As always, use uppercase letters, lowercase letters, numbers and special characters for passwords. A longer password is better as well. I again recommend LastPass to generate and store random passwords. A free and fast tool for creating strong passwords is Secure Password Generator.

# 15. Keep track of your audit log

When you are running a WordPress multisite or handling a multi-author website, it is important to understand what kind of user activity is taking place. Your writers and contributors may be changing their passwords, but there are other things you may not want to happen. For example, changing themes and widgets is obviously for administrators only. When you check the audit log, you can be sure that your administrators and contributors are not trying to change something on your website without approval.

The WP Security Audit Log plugin provides a complete log of this activity, along with email notifications and reports. At its simplest, an audit log can help you see that a writer is having trouble logging in. But the plugin can also reveal malicious activity from one of your users.

Part 4: Let the server handle your WordPress security

Almost all hosting companies claim to provide an optimized environment for WordPress, but we can still take one step further:

# 16. Protect the wp-config.php file

The wp-config.php file contains important information about your WordPress installation and is the most important file in the root directory of your website. Protecting it means protecting the core of your WordPress blog.

This tactic makes it difficult for hackers to breach your site's security, because the wp-config.php file becomes inaccessible to them.

As a bonus, the protection process is really easy. Just take the wp-config.php file and move it one level above your root directory.

Now, the question is: if you host it elsewhere, how does the server access it? In the current WordPress architecture, the configuration file is at the top of the lookup order. So even if it is hosted in a folder above the root directory, WordPress can still find it.

# 17. Do not allow file editing

If users have administrator access to your WordPress dashboard, they can edit any file that is part of your WordPress installation. This includes all plugins and themes.

If you disallow file editing, no one will be able to modify any files, even if hackers gain administrator access to your WordPress dashboard.

To do this, add the following to the wp-config.php file (at the end):

define('DISALLOW_FILE_EDIT', true);

# 18. Set directory permissions carefully

Access to the wrong directory can be fatal, especially if you are working in a shared hosting environment.

In such cases, changing the file and directory permissions is a good move to secure the site at the hosting level. Set folders to 755 and files to 644, which protects the entire file system: folders, subfolders and individual files.

This can be done manually via the File Manager inside your hosting console or via a terminal (connected over SSH) using the chmod command.

For more, you can read about the correct permissions scheme for WordPress, or install the iThemes Security plugin to check your current permission settings.
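The chmod step over SSH, as an added example rather than the article's own instructions: a POSIX shell script that applies the 755/644 scheme to a document root and then audits for anything that still deviates. The document root path is an assumption passed as the first argument; the demo at the bottom builds a throwaway tree so the block runs on its own.

```shell
#!/bin/sh
# Added example, not from the original post: apply the article's 755/644
# scheme and audit the result. $1 is the WordPress document root (assumed).

# Every directory under $1 becomes 755, every regular file becomes 644.
harden_wp_permissions() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Prints every path that deviates from the scheme and nothing when all is
# well, so it can be re-run later as a quick check for drift (uploads,
# plugin installers and FTP clients often leave looser modes behind).
audit_wp_permissions() {
    root="$1"
    find "$root" -type d ! -perm 755
    find "$root" -type f ! -perm 644
}

# Demo on a throwaway tree that mimics a sloppy install: a world-writable
# uploads folder and a wp-config.php readable and writable by everyone.
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/wp-content/uploads"
printf '<?php\n' > "$demo_root/wp-config.php"
chmod 777 "$demo_root/wp-content/uploads"
chmod 666 "$demo_root/wp-config.php"
echo "before:"; audit_wp_permissions "$demo_root"
harden_wp_permissions "$demo_root"
echo "after:";  audit_wp_permissions "$demo_root"
rm -rf "$demo_root"
```

Many hosts additionally restrict wp-config.php to 600 or 440; that is a further tightening beyond the 755/644 scheme described here, and the audit above would list such a file as a deviation.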

# 19. Disable directory listing with .htaccess

If you create a new directory as part of your site and don't put an index.html file in it, you might be surprised to find that your visitors can get a complete listing of everything in that directory.

For example, if you create a directory named data, you can see everything in that directory just by typing http://www.example.com/data/ into your browser. No password or anything else is needed.

You can prevent this by adding the following line of code to your .htaccess file:

Options All -Indexes

# 20. Prevent hotlinking

Suppose you find an image online and want to share it on your website. First of all, you need to get permission or pay for the image; otherwise it is probably illegal to do so. But if you are allowed, you can directly take the URL of the image and use it to place the image in your post. The main problem here is that the image is displayed on your site but hosted on another site's server.

From this perspective, you have no control over whether the image remains available on that server. But it is important to realize that people can do the same thing to your site.

When it comes to securing your WordPress site, hotlinking is basically someone else taking your images and using your server bandwidth to display them on their own site. In the end, you will see slower load times and the potential for higher server costs.

Although there are some manual techniques to prevent hotlinking, the easiest method is to find a WordPress security plugin for the job. For example, the All in One WP Security and Firewall plugin includes built-in tools to block all hotlinking.

# 21. Understand and protect against DDoS attacks

DDoS attacks are a common type of attack on your server bandwidth, where an attacker uses many programs and systems to overload your server. Although an attack like this does not endanger your site files, it will take your site down for a long time if not resolved. Typically, you only hear about DDoS attacks when they happen to large companies like GitHub or Target. They are carried out by what many call cyber terrorists, so the damage can be simply devastating.

That said, you don't need to be a Fortune 500 company to be at risk.

If this worries you, we recommend that you subscribe to the Sucuri premium plan (or see my review of Sucuri) or Cloudflare. These solutions have a web application firewall that analyzes the bandwidth being used and completely blocks DDoS attacks.

Part 5: Secure your WordPress website through themes and plugins

Themes and plugins are an essential component for any WordPress website. Unfortunately, they can also pose serious security threats. Find out how we can properly secure your WordPress themes and plugins:

# 22. Update regularly for WordPress security

Every good software product is supported by its developers and updated regularly. These updates are meant to fix bugs and sometimes carry important security patches. WordPress and its plugins are no different.

Not updating your themes and plugins could mean trouble. Many hackers rely on the fact that people can't be bothered to update their plugins and themes. More often than not, hackers exploit bugs that have already been fixed.

So if you are using any WordPress product, please update it regularly. Plugins, themes, everything. The good news is that WordPress automatically pushes updates to users, so you will receive an email notifying you about updates, and information about the fixes appears in your dashboard.

Plugins must be updated manually by going to the Plugins page in your dashboard. When a plugin has a new version, it will notify you and provide a link to update now.

As an alternative, you can choose a managed WordPress hosting package. Along with many other features and improvements to your WordPress security, quality managed hosting provides automatic updates for all elements of your WordPress site.

Some managed hosting providers include Kinsta, Media and Flywheel. You can learn more about top managed WordPress hosting here.

# 23. Hide your WordPress version number

Your current WordPress version number can be found very easily. Basically, it is sitting right in the page source of your site. You can also see it at the bottom of your dashboard (but that doesn't matter when trying to secure your WordPress site).

Here's the thing: if hackers know which version of WordPress you use, it is easier for them to tailor their attack.

You can hide your version number with most of the WordPress security plugins I mentioned above.

For a more manual approach (which also removes the version number from the RSS feed), consider adding the following function to your functions.php file:

function wpbeginner_remove_version() {
    return ''; // return an empty string so no generator tag is printed
}
add_filter('the_generator', 'wpbeginner_remove_version');

Final thoughts on how to secure your WordPress site

If you are a beginner, then that is a lot to take in. However, everything I mentioned in this article is a step in the right direction. The more you care about your WordPress security, the harder it is for hackers to gain access.

That being said, perhaps equally important as security is website performance. Basically, without a fast loading site, your visitors will never get a chance to consume your content. The average site visitor will only wait 2 seconds before giving up and leaving.

About the author: My name is Nguyen Manh Cuong. I was born in a poor village in Ba Vi district, Ha Noi province, a windy and sunny land. Currently: https://www.nguyendiep.com/. Mr Cuong.