WordPress Website Security
My list originally came from Code In WP
This is a presentation I gave for the Houston WordPress Meetup on keeping your WordPress website secure. It covers security from inside the Dashboard, at the server level, and from the outside, the way an attacker looking in would see the site.
First off, we start with locking down the website and banning users. The most popular plugin for this is iThemes Security. It has a lot of features and a lot of documentation, and it does a lot right out of the box: with very little configuration it can lock your website down pretty well, and it includes a lockout feature.
One of the most important ways of keeping your website secure is stopping people who try to log in over and over again. We call that a brute force attempt: a bot hits your login page repeatedly, guessing passwords. The plugin watches for this. If it sees a certain number of failed attempts from one IP address, it locks that IP out. Two things to keep in mind: attackers also submit login attempts through xmlrpc.php, so lock that down or disable it as well, and an attacker spreading attempts across many IP addresses will stay under the per-IP limit, which is why lockouts belong alongside strong passwords and two factor authentication rather than on their own.
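The lockout idea above, as an added example that is not part of the original presentation or of the iThemes plugin: a small shell script that reads constructed Apache-style access log lines, counts login attempts per client IP against both wp-login.php and xmlrpc.php, and reports any IP that reaches a threshold. It assumes the "combined" log format, GNU awk and sort, and the WordPress behaviour that a failed login POST to wp-login.php is answered with a 200 (the form is redrawn) while a successful one redirects with a 302. The log lines and IP addresses are made up.

```shell
#!/bin/sh
# Added example: count login attempts per client IP from a web server access log.
# Assumes Apache/Nginx "combined" log format:
#   IP - - [timestamp] "METHOD /path HTTP/1.1" STATUS BYTES ...
# On WordPress a failed login POST to wp-login.php is answered with 200 (the form is
# shown again); a successful one answers 302. xmlrpc.php accepts logins too and
# always answers 200, so every POST to it is counted.

# write_sample_log FILE -> writes constructed sample lines (not real traffic)
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
203.0.113.7 - - [10/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4120
198.51.100.9 - - [10/Jan/2024:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
198.51.100.9 - - [10/Jan/2024:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
198.51.100.9 - - [10/Jan/2024:10:00:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.44 - - [10/Jan/2024:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 4120
192.0.2.44 - - [10/Jan/2024:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0
EOF
}

# brute_force_ips LOGFILE THRESHOLD -> prints "COUNT IP" for every IP whose failed
# wp-login.php POSTs plus xmlrpc.php POSTs reach THRESHOLD, busiest first
brute_force_ips() {
  awk -v thr="$2" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
    $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/               { n[$1]++ }
    END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
  ' "$1" | sort -rn
}

# Usage: list offenders with 3 or more attempts in the constructed log
demo() {
  tmp=$(mktemp)
  write_sample_log "$tmp"
  brute_force_ips "$tmp" 3
  rm -f "$tmp"
}
demo
```

In the sample, 203.0.113.7 (five failed form logins) and 198.51.100.9 (three XML-RPC posts) are reported; 192.0.2.44 is not, because its only POST succeeded. On a real server the output feeds a firewall rule or a fail2ban jail; the plugin does the same thing from inside WordPress.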
Two Factor Authentication
This is a technique that many people are moving toward. It is a little bit of an extra step, and if you build websites for customers, those customers need to be familiar with the process. Essentially, it requires two different components to log in, typically your password plus a one-time code from an authenticator app on your phone, and you must have both to get inside. That is much stronger than a password alone. It's not foolproof, but it does help. One of the plugins for this is miniOrange 2 Factor Authentication: https://wordpress.org/plugins/miniorange-2-factor-authentication
Email As Login
A third option is to log in with your email address instead of a username. Usernames are easier to predict; email addresses typically are not. Every account is created with a unique email address, which makes it a valid identifier for logging in, and WordPress itself has accepted the email address in the login form since version 4.5. Keep in mind that the email address is still only half of the credentials: it makes the account name harder to guess, not the password.
Rename Your URL
Then you can rename your login URL so that people cannot guess where your login page sits. WordPress has a default login page at company.com/wp-login.php (company.com/wp-admin simply redirects there), and every attacker knows it. If you change it to something unique like 'my_login' or 'new_login', it is one more hurdle they have to figure out before they can even start brute forcing. This is obscurity rather than a lock: it cuts the noise from automated bots but does nothing against someone who finds the new path, so it belongs alongside lockouts and two factor authentication, not in place of them. One of the plugins we talked about earlier, iThemes Security (formerly called Better WP Security), has a Hide Backend feature that will rename your login URL.
Set Strong Passwords
The next step is to set very, very strong passwords. I know it's tempting to think of an easy password that you won't forget. There are tools to help you create very strong passwords, either ones you can remember or a password manager that remembers them for you. A strong password is long, mixes upper and lower case letters, numbers and symbols, and is unique to that site.
We recommend that when you have a WordPress website you require strong passwords, so that nobody can create an account and then give it a really easy password like 123password. WordPress shows a strength meter when a password is set, but enforcing a minimum strength for every user takes a plugin such as iThemes Security. We also recommend you change them regularly, and immediately if you suspect one has been exposed.
When you create the database for your WordPress website, you also create a database user for it. Make sure that user's password is very strong too, and give it rights only on that one database, not on the whole database server. That password sits in wp-config.php, and it is crucial to securing your website.
Protect the WP-Admin
Then you can protect the wp-admin directory itself. Password protection at the web server level is an additional security measure: the website owner reaches the dashboard by passing two logins. The first, HTTP authentication configured on the server, sits in front of the wp-admin directory like a gate; once you're through it, you get the normal WordPress login page.
Honestly, I have not tried this yet. I've heard that you can. Certainly you can do it at the server level: in cPanel you create a password-protected directory, and that gives you the secondary password. You've got two factor authentication and you've got strong passwords; this is just another layer.
Use SSL to Encrypt Data
Then also remember to set up your website with SSL (more precisely, TLS) encryption so it is served over HTTPS. It encrypts the data passing between the visitor's browser and your server, which makes it difficult for anyone on the network to read or tamper with the connection. Google now takes HTTPS into account when ranking your website, and Chrome labels plain HTTP pages with a big "Not secure" warning in the address bar. When people enter information on your website and hit the enter key, that information passes from their browser to your server, so let's make sure it is encrypted for your customers' sake. Once the certificate is installed, set the WordPress address and site address to https:// and redirect http:// requests so nothing is still served in the clear.
Change Admin Username
The other is changing the admin username. Most people who are not familiar with securing their website leave the first user named admin. As we mentioned earlier, we don't want to use admin as your username; we typically want to use the email address. But if you do still log in with a username, do not call it 'admin', do not call it 'administrator', do not call it 'user'. Pick something unique, because attackers know these defaults, and once they have the username they will do everything they can to get the password. WordPress does not let you rename an existing user from the dashboard, so create a new administrator account with the new name, log in as that account, and delete the old one, choosing to attribute its content to the new user when prompted.
Monitor Your Files
Then you really need to monitor your files. After all these ways of locking people out of your website, if somebody still gets in, one way to catch the hack is to monitor the changes made to the website's files.
Plugins and themes change quite frequently, and when you update WordPress some core files change too. A file change detection feature, such as the one in iThemes Security, keeps a record of what every file looked like and warns you when something no longer matches, for example a file in your wp-admin folder that differs from the known WordPress release, so you can take a look at it. WordPress also publishes checksums for every core release, and WP-CLI's wp core verify-checksums compares your install against them.
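The same idea as a script, added here as an example and not code from the presentation or from iThemes Security: record a SHA-256 hash of every file under the WordPress directory, then compare a fresh scan against that baseline and report files that were added, removed or modified. It assumes GNU coreutils (sha256sum, find with -print0, xargs -r, join). It skips the uploads folder except for PHP files, since images churn constantly but a .php file under uploads is a classic dropped backdoor. Paths containing spaces are not handled, and the directory tree in the demo and test is constructed.

```shell
#!/bin/sh
# Added example: minimal file-change monitoring for a WordPress install.
# Assumes GNU coreutils (sha256sum, find -print0, xargs -r, join). No spaces in paths.

# make_baseline DIR MANIFEST -> writes "hash  ./path" for every monitored file.
# wp-content/uploads is skipped except for *.php: media changes all the time,
# but PHP under uploads is a classic place for a backdoor, so it stays watched.
make_baseline() {
  ( cd "$1" && find . -type f \( ! -path './wp-content/uploads/*' -o -name '*.php' \) -print0 \
      | LC_ALL=C sort -z | xargs -0 -r sha256sum ) > "$2"
}

# check_baseline DIR MANIFEST -> one line per difference:
#   "added PATH", "removed PATH" or "modified PATH"; prints nothing when clean.
check_baseline() {
  cur=$(mktemp)
  make_baseline "$1" "$cur"
  # reshape both manifests to "path hash", sorted on path, so join can line them up
  awk '{ print $2, $1 }' "$2"   | LC_ALL=C sort -k1,1 > "$cur.old"
  awk '{ print $2, $1 }' "$cur" | LC_ALL=C sort -k1,1 > "$cur.new"
  LC_ALL=C join -a1 -a2 -e MISSING -o 0,1.2,2.2 "$cur.old" "$cur.new" |
    awk '$2 == "MISSING" { print "added", $1; next }
         $3 == "MISSING" { print "removed", $1; next }
         $2 != $3        { print "modified", $1 }'
  rm -f "$cur" "$cur.old" "$cur.new"
}

# Usage on a constructed tree: baseline, then simulate a compromise and re-check.
demo() {
  d=$(mktemp -d); m=$(mktemp)
  mkdir -p "$d/wp-admin" "$d/wp-content/uploads"
  printf '<?php\n' > "$d/wp-admin/menu.php"; printf '<?php\n' > "$d/index.php"
  make_baseline "$d" "$m"
  printf '// injected\n' >> "$d/wp-admin/menu.php"      # modified core file
  printf '<?php\n' > "$d/wp-content/uploads/shell.php"  # PHP dropped into uploads
  check_baseline "$d" "$m"
  rm -rf "$d" "$m"
}
demo
```

Run make_baseline right after a clean install or update (and again after every legitimate update, or every change shows up as noise), keep the manifest somewhere the web server cannot write, and run check_baseline from cron. A new PHP file anywhere under wp-content is the line worth paging on.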
Change the Database Table Prefix
The other is to change the database table prefix. As I mentioned before, the average WordPress user installs the database with the default table prefix, which is wp_, and attackers know that. They know the default tables are named wp_users, wp_options and so on, so when you're installing your WordPress website and it asks what prefix you would like, pick something else.
We use three letters and an underscore. This only makes canned SQL injection payloads that assume wp_ fail; it does not stop an attacker who can read your schema, so treat it as a small hurdle rather than a defense. We also back up your site regularly, so if something does happen you can at least go back to a time when it was okay.
Back Up Your Website Regularly
Part of website security is keeping an offsite backup; no matter what happens, it is perhaps the best antidote. Just be careful that your backups are not themselves infected.
If you haven't been checking your website in weeks or months, your recent backups may already contain the infection. You need a clean backup of your website, stored somewhere other than your hosting server: a backup drive, cloud storage such as Amazon S3 or Dropbox, or anything else that is not attached to the web server. Back up weekly or monthly, daily if the site is very active, keep several generations so you can go back to before a compromise, and test a restore now and then so you know the backups actually work. Backing up your site is crucial.
Protect the WP-Config.php File
If you're a little more advanced and have installed WordPress yourself, you should be familiar with the wp-config.php file. It holds your database credentials and secret keys, so protecting it protects the core of your WordPress site. One option is to move it one level above your web root. Typically when you install WordPress it goes under the public folder (often public_html).
You can move wp-config.php out of that folder into its parent directory, which is not served to the web. I personally have not done this. It's supposed to be easy, because WordPress automatically looks for wp-config.php one directory above its install folder and will still load everything it needs, but it is an option. This only works if the parent directory is not itself another WordPress install, and if you cannot move the file, denying web access to it in .htaccess gives a similar result.
Again, what we're trying to do is move away from the WordPress defaults so that attackers have to take longer to figure out how to get into your website. This is just one of those ways.
Disallow File Editing
Next is disallowing file editing. WordPress lets administrators edit theme and plugin PHP files right in the dashboard, which is exactly what an attacker who has stolen an admin login uses to drop a backdoor. If you disallow file editing, that editor disappears: add a line to wp-config.php that defines the DISALLOW_FILE_EDIT constant as true. Put it above the line that reads /* That's all, stop editing! Happy publishing. */ rather than at the very end of the file; that is where WordPress expects custom constants, and the wp-settings.php file loaded right after that line is what loads plugins and themes, so a constant defined after it may not be seen by them. This is a simple, hard stop on editing WordPress files from the dashboard. It can make things a little less convenient later when you're trying to make changes or customizations, but you can always set it back to false while you work and change it back to true when you're done. Keep in mind that an attacker with admin access can still upload a plugin containing PHP; DISALLOW_FILE_MODS blocks that too, at the cost of also disabling plugin, theme and core updates from the dashboard.
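The wp-config.php edit described above, as an added example (not code from the presentation or from WordPress itself): a shell function that sets a constant in wp-config.php, replacing an existing define line or inserting a new one just above the "stop editing" marker, so it is never appended after the wp-settings.php require. The sample wp-config.php it operates on is a constructed minimal file; the only assumption about the real file is that it contains that marker comment or the wp-settings.php line.

```shell
#!/bin/sh
# Added example: set a constant in wp-config.php above the "stop editing" marker.
# set_wp_constant FILE NAME VALUE
#   - replaces an existing define( 'NAME', ... ) line in place, or
#   - inserts a new one just before "/* That's all, stop editing! ... */"
#     (falling back to the wp-settings.php require line if the comment is missing).
set_wp_constant() {
  awk -v q="'" -v name="$2" -v line="define( '$2', $3 );" '
    index($0, "define(") && index($0, q name q) { print line; done = 1; next }
    (/That.s all, stop editing/ || /wp-settings\.php/) && !done { print line; done = 1 }
    { print }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# write_sample_config FILE -> a constructed, minimal wp-config.php for demonstration
write_sample_config() {
  cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'change-me' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */

if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Usage against the sample file: remove the dashboard theme/plugin editor, and
# (stricter) also block plugin/theme installs and dashboard updates. Flip
# DISALLOW_FILE_MODS back to false for the few minutes an update takes.
cfg=$(mktemp)
write_sample_config "$cfg"
set_wp_constant "$cfg" DISALLOW_FILE_EDIT true
set_wp_constant "$cfg" DISALLOW_FILE_MODS true
cat "$cfg"
rm -f "$cfg"
```

Because the function replaces an existing line instead of adding a second one, running it again with false is how you temporarily re-enable the editor, and a later run with true restores the lock without leaving two conflicting defines in the file.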
Connect to the Server Correctly
When you work with your web server from your computer, the best way to transfer files is over an encrypted connection: SFTP or SSH rather than plain FTP. Plain FTP sends your username, password and files in clear text, where anyone on the network path can read them.
Set Directory Permissions Carefully
Set your directory permissions carefully. Permissions are three digits, for the owner, the group and everyone else, and a 7 means read, write and execute. The setting to avoid is 777, which lets any process on the server write to that directory: if a hacker gets a foothold on the machine, or a neighbouring account on shared hosting is compromised, a whole directory of files at 777 gives them the ability to write to and change those files.
The normal WordPress layout is 755 for directories and 644 for files. With 644 only the owner can write; everyone else can read but cannot change anything. wp-config.php can be tighter still (640 or 600) as long as the account the web server runs PHP under can still read it. Most control panels let you set these in the file manager, so there are different levels at which you can secure your WordPress website: in the dashboard itself, or at the hosting level in cPanel. A quick check for trouble is to search the site for anything that is still world-writable and fix it.
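The permission baseline above as a script, added here as an example rather than code from the presentation: it sets 755 on directories, 644 on files and 640 on wp-config.php, and lists anything still writable by "others". It assumes the files are owned by your hosting account and that PHP runs either as that account or as a member of its group (ask your host before tightening wp-config.php further); the directory tree in the demo and test is constructed.

```shell
#!/bin/sh
# Added example: apply the usual WordPress permission baseline and find leftovers.
# Assumes the files are owned by your hosting account and PHP runs either as that
# account or as a member of its group.

# wp_fix_perms DOCROOT -> 755 on directories, 644 on files, 640 on wp-config.php
wp_fix_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  # wp-config.php holds the database password: owner read/write, group read only.
  # Use 600 if PHP runs as the file owner; whichever user executes PHP must still
  # be able to read it, or the site goes down.
  if [ -f "$1/wp-config.php" ]; then chmod 640 "$1/wp-config.php"; fi
}

# wp_world_writable DOCROOT -> lists anything writable by "others" (the 777-style
# mistake); an empty result is what you want.
wp_world_writable() {
  find "$1" -perm -002
}

# Usage on a constructed tree, not a real site:
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/plugins"
  printf '<?php\n' > "$d/index.php"; printf '<?php\n' > "$d/wp-config.php"
  chmod 777 "$d/wp-content" "$d/index.php"
  echo "world-writable before:"; wp_world_writable "$d"
  wp_fix_perms "$d"
  echo "world-writable after:";  wp_world_writable "$d"
  rm -rf "$d"
}
demo
```

If the site stops being able to install updates or upload media after this, the web server user is not the owner and not in the group; the fix is to make it so (or to use a setup where PHP runs as the account owner), not to go back to 777.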
Disable Directory Listing
Now we're going to disable directory listing with .htaccess. This tells the server not to list every file in a directory, which stops attackers from browsing your entire website's file tree. Normally, if a directory has an index.html or index.php file the server shows that; if there is no index file, it shows everything in the directory unless you tell it not to. One line in the .htaccess file at the root of your site, Options -Indexes, tells Apache: "Don't show my files for a directory that has no index page." This is separate from the permissions fix above; both are worth doing.
Some hosting companies already have this turned off, some don't, so check by requesting a directory such as /wp-content/uploads/ in a browser.
Keep WordPress Updated
Every good software product is supported by its developers and should be updated regularly. WordPress is updated very frequently, and those updates fix bugs and ship vital security patches, just like your Windows or Mac software. Maybe you don't even notice, but it is always updating, constantly closing security holes that someone has found. That's what all those updates you see in the back end are, and you have to be vigilant about them. Not every update is urgent, but if it is a security patch, apply it right away: it means somebody has found an opening, and patching closes the hole before anyone else walks through it. WordPress applies minor core releases automatically by default; plugins and themes need the same attention, since most publicly reported WordPress vulnerabilities are in plugins and themes rather than in core.
Hide Your WordPress Version
Remember the defaults. One way attackers figure out what is on your site and how it is configured is by learning the WordPress version you run: a version number tells them exactly which known holes to try, so they can tailor the perfect attack. Removing the version from the generator tag in your site's HTML is one small way to deny them that. It is only obscurity, though: the version also leaks through the readme.html file in your web root and the ?ver= parameters on core script and stylesheet URLs, so patching promptly matters far more than hiding the number.
Change the User Nickname
Shout out to Riz@xelectonline.com. He also recommended changing the user nickname. I was always wondering how these hackers were figuring out my username, especially on websites that we don't blog on. It isn't displayed anywhere, but apparently it's easy to find. He recommends changing the nickname to something else, because when you create a user the username is used as the nickname by default, so change it to something like your first name, something that has nothing to do with the username.
So thank you Riz for that!
OK, thank you very much.
That's a discussion on securing your WordPress site.
We went through a few of the many different ways to secure your WordPress website, from dashboard-level plugins all the way to back end work on your server and in cPanel, and password protection. All good stuff.
Whether you're at a beginner or an advanced level, hopefully you learned something.
Houston WordPress Meetup
I gave this presentation at the local Houston WordPress Meetup. If you're interested, we have three different locations in Houston where we meet. We discuss all things WordPress, from beginner level to advanced: WordPress programming, managing your WordPress site, designing for WordPress, maybe even running a WordPress agency.
I encourage you to stop by. If you're interested in becoming a speaker, please reach out; just go to the meetup.com website. Thank you very much.
Again, this is Christina Hawkins with GlobalSpex Internet Marketing at www.globalspex.com. Thank you very much.
Learn More About Website Security
If you are concerned about your WordPress Website Security, I recommend our Website Care Plans.