WordPress is a very popular content management system (CMS) now a day but just like any other cms, website or web application, it can be targeted by hackers.
Today, I plan to discuss quite a few simple tricks that can help you secure your WordPress website even more.
1. Update WordPress regularly
With a new update release, WordPress gets improved and its security is improved too. Lot’s of bugs and vulnerabilities are fixed every time a new version comes out. Also, if any particularly malicious bug gets discovered, the WordPress core guys will take care of it right away, and force a new safe version promptly. If you don’t update, you will be at risk.
To update WordPress, you first need to go to your dashboard. At the top of the page, you’ll see an announcement every time a new version is out. Click to update and then click on the blue “Update Now” button. It only takes a few seconds.
2. Rename your login URL
By default, the WordPress login page can be accessed easily via
wp-admin added to the site’s main URL. Changing the login URL or add a security question to the registration and login page is an easy thing to do.
When hackers know the direct URL of your login page, they can try to brute force their way in. They attempt to log in with their GWDb (Guess Work Database, i.e. a database of guessed usernames and passwords; e.g. username:
admin and password:
[email protected] … with millions of such combinations).
At this point, we have already restricted the user login attempts and swapped usernames for email IDs. Now we can replace the login URL and get rid of 99% of direct brute force attacks.
This little trick restricts an unauthorized entity from accessing the login page. Only someone with the exact URL can do it.
The easiest way to change your login URL is to use the wordpress plugine named WPS Hide Login. It’s very simple to use; just input your new login page URL and save the changes. You can set the URL to anything you want.
You can further protect your login page by adding a 2-factor authentication plugin to your WordPress. When you try to login, you will need to provide an additional authentication in order to gain access your site — for example, it can be your password and an email (or text). This is an enhanced security feature to prevent hackers from accessing your site.
3. Protect the wp-config.php file
Technically wp-config.php file is the core of your WordPress site. It hosts crucial information and data about your whole WordPress installation. and it is one of the most important file, hence vulnerable files on your site. If something bad happens to it, you won’t be able to use your blog normally.
One simple thing you can do is take that wp-config.php file, and simply move it one step above your WordPress root directory. Your WordPress site won’t be affected at all by this move, but hackers won’t be able to find it anymore.
4. Disable File Editing
If a user has admin access to your WordPress dashboard they can edit any files that are part of your WordPress installation. This includes all plugins and themes.
If you disallow file editing, no one will be able to modify any of the files – even if a hacker obtains admin access to your WordPress dashboard.
To make this work, add the following to the wp-config.php file (at the very end):
5. Install SSL Certificate
Nowadays Single Sockets Layer, SSL is mandatory for any sites that process sensitive information, i.e. passwords, or credit card details. Without an SSL certificate all of the data between the user’s web browser and your web server are delivered in plain text. This can be readable by hackers. By using an SSL, the sensitive information is encrypted before it is transferred between their browser and your server, making it more difficult to read and making your site more secure.
Today, however, Google has recognized it’s importance and provides sites with an SSL certificate a more weighted place within its search results.