A Foolproof Guide To WordPress Security

Prevent Brute Force Attacks and enhance WordPress Security

A brute force attack is a hacking technique that raises serious security concerns. Everyone knows the standard WordPress login page URL, so an attacker simply appends “/wp-login.php” or “/wp-admin/” to your domain name to reach the backend login form and start guessing credentials.

Tips to secure WordPress Website

1. Modify the WordPress Database Table Prefix to secure login page

“wp_” is the default table prefix used by WordPress database tables. You can change it to “my_wp_”, “i_wp_”, “xyz_wp_” or any random prefix that is easy to remember and hard to guess (WordPress accepts only letters, numbers and underscores in the prefix). Either set it while installing WordPress or change it later during configuration.

2. Rename login URL slug to secure login page

When hackers know the direct URL of the login page, or reach it through wp-login.php or /wp-admin/, they attempt to brute force your site. They may also try to get in by applying commonly used usernames and passwords at random. So change the login URL and make it unique rather than the common default.

  • Change your WordPress /wp-admin/ URL slug to something unique; e.g. my_custom_admin
  • Change your WordPress /wp-login.php?action=register URL to something unique; e.g. my_custom_registration

3. Set strong, long and complex passwords to secure login page

Setting complex passwords is a no-brainer, but it secures your WordPress site to a great extent. Set a strong password and change it frequently. Mix special characters, uppercase letters, lowercase letters and numbers to build unpredictable, complex passwords. Such passwords are impossible for hackers to predict.
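As an added example (not code from the article), here is a small must-use plugin that enforces the mix-of-character-classes rule above whenever a user sets or changes a password in the dashboard. It hooks WordPress's `user_profile_update_errors` action; the minimum length of 12, the `spp_` function name and the error message are this example's own choices.

```php
<?php
/**
 * Plugin Name: Strong Password Policy (example)
 * Added example, not code from the article. Drop into wp-content/mu-plugins/.
 */

// Returns the list of rules a candidate password fails; an empty array means
// the password satisfies the article's policy (special characters, uppercase,
// lowercase and digits) plus a minimum length, which is this example's choice.
function spp_password_violations(string $password, int $min_length = 12): array {
    $rules = [
        "at least {$min_length} characters" => strlen($password) >= $min_length,
        'an uppercase letter'               => preg_match('/[A-Z]/', $password) === 1,
        'a lowercase letter'                => preg_match('/[a-z]/', $password) === 1,
        'a digit'                           => preg_match('/[0-9]/', $password) === 1,
        'a special character'               => preg_match('/[^A-Za-z0-9]/', $password) === 1,
    ];
    return array_keys(array_filter($rules, fn($ok) => !$ok));
}

// Runs on profile save and on user creation in wp-admin. $user->user_pass is
// only populated when a new password was typed, so unchanged profiles pass.
add_action('user_profile_update_errors', function (WP_Error $errors, bool $update, $user) {
    if (empty($user->user_pass)) {
        return;
    }
    $failed = spp_password_violations($user->user_pass);
    if ($failed !== []) {
        $errors->add(
            'weak_password',
            'Password must contain ' . implode(', ', $failed) . '.'
        );
    }
}, 10, 3);
```

The policy function is kept free of WordPress calls so it can be unit-tested on its own; the hook only wires it into the profile screen. Passwords chosen through the "Lost your password?" flow go through a different hook (`validate_password_reset`) and would need the same check attached there.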

4. Use two-factor authentication to secure login page

Two-factor authentication is one of the best security measures available, so add a 2FA module to the login page. The website owner decides which two factors users must present. Normally, over and above the regular password, the second factor is a secret question, a secret code, a set of characters, or, most popularly, the Google Authenticator app, which produces a secret code on your mobile.
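To show what the authenticator-app factor actually checks, here is an added example (not code from the article) of a minimal RFC 6238 TOTP verifier in PHP. The phone and the server share a secret, and each derives the 6-digit code from that secret and the current 30-second time step, which is what Google Authenticator and similar apps implement. The `totp_` function names, the one-step drift window and the base32 sample secret are this example's own.

```php
<?php
// Added example, not from the article: RFC 6238 TOTP verification.

// Decode an RFC 4648 base32 string (the format authenticator apps import).
function totp_base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $clean = strtoupper(str_replace(' ', '', rtrim($b32, '=')));
    $bits = '';
    foreach (str_split($clean) as $ch) {
        $val = strpos($alphabet, $ch);
        if ($val === false) {
            throw new InvalidArgumentException("invalid base32 character '$ch'");
        }
        $bits .= str_pad(decbin($val), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) {          // drop trailing padding bits
            $bytes .= chr(bindec($chunk));
        }
    }
    return $bytes;
}

// HOTP (RFC 4226) over the time-step counter: HMAC-SHA1, dynamic truncation,
// then reduction to the requested number of decimal digits.
function totp_code(string $secret, int $timestamp, int $period = 30, int $digits = 6): string {
    $counter = pack('J', intdiv($timestamp, $period));     // 8-byte big-endian
    $hmac    = hash_hmac('sha1', $counter, $secret, true);
    $offset  = ord($hmac[19]) & 0x0F;
    $binary  = ((ord($hmac[$offset]) & 0x7F) << 24)
             | (ord($hmac[$offset + 1]) << 16)
             | (ord($hmac[$offset + 2]) << 8)
             |  ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept the current step plus one step either side to absorb clock drift,
// comparing in constant time so the check leaks nothing about the code.
function totp_verify(string $secret, string $code, int $now, int $window = 1): bool {
    for ($step = -$window; $step <= $window; $step++) {
        if (hash_equals(totp_code($secret, $now + $step * 30), $code)) {
            return true;
        }
    }
    return false;
}

// Self-check against the RFC 6238 reference vector: the ASCII secret
// "12345678901234567890" at Unix time 59 yields the 8-digit code 94287082.
if (totp_code('12345678901234567890', 59, 30, 8) !== '94287082') {
    throw new RuntimeException('TOTP implementation does not match RFC 6238');
}

// Typical use: the enrolled secret is stored base32-encoded per user and the
// submitted code is checked against the server clock. This sample secret is
// the base32 form of the reference secret above.
$enrolled = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
$now      = time();
$shown    = totp_code(totp_base32_decode($enrolled), $now);   // what the app would display
echo totp_verify(totp_base32_decode($enrolled), $shown, $now) ? "code accepted\n" : "code rejected\n";
```

Two details matter in practice: the shared secret must be generated with a cryptographic random source and stored as carefully as a password hash, and a code that was already accepted should be rejected if replayed within the same time step.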

5. Use the email address to log in to secure login page

By default, WordPress lets you log in with your username. Using your email address to log in is a more secure approach than using a username: people can guess usernames, but guessing email addresses is harder. A WordPress account created with a unique email address can use that address as a valid login identifier.
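One way to make the email address the only accepted identifier, as an added example that is not code from the article: WordPress registers two credential handlers on its `authenticate` filter, `wp_authenticate_username_password()` and `wp_authenticate_email_password()`, so removing the first leaves only email login. The error code, message and relabelled field are this example's choices.

```php
<?php
/**
 * Plugin Name: Email-only Login (example)
 * Added example, not from the article. Drop into wp-content/mu-plugins/.
 */

// Core attaches both credential handlers at priority 20. Dropping the
// username handler means a username is no longer accepted on the login form.
remove_filter('authenticate', 'wp_authenticate_username_password', 20);

// Give a clear message when someone still types a username. Priority 15 runs
// before the remaining core handler, which passes a WP_Error straight through.
add_filter('authenticate', function ($user, $username, $password) {
    if ($username !== '' && !is_email($username)) {
        return new WP_Error(
            'email_login_required',
            'Please sign in with the email address on your account.'
        );
    }
    return $user;
}, 15, 3);

// Relabel the login form field so users know what to enter.
add_filter('gettext', function (string $translated, string $text, string $domain) {
    if ($domain === 'default' && $text === 'Username or Email Address') {
        return 'Email Address';
    }
    return $translated;
}, 10, 3);
```

Because the change is made inside `wp_authenticate()`, it applies to every login path that goes through it, XML-RPC included, not just the wp-login.php form.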

6. Idle users auto-logged out of your WordPress site

Users who leave your site’s wp-admin panel open on their screens present a serious security threat: anyone passing by can use it. To avoid unwanted access from idle screens, set up auto-logout for users who have been inactive for a certain period, for example 15 minutes.
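The auto-logout described above, as an added example that is not code from the article. It records the time of each authenticated request in user meta and ends the session when the gap exceeds the limit; WordPress's own cookie lifetime cannot express "idle" time, only absolute expiry. The `ISL_` constant names, the meta key and the login-screen message are this example's choices.

```php
<?php
/**
 * Plugin Name: Idle Session Logout (example)
 * Added example, not from the article. Drop into wp-content/mu-plugins/.
 */

// Inactivity limit from the article's example; MINUTE_IN_SECONDS is a core constant.
define('ISL_IDLE_SECONDS', 15 * MINUTE_IN_SECONDS);
define('ISL_META_KEY', '_isl_last_activity');   // user meta key, this example's own

// Pure decision helper, kept separate so it can be tested without WordPress.
function isl_session_expired(int $last_activity, int $now, int $limit = ISL_IDLE_SECONDS): bool {
    return $last_activity > 0 && ($now - $last_activity) > $limit;
}

// On every authenticated request compare the stored timestamp of the user's
// previous request with now: log out and bounce to the login form if idle too
// long, otherwise refresh the timestamp.
add_action('init', function () {
    if (!is_user_logged_in()) {
        return;
    }
    $user_id = get_current_user_id();
    $now     = time();
    $last    = (int) get_user_meta($user_id, ISL_META_KEY, true);

    if (isl_session_expired($last, $now)) {
        wp_logout();   // clears the auth cookies and invalidates the session token
        wp_safe_redirect(add_query_arg('idle', '1', wp_login_url()));
        exit;
    }
    update_user_meta($user_id, ISL_META_KEY, $now);
});

// Explain the bounce on the login screen.
add_filter('login_message', function (string $message) {
    if (isset($_GET['idle'])) {
        $message .= '<p class="message">You were signed out after 15 minutes of inactivity.</p>';
    }
    return $message;
});
```

One caveat: the check runs on `init`, so requests served entirely from a page cache never reach it. Logged-in users are normally excluded from caching, but verify that on your host before relying on this.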

7. Monitor your files with security plugins

The below two plugins are highly recommended for WordPress security.

  • iThemes Security Pro (https://ithemes.com/security/), available in the pro version. Both plugins provide protection against Brute Force Attacks, SQL Injection and Cross-Site Scripting (XSS).

8. Take regular backups

If you have a backup of a hacked or lost site, you can easily restore it. So make sure you take backups regularly, preferably daily or weekly. A backup helps in case of a virus or a SQL injection attack.

9. Protect the wp-admin directory and set directory permissions

The wp-admin directory is the core of your WP website; if this core element is breached, your entire site can be harmed. Secure the wp-admin area with TWO passwords: the first protects the login page and the second secures the dashboard admin area.

10. SSL (https) cryptography to encrypt data

If you have not yet installed an SSL (Secure Sockets Layer) certificate on your WordPress site, do it today. It is one of the steps towards securing your admin panel area. An SSL certificate secures data transfer between browser and server, making it difficult for hackers to intercept the connection or spoof information about your website. You can buy the certificate from a third-party company, or check whether your hosting company provides a free SSL certificate for your website.

11. Disallow or restrict file editing

Anyone with admin access to your WordPress dashboard can edit any file, including themes and plugins, which can undermine security. To strengthen WordPress security, disallow file editing: then no one can edit or modify the files from the dashboard, not even a hacker who obtains admin access to it.

12. Disable directory listing in .htaccess

The .htaccess file is located in the WordPress root directory. If you create a new directory (or folder) on your website and do not put an “index.html” file in it, you may be surprised to learn that your visitors can get a listing of all the files in that folder. For example, if you create a folder called “masterdata”, anyone can see everything in it simply by typing “http://www.example.com/masterdata/” in a browser. No password or anything else is needed.
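Tips 1, 9, 10, 11 and 12 all come down to settings that live in two files, wp-config.php and .htaccess. As an added example (not code from the article), here is a read-only audit script that checks a WordPress root for them: the default “wp_” table prefix, a world-readable wp-config.php, the `FORCE_SSL_ADMIN` and `DISALLOW_FILE_EDIT` constants, and the Apache `Options -Indexes` directive that turns directory listings off. With no argument it audits a constructed, deliberately weak install in a temp directory; the check names and messages are this example's own.

```php
<?php
// Added example, not from the article: a read-only hardening audit.
// Usage:  php wp-audit.php /var/www/html

function audit_wordpress(string $root): array {
    $findings    = [];
    $config_path = $root . '/wp-config.php';
    $config      = @file_get_contents($config_path);
    if ($config === false) {
        return ["no wp-config.php under $root"];
    }

    // Tip 1: the default prefix makes table names guessable in injected SQL.
    if (preg_match('/^\s*\$table_prefix\s*=\s*[\'"]wp_[\'"]\s*;/m', $config)) {
        $findings[] = 'tip 1: $table_prefix is the default "wp_"';
    }

    // Tip 9: wp-config.php holds database credentials; deny world read access.
    $mode = fileperms($config_path) & 0777;
    if ($mode & 0004) {
        $findings[] = sprintf('tip 9: wp-config.php is world-readable (mode %04o)', $mode);
    }

    // Tips 10 and 11: constants WordPress reads from wp-config.php.
    foreach (['FORCE_SSL_ADMIN' => 10, 'DISALLOW_FILE_EDIT' => 11] as $constant => $tip) {
        $pattern = '/define\(\s*[\'"]' . $constant . '[\'"]\s*,\s*true\s*\)/';
        if (!preg_match($pattern, $config)) {
            $findings[] = "tip $tip: define('$constant', true) is missing";
        }
    }

    // Tip 12: Apache directory listings are disabled with "Options -Indexes".
    $htaccess = @file_get_contents($root . '/.htaccess');
    if ($htaccess === false || !preg_match('/^\s*Options\b.*-Indexes/mi', $htaccess)) {
        $findings[] = 'tip 12: .htaccess has no "Options -Indexes"';
    }

    return $findings;
}

// Build a throwaway install with every weakness present, to show the output.
function audit_demo_root(): string {
    $root = sys_get_temp_dir() . '/wp-audit-demo-' . getmypid();
    if (!is_dir($root)) {
        mkdir($root, 0700);
    }
    file_put_contents($root . '/wp-config.php', "<?php\n\$table_prefix = 'wp_';\n");
    chmod($root . '/wp-config.php', 0644);                 // world-readable on purpose
    file_put_contents($root . '/.htaccess', "# no Options line\n");
    return $root;
}

$root     = $argv[1] ?? audit_demo_root();
$findings = audit_wordpress($root);
if ($findings === []) {
    echo "OK: no findings for $root\n";
} else {
    echo "Findings for $root:\n";
    foreach ($findings as $finding) {
        echo "  - $finding\n";
    }
}
```

The fixes the script looks for are the corresponding lines themselves: `$table_prefix = 'xyz_wp_';`, `define('FORCE_SSL_ADMIN', true);` and `define('DISALLOW_FILE_EDIT', true);` in wp-config.php, a mode of 600 or 640 on that file, and `Options -Indexes` in .htaccess (on nginx the equivalent is leaving `autoindex` off, which this Apache-oriented check does not cover).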

Final thoughts — Stay up to date and regularly update your WordPress site for security

To keep your WordPress site secure, regularly update WordPress, your themes and your installed plugins. Plugins in particular must be updated manually from Plugins in your dashboard: when a new version is available, WordPress notifies you and provides an “update now” link.
