
WordPress Security for DiY Users 

The WordPress platform is used by millions of websites the world over, and any flaws and weak points are immediately discovered and patched.

But despite the vast security infrastructure and the dedicated developers who pour their heart and soul into making WordPress one of the best and safest CMSs on the market today, hackers still manage to get through its defenses from time to time.

WordPress security for DiY users is not impossible and here are a couple of things you can do from your side to reduce the chances of your WordPress website being hacked. Let us see what they are.

File editing should be disabled

For security purposes, it is advisable to disable WordPress file editing from the Dashboard until you use it. This can be done by adding the following line to the wp-config.php file: 

define('DISALLOW_FILE_EDIT', true);

Doing this will help to prevent users from accidentally or maliciously modifying any of the WordPress core files. 

Don’t keep default ‘admin’ user names

If you are installing WordPress from single-click installers like those offered by some web hosting services, the default WordPress username is still ‘admin’. This makes it very convenient for brute force hackers.

WordPress doesn’t allow you to change usernames so the best thing to do is to create a new username and delete the old one. You can also use the Username changer plugin or if you are tech-savvy, go to phpMyAdmin and change the username from there.

Default usernames like ‘admin’ are unfortunately still very common and the necessity of changing them to a custom username can’t be stated enough.

Consider two factor authentication 

Two factor authentication adds an extra layer of security by requiring two forms of authentication to log in. This means that even if someone knows your password, they will not be able to log in to your WordPress site without also having access to the second factor, such as a mobile phone.

Some popular two factor authentication plugins are:

UpdraftPlus Two Factor Authentication

LastPass Authenticator

Put a limit to login attempts 

By default, WordPress allows you to attempt to log in any number of times. Consider limiting how many times someone can attempt to log in.

First, it can help prevent brute force attacks. Second, by making it more difficult for someone to guess your password, you’re making it more difficult for them to access your site. Finally, if someone is trying to brute force their way into your site, they can cause your server to slow down or even crash. 

You can limit the login attempts by installing the Login LockDown plugin. 

Change the database prefix 

The default prefix for your WordPress database is wp_. By changing the default prefix, you make it more difficult for hackers to guess the name of your database and gain access to it.  

But only do this if you are sure about your coding skills because if you attempt it and you don’t do it properly, your website can break. 

Protect your WordPress Login page and Admin folder with passwords 

The WordPress Login page and Admin (wp-admin) folder can normally be accessed by anyone. A hacker will surely attempt to hack these pages with tricks or by running DDoS attacks. But if you deny these attempts by blocking access with a password on the server-side, these attacks will not bear fruit. 
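One way to set up the server-side password described above on Apache, as an added example that is not part of the original article. The password file path /home/example/.htpasswd and the realm name are placeholders, and the syntax assumes Apache 2.4 with .htaccess authentication overrides enabled.

```apache
# Create the password file first, outside the web root, for example:
#   htpasswd -c /home/example/.htpasswd yourname

# --- In the site root .htaccess: protect the login page ---
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    # Placeholder path; do not store this file where it can be downloaded
    AuthUserFile /home/example/.htpasswd
    Require valid-user
</Files>

# --- In wp-admin/.htaccess: protect the whole admin folder ---
AuthType Basic
AuthName "Restricted"
AuthUserFile /home/example/.htpasswd
Require valid-user

# Themes and plugins call admin-ajax.php on behalf of ordinary visitors,
# so leave that one file reachable without the extra password
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Visitors now see a browser password prompt before the WordPress login form is served, so automated login attempts fail at the web server without reaching WordPress.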

Logout idle WordPress users 

We are prone to letting WordPress sit idle while we are logged in, and this is actually a security risk. This is the reason many websites automatically log out the user if the user is idle for a certain time: a hacker can use such opportunities to hijack the session, change the password, or make other changes. A plugin called Inactive Logout can take care of this.

Add a security question to the login screen 

Adding a security question to the login screen will give it a second layer of protection. But since it will increase the time it takes to log in to your WordPress account, which some may find exasperating, use this technique only if you don’t mind spending a few extra seconds to log in every time. You can add this feature by installing the WordPress Security Questions plugin.

Directory browsing and indexing should be disabled 

Hackers will browse your directory to find vulnerable files that they can exploit. Directory browsing also shows your images, directory structure, and more. That is why it is recommended to disable directory browsing. 

If you want to disable directory browsing on your WordPress website, you can do so by modifying the .htaccess file. You will need to add the following line of code to the file: 

Options -Indexes 

Once you have saved the file, upload it to the root directory of your WordPress website. 

XML-RPC should be disabled 

WordPress provides a feature called XML-RPC which allows for remote access to a WordPress site. This can be used for a number of purposes, such as managing content or publishing posts from a mobile device.

However, XML-RPC can also be exploited by malicious users to perform attacks on a WordPress site. There are a number of plugins available which can disable XML-RPC, or it can be disabled manually by adding a few lines of code to the site’s .htaccess file. 
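The manual .htaccess approach mentioned above could look like this on Apache 2.4. This is an added example, not from the original article, and the address 203.0.113.10 is a documentation placeholder.

```apache
# Site root .htaccess (Apache 2.4 syntax)

# Option 1: nothing on the site uses XML-RPC, so refuse every request
<Files "xmlrpc.php">
    Require all denied
</Files>

# Option 2 (use instead of option 1): a remote publishing tool still
# needs XML-RPC, so allow only its address. 203.0.113.10 is a placeholder.
# <Files "xmlrpc.php">
#     Require ip 203.0.113.10
# </Files>
```

After saving the file, a request to /xmlrpc.php from any other address should return 403 Forbidden.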


WordPress websites are very secure and ordinarily, they are almost impossible to hack. But a determined hacker has many ways of bypassing WordPress’s inbuilt security checks.  

A little proactive work from your side vis-a-vis security will go a long way in deterring these hackers from getting access to your WordPress website. If you want to secure your WordPress website against hackers and intruders, please feel free to get in touch with us and we will discuss how we can help you. 
