If you run a website built on WordPress, security will be a top concern. In most cases a WordPress site gets compromised because its core files, themes and/or plugins are outdated. So how do you keep your site out of reach of attackers?
Tips to improve WordPress security
Table of Contents:
1. Change the default “wp_” prefix.
2. Hide the login error message.
3. Protect the wp-admin directory.
4. Maintain backup.
5. Prevent directory browsing.
6. Always update WordPress core files & plugins.
7. Choose a strong password.
8. Delete the default “admin” account.
9. Disable XML-RPC.
10. Add HTTP security headers.
If you are new to WordPress, the first rule is to always run the latest version. Beyond that, the following tips harden your WordPress site.
1. Change the default “wp_” prefix
The default wp_ prefix makes the name of every database table predictable, which makes automated attacks (for example, a SQL injection payload aimed straight at wp_users) slightly easier to script. Changing the prefix adds a little obscurity; it does not fix the injection bug itself, so treat it as a minor extra and not as a substitute for updating the vulnerable plugin.
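If you do change the prefix on an existing site, renaming the tables is not enough: WordPress also stores the prefix inside the wp_options row wp_user_roles and inside usermeta keys such as wp_capabilities, and if those are left behind every account loses its roles and the dashboard answers "Sorry, you are not allowed to access this page". The script below is an added example (not code from the original page or from WordPress itself) for a single-site install, meant to be run once with WP-CLI via wp eval-file after taking a database backup; the new prefix xk7q_ is a placeholder you should replace with your own random one.

```php
<?php
/**
 * One-off migration: move every wp_ table to a new prefix.
 * Run once:  wp eval-file change-prefix.php   (take a DB backup first)
 * Added example, not WordPress core code. Single-site only.
 */
global $wpdb;

$old = 'wp_';
$new = 'xk7q_'; // assumption: replace with your own random prefix

// 1. Rename every table whose name starts with the old prefix.
//    esc_like() escapes the underscore so LIKE does not treat it as a wildcard.
$tables = $wpdb->get_col(
    $wpdb->prepare( 'SHOW TABLES LIKE %s', $wpdb->esc_like( $old ) . '%' )
);
foreach ( $tables as $table ) {
    $renamed = $new . substr( $table, strlen( $old ) );
    $wpdb->query( "RENAME TABLE `$table` TO `$renamed`" );
}

// 2. Rows that embed the prefix in their keys. Without these two updates
//    WordPress finds no roles or capabilities and locks every user out.
$wpdb->query( $wpdb->prepare(
    "UPDATE `{$new}options` SET option_name = %s WHERE option_name = %s",
    $new . 'user_roles',
    $old . 'user_roles'
) );
$wpdb->query( $wpdb->prepare(
    "UPDATE `{$new}usermeta`
        SET meta_key = CONCAT(%s, SUBSTRING(meta_key, %d))
      WHERE meta_key LIKE %s",
    $new,
    strlen( $old ) + 1,
    $wpdb->esc_like( $old ) . '%'
) );

echo 'Renamed ' . count( $tables ) . " tables. Now set \$table_prefix = '$new'; in wp-config.php\n";
```

The final step is manual: edit wp-config.php so that $table_prefix matches the new prefix, then log in again to confirm your roles survived. The script prepares every value it receives and only interpolates the two constants into table names, so it cannot be turned against itself by data in the database.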
2. Hide the login error message
The default login error tells the visitor whether the username or the password was wrong, so a “wrong password” message confirms that the username exists and hands attackers half of a credential pair. Hide that distinction from unauthenticated visitors.
To hide the login error message, hook the login_errors filter in your theme's functions.php (or in a must-use plugin):
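The hooks below are an added example, not code from the original page: the first replaces both of WordPress's distinct messages with one generic sentence, the second closes a second username oracle a practitioner would check, since the public REST route /wp-json/wp/v2/users lists every author to anyone. The message text is an assumption; pick your own.

```php
<?php
/**
 * Plugin Name: Generic login errors
 * Added example (not from the original page). Save as
 * wp-content/mu-plugins/login-errors.php or paste both hooks into functions.php.
 */

// Replace "Unknown username" / "The password you entered for the username X
// is incorrect" with one message that does not say which half was wrong.
add_filter( 'login_errors', function ( $error ) {
    return 'Login failed. Check your username and password.';
} );

// Caveat: wp-login.php is not the only username oracle. The public REST
// route /wp-json/wp/v2/users lists every author, so hide it from anonymous
// callers while leaving it available to logged-in users (the editor needs it).
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );
```

Two more leaks remain outside the scope of these hooks: requesting ?author=1 redirects to the author archive, whose URL contains the login name, and the “Lost your password?” form reports whether an address is registered. Rate-limiting or blocking the login endpoint at the web server is what actually stops guessing once the oracle is gone.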
3. Protect the wp-admin directory
Password-protecting the “wp-admin” folder adds a second layer in front of the dashboard: anyone requesting a file under “wp-admin” is prompted for HTTP credentials before WordPress even sees the request, so a stolen or guessed WordPress password alone is not enough. You can set it up in several ways:
– WordPress Plugin: Use WordPress HTTP Auth.
– cPanel: If your hosting supports cPanel administrator login, you can easily set up protection on any folder via the graphical user interface. Password Protect Directories by cPanel.
– .htaccess + .htpasswd: put an .htaccess file with the Auth directives inside the wp-admin folder and point it at an .htpasswd file stored outside the web root.
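The following .htaccess is an added example for the third option (it is not from the original page), using Apache 2.4 syntax; the path to the password file is an assumption. It carries the one exception a practitioner must remember: wp-admin/admin-ajax.php is called from the public site by themes and plugins, for logged-out visitors too, so it has to stay reachable or front-end features silently break.

```apache
# wp-admin/.htaccess  (added example; adjust the AuthUserFile path)
# Second login layer in front of the WordPress dashboard.
AuthType Basic
AuthName "Restricted area"
# Keep the password file outside the web root so it can never be downloaded.
AuthUserFile /var/www/private/.htpasswd
Require valid-user

# admin-ajax.php is used by the public site (also for logged-out visitors),
# so it must not be behind the prompt.
<Files admin-ajax.php>
    Require all granted
</Files>
```

Create the password file with bcrypt hashes rather than the old crypt default, for example htpasswd -B -c /var/www/private/.htpasswd alice, and add further users without -c. The server must allow AuthConfig overrides for this directory (AllowOverride AuthConfig), otherwise Apache answers 500 for every dashboard page. Use different credentials from the WordPress login; reusing them defeats the purpose of the extra layer.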
4. Maintain backup
Keeping backups of the entire WordPress site is just as important as keeping it safe from hackers. If all other security measures fail, you can at least restore from backup. There are two types of backup, full and incremental.
A full backup contains everything on the site, files and database. It needs the most storage and causes a spike in CPU and disk usage while it runs, so on a host with limited resources schedule it off-peak rather than skipping it: it is also the simplest to restore.
An incremental backup stores the full data once and afterwards only the items that changed, at the cost of a more involved restore. Several WordPress services offer this type, including paid ones such as VaultPress and WP Time Capsule. Whichever type you choose, keep copies off the server (an attacker who wipes the site will wipe the backups stored next to it) and test a restore occasionally; an untested backup is not a backup.
5. Prevent directory browsing
Another common WordPress weakness is directory listing: folders whose contents are exposed to anyone who asks. Check yours by opening the URL https://www.domain.com/wp-includes/ in your browser. A 403 error, an empty page or a redirect back to the home page means the directory is not listable. A page headed “Index of /wp-includes” followed by a list of file names means it is exposed.
To switch listings off for all directories on Apache, put this in the .htaccess file in the site root:
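As an added example (not from the original page), the fragment below disables listings and, because the same tip concerns files that should not be publicly accessible at all, refuses to serve a few files that live in the web root but are never meant for visitors.

```apache
# Site root .htaccess (added example). Turn off automatic directory listings
# for this directory and everything below it.
Options -Indexes

# Files that sit in the web root but must never be served.
<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|readme\.html|license\.txt)$">
    Require all denied
</FilesMatch>
```

Options -Indexes needs AllowOverride Options (or All) for the directory; if the host does not allow it, Apache returns 500 for the whole site, so check with a request to the home page right after saving. Re-run the browser check from above: the wp-includes URL should now answer 403.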
If your website runs on nginx, listings are off unless someone enabled autoindex; add the following to the server block to state it explicitly and to block the same sensitive files:
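The nginx fragment below is an added example (not from the original page). It assumes the usual WordPress try_files rule is in the same location block; adapt it to your existing configuration rather than pasting a second location /.

```nginx
# Inside the server { } block (added example).
# autoindex is off by default; stating it prevents a later include from
# turning listings on.
location / {
    autoindex off;
    try_files $uri $uri/ /index.php?$args;
}

# Never serve these files, whatever the listing setting.
location ~* ^/(wp-config\.php|readme\.html|license\.txt)$ {
    deny all;
}
location ~ /\.(ht|git) {
    deny all;
}
```

Test with nginx -t before reloading, then request https://www.domain.com/wp-includes/ and /wp-config.php and confirm both answer 403 or 404 rather than content.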
6. Always update your WordPress Core files & plugins
One of the most effective ways to keep a WordPress site safe is to make sure core, plugins and themes are always on the latest release. WordPress has applied minor and security releases automatically since version 3.7, and since 5.5 plugin and theme auto-updates can be switched on per item; make sure that neither you nor your developer has turned this off, for example with the AUTOMATIC_UPDATER_DISABLED constant in wp-config.php.
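The must-use plugin below is an added example (not code from the original page): it opts into major core releases as well as the minor ones, forces plugin and theme auto-updates on for every item, and shows a dashboard warning when one of the two constants that silently disable the mechanism is present. The file name and notice wording are assumptions.

```php
<?php
/**
 * Plugin Name: Keep everything updated
 * Added example (not from the original page). Save as
 * wp-content/mu-plugins/auto-updates.php so it cannot be deactivated
 * from the dashboard.
 */

// Core: minor/security releases are automatic by default; this also opts
// into major releases. (Equivalent to defining it in wp-config.php.)
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', true );
}

// Plugins and themes are opt-in per item since 5.5; switch all of them on.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Auto-updates only run if the updater and WP-Cron are alive. Warn in the
// dashboard when a stray constant has switched either of them off.
add_action( 'admin_notices', function () {
    $problems = [];
    if ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED ) {
        $problems[] = 'AUTOMATIC_UPDATER_DISABLED is set: no update will ever be applied.';
    }
    if ( defined( 'DISABLE_WP_CRON' ) && DISABLE_WP_CRON ) {
        $problems[] = 'DISABLE_WP_CRON is set: updates need a system cron job that calls wp-cron.php.';
    }
    foreach ( $problems as $problem ) {
        printf( '<div class="notice notice-error"><p>%s</p></div>', esc_html( $problem ) );
    }
} );
```

Forcing updates on is only safe together with the backups from tip 4, because a plugin update can break the site just as a missed one can get it compromised. Sites that disable WP-Cron for performance reasons must schedule wp cron event run --due-now (WP-CLI) or a request to wp-cron.php from the system cron, otherwise the checks never fire.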
7. Choose a strong password
WordPress now suggests a strong password in the password field when you create a new account or change a password, and rates the one you type as weak or strong. Choose a strong one; the downside is that you will not remember a long random string, so use a password manager like 1Password or LastPass to store it.
8. Delete administrator
Older WordPress installs created a user named “admin” by default, and many sites still have one. It is the first username every brute-force tool tries, so you should not use that account to access your WordPress site.
A safer approach is to create a new administrator and delete the default “admin”. Follow these steps:
– Log in to the WordPress dashboard.
– Go to Users -> Add New.
– Add a new user with the Administrator role and a strong password.
– Log out of WordPress and log in again as the new administrator.
– Go to Users.
– Delete the “admin” account.
If you ever published content with the “admin” account, WordPress asks what to do with its posts when you delete it: choose “Attribute all content to” the new user, otherwise the posts are deleted together with the account.
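The same procedure as a one-off script, as an added example (not code from the original page or from WordPress core), is useful when you manage several sites from the command line. It is intended for WP-CLI's wp eval-file on a single-site install; the new login name and e-mail address are placeholders you must change, and the e-mail must differ from the old account's because WordPress refuses duplicate addresses.

```php
<?php
/**
 * Replace the "admin" account with a new administrator, keeping its content.
 * Run once:  wp eval-file replace-admin.php
 * Added example, not WordPress core code. Single-site only (multisite uses
 * wpmu_delete_user() instead).
 */
require_once ABSPATH . 'wp-admin/includes/user.php'; // provides wp_delete_user()

$old = get_user_by( 'login', 'admin' );
if ( ! $old ) {
    exit( "No user named admin, nothing to do.\n" );
}

$new_login = 'site-owner-7h2k';        // assumption: pick an unguessable login
$new_email = 'owner@example.com';      // assumption: must differ from admin's address

$new_id = wp_insert_user( [
    'user_login' => $new_login,
    'user_pass'  => wp_generate_password( 24, true, true ),
    'user_email' => $new_email,
    'role'       => 'administrator',
] );
if ( is_wp_error( $new_id ) ) {
    exit( 'Could not create user: ' . $new_id->get_error_message() . "\n" );
}

// Reassign every post, page and attachment to the new account before the
// old one goes; deleting without a reassignment deletes the content too.
wp_delete_user( $old->ID, $new_id );

// The generated password is intentionally not printed: set it afterwards
// with "wp user update <login> --user_pass=..." or via "Lost your password?".
printf( "Created %s (ID %d); 'admin' deleted and its content reassigned.\n", $new_login, $new_id );
```

Because every administrator account is a target, the same logic applies to any other easily guessed login (the domain name, “administrator”, the company name): the username is not secret, but it should not be the first thing a wordlist contains.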
9. Disable XML-RPC
xmlrpc.php is a common attack point: it accepts login attempts outside wp-login.php, its system.multicall method packs hundreds of password guesses into a single request, and its pingback.ping method can be abused to make your server send requests to other hosts. Disable it when nothing on the site needs it (Jetpack and the WordPress mobile apps are the usual legitimate clients). Note that the xmlrpc_enabled filter only switches off the methods that require authentication, so pingbacks still work; blocking the file at the web server is the stronger control, and where a client does need it you can restrict the endpoint to that client's IP addresses, for example:
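The .htaccess fragment below is an added example (not from the original page) in Apache 2.4 syntax. The two addresses come from the reserved documentation ranges and stand in for whatever hosts really need XML-RPC on your site; with no legitimate client, drop the Require ip line and keep only the surrounding denial.

```apache
# Site root .htaccess (added example). xmlrpc.php is reachable only from
# the listed addresses; everyone else gets 403. Without any "Require ip"
# line inside <Files>, the file is blocked for everybody.
<Files xmlrpc.php>
    Require ip 203.0.113.10 198.51.100.0/24
</Files>
```

After saving, confirm from an address that is not on the list that a POST to /xmlrpc.php returns 403, and watch the access log for a few days: a client you forgot (a mobile app, an uptime monitor) will show up there as repeated 403s and can be added to the list.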
10. Add HTTP security headers
Adding HTTP security headers is another layer of defence: they instruct the browser to enforce restrictions on how your pages may be used, which blunts a whole class of client-side attacks. For example, X-Frame-Options controls whether a page may be embedded in an iframe on another site, which stops clickjacking. Other headers worth adding: Strict-Transport-Security, X-Content-Type-Options, Content-Security-Policy and Referrer-Policy. X-XSS-Protection, which often appears on such lists, is ignored by current browsers and its filtering mode caused problems of its own, so if you send it at all, send X-XSS-Protection: 0.
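The must-use plugin below is an added example (not code from the original page) that sends the headers listed above from WordPress itself, with values that are a reasonable starting point rather than a recommendation for every site; the Content-Security-Policy in particular is an assumption that needs tuning to your theme and plugins, which is why it is sent in report-only mode first.

```php
<?php
/**
 * Plugin Name: Security headers
 * Added example (not from the original page). Save as
 * wp-content/mu-plugins/security-headers.php.
 */
add_action( 'send_headers', function () {
    // Only this origin may put the page in a frame (blocks clickjacking).
    header( 'X-Frame-Options: SAMEORIGIN' );

    // Browsers must not guess a content type different from the declared one.
    header( 'X-Content-Type-Options: nosniff' );

    // The legacy XSS auditor is gone from current browsers and its filtering
    // mode created its own problems: disable it explicitly.
    header( 'X-XSS-Protection: 0' );

    // Send the full referrer only to this origin; cross-origin gets the
    // origin alone, and a downgrade to plain HTTP gets nothing.
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );

    // HSTS is only meaningful (and only safe) once the whole site is on TLS.
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }

    // Start CSP in report-only mode: violations are logged by the browser
    // and nothing breaks. Switch the header name to Content-Security-Policy
    // once the console stays clean across the site. (Values are an assumption.)
    header(
        "Content-Security-Policy-Report-Only: default-src 'self'; "
        . "img-src 'self' data:; script-src 'self' 'unsafe-inline'; "
        . "style-src 'self' 'unsafe-inline'; frame-ancestors 'self'"
    );
} );
```

The send_headers action fires for front-end requests only; wp-admin already sends X-Frame-Options for itself, but wp-login.php and static files do not pass through it. To cover every response, set the same headers at the web server (Header always set on Apache, add_header on nginx) instead, and check the result with curl -I against the home page, the login page and an uploaded image.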
In addition to the above methods, you can look up your core, plugin and theme versions in WPVulnDB (now the WPScan vulnerability database) to find known vulnerabilities in what you run: each entry gives the type of vulnerability, the affected versions and the version in which it was fixed.
For hardening the login form itself, see the separate article on WordPress login security.