123WordPress is the most popular CMS used for website creation. The main reason behind site owner’s decision in WordPress usage is that it is very flexible, feature rich, very easy to customize even by a non-technical person. Because is widely used on the Internet these days, WordPress has attracted the attention of hackers.
Most of the websites developed in WordPress maintain the same configuration which makes the hackers job even easier. You are logging in using wp-login.php page and on most of the cases your administrator user is called Admin. Add both to a weaker password which can be easily guessed or retrieved using a brute force attack and your WordPress website becomes vulnerable to hacking attempts.
Of course that you can be 100% sure that your WordPress website or any website developed using any other platform will not be hacked ever, but you can try to make hackers life harder by implementing some security measures to protect your website, database and valuable data stored on it.

Keep your WordPress website up to date

WordPress is very complex and the coding team is on constant run in fixing bugs and security issues and adding new features to it. By updating your WordPress on your website you will reduce the chances to get hacked or to run into a bug which may cause the website to be a hacking target. Don’t think that updating WordPress core software will solve any problems that you may facing. Every time it is required to update the plugins and themes to the latest versions available.

You will be informed in WordPress dashboard about any updates available for your WordPress edition or for plugins used. Some of the premium plugins or themes don’t inform you about updates so be sure that you are checking for updates regularly. Update everything today to have a secure WordPress website.

Change WordPress administrator username

When you install WordPress default administrator username is “admin” unless you specified another username. The administrator user can customize about everything on your website. A hacker knows that most of the WordPress websites are still using the default username for their administration panel which is one step forward for him to hack your website.

If you didn’t change your WordPress admin username, there are two ways to to this. The first and the simplest one is to work with what WordPress dashboard user administration is offering you and to create a new administrator with new user name and delete the old admin user. Please make sure that you backed up your data prior following the procedure.

  1. Log in into your WordPress administration.
  2. Go to Users menu and click on Add New.
  3. Fill the required fields with the new information and select Administrator from roles drop-down. Be sure that you choose a strong password for the new user (you will see why below). Click on Add New User.
  4. You should see your new user created, but you are still logged in with old admin user. Log out from admin account.
  5. Log in with your new administration account.
  6. Go again to Users menu, but this time just click on Users.
  7. Hover your old admin user and click on Delete link.
  8. You will be asked about old posts which are linked to old admin account. Check the option to attribute all your posts to new administrator and click on Confirm Deletion. Please be careful, not attributing the old posts to new admin will delete them all!
  9. You should now see your new admin and all posts linked to it.

There is another method to change your admin username quick, but you will need to have small MySQL knowledge. If you are unsure about what you are doing, please stick to the first method. Again, it’s a wise thing to back-up your WordPress database first.

  1. Log in to your phpMyAdmin or other MySQL administration tools offered by your hosting provider.
  2. Select your WordPress database.
  3. Find SQL query box.
  4. In the SQL query box type and click on Execute (or Go). Please check database prefix (wp_ in this case) and punctuation.
    UPDATE wp_users SET user_login = 'Your New Username' WHERE user_login = 'Admin';
  5. New user is set-up and you can log in with it on WordPress administration panel.

Use strong passwords

Usage of strong password is should be extended to your all online identity. Remember that passwords protect your personal data from any unwanted eyes. Most of the hacking attempts are trying to guess your password using brute force attacks. This password cracking common approach is trying to guess your password by filling the password field with combinations many times per second until the correct password is found.

A good and strong password is intended to be complex so don’t put your dog’s name or birth date as password. Some common rules in creating a good password are:

  • use a password with 8 characters or longer
  • use a combination of uppercase and lowercase letters
  • include numbers and special characters (like &, ?, @) and punctuation marks
  • do not use the same password for your website accounts, try to have one password per site

You can use a password manager software like the ones you will find on the Internet. Make sure that reviews about the software are good. Some antivirus software offers password manager tools as well.

If you are unsure about your strong password you can use a password generator software.

Disable WordPress theme editor and plugin editor on administration panel

WordPress comes with the option to edit plugin or theme files directly from administrator dashboard. For web developers this option is very handy as allows them to change the files directly. However, if your website is already set-up, the small modifications that you or your developers may do on the WordPress website can be done using FTP or hosting file manager because leaving the editor option on your admin panel can damage your website. A simple typing error followed by pressing save button can blank your website, not to mention what a hacker will do if he will have access to this valuable editor.

To avoid this possible exploit you should disable WordPress Theme Editor and WordPress Plugin Editor by adding the following simple line of code into wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

Avoid using free WordPress themes

Selecting the theme for your WordPress website it’s always a difficult decision. You want an eye caching theme to attract your customers and there are a lot of themes available on the market. So you are thinking why not to choose a free WordPress theme since you are at the beginning and your budget is low.

The main reasons behind the decision not to buy a free WordPress theme are related to the disadvantages of the free themes versus premium themes:

  • Free themes usually are not updated or no support it’s available for them.
  • There is no SEO optimization. Free themes are usually basic themes with no SEO build-in code and the clear code on them is a mirage.
  • Free themes always have base64 encrypted links or code. Usually, free themes come with the “feature” of linking the author’s webpage or other links on the footer. Disabling them can be a nightmare if you are inexperienced user. Beside a simple link on the footer, they are full of encrypted strings which can lead to bugs and security issues.
  • Free themes are difficult to use because usually there is no control panel attached and all the options can be set-up by experienced WordPress developers
  • Premium themes have a lot o features attached to them which will make your life easier working with WordPress.

The wise choice for your website will be purchasing a WordPress premium theme which will help you to easy configure your website, stay up to date and receive constant support form their authors.

There is something more potentially damaging than free themes however. The cracked or nulled WordPress premium themes that you can find on the Internet. These kind of themes are cracked and all kind of bad code is injected for different purposes like: hacking your account, linking your website to unwanted websites. A nulled WordPress theme will be the worst selection for your website.

Use .htaccess to restrict access to your WordPress administration panel

Your wp-admin directory is far the most important directory in the WordPress structure. From this directory, the administration panel is launched and all the settings and data are managed from it. You probably will want to restrict unwanted access to this directory. There are multiple types of restrictions that you can apply based on your hosting configuration and your needs.All these restrictions are applied to your .htaccess file on the root of the website. Please be careful when editing .htaccess file as a typo error can lead to a blank website. All the rules below, regardless which one you will choose should be placed on the top of the .htaccess file for a properly function of it.

Restricting WordPress admin to certain IP address (in this example 10.0.0.1, just replace with your desired IP):

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^10\.0\.0\.1$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

 

Password protect your wp-admin directory.

With .htaccess you can password protect your directories. After a successful password protect rule creation you will be asked to authenticate to view the wp-admin folder when accessing it into your browser. To protect your WordPress wp-admin directory you should first create a .htpasswd file. This file contains all the users and password used to access the blocked directory. Please refer to your hosting provider if you don’t know how to create it. There is strongly advised that the credentials used to access wp-admin directory to be different than the ones used to login into your WordPress site. After the .htpasswd file is created, you should add the following lines on the beginning of .htaccess:

AuthUserFile /etc/httpd/.htpasswd
AuthType Basic
AuthName “restricted”
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any

 

In order this to work the AuthUserFile should contain the real path of the .htpasswd file stored on your hosting space.

There are a lot more restrictions that you can apply based on your custom requirements. If you think that you are an experienced person and you can apply furthermore rules, you can refer to Apache .htaccess tutorial.

Some WordPress security plugins recommended

If you find difficult to work directly with the files or it’s hard to implement security changes, there are some security WordPress plugins that you can find useful:

Conclusions

Even if secure WordPress website is the lowest priority on your checklist, you must keep your WordPress website safe and secure.

If you have another tips and tricks to secure WordPress website, please write them below.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

clear formSubmit