Protect & Secure WordPress from Hackers
I have been researching a lot these days to find ways to protect and secure my WordPress site from hackers. Since no website can be perfectly secured, it's important that you take the necessary steps to protect WordPress from any possible intrusion.
Steps To Secure & Protect WordPress Blog From Hackers
1. Don’t Use “admin” Username for WordPress Administrator
The most basic step in securing your WordPress site is to NOT use the username "admin" for your administrator account. The one-click installer scripts offered by hosting providers use admin as the default username, and most users keep it (since it is the first thing that comes to mind).
A brute force attack will surely try this username first when attempting to crack the username-password combination. Use a different and unique (preferably hard to guess) username, because an attacker then has to guess both the username and the password to get into the site.
Change “admin” username through SQL
If you are already using the admin username, you can easily change it by opening phpMyAdmin, selecting the wp_users table, clicking Browse and editing the username admin to a new one.
2. Secure Login via SSL or Encrypted Channel
SSL secures the data stream to your server by encrypting its content. If your hosting provider supports shared SSL, you can always use SSL while logging in to your WordPress admin area.
To do that, simply paste the following code in your wp-config.php file:
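An added example (not code from the original post) of the wp-config.php lines that force the login page and admin area onto HTTPS. It assumes your site has a certificate (or a shared-SSL hostname from your host) and, where SSL is terminated by a proxy in front of the web server, that the proxy sets the X-Forwarded-Proto header:

```php
<?php
// Added example, not the original post's snippet: wp-config.php lines that
// force wp-login.php and everything under /wp-admin/ onto HTTPS. Assumes a
// working certificate for the site. Place these lines above the
// "That's all, stop editing!" comment in wp-config.php.

// Some hosts terminate SSL on a proxy and pass plain HTTP to the web server.
// WordPress would then see HTTPS as off and redirect in a loop, so mark the
// request as secure when the proxy says it arrived over HTTPS. Keep this block
// only if a proxy you control sets the header; otherwise any client could send it.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) === 'https' ) {
    $_SERVER['HTTPS'] = 'on';
}

// Require HTTPS for the login page and the whole admin area. Cookies set
// during an HTTPS login are then marked secure and are not sent over plain HTTP.
define( 'FORCE_SSL_ADMIN', true );
```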
3. A Strong Password Is The Key To Security
Always use a strong password for your admin account. A strong password should be a combination of uppercase and lowercase characters, numbers and special characters, and should preferably be more than 10 characters long.
4. Password Protect wp-admin Folder
It's always better to have multiple layers of security. You can add another layer by enabling password protection for your wp-admin folder, which contains the most important and sensitive parts of your site.
Most hosting providers offer an option to protect folders through cPanel. The same can be done using a .htaccess file.
5. Limit Login Attempts and Block IP Address of Intruders
A very useful plugin called Login Lockdown helps protect your admin panel from unauthorized access. It stores the IP address of every failed login and blocks access from that IP range once the number of login attempts crosses a threshold.
Login Lock provides a number of security-enhancing features:
- Enforces strong password selection policies.
- Monitors login attempts.
- Blocks IP addresses for too many failed login attempts.
- Lets you manually unblock IP addresses at any time.
- Lets you forcibly log out all users immediately and require that they all change their passwords before logging back in.
Download Login Lockdown
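An added example, not the plugin's own code, showing the core of the lock-out logic described above as a small snippet for functions.php or a mu-plugin. It assumes a standard WordPress install where REMOTE_ADDR is the visitor's real address (behind a proxy you would derive the address from the proxy's header instead); the example_ names and the threshold values are mine:

```php
<?php
// Added example (not the Login Lockdown plugin): count failed logins per
// source address in a transient and refuse authentication once a threshold
// is reached. Threshold and window values are illustrative.

define( 'EXAMPLE_LOCK_THRESHOLD', 5 );       // failed attempts before lock-out
define( 'EXAMPLE_LOCK_SECONDS',   15 * 60 ); // counting window and lock-out length

function example_lock_key() {
    // One counter per source address; transients live in the options table.
    return 'example_failed_' . md5( $_SERVER['REMOTE_ADDR'] );
}

// Record each failed login and keep the counter alive for the window length.
function example_record_failed_login( $username ) {
    $key   = example_lock_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EXAMPLE_LOCK_SECONDS );
    // Log to the PHP error log so failed attempts are visible to monitoring.
    error_log( sprintf( 'Failed WordPress login for "%s" from %s (%d in window)',
        $username, $_SERVER['REMOTE_ADDR'], $count ) );
}
add_action( 'wp_login_failed', 'example_record_failed_login' );

// Refuse authentication outright once the address is locked. Priority 30 runs
// after WordPress's own username/password check, which is hooked at 20.
function example_block_locked_ip( $user ) {
    if ( (int) get_transient( example_lock_key() ) >= EXAMPLE_LOCK_THRESHOLD ) {
        return new WP_Error( 'example_locked',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'example_block_locked_ip', 30 );

// Clear the counter after a successful login so legitimate users are not
// penalised later for a few earlier typos.
add_action( 'wp_login', function () {
    delete_transient( example_lock_key() );
} );
```

A per-address counter is only one layer: it slows down guessing from a single source, so keep it alongside the strong-password and unique-username steps above.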
6. Secure WP-CONFIG.PHP File
The following keys are used to secure the login information that WordPress stores in cookies. If your cookies are stolen or compromised and an attacker gets access to your admin panel, there is otherwise no way to stop him from accessing your complete site.
Insert the code in your wp-config.php file. Do not copy the same values as shown here; use your own unique values for the keys.
Get your unique code from HERE
define('AUTH_KEY', 'jh%889E');
define('SECURE_AUTH_KEY', 'knKIHk');
define('LOGGED_IN_KEY', 'dfskk(*&T');
define('NONCE_KEY', '3kk&^=KN');
define('AUTH_SALT', 'svjjjbdfsj');
This code is the solution to the problem above. Whenever you suspect that someone has access to, or is logged in to, your admin panel, change the values of these keys: every existing login cookie becomes invalid and the hacker is automatically logged out of the WordPress admin panel. Change your admin password immediately after this.
7. Hide WordPress Version in Header
Add the following code to your theme's functions.php file in order to hide your WordPress version from the header tags.
<?php remove_action('wp_head', 'wp_generator'); ?>
This removes the version from the page header, so a visitor cannot tell at a glance whether your WordPress installation is up to date.
8. Custom URL for Login Using Stealth Login
Everyone knows that the default login page is www.yoursite.com/wp-login.php. A plugin called "Stealth Login" creates a custom login page for your WordPress site, so instead of wp-login.php your login page could be something like yoursite.com/MyNewSafeLogin. A hacker would then have to guess and find your login page before attacking it.
9. Hide WordPress Directories From Public Access
Your WordPress directories and subdirectories could be visible to the public due to improper settings and permissions. Add the following code to the .htaccess file in your WordPress installation directory to hide directories such as wp-includes:
10. Update And Backup (WP-DB Manager Plugin)
Always keep WordPress and your plugins updated. This closes known security vulnerabilities that could be exploited by any smart hacker.
Backup is the ultimate safety net. If anything goes wrong, a backup lets you restore and correct things. Although many WordPress plugins offer automated and scheduled backups, a great plugin for automated backup is WP-DB Manager.
This plugin can be used to back up your WordPress site automatically and send the backup to your email at a scheduled time.
- Download and activate the plugin.
- Browse to the wp-content/backup-db folder and upload the .htaccess file from the plugin directory.
- In your admin panel, a Database link will be visible. Click it and then click DB Options.
- Schedule your backup interval (every day, etc.) and enter the email address where your backups should be sent.
Do not schedule backups too frequently, as the excessive cron jobs would cause problems for your hosting server.
No technique is perfect; there are always loopholes. If you know other great tips to secure your WordPress blog, do comment below and let others know how to prevent hackers from attacking your site.