WordPress has become one of the most popular and widely used content management systems, and one of the most popular choices for building a new website. If the stats are to be believed, WordPress powers more than 26% of the top 10 million websites as of April 2016. In its 13 years of existence, this free and open-source content management system has ended up under the hood of close to 60 million websites. And this blog, too, is powered by WordPress.
Being an easy and highly customizable tool, WordPress has become a popular choice among rookie and professional bloggers alike. It lets users deal only with the easy tasks, such as writing a post or adding a photo, while it handles the messy ones itself: linking images, SEO, storing data, backups and what not. WordPress in itself is a secure tool, but with cyber attacks and hacking attempts on the rise, even a secure WordPress website can be compromised, and in practice that almost always happens through a weak password, an outdated plugin or a careless configuration rather than through WordPress core itself. Being well versed in WordPress and hosting, and having had a website of my own hacked, here are 5 tips to secure your WordPress website.
*** Note: This post assumes that you are running a self-hosted WordPress blog. Read here to find out what a self-hosted WordPress site is. ***
One of the best things about WordPress is that it does everything for you. But that doesn't mean everything it does is good! Every fresh WordPress site ships with the Meta widget enabled in the sidebar. For those who don't know, the Meta widget shows the RSS feed links, a WordPress.org link and, most importantly, a "Log in" link to your admin login page. Any visitor to your blog can click it and land on the login form. "But they don't have the username and password, so my site is still secure." Wrong! A visitor with bad intentions can try obvious combinations like admin / password or admin123 / pass123, or run a brute-force attack against the login form. With a weak password that eventually gets them in, and even when it fails, the flood of login requests can slow down or bring down your site. You don't want either to happen. So go ahead and remove the Meta widget from your sidebar; you will find it under Appearance -> Widgets. One caveat: this removes the signpost, not the door. wp-login.php sits at a well-known path on every WordPress site and automated scanners request it whether or not you link to it, so treat this tip as housekeeping and rely on the tips below for the actual protection.
This is the simplest and yet the most effective tip. A strong username / password combination can do wonders. Avoid personal details such as your date of birth, place of birth or favourites in a password, since they make a hacker's guessing job easy. Also avoid the default username admin and passwords like password, because those are the first guesses anyone trying to break in will make. Length matters more than special characters: a long passphrase beats a short password with a symbol or two tacked on. Keep in mind that WordPress usernames are not really secret (author archive pages reveal them), so the password has to carry the weight on its own. Pro Tip: change the password right away if you suspect it has leaked, and never reuse it on another site; a unique, long password kept in a password manager does more for you than rotating a weak one on a schedule.
When you unpack WordPress on your server, you get a folder named 'wordpress' (under public_html, if that is where you upload it). This is your WordPress root folder: wp-admin, wp-includes and wp-content (your themes, plugins and uploaded images) all live inside it. Many one-click installers instead place those folders straight into public_html, so the blog lives at the web root and the login page sits at the default /wp-login.php. It is a good habit to give WordPress a directory of its own, with a name you choose. Be realistic about what that buys you, though: the directory name is not a secret, because every page of your site links to its stylesheets and scripts under that path, so anyone who views the page source sees it. What it does do is keep the site out of the path that mass scanners hit first (they get a 404 for /wp-login.php at the web root), and it keeps WordPress separate from anything else you host there. If you want to rename the folder of an existing install, change the WordPress Address (URL) under Settings -> General before you rename it, otherwise the site will stop loading.
Installing WordPress is just a matter of a few clicks, and the automated installer that comes with most hosting packages has made it even easier. Besides strong login credentials, giving WordPress its own directory keeps things tidier and a bit safer. What does that mean? If you see wp-admin, wp-content and wp-includes sitting directly in public_html, your installation doesn't have its own directory. So when the installer asks where to install, give it a folder other than your server's web root. Apart from the modest security gain, this makes backing up your site easier, since everything lives in one directory.
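To see how little a renamed folder actually hides, here is a small added example (mine, not part of the original post) that pulls the install directory out of a page's own HTML, exactly the way a scanner would. The markup and the folder name myblog-2016 are made up for the demonstration:

```python
import re
from urllib.parse import urlsplit

# Constructed sample markup in the shape WordPress emits in every page head.
# It is not taken from a real site; "myblog-2016" stands for a renamed install folder.
SAMPLE_HTML = """
<link rel='stylesheet' href='https://example.org/myblog-2016/wp-content/themes/twentysixteen/style.css?ver=4.5' />
<script src='https://example.org/myblog-2016/wp-includes/js/jquery/jquery.js?ver=1.12.4'></script>
<link rel="https://api.w.org/" href="https://example.org/myblog-2016/wp-json/" />
<meta name="generator" content="WordPress 4.5" />
"""

# Any href/src whose path passes through one of WordPress's fixed top-level
# directories gives away the directory WordPress itself lives in.
WP_ASSET_RE = re.compile(
    r"""(?:href|src)=["']([^"']*?/)(?:wp-content|wp-includes|wp-json)/"""
)


def wordpress_base_paths(html):
    """Return the set of install paths revealed by the page's own asset links.

    A root install yields {"/"}; an install in a renamed folder yields that
    folder, e.g. {"/myblog-2016"}. An empty set means nothing WordPress-like.
    """
    found = set()
    for match in WP_ASSET_RE.finditer(html):
        prefix = match.group(1)
        # Absolute URLs need the host stripped; relative ones are already paths.
        path = urlsplit(prefix).path if "://" in prefix else prefix
        found.add(path.rstrip("/") or "/")
    return found


def login_urls(html):
    """Where wp-login.php must be, given what the markup leaks."""
    return sorted(
        base.rstrip("/") + "/wp-login.php" for base in wordpress_base_paths(html)
    )


if __name__ == "__main__":
    for url in login_urls(SAMPLE_HTML):
        print(url)  # /myblog-2016/wp-login.php
```

Run it against your own homepage's source and you will see your "hidden" folder in the output, which is why this tip is about tidiness and dodging default-path scanners, not about secrecy.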
One of the best things about WordPress is that it is open source, and anyone (even you) can develop plugins for it. Head to the WordPress plugins site and you will find thousands of plugins across every category: if you want to display a Facebook Like Box, there is a plugin for that, if you want a slider, there is a plugin for that too. There are plenty of security plugins as well. They watch your site for things like unauthorized access, count failed login attempts, record the IP addresses behind them and block addresses that misbehave. They can be a little fiddly to configure, but the documentation does a good job. Well-known WordPress security plugins include Wordfence Security and All In One WP Security & Firewall. Install one of them, and remember that every plugin is also code running on your server: keep it (and every other plugin) updated, and remove any plugin you don't actually use.
This is a Pro Tip and should be used with caution, as it involves editing sensitive files on your web server. Make sure you have a backup handy before you try it, and keep a copy of your current .htaccess file so you can put it back if something goes wrong.
The WordPress dashboard lives in the wp-admin folder, and the login form that guards it is wp-login.php in the WordPress root. With this tip we add an extra layer of security in front of that login form, so you have to authenticate twice before you reach the control panel: once to the web server and once to WordPress. The tip is simple: open the File Manager in your hosting control panel and tick "show hidden files". You should now see the hidden files, among them the .htaccess file in your WordPress root folder. Edit that file and add the following lines:
<FilesMatch "wp-login.php">
    AuthName "Authorized Access Only"
    AuthType Basic
    AuthUserFile /home/<your-username>/.passwordFileName
    Require valid-user
</FilesMatch>
In the snippet above we simply tell Apache to demand HTTP Basic authentication before it serves wp-login.php. Next, create the password file at the path you gave in AuthUserFile (/home/<your-username>/.passwordFileName in this case). Note that this path is outside public_html, which is exactly where it belongs: the file must never be downloadable through the browser. The file holds one line per user: the username, a colon and the password hash. The "$apr1$" format is not plain MD5 and certainly not "encryption"; it is Apache's salted MD5 scheme with 1000 extra rounds, and the password cannot be recovered from it. Don't paste your real password into a web-based generator to get this line; use the htpasswd utility that ships with Apache, which can also produce stronger bcrypt hashes (its -B option in Apache 2.4). A line will look something like this: administrator:$apr1$vZ2sKLZI$eJekbK9VFVAcqZByNsN0H/
Once you do this, every time you open wp-login.php the server will prompt you to authenticate, and only after a successful authentication do you land on the WordPress admin login page. Two caveats: Basic authentication sends the username and password along with every request, only base64 encoded, so pair this with HTTPS; and it only covers wp-login.php, while WordPress also accepts logins through xmlrpc.php, so if you don't rely on XML-RPC (the mobile apps and some plugins do), consider protecting that file the same way.
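To show what actually sits inside that $apr1$ string, here is an added example (mine, not the original post's and not Apache's code) that reimplements the hashing scheme in Python, builds a password-file line and verifies a password against it. The username, password and salt values are made up for the demonstration; in real life generate the line with htpasswd and treat this only as a reference for how the format works:

```python
import hashlib
import hmac
import secrets

# Apache's htpasswd alphabet for the salt and the encoded hash (not standard base64).
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_MAGIC = b"$apr1$"


def _to64(value, count):
    """Encode `count` six-bit groups of `value`, least significant group first."""
    out = ""
    for _ in range(count):
        out += _ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password, salt):
    """Compute Apache's $apr1$ hash (the md5crypt scheme with an 'apr1' magic).

    It is MD5 based, but salted and stretched over 1000 extra rounds, so it is
    neither plain MD5 nor anything that can be 'decrypted'.
    """
    if not 1 <= len(salt) <= 8 or any(c not in _ITOA64 for c in salt):
        raise ValueError("salt must be 1-8 characters from ./0-9A-Za-z")
    pw = password.encode("utf-8")
    sb = salt.encode("ascii")

    # Main digest starts with password, magic and salt ...
    ctx = hashlib.md5(pw + _MAGIC + sb)
    # ... then MD5(pw + salt + pw), fed in once per 16 bytes of password length.
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # One byte per bit of the password length: NUL for a 1 bit, pw[0] for a 0 bit.
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 stretching rounds with an alternating mixing pattern.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    # The 16 digest bytes are interleaved into 22 characters in a fixed order.
    encoded = (
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return f"$apr1${salt}${encoded}"


def htpasswd_line(user, password, salt=None):
    """Build one 'user:hash' line for AuthUserFile; random 8-char salt unless given."""
    if ":" in user:
        raise ValueError("username may not contain ':'")
    if salt is None:
        salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"


def verify(password, stored):
    """Check a password against a stored $apr1$ hash with a constant-time compare."""
    parts = stored.split("$")  # ['', 'apr1', salt, encoded]
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    try:
        candidate = apr1_hash(password, parts[2])
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Made-up credentials for the demonstration only.
    line = htpasswd_line("administrator", "correct horse battery staple")
    print(line)
    print(verify("correct horse battery staple", line.split(":", 1)[1]))  # True
```

Note the salt and the 1000 rounds: two users with the same password get different hashes, and each guess costs a thousand MD5 computations instead of one. That was a real obstacle in the nineties; a modern GPU still tears through it, which is why htpasswd's bcrypt option is the better choice today and why the password behind this prompt should be a strong one in its own right.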
So those were the 5 tips to secure your WordPress website or blog. Whether you run a small personal blog or a big corporate website, these simple steps will help keep it out of the wrong hands. Because in the end, nobody wants to see a hacked homepage!