WordPress Security Hacks You Need
If you are currently running a WordPress website, without focusing on keeping your site code secure, you may be exposed to some serious problems.
WordPress security is not automatic.
If you check the WordPress Attack Report (October 2017) provided by Wordfence, you will certainly start thinking of ways to protect your WordPress blog/site. Also keep in mind that, in December 2017, WordPress websites were under the highest brute force attack.
Don’t use ‘Admin’ as your administrator username
“Admin” or “admin” is the most common username for WordPress admin users. To make a hacker’s life a little more difficult, you should choose any other username instead of “admin” and pick one with capital letters. Since you already have a WordPress website, you should now:
- create a new user with administrator privileges
- if your previous “admin” user was your only user, assign all blog posts and pages to the new admin user you just created
- delete the old “admin” user from your WordPress
Do you what an easier method to change you admin? Check free version of Hide MY WP Ghost plugin.
Pick a strong password
The complexity of your password is another crucial issue. Do you know which passwords are most common? “123456”, “password”, “12345678”, “qwerty” and “123456789” .
Passwords are vital to your WordPress security and to cybersecurity in general. That’s why you need to start using passwords that have the following features:
- They have no words in it to prevent a dictionary attack
- They have symbols and numbers in it
- They are at least 15 characters long
If you don’t know how to come up with a password so strong, just use a service like strongpasswordgenerator.com or phonetic password generator. For passwords management, you can try a service like LastPass, which will be able to generate strong and long passwords as well.
Disable login hints
Any time you type a wrong – non-existent username or just an incorrect password – on your WordPress website’s login form, you’ll get a hint telling you either your username is wrong, or your password doesn’t match with that username.
It may have never occurred to you but this is a niche for hackers looking to break into your website.
If you wish to disable login hints in your WordPress login error messages, watch this video and it will guide you step by step.
WordPress is free and it has been created by a community of developers. With each new release, they fix bugs, add new features, improve security, improve performance, and enhance existing features to stay up to date with new industry standards.
In this link, you will find step by step instructions about how to update your WordPress version.
Here’s a list of other things to keep in mind:
- Keep plugins and themes up-to-date
- Delete any plugins or themes you’re not using
- Make sure you download plugins and themes exclusively from well-known sources
WordPress has a feature, which is enabled by default, that allows websites to send and receive trackbacks and pingbacks. This is a method for alerting other sites that you have linked to them.
Unfortunately, 99% of them are pure spam, so it’s best if you just disable them entirely from your WordPress settings.
Secure the Name of the WordPress admin & login paths
During the installation process, WordPress creates two default login URLs.
This happens during every WordPress installation. Since these repetitive login URLs are a potential security risk, many webmasters change their login page. Changing login URL protects against the most common type of website security breach, a brute force attack.
To sum it up:
- Username – don’t choose something obvious, like “admin.”
- Password – again, avoid the obvious and go for a complex password.
- Your login URL – the gateway to the WordPress dashboard.
How do you change URLs?
This can be very simple if you use a plugin like hide my wp Ghost.
Prevent directory browsing (indexing)
Some WordPress folders contain data that needs to be secure. For example, the wp-content folder contains your themes, plugins and media uploads.
Anyone can simply surf through those media files and hackers can find potential exploits. So we need to make the hacker’s job more difficult by not disabling directory browsing.
Download plugins entirely from known resources
WordPress plugins are “treasures” that everybody wants to use. Be aware that a plugin might sometimes harm your site, though.
Before downloading any plugin, always check for comments or reviews, if there’s any support if the author is quick to react.
You can do this manually but I think it is difficult if you are not a specialist. You can do a lot of harm to your site. Or change it through a WP Plugin like Hide My WordPress Ghost
10Use 2-factor authentication for login
Two Factor Authentication (TFA) provides an additional layer of security. As it requires two successive factors – ‘something you know’ (your password) and ‘something you have access to’ (your mobile phone, for example). You can see some method of 2-factor authentication.
You can learn more about 2-factor authentication from securitymetrics . To efficiently implement a two-factor authentication on your WordPress website, you should use one of the many plugins available . Two interesting plugins that give a “twist” to TFA are Rublon, which is also an email-based two-factor authentication, and Clef, which uses the camera of your phone.
WordPress is the most popular CMS on the web and is now powering over 26.5% of all websites. Since it holds such a large piece of the market share, it brings additional security concerns and increases your risk of attack when vulnerabilities are discovered.
In conclusion, WordPress security strategies are so important because they protect your business.