The first step in securing a WordPress site is understanding what needs protecting and why. Websites hold sensitive data (customer records, credentials, payment details), and an unprotected site is an easy target: once compromised it can be used to serve malware to its own visitors and to attack other websites and networks. The steps below walk through hardening a WordPress installation from the hosting up to the login form.
Much of this can be done with plugins from the WordPress community. There are many, free and paid, that cover different problems: malware scanning and cleanup, brute-force and DDoS mitigation, stronger authentication, blocking abusive IP addresses, and hardening known-vulnerable plugins. Used together with the configuration changes described here, they let us run a site that visitors can trust. Before the steps, it helps to know what attackers usually want from a site:
- Credit card and payment information
- Contact details to sell to spammers and unethical marketers
- Usernames and passwords for server resources, to take control of the server the site is hosted on
- A platform for advertising to your visitors or email subscribers (spam)
- Your site's search authority, to promote fake or malicious content on Google (SEO spam)
- Any other sensitive information they can find
This is why sites need protecting from both targeted hackers and opportunistic malware. News of hacked sites, and of visitors infected through them, is common. The goal of the steps below is a site whose visitors are safe and whose data stays where it belongs.
There are many ways to secure a website and keep it away from hackers. The first is the hosting itself:
The hosting market has grown and the price of dedicated cloud servers has fallen, so for a modest increase in budget you can move off shared hosting onto a dedicated cloud server. Besides speed, this isolates your site from other customers' sites on the same machine, which on cheap shared hosting can be the path by which an attacker reaches yours. SiteGround, DigitalOcean and Amazon Web Services all sell such servers at reasonable prices.
Before making any of the changes below, take a full backup of the site. If the hosting provider already offers backups, use them and skip this step; otherwise use a third-party backup plugin.
The All-in-One WP Migration plugin, for example, is simple and intuitive: it exports the whole site (files and database) to a single archive, which can be imported again if anything goes wrong. It may take a moment to find your way around the first time, but the workflow is short. Store the export somewhere off the server, because a backup that lives on a compromised host can be deleted or tampered with by the same attacker.
Auto-update of Theme and Plugins:
The next step is to make sure WordPress core, themes and plugins update automatically, so known vulnerabilities are patched without waiting for someone to log in. This takes one line in the WordPress configuration file and a tiny must-use plugin of our own.
Edit the files over SFTP (FileZilla works well with the SSH/SFTP credentials from your host) or through an SSH session directly. Core updates are controlled by a constant in wp-config.php. Add it above the line that reads "That's all, stop editing!":
define( 'WP_AUTO_UPDATE_CORE', true ); // or 'minor' for minor and security releases only
Do not put add_filter() calls in wp-config.php: that file runs before the plugin API is loaded, so the call fails.
Make sure you save the file.
Themes and plugins are auto-updated through filters, which belong in a must-use plugin. Create the directory wp-content/mu-plugins/ if it does not already exist (files there load on every request and cannot be deactivated from the dashboard), add a new PHP file such as my-plugin.php, and paste these lines:
<?php
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
Save it and we are done. Since WordPress 5.5 the Plugins and Themes screens also offer per-item auto-update toggles; the filters above apply on top of those toggles and force everything on.
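Here is the same two-file setup in full, as an added example written for this article (it is not code from WordPress or from any plugin): the wp-config.php constant plus a must-use plugin that also shows how to exempt one plugin from automatic updates. The plugin path some-legacy-plugin/some-legacy-plugin.php is a placeholder for a plugin you have customized and do not want overwritten.

```php
<?php
/**
 * Plugin Name: Force automatic updates (example)
 * Description: Auto-update core, themes and plugins; exempt one customized plugin.
 *
 * File: wp-content/mu-plugins/auto-updates.php
 * Pair it with this line in wp-config.php, above "That's all, stop editing!":
 *     define( 'WP_AUTO_UPDATE_CORE', true );   // true = every release, 'minor' = minor/security only
 */

defined( 'ABSPATH' ) || exit;

// Core. This filter is a general on/off gate; which releases (major vs minor) are
// allowed is decided by WP_AUTO_UPDATE_CORE, so keep the constant as well.
add_filter( 'auto_update_core', '__return_true' );

// Themes: update all of them.
add_filter( 'auto_update_theme', '__return_true' );

// Plugins: update all except the ones listed. The path below is a placeholder for a
// plugin whose files you have edited locally (an automatic update would overwrite the edits).
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $exempt = array( 'some-legacy-plugin/some-legacy-plugin.php' );
    if ( isset( $item->plugin ) && in_array( $item->plugin, $exempt, true ) ) {
        return false;   // still listed as "update available" in the dashboard; apply it by hand
    }
    return true;
}, 10, 2 );
```

An exempted plugin is the one that will rot, so keep the list short and review it whenever a security release for that plugin is announced.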
Warning: also delete every theme and plugin you are not using. Inactive plugins and themes still ship their PHP files, which attackers can reach and exploit even though they are switched off, and they tend to be the ones nobody updates. With that done, let's move on to the rest of the maintenance.
Delete useless files
This step is quick. Delete readme.html and license.txt from the WordPress root: they serve no purpose on a live site, and readme.html announces the exact WordPress version, which is the first thing a vulnerability scanner looks for. Also delete wp-admin/install.php, a leftover of the installation process that is no longer needed. Note that core updates restore these files, so repeat this after each core update (or script it as part of your deployment).
Set the secret keys:
The next step is to set the secret keys and salts in wp-config.php. WordPress uses eight of them (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their matching _SALT values) to sign login cookies and nonces. Generate fresh random strings from https://api.wordpress.org/secret-key/1.1/salt/ (or with WP-CLI's wp config shuffle-salts) and paste them over the existing define() lines. There is nothing to remember, because the keys are never typed by a user. Changing them invalidates every existing session: if an account or a key is ever suspected of being compromised, rotating the keys immediately forces everyone, attacker included, to authenticate again.
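A small script that generates the eight define() lines locally, added here as an example for this article (it is not WordPress's own generator, though the output has the same define() format as the api.wordpress.org link above, so it can be pasted straight over the existing lines):

```php
<?php
/**
 * Print fresh WordPress keys and salts for wp-config.php.
 * Usage: php gen-salts.php   then paste the output over the existing eight define() lines.
 * Written for this article; generating locally means the keys never leave your machine.
 */

function wp_salt_string( int $length = 64 ): string {
    // Printable ASCII without the single quote and backslash, so the value can sit
    // inside the quoted define() argument without escaping.
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
           . '!@#$%^&*()-_ []{}<>~`+=,.;:/?|';
    $max   = strlen( $chars ) - 1;
    $out   = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $out .= $chars[ random_int( 0, $max ) ];   // random_int() draws from the OS CSPRNG
    }
    return $out;
}

$names = array(
    'AUTH_KEY',  'SECURE_AUTH_KEY',  'LOGGED_IN_KEY',  'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
);

foreach ( $names as $name ) {
    // e.g. define( 'AUTH_KEY',         '...64 random characters...' );
    printf( "define( %s '%s' );\n", str_pad( "'{$name}',", 19 ), wp_salt_string() );
}
```

Replace the existing lines rather than appending: define() ignores a second definition of the same constant, so lines added at the end of the file would silently do nothing.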
Setting up Google reCAPTCHA:
Guessing usernames and passwords (brute forcing) is one of the commonest ways attackers take over a site, and a CAPTCHA on the login form stops automated guessing. The easiest route is a plugin such as Advanced noCaptcha & invisible Captcha, which supports reCAPTCHA v2 and v3. You will need a site key and a secret key: register the site at Google's reCAPTCHA admin console (https://www.google.com/recaptcha/admin), enter the domain, and it generates both. The site key goes into the page; the secret key must stay on the server.
Then paste the two keys into the plugin settings and select the forms where the CAPTCHA should appear: the login form at minimum, plus the registration, lost-password and comment forms if the site uses them.
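What the plugin does under the hood, as an added example written for this article rather than code from the plugin: a must-use plugin that puts the reCAPTCHA v2 checkbox on the login form and verifies the token with Google's siteverify endpoint before the login is accepted. The constant names MY_RECAPTCHA_SITE_KEY and MY_RECAPTCHA_SECRET are this example's own; define them in wp-config.php.

```php
<?php
/**
 * Plugin Name: reCAPTCHA v2 on wp-login.php (example)
 * File: wp-content/mu-plugins/login-captcha.php
 * Needs in wp-config.php (names chosen for this example):
 *   define( 'MY_RECAPTCHA_SITE_KEY', '...' );   // public, rendered into the page
 *   define( 'MY_RECAPTCHA_SECRET',   '...' );   // private, sent only to Google's siteverify
 */

defined( 'ABSPATH' ) || exit;

// 1. Render the widget inside the login form.
add_action( 'login_enqueue_scripts', function () {
    wp_enqueue_script( 'google-recaptcha', 'https://www.google.com/recaptcha/api.js', array(), null );
} );
add_action( 'login_form', function () {
    printf( '<div class="g-recaptcha" data-sitekey="%s"></div>', esc_attr( MY_RECAPTCHA_SITE_KEY ) );
} );

// 2. Verify the token server-side. Priority 30 runs after core's username/password
//    check at 20: a filter that ran earlier would have its WP_Error overwritten by a
//    correct password, which is a well-known gotcha with the authenticate filter.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    // Only the interactive form carries the widget (wp-submit is its submit button).
    if ( '' === (string) $username || ! isset( $_POST['wp-submit'] ) ) {
        return $user;
    }
    $token = isset( $_POST['g-recaptcha-response'] ) ? (string) $_POST['g-recaptcha-response'] : '';
    if ( '' === $token ) {
        return new WP_Error( 'captcha_missing', 'Please complete the CAPTCHA.' );
    }
    $resp = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 5,
        'body'    => array(
            'secret'   => MY_RECAPTCHA_SECRET,
            'response' => $token,
            'remoteip' => $_SERVER['REMOTE_ADDR'] ?? '',
        ),
    ) );
    if ( is_wp_error( $resp ) ) {
        // Fail closed: if Google cannot be reached, do not let unverified logins through.
        return new WP_Error( 'captcha_unavailable', 'CAPTCHA verification unavailable, please retry.' );
    }
    $body = json_decode( wp_remote_retrieve_body( $resp ), true );
    if ( empty( $body['success'] ) ) {
        return new WP_Error( 'captcha_failed', 'CAPTCHA verification failed.' );
    }
    // For reCAPTCHA v3 you would additionally require $body['action'] === 'login'
    // and $body['score'] above a threshold such as 0.5.
    return $user;
}, 30, 3 );

// 3. XML-RPC has no widget, so brute force would simply move there. Disable its
//    authenticated methods unless something (the mobile app, Jetpack) needs them.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

The same gap exists for the REST API's application-password logins; those are rate-limited by the lockout logic described later in this article, not by the CAPTCHA.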
- Use a strong, unique password for logging into the WordPress site.
- Keep WordPress, and every theme and plugin installed, up to date.
- Set up automatic backups of the site.
That way, if the site does get hacked, we can restore it to a known-good state rather than rebuild it. A few more tips follow. To add one more layer to the login, enable two-factor authentication: besides the password, logging in then requires a one-time code from an authenticator app on your phone (Google Authenticator, for example), derived from a secret key stored on that device. Several third-party plugins can do this; here we use 2FAS Light Google Authenticator. Install and activate it, scan the secret it shows (usually as a QR code) into the app, and from then on the login form asks for the six-digit code as well as the password.
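For readers who want to see what the authenticator app and the plugin actually agree on, here is the verification step in plain PHP, added for this article and not taken from the 2FAS plugin: a six-digit time-based one-time password per RFC 6238 (HMAC-SHA1, 30-second step), which is what Google Authenticator generates. The secret at the end is the RFC's own test vector.

```php
<?php
/**
 * Verify a 6-digit TOTP code (RFC 6238, SHA-1, 30 s step) such as Google Authenticator
 * produces. Example written for this article; a real plugin stores the base32 secret in
 * user meta and calls something like totp_verify() from the login flow.
 */

function base32_decode_rfc4648( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32      = strtoupper( rtrim( $b32, '=' ) );
    $bits     = 0;
    $value    = 0;
    $out      = '';
    foreach ( str_split( $b32 ) as $c ) {
        $idx = strpos( $alphabet, $c );
        if ( false === $idx ) {
            throw new InvalidArgumentException( 'invalid base32 character' );
        }
        $value = ( ( $value << 5 ) | $idx ) & 0xFFFF;   // keep only the bits still unread
        $bits += 5;
        if ( $bits >= 8 ) {
            $bits -= 8;
            $out  .= chr( ( $value >> $bits ) & 0xFF );
        }
    }
    return $out;
}

function totp_code( string $secret_bytes, int $counter, int $digits = 6 ): string {
    $msg  = pack( 'J', $counter );                        // 64-bit big-endian counter (RFC 4226)
    $hmac = hash_hmac( 'sha1', $msg, $secret_bytes, true );
    $off  = ord( $hmac[19] ) & 0x0F;                      // dynamic truncation offset
    $bin  = ( ( ord( $hmac[ $off ] ) & 0x7F ) << 24 )
          | ( ord( $hmac[ $off + 1 ] ) << 16 )
          | ( ord( $hmac[ $off + 2 ] ) << 8 )
          | ord( $hmac[ $off + 3 ] );
    return str_pad( (string) ( $bin % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

function totp_verify( string $b32_secret, string $code, ?int $now = null, int $window = 1 ): bool {
    $now     = $now ?? time();
    $secret  = base32_decode_rfc4648( $b32_secret );
    $counter = intdiv( $now, 30 );
    // Accept the neighbouring steps too, so up to 30 s of clock skew does not lock the user out.
    for ( $i = -$window; $i <= $window; $i++ ) {
        if ( hash_equals( totp_code( $secret, $counter + $i ), $code ) ) {   // constant-time compare
            return true;
        }
    }
    return false;
}

// RFC 6238 test vector: secret "12345678901234567890" (base32 below), t = 59 s -> 287082
var_dump( totp_verify( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ', '287082', 59 ) );   // bool(true)
```

Two things a plugin must do that this snippet does not: remember which counter value was last accepted so a code cannot be replayed within its window, and rate-limit code guesses, since a six-digit code is only a million possibilities.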
Deleting old Admin Accounts :
Deleting the old admin account matters because WordPress historically created a default user called admin, and brute-force scripts (and exploits that need a known account name) try that username first. Create a new user with a different name and the Administrator role, log in as that user, and delete the default admin account (WordPress asks what to do with its content; attribute it to the new user). Then go to Settings > General and, unless you genuinely need open registration or manage users through another system, make sure "Anyone can register" is unchecked.
With those layers in place, the remaining job is to keep anyone else from getting in. A web application firewall, either a plugin or one provided by the host or CDN, adds a further layer by filtering malicious requests before they reach WordPress. WordPress is reasonably secure by default, but as with any platform there are things to take care of, and it is easy to forget that bots are probing the site for ways to inject harmful content every day. The following steps deal with the most common entry points.
Hide the WordPress login page URL:
The first is to move the login page to a different URL. By default the login page of any WordPress site is reached at domain.com/wp-login.php (domain.com/wp-admin redirects there), so every bot knows where to aim. Changing the URL does not fix any vulnerability, but it cuts out the automated noise and makes a targeted attacker work a little harder. The free plugin WPS Hide Login does this in a minute. After installing and activating it, go to Settings in the left dashboard menu, click WPS Hide Login, and next to the Login URL option change wp-admin to whatever you like, then click Save Changes at the bottom; that is the new login URL. Logging out and visiting the old login page now returns a "not found" error, while the new URL shows the login form as before. Note: write the new URL down, because recovering access if you forget it is a hassle.
Cloak your WordPress username
Most of the time the admin username of a WordPress site is the same as the author name shown on posts, especially on personal blogs with a single author, which hands attackers half of the credential. Cloaking the username is an easy win and needs no plugin: from the left dashboard menu go to Users, click Your Profile, scroll down to Nickname and set a name of your choosing, then pick that nickname in the "Display name publicly as" drop-down underneath, scroll to the bottom and click Update Profile. Visit any post and the author name has changed to the nickname.
Note: the original username is still what you type to log in. Never use admin or administrator as a username, because bots try those first; if you want admin shown on the site, make it the nickname, not the login. Be aware, too, that the nickname only changes what is displayed in posts: the login name still leaks through the author archive URL (domain.com/author/username/) and the REST API's users endpoint, so treat this as one hurdle among several rather than as hiding the username.
Limit WordPress login attempts:
A fresh WordPress install allows unlimited login attempts: we can enter the wrong details as many times as we like with nothing happening. That is convenient when we cannot remember which of our hundreds of passwords we used, but it also lets scammers run bots that guess credentials continuously, and given millions of attempts a bot will eventually land on the right one. The free plugin Limit Login Attempts Reloaded fixes this. After installing and activating it, go to Settings in the left dashboard menu and click Limit Login Attempts.
On that page, under Lockout, "allowed retries" is the number of failed attempts before a lockout. Do not set it as low as two or three, since we all mistype our own passwords; a setting that locks out the legitimate owner is a hassle for you rather than for whoever is after your data.
"Minutes lockout" is how long a locked-out client stays locked out, and a further option increases the lockout time for repeat offenders. Finally, set the number of hours after which the retry counter is reset. Scroll down and click Save Options. Now, even if someone finds the login page, they get only a handful of attempts before being locked out.
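Under the hood this is what such a plugin does. Here is a stripped-down version as a must-use plugin, added for this article and not taken from Limit Login Attempts Reloaded; the three constants at the top correspond to the three settings above. It keys lockouts on REMOTE_ADDR, which is the one caveat worth understanding before trusting any such plugin behind a proxy or CDN.

```php
<?php
/**
 * Plugin Name: Lock out repeated failed logins (example)
 * File: wp-content/mu-plugins/login-lockout.php
 * Written for this article; shows what "limit login attempts" plugins do under the hood.
 */

defined( 'ABSPATH' ) || exit;

const LL_RETRIES     = 5;    // "allowed retries": failures before a lockout
const LL_LOCK_MIN    = 20;   // "minutes lockout"
const LL_RESET_HOURS = 12;   // "hours until retries are reset"

function ll_client_ip(): string {
    // REMOTE_ADDR is the one address the client cannot forge. Behind a trusted reverse
    // proxy, have the web server rewrite REMOTE_ADDR (mod_remoteip, ngx_http_realip);
    // reading X-Forwarded-For here would let an attacker dodge their own lockout.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function ll_keys( string $username ): array {
    // One bucket per IP and one per (IP, username), so a host spraying many usernames
    // and a host hammering "admin" are both caught.
    $ip = ll_client_ip();
    return array( 'll_' . md5( $ip ), 'll_' . md5( $ip . '|' . strtolower( $username ) ) );
}

function ll_is_locked( string $username ): bool {
    foreach ( ll_keys( $username ) as $key ) {
        if ( get_transient( $key . '_lock' ) ) {
            return true;
        }
    }
    return false;
}

function ll_error(): WP_Error {
    return new WP_Error( 'too_many_attempts', 'Too many failed logins. Try again later.' );
}

// Fires inside core's check before the password is compared, so a locked client
// learns nothing about whether its guess was right.
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
    return ll_is_locked( $user->user_login ) ? ll_error() : $user;
}, 1, 2 );

// After core (priority 20) so unknown usernames get the same answer while locked.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    return ( '' !== (string) $username && ll_is_locked( $username ) ) ? ll_error() : $user;
}, 30, 3 );

// Count failures; lock when the threshold is reached.
add_action( 'wp_login_failed', function ( $username ) {
    if ( ll_is_locked( $username ) ) {
        return;                                   // already locked, do not recount
    }
    foreach ( ll_keys( $username ) as $key ) {
        $count = (int) get_transient( $key ) + 1;
        set_transient( $key, $count, LL_RESET_HOURS * HOUR_IN_SECONDS );
        if ( $count >= LL_RETRIES ) {
            set_transient( $key . '_lock', 1, LL_LOCK_MIN * MINUTE_IN_SECONDS );
            delete_transient( $key );
            error_log( sprintf( 'wp-login lockout ip=%s user=%s', ll_client_ip(), $username ) );
        }
    }
}, 10, 1 );

// A successful login clears the counters so an honest typo does not accumulate.
add_action( 'wp_login', function ( $user_login ) {
    foreach ( ll_keys( $user_login ) as $key ) {
        delete_transient( $key );
    }
}, 10, 1 );
```

Because the counters live in transients, a site without a persistent object cache stores them in the options table; that is fine at this scale, but it means the lockout is per site, not per server, which is what you want.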
Add a security question to the login page:
As you have probably guessed, the login page is the most exposed part of a WordPress site, so it deserves a disproportionate share of the effort. One simple measure worth adding is a security question: in effect a second password that an attacker who has only the first still has to know. It costs a few extra seconds at each login, but it removes the chance of losing the site to someone who has guessed or stolen the password alone.
To set it up, install and activate another free plugin, WP Security Question. Then go to WP Security Questions in the left dashboard menu and click Plugin Settings. It ships with a list of prepared questions; remove the ones you do not want or replace them with your own, and choose which pages the question should appear on. The login screen is the obvious choice, but other pages can be selected too. Save the settings at the bottom.
Next, choose the question you will answer: click Your Profile from the left dashboard menu, scroll to the bottom, enable the security question, pick the question from the list and type the answer in the box, then click Update Profile. Logging out and visiting the login page now shows that the answer must be given before logging in. Pick an answer that cannot be looked up or guessed (a random phrase kept in a password manager, not your mother's maiden name): a security question is only as strong as the secrecy of its answer. Note: keep the answer somewhere safe, because a forgotten answer locks you out just as effectively as it locks out an attacker.
Final steps to know and apply:
We have come a long way. Most site owners do not think about security until their site has been hacked and sensitive data has leaked, which is damaging to visitors and can bring legal liability. The steps above close the doors that hackers most often walk through, and the earlier they are taken, the less there is to recover from. Every problem here has a solution, and prevention is cheaper than cure.