Secure Your WordPress Blog

Security of a WordPress blog is a big concern nowadays, especially when brute-force botnet attacks are going on all over the web. If your blog has not been attacked till now, be prepared, as it may happen in the future. Securing your WordPress blog must be your first priority in order to keep it and its content protected from hackers.

According to various news sites all over the world, hackers have recently been found attacking WordPress-powered blogs and websites using over 90,000 servers. The attack primarily aims at WordPress blogs with the default ‘admin’ username and weak passwords, such as words that can be found in a dictionary or passwords like ‘123456’, which can be cracked easily.

So it has become increasingly important to take serious measures to secure your WordPress blog, otherwise you may end up with a dead blog and all its content gone. And it’s completely your responsibility to secure your WordPress blog, as you can’t just sit back and be optimistic all the time that your blog won’t be hacked.

As WordPress puts it: “They are, in short, an attack on the weakest link in any website’s security: You.” So you are the one responsible for securing your WordPress blog from hackers, and in this post I’m going to show you how.

In this post I have discussed some of the tips with which you can secure your WordPress blog or website from this brute-force attack and from future attacks by hackers.

Disclaimer: The methods I have discussed below are the best practices that I follow on my blog, and I’m in no way smarter than the hackers. So your blog may be hacked even after applying these methods. But what I can assure you is that by using these methods I was able to secure my blog, and my blog has not been hacked till now (not that I want it to be, pardon me hackers). Some of the methods below are dead simple but can improve security to a great extent. So all the best, and I hope you never get attacked.

Tips To Secure Your WordPress Blog

General Security Tips

1. Change Your Default Username

When you install WordPress the default username you get is ‘admin’. This is well known to hackers and is the weakest link that can get your blog hacked. Just create a new user with the administrator role by going to User > Add User in your WordPress backend. Then delete the default ‘admin’ user from Users > All Users, select “Attribute all posts and links to” and choose your newly created username.

Following this simple step protects you from the many automated attacks that try to log into your account using the default username ‘admin’.

2. Change Your Weak Password

If you are using a weak password like ‘12345’ or ‘password’ for your blog, change it to something more complex. Use passwords that combine letters, numbers and symbols, like ‘asd12_#a’. When attacking a blog, hackers usually try a lot of commonly used words and words from the dictionary. So make sure you don’t use any easy-to-guess word that can be found in a dictionary.

WordPress provides a great feature, the Strength Indicator, which you can use when creating a new user or changing your current password. It tells you whether the password you entered is Weak, Medium or Strong.

(Image: WordPress password strength indicator)

3. Don’t Give Admin Privileges To Other Users

If your blog is a multi-user blog, do not assign the administrator role to other users unless absolutely necessary. Giving the administrator role to other users gives them complete control over every element of your blog. So use this feature very carefully and assign the administrator role only to users you can completely trust.

4. Keep WordPress Updated

Keep your WordPress installation updated. With every update WordPress adds new security measures to its code, making it more resistant to attacks than before. Whenever there is a new update you will see a yellow bar at the top of your dashboard. Simply click “Please update now” to update your WordPress installation instantly.

(Image: the “Please update now” bar in the WordPress dashboard)

5. Only Install Trusted Plugins

Choose your plugins carefully and install one only if you completely trust the developer. Installing plugins from the WordPress Plugin Directory is safer than downloading them from somewhere else and uploading them yourself. WordPress reviews every plugin in its directory, so you’ll hardly find a suspicious plugin there.

Plugins have full access to your backend and can do a great deal of damage while appearing harmless. So stay away from plugins you don’t know much about or don’t fully trust.

Advanced Security Tips

6. Change The Default URLs To Backend

The default login, registration and admin URLs of any WordPress blog look like this:

  • http://yourblog.com/wp-login.php
  • http://yourblog.com/wp-login.php?action=register
  • http://yourblog.com/wp-admin/

Hackers know this and can easily reach your backend through these URLs. So it’s better to change these URLs, further increasing security against potential attackers. There is no direct way of doing this inside WordPress, so I use a plugin called “Better WordPress Security” for this purpose. It’s a free plugin and I use it for most of my advanced security methods.

Just install and activate this plugin on your blog and go to the “Hide” tab. There you’ll see the option “Enable Hide Backend”; tick it and fill in the three fields below it with your new slugs. This creates the new URLs for accessing the backend of your WordPress blog.

You can write anything you want, just make sure you don’t forget it or you’ll never be able to log into your own blog. Here’s an example of how your new login, register and admin URLs may look if you change the default slugs:

  • http://yourblog.com/my-login-page
  • http://yourblog.com/my-register-page
  • http://yourblog.com/my-admin-page

(Image: Better WordPress Security, Hide Backend settings)

7. Limit Number Of Logins

Hackers try to attack your blog by bombarding it with thousands of login attempts using different possible passwords. You can limit the number of login attempts with the Better WordPress Security plugin that I mentioned above.

If you already have it installed on your blog, just go to “Login” and tick the “Enable Login Limits” option. It offers a lot of parameters, such as the maximum number of logins per host, the maximum number of logins per user and the lockout time, that you can use to control how your login page behaves, considerably increasing overall security.
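To show what a login-limit option like this does under the hood, here is an added example built only on WordPress core hooks; it is not the plugin’s code and not from the original post. The thresholds, the lockout message and the ll_ names are this example’s own choices.

```php
<?php
// Added example: a minimal per-host login limiter on WordPress core hooks,
// roughly what a plugin's "Enable Login Limits" option does.
// Thresholds and the ll_ names are this example's own choices.
define( 'LL_MAX_ATTEMPTS', 5 );                  // failures allowed per host ...
define( 'LL_WINDOW',  15 * MINUTE_IN_SECONDS );  // ... inside this window
define( 'LL_LOCKOUT', 60 * MINUTE_IN_SECONDS );  // lockout once the limit is hit

// Requesting host. REMOTE_ADDR only: trusting X-Forwarded-For would let a
// client choose its own key and dodge the limit.
function ll_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

// Transient key under which this host's failure state is stored.
function ll_client_key() {
    return 'll_' . md5( ll_client_ip() );
}

// Count failed logins per host; start a lockout when the limit is reached.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = ll_client_key();
    $state = get_transient( $key );
    if ( ! is_array( $state ) ) {
        $state = array( 'fails' => 0, 'locked_until' => 0 );
    }
    $state['fails']++;
    if ( $state['fails'] >= LL_MAX_ATTEMPTS ) {
        $state['locked_until'] = time() + LL_LOCKOUT;
        // Log the lockout so repeated bursts are visible in the server logs.
        error_log( sprintf( 'WP login lockout: %s after %d failures (username tried: %s)',
            ll_client_ip(), $state['fails'], $username ) );
    }
    set_transient( $key, $state, max( LL_WINDOW, LL_LOCKOUT ) );
} );

// Reject authentication while the host is locked out. Priority 30 runs after
// core's username/password handler (priority 20), so the lockout error wins
// even when the submitted password happens to be correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $state = get_transient( ll_client_key() );
    if ( is_array( $state ) && $state['locked_until'] > time() ) {
        return new WP_Error( 'll_locked_out',
            'Too many failed login attempts from your address. Try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that host.
add_action( 'wp_login', function () {
    delete_transient( ll_client_key() );
} );
```

Because the lockout error itself fires wp_login_failed, every attempt made during a lockout extends it; behind a reverse proxy, REMOTE_ADDR is the proxy’s address, so the limiter would need the real client address supplied by a trusted proxy instead.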

There are a couple of other plugins too that you can use for limiting the number of logins:

8. Backup Everything

No matter how strong your security measures are, there is still a chance that your blog and its data get attacked. So it’s always better to regularly back up your entire database. There are a lot of plugins, like BackUpWordPress, Simple Backup and BackWPup, that you can use to easily back up your WordPress database on a regular basis. Better WordPress Security also has a feature for regularly backing up your database, which can be accessed by going to the “Backup” tab.

9. Change the Default Database Prefix

The default table prefix for the WordPress database is ‘wp_’ and is well known to hackers. They can make use of this information when attacking your database, so it’s best to change the default prefix to something else. You are generally asked to choose the table prefix when installing WordPress, but if you forgot to change it then, you can do so using plugins.

You can do this using the Better WordPress Security plugin by going to the “Prefix” tab, or you can use other plugins like Change Table Prefix. Use these plugins with care and make a backup of your database before you apply a new prefix. Making a backup is important because if anything goes wrong while applying the change you may lose all your data.

This is how it looks in the Better WordPress Security Prefix tab:

(Image: Better WordPress Security, Prefix tab)

10. Protect Your wp-config.php File

The wp-config.php file contains all of the confidential details for your WordPress site and is stored in your WordPress directory. You can protect it by adding the following code to your .htaccess file.

# Block all HTTP requests for wp-config.php (Apache 2.2 syntax;
# on Apache 2.4 the equivalent directive is "Require all denied")
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>

The .htaccess file is stored in your WordPress directory and can be edited simply with a text/code editor.

11. Hide Your WordPress Version

Although WordPress gets more secure with each update, each version still has its own set of known vulnerabilities. Hackers know about them and can attack your blog using those vulnerabilities if they can see which version you run. So it’s better to hide your WordPress version.

It’s easy to remove the WordPress version from your blog; just add the following code to your functions.php file:

// Remove the <meta name="generator"> tag, which carries the version, from <head>
remove_action( 'wp_head', 'wp_generator' );
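The one-liner above removes only the meta tag in the page head. As an added example that is not from the original post and goes a bit beyond it, the snippet below also clears the version from feeds and from the ?ver= query string WordPress appends to core stylesheets and scripts. The hv_ function name is this example’s own.

```php
<?php
// Added example: hide the WordPress version in the places core prints it,
// not only in the <meta name="generator"> tag. The hv_ name is ours.

// 1. The generator meta tag in the page <head> (the post's one-liner).
remove_action( 'wp_head', 'wp_generator' );

// 2. The <generator> element that RSS/Atom feeds emit, and the generator
//    string anywhere else it is produced through the_generator().
add_filter( 'the_generator', '__return_empty_string' );

// 3. Core assets are linked as .../style.css?ver=<WordPress version> when
//    they carry no version of their own. Drop "ver" only when it equals the
//    core version, so plugin and theme asset cache-busting keeps working.
function hv_strip_core_version( $src ) {
    global $wp_version;
    if ( false !== strpos( $src, 'ver=' . $wp_version ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'hv_strip_core_version' );
add_filter( 'script_loader_src', 'hv_strip_core_version' );
```

The readme.html file in the web root also states the version and is not affected by PHP hooks; removing it or blocking access to it is a separate step.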

Conclusion

These are the 11 tips that you can implement today to secure your WordPress blog. If you implement them all, I’m sure you’ll eliminate 99% of the possibility of being attacked by hackers. I discussed above the weakest points of any WordPress blog and how you can secure them; now that they are secure you can sit back and stop worrying about security issues.