Just like any popular software, WordPress is hunted by hackers around the clock, and it fights vulnerabilities all the time. Sometimes it wins the day by discovering and fixing a vulnerability before the hackers find it. Other times it lets its users down. That is to be expected, because no software is 100% secure; the best you can have is precautions and security measures in place. WordPress constantly releases security patches and fixes to keep vulnerabilities at bay, but there are still practical measures you can take to go the extra mile. Things like not having “admin” as the username and using a hard-to-guess database table prefix go a long way toward WordPress security.
In this post, we will go through top 10 tips and tricks for WordPress security. Boy, you’re in for a ride!
Do not use “admin” as username
Many web hosts come with a quick script installer like Softaculous or QuickInstall. These auto-installers make it easy to install scripts like WordPress, OpenCart, Magento, etc., but they use default settings for every install. You are given the option to change them during installation, but not many people do, and they leave the defaults in place. That’s how the default WordPress username “admin” comes into play. And hackers know this.
So they try to brute-force their way in with “admin” as the username. Do not use “admin” as your username. Here are instructions to change it:
- Go to phpMyAdmin and click your database
- Open the table named “wp_users” and look for the row whose username is “admin”
- Click “Edit” and change the value of user_login to anything but admin
There you go!
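The same change as a one-off command-line script, added here as an example (it is not code from the post and not part of WordPress): it renames the account and, in the same statement, also changes user_nicename and display_name. Those two columns default to the login name as well, and because the nicename is the slug in /author/<nicename>/ archives and the display name is printed as the post byline, leaving them as “admin” would keep advertising the old account name. The database credentials, the table prefix and the new names are placeholders to replace with your own.

```php
<?php
// rename-admin.php (added example; a scripted version of the phpMyAdmin
// steps above, not code from the post). Run once from the command line.
// Database settings are placeholders: copy the real ones from wp-config.php.

$dsn      = 'mysql:host=localhost;dbname=wordpress;charset=utf8mb4';
$db_user  = 'DB_USER_PLACEHOLDER';
$db_pass  = 'DB_PASSWORD_PLACEHOLDER';
$prefix   = 'wp_';             // $table_prefix from wp-config.php
$old_name = 'admin';
$new_name = 'site-owner-k3';   // placeholder: pick something not guessable
$display  = 'Site Owner';      // placeholder: the public byline

$pdo = new PDO( $dsn, $db_user, $db_pass, [ PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION ] );

// Refuse to proceed if the new login name is already taken.
$taken = $pdo->prepare( "SELECT COUNT(*) FROM `{$prefix}users` WHERE user_login = ?" );
$taken->execute( [ $new_name ] );
if ( $taken->fetchColumn() > 0 ) {
    fwrite( STDERR, "'$new_name' is already in use\n" );
    exit( 1 );
}

// Change the login name together with user_nicename (the slug used in
// /author/<nicename>/ archives) and display_name (shown as the byline).
$upd = $pdo->prepare(
    "UPDATE `{$prefix}users`
        SET user_login = :login, user_nicename = :nice, display_name = :display
      WHERE user_login = :old"
);
$upd->execute( [
    ':login'   => $new_name,
    // nicename is a URL slug: lowercase letters, digits and hyphens only
    ':nice'    => strtolower( preg_replace( '/[^A-Za-z0-9-]+/', '-', $new_name ) ),
    ':display' => $display,
    ':old'     => $old_name,
] );

printf( "%d account(s) renamed\n", $upd->rowCount() );
```

WordPress looks the logged-in user up by login name when it validates the authentication cookie, so after the rename any open session for that account stops working and you log in again with the new name.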
Limit Login Attempts to Avoid Brute Force Attacks
This is one of the most popular WordPress plugins. What if you had unlimited time, unlimited random passwords and unlimited login attempts to make: would you be able to log in to WordPress? Of course, yes, right? This type of attack is called a brute force attack. By default, WordPress does not care how many times a user fails to log in; it lets them try again.
The plugin in question blocks an IP address after a certain number of failed login attempts. Limit Login Attempts is fairly customizable: you decide how many attempts are allowed, when the lockout is triggered, etc.
- Install & activate Limit Login Attempts.
- By default, it triggers a 20-minute lockout after 4 failed login attempts, and after 4 lockouts it increases the lockout time to 24 hours.
- You are welcome to configure the settings to your liking. Go to Dashboard > Settings > Limit Login Attempts
- You can also define after how many lockouts you are notified via email.
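To show what the plugin’s default policy actually does, here is an added example that implements it as a small must-use plugin. It is code written for this post, not the Limit Login Attempts plugin’s own source: the counters live in WordPress transients, are keyed on the client address, and follow the defaults above (4 failures start a 20-minute lockout, the 4th lockout lasts 24 hours). It assumes the site is not behind a reverse proxy or CDN; if it is, REMOTE_ADDR holds the proxy’s address and every visitor would share one counter.

```php
<?php
/**
 * Plugin Name: Login Lockout (added example)
 *
 * Drop this file into wp-content/mu-plugins/ and WordPress loads it on every
 * request. Example code for this post, not the Limit Login Attempts plugin.
 */

define( 'LL_MAX_ATTEMPTS', 4 );         // failures that trigger a lockout
define( 'LL_LOCKOUT', 20 * 60 );        // seconds
define( 'LL_MAX_LOCKOUTS', 4 );         // lockouts before the long lockout
define( 'LL_LONG_LOCKOUT', 24 * 3600 ); // seconds

// Assumption: no reverse proxy, so REMOTE_ADDR is the real client address.
function ll_key( string $what ): string {
    return 'll_' . $what . '_' . md5( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

function ll_locked_until(): int {
    return (int) get_transient( ll_key( 'locked' ) ); // 0 when not locked
}

// Count a failure; on the 4th, start a lockout whose length depends on how
// many lockouts this address has already earned.
add_action( 'wp_login_failed', function ( string $username ): void {
    if ( ll_locked_until() > time() ) {
        return; // already locked out, do not keep counting
    }
    $failures = (int) get_transient( ll_key( 'fail' ) ) + 1;
    if ( $failures < LL_MAX_ATTEMPTS ) {
        set_transient( ll_key( 'fail' ), $failures, LL_LOCKOUT );
        return;
    }
    $lockouts = (int) get_transient( ll_key( 'lockouts' ) ) + 1;
    $length   = $lockouts >= LL_MAX_LOCKOUTS ? LL_LONG_LOCKOUT : LL_LOCKOUT;
    set_transient( ll_key( 'locked' ), time() + $length, $length );
    set_transient( ll_key( 'lockouts' ), $lockouts, LL_LONG_LOCKOUT );
    delete_transient( ll_key( 'fail' ) );
    error_log( sprintf( 'Login lockout #%d for %s (%d s) after failed logins as "%s"',
        $lockouts, $_SERVER['REMOTE_ADDR'] ?? '?', $length, $username ) );
} );

// Refuse to authenticate a locked-out address. Priority 30 runs after the
// core username/password check (priority 20), so the lockout always wins,
// even when the password happens to be right.
add_filter( 'authenticate', function ( $user, string $username, string $password ) {
    $until = ll_locked_until();
    if ( $until > time() ) {
        $minutes = (int) ceil( ( $until - time() ) / 60 );
        return new WP_Error( 'll_locked_out',
            sprintf( 'Too many failed logins from your address. Try again in %d minute(s).', $minutes ) );
    }
    return $user;
}, 30, 3 );

// A successful login clears the failure counter for that address.
add_action( 'wp_login', function (): void {
    delete_transient( ll_key( 'fail' ) );
} );
```

Because the lockout error is returned from the authenticate filter, core still fires wp_login_failed for the refused attempt; the early return at the top of the failure handler is what stops a locked-out address from extending its own lockout.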
Change WordPress Login URL
Everyone knows the default WordPress login URL is http://domain.com/wp-admin, right? That’s where hackers apply all their brute force attacks. Sure, with a different admin username and limited login attempts you decrease the chances of a successful brute force attack. This tip takes things one step further: it changes the default WordPress login URL, e.g. from http://domain.com/wp-admin to http://domain.com/mairajlogin. Now that hackers don’t know this not-so-common URL, they are left with no choice but to guess it or give up.
This is how you change default login URL:
- Install & activate iThemes Security (formerly Better WP Security) plugin. Changing WordPress login URL is one of the many security features this plugin offers.
- Go to Dashboard > Security, make sure to view all features by clicking “All” above
- Look for a box named Hide Backend, click “Configure Settings”
- In the popup, click “Enable the hide backend feature”
- Add a custom Login Slug & click “Save Settings”
Kill default Table Prefix
Just like the default “admin” username, there is a default database table prefix. It tells WordPress which of a database’s tables it should care about. By default you get wp_ as the table prefix, which means all the tables of the WordPress database look like wp_posts, wp_options, etc. Quick-installers, being quick, don’t care much about the table prefix unless you click “Advanced options” or some such button first.
Anyway, using wp_ as the table prefix is as good as sending a Candy Crush request to hackers, and even they hate Candy Crush (I guess!) :P. There are two times to change the table prefix: first, during installation; second, once the installation is done and the site is up and running.
NOTE: Before you go any further, make sure to have a database backup. I don’t guarantee or not-guarantee said plugin’s ability
Here is how you change the table prefix:
- Install & activate Change DB Prefix
- Go to Dashboard > Settings > Change DB Prefix
- There are two fields on this page: the existing table prefix and the new one
- Add a complicated and hard-to-guess table prefix in the second field and add an underscore (_) at the end of it.
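What the plugin has to do behind that form is more than renaming tables, which is why the backup note above matters. The following added example (written for this post, not the Change DB Prefix plugin’s code) performs the change as a one-off command-line script: it renames every table carrying the old prefix and then rewrites the two places where core stores the prefix inside table data, the user_roles option and the per-user capability and settings meta keys. Skip that second step and the site still loads, but every user has no role left and cannot use the dashboard. The database credentials and the new prefix are placeholders; after the script finishes, $table_prefix in wp-config.php must be set to the same new value.

```php
<?php
// change-prefix.php (added example; not the Change DB Prefix plugin's code).
// Take a backup first, run this once, then set $table_prefix in wp-config.php
// to the new value. Database settings are placeholders from wp-config.php.

$dsn     = 'mysql:host=localhost;dbname=wordpress;charset=utf8mb4';
$db_user = 'DB_USER_PLACEHOLDER';
$db_pass = 'DB_PASSWORD_PLACEHOLDER';
$old     = 'wp_';
$new     = 'k7q2x_';   // placeholder: letters, digits, underscores, ending in "_"

// WordPress itself only accepts [A-Za-z0-9_] in the prefix; the same check is
// what makes it safe to splice the prefixes into SQL identifiers below.
foreach ( [ $old, $new ] as $p ) {
    if ( ! preg_match( '/^[A-Za-z0-9_]+_$/', $p ) ) {
        fwrite( STDERR, "Invalid prefix '$p'\n" );
        exit( 1 );
    }
}
$like_old = str_replace( '_', '\\_', $old ) . '%';   // "_" is a LIKE wildcard

$pdo = new PDO( $dsn, $db_user, $db_pass, [ PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION ] );

// 1. Rename every table carrying the old prefix. Only the leading prefix is
//    replaced, so multisite tables such as wp_2_posts are covered as well.
$show = $pdo->prepare( 'SHOW TABLES LIKE ?' );
$show->execute( [ $like_old ] );
foreach ( $show->fetchAll( PDO::FETCH_COLUMN ) as $table ) {
    $renamed = $new . substr( $table, strlen( $old ) );
    $pdo->exec( "RENAME TABLE `$table` TO `$renamed`" );
    echo "$table -> $renamed\n";
}

// 2. The prefix also lives inside table *data*.
//    Options: only user_roles is prefixed. Other core options that merely
//    start with "wp_" (e.g. wp_page_for_privacy_policy) must stay as they are,
//    so this is an exact match, not a LIKE.
$pdo->prepare( "UPDATE `{$new}options` SET option_name = ? WHERE option_name = ?" )
    ->execute( [ "{$new}user_roles", "{$old}user_roles" ] );

//    User meta: capabilities, user_level and the user-settings keys are all
//    stored as <prefix>key, so every key starting with the prefix is rewritten.
$pdo->prepare( "UPDATE `{$new}usermeta`
                   SET meta_key = CONCAT(?, SUBSTRING(meta_key, ?))
                 WHERE meta_key LIKE ?" )
    ->execute( [ $new, strlen( $old ) + 1, $like_old ] );

echo "Done. Now set \$table_prefix = '$new'; in wp-config.php\n";
```

RENAME TABLE commits implicitly in MySQL, so the script cannot be wrapped in a transaction and rolled back halfway; the backup is the rollback.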
Force users to use strong passwords
This one applies especially to blogs or sites with multiple users. Still, always remember to use a strong password on the Administrator account. Passwords are the locks on virtually everything you do these days, so make sure to get a strong one. During an auto-installer WordPress installation you get to set a password, but the installer does not necessarily force you to use a strong one. Therefore it is good practice to change it manually. Follow these instructions:
- Go to Dashboard > Users > Your Profile
- WP already has a password strength meter, which is a good indicator of password complexity
- Scroll to the Account Management section and click “Generate Password”
- Make sure to copy this password somewhere.
- Click “Update Profile”
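The strength meter only advises; the heading says “force”. This added example (written for this post, not a WordPress or plugin API) turns a minimum policy into a hard rule by hooking the two places where WordPress collects password validation errors: the profile and Add New User screens, and the password reset form. The rules themselves (12 characters, three character classes, must not contain the login name) are this example’s assumption, not something the post prescribes.

```php
<?php
/**
 * Plugin Name: Minimum Password Policy (added example)
 *
 * Drop into wp-content/mu-plugins/. Rejects weak passwords when a user is
 * created, edits their profile, or resets their password.
 */

// Returns an error message, or null when the password is acceptable.
// The thresholds below are this example's assumption.
function mpp_check_password( string $password, string $login ): ?string {
    if ( strlen( $password ) < 12 ) {
        return 'Passwords must be at least 12 characters long.';
    }
    $classes = 0;
    foreach ( [ '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ] as $re ) {
        $classes += preg_match( $re, $password );
    }
    if ( $classes < 3 ) {
        return 'Use at least three of: lowercase, uppercase, digits, symbols.';
    }
    if ( $login !== '' && stripos( $password, $login ) !== false ) {
        return 'The password must not contain your username.';
    }
    return null;
}

// Profile edit / "Add New User" screens. WordPress puts the new password in
// $_POST['pass1'] (slashed) and hands this action its WP_Error collector;
// any error added here makes the save fail with the message shown.
add_action( 'user_profile_update_errors', function ( WP_Error $errors, bool $update, $user ): void {
    if ( empty( $_POST['pass1'] ) ) {
        return; // the password is not being changed on this save
    }
    $login = isset( $user->user_login ) ? (string) $user->user_login : '';
    $msg   = mpp_check_password( (string) wp_unslash( $_POST['pass1'] ), $login );
    if ( $msg !== null ) {
        $errors->add( 'weak_password', '<strong>Error:</strong> ' . esc_html( $msg ) );
    }
}, 10, 3 );

// Password reset form (wp-login.php?action=rp). $user is a WP_User, or a
// WP_Error when the reset key was invalid.
add_action( 'validate_password_reset', function ( WP_Error $errors, $user ): void {
    if ( empty( $_POST['pass1'] ) ) {
        return; // the form is only being displayed, not submitted
    }
    $login = $user instanceof WP_User ? $user->user_login : '';
    $msg   = mpp_check_password( (string) wp_unslash( $_POST['pass1'] ), $login );
    if ( $msg !== null ) {
        $errors->add( 'weak_password', '<strong>Error:</strong> ' . esc_html( $msg ) );
    }
}, 10, 2 );
```

The check deliberately lives in one plain function so it can be exercised from a unit test or WP-CLI without a request context; the two hooks only extract the submitted password and report the verdict.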
Always Have Database Backups! PERIOD!
This is the most important tip in the whole series. You cannot afford not to have a recent database backup. Better yet, schedule regular backups sent to your email, uploaded to Dropbox or saved on the server. I personally prefer to keep backups on Dropbox. Nobody knows when a site will get hacked or its database corrupted, so it’s always better to have a database backup. Then even if your site is down, already prey to hackers or messed up inside out by some malicious code, you can sit relaxed, getting a tan under the sun and slurping that tea.
There are multiple ways to generate and schedule a database backup. For simplicity’s sake, we will use an easy one:
- Install & activate BackUpWordPress
- Go to Tools > Backups to run a backup
- Since the plugin is aimed at beginners, it does not offer many destinations to save the database to
- Meaning you can only store backups on your server
- If you click “Run now” with the default backup settings, backups are stored on your server every day at 11 pm.
- The settings are however fairly customizable
Disable File Editing From WordPress Dashboard
OK. For one second, let’s imagine what happens if a hacker gains access to your WordPress dashboard. They have your posts, themes, free & premium plugins, and can execute any PHP code they desire through the Theme Editor & Plugin Editor. Or they can somehow compromise your database, from where they can redirect your site to theirs, change your login credentials and leave you no way to access your database or WP installation. What do you do then?! Pardon my French, but you are totally screwed!
Well, the whole story started when they were able to execute code through the Theme & Plugin Editors found at Appearance > Editor & Plugins > Editor. So why not just disable these editors and give yourself a break? Here is how you can do that:
- Go to wp-config.php
- Add this line right before /* That's all, stop editing! Happy blogging. */ : define( 'DISALLOW_FILE_EDIT', true );
- This will disable the editors, so now whenever you have to do custom coding, you need to either use this plugin or use FTP
Keep WordPress Updated
One of the gravest mistakes people make is not keeping WordPress up to date. Sure, I admit there are a lot of updates released, but these updates are what make WP what it is. More often than not, they are primarily security fixes. So if you don’t update WordPress, you are putting your site on hackers’ radar. The pain of updating WordPress is nothing compared to getting your site hacked or, worse, defaced. Unbeknownst to most WP users, WordPress automatically updates itself for minor security releases.
There has been debate as to whether it is ethical to edit one’s site for one’s own protection without one’s permission. But overall, this is for the good of all. You may however disable these automatic updates, which I don’t recommend, by adding the following line to your wp-config.php file:
define( 'WP_AUTO_UPDATE_CORE', false );
Use Two-Factor Authentication
This is security 2.0. With two-factor authentication you get an extra security layer: in addition to your standard login credentials, you have to provide a one-time security code. Google’s plethora of products includes Google Authenticator, which you may be familiar with. This plugin uses that product. Read this tutorial by the legendary WPBeginner to learn how to use this technique.
Security is delicate; it is never 100% done. The best you can do is always have backups, security measures and extra security measures in place. A backup strategy is always good as a fallback. Have fun! If you liked this list, please share it.