Many website owners complain about the security of WordPress. The common opinion is that an open source script is vulnerable to all sorts of attacks. But that is mostly not true – sometimes it’s the other way around. Or, okay, let’s say that it’s partially true, but even then you shouldn’t blame WordPress.
Why? Because it’s usually your fault that your site got hacked. There are some responsibilities that you have to take care of as a website owner. So the key question is always: what are *you* doing to keep your site from being hacked?
1. Rename your login URL
Changing the login URL is an easy thing to do. By default, the WordPress login page can be reached simply by appending wp-admin to the site’s main URL.
When hackers know the direct URL of your login page, they can try to brute force their way in. They try to log in with their GWDb (Guess Work Database, i.e. a database of guessed usernames and passwords, e.g. username: admin and password: p@ssword, with millions of such combinations).
So, at this point – if you’ve been following along – we have already restricted the user login attempts and swapped usernames for email IDs. Now we can replace the login URL and get rid of 99% of direct brute force attacks.
This little trick stops an unauthorized party from reaching the login page at all: only someone who knows the exact URL can load it. Again, the iThemes Security plugin can help you change your login URLs, like so:
wp-login.php to something unique, e.g.
/wp-admin/ to something unique, e.g.
/wp-login.php?action=register to something unique, e.g.
2. Protect the wp-admin directory
The wp-admin directory is the heart of any WordPress website. Therefore, if this part of your site gets breached then the entire site can get damaged.
One possible way to prevent this is to password-protect the wp-admin directory. With such a security measure, the website owner has to submit two passwords to reach the dashboard: one protects the login page, the other the WordPress admin area. If your site’s users need access to some particular parts of wp-admin, you can unblock those parts while keeping the rest locked.
You can use the AskApache Password Protect plugin for securing the admin area. It automatically generates a .htpasswd file, encrypts the password and configures the correct security-enhanced file permissions.
3. Use SSL to encrypt data
Implementing an SSL (Secure Sockets Layer) certificate is one smart move to secure the admin panel. SSL encrypts the data travelling between users’ browsers and the server, making it difficult for hackers to intercept the connection or spoof your info.
Getting an SSL certificate for your WordPress website is not an issue. You can purchase one from some dedicated companies or alternatively ask your hosting firm to hook you up with one (it’s often an option with their hosting packages).
I use the Let’s Encrypt free open source SSL certificate on most of my sites. Any good hosting company like Whogohost offers free Let’s Encrypt with their hosting packages.
The SSL certificate also affects your website’s rankings at Google. Google ranks sites with SSL higher than those without it. That means more traffic. Now who doesn’t want that?
4. Change the admin username
During WordPress installation, you should never choose “admin” as the username for your main administrator account. Such an easy-to-guess username gives hackers a head start: all they need to know is the password, and your entire site ends up in the wrong hands.
I can’t tell you how many times I have scrolled through my website logs, and found login attempts with username “admin”.
The iThemes Security plugin can stop such attempts cleverly by immediately banning any IP address that attempts to log in with that username.
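Tips 1 and 4 both come down to noticing repeated failed logins in your logs. The script below is an added example, not code from the article or from any plugin it mentions: it scans constructed access-log lines (the IPs, timestamps and thresholds are sample data) for the signature of a wp-login.php brute-force run, relying on the fact that WordPress answers a failed login POST with HTTP 200 (it re-renders the form) and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the Apache/Nginx "combined" access-log format (not real
# traffic). WordPress answers a failed login POST with HTTP 200 (it re-renders the form)
# and a successful one with a 302 redirect to the dashboard.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:14:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:15:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:16:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "curl/8.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_login_bruteforce(log_text, threshold=5, window_minutes=10):
    """Return {ip: total_failures} for IPs with >= threshold failed logins in any window."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m["method"] != "POST":
            continue
        if not m["path"].startswith("/wp-login.php") or m["status"] != "200":
            continue                      # 302 is a successful login, not a failure
        failures[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0                         # sliding window over the sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    for ip, n in find_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed login attempts, rate-limit or ban this source")
```

Once the login URL is renamed (tip 1), the same POSTs show up as 404s instead, so the filter above also tells you when a scanner is still hammering the old path.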
5. Change the WordPress database table prefix
If you have ever installed WordPress then you are familiar with the wp- table prefix that is used by the WordPress database. I recommend you change it to something unique.
Using the default prefix makes your site’s database prone to SQL injection attacks. Such attacks can be prevented by changing wp- to some other term, e.g. you can make it
If you have already installed your WordPress website with the default prefix, then you can use a few plugins to change it. Plugins like WP-DBManager or iThemes Security can help you do the job with just a click of a button. (Make sure you back up your site before doing anything to the database).
6. Back up your site regularly
No matter how secure your website is, there is always room for improvement. But at the end of the day, keeping an off-site backup somewhere is perhaps the best antidote, whatever happens.
If you have a backup, you can always restore your WordPress website to a working state any time you want. There are some plugins that can help you in this respect.
7. Protect the wp-config.php file
The wp-config.php file holds crucial information about your WordPress installation, and it’s in fact the most important file in your site’s root directory. Protecting it means protecting the core of your WordPress blog.
It gets difficult for hackers to breach the security of your site if the wp-config.php file becomes inaccessible to them.
The good news is that making this happen is really easy. Just take your wp-config.php file and move it one level above your root directory.
Now the question is: if you store it elsewhere, how does the server find it? WordPress’s loader looks for wp-config.php in the installation directory first and, if it is not there, one level above it (as long as that parent directory is not itself a WordPress installation). So even if the file is stored one level above the root directory, WordPress can still see it.
8. Disallow file editing
If a user has admin access to your WordPress dashboard then they can edit any files that are part of your WordPress installation. This includes all plugins and themes.
However, if you disallow file editing, even if a hacker obtains admin access to your WordPress dashboard, they still won’t be able to modify any file.
Add the following to the wp-config.php file (at the very end):
9. Disable directory listing with .htaccess
If you create a new directory as part of your website and do not put an index.html file in it, you may be surprised to find that your visitors can get a full directory listing of everything that’s in that directory.
For example, if you create a directory called “data”, you can see everything in that directory simply by typing http://www.example.com/data/ in your browser. No password or anything is needed.
You can prevent this by adding the following line of code in your .htaccess file:
Options All -Indexes
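Tips 5, 8 and 9 each change one setting in wp-config.php or .htaccess. The audit below is an added example, not code from the article or from WordPress: it reads the text of the two files and reports which of those settings are still at their weak default, run here against constructed weak and hardened samples (the stock prefix WordPress writes to wp-config.php is `wp_`; the custom prefix `k7x_` is a made-up value). A custom prefix only defeats injection payloads that hard-code table names, so it complements, rather than replaces, fixing the injectable code.

```python
import re

# Constructed sample files (not from a real site): a wp-config.php and .htaccess
# still at the weak defaults, beside versions hardened as tips 5, 8 and 9 describe.
WEAK_WP_CONFIG = """\
<?php
define('DB_NAME', 'wordpress');
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
"""
HARDENED_WP_CONFIG = """\
<?php
define('DB_NAME', 'wordpress');
$table_prefix = 'k7x_';
define('DISALLOW_FILE_EDIT', true);
/* That's all, stop editing! Happy publishing. */
"""
WEAK_HTACCESS = "RewriteEngine On\n"
HARDENED_HTACCESS = "Options All -Indexes\nRewriteEngine On\n"

PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]\s*;")
FILE_EDIT_RE = re.compile(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)
INDEXES_RE = re.compile(r"^\s*Options\b.*\s-Indexes\b", re.I)   # "Options -Indexes" or "Options All -Indexes"

def audit_wp_config(text):
    """Return the list of weak settings found in the given wp-config.php contents."""
    findings = []
    m = PREFIX_RE.search(text)
    if m is None or m.group(1) == "wp_":
        findings.append("table prefix is the default wp_ (tip 5)")
    if FILE_EDIT_RE.search(text) is None:
        findings.append("DISALLOW_FILE_EDIT is not set to true (tip 8)")
    return findings

def audit_htaccess(text):
    """Return the list of weak settings found in the given .htaccess contents."""
    # Comment lines (#) are skipped so a commented-out directive does not count as active.
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    if not any(INDEXES_RE.match(l) for l in lines):
        return ["directory listing is not disabled with Options -Indexes (tip 9)"]
    return []

if __name__ == "__main__":
    for name, cfg, hta in (("weak", WEAK_WP_CONFIG, WEAK_HTACCESS),
                           ("hardened", HARDENED_WP_CONFIG, HARDENED_HTACCESS)):
        print(name, audit_wp_config(cfg) + audit_htaccess(hta) or ["no findings"])
```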