As promised, here are the rest of my advanced tips for WordPress security.
1. Change the admin username
During your WordPress installation, you should never choose “admin” as the username for your main administrator account. Such an easy-to-guess username hands attackers half of the credentials for free: all they still need to figure out is the password, and then your entire site is in the wrong hands.
I can’t tell you how many times I have scrolled through my website logs, and found login attempts with username “admin”.
The iThemes Security plugin can stop such attempts by immediately banning any IP address that attempts to log in with that username.
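To show what that kind of rule looks like in practice, here is an added example (not code from iThemes or from the original post) that scans a login log and decides which client addresses to block. The log format and the sample lines are constructed for the example; the two rules are the ones described above: any attempt with a reserved username such as “admin” is banned on the spot, and any other address is banned once it reaches a threshold of failed attempts.

```python
import re
from collections import Counter

# Constructed sample lines, not output of any real plugin: timestamp, client IP,
# outcome and the username that was tried, one login attempt per line.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 FAILED user=admin
2024-03-01T10:00:02Z 203.0.113.7 FAILED user=admin
2024-03-01T10:01:10Z 198.51.100.4 FAILED user=editor
2024-03-01T10:01:40Z 198.51.100.4 SUCCESS user=editor
2024-03-01T10:02:05Z 192.0.2.9 FAILED user=jane
2024-03-01T10:02:06Z 192.0.2.9 FAILED user=jane
2024-03-01T10:02:07Z 192.0.2.9 FAILED user=jane
2024-03-01T10:02:08Z 192.0.2.9 FAILED user=jane
2024-03-01T10:03:00Z 203.0.113.8 FAILED user=Administrator
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<result>FAILED|SUCCESS) user=(?P<user>\S+)$"
)

# Usernames that no legitimate account on this site uses. A login attempt with
# one of them cannot come from a real user, so the client is banned on the
# first try. (Assumed list for the example; adjust to your own site.)
RESERVED_USERNAMES = {"admin", "administrator"}


def parse_log(text):
    """Parse the format above into a list of dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def ips_to_ban(events, max_failures=3):
    """Return {ip: reason} for every client that should be blocked.

    Rules, applied in log order: a failed attempt with a reserved username
    bans the IP immediately; otherwise the IP is banned once it reaches
    max_failures failed attempts with any username. Successful logins are
    ignored, so a real user who mistypes once is not penalised.
    """
    bans = {}
    failures = Counter()
    for e in events:
        if e["result"] != "FAILED" or e["ip"] in bans:
            continue
        # Compare case-insensitively so variants like "Admin" are caught too.
        if e["user"].lower() in RESERVED_USERNAMES:
            bans[e["ip"]] = "reserved username " + e["user"]
            continue
        failures[e["ip"]] += 1
        if failures[e["ip"]] >= max_failures:
            bans[e["ip"]] = "%d failed logins" % failures[e["ip"]]
    return bans


if __name__ == "__main__":
    for ip, reason in ips_to_ban(parse_log(SAMPLE_LOG)).items():
        print(ip, reason)
```

Run on the sample, it bans 203.0.113.7 and 203.0.113.8 for trying reserved usernames and 192.0.2.9 for three failed guesses, while 198.51.100.4 (one typo, then a successful login) is left alone. The resulting list is what you would feed to a firewall or a plugin's blocklist.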
2. Use two-factor authentication for WordPress security
Introducing a two-factor authentication (2FA) module on the login page is another good security measure. In this case, the user has to provide two different login components, and the website owner decides what those two are. It can be a regular password followed by a secret question, a secret code, a set of characters, or, most popular of all, the Google Authenticator app, which sends a secret code to your phone. This way, only the person with your phone (you) can log in to your site.
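The code an authenticator app shows is a time-based one-time password (TOTP, RFC 6238): the app and the site share a secret, and both derive the same six digits from that secret and the current 30-second time step, so nothing has to travel to the phone at all. The following is an added example (not code from the original post or from any WordPress plugin) that implements the verification side of that scheme with the Python standard library; the secret used in the comments is the RFC 6238 test vector, and the `window` parameter is an assumption of this example for tolerating small clock drift between phone and server.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)       # keep leading zeros


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1, step: int = 30) -> bool:
    """Check a submitted code against the current step and +/- `window` steps.

    A small window absorbs clock drift between the phone and the server; a
    large one widens the set of codes an attacker could guess, so keep it at 1.
    The comparison is constant-time to avoid leaking matching digits.
    """
    for offset in range(-window, window + 1):
        t = now + offset * step
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret, t, step), code):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret from a provisioning URI / QR code into raw bytes."""
    padded = encoded.upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"    # RFC 6238 test-vector secret
    print(totp(rfc_secret, 59))             # "287082" per the RFC table
    print(verify_totp(rfc_secret, "287082", 59))
```

The login flow then becomes: check the password first, and only if it is correct ask for the six digits and call `verify_totp` with the user's stored secret and the server's clock. Store the secret like any other credential (encrypted at rest), and record used codes per time step if you want to stop the same code being replayed within its 30-second life.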
3. Set directory permissions carefully
Wrong directory permissions can be fatal, especially if you’re working in a shared hosting environment.
In such a case, changing files and directory permissions is a good move to secure the website at the hosting level. Setting the directory permissions to “755” and files to “644” protects the whole file system – directories, subdirectories, and individual files.
This can be done either manually via the File Manager inside your hosting control panel, or through the terminal (connected with SSH) – use the “chmod” command.
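As an added example (not code from the original post), here is a small audit script that walks a WordPress directory tree, reports every directory that is not 755 and every file that is not 644, and optionally fixes them, so you can see what a `chmod` pass would change before running it. The `demo` function builds a throwaway tree with deliberately wrong modes; the file and directory names in it are made up for the example.

```python
import os
import stat
import tempfile

DIR_MODE = 0o755   # rwxr-xr-x: owner may write, everyone else may only traverse/list
FILE_MODE = 0o644  # rw-r--r--: owner may write, everyone else may only read


def iter_paths(root):
    """Yield root and every entry beneath it (not following symlinked dirs)."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def audit_permissions(root):
    """Return [(path, current_mode, expected_mode)] for entries that deviate."""
    deviations = []
    for path in iter_paths(root):
        if os.path.islink(path):
            continue  # a symlink's own mode is irrelevant; never chmod through it
        st = os.lstat(path)
        expected = DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE
        current = stat.S_IMODE(st.st_mode)   # permission bits only
        if current != expected:
            deviations.append((path, current, expected))
    return deviations


def fix_permissions(root, dry_run=True):
    """Apply the 755/644 scheme; with dry_run=True only report what would change."""
    changed = []
    for path, _current, expected in audit_permissions(root):
        if not dry_run:
            os.chmod(path, expected)
        changed.append(path)
    return changed


def demo():
    """Build a constructed tree with wrong modes, audit, fix, audit again.

    Returns (deviations_before, paths_changed, deviations_after).
    """
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "wp-content")          # constructed names
        os.mkdir(sub)
        cfg = os.path.join(root, "wp-config.php")
        img = os.path.join(sub, "logo.png")
        for f in (cfg, img):
            open(f, "w").close()
        os.chmod(root, 0o755)   # correct
        os.chmod(sub, 0o777)    # world-writable directory: wrong
        os.chmod(cfg, 0o666)    # world-writable file: wrong
        os.chmod(img, 0o644)    # correct
        before = len(audit_permissions(root))
        changed = fix_permissions(root, dry_run=False)
        after = len(audit_permissions(root))
        return before, len(changed), after


if __name__ == "__main__":
    print(demo())   # (2, 2, 0)
    for path, cur, exp in audit_permissions("."):
        print("%s: %o -> %o" % (path, cur, exp))
```

Run `audit_permissions` on the site root first and read the report; the entries that stand out are typically world-writable (`777`/`666`) files left behind by an installer or an FTP client, which is exactly what you want to catch on shared hosting.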
4. Block all hotlinking
Let’s say you locate an image online and would like to share it on your website. First of all, you need permission or to pay for that image, otherwise there’s a good chance it’s illegal to do so. But if you do get permission, you might directly pull the image’s URL and use that to place the photo in your post. The main problem here is that the image is shown on your site, but being hosted on another site’s server.
From this perspective, you don’t have any control over whether or not the photo remains on the server. But it’s also important to realize that people might do this to your website.
If you’re trying to secure your WordPress website, hotlinking is basically another person taking your photo and stealing your server bandwidth to show the image on their own website. In the end, you’ll see slower loading speeds and the potential for high server costs.
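Hotlink protection is usually configured in the web server (Apache `.htaccess` rewrite rules or nginx referer rules), and all of those rules encode the same decision: is the `Referer` of an image request your own site, or somebody else's page? The following added example (not code from the original post) spells that decision out in Python, including the edge cases that badly written rules get wrong: a missing `Referer` must be allowed, since browsers omit it on direct visits and under privacy settings, and a suffix check must not let `notexample.com` pass as `example.com`. The host names in it are constructed for the example.

```python
from urllib.parse import urlsplit


def is_hotlink(site_host, referer, allowed_hosts=()):
    """Return True if an image request should be refused as hotlinking.

    site_host:     the host this site is served as, e.g. "example.com"
    referer:       the request's Referer header, or None/"" if absent
    allowed_hosts: extra hosts permitted to embed images (a CDN, a sister site)
    """
    if not referer:
        # No Referer: direct visits, bookmarks, e-mail clients and privacy
        # settings all omit it. Refusing these would break legitimate visitors.
        return False
    ref_host = urlsplit(referer).hostname   # lower-cased, port stripped
    if ref_host is None:
        return False  # unparseable header: fail open rather than lock users out
    permitted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    for host in permitted:
        # Exact match or a subdomain. The leading dot is what stops
        # "notexample.com" from being accepted as "example.com".
        if ref_host == host or ref_host.endswith("." + host):
            return False
    return True


if __name__ == "__main__":
    # constructed requests against a site served as example.com
    for ref in ("", "https://www.example.com/post", "https://notexample.com/",
                "https://forum.example.net/thread", "https://cdn.example.org/x"):
        print(repr(ref), "->", "deny" if is_hotlink("example.com", ref,
                                                    allowed_hosts=["cdn.example.org"]) else "allow")
```

When the function returns True, the server's rule would either return 403 or serve a placeholder image instead of the real file. Referer-based checks are easy to spoof by anyone who controls the client, so treat them as a bandwidth-saving measure, not as access control.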
5. Rename your login URL to secure your WordPress website
Changing the login URL is an easy thing to do. By default, the WordPress login page can be accessed easily via
to the site’s main URL.
When hackers know the direct URL of your login page, they can try to brute force their way in. They attempt to log in with their GWDb (Guess Work Database, i.e. a database of guessed usernames and passwords; admin and password:
with millions of such combinations).
At this point, we have already restricted the user login attempts and swapped usernames for email IDs. Now we can replace the login URL and get rid of 99% of direct brute force attacks.
This little trick restricts an unauthorized entity from accessing the login page. Only someone with the exact URL can do it. Again, the iThemes Security plugin can help you change your login URLs.