The security of your website is something you should take very seriously. You should always take precautionary action to protect your website from security threats. In this blog post, I will share with you how to secure a WordPress website.
I can still feel the pain from when my website got compromised a few years ago. I was so shocked when I browsed my website and it showed something else. I thought I was typing in the wrong address and I kept trying it a few times. It showed the same result. Then I knew my website had been compromised. My mood fell to the bottom!
This incident taught me a lesson: I should have always taken proactive action to protect my website from security threats. Remember, security is about minimizing risk, not eliminating it. Risk will always be there.
I am not a security expert, but I want to share with you what I do to protect my website and how to secure a WordPress website.
Don’t Use the Username “admin”
Never ever use “admin” as your username, in any case! Choose something else. There are many names you can use and I am sure you can find one. The “admin” username makes your WordPress website more vulnerable to brute force attacks, because an attacker who can guess the username already has half of the credentials and only needs to guess the password.
If you are already using “admin” as your username, simply create a new user with the administrator role, then remove the “admin” user. Don’t worry about the posts or pages created by the “admin” user: when you delete it, you will be asked whether to delete all the content created by “admin” or assign it to the new user.
Practice the Least Privilege Principle
In some cases, you will need someone other than you to manage your WordPress website. In that case, you need to grant that user access to the WordPress backend.
Make sure you practice the least privilege principle by assigning the appropriate role to the user. Don’t assign the administrator role to a user just for the sake of convenience, or you will regret it later.
By practicing the least privilege principle, you will greatly reduce your security risk.
Use a Strong Password
A password is the key for people to access your website backend. Therefore, using a strong password will greatly reduce the risk of a successful attack. You should avoid using common passwords that can easily be guessed. Below are some example common passwords you should avoid using.
Below are some criteria to create a strong password.
- Must be at least 8 characters long.
- Don’t use your personal information, for example your name or company name.
- Include numbers and less common characters like # or ^.
- Use uppercase and lowercase letters.
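The four criteria above are easy to turn into an automated check, for example for a registration form or a script that audits the accounts on a site. The following is an added example, not code from the original post; the small list of common passwords is a constructed sample (a real denylist would be a full breached-password list), and the names of the functions are my own.

```python
import re

# Constructed sample of well-known weak passwords. A real deployment would use a
# much larger denylist, such as a published breached-password list.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "admin", "welcome",
}


def check_password(password, personal_info=()):
    """Return the list of criteria the password fails; an empty list means it passes.

    The criteria follow the post: at least 8 characters, no personal information
    (names passed in `personal_info`), a digit and a less common character,
    both uppercase and lowercase letters, and not a common password.
    """
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    lowered = password.lower()
    for item in personal_info:
        # Case-insensitive substring match: "Kwah2019!" still contains "kwah".
        if item and item.lower() in lowered:
            failures.append(f"contains personal information: {item!r}")
    if not re.search(r"\d", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbol such as # or ^")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        failures.append("not mixed case")
    if lowered in COMMON_PASSWORDS:
        failures.append("is a common password")
    return failures


def is_strong(password, personal_info=()):
    """Convenience wrapper: True only when no criterion fails."""
    return not check_password(password, personal_info)


if __name__ == "__main__":
    for candidate in ("password", "Kwah2019!", "Short1#", "Tr0ub4dor&3"):
        problems = check_password(candidate, personal_info=("Kwah",))
        print(f"{candidate!r}: {'OK' if not problems else ', '.join(problems)}")
```

Pass the site owner's name, company name and domain in `personal_info` so that the second criterion is actually enforced rather than left to the user's judgement.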
Change the WordPress Database Table Prefix
By default, WordPress uses ‘wp_’ as the prefix for all of its database tables. Using the default value is always risky from a security perspective: it makes the job easier for a hacker attacking your website, since every table name is known in advance. Therefore, it’s a good idea to change the default table prefix.
There are a few ways to change the table prefix. If you are installing a fresh copy of WordPress, you have the chance to change the default table prefix during installation.
If you are already using the default table prefix, you can still change it, but the steps are not as straightforward. You must do it carefully or you will break your website. I don’t recommend doing this unless you are confident in your coding skills.
Disable File Editing
WordPress provides a built-in file editor for your convenience. However, that convenience also makes it easier for a hacker who gets into your dashboard to change your files. You can reach the editor by going to Appearance > Editor in WordPress.
Therefore, you should disable the file editing function to improve your WordPress security. There are two ways to do this: use a plugin, or manually edit the wp-config.php file.
Personally, I use the All In One WP Security WordPress plugin to disable file editing. If you would like to do it manually, open wp-config.php and set the “DISALLOW_FILE_EDIT” constant to ‘true’.
Don’t worry, disabling the file editing function doesn’t mean you can’t change your files any more. You can still change them using your favourite FTP application; you just won’t be able to do it from within WordPress itself.
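Both of the last two sections come down to two lines in wp-config.php: the `$table_prefix` assignment and the `DISALLOW_FILE_EDIT` constant. A quick audit script that reads the file and reports whether either is still at the risky default is a useful check before and after you make the change. This is an added example, not code from the post or from WordPress; the two config snippets are constructed samples, and the function names are my own.

```python
import re

# Constructed sample: a wp-config.php still carrying both risky defaults
# (default table prefix, file editing not disabled).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
"""

# Constructed sample: the same file after the two changes described in the post.
HARDENED_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
$table_prefix = 'site7k_';
define( 'DISALLOW_FILE_EDIT', true );
define( 'WP_DEBUG', false );
"""

# Matches the `$table_prefix = '...';` assignment at the start of a line.
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""", re.M)
# Template for a boolean define(); the constant name is filled in per lookup.
DEFINE_RE = r"""define\s*\(\s*['"]{name}['"]\s*,\s*(true|false)\s*\)"""


def table_prefix(config_text):
    """Return the configured table prefix, or None if the assignment is missing."""
    m = PREFIX_RE.search(config_text)
    return m.group(1) if m else None


def constant_value(config_text, name):
    """Return True/False for a boolean define(NAME, ...), or None if it is absent."""
    m = re.search(DEFINE_RE.format(name=re.escape(name)), config_text, re.I)
    if not m:
        return None
    return m.group(1).lower() == "true"


def audit_wp_config(config_text):
    """Return a list of findings; an empty list means both settings are hardened."""
    findings = []
    prefix = table_prefix(config_text)
    if prefix is None or prefix == "wp_":
        findings.append("table prefix is the default 'wp_'")
    if constant_value(config_text, "DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT is not set to true")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_WP_CONFIG), ("hardened", HARDENED_WP_CONFIG)):
        print(label, "->", audit_wp_config(text) or "no findings")
```

To run it against a real site, read the file contents (for example `open("wp-config.php").read()`) and pass them to `audit_wp_config`; the script only inspects the text and never modifies the file.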
Limit Login Attempts
A brute force attack is a popular method used by hackers to crack your password. In this method, the attacker targets your login form and tries different combinations of username and password until one works.
Limiting failed login attempts greatly reduces your website’s exposure to brute force attacks. You can achieve this easily by installing a WordPress plugin. Personally, I use the All In One WP Security plugin; it has an option to limit the number of login attempts from a specific IP address.
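What a “limit login attempts” option does under the hood is count failed attempts per source address inside a time window and reject further attempts once the count hits a threshold. The following is an added example of that logic, not code from the post or from the plugin; the thresholds, the event list and the class name are my own constructed assumptions.

```python
from collections import defaultdict, deque


class LoginLimiter:
    """Lock an IP address out after too many failed logins in a sliding window."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time at which the lockout expires

    def is_locked(self, ip, now):
        """True while a lockout is active; expired lockouts are cleared on the way."""
        until = self._locked_until.get(ip)
        if until is not None and now < until:
            return True
        self._locked_until.pop(ip, None)
        return False

    def record_failure(self, ip, now):
        """Register a failed attempt; returns True if this one triggered a lockout."""
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, ip):
        """A successful login clears the failure history for that address."""
        self._failures.pop(ip, None)


def replay(events, limiter):
    """Feed (time, ip, outcome) events through the limiter; return rejected (time, ip)."""
    rejected = []
    for t, ip, outcome in events:
        if limiter.is_locked(ip, t):
            rejected.append((t, ip))
            continue
        if outcome == "fail":
            limiter.record_failure(ip, t)
        else:
            limiter.record_success(ip)
    return rejected


# Constructed sample: one address hammering the login form, one legitimate user
# who mistypes once. Times are seconds; addresses are documentation ranges.
SAMPLE_EVENTS = [
    (0, "203.0.113.5", "fail"),
    (2, "203.0.113.5", "fail"),
    (4, "203.0.113.5", "fail"),
    (6, "203.0.113.5", "fail"),
    (8, "203.0.113.5", "fail"),        # fifth failure -> locked out until t=908
    (10, "203.0.113.5", "success"),    # correct password, but rejected while locked
    (12, "198.51.100.7", "fail"),
    (14, "198.51.100.7", "success"),   # legitimate user: one typo, then success
    (920, "203.0.113.5", "fail"),      # lockout has expired, counting starts again
]

if __name__ == "__main__":
    print("rejected:", replay(SAMPLE_EVENTS, LoginLimiter()))
```

Note that the lockout rejects even a correct password at t=10: that is the point of the control, since the attacker who eventually guesses right is locked out along with the failures. The window also matters: with the second limiter in the test, three failures spread over 50 seconds are not a lockout, but three within 10 seconds are.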
Add Two-Factor Authentication
Two-Factor Authentication, also known as 2FA, provides an extra layer of security for your login form. As the name implies, you have to pass two forms of authentication.
This means you need not only a username and password but also another piece of information, to ensure that you are the only person who can access your account.
A common implementation of 2FA sends a One-Time Password (OTP) via SMS or email. Alternatively, you can use the Google Authenticator 2FA plugin to implement this.
Keep WordPress Up to Date
It’s no secret that WordPress is the most popular content management system (CMS) people use to build their websites. Moreover, it is free and open source. Because of this, it is always a target for malicious hackers looking for vulnerabilities in it.
Thanks to the WordPress community, as soon as a vulnerability is found in WordPress, a patch is created to fix it. This is why you should always keep your WordPress website up to date. By keeping WordPress up to date, you also keep your website out of reach of attacks on known, already-fixed vulnerabilities.
Add Captcha on Login Page
Adding a captcha to your WordPress login page makes it even harder for someone to gain unauthorized access. It also protects your website from automated brute force attacks.
You can easily add a captcha to your WordPress login page using the All In One WP Security plugin. To do this, simply go to WP Security >> Brute Force >> Login Captcha and enable the captcha on the login page.
Your website’s security is a very important matter and you need to pay extra attention to it. I am sure you don’t want to be the next victim. That’s all for my sharing today, and I hope you learned something from my article. Remember, “Prevention is better than cure”.
To Your Success,
Kwah Choon Hiong