Posted by ThinSquare on Thursday, 28 Sep 2017
When we build a website in WordPress, we usually pay a lot of attention to appearance, functionality, usability and content, and often overlook a factor as necessary as security.
Can you imagine waking up tomorrow morning and, after weeks or months of work, finding that someone has hacked the site? I prefer not to think about it.
To help avoid that, today I bring you 8 simple tips (some simpler than others) to improve the security of your WordPress website. You know, better safe than sorry.
Securing a WordPress site 100% is almost mission impossible. In the end, if someone is determined to get into your website and has the necessary knowledge, one way or another they are likely to succeed.
Many people collaborate on the WordPress code, and many WordPress plugins and themes are developed by third parties, so it is very easy for a bug to appear somewhere that makes life easier for hackers.
Our goal today is to make it as hard as we can for them. If they want to get in and cause damage, at the very least we will slow them down.
We must also keep hunting for the clues our installation gives away. If someone wants to get into the website, these details will be the first thing they look for.
To avoid this kind of thing and improve the security of your WordPress, we will now go through a series of very simple tips, accessible to everyone, that will at least make things a little more difficult for the next hacker who lands on your website.
So without any further ado, let’s get to it.
1. User Name
It may seem very obvious, but you would be surprised how many sites are still accessed with the typical admin user.
You should avoid this type of username (admin, administrator, editor, etc.). Likewise, avoid using your own name or any reference to the site's domain.
In general, avoid any username that can be predicted.
Keep in mind that many unwanted logins to WordPress are achieved by brute force, and usernames of this kind will be the first ones tried.
In computing, a brute-force attack is the method of recovering a key by testing all possible combinations until the one that grants access is found.
This is done with programs that load a list of the most frequently used usernames and passwords and test the combinations one by one until the correct one is found.
You also have to distinguish between the username and the display name. By default, WordPress uses the username as the name shown publicly, and this is something you should change. To do so, open a user for editing and you will see the relevant section.
The username, as you will see, is greyed out and cannot be changed. However, you can enter an alias in its field and then choose that alias in the drop-down for the name to display publicly.
2. Secure Password
This one is important, too. However, there are still people who use passwords like 'password' or '123456'.
What should a secure password look like?
- It must be at least 8 characters long and alphanumeric: it should contain lower-case letters, capital letters, numbers and punctuation marks.
- Do not use personal information in it: no dates, names of partners or children, etc.
A good password looks something like this: Ow\SoJs2. On top of that, you should have a different one for each service you use. Obviously, if you use the same one everywhere, the day someone discovers one, they discover them all. And it really is worth spending some time on this; we do not realize how important it is until it happens to us.
3. Update WordPress, theme, and plugins regularly
Update WordPress, your custom WordPress theme and the plugins you use as soon as new versions are released. Quite often, bugs and flaws are discovered in the code that can allow unwanted access to our installation.
WordPress developers strive to detect and fix these bugs as soon as they appear and release a new version of the code to fix them. That is why it is important to keep the system updated, just as you would an operating system.
4. Use Original Themes and Plugins
Raise your hand if you have never downloaded a pirated program. The temptation to get something without paying is great, and WordPress themes and plugins are no exception.
The problem with piracy, in this case, is that pirated themes and plugins often carry scripts and malicious code that can ruin your website in a matter of seconds.
Think about it for a moment. Why would anyone bother to buy a theme and then share it with everyone for free? There are many good-faith people out there, but that many?
My advice is to use only original WordPress themes and plugins downloaded from the official websites, or to let a WordPress development company help you in this regard.
5. Protect wp-admin from the control panel
This is very simple and can save you a lot of headaches. It consists of protecting the wp-admin directory from your hosting control panel so that it can only be accessed by someone who knows the username and password set for that directory.
I will show how to do it in cPanel, which is one of the most widely used, but it is just as easy in any control panel your provider offers.
Log in to your cPanel and scroll down to the Security section; you will see the option there.
Go to the password-protected directories option and a window will open where you can choose the directory to protect. Choose wp-admin and the configuration screen will appear. Protecting a directory from cPanel is very simple.
At the top, tick the box to password-protect the directory and choose the name of the prompt that will ask for the username and password.
At the bottom, choose the username and password and click the Add authorized user button.
What happens after protecting the directory? First, you will have to enter the username and password you just created to access the directory, and once authenticated you will reach the WordPress login. In other words, you will have a double check before reaching the administration of your website.
6. Perform backups regularly
It is important to back up your website periodically, at least once a week.
The simplest way is through a plugin, which lets you automate your backups and even send them to a cloud service like Google Drive or Dropbox.
The three are quite alike and work equally well. I would like to explain how they work, but this would start to look like a chapter of the Bible; I will explain them in detail in another article.
7. Limit login attempts
This is as simple as installing a plugin. For example, if we limit the number of failed attempts to 3 and someone gets the username and password wrong 3 times, they will not be able to try again until a predefined time has passed. What do we gain with this? We hinder brute-force attacks, which are based on trying the login countless times until the right combination is found. By limiting login attempts, we protect ourselves from such attacks.
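As an added example of the mechanism (my own code, not taken from any plugin or from the original article), here is the lockout logic in Python: after 3 failed logins from the same client address inside a short window, further attempts from that address are refused until the lockout expires. The timings, the client addresses used in tests and the injectable clock are constructed for the illustration.

```python
import time
from collections import defaultdict
from typing import Callable, Dict, List


class LoginLimiter:
    """Lockout logic of the kind a limit-login-attempts plugin applies:
    a client that fails max_attempts logins inside window_seconds is
    locked out for lockout_seconds. The clock is injectable for testing."""

    def __init__(self, max_attempts: int = 3, window_seconds: int = 300,
                 lockout_seconds: int = 900,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_attempts, self.window_seconds = max_attempts, window_seconds
        self.lockout_seconds, self.clock = lockout_seconds, clock
        self._failures: Dict[str, List[float]] = defaultdict(list)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, ip: str) -> bool:
        """True while the client is locked out; an expired lockout is cleared."""
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[ip]
            self._failures.pop(ip, None)  # start again from a clean slate
            return False
        return True

    def record_failure(self, ip: str) -> bool:
        """Register a failed login; returns True if it triggered a lockout."""
        now = self.clock()
        # only failures still inside the counting window count against the client
        recent = [t for t in self._failures[ip] if now - t <= self.window_seconds]
        recent.append(now)
        self._failures[ip] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[ip] = now + self.lockout_seconds
            return True
        return False

    def attempt(self, ip: str, credentials_ok: bool) -> str:
        """Outcome of one login attempt: 'locked', 'allowed' or 'denied'."""
        if self.is_locked(ip):
            return "locked"  # refused before the credentials are even checked
        if credentials_ok:
            self._failures.pop(ip, None)  # a genuine login resets the counter
            return "allowed"
        return "locked" if self.record_failure(ip) else "denied"
```

Note that a locked client is refused even with the correct password, which is exactly what stops the guessing loop; the counter is keyed by client address, so a plugin behind a reverse proxy must be told which header carries the real address.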
8. Change the prefix of the tables of the database
One of the problems with WordPress is the number of clues it gives to visitors with intentions of dubious morality. Another of these clues is the prefix of the database tables. If someone wants to attack your site using SQL injection, the first thing they will check is whether the table prefix is the default one (something very few people change). If it is, since the table names are known, they already know all (or almost all) of the tables in your database.
The first and easiest option is to change it when you install WordPress. If you use your hosting's automatic installer, you probably cannot modify it, but you can if you have a WordPress developer install WordPress manually.
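For an installation that already exists, the prefix can still be changed afterwards. As an added illustration (my own script, not part of the original article or of WordPress), here is a Python helper that generates the SQL needed to move a single-site install from the default `wp_` prefix to a new one, including the two places where WordPress stores the prefix inside table rows; forgetting those leaves every account without a role. The table list is the standard core set, and the new prefix `k7x_` used in the checks is a constructed example.

```python
import re
import secrets
import string
from typing import List, Sequence

# Core tables of a single-site WordPress install, without their prefix.
CORE_TABLES: Sequence[str] = (
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "terms", "term_relationships", "term_taxonomy", "termmeta",
    "usermeta", "users",
)
_PREFIX_RE = re.compile(r"^[a-z0-9_]+_$")  # lower-case letters/digits/underscore, ends in "_"


def random_prefix(length: int = 4) -> str:
    """Construct an unpredictable prefix such as 'k7x_' (always ends in '_')."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length - 1)) + "_"


def wp_config_line(new: str) -> str:
    """The line to set in wp-config.php so WordPress uses the new prefix."""
    return f"$table_prefix = '{new}';"


def rename_prefix_sql(old: str, new: str,
                      tables: Sequence[str] = CORE_TABLES) -> List[str]:
    """MySQL statements that move the tables from prefix `old` to `new`.

    Besides the RENAMEs, WordPress keeps the prefix inside two kinds of
    rows: options.option_name ('<prefix>user_roles') and usermeta.meta_key
    ('<prefix>capabilities', '<prefix>user_level', ...). Without the two
    UPDATEs every account loses its role after the rename.
    """
    for p in (old, new):  # validated before interpolation: no untrusted text in SQL
        if not _PREFIX_RE.match(p):
            raise ValueError(f"invalid table prefix: {p!r}")
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    stmts.append(f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
                 f"WHERE option_name = '{old}user_roles';")
    # LEFT() rather than LIKE: '_' is a LIKE wildcard, so 'wp_%' would also
    # match keys that merely start with "wp" followed by any character.
    stmts.append(f"UPDATE `{new}usermeta` "
                 f"SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
                 f"WHERE LEFT(meta_key, {len(old)}) = '{old}';")
    return stmts
```

Take a fresh backup before running the statements and update `$table_prefix` in wp-config.php in the same maintenance window, otherwise WordPress will look for tables that no longer exist.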
As you can imagine, these are not all the steps you can take to secure your WordPress installation, but they are the most important ones. To make your WordPress secure, there are WordPress development companies that offer their services at affordable prices.