WordPress is one of the most used content managers for publishing websites and blogs. Although it is a very solid platform, many users suffer attacks for various reasons.
To make things worse, hackers often target the backend, the WordPress admin panel. The reason for this is of course, total control over the site. That is why you should have an extra concern with WP-Admin (WordPress Admin).
To help you protect your site, here are some security tips that can be very useful to keep your site or blog free of vulnerabilities, allowing you to work in peace of mind.
Create Custom Login Links
It is very obvious that, to access the admin panel of WordPress, everyone has to enter the URL of the site with ‘/wp-login.php’. Now, if you used the same password in more than one location, and this has been broken, then it is easy for someone to hack your site.
A plugin called Stealth Login Page allows you to create custom URLs for login, logout, administration and registration for your WordPress blog.
You can also enable Stealth Mode, which will prevent users from being able to access ‘ wp-login.php ‘ directly. You can then set your login url to something more enigmatic.
This will not guarantee your site perfectly, but if someone can break your password, it can make it difficult for him/her to find where the login really is. This also prevents any bots, which are used for malicious purposes, to access your ‘ wp-login.php ‘ file and try to break it.
Choose a Strong Password
This is a step that seems very obvious, but it may still be insufficiently emphasized. Do not use the same password elsewhere. Try to make each password different and hard to guess.
Use the WordPress strength detector – ‘ WordPress Password Strength Detector ‘ – to your advantage and create a strong password.
Another thing you should do is to change your password periodically, so that even if someone has guessed your password, it will be useless to them once you have changed it. Strong password See an excellent guide to Creating Strong Passwords.
Limit Login Attempts
Sometimes the hacker may think he knows the password, or he can develop a script to guess the password, which is worse. In this case, what you need to do is limit your login attempts.
You can easily do this by using a plugin called Limit Login Attempts which will block a user if they enter the wrong password more than the amount of times specified in the plugin.
It will be locked for a period of time also specified. You can control these settings through the wp-admin panel.
Use Secure Login Pages with SSL
SSL Login Pages you can login to the WordPress admin panel through the channels encrypted with SSL, that is, your session URLs will have ‘ https: // ‘. You must confirm with your hosting provider if you have a shared SSL ‘ Shared SSL ‘, or if you have an SSL certificate of your own. Once you have confirmed paste the following code into your ‘ wp-config.php ‘ file:
Define (‘FORCE_SSL_ADMIN’, true);
There is also a plugin called Admin SSL, which will force SSL on every page. It is easier if you use this plugin, but it is only compatible with version 2.7 or higher.
Protect the WP-Admin Directory with Password
There is nothing wrong with having two passwords. This only adds an extra level of security to the WordPress Admin Area. This can be done by using a plugin called AskApache Password Protect .
It encrypts your password and creates the ‘.htpasswd ‘ file, as well as sets the correct advanced security file permissions.
You can also use Password Protection from a cPanel Directory if you are using a cPanel Hosting, such as Hostagor, to password protect the ‘ wp-admin ‘ directory. Ask Apache Protect
Limit access through IP address
You can limit access to your Wp-Admin and only allow certain IP addresses to access it. All you have to do is create a .htaccess file in the ‘ / wp-admin / ‘ folder, if there is not one already. Paste the following code:
AuthUserFile / dev / null
AuthGroupFile / dev / null
AuthName “WordPress Admin Access Control’
order deny, allow
deny from all
# Allow Asllan IP
allow from xx.xx.xx.xxx
# Allow Aline’s IP
allow from xx.xx.xx.xxx
# Allow Home IP
allow from xx.xx.xx.xxx
# Allow Work IP
allow from xx.xx.xx.xxx
Set the IP address that you can access. The downside to this hack is that if you want to access the admin panel from somewhere else, you will not be able to do it unless you add that extra IP in your .htaccess file. Source
Never use the Username “admin”
This is the first user that is created when WordPress is installed. You should never use or maintain this user. This is in the main causes of invasion. You must create another user using the admin panel of your WordPress, and assign administrator roles to it.
Try to make this username something not so obvious, and so it is more difficult for the hacker to guess. Then delete the admin user completely to stay safe.
Remove the Error Message on the Login Page
Error message by default, when you enter a wrong password or an invalid user name, you receive an error message on the login page. So, if a hacker gets a certain thing, the error message will help you identify this.
Therefore, it is recommended that you completely remove this error message. Open your functions.php file, located in the folder of your theme and paste the following code:
add_filter (‘login_errors’, create_function (‘$ a’, ‘return null;’));
A plugin called Secure WordPress also does this and has other features as well. Check it out to see if you care.
Use Encrypted Password in Login
When you do not have SSL enabled, this method comes in handy. A plugin that allows you to do this job, is the plugin called Semisecure Login Reimagined.
WordPress Anti-Virus Protection
The AntiVirus plugin for WordPress is a smart and effective solution to protect your blog against exploits and spam injections. The special feature of this plugin is the manual test with immediate result of the infected files and daily automatic verification with notification by e-mail.
Stay Updated with Latest WordPress Versions
Last, but definitely not least, is keeping up to date with the latest version of WordPress, because each release is made a release.
Therefore, WordPress also includes in the releases the bugs and exploits of the previous version, which puts your administrative area at risk if you do not upgrade.
One Time Password
The One Time Password plugin allows you to login to your WordPress blog using passwords valid for a single session. Single-use passwords prevent your primary WordPress password from being stolen in less trusted environments such as cybercafes and PCs, for example by keyloggers.
WordPress Firewall Plugin
The WordPress Firewall Plugin detects, intercepts and logs suspicious appearance parameters and prevents them from compromising WordPress. It also protects most WordPress plugins from the same attacks.
Optionally, it can be configured as the first plugin to be loaded, for maximum security. It will give you an option to send an email to you with helpful information about blocking a potential attack and more.