Those who own and run a WordPress blog are aware of the dangers associated with the security of such websites. A skilled hacker can sweep your website completely off the web. This can cost you months of traffic and earnings and can seriously affect your site's overall performance. There are certain precautions you should follow to protect your site from such an attack. The security tips below will help strengthen the defenses of your WordPress blog.
Always log in using your email address
When you first install WordPress, the default user is called admin. Create a different user to administer your blog. You can even remove admin, or rename it to subscriber, guest or any other username that is not easy to guess. Then use your email address to log in to your WordPress blog.
Never advertise the WordPress version you use to the world
WordPress sites display their version number by default, which makes it very easy for a hacker to tell whether you are running an outdated version of WordPress and to plan an attack accordingly. Always remove the WordPress version from your blog. You should also remove the readme.html file from the WordPress installation directory, because it also reveals your WordPress version to the world.
Prohibit others from altering your WordPress directory
Log in to the Linux shell of the server hosting WordPress and run the command below. It lists every directory that is world-writable; such directories can be altered by anyone.
find . -type d -perm -o=w
Execute the two commands below to set correct permissions on all of your WordPress files and folders.
find /your/wordpress/folder/ -type d -exec chmod 755 {} \;
find /your/wordpress/folder/ -type f -exec chmod 644 {} \;
This sets directories to mode 755, where only the owner can write while everyone else can only read and enter them, and files to mode 644, where only the owner can read and write while everyone else can just read them.
Rename WordPress Tables Prefix
If you installed WordPress using the default options, your tables have names such as wp_posts or wp_users. It is advisable to change the prefix (wp_) of these tables to a random value.
Stop users from exploring WordPress directories
This step is very necessary on your part. Open the .htaccess file in the WordPress root directory and append the line below:
Options -Indexes
This stops visitors from viewing a listing of the files in your directories whenever an index.html or index.php file is missing from one of them.
Keep a record of your WordPress PHP and database errors
Keeping a log of your errors offers clues about what kinds of invalid database queries and file requests your WordPress installation is receiving. Utilities such as an error log monitor plugin can keep you updated on these errors by email.
To activate error logging in WordPress, add the following code to the wp-config.php file and take care to replace '/path/to/error.log' with the actual path of your log file. Also make sure the error.log file is placed in a folder that cannot be accessed from the browser.
define('WP_DEBUG', true);
if (WP_DEBUG) {
// Keep errors out of the rendered pages and write them to a private log file instead.
define('WP_DEBUG_DISPLAY', false);
@ini_set('log_errors', 'On');
@ini_set('display_errors', 'Off');
@ini_set('error_log', '/path/to/error.log');
}
Put a Password For WordPress Admin Dashboard
This is a very simple but important step for the safety of your blog. Make your dashboard password protected. This not only keeps guests out of your dashboard but also requires authorized users to enter two passwords to reach their admin dashboards.
Track the login activity on your WordPress server
The Linux command "last -i" lists all users who have logged in to your WordPress server, along with their IP addresses. If you find an IP address that has logged in to your server for the first time, you obviously need to change your password. The following command shows the login activity of one user over a longer period, grouped by IP address. Just take care to replace USERNAME with your actual username.
last -if /var/log/wtmp.1 | grep USERNAME | awk '{print $3}' | sort | uniq -c
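The grouping above, extended into a small check that also flags source addresses a user has never logged in from before. This is an added example, not code from the original post; the `last -i` lines in SAMPLE_LAST are constructed, and on a real host you would pipe in `last -if /var/log/wtmp.1` instead.

```shell
#!/bin/sh
# Added example: summarise last(1) output per user and report source IPs
# that are not on a known list. Input is read from stdin so the same logic
# runs on the constructed sample below or on real `last -i` output.

# Constructed sample of `last -i` output (fields: user tty ip date ...).
SAMPLE_LAST='alice  pts/0  203.0.113.10   Mon Mar  3 09:12 - 09:40  (00:28)
alice  pts/1  203.0.113.10   Tue Mar  4 10:01 - 10:30  (00:29)
alice  pts/0  198.51.100.77  Wed Mar  5 02:14 - 02:15  (00:01)
bob    pts/2  203.0.113.10   Wed Mar  5 08:00 - 08:10  (00:10)
wtmp.1 begins Sun Mar  2 00:00:00 2024'

# Print "count ip" for every address the given user logged in from
# (the post's grep | awk | sort | uniq -c pipeline, keyed on field 1
# so that a username does not also match inside other columns).
ip_counts() {  # $1 = user; reads last(1) output on stdin
    awk -v u="$1" '$1 == u { print $3 }' | sort | uniq -c | awk '{ print $1, $2 }'
}

# Print the addresses the given user logged in from that are absent from
# a space-separated list of known addresses: the "first time seen" case.
unknown_ips() {  # $1 = user, $2 = known IPs; reads last(1) output on stdin
    awk -v u="$1" -v known=" $2 " '
        $1 == u && index(known, " " $3 " ") == 0 { print $3 }' | sort -u
}

# Demo on the constructed sample: alice's per-IP counts, then any IP of
# hers that is not in the known list.
printf '%s\n' "$SAMPLE_LAST" | ip_counts alice
printf '%s\n' "$SAMPLE_LAST" | unknown_ips alice "203.0.113.10"
```

Keep the known list for each account somewhere outside the web root; a non-empty result from unknown_ips is the cue the post describes for rotating the password.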
Use WordPress Plugins to improve Website Security
wordpress.org offers a variety of plugins that can help boost the security of your blog. Here are a few worth looking into:
Exploit scan
It quickly scans all your WordPress files and blog posts and flags the ones that contain malicious code. It can also detect spam links hidden inside your posts.
Wordfence security
This is an effective plugin that compares the WordPress core files with the original files, bringing any alteration to light. It also locks out a user after a specified number of failed login attempts.
WordPress Sentinel
This plugin monitors the WordPress files and notifies you of any alteration made to them (files added, removed or edited).
VIP scanner
It scans your WordPress templates for any advertising code that may have been inserted and also checks your WordPress themes for problems.
Find any file that has been altered in the last few days
Use the following command to find any file that has been altered in the last 3 days. Change mtime to mmin to see the files altered in the last m minutes instead.
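The permission checks from the directory section and the recently-modified check from this section, combined into one audit script. This is an added example, not code from the original post; the tree built by build_sample_tree is constructed for the demo, and the path you pass in on a real server is your own WordPress folder.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a WordPress tree for
# world-writable directories, report deviations from the 755/644 scheme the
# post recommends, apply that scheme, and list recently modified files.
# The tree built by build_sample_tree is constructed for this demo.

# Directories that anyone can write to (the post's first check).
world_writable_dirs() { find "$1" -type d -perm -o=w; }

# Directories that are not exactly 755 and files that are not exactly 644:
# a read-only audit to run before and after fixing.
perm_deviations() {
    find "$1" -type d ! -perm 755
    find "$1" -type f ! -perm 644
}

# The post's fix: 755 on directories, 644 on files.
fix_wp_perms() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
}

# Files modified within the last $2 units; $3 is mtime (days, the default)
# or mmin (minutes), as the post describes.
recently_modified() {
    unit=${3:-mtime}
    find "$1" -type f "-$unit" "-$2"
}

# Constructed sample tree: a world-writable uploads dir holding a stray
# PHP file, and a 600 wp-config.php. Prints the tree's root path.
build_sample_tree() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    printf '<?php\n' > "$root/wp-config.php"
    printf '<?php\n' > "$root/wp-content/uploads/stray.php"
    chmod 777 "$root/wp-content/uploads"
    chmod 600 "$root/wp-config.php"
    printf '%s\n' "$root"
}

count_lines() { wc -l | tr -d ' '; }
root=$(build_sample_tree)
echo "world-writable dirs before fix: $(world_writable_dirs "$root" | count_lines)"
echo "755/644 deviations before fix:  $(perm_deviations "$root" | count_lines)"
fix_wp_perms "$root"
echo "755/644 deviations after fix:   $(perm_deviations "$root" | count_lines)"
echo "files changed in last 5 min:    $(recently_modified "$root" 5 mmin | count_lines)"
rm -rf "$root"
```

Running perm_deviations and recently_modified on a schedule, and diffing their output against the previous run, turns the post's one-off commands into a change-detection check.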
Protect WordPress Login Page
The WordPress login page is the gateway to your blog. Securing it establishes a strong first line of defense. To keep unauthorized users out of WordPress, you have a few alternatives:
Password protection
Protect your wp-admin folder with a username and password in addition to your regular WordPress credentials.
Google Authenticator
This plugin adds Google's two-step verification to your WordPress blog. Anyone trying to sneak into your blog has to enter not only the password but also the code that Google sends to your phone.
Login Dongle
This plugin protects your WordPress login in a unique way. It generates a bookmarklet, together with a secret question, that you add to your bookmarks. On the login page, enter your username, password and other details, then click the bookmarklet and answer the secret question to enter WordPress.