Working with a popular content management system is a convenient way to manage, modify and maintain your website. But popularity comes with a responsibility: securing your WordPress installation against attackers who deliberately target widely used systems. Let us look at how to secure the server and protect ourselves from those attackers.
Why do I need to secure WordPress?
WordPress's popularity makes it a target. With millions of installations worldwide, attackers get the most return from attacking widely used software: a single exploit can let an attacker compromise hundreds or thousands of sites, and yours may be one of them.
The main ways WordPress sites are compromised are easy-to-guess passwords and vulnerable themes, plugins and outdated WordPress core installations. Strong usernames and passwords, and keeping themes, plugins and core patched, go a long way toward protecting your server.
Let's take a look at how to address each of these and make sure our WordPress installation is up to date.
Create a secure username and password
Although WordPress does not let you change a username once the account exists, we can create an alternative administrator account whose username is not something easily guessed such as "user" or "admin", which may not have been a consideration during installation. Then we give the original administrator account a strong password so it cannot be guessed either.
An easy-to-guess username lets attackers try common username and password combinations against your WordPress installation. With a unique username, an automated attack has to guess both halves of the credential. Do not rely on the username alone, though: WordPress exposes usernames through author archives (/?author=1) and the REST API (/wp-json/wp/v2/users), so treat it as an obstacle to automated guessing rather than a secret, and always pair it with a strong password.
Note that WordPress only accepts letters, digits, spaces and the characters _ . - @ in usernames and silently strips anything else, so a username like "mywebsite123987@#$@!" would actually be stored as "mywebsite123987@". Even so, a username like that is far harder for a credential-guessing tool to hit than "admin".
To create a new user, open the dashboard and navigate to Users.
Select Add New in the top navigation to create a new user.
Be sure to provide a unique, hard-to-guess username and a password of 12+ characters including letters, numbers and symbols.
Assign this user the Administrator role and then select Add New User.
Now go back to the Users page and select the original administrator account (named "user" in this example).
Give the original account a new, very long, random password that cannot be guessed. Now that we have an alternate administrator account, the original account with its common username carries a password nobody will guess, so attackers targeting that common username still get nowhere. Better still, once you have logged in as the new administrator and confirmed it works, delete the original account (WordPress asks which user should inherit its content) so no account with a guessable username remains at all.
Change the WP-Admin login URL
Another way to protect your login page is to change the default wp-admin login URL to something unique. Attackers can then no longer automatically attempt logins at the default example.com/wp-admin/ URL and must first find your (presumably unusual) login page before they can attack it.
Although this is not supported by WordPress, it can be done in one of two ways: with a plugin, or by modifying files by hand.
For this article we will modify the files manually and do our best to stay away from unnecessary plugins.
It is important to note that these changes are not preserved across WordPress core updates (the update restores the original wp-login.php) and may cause issues later. To keep updates smooth, keep a backup copy of every modified file and restore the originals before updating; afterwards, simply make the same changes again to restore your custom login URL.
To begin, you want a good text editor such as Notepad++ with a solid search-and-replace feature. Then locate the wp-login.php file in the WordPress root directory.
First, make a backup copy of this file in case we ever need to return to the original login URL. Then open wp-login.php in Notepad++ so we can run the search-and-replace needed to rename our login page.
To open the search-and-replace dialog, go to Search in the top menu and choose Replace.
In the dialog, enter wp-login in the Find what: field and the desired login name in the Replace with: field. In this case I have chosen custom_login as the name of our new login page.
Select Replace All to replace every instance of wp-login.
Save the file and go back to the WordPress root directory. Now rename wp-login.php to custom_login.php.
To test the change, open the wp-admin directory on your site; in my case it is http://localhost/wordpress/wp-admin/. You should get an error or a "Page not found" message: wp-admin tries to redirect you to wp-login.php, which no longer exists, so the default login URL leads nowhere for anyone using it. Be aware that this redirect, the logout link and the password-reset e-mail are generated by other core files that still hard-code wp-login.php; the search-and-replace only rewrote references inside wp-login.php itself, so reach the login page by its new URL directly.
Now open the correct login page, in my case http://localhost/wordpress/custom_login.php.
Congratulations! You have changed the default login URL to a unique one that is harder to guess. This stops your login page from being hammered by programs that look specifically for the wp-login.php URL. Bear in mind that this is obscurity rather than a substitute for strong credentials: it filters out mass automated scans, not a determined attacker. One step closer to safety!
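Because the rename has to be redone after every core update, it is worth scripting. The following is an added example written for this article (it is not part of WordPress or of any plugin): it performs the same back-up, replace and rename steps with sanity checks, and then reports which other core files still hard-code wp-login.php. The installation root and the new name are supplied by the caller; the demo() fixture is a constructed two-file stand-in for a real installation.

```python
"""Automate the wp-login.php rename, with a backup and sanity checks.

Added example for this article, not WordPress code. It reproduces the
Notepad++ steps (back up, replace 'wp-login', rename) so the change can be
re-applied after each core update, and adds the check a practitioner wants:
which other core files still point at wp-login.php. demo() builds a
constructed, minimal tree; point rename_login() at a real installation root.
"""
import re
import shutil
import tempfile
from pathlib import Path

# A login name that is itself guessable defeats the purpose.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{8,40}$")


def rename_login(wp_root, new_name="custom_login"):
    """Back up wp-login.php, rewrite its self-references and rename it.

    Returns (new_file, replacements). Raises before touching anything if the
    name is weak, the file is missing or the target already exists.
    """
    root = Path(wp_root)
    original = root / "wp-login.php"
    target = root / f"{new_name}.php"
    backup = root / "wp-login.php.orig"

    if not NAME_RE.match(new_name):
        raise ValueError("use 8-40 characters from [A-Za-z0-9_-]")
    if not original.is_file():
        raise FileNotFoundError(f"{original} missing: is {root} the WordPress root?")
    if target.exists():
        raise FileExistsError(f"{target} already exists")

    # Untouched copy, so the change can be reverted before a core update.
    shutil.copy2(original, backup)

    source = original.read_text(encoding="utf-8", errors="replace")
    # Same as Notepad++ 'Replace All':
    # "wp-login.php?action=lostpassword" -> "custom_login.php?action=lostpassword"
    rewritten, count = re.subn(r"wp-login", new_name, source)
    if count == 0:
        raise RuntimeError("no 'wp-login' references found; is this wp-login.php?")

    target.write_text(rewritten, encoding="utf-8")
    original.unlink()
    return target, count


def core_references(wp_root):
    """Core files outside wp-login.php that still hard-code 'wp-login.php'.

    The rename does not touch these, so the wp-admin auth redirect, the
    logout link and password-reset e-mails keep pointing at the old URL.
    """
    root = Path(wp_root)
    hits = []
    for sub in ("wp-includes", "wp-admin"):
        d = root / sub
        if not d.is_dir():
            continue
        for php in d.rglob("*.php"):
            if "wp-login.php" in php.read_text(encoding="utf-8", errors="replace"):
                hits.append(php.relative_to(root).as_posix())
    return sorted(hits)


def demo():
    """Constructed fixture: two files standing in for a WordPress tree."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-login.php").write_text(
        "<?php\n"
        "$lost = site_url( 'wp-login.php?action=lostpassword', 'login' );\n"
        "$reg  = site_url( 'wp-login.php?action=register', 'login' );\n"
    )
    inc = root / "wp-includes"
    inc.mkdir()
    (inc / "general-template.php").write_text(
        "<?php\nfunction wp_login_url() { return site_url( 'wp-login.php', 'login' ); }\n"
    )
    new_file, n = rename_login(root, "custom_login")
    return {
        "new_file": new_file.name,
        "replacements": n,
        "old_removed": not (root / "wp-login.php").exists(),
        "backup_kept": (root / "wp-login.php.orig").is_file(),
        "still_referenced_by": core_references(root),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as-is to see the demo, or call rename_login("/var/www/wordpress", "custom_login") against a real tree (path assumed). The wp-login.php.orig copy contains only public WordPress source, but move it outside the web root if you prefer; the still_referenced_by list is the reason the wp-admin test above ends in a "Page not found".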
Keep plugins, themes and WordPress core up to date
The most effective way to protect your WordPress installation is to keep themes, plugins and WordPress core up to date.
Plugins and themes are frequent targets because they tend to be developed by third parties with limited resources, as opposed to the WordPress project itself, which prioritises security and reviews the plugins and themes published in its official directories.
Themes and plugins are written however their developer chose to write them, and they are often not thoroughly tested against attacks. This causes problems when an attacker finds a bug in theme files that not every site has updated, sometimes years after the fix was released.
Plugins work the same way but tend to be installed far more widely, which makes them an even better target. There have been many cases where a plugin installed on millions of sites was exploited, and every site that had not updated the affected plugin could be compromised.
To manage updates, open the dashboard and go to Updates (under Dashboard in the left-hand menu).
This page lets you manage core, theme and plugin updates in one place. You are notified of outdated components and can update them here. If the web server cannot write to the installation itself, WordPress will ask for FTP/SFTP credentials with modification rights for the theme, plugin or core files.
Although WordPress shows warnings about outdated components on the dashboard home page, check the Updates page regularly and make sure everything is current. Fixing outdated components is one of the most effective ways to prevent an easy takeover.
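The same check can be run from the command line without logging in to the dashboard, which is useful when you look after several sites. The script below is an added example for this article, not WordPress code: it reads the version fields WordPress itself reads ($wp_version in wp-includes/version.php, the Version: header in each plugin's main file and in each theme's style.css) and compares them with a reference list. LATEST is a constructed stand-in for the numbers the Updates page or api.wordpress.org would report, and demo() builds a constructed tree in a temporary directory.

```python
"""Inventory core, plugin and theme versions from disk and flag stale ones.

Added example for this article, not WordPress code. Reads the same header
fields WordPress reads: $wp_version in wp-includes/version.php, 'Version:'
within the first 8 KB of a file carrying 'Plugin Name:', and 'Version:' in
a theme's style.css. LATEST and the demo() tree are constructed.
"""
import re
import tempfile
from pathlib import Path

# Like WordPress' header parser, tolerate leading comment punctuation.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.M)
CORE_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
HEADER_BYTES = 8192  # WordPress only inspects this much of a file header

# Constructed reference list; in practice fetch it from the Updates page or
# api.wordpress.org for each slug.
LATEST = {
    "wordpress": "6.5",
    "contact-form": "1.3.1",
    "hello": "1.7.2",
    "twentytwentyfour": "1.1",
}


def version_tuple(v):
    """'6.4.2' -> (6, 4, 2); '1.0-beta' -> (1, 0). Enough for ordering."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def header_version(path):
    m = VERSION_RE.search(path.read_text(errors="replace")[:HEADER_BYTES])
    return m.group(1) if m else "unknown"


def core_version(root):
    text = (Path(root) / "wp-includes" / "version.php").read_text(errors="replace")
    m = CORE_RE.search(text)
    return m.group(1) if m else "unknown"


def plugin_versions(root):
    """{slug: version}; handles plugin directories and single-file plugins."""
    out = {}
    pdir = Path(root) / "wp-content" / "plugins"
    entries = sorted(pdir.iterdir()) if pdir.is_dir() else []
    for entry in entries:
        candidates = [entry] if entry.suffix == ".php" else sorted(entry.glob("*.php"))
        for php in candidates:
            if "Plugin Name:" in php.read_text(errors="replace")[:HEADER_BYTES]:
                slug = entry.stem if entry.is_file() else entry.name
                out[slug] = header_version(php)
                break
    return out


def theme_versions(root):
    out = {}
    tdir = Path(root) / "wp-content" / "themes"
    entries = sorted(tdir.iterdir()) if tdir.is_dir() else []
    for entry in entries:
        css = entry / "style.css"
        if css.is_file():
            out[entry.name] = header_version(css)
    return out


def outdated(installed, latest):
    """{name: (installed, latest)} for every item behind the reference list."""
    return {
        n: (v, latest[n]) for n, v in installed.items()
        if n in latest and version_tuple(v) < version_tuple(latest[n])
    }


def report(root, latest=LATEST):
    installed = {"wordpress": core_version(root)}
    installed.update(plugin_versions(root))
    installed.update(theme_versions(root))
    return outdated(installed, latest)


def demo():
    """Constructed tree: old core, one stale plugin, one current single-file
    plugin and one stale theme."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '6.4.2';\n")
    p = root / "wp-content" / "plugins" / "contact-form"
    p.mkdir(parents=True)
    (p / "contact-form.php").write_text("<?php\n/*\nPlugin Name: Contact Form\nVersion: 1.2.0\n*/\n")
    (root / "wp-content" / "plugins" / "hello.php").write_text(
        "<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.7.2\n */\n")
    t = root / "wp-content" / "themes" / "twentytwentyfour"
    t.mkdir(parents=True)
    (t / "style.css").write_text("/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.0\n*/\n")
    return report(root)


if __name__ == "__main__":
    for name, (have, want) in demo().items():
        print(f"{name}: installed {have}, latest {want}")
```

Point report("/var/www/wordpress", latest) at a real installation (path assumed) with a current latest mapping; anything it returns is a component to update now, and a version of "unknown" means a component whose header could not be read and deserves a look.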
Minimize the use of plugins and installed themes
It can be a real challenge to keep themes and plugins up to date, especially when dozens of them are installed. One of the easiest ways to reduce the risk is to limit the number of plugins and themes you use.
Every plugin or theme that is not installed is one less component that can carry an exploitable bug, so the attack surface shrinks with each one you leave out. Uninstalling disabled plugins and themes also keeps unused code from being exploited by a severe bug found in the future.
Once you decide not to use a plugin, remove it completely from the site. A deactivated plugin still sits on disk and its files may still be reachable directly by URL, and serious bugs in old, disabled plugins have been exploited at scale.
Although there seems to be a plugin for everything, including some of the things we did by hand today, minimising plugins and theme installations protects your site from easy-to-exploit bugs that attackers may still be looking for years later. If possible, keep only the default theme plus the one you actually use, and as few plugins as your site needs to work.
Remember: the more sites have a plugin or theme installed, the juicier a target it is for attackers looking for an exploit.
Backups for recovery and peace of mind
A final safeguard against an irrecoverable compromise is to keep secure backups. If a bug is announced in a plugin or in WordPress itself, you may be able to roll back to a known-good installation or simply remove the affected files from the live site.
If the compromise is serious enough, you may want a fresh WordPress installation and simply import your posts into it.
Although there are countless ways to back up your data, we show the most basic form here: exporting your WordPress content with the built-in Export tool.
This tool is under Tools > Export in the WordPress dashboard.
From here you can export posts, pages, media or all content.
This does not back up your theme or plugins, nor modified files such as our custom_login.php. In a disaster, however, you will have a backup of all your posts and pages that can easily be imported into a new installation.
Alternative methods include exporting the SQL database as a whole. But once a site is compromised, it is hard to say exactly which files and data may be carrying a long-term backdoor, and a backup taken after the compromise can reintroduce it. If your WordPress installation has been compromised, it is best to start over with a fresh installation and carry over as few existing files as possible.
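Knowing which files changed is exactly what makes the choice between "restore" and "reinstall" possible. The script below is an added example for this article (not WordPress or any plugin's code): it writes a tar.gz of the installation alongside a JSON manifest of SHA-256 hashes, and later lists the files that were modified, added or removed relative to that known-good copy. It covers files only; pair it with the Export tool or a SQL dump for the database. Paths are arguments, and demo() uses a constructed tree with a simulated tamper.

```python
"""Hash-manifest backup and post-incident diff for a WordPress tree.

Added example for this article, not WordPress code. backup() archives the
installation next to a JSON manifest of SHA-256 hashes; changed_files()
later answers which files were modified, added or removed since that
known-good copy. Database content is out of scope. demo() is constructed.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """{relative posix path: sha256} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(root, dest_dir):
    """Archive root and its manifest into dest_dir (keep dest_dir off the web root)."""
    root, dest = Path(root), Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    manifest_path = dest / f"wordpress-{stamp}.manifest.json"
    manifest_path.write_text(json.dumps(build_manifest(root), indent=1))
    tar_path = dest / f"wordpress-{stamp}.tar.gz"
    with tarfile.open(tar_path, "w:gz") as tar:
        tar.add(str(root), arcname="wordpress")
    return tar_path, manifest_path


def changed_files(root, manifest_path):
    """Compare the live tree with a manifest: modified / added / removed."""
    old = json.loads(Path(manifest_path).read_text())
    now = build_manifest(root)
    return {
        "modified": sorted(p for p in now if p in old and now[p] != old[p]),
        "added": sorted(p for p in now if p not in old),
        "removed": sorted(p for p in old if p not in now),
    }


def demo():
    """Constructed site, backed up, then tampered with as a compromise would."""
    work = Path(tempfile.mkdtemp())
    site = work / "site"
    plugin = site / "wp-content" / "plugins" / "contact-form"
    plugin.mkdir(parents=True)
    (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
    (plugin / "contact-form.php").write_text("<?php\n/* Plugin Name: Contact Form */\n")
    _, manifest = backup(site, work / "backups")

    # Simulated compromise (constructed): a plugin file is altered and a
    # stray PHP file appears in the uploads directory.
    with open(plugin / "contact-form.php", "a") as f:
        f.write("// injected line\n")
    (site / "wp-content" / "uploads").mkdir()
    (site / "wp-content" / "uploads" / "dropper.php").write_text("<?php /* not ours */\n")
    return changed_files(site, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keep the backups directory outside the web root and, ideally, off the server, since a manifest on a compromised host can itself be edited. A non-empty modified or added list under wp-includes, wp-admin or a plugin directory is the signal to rebuild from a fresh download rather than restore.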
Security: An endless job
While this guide only scratches the surface, it covers some of the most effective measures against a total compromise of WordPress. These are the attack vectors attackers use most, and securing them protects your site from the most common automated attacks run against WordPress installations worldwide.
A strong, hard-to-guess username and password, a custom login page and updated plugins, themes and core will go a long way toward securing your server. Combine that with good backups and a minimum of third-party tools, and attackers have far less to work with against your WordPress installation.
Combine these WordPress practices with sound server security such as TLS encryption, firewalls and detection of malicious activity, and your website will be a safer place on the web!