20 Simple Tricks Secure WordPress

20 Simple Tricks Secure WordPress

This is a contribution by Ahmad Awais. Source:
I’ve seen many website owners nagging about the security of WordPress.The opinion is that an open source script is vulnerable to all sorts of attacks. But that is mostly not true – sometimes it’s the other way around. Or, okay, let’s say that it’s partially true, but even then you shouldn’t blame WordPress.Why? Because it’s usually your fault that your site got hacked. There are some responsibilities that you have to take care of as a website owner. So the key question is always, what are *you* doing to save your site from being hacked?Today, I plan to discuss quite a few simple tricks that can help you secure your WordPress website:

Part (a): Secure the login page and prevent brute force attacks

Everyone knows the standard WordPress login page URL. The backend of the website is accessed from there, and that is the reason why people try to brute force their way in. Just add /wp-login.php or /wp-admin/ at the end of your domain name and there you go.

What I recommend is to customize the login page URL and even the page’s interaction. That’s the first thing I do when I start securing my website.

Here are some suggestions for securing your login page:

1. Set up website lockdown and ban users

A lockdown feature for failed login attempts can solve a huge problem, i.e. no more continuous brute force attempts. Whenever there is a hacking attempt with repetitive wrong passwords, the site gets locked, and you get notified of this unauthorized activity.

I found out that the iThemes Security plugin is one of the best such plugins out there, and I’ve been using it for quite some time. The plugin has a lot to offer in this respect. You can specify a certain number of failed login attempts after which the plugin bans the attacker’s IP address.


(Alternatively, you can also use the Login LockDown plugin that was built to help you with this problem only.)

2. Use 2-factor authentication

Introducing the 2-factor authentication (2FA) at the login page is another good security measure. In this case, the user provides login details for two different components. The website owner decides what those two are. It can be a regular password followed by a secret question, a secret code, a set of characters, etc.

I prefer using a secret code while deploying 2FA on any of my websites. The WP Google Authenticator plugin helps me with that in just a few clicks.


3. Use email as login

By default, you have to input your username to log in. Using an email ID instead of a username is a more secure approach. The reasons are quite obvious. Usernames are easy to predict, while email IDs are not. Also, any WordPress user account is always created with a unique email address, making it a valid identifier for logging in.

The WP Email Login plugin works out of the box for this purpose. It starts working right after the activation and it requires no configuration at all.

To test it, just log out of your website and then log back in, but this time use the email address that you created the account with.

4. Rename your login URL

To change the login URL is an easy thing to do. By default, the WordPress login page can be accessed easily via wp-login.php or wp-admin added to the site’s main URL.

When hackers know the direct URL of your login page, they can try to brute force their way in. They try to log in with their GWDb (Guess Work Database, i.e. a database of guessed usernames and passwords; e.g. username: admin and password: [email protected] … with millions of such combinations).

So, at this point – if you’ve been following along – we have already restricted the user login attempts and swapped usernames for email IDs. Now we can replace the login URL and get rid of 99% of direct brute force attacks.

This little trick restricts an unauthorized entity from accessing the login page. Only someone with the exact URL can do it. Again, the iThemes Security plugin can help you change your login URLs. Like so:

  • Change wp-login.php to something unique; e.g. my_new_login
  • Change /wp-admin/ to something unique; e.g. my_new_admin
  • Change /wp-login.php?action=register to something unique; e.g. my_new_registeration

5. Adjust your passwords

Play around with the website’s passwords and change them regularly. Improve their strength by adding uppercase and lowercase letters, numbers, and special characters. This password generator is a useful resource.


Part (b): Secure your admin dashboard

For a hacker, the most engaging part of a website is the admin dashboard, which is indeed the most protected section of all. So, attacking the strongest part is the real challenge and, if accomplished, it gives the hacker a moral victory and the access to do a lot of damage.

Here’s what you can do:

6. Protect the wp-admin directory

The wp-admin directory is the heart of any WordPress website. Therefore, if this part of your site gets breached then the entire site can get damaged.

One possible way to prevent this is to password-protect the wp-admin directory. With such security measure, the website owner may access the dashboard by submitting two passwords. One protects the login page, and the other the WordPress admin area. If the website users are required to get access to some particular parts of the wp-admin, you may unblock those parts while locking the rest.

You can use the AskApache Password Protect plugin for securing the admin area. It automatically generates a .htpasswd file, encrypts the password and configures the correct security-enhanced file permissions.

7. Use SSL to encrypt data

Implementing an SSL (Secure Socket Layer) certificate is one smart move to secure the admin panel. SSL ensures secure data transfer between user browsers and the server, making it difficult for hackers to breach the connection or spoof your info.

Getting an SSL certificate for your WordPress website is not an issue. You can purchase one from some dedicated companies or alternatively ask your hosting firm to hook you up with one (it’s often an option with their hosting packages).

I use the Let’s Encrypt free open source SSL certificate on most of my sites. Any good hosting company like SiteGround offers free Let’s Encrypt with their hosting packages.

The SSL certificate also affects your website’s rankings at Google. Google ranks sites with SSL higher than those without it. That means more traffic. Now who doesn’t want that?

8. Add user accounts with care

If you run a WordPress blog, or rather a multi-author blog, then you need to deal with multiple people accessing your admin panel. This could make your website more vulnerable to security threats.

You can use a plugin like Force Strong Passwords for your users if you want to make sure that whatever passwords they use are secure. This is just a precautionary measure.


9. Change the admin username

During WordPress installation, you should never choose “admin” as the username for your main administrator account. Such an easy-to-guess username is approachable for hackers. All they need to know is the password, and your entire site gets into the wrong hands.

I can’t tell you how many times I have scrolled through my website logs, and found login attempts with username “admin”.

The iThemes Security plugin can stop such attempts cleverly by immediately banning any IP address that attempts to log in with that username.

10. Monitor your files

If you want some extra added security, you can monitor the changes to the website’s files via plugins like Acunetix WP Security, Wordfence, or again, iThemes Security.


Part (c): Secure the database

All of your site’s data and information is stored in the database. Taking care of it is just crucial. Here are a few things you can do to make it more secure:

11. Change the WordPress database table prefix

If you have ever installed WordPress then you are familiar with the wp- table prefix that is used by the WordPress database. I recommend you change it to something unique.

Using the default prefix makes your site database prone to SQL injection attacks. Such attack can be prevented by changing wp- to some other term, e.g. you can make it mywp-, wpnew-, etc.

If you have already installed your WordPress website with the default prefix, then you can use a few plugins to change it. Plugins like WP-DBManager or iThemes Security can help you do the job with just a click of a button. (Make sure you back up your site before doing anything to the database).


12. Back up your site regularly

No matter how secure your website is, there is always room for improvements. But at the end of the day, keeping an off-site backup somewhere is perhaps the best antidote no matter what happens.

If you have a backup, you can always restore your WordPress website to a working state any time you want. There are some plugins that can help you in this respect. For instance, there are all of these.


If you are looking for a premium solution then I recommend VaultPress by Automattic, which is great. I have it set up so it creates backups every 30 minutes. And should anything bad ever happen, I can easily restore the site with just one click. On top of that, it also checks my site for malware, and alerts me if anything shady is going on.

13. Set strong passwords for your database

A strong password for the main database user is a must – the one WordPress uses to access the database.

As always, use uppercase, lowercase, numbers, and special characters for the password. I once again recommend password generator as a useful resource.

Part (d): Secure your hosting setup

Almost all hosting companies claim to provide an optimized environment for WordPress, but we can still go a step further:

14. Protect the wp-config.php file

The wp-config.php file holds crucial information about your WordPress installation, and it’s in fact the most important file in your site’s root directory. Protecting it means protecting the core of your WordPress blog.

It gets difficult for hackers to breach the security of your site if the wp-config.php file becomes inaccessible to them.

The good news is that making this happen is really easy. Just take your wp-config.php file and move it to a higher level than your root directory.

Now the question is, if you store it elsewhere, how does the server access it? In the current WordPress architecture, the configuration file settings are set the highest on the priority list. So, even if it is stored one fold above the root directory, WordPress can still see it.

15. Disallow file editing

If a user has admin access to your WordPress dashboard then they can edit any files that are part of your WordPress installation. This includes all plugins and themes.

However, if you disallow file editing, even if a hacker obtains admin access to your WordPress dashboard, they still won’t be able to modify any file.

Add the following to the wp-config.php file (at the very end):

define('DISALLOW_FILE_EDIT', true);

16. Connect the server correctly

When setting up your site, connect the server only through SFTP or SSH. SFTP is always preferred over the traditional FTP because of its security features that are, of course, not attributed with FTP.

Connecting the server this way ensures secure transfers of all files. Many hosting providers offer this service as part of their package. If not – you can do it manually (just google for tutorials; there’s a lot of stuff out there).

17. Set directory permissions carefully

Wrong directory permissions can be fatal, especially if you’re working in a shared hosting environment.

In such a case, changing files and directory permissions is a good move to secure the website at the hosting level. Setting the directory permissions to “755” and files to “644” protects the whole filesystem – directories, subdirectories, and individual files.

This can be done either manually via the File Manager inside your hosting control panel, or through the terminal (connected with SSH) – use the “chmod” command.

For more, you can read about correct permission scheme of WordPress or install the iThemes Security plugin to check your current permission settings.

18. Disable directory listing with .htaccess

If you create a new directory as part of your website and do not put an index.html file in it, you may be surprised to find that your visitors can get a full directory listing of everything that’s in that directory.

For example, if you create a directory called “data”, you can see everything in that directory simply by typing in your browser. No password or anything is needed.

You can prevent this by adding the following line of code in your .htaccess file:

Options All -Indexes

Part (e): Secure your WordPress themes and plugins

Themes and plugins are essential ingredients of any WordPress website. Unfortunately, they can also pose serious security threats. Let’s find out how we can secure WordPress themes and plugins the right way:

19. Update regularly

Every good software product is supported by its developers and gets updated now and then, but WordPress is updated very frequently. These updates are meant to fix bugs and sometimes have vital security patches.

Not updating your themes and plugins can mean serious trouble. Many hackers rely on the mere fact that people can’t be bothered to update their plugins and themes. More often than not, those hackers exploit bugs that have already been fixed.

So, if you’re using WordPress products then update them regularly. Plugins, themes, everything.

20. Remove your WordPress version number

Your current WordPress version number can be found very easily. It’s basically sitting right there in your site’s source view.

Here’s the thing, if the hackers know which version of WordPress you use, it’s easier for them to tailor-build the perfect attack.

You can hide your version number with almost every security plugin that I mentioned above.

Like this article? Please share 20 Simple Tricks Secure WordPress with your friends.

20 Crucial WordPress Plugins

20 Crucial WordPress Plugins

Better user experience is a goal that has jumped to the top of most businesses’ priorities list in recent years. Making sites easy to use, responsive and user friendly are qualities that can make or break a brand’s success.

Since our site is built on WordPress, we’ve had to explore many options to be able to scale in the way that we need.

I’ve done some of the heavy lifting, testing out countless plugins that did and didn’t work. That’s why I’ve come up with a list of the top WordPress plugins for 2016 that will make website management quicker and easier, as well as keep viewers pleased and eager to come back.

1. WordPress SEO by Yoast.

WordPress SEO by Yoast has recently been named the top plugin for WordPress users. This plugin functions as a complete optimization platform for the user’s page content. In addition to SEO, this plugin features a snippet editor, XML sitemaps, permalink cleanup, Meta descriptions and configuration and more.

2. BackupBuddy.

This is the most vital WordPress plugin because BackupBuddy acts as a crisis prevention tool, ensuring that content is safe from being lost. It really should be the first plugin any WordPress user installs after creating their site, which is great because it’s one of the easiest plugins to setup. With Backupbuddy, users can also schedule routine backups, so forgetting to do it won’t be an issue.

3. W3 Total Cache.

Site accessibility and speed is essential for optimal user experience, not to mention search engine rankings.This plugin allows the user to set up caching for their site, making downloading features quicker and navigation smooth and concise for page visitors.

4. CaptainForm.

This is the plugin that is any WordPress beginner’s key to creating almost any type of form for their site. While this plugin is primarily used for contact forms, it can also be used for subscriptions, orders and a host of other form types as well. Using a contact or subscription form is a great way to attract a larger audience and obtain loyal visitors.

5. OptinMonster.

OptinMonster is the plugin best used for converting visitors to your site into subscribers. Because of the simplicity of this plugin, users can A/B test and generate lead capture forms without needing help from a professional developer. This plugin has built-in, easy to interpret analytics, and multiple form types, such as lightbox popups, sidebar forms, floating bars and more. OptinMonster integrates with all website and eCommerce platforms in just one click, so this one’s a no-brainer.

6. Edit Flow.

Organization is key for successful content distribution on any site. Edit Flow allows WordPress users to manage all their editorial in one place. From managing authors, creating workflow strategy, keeping up-to-date with editorial calendars and much more, this plugin gives users a one stop shop for keeping track of all editorial functionality.

7. Soliloquy.

Soliloquy is a slider plugin that displays a slider deck onto a WordPress site WITHOUT slowing the site down. The other bonus that makes Soliloquy the top-rated slider plugin is its streamlined visibility and responsiveness across all devices (i.e. desktop, tablet, smartphone, etc.).

8. Sucuri.

Sucuri is your “better safe than sorry” plugin. It’s too risky not to have a security lock on any site, and for WordPress users, Sucuri is the best option, as it’s a company that specializes in protecting WordPress sites. This plugin has malware cleanup, site auditing capability, blocks all hackers or attacks to the site, and much more.

9. Floating Social Bar.

This plugin is especially beneficial to sites that don’t need every social media platform icon linked to it. Floating Social Bar allows the user to only select the social platforms they use and/or the ones relevant to that particular site. This feature helps to avoid unnecessarily slowing down the user’s site.

10. AdSanity.

For WordPress users who are looking to run ads on their site, this is the best plugin option. It’s a smooth, easy to use platform and it includes basic analytics for ad click-through rates and reach. AdSanity allows for flexible advertising scheduling.

11. Envira Gallery.

Envira is the most important plugin for users who run photography sites or use digital imagery as a dominant component for their sites. There is nothing more annoying than trying to view images on a site that refuse to load, and Envira makes that annoyance a non-issue. Envira has a clean, responsive layout and it’s easy to use for beginners.

12. Login Lockdown.

To significantly lower the risk of hackers logging in to a site, Login Lockdown is a plugin that limits the amount of attempts a user has at entering their admin username and password before it locks itself down for a period of time. Just like on iPhones, if someone tries to guess your keypad code to unlock your phone too many times, the iPhone will automatically lock. With WordPress, that isn’t an automatic feature, so that’s why it’s a good idea to have Login Lockdown.

13. Term Management.

This plugin is especially helpful for beginners who do not know the difference between tags and categories on each post and how they organize the user’s site content. Term Management helps organize and merge these tools so that content is classified correctly and easier to find.

14. TablePress.

This plugin is pretty straight-forward. WordPress users who need the ability to insert tables into their posts, need this plugin. For example, business or finance related content driven websites often times will use tables to display date.

15. WPtouch.

This plugin allows users to convert their WordPress site into an app, allowing visitors to access the site via a mobile application, rather than simply viewing the desktop version on their phones. The most crucial part of this plugin is that users don’t have to play around with the App Store or direct visitors there in order to access their site.

16. Compact Archives.

This plugin is most useful for bloggers who have tons of archived content, which drags on and on at the bottom of their page. Compact Archives literally just compacts your archives into a smaller, more efficient display.

17. ThirstyAffiliates.

Affiliate marketing is a popular feature for WordPress users, but if users decide to do so, they absolutely need a link management tool and ThirstyAffiliates is the best option for when it comes to WordPress. This plugin automates the process, requiring less manual entry from users.

18. Display Widgets.

This plugin allows users to choose what widgets they want visible, and where. This plugin is best used for hiding certain widgets from visitors and requiring them to log in or subscribe before seeing said widgets. Doing this gives viewers another push to subscribe.

19. WP Mail SMTP.

This plugin gives WordPress users the ability to use an SMTP server to send emails, making email delivery more reliable.

20. WPForms.

WPForms is a drag & drop online form builder for WordPress. It allows you to easily create contact forms, email subscription forms, order forms, payment forms, and other type of online forms with just a few clicks.

What additional plugins do you use to scale your business?

originally posted at: