Keeping your WordPress website secure: Part II
In the previous article, we discussed a few simple steps you can follow to keep your WordPress website secure. In this article, we will focus on a few advanced steps that improve the security of your WordPress website even further. Some of these steps require a fair amount of technical expertise, so be careful while following them so that you do not damage your website. To get the best results, we suggest you hire an expert to do the job. Design Cavern provides all types of website-based services, including WordPress optimization and website management.
Here are a few advanced steps you may follow to take the security of your WordPress website to the next level:
- Disable file editing – The built-in code editor of WordPress lets anyone who gains access to your WordPress admin area edit your plugin and theme files. It is therefore a serious security risk and should be turned off.
To disable file editing in WordPress, add the following lines to your wp-config.php file:
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
- Automatically log out idle users – Logged-in users who forget to sign out leave their accounts exposed. For instance, if they leave their PC or mobile unattended, another person could view their account information, change their password, or change other account details. It is therefore worth forcibly ending the session of an inactive user.
To do that, install and activate the 'Inactive Logout' plugin and go to the Settings > Inactive Logout page to configure details such as the idle time limit and the logout message.
- Change the default 'admin' username – Leaving your WordPress admin username as 'admin' makes brute-force attacks easier, because the attacker already knows half of the credentials. So, create a custom WordPress username when installing WordPress.
To change your WordPress username, you may do the following:
- Update WordPress username from phpMyAdmin
- Create a new admin username and delete the old one
- Use the Username Changer plugin
- Change WordPress database prefix – wp_ is the default prefix for all tables in a WordPress database, which makes your table names easy to guess. Changing the prefix requires some advanced database skills. Here is a step-by-step tutorial you may follow to change your WordPress database prefix.
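The table-renaming part of that procedure, as an added example that is not code from the article or from the tutorial it refers to: a Python helper that, given the table names from SHOW TABLES, emits the SQL for moving from the old prefix to a new one. It assumes a MySQL/MariaDB database, that you take a backup first and update $table_prefix in wp-config.php yourself; the new prefix and table list below are constructed samples.

```python
from typing import List


def prefix_change_sql(tables: List[str], old: str, new: str) -> List[str]:
    """Return the SQL statements, in order, for moving WordPress tables from
    prefix `old` to prefix `new`.

    Only tables that really start with `old` are renamed, so tables of other
    applications sharing the database are left untouched.
    """
    for p in (old, new):
        if not p.endswith("_") or not p.replace("_", "").isalnum():
            raise ValueError(f"bad prefix {p!r}: letters, digits and '_' only, ending in '_'")
    stmts = []
    for t in tables:
        if t.startswith(old):
            stmts.append(f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;")
    # The serialized role definitions live in the options table under a
    # prefix-dependent option name (wp_user_roles for the default prefix).
    stmts.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';"
    )
    # Per-user capability rows (wp_capabilities, wp_user_level, ...) carry the
    # prefix in meta_key too. '_' is escaped in the LIKE pattern so that it
    # matches a literal underscore rather than any single character.
    like = old.replace("_", "\\_")
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = "
        f"CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
        f"WHERE meta_key LIKE '{like}%';"
    )
    # Assumption: plugin tables that store the prefix inside serialized data
    # are out of scope and must be checked by hand.
    return stmts


if __name__ == "__main__":
    # Constructed sample: the result of SHOW TABLES on a small site.
    sample_tables = ["wp_options", "wp_posts", "wp_usermeta", "wp_users", "other_app_log"]
    for s in prefix_change_sql(sample_tables, "wp_", "wp_a7x9q_"):
        print(s)
```

Run the printed statements inside one transaction in phpMyAdmin or the mysql client, then change $table_prefix in wp-config.php to the new value before reloading the site.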
- Add a security question to WordPress login – To add security questions to your WordPress login screen, install the 'WP Security Questions' plugin. Once installed, go to the Settings > Security Questions page and configure the questions. This makes it even harder for unauthorized users to gain access to your WordPress website.
- Disable PHP file execution – You can tighten the security of your WordPress website by disabling PHP execution in directories where it is not needed, such as /wp-content/uploads/, so that a PHP file that ends up there cannot be run.
To do that, paste the following code in a text editor like Notepad, save the file as .htaccess, and use an FTP client to upload it to your /wp-content/uploads/ folder.
Here is the code:
<Files *.php>
deny from all
</Files>
- Password protect WP-Admin and login – To block DDoS attacks and stop attackers from requesting your login page and wp-admin folder without any restriction, you can add password protection at the web server level. Here are the steps you may follow to password protect your WordPress admin directory.
- Limit login attempts – A limit on failed login attempts can be enforced using a web application firewall, which stops attackers from running brute-force attacks against your WordPress login. You may also install and activate the 'Login LockDown' plugin for additional protection; go to the Settings > Login LockDown page to configure its options.
- Disable directory indexing and browsing – If directory indexing and browsing are enabled on your WordPress website, an attacker can list your directories and spot files with known vulnerabilities, which they may then use to gain access to other parts of the site. It also lets anyone see your directory structure and view or copy your files.
To disable directory indexing and browsing on your WordPress website, do the following:
- Use your cPanel’s file manager or FTP software to locate the .htaccess file in your WordPress website’s root directory
- Add the line: Options -Indexes
- Save the file and re-upload it
- Add two-factor authentication – Enabling two-factor authentication adds another layer of security to your website since you need to verify your login using another device or app. To enable it, you simply need to do the following:
- Install the ‘Two-factor Authentication’ plugin and enable the ‘Two Factor Auth’ from the WordPress admin sidebar.
- Use an authenticator app such as Google Authenticator, LastPass, or Authy to verify your login.
- Scan for WordPress malware and vulnerabilities – If you notice a sudden drop in your search ranking or website traffic, it could indicate that your website is affected by malware or malicious code. Normally, a security breach or malware would be detected automatically if you have a WordPress security plugin installed on your website. However, running manual online scans is also a good idea, to catch threats the security plugin may have missed.
- Disable XML-RPC in WordPress – If XML-RPC is enabled on your WordPress website, it can help attackers amplify brute-force attacks, because XML-RPC methods such as system.multicall let many login attempts be bundled into a single request. To disable XML-RPC, you may install the 'Disable XML-RPC' plugin.
Alternatively, add the following code to your .htaccess file, replacing the IP address with the one that should keep access:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 220.127.116.11
</Files>
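Both the login-attempt limit described earlier and the XML-RPC block can be checked against the web server's access log. The following added example, which is not code from the article, parses constructed Apache-style log lines and flags client IPs that make repeated failed wp-login.php POSTs or xmlrpc.php POSTs within a short window; the IP addresses, timestamps and threshold are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def is_login_attempt(m):
    """True for requests that can carry a credential guess. A failed
    wp-login.php POST re-renders the form with HTTP 200 while a successful one
    redirects with 302, so 200 is the failed-attempt signal. Every POST to
    xmlrpc.php counts: system.multicall can hide many guesses in one request."""
    path = m["path"].split("?")[0]
    if m["method"] != "POST":
        return False
    if path.endswith("/wp-login.php"):
        return m["status"] == "200"
    return path.endswith("/xmlrpc.php")


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total_attempts} for every client that made at least
    `threshold` attempts inside some `window`-long period."""
    attempts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_login_attempt(m):
            attempts[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged


def _line(ip, hms, method, path, status):
    return f'{ip} - - [10/Oct/2023:{hms} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample log: one client hammering the login form, one normal user
# who mistypes once and then logs in, and one client hitting XML-RPC.
SAMPLE_LOG = (
    [_line("198.51.100.7", f"13:50:{i * 10:02d}", "POST", "/wp-login.php", 200) for i in range(6)]
    + [_line("203.0.113.5", "14:00:01", "POST", "/wp-login.php", 200),
       _line("203.0.113.5", "14:00:20", "POST", "/wp-login.php", 302),
       _line("203.0.113.5", "14:00:21", "GET", "/wp-admin/", 200)]
    + [_line("192.0.2.9", f"15:10:{i * 5:02d}", "POST", "/xmlrpc.php", 200) for i in range(5)]
)
```

Feed real log lines to find_bruteforce to see which clients a login-attempt limit or the xmlrpc.php block would have stopped; the normal user in the sample is not flagged because a single mistype followed by a 302 never reaches the threshold.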
Design Cavern can help you to keep your WordPress website secure and help you manage it without any hassles. Contact us today to find out more about our services.