WordPress Security Tips To Secure Your Website Today

November 20, 2018

Due to the popularity of WordPress and the way this CMS works, websites running WordPress are increasingly targeted for attack. WordPress's weak points lie in its login system and in the plugins and themes you install on your site. Plugins are especially susceptible because their security depends on the care and PHP knowledge of whoever coded them.

Apparently more than 70% of WordPress installations are vulnerable to being attacked and taken over; by following the tips below you can keep your site from becoming part of that statistic.

Let's look at ways to secure the WordPress wp-login.

Protect Your Admin Directory using .htaccess

Using Notepad, create a file called .htpasswds and open it.

Head over to an MD5 generator site, enter a password of your choosing and click Generate.

Look for the section “Your Hash”; it will look something like this: “48bb6e862e54f2a795ffc4e541caed4d”.

Go back into Notepad and enter a username, followed by a colon and the hash.

Example: admin:48bb6e862e54f2a795ffc4e541caed4d

Save this file and upload it to a new folder inside the wp-admin directory.

Example: /wp-admin/passwords/

Go back to your root directory (/public_html), open your .htaccess file and add the following code at the bottom:

AuthName "Authorization Needed"
# Absolute path to the .htpasswds file uploaded above (here /public_html/wp-admin/passwords/)
AuthUserFile /home/youraccountname/public_html/wp-admin/passwords/.htpasswds
AuthGroupFile /dev/null
AuthType Basic
Require user yourusernamehere
# Note: in the site root .htaccess these directives apply to every URL, not only /wp-admin/;
# to limit the password prompt to the admin area, place them in /wp-admin/.htaccess instead.

Save the file.

Now whenever anyone visits your wp-admin section they will be asked for these login details before they can enter.

Google Authenticator Two-Factor Authentication

This is one of the best security plugins to protect your site; you can install it by searching for “Google Authenticator” in the Add Plugins section of your site.

The way this works: you install the Google Authenticator app on your phone (iOS or Android), then install the plugin on your site. You set a secret key and display the QR code. You then open the app on your phone and scan the code, and it automatically adds the required information. From then on, whenever you log into your site you will also need a time-limited access code from the app.

Here are the steps:

Install the Google Authenticator WordPress plugin.

Go to your profile page in WordPress and look for “Google Authenticator Settings”.

Enter a site description and click “Create new secret”; the QR code will be displayed.

Open the “Google Authenticator” app on your phone, tap the + symbol and then “Scan Barcode”.

You will now see a 6-digit code on your phone, which refreshes every 10 seconds.

When you visit wp-login.php you will see a new text field where you enter the code from your phone.
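How the code on the phone and the check on the server fit together, as an added example (this is not the plugin's code): a minimal RFC 6238 TOTP implementation using only Python's standard library. The secret is the RFC's published test secret, the 30-second step is the RFC default and what the Authenticator app uses, and verify_totp adds the two server-side checks a login handler needs beyond recomputing the code, a small clock-drift window and rejection of a code that was already accepted. provisioning_uri builds the otpauth:// URI that the QR code on the profile page encodes; the account and issuer names in it are placeholders.

```python
"""RFC 6238 TOTP, the scheme behind the six-digit Google Authenticator codes.

Added example, not the plugin's code. Standard library only; the secret used
in the tests is the RFC 6238 test secret, so outputs can be checked against
the RFC's published vectors.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

TIME_STEP = 30  # seconds per code: the RFC default and what the Authenticator app uses


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=TIME_STEP, digits=6):
    """RFC 6238: HOTP with the counter set to the number of time steps since the Unix epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, candidate, for_time=None, step=TIME_STEP, digits=6, window=1, last_used=-1):
    """Server-side check. Returns the matched step counter, or None.

    The current step plus `window` steps either side are accepted to absorb
    phone/server clock drift. Counters at or below `last_used` (the counter of
    the last code this user logged in with) are rejected, so a code seen in
    transit cannot be replayed during its validity window.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return None
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    matched = None
    for delta in range(-window, window + 1):
        c = counter + delta
        if c <= last_used:
            continue
        # constant-time compare, and every slot is checked instead of returning early
        if hmac.compare_digest(hotp(secret, c, digits), candidate) and matched is None:
            matched = c
    return matched


def secret_from_base32(text):
    """The app shows the shared secret as base32, often in spaced lowercase groups;
    normalise it and restore the '=' padding before decoding."""
    cleaned = text.replace(" ", "").strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def provisioning_uri(secret, account, issuer):
    """The otpauth:// URI (Key URI format) that the profile page's QR code encodes."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&period={TIME_STEP}&digits=6")


if __name__ == "__main__":
    # Constructed demo secret; a real one comes from the plugin's "Create new secret".
    demo = secret_from_base32("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    print("current code:", totp(demo))
    print(provisioning_uri(demo, "admin", "ExampleSite"))
```

The drift window is the usual compromise between clock skew on the phone and how long a stolen code stays usable; last_used is what stops the same six digits from being accepted twice inside that window.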

Disable Directory Browsing

This is such a simple fix, yet it's amazing how many people don't do it.

To stop people from browsing your directories, simply add the following line to your site's root .htaccess:

Options -Indexes

[The original post shows screenshots of the directory listing before and after this change.]

Turning Off PHP Errors

Displayed PHP error messages let attackers provoke errors in your code and learn where vulnerabilities may lie. A simple fix is to stop WordPress from displaying PHP errors.

Add the following code to your wp-config.php file to block PHP errors from being shown:

// Report errors to the log but never display them to visitors.
// Place this above the "That's all, stop editing!" line, and replace the
// existing define('WP_DEBUG', ...) line rather than adding a second one.
ini_set('display_errors', 'Off');
ini_set('error_reporting', E_ALL);
define('WP_DEBUG', false);

Disable PHP Execution in the Uploads Folder

Another method the bad guys use is to upload a file to your server through a vulnerability in a plugin or theme. Such files are often renamed to look like WordPress core files to avoid detection.

The uploads folder is the main place attackers will try to put a file. The following code won't stop them uploading it, but it will stop any PHP file they do upload from executing.

Create a new .htaccess file on your PC using Notepad, add the following code and upload it to your /wp-content/uploads/ folder:

<Files *.php>
deny from all
</Files>
# Apache 2.2 syntax (works on 2.4 with mod_access_compat); the 2.4 form is: Require all denied

Protect .htaccess From Unauthorized Access

.htaccess is a gateway to your server's configuration, and any access to it by unauthorized individuals can compromise your WordPress site's security.

Protect it now by adding this short snippet to your root .htaccess:

# Matches file names containing ".hta" (i.e. .htaccess); widen to ([Hh][Tt]) to cover .htpasswd files too
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

Block File Editing

With the above you should keep most bad guys out of your wp-admin; however, there is always a small chance someone can still gain access through an unknown exploit in a plugin or theme.

This little edit prevents editing of theme and plugin files from the dashboard even if those intruders do get in.

Add this line to the bottom of your wp-config.php file:

define('DISALLOW_FILE_EDIT', true); // keep it above the "That's all, stop editing!" line
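A way to confirm that the edits from the directory-browsing, PHP-error, uploads, .htaccess-protection and file-editing sections (and the .htpasswds file from the wp-admin section) are actually in place, as an added example rather than anything from the original post: a small Python audit that parses the text of the root .htaccess, wp-content/uploads/.htaccess, wp-config.php and .htpasswds and reports each control as present or missing. File paths and every sample file body below are constructed. It also catches two things the configs on this page are prone to: a <Files> section left unclosed (Apache rejects the whole .htaccess) and an .htpasswds entry whose hash is not in a format Apache's htpasswd tool writes (bcrypt, apr1 MD5 or {SHA}; a bare hex digest from a web MD5 generator is not one of them). The hardened sample widens the page's ([Hh][Tt][Aa]) pattern to ([Hh][Tt]) so that the uploaded .htpasswds file is covered as well.

```python
"""Audit of the hardening edits described on this page.

Added example, not code from the original post. Reads the text of the root
.htaccess, wp-content/uploads/.htaccess, wp-config.php and .htpasswds (paths
and all sample contents are constructed) and reports which controls exist.
"""
import fnmatch
import re

DENY_RE = re.compile(r"^(deny\s+from\s+all|require\s+all\s+denied)$", re.I)
SECTION_OPEN_RE = re.compile(r"^<(files|filesmatch)\s+(.+)>$", re.I)
SECTION_CLOSE_RE = re.compile(r"^</(files|filesmatch)>$", re.I)
NO_INDEXES_RE = re.compile(r"^options\b.*-indexes\b", re.I)
# Hash formats Apache's htpasswd tool writes (-B bcrypt, -m apr1 MD5, -s {SHA}).
HTPASSWD_HASH_RE = re.compile(r"^(\$2[aby]\$|\$apr1\$|\{SHA\})")


def _clean_lines(text):
    """Yield non-empty lines with '#' comments and surrounding whitespace removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def _section_matches(kind, arg, filename):
    """<Files ~ "re"> and <FilesMatch "re"> take a regex; plain <Files glob> a shell wildcard."""
    arg = arg.strip()
    if kind.lower() == "filesmatch" or arg.startswith("~"):
        return re.search(arg.lstrip("~").strip().strip("\"'"), filename) is not None
    return fnmatch.fnmatch(filename, arg.strip("\"'"))


def sections_balanced(htaccess_text):
    """False if a <Files>/<FilesMatch> is never closed; Apache then rejects the
    whole .htaccess ('<Files> was not closed') and requests in that directory fail."""
    depth = 0
    for line in _clean_lines(htaccess_text):
        if SECTION_OPEN_RE.match(line):
            depth += 1
        elif SECTION_CLOSE_RE.match(line):
            depth -= 1
    return depth == 0


def access_denied_for(htaccess_text, filename):
    """True if a <Files>/<FilesMatch> section covering filename denies all access."""
    current = None
    for line in _clean_lines(htaccess_text):
        opened = SECTION_OPEN_RE.match(line)
        if opened:
            current = (opened.group(1), opened.group(2))
        elif SECTION_CLOSE_RE.match(line):
            current = None
        elif current and DENY_RE.match(line) and _section_matches(*current, filename):
            return True
    return False


def php_define_value(php_text, name):
    """Boolean value of define('NAME', true|false) in wp-config.php, or None if absent."""
    pattern = r"define\(\s*['\"]" + re.escape(name) + r"['\"]\s*,\s*(true|false)\s*\)"
    found = re.search(pattern, php_text, re.I)
    return None if found is None else found.group(1).lower() == "true"


def htpasswd_entries_ok(htpasswd_text):
    """True only if every user:hash line uses a hash format htpasswd produces."""
    entries = list(_clean_lines(htpasswd_text))
    return bool(entries) and all(
        ":" in e and HTPASSWD_HASH_RE.match(e.split(":", 1)[1]) is not None for e in entries)


def audit(root_htaccess, uploads_htaccess, wp_config, htpasswds):
    """Map each control from the post to True (present) or False (missing or broken)."""
    return {
        "directory_listing_disabled": any(NO_INDEXES_RE.match(l) for l in _clean_lines(root_htaccess)),
        "htaccess_file_protected": access_denied_for(root_htaccess, ".htaccess"),
        "htpasswd_file_protected": access_denied_for(root_htaccess, ".htpasswds"),
        "uploads_php_blocked": access_denied_for(uploads_htaccess, "shell.php"),
        "root_htaccess_well_formed": sections_balanced(root_htaccess),
        "uploads_htaccess_well_formed": sections_balanced(uploads_htaccess),
        "debug_display_off": php_define_value(wp_config, "WP_DEBUG_DISPLAY") is False,
        "file_editing_disabled": php_define_value(wp_config, "DISALLOW_FILE_EDIT") is True,
        "htpasswd_format_valid": htpasswd_entries_ok(htpasswds),
    }


# Constructed samples: a site after the tips were applied, and one before.
HARDENED_ROOT = r"""
Options -Indexes
<Files ~ "^.*\.([Hh][Tt])">
order allow,deny
deny from all
satisfy all
</Files>
"""
PAGE_ROOT = HARDENED_ROOT.replace("([Hh][Tt])", "([Hh][Tt][Aa])")  # the post's exact pattern
HARDENED_UPLOADS = "<Files *.php>\ndeny from all\n</Files>\n"
HARDENED_CONFIG = "define('WP_DEBUG', false);\ndefine('WP_DEBUG_DISPLAY', false);\ndefine('DISALLOW_FILE_EDIT', true);\n"
HARDENED_HTPASSWD = "admin:$apr1$CONSTRUCT$placeholder.not.a.real.hash\n"  # only the prefix is checked
WEAK_CONFIG = "define('WP_DEBUG', true);\ndefine('WP_DEBUG_DISPLAY', true);\n"
WEAK_HTPASSWD = "admin:48bb6e862e54f2a795ffc4e541caed4d\n"  # bare hex MD5, as in the post

if __name__ == "__main__":
    for name, ok in audit(HARDENED_ROOT, HARDENED_UPLOADS, HARDENED_CONFIG, HARDENED_HTPASSWD).items():
        print(("OK      " if ok else "MISSING ") + name)
```

Run it against your own files by reading them into the four arguments; a False for any key tells you which edit did not take, and the two well_formed keys tell you whether Apache will even load the file.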

These are the best ways to secure your WordPress site. Employ them now, before the worst happens. For any issues please comment below and I will do my best to help you.