Due to the popularity of WordPress and the way this CMS works, websites using WordPress are increasingly targeted for attack. WordPress vulnerabilities lie in its login system and in the plugins and themes you install on your site. Plugins are especially susceptible because their security depends on the person who coded them and on their knowledge of PHP.
Apparently more than 70% of WordPress installations are vulnerable to being attacked and taken over, and by following the tips below you can keep your site from becoming part of this statistic.
Let's look at ways to secure the WordPress wp-login.
Protect Your Admin Directory using .htaccess
Using Notepad, create a file called .htpasswds and open it.
Head over to this MD5 generator site, enter a password of your choosing and click generate.
Look for the section “Your Hash”; it will look something like this: “48bb6e862e54f2a795ffc4e541caed4d”.
Go back into Notepad and enter your username, followed by a colon and the hash from the previous step.
Save this file and upload it to a new folder inside the wp-admin directory.
Example : /wp-admin/passwords/
Go back to your root directory (/public_html), open your .htaccess file and add the following code at the bottom:
# Apache expects the hash in htpasswd format (as produced by the htpasswd tool);
# a bare MD5 hex string from a web generator will not be accepted.
# In the root .htaccess these directives apply to the whole site; to limit the
# prompt to the admin area, put the same block in /wp-admin/.htaccess instead.
AuthName "Authorization Needed"
AuthType Basic
AuthUserFile /home/youraccountname/public_html/wp-admin/passwords/.htpasswds
AuthGroupFile /dev/null
require user yourusernamehere
Save the file.
Now, when anyone visits your wp-admin section, they will be asked for these login details before they can enter.
Google Authenticator Two-Factor Authentication
This is one of the best security plugins to protect your site; you can download it here or search for “Google Authenticator” in the Add Plugins section of your site.
The way this works: you install the Google Authenticator app on your phone (iOS or Android), then install the plugin on your site. You set a secret key and display the QR code. You then open the app on your phone and scan the code, and it will automatically add the required information. Whenever you log into your site you will also need the time-limited access code.
Here are the steps:
Install the Google Authenticator WordPress Plugin
Go to your profile page in WordPress and look for “Google Authenticator Settings”.
Enter a site description and click “Create new secret”; the QR code will be displayed.
Open the “Google Authenticator” app on your phone, tap the + symbol and then “Scan Barcode”.
You will now see a 6-digit code on your phone, which refreshes every 10 seconds.
When you visit wp-login.php you will see a new text field where you can enter the code from your phone.
Disable Directory Browsing
This is such a simple fix, yet it's amazing how many people don't do it.
To stop people from browsing your directories, simply add the following code to your site's root .htaccess:
You will go from this
Turning off PHP Errors
PHP allows attackers to trigger errors in your code and see where vulnerabilities may lie. A simple fix is to disable PHP error display within WordPress so that nothing is shown to visitors.
Add the following code to stop PHP errors from being displayed:
// Keep reporting every error (E_ALL) to the log, but never display it to visitors.
ini_set('display_errors', 'Off');
ini_set('error_reporting', E_ALL);
// A stock wp-config.php already defines WP_DEBUG: change that line rather than adding a second define().
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
Disable PHP Execution on Uploads Folder
Another method the bad guys use is to upload a file to your server through a vulnerability in a plugin or theme. These files are often renamed to look like WordPress core files to avoid detection.
The uploads folder is the main place attackers will try to upload a file. While the following code won't stop them uploading it, it will stop any PHP files they do upload from executing.
Create a new .htaccess file on your PC using Notepad, add the following code and upload it to your /wp-content/uploads/ folder:
# Only names ending in .php are matched; on Apache 2.4 "Require all denied" is the modern form of "deny from all".
<Files *.php>
deny from all
</Files>
Protect .htaccess From Unauthorized Access
.htaccess provides a gateway to your server, and any access by unauthorised individuals can compromise your WordPress site's security.
Protect it now by adding this short block of code:
# Matches any filename containing ".hta", so both .htaccess and .htpasswd files are covered.
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
Block File Editing
With the above you should keep most bad guys out of your wp-admin; however, there is always a small chance someone can still gain access through an unknown exploit in a plugin or theme.
This little edit will prevent file editing even if those intruders do get in.
Add this code to the bottom of your wp-config.php file:
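As an added check (not code from this post), here is a small Python audit script that verifies the uploads .htaccess rule, the WP_DEBUG_DISPLAY setting and the file-editing lock from the sections above are present in a WordPress tree. It assumes the wp-config constant for blocking the editor is WordPress's DISALLOW_FILE_EDIT and that directory listing is disabled with Apache's Options -Indexes, since the post shows neither explicitly, and it runs against a constructed sample tree rather than a live site.

```python
import os
import re
import tempfile

# (file relative to the WordPress root, label, regex that must match)
# DISALLOW_FILE_EDIT and "Options -Indexes" are assumed: the post does not spell them out.
CHECKS = [
    ("wp-content/uploads/.htaccess", "PHP execution blocked in uploads", r"<Files\s+\*\.php>.*?deny\s+from\s+all.*?</Files>"),
    (".htaccess", "directory listing disabled", r"^\s*Options\s+-Indexes\b"),
    ("wp-config.php", "file editor disabled", r"define\(\s*'DISALLOW_FILE_EDIT'\s*,\s*true\s*\)"),
    ("wp-config.php", "debug output hidden", r"define\(\s*'WP_DEBUG_DISPLAY'\s*,\s*false\s*\)"),
]

def audit(root):
    """Return {label: bool} for the tree at root; a missing file counts as a failed check."""
    results = {}
    for rel, label, pattern in CHECKS:
        try:
            with open(os.path.join(root, rel), encoding="utf-8") as f:
                text = f.read()
        except OSError:
            results[label] = False
            continue
        results[label] = re.search(pattern, text, re.I | re.M | re.S) is not None
    return results

def build_sample(root, hardened):  # constructed demo tree, not a real install
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    files = {
        ".htaccess": "Options -Indexes\n" if hardened else "# default\n",
        "wp-config.php": "<?php\ndefine('WP_DEBUG', false);\n" + (
            "define('WP_DEBUG_DISPLAY', false);\ndefine('DISALLOW_FILE_EDIT', true);\n"
            if hardened else ""),
    }
    if hardened:  # a stock install has no .htaccess inside uploads at all
        files["wp-content/uploads/.htaccess"] = "<Files *.php>\ndeny from all\n</Files>\n"
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
            f.write(body)

def run_demo(hardened):
    """Audit a throwaway sample tree (hardened or default) and return the check results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root, hardened)
        return audit(root)

if __name__ == "__main__":
    for hardened in (False, True):
        for label, ok in run_demo(hardened).items():
            print(f"{('hardened' if hardened else 'default'):9} {label:34} {'OK' if ok else 'MISSING'}")
```

Point audit() at a real document root to get the same four answers for your own site.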
These are the best ways to secure your WordPress site. Employ them now, before the worst happens. For any issues please comment below and I will do my best to help you.