People create fancy and awesome blogs, but usually don’t care about security. Most of us think about security only when our website gets hacked. Let’s not wait until that happens. Here are a few steps you should take to protect and secure your website from hackers.
Step1: Restrict access to WordPress admin page:
You usually reach your WordPress admin panel via http://your_website_name/wp-admin. That link redirects you to http://your_website_name/wp-login.php, where the username and password of your WordPress admin dashboard are requested. Anyone who can reach this page can run a brute-force attack against it (trying every combination of username and password). Let’s restrict access to this page to you alone; ideally nobody except you needs the admin dashboard of your website.
To do this, you need to know the public IP address of the network from which you usually access your website.
Find your public IP address at https://whatismyipaddress.com/ and add it to your .htaccess file. To do that:
1. Go to the document root of your website.
2. Open the .htaccess file (if it’s not there, create one) and add the entries shown below. The two addresses 126.96.36.199 and 188.8.131.52 are dummy IPs for demonstration; replace them with your own. The <Files wp-login.php> wrapper matters: it limits the rule to the login page, whereas the same Deny/Allow lines placed bare in the document root .htaccess would lock every visitor out of the whole site. If your ISP gives you a changing IP address, remember to update the list, or you will lock yourself out as well. (This is the Apache 2.2 syntax; Apache 2.4 uses Require ip instead.)
<Files wp-login.php>
Order deny,allow
Deny from all
Allow from 126.96.36.199
Allow from 188.8.131.52
</Files>
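The following shell script is an added example, not part of the original post: it validates each address and prints an .htaccess fragment for wp-login.php that works on both Apache 2.2 (Order/Deny/Allow) and Apache 2.4 (Require ip), selected with IfModule on mod_authz_core. The 192.0.2.x addresses in the usage line are constructed TEST-NET values, and the /var/www/html path in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): emit an .htaccess fragment that
# limits wp-login.php to a list of IPv4 addresses, in a form that works on both
# Apache 2.2 (mod_authz_host Order/Allow/Deny) and 2.4 (mod_authz_core Require).
# The addresses used at the bottom are constructed TEST-NET values (192.0.2.0/24).

# Return 0 if $1 is a dotted-quad IPv4 address whose four octets are 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# Print the fragment for the given addresses; fail without output on a bad one,
# so a typo never produces a rule that locks you out.
login_acl() {
    [ $# -gt 0 ] || { echo "usage: login_acl IP [IP...]" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    done
    echo '<Files wp-login.php>'
    echo '  # Apache 2.4: several Require lines at this level are OR-ed together'
    echo '  <IfModule mod_authz_core.c>'
    for ip in "$@"; do echo "    Require ip $ip"; done
    echo '  </IfModule>'
    echo '  # Apache 2.2: deny everyone, then allow only the listed addresses'
    echo '  <IfModule !mod_authz_core.c>'
    echo '    Order deny,allow'
    echo '    Deny from all'
    for ip in "$@"; do echo "    Allow from $ip"; done
    echo '  </IfModule>'
    echo '</Files>'
}

# Usage: append the output to the document root .htaccess, for example
#   login_acl 192.0.2.10 192.0.2.20 >> /var/www/html/.htaccess   (path assumed)
login_acl 192.0.2.10 192.0.2.20
```

Both branches are emitted so the same fragment can be copied between an old and a new server; Apache 2.4 always has mod_authz_core loaded, so it takes the Require branch and ignores the 2.2 block.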
Step2: Change WordPress admin user:
You know that the default WordPress administrator user is ‘admin’. Let’s change it to something else.
Follow the steps given below.
1. Open WordPress admin panel.
2. Click ‘Users‘ on the left side bar.
3. Create a new user with administrator privilege.
4. Log out of the dashboard.
5. Log in with the newly created user.
6. Go to ‘Users‘ on the left side bar again and delete the ‘admin’ user. When WordPress asks what to do with that user’s content, attribute it to the new user so that no posts are lost.
Step3: Give a strong WordPress admin password:
Let’s set a strong password for your administrator account. WordPress generates a strong password for you; you can use it or choose one yourself, but it should be a minimum of 8 characters including uppercase letters, lowercase letters and special characters. Please don’t include your name or anything else easily guessable; let it be a random string.
There are a lot of online password generators that can also help you.
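As an added example (not code from the original post), here is a small shell script that checks a password against exactly the policy stated above (at least 8 characters, with uppercase, lowercase and a special character) and generates one locally from /dev/urandom, so nothing has to be typed into a third-party website. It assumes /dev/urandom and the POSIX tools tr, head and grep are available; the sample passwords are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): enforce the post's password policy
# and generate a compliant password locally. Assumes /dev/urandom exists.
LC_ALL=C
export LC_ALL   # byte-wise character classes for tr and grep

# Return 0 if $1 meets the policy (length >= 8, an upper-case letter, a
# lower-case letter and a non-alphanumeric character), 1 otherwise.
strong_enough() {
    [ "${#1}" -ge 8 ] || return 1
    printf '%s' "$1" | grep -q '[A-Z]' || return 1
    printf '%s' "$1" | grep -q '[a-z]' || return 1
    printf '%s' "$1" | grep -q '[^A-Za-z0-9]' || return 1
    return 0
}

# Print a random password of length $1 (default 16). Characters are drawn from
# /dev/urandom; the loop re-draws until every class in the policy is present.
gen_password() {
    len=${1:-16}
    [ "$len" -ge 8 ] || { echo "length must be at least 8" >&2; return 1; }
    pw=""
    until strong_enough "$pw"; do
        pw=$(tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' < /dev/urandom | head -c "$len")
    done
    printf '%s\n' "$pw"
}

# Usage: constructed sample checks, then a freshly generated password.
strong_enough 'Correct-Horse9' && echo "policy ok: Correct-Horse9"
strong_enough 'password' || echo "rejected: password"
gen_password 20
```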
Step4: Let’s disable DirectoryIndex of your WordPress website:
If directory listing (DirectoryIndex) is enabled for your website, visitors can see and download the files of a directory through the browser simply by requesting that directory’s URL. This happens only when no index file (index.html, index.php, index.pl, etc.) is present in that directory.
You are putting your website’s security at risk here by exposing everything. Let’s disable the DirectoryIndex by following the steps below.
1. Open or create the .htaccess file in the website’s document root.
2. Add Options -Indexes at the bottom of the file.
Now visitors get a 403 Forbidden page when they access a directory that has no index file.
Step5: Secure the server where WordPress installed:
If your website is hosted on a shared web-hosting plan, you don’t have to worry about this: whoever your hosting provider is, they take care of server security.
If you manage the server yourself, on a VPS or a dedicated server, please read the following.
1. Make sure you are using stable and secure versions of Apache, MySQL, WordPress and PHP. I suggest you always upgrade them so that all security patches are applied to those packages.
Here are the official websites for each of them; have a look.
Apache - https://httpd.apache.org/
PHP - http://php.net
WordPress - https://wordpress.org/download/
MySQL - https://dev.mysql.com/doc/
If you installed Apache, MySQL and PHP using APT or YUM, you should be fine as long as you apply the package manager’s updates regularly, because APT and YUM repositories usually carry only the latest stable version.
2. Make sure unnecessary processes are not listening for connections from the internet on your server. Run the command below to find the listening ports (on newer distributions, ss -tulnp gives the same information):
netstat -tulnp | grep LISTEN
On a LAMP server you only need ports 80, 443 and 22 open to the world. (You might also have MySQL listening on 3306 and a mail service listening on 25; that is fine as long as they are bound to localhost and not open to the world.) So restrict every port except these in the firewall.
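To turn that check into something repeatable, here is an added example (not from the original post) that reads netstat -tulnp style output and reports every TCP listener bound to all interfaces (0.0.0.0 or ::) whose port is not in the allow-list of 22, 80 and 443. The netstat output embedded in the script is constructed for this example; the process names and PIDs in it are made up.

```shell
#!/bin/sh
# Added example (not from the original post): scan `netstat -tulnp` style output
# for TCP listeners exposed on every interface outside an allow-list of ports.
# Real input comes from `netstat -tulnp` (or `ss -tulnp` on newer systems).

# Constructed sample of `netstat -tulnp` output. MySQL and the mail daemon are
# bound to localhost only; one extra service on 8080 is exposed to the world.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1021/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1302/apache2
tcp6       0      0 :::443                  :::*                    LISTEN      1302/apache2
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1410/node
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1500/master
udp        0      0 0.0.0.0:68              0.0.0.0:*                           700/dhclient'

# exposed_listeners "22 80 443" < netstat-output
# Prints "<port> <pid/program>" for each TCP LISTEN socket bound to all
# interfaces whose port is not in the space-separated allow-list given as $1.
# UDP lines carry no State column, so, like the post's `grep LISTEN`, they are skipped.
exposed_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)                       # text after the last colon
            host = substr($4, 1, length($4) - length(port) - 1)   # everything before it
            if ((host == "0.0.0.0" || host == "::") && !(port in ok))
                print port, $7
        }'
}

# Run the check over the constructed sample with the LAMP allow-list.
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners "22 80 443"
}

# Usage on a live server would be:  netstat -tulnp | exposed_listeners "22 80 443"
audit_sample
```

Anything the script prints is either a service to stop, one to rebind to 127.0.0.1, or one to add to the firewall allow-list deliberately; an empty result means the listening side of the server matches the rule stated above.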
Step6: Double verify plugins and theme of your WordPress:
I know you are choosy about your plugins and themes. Rather than looking only at the style, please do a background check on the author of the theme or plugin: check how popular they are and how often they release security patches and updates. Some authors only build a plugin or theme and never release any updates after development; I would not recommend using their products.
Please read thoroughly about any plugin at https://wordpress.org/plugins/ and any theme at https://wordpress.org/themes/, and don’t forget to consider reviews and ratings when choosing.
I will be adding a lot more useful information to this article soon. Stay tuned by subscribing to the website.