People create fancy and awesome blogs, but usually don't care about security. Most of us think about security only when our website gets hacked. Let's not wait until that happens. I will introduce a few steps that you should take to secure your website from hackers.
Step1: Restrict access to WordPress admin page:
You usually access your WordPress admin panel via the link http://your_website_name/wp-admin. This link redirects you to the page http://your_website_name/wp-login.php, where the username and password of your WordPress admin dashboard are asked for. Hackers can run a brute-force attack (trying every combination of username and password) if they can reach this page. Ideally nobody needs access to the admin dashboard of your website except you, so let's restrict access to this page to you only.
To do this, you need to know the public IP address of the network from where you usually access your website.
Find out your public IP address from here => https://whatismyipaddress.com/ and add it in your .htaccess file. To do that:
1. Go to the document root of your website.
2. Open the .htaccess file (if it's not there, create one) and add the entries shown below. Here I added two dummy IPs 18.104.22.168 and 22.214.171.124 for demonstration.
<Files wp-login.php>
order deny,allow
allow from 126.96.36.199
allow from 188.8.131.52
deny from all
</Files>
Step2: Change WordPress admin user:
As you know, the default WordPress administrator user is admin. Let's change that to something else.
Follow the steps given below.
1. Open WordPress admin panel.
2. Click Users on the left side bar.
3. Create a new user with administrator privilege.
4. Log out of the dashboard.
5. Log in with the newly created user.
6. Go to Users on the left side bar again and delete the admin user.
Step3: Give a strong WordPress admin password:
Let's generate a strong password for your administrator account. WordPress can generate a strong password for you. You can either use it or create a password yourself, but it should be a minimum of 8 characters with an uppercase letter, a lowercase letter and a special character. Please don't include your name or anything easily predictable in the password. Let it be a random string.
There are a lot of online password generators. You can also get help from them.
Step4: Install Wordfence – a WordPress security Plugin:
Wordfence is a WordPress security plugin which protects your website from brute-force attacks, DDoS and malware. Wordfence alerts you if you are using a weak password or if the password you are using is a compromised one. Wordfence also checks requests to your website and blocks IP addresses which show malicious behaviour. You can also block a particular IP address using Wordfence.
Download and install Wordfence to secure your WordPress website. Read the documentation from here >>
Step5: Disable directory listing:
If directory listing (Apache's Indexes option) is enabled for your website, visitors can see and download the files of a directory via the browser when they access that directory by its URL. This happens only when index files like index.html, index.php, index.pl, etc. are not present in that directory.
You are risking your website's security here by exposing everything. Let's disable directory listing by following the steps given below.
1. Open/create the .htaccess file in the website's document root.
2. Add Options -Indexes at the bottom of the file.
Now visitors get a forbidden page when they access a directory where no index file is present.
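To confirm that both .htaccess changes (the wp-login.php restriction from Step 1 and the Options -Indexes line above) are really in effect in the file, here is a small checker. It is an added example, not part of the original article; the function names and the sample file (with the constructed address 203.0.113.10) are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample: the Step 1 block is present, but the
# Options -Indexes line is commented out, so listing stays on.
sample_htaccess() {
cat <<'EOF'
<Files wp-login.php>
order deny,allow
allow from 203.0.113.10
deny from all
</Files>
# Options -Indexes
EOF
}

# audit_htaccess: reads an .htaccess on stdin, prints one finding per setting.
# Usage on a real file: audit_htaccess < /path/to/document_root/.htaccess
audit_htaccess() {
  awk '
    { l = tolower($0); sub(/^[ \t]+/, "", l) }   # directives are case-insensitive
    l ~ /^#/ { next }                            # commented-out lines do not count
    l ~ /^<files[ \t]+"?wp-login\.php"?[ \t]*>/ { inb = 1; block = 1; next }
    l ~ /^<\/files>/ { inb = 0; next }
    inb && l ~ /^deny[ \t]+from[ \t]+all/ { deny = 1 }
    inb && l ~ /^allow[ \t]+from[ \t]+/ {
      # with "order deny,allow" an "allow from all" overrides the deny
      if (l ~ /^allow[ \t]+from[ \t]+all/) open = 1; else ips++
    }
    l ~ /^options[ \t]/ {                        # the last Options line wins
      if (l ~ /[ \t]-indexes/) noidx = 1
      else if (l ~ /[ \t]\+?indexes/) noidx = 0
    }
    END {
      if (!block)     print "wp-login: no <Files wp-login.php> block"
      else if (!deny) print "wp-login: block lacks \"deny from all\""
      else if (open)  print "wp-login: \"allow from all\" reopens the page"
      else if (!ips)  print "wp-login: no address allowed, admin is locked out"
      else            print "wp-login: restricted to " ips " address(es)"
      print (noidx ? "indexes: listing disabled" : "indexes: Options -Indexes missing")
    }'
}

# Demonstration on the constructed sample.
sample_htaccess | audit_htaccess
```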
Step6: Secure the server where WordPress is installed:
If your website is hosted on a "shared web hosting plan", then you don't have to worry about this, because whoever your web hosting provider is, they take care of the server security.
If you manage your website yourself on a VPS or dedicated server, please read the following.
Here are the official websites of each of them. Just go through them.
Apache - https://httpd.apache.org/
PHP - http://php.net
WordPress - https://wordpress.org/download/
MySQL - https://dev.mysql.com/doc/
If you installed Apache, MySQL and PHP using APT or YUM, then it should be fine, because APT and YUM usually keep only the latest/stable version in their repositories.
2. Make sure unnecessary processes are not listening for connections from the internet on your server. Run the command below to find the listening ports.
netstat -tulnp | grep LISTEN
On a LAMP server, you only need ports 80, 443 and 22 open to the world. (You might have MySQL listening on 3306 and a mail service listening on 25. This is fine unless they are open to the world.) So you can block all ports except these in the firewall.
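The check described above can be automated by filtering the netstat output against the list of ports that are meant to be public. This is an added example, not part of the original article; the function names and the sample output are constructed for illustration. Unlike the grep LISTEN filter, it also reports UDP sockets, which have no LISTEN state.

```shell
#!/bin/sh
# Constructed sample of `netstat -tulnp` output (not from a real server).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      950/mysqld
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1021/master
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      1100/redis-server
tcp6       0      0 :::80                   :::*                    LISTEN      1333/apache2
tcp6       0      0 :::443                  :::*                    LISTEN      1333/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
EOF
}

# exposed_listeners ALLOWED_PORTS
# Reads `netstat -tulnp` output on stdin and prints "proto port pid/program"
# for every socket that is bound to a non-loopback address and whose port
# is not in the comma-separated allowlist.
# Usage on a real server: netstat -tulnp | exposed_listeners "22,80,443"
exposed_listeners() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)/ {
      port = $4; sub(/^.*:/, "", port)      # text after the last colon
      host = $4; sub(/:[^:]*$/, "", host)   # text before the last colon
      if (host ~ /^127\./ || host == "::1") next   # loopback only, not reachable from outside
      if (port in ok) next                         # intentionally public
      print $1, port, $NF
    }'
}

# Demonstration on the constructed sample: MySQL on 127.0.0.1 is accepted,
# while the mail service on 0.0.0.0:25 is reported as open to the world.
sample_netstat | exposed_listeners "22,80,443"
```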
Step7: Double-check the plugins and themes of your WordPress:
I know you are choosy about plugins and themes. Rather than only looking at the style, please do a background check on the author of the theme or plugin. Check how popular they are and how often they release security patches and updates. There are authors who only build plugins or themes but do not release any updates after development. I would not recommend that you use their products.