WordPress is the most popular CMS, which also makes it a top target for attacks. In this post, we will see how to make your WordPress site a ‘little’ more secure. I say a little more because that’s the reality: someone will always find a way.
With tools like Wappalyzer or sites like Is It WordPress, it’s very easy to identify whether a website is WordPress based. Once someone knows your site is WordPress based, it only takes three other things to break into your site:
- Login URL
- Username
- Password
It’s common knowledge that the default login URL for a WordPress based site is ‘www.yoursite.com/wp-login’. What is also very common is that every site has an ‘admin’ user. Well, that was very easy: we have figured out two of the three things required. Now the password may require some work to crack, but if your password is weak, then with techniques like brute force even that can be cracked. And that is how safe WordPress based sites are.
Why not make life a little bit difficult for someone trying to break into our site? Why not make your WordPress site a little more secure?
Make sure everything is updated:
This might seem trivial, but it’s very important. WordPress comes out with regular updates and new versions, and the same goes for plugins and themes. Each update not only gives us new features but, more importantly, fixes security bugs. Always keep your WordPress instance, plugins and themes up to date.
Before installing any plugin or trying any of these steps, back up your WordPress files and database.
Make sure that the plugin is compatible with your instance of WordPress and that your WordPress instance is the latest version out there.
Change WordPress login URL:
Let’s start with the login URL. Think about it: what use are a username and password if you don’t know the login URL?
You should change the login URL to something easy for you to remember but difficult for others to guess. So ‘www.mysite.com/wp-admin/’ can be changed to something like ‘www.mysite.com/mysecretentry/’.
Plugin that you could use: https://wordpress.org/plugins/custom-login-url/
Delete/Rename ‘admin’ user:
Cool, so we have changed our login URL; now let’s fix our username issue. As far as possible, don’t have ‘admin’ as a username: it’s common and easy to guess. If you already have an admin user, you should create another user with admin rights, assign this new user all the posts and pages created by admin, and then delete the admin user or give the admin user minimum rights.
Check this post for more details on how to delete and add users: http://www.wpbeginner.com/wp-tutorials/how-to-change-your-wordpress-username/
Use a strong password:
So we have fixed two issues that can be easily guessed. We don’t share our passwords with anyone, but we also have to make sure that our passwords are not easy to guess.
WordPress has an indicator that tells us whether our password is strong. Use this indicator and always set a strong password. If required, use a password generator like this one: https://identitysafe.norton.com/password-generator/.
Now that we have fixed all three of the security issues we identified, there is one little detail that still needs fixing.
Don’t show user login name on author page:
WordPress has author pages. While it is good to show author info and posts by the author, the URL to this page contains the author’s username. Again, it’s not a good idea to display usernames to the world. The way to fix this is to change the user slug. This post does a good job of explaining how this can be done: http://www.wpbeginner.com/plugins/how-to-change-author-url-slug-and-base-in-wordpress/
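As an added example (not code from this post or from the linked WPBeginner article), here is a small must-use plugin that does the slug change automatically: it moves author pages from /author/ to /writer/ and gives every new or edited user a public slug that is unrelated to the login name. The ‘writer’ base, the ‘writer-xxxxxxxx’ slug scheme and the mu-plugins placement are my own choices; the hooks and functions are standard WordPress core APIs.

```php
<?php
/*
 * Plugin Name: Hide login names in author URLs (added example)
 * Save this file as wp-content/mu-plugins/hide-author-login.php; mu-plugins load on every request.
 */

// 1. Change the author base so author pages live under /writer/<slug>/ instead of /author/<slug>/.
//    Re-save Settings > Permalinks once after adding this file so WordPress flushes its rewrite rules.
add_action( 'init', function () {
    global $wp_rewrite;
    $wp_rewrite->author_base = 'writer';   // assumed base; pick anything that is not 'author'
} );

// 2. Give each user a public slug (user_nicename) that does not mirror the login name.
//    Core derives user_nicename from user_login via sanitize_title(), so by default the author
//    URL reveals exactly the username an attacker would need for a password-guessing attempt.
function example_randomize_author_slug( $user_id ) {
    static $busy = false;                  // wp_update_user() re-fires profile_update; block re-entry
    if ( $busy ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    // Only act while the slug still equals the core default derived from the login name.
    if ( $user->user_nicename !== sanitize_title( $user->user_login ) ) {
        return;
    }

    $busy = true;
    wp_update_user( array(
        'ID'            => $user_id,
        // Assumed scheme: "writer-" plus 8 random lowercase characters, e.g. writer-k3p9q2xv.
        // If the slug collides with an existing one, core appends a numeric suffix itself.
        'user_nicename' => 'writer-' . strtolower( wp_generate_password( 8, false ) ),
    ) );
    $busy = false;
}
add_action( 'user_register',  'example_randomize_author_slug' );   // new users
add_action( 'profile_update', 'example_randomize_author_slug' );   // existing users, on next profile save
```

Existing users keep their old slug until their profile is saved once, so after installing this, open and save each author’s profile (or set user_nicename with WP-CLI) and confirm the old /author/username/ URL no longer resolves to the author page.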
That’s a lot of work to make your WordPress site a little more secure, but these are basic security steps that should be taken. I will follow up with another post that looks at some more security measures.