Buzz
Tips for Enhancing WordPress Security
1. Change the default 'wp_' prefix.
2. Hide login error messages.
3. Protect the wp-admin directory.
4. Maintain backups.
5. Prevent directory browsing.
6. Keep files updated.
7. Choose strong passwords.
8. Remove administrators.
9. Disable XMLRPC.
10. Add HTTP security headers.
For those just starting out with WordPress blogging, make sure you're always up to date with the latest version. Also, consider the following tips to enhance the security of your WordPress.
1. Change the default 'wp_' prefix
Your website could be vulnerable to certain exploits (e.g., SQL Injection) if you're using the wp_ prefix that can be guessed in database tables. You can change the default wp_ prefix to enhance security.
2. Hide login error messages
Login error notifications can give hackers an idea if they've received correct/incorrect usernames. It's wise to hide it from unauthorized logins.
To hide login error messages, simply insert the following code snippet into functions.php:
3. Protect the wp-admin directory
Keeping the 'wp-admin' directory protected means you've added a layer of security. Anyone attempting to access files or directories beyond 'wp-admin' will be prompted to log in. Protecting your 'wp-admin' directory with login credentials can be done in several ways:
- WordPress Plugin: Use WordPress HTTP Auth.
- cPanel: If your hosting supports cPanel admin login, you can easily set up protection on any directory through cPanel's user-friendly interface Password Protect Directories.
- .htaccess + htpasswd: Secure directories with passwords by placing the directories you want to protect inside .htaccess and .htpasswd.
4. Maintain backups
Keeping backups of your entire WordPress blog is as crucial as keeping your website safe from hackers. If all security efforts fail, at least you still have backup files to restore. There are two types of backups: Full backups and Incremental backups.
A full backup will include everything on the website such as files and databases. This method consumes more space than necessary and can cause a sudden spike in CPU and disk usage when performing backups. Therefore, you should not opt for full backups if your website has limited resources.
On the other hand, incremental data backups will only store full data the first time, then add changes over time. There are several options for this backup type in WordPress which require users to pay a considerable fee like VaultPress and WP Time Capsule.
5. Prevent directory browsing
Another major security vulnerability of WordPress is exposing directories and files that can be publicly accessed. First, try checking if your WordPress directories are well-protected by entering the URL https://www.domain.com/wp-includes/ in your browser. If it doesn't display or redirects you back to the homepage, it means your directories are safe. However, if you see a screen similar to the image below, it means your site is not protected.
To prevent access to all directories, place this code in your .htaccess file:
If your website runs on nginx, you can add the following:
6. Always update WordPress core files & plugins
One of the most effective ways to keep your WordPress website secure is to ensure files are always updated to the latest release. Currently, WordPress has integrated automatic updates; you just need to make sure you or your developer doesn't disable this feature.
7. Choose a strong password
WordPress now has a strong password suggestion field like the image below when creating a new account or updating a password. It will evaluate whether your password is strong or weak. You should choose a strong password, but the downside is you may not remember the characters in the password string. You can also use a password manager like 1Password or LastPass.
8. Remove the administrator
A typical WordPress installation usually comes with a default user named 'admin.' For security reasons, you shouldn't use this administrator account to log into your WordPress blog.
A safer approach to logging in is to create a new administrator and delete the default 'admin.' You can follow these steps:
- Log into the WordPress dashboard
- Go to Users -> Add New
- Add a new user with the Administrator role and choose a strong password.
- Log out of WordPress, log back in with your new administrator.
- Go to Users
- Delete the 'admin' account
If you've ever used the 'admin' account to post content, don't forget to reassign all post attributes to the new user account.
9. Disable XMLRPC
XMLRPC in WordPress is a common target for hackers. You can disable it when your website doesn't require XMLRPC, or restrict the XMLRPC endpoint for certain IP addresses if necessary, for example:
10. Add HTTP security headers
Adding HTTP security headers is another way to enhance the security layer for your website, helping to minimize network attacks. The headers will be injected into the browser to enforce certain directions set within the headers. For example, X-Frame-Options will allow you to check if the website can be embedded in an iframe or not. Other types of headers you can add include: X-XSS-Protection, Strict-Transport-Security, X-Content-Type-Options, Content-Security-Policy, and Referrer-Policy.
In addition to the methods above, you can also subscribe to WPVulnDB to identify vulnerabilities in your website's security. WPVulnDB will scan WordPress Core and Plugins, indicating the type of vulnerability, which versions are affected, and whether they have been patched or not.
Furthermore, you can learn more about WordPress login security here.
