WordPress Security | secure wordpress site
Security is something we practise every day without calling it that. The world is becoming more digital by the day, arguably by the second, and every new feature in our smartphones and computers can bring a new vulnerability with it. We all lock our phones in some way: screen lock, pattern lock, password lock, or the old-fashioned PIN. We pick whichever we like to protect the device from unwanted access and data theft. If we take a phone's security that seriously, we should take WordPress security just as seriously, because, as said above, new features sometimes come with new vulnerabilities.
Let’s see what you will be reading below:
- Taking Backups
- Updating WordPress: Software, Themes, and Plugins.
- Combination of Strong Password with 2 Factor Authentication.
- Username and Password, Limited Login Attempts.
- Disabling Theme and Plugin Editors.
- Securing the WordPress Admin Directory.
- WordPress Database Prefix.
- SSL Certificate Importance
- Disadvantages of Free Plugins.
Taking Backups:
Backing up your site often is essential, and every website owner knows it. Regrettably, many new WordPress users do not take backups as seriously as they should. If something goes wrong with the site or with WordPress itself, whether a failed update, a hack or a hosting failure, a recent backup is the only thing that gets you back. Back up both the database and the files (wp-content in particular, which holds your themes, plugins and uploads), keep copies somewhere other than the web server itself, and test a restore at least once so you know the backup actually works.
Updating WordPress: Software, Themes, and Plugins
WordPress is open-source software, originally built for blogging and now widely used for business sites as well. At the time of writing the current version is WordPress 5.1.1, which ships 14 enhancements and fixes. WordPress 5.1 and earlier were affected by a bug that let a single maliciously crafted comment inject cross-site scripting into a post; this is fixed in the latest update.
So, update WordPress core whenever a new release is available, and do the same for the themes and plugins on your site. Surveys of hacked WordPress sites consistently find that most of them were running outdated core, themes or plugins.
WordPress ships two kinds of updates. Major releases (for example 5.0 to 5.1) add features; you can reasonably wait up to a week to test them first. Minor releases (5.1 to 5.1.1) carry the critical security and maintenance fixes, and those you must apply as soon as possible. By default WordPress installs minor releases automatically in the background; check that this has not been switched off on your site.
Make sure you have a backup before you update the core, or you may lose your site.
How to update: in your site dashboard you will see a notification listing the updates required; apply them from there. Alternatively, download the latest release from the official WordPress website and upload it over your existing files, taking care never to overwrite wp-config.php or the wp-content folder. Whichever is more comfortable for you.
Combination of Strong Password with 2 Factor Authentication:
Two-factor authentication, 2FA for short, is a high-level security feature used on many platforms. It combines your password with a one-time code generated by an authenticator app on your phone, such as Google Authenticator. The code is not really random: the app and the server share a secret (that is what the QR code carries), and each code is derived from that secret and the current time, so it changes every 30 seconds and is worthless once it expires.
How to set up 2FA on cPanel: log in to your hosting control panel (cPanel). In the Security section, click Two-Factor Authentication. Scan the QR code with the authenticator app on your phone, or enter the secret shown there into the app manually. Note that this protects your cPanel login only; the WordPress dashboard at wp-login.php is a separate login and needs its own 2FA plugin to get the same protection.
After enabling 2FA you must keep the phone with the authenticator app with you: every login asks for your password and the current code from the app, and without both it will not open. Plan for a lost phone before it happens, either by keeping the manually entered secret somewhere safe and offline or by confirming with your host how 2FA is reset.
You may read: How to set up 2-factor security
Username and Password, Limited Login Attempts:
The username is what you enter in place of the default "admin" when installing WordPress on your domain, and the password is what you enter in place of "pass"; it must be hard for anyone else to guess. Do not keep "admin" as the username: it is the first one every automated attack tries. Now to logging in. By default, WordPress lets anyone try passwords as many times as they like. Yes, there is a Forgot Password link for when you forget your own, but what if the person trying to log in is not you?
Well, there are many plugins that stop unknown people from brute-forcing their way into your site. One is Loginizer. Install it on your WordPress site and follow its instructions; from then on, after a set number of wrong attempts, further attempts from that source are blocked for a while.
Once you have chosen the username during installation you cannot change it from the profile screen (there are workarounds, but they take time). If you have activated limited login attempts, the limit applies to you as well, so if you forget your password do not keep guessing: click Forgot Password and reset it. If you keep entering wrong credentials your IP address may be blocked for a while.
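What a limited-login-attempts plugin does behind the scenes, as an added example that is not part of the original post and is not Loginizer's code: the policy below is a hypothetical one written for this post. It counts failures per source IP and per target username, because an attacker who rotates IP addresses against "admin" should still be stopped, and then replays a constructed log of attempts (documentation IP ranges, not real traffic) to show which ones get through.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

Key = Tuple[str, str]  # ("ip", address) or ("user", username)


@dataclass
class LoginLimiter:
    """Counts failed logins per source IP and per target username.
    When either key reaches max_attempts failures inside `window` seconds,
    that key is locked for `lockout` seconds. Hypothetical policy engine,
    not the code of any particular plugin."""
    max_attempts: int = 5
    window: int = 600
    lockout: int = 900
    _failures: Dict[Key, Deque[int]] = field(default_factory=lambda: defaultdict(deque))
    _locked_until: Dict[Key, int] = field(default_factory=dict)

    @staticmethod
    def _keys(ip: str, username: str) -> Tuple[Key, Key]:
        # WordPress usernames are matched case-insensitively, so normalise.
        return ("ip", ip), ("user", username.lower())

    def is_locked(self, ip: str, username: str, now: int) -> bool:
        return any(now < self._locked_until.get(k, 0) for k in self._keys(ip, username))

    def record_failure(self, ip: str, username: str, now: int) -> None:
        for key in self._keys(ip, username):
            q = self._failures[key]
            while q and q[0] <= now - self.window:   # forget failures outside the window
                q.popleft()
            q.append(now)
            if len(q) >= self.max_attempts:
                self._locked_until[key] = now + self.lockout
                q.clear()

    def record_success(self, ip: str, username: str) -> None:
        for key in self._keys(ip, username):
            self._failures.pop(key, None)


def replay(attempts: List[Tuple[int, str, str, bool]],
           limiter: LoginLimiter) -> List[str]:
    """Run (time, ip, username, password_correct) events through the policy;
    a locked key rejects the attempt before the password is even checked."""
    outcomes = []
    for now, ip, user, password_ok in attempts:
        if limiter.is_locked(ip, user, now):
            outcomes.append("locked")
        elif password_ok:
            limiter.record_success(ip, user)
            outcomes.append("success")
        else:
            limiter.record_failure(ip, user, now)
            outcomes.append("failed")
    return outcomes


# Constructed sample attempt log: one source guesses "admin" six times, then
# switches IP, while a real editor logs in from elsewhere; the last event
# falls after the 900-second lockout has expired.
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.5", "admin", False),
    (10, "203.0.113.5", "admin", False),
    (20, "203.0.113.5", "admin", False),
    (30, "203.0.113.5", "admin", False),
    (40, "203.0.113.5", "admin", False),
    (50, "203.0.113.5", "admin", False),
    (60, "203.0.113.6", "Admin", False),
    (70, "198.51.100.7", "editor", True),
    (1000, "203.0.113.5", "admin", False),
]

if __name__ == "__main__":
    for event, result in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS, LoginLimiter())):
        print(event[:3], "->", result)
```

Notice the trade-offs the replay exposes. The per-username lock is what stops the IP switch at t=60, but it also means an attacker can lock the real administrator out simply by failing five times against that name, which is one more reason to pair login limiting with 2FA. The per-IP lock catches everyone behind a shared office or mobile-carrier address. A real WordPress plugin keeps these counters in the database rather than in memory, because every request is a fresh PHP process.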
Disabling Theme and Plugin Editors:
WordPress ships with two built-in editors: the Theme Editor and the Plugin Editor. The Theme Editor lets you edit the files of the theme currently in use, for example to remove credits from the footer or add a Google Analytics snippet to the header; use it only when you genuinely need to change the theme. The Plugin Editor is the least-used function in WordPress. It is mostly for developers, and if you do not know what it does you should not touch it.
Now assume an attacker gets into your WordPress dashboard. The quickest way to take over the site is to write code into a theme or plugin file, and both editors allow exactly that, because WordPress gives unrestricted file editing to any administrator who is logged in. Once that is done your site may stop working, serve corrupted content, or run the attacker's code on every request. That is one reason to disable both editors. Another is that if you have several users on the site, any of them with the right role could, deliberately or by mistake, make a change to the code that takes the site down. These are the common reasons why you should disable the editors.
How to disable: the editors are switched off by a constant in wp-config.php. That file lives in the root folder of your WordPress installation, not inside the theme, so it cannot be changed from Appearance→Editor. Open it with cPanel's File Manager (or over FTP/SFTP), add the line below just above the comment that says "That's all, stop editing! Happy blogging.", and save the file:
define( 'DISALLOW_FILE_EDIT', true ); // removes Appearance→Editor and Plugins→Editor for every user
Both editors disappear from the menu once you reload the dashboard. To reverse it, open wp-config.php again in cPanel's File Manager (or over FTP) and remove the line.
Before disabling, make sure you have File Manager or FTP access to the server, because editing wp-config.php directly is the only way to enable the editors again. Note also that this only removes the in-dashboard editors; an administrator account can still upload a plugin or theme ZIP, so treat it as closing one easy door rather than as a complete fix.
Securing WordPress Admin Directory:
By default, anyone can reach the login page of a WordPress site at mydomain.com/wp-admin (or mydomain.com/wp-login.php), where mydomain.com is your domain. There are two popular ways to change this: via a plugin, or via cPanel. I will cover the former only, since the latter is more involved. After logging in to the dashboard, go to Plugins→Add New and search for WP Hide Login; the plugin appears in the results:
Install it, then activate it. You should be taken to its settings automatically; otherwise go to Settings→General, where the plugin adds its panel:
Replace "wp-admin" with the path you want to use to log in to your dashboard and click Save Changes. For example, if you enter "securelogin" in the box, you log in at mydomain.com/securelogin from then on, and the old wp-admin and wp-login.php addresses stop working for anyone who is not already logged in.
Memorise the new login URL after you change it. If you forget it and do not have cPanel access (where you could disable the plugin by renaming its folder), you will have to contact your website developer. Bear in mind that this hides the form rather than strengthening the login: anyone who learns the new URL is back where they started, and other ways of authenticating to WordPress, such as xmlrpc.php, are not affected, so keep the strong password and login limits in place.
You may read: How to hide login URL
WordPress Database Prefix:
The WordPress database is the source of everything on your site and the foundation of the installation, which makes it the most valuable target for spammers and their seniors, the hackers. By default, when you install WordPress via cPanel you will see "wp_" in the Table Prefix box. That is the prefix every automated attack script assumes, so make yours less guessable. Whatever you enter must end with an underscore (_) and may contain only letters, numbers and underscores; the installer rejects anything else. Keeping "wp" at the start (for example wp_k7p3_) simply keeps the tables grouped together when you browse the database. Be clear about what this buys you: a custom prefix only defeats scripted SQL injection attempts that hard-code names such as wp_users and wp_options; it does nothing against the injection flaw itself, which is fixed by keeping core and plugins updated. Changing the prefix on an existing site means renaming every table and also updating the rows that embed the prefix (the wp_user_roles option and the wp_capabilities and wp_user_level user meta keys), so it is best decided at install time.
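A quick way to check both wp-config.php settings discussed on this page (the DISALLOW_FILE_EDIT constant from the editors section and the $table_prefix from this one), as an added example that is not part of the original post and is not WordPress's own code: run it against a copy of your wp-config.php. The sample configs embedded below are constructed, and the "k7p3" prefix is only an illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# define( 'NAME', value );  where value is true/false, a number, or a quoted string
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]([A-Z0-9_]+)['"]\s*,\s*(true|false|\d+|'[^']*'|"[^"]*")\s*\)\s*;""",
    re.IGNORECASE,
)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def parse_wp_config(source: str) -> Tuple[Dict[str, str], Optional[str]]:
    """Extract define() constants and $table_prefix from wp-config.php text.
    Commented-out lines are skipped, so a hardening line that was only
    pasted behind // is correctly reported as absent."""
    defines: Dict[str, str] = {}
    prefix: Optional[str] = None
    for line in source.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "/*", "*")):
            continue
        m = DEFINE_RE.search(line)
        if m:
            defines[m.group(1).upper()] = m.group(2).strip("'\"")
        m = PREFIX_RE.search(line)
        if m:
            prefix = m.group(1)
    return defines, prefix


def audit_wp_config(source: str) -> List[str]:
    """Return the hardening problems found; an empty list means both checks pass."""
    defines, prefix = parse_wp_config(source)
    findings: List[str] = []
    if defines.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not set to true: theme and plugin editors are enabled")
    if prefix is None:
        findings.append("$table_prefix not found")
    elif prefix == "wp_":
        findings.append("$table_prefix is the default 'wp_'")
    elif not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        findings.append("$table_prefix may contain only letters, numbers and underscores")
    elif not prefix.endswith("_"):
        findings.append("$table_prefix should end with an underscore")
    return findings


# Constructed sample configs (placeholder values, not real credentials).
DEFAULT_CONFIG = """<?php
define( 'DB_NAME', 'wp_site' );
define( 'DB_PASSWORD', 'not-a-real-password' );
$table_prefix = 'wp_';
// define( 'DISALLOW_FILE_EDIT', true );
/* That's all, stop editing! Happy blogging. */
"""

HARDENED_CONFIG = (
    DEFAULT_CONFIG
    .replace("$table_prefix = 'wp_';", "$table_prefix = 'wp_k7p3_';")
    .replace("// define( 'DISALLOW_FILE_EDIT', true );", "define( 'DISALLOW_FILE_EDIT', true );")
)

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_wp_config(cfg) or ["no findings"])
```

To check a live site, call audit_wp_config() on the contents of your real wp-config.php; the parser deliberately ignores anything inside comments, which is the most common way a "fix" ends up not applied.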
SSL Certificate Importance
SSL/TLS is crucial. Without it, everything between your visitors and your server travels in cleartext: login passwords, session cookies, customers' form data. The internet is a shared pipe, and anyone on the path, from a public Wi-Fi network to a compromised router, can read or alter that traffic. Install a certificate, serve the whole site over https://, and set both the WordPress Address and the Site Address in Settings→General to the https version so that logins and the dashboard are never served over plain HTTP.
Disadvantages of Free Plugins:
Who doesn't like freebies, in the real world or the digital one? We all love getting things for free, but free things come with a hidden price that we eventually pay. With free WordPress plugins, that price can be the data stored on your site or a vulnerability in the security of your site.
Every plugin you install, free or paid, adds code to your site and with it new attack surface; the particular risk with free plugins is that many are abandoned and never patched. If you keep updating plugins as soon as updates appear in the notification, you are on the right track. Most hacked sites turn out to have an old plugin that was not updated in time and a known flaw the attackers knew how to exploit. So update plugins as soon as new versions are available, and delete plugins you no longer use instead of leaving them installed but inactive.
Keeping many plugins on a site does not help you. There is usually more than one plugin for any task, and choosing between them is not easy. Check the reviews, and also the last-updated date, the "tested up to" WordPress version and the number of active installs on the plugin's page, to judge which one is well maintained and which can cover more than one task so that you need fewer of them.
If you are building a brand, I would strongly suggest premium plugins over freemium ones: they tend to ship security fixes faster, and the developers are available to help with any issue you face. Paid is not automatically safer, though; a well-maintained free plugin beats an abandoned paid one.
Did I miss something? If yes, then let me and others know about it in the Comments below. 🙂