You may have heard somebody's story about their WordPress website being hacked. It is not surprising: WordPress powers 26% of all websites in the world as of June 2016, which makes it an obvious target for attackers. WordPress itself is a reliable content management system for a website; how it is configured and used makes the tremendous difference.
The admin page is the most vulnerable page on your WordPress site. Make sure you spare 15 minutes today to protect it.
1. Hide WordPress login and admin name
After you have installed WordPress, the first thing you should do is hide your login name. Leaving the WordPress defaults untouched is going to cost you thousands. How easy is it to find out your username? It is as simple as appending /?author=1 to your website URL.
Usually, the first account created is the admin account. That is not always true, but it is a good starting point for attackers. With a little customization skill, hiding all usernames on your website is not difficult. Add this snippet to your child theme's functions.php.
2. Hide your login page and admin page
The next thing hackers do is find your login page. If you keep the default WordPress settings, they can reach the login page easily by adding /wp-admin or /login.php after your URL. Many plugins like WPS Hide Login let you rename your WordPress login links. This definitely helps to prevent hacking.
3. Remove specific error message in login page
When you enter a wrong password or an invalid username, you get an error message on the login page. The default setup tells you exactly what went wrong at login, which helps an attacker confirm a valid login name for your WordPress site. Therefore, make the error message generic so it does not leak that information. A plugin called Login LockDown can do this trick.
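Both leaks from tips 1 and 3 can also be closed directly in a child theme's functions.php. The code below is an added example written for this page, not the article's own snippet and not the Login LockDown plugin's code; it goes one step beyond the article by also hiding the REST API user routes, which list usernames too. It assumes a WordPress version with the REST API in core (4.7 or later).

```php
<?php
// Added example (not the article's snippet): close two username leaks from a
// child theme's functions.php.
// Tip 1: /?author=N is normally redirected by WordPress to /author/<username>/,
//        which hands the login name to anyone who asks.
// Tip 3: the default login error says whether the username or the password
//        was wrong, which confirms which accounts exist.

// Tip 1a: cancel the canonical redirect that turns ?author=N into the pretty
// author URL. Returning false from this filter stops the redirect.
add_filter( 'redirect_canonical', function ( $redirect_url ) {
    if ( is_author() ) {
        return false;
    }
    return $redirect_url;
} );

// Tip 1b: send every author-archive request to the home page. Priority 1 runs
// before WordPress's own canonical redirect (template_redirect, priority 10).
add_action( 'template_redirect', function () {
    if ( is_author() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

// Tip 1c (beyond the article): the REST API lists users at
// /wp-json/wp/v2/users. Remove those routes for visitors who are not logged
// in; logged-in editors keep them because the post editor needs them.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'] );
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// Tip 3: one generic message for every login failure, so a wrong username and
// a wrong password look identical to the person trying them.
add_filter( 'login_errors', function ( $error ) {
    return 'Invalid login credentials.';
} );
```

After adding it, request /?author=1 while logged out: you should land on the home page instead of an author archive, and a failed login should show only the generic message.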
4. Limit the number of login attempts
If your password is not too weak, hackers should not be able to crack your admin page in a few attempts. They will most probably write a script to guess your password. You can easily prevent this with the Login LockDown plugin as well. It restricts a user's access after they enter the wrong password more than the specified number of times. These settings are configurable in the admin panel.
5. Choose a weird username and a strong password
This tip is no secret at all, but it is mostly ignored by the public and even by IT experts.
Never use a username that is easily guessed by hackers, like admin, your name, your brand name, etc. Instead, think of a weird username that even you will forget.
SplashData has announced the worst passwords of 2015. The top three are:
- 123456
- Password
- 12345678
No more needs to be said. Bookmark our strong password generator and apply it to all your login credentials.
6. Choose a secure hosting service
Many clients look for a budget hosting provider. From a security point of view, this may not be the right choice. A hosting provider like WPEngine tests the core patches and releases upgrades promptly to reduce vulnerabilities. In the very worst case, where your site is hacked, they will fix it for free.