Security should be a constant concern for every website. No matter what precautions you take there is always room for improvement, because no protection is foolproof and attackers' bots probe sites around the clock, so you must stay vigilant. Your hosting, weak passwords, outdated versions of WordPress and dubious themes or plugins are all possible entry points for bots.
One way to make life harder for attackers is to harden the WordPress login page and administrator area. It is the front door of your website, and strengthening it stops most automated attacks at the door.
There are several measures you can take to protect it.
Change the default username
For years the default WordPress username was "admin", and every bot knows it. If the bot can also guess your password, you have effectively sent it an invitation. Change the username to something unique that cannot be guessed from the site itself: for the New York Football Club, for example, "NY Soccer" is not a suitable username.
Follow these simple steps to change the username:
- Log in to WordPress with your existing admin account.
- Go to Users > Add New and create a new user.
- Give the new user the Administrator role and choose a unique username: this account becomes the new administrator.
- Log out of the old "admin" account.
- Log in again with the new username.
- Delete the original "admin" user. When WordPress asks, reassign all of the old user's posts to the new user so that no content is lost.
You can also rename the user directly in the database through phpMyAdmin (the wp_users table). If you do, change user_nicename as well as user_login, otherwise the old name still appears in the author archive URL.
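The procedure above, scripted with WP-CLI, as an added example that is not code from the article or from WordPress. It assumes WP-CLI (`wp`) is installed and run from the site root; the account names and e-mail address in the usage comment are placeholders. It generates the new administrator's password locally instead of picking one by hand, refuses a username that is a default name or derived from the site title, and reassigns the old account's posts when deleting it. The last function is the phpMyAdmin route done from the command line and also changes the public slug and display name, which a rename of user_login alone would leave behind.

```shell
#!/bin/sh
# Added example, not part of the original article or of WordPress itself.
# Assumes WP-CLI ("wp") is installed and the script runs from the site root.

# Generate a random password of $1 characters from a mixed character set.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*_-' </dev/urandom | head -c "$1"
}

# Reject usernames that are default names or derived from the site title.
# $1 = candidate username, $2 = site title (e.g. from "wp option get blogname")
check_username() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -cd 'a-z0-9')
    site=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -cd 'a-z0-9')
    case "$name" in
        ''|admin|administrator|root|test|user|webmaster) return 1 ;;
    esac
    if [ -n "$site" ]; then
        case "$name" in *"$site"*) return 1 ;; esac   # "nysoccer" for "NY Soccer"
        case "$site" in *"$name"*) return 1 ;; esac   # "soccer" is part of "NY Soccer"
    fi
    return 0
}

# Replace administrator account $1 with a new account $2 (e-mail $3):
# create the new admin, delete the old one and reassign its posts to the new ID.
# Usage: rotate_admin admin k7_editor editor@example.com   (placeholder names)
rotate_admin() {
    old="$1"; new="$2"; email="$3"
    check_username "$new" "$(wp option get blogname)" ||
        { echo "refusing guessable username: $new" >&2; return 1; }
    pass=$(gen_password 24)
    # --user_pass is visible in the process list while the command runs;
    # acceptable on a single-admin box, otherwise set the password interactively.
    wp user create "$new" "$email" --role=administrator --user_pass="$pass" >/dev/null
    new_id=$(wp user get "$new" --field=ID)
    wp user delete "$old" --reassign="$new_id" --yes
    printf 'new administrator %s (ID %s); password: %s\n' "$new" "$new_id" "$pass"
    printf 'Store the password in a password manager, then clear your shell history.\n'
}

# The phpMyAdmin route from the command line: rename the login in place.
# user_nicename (author-archive slug) and display_name must change too, or
# /?author=1 and the post byline still reveal the old login name.
# $1 = old login, $2 = new login; letters, digits and _ only, because the
# value is interpolated into the SQL statement.
rename_admin_sql() {
    prefix=$(wp config get table_prefix)
    wp db query "UPDATE ${prefix}users
                 SET user_login='$2', user_nicename='$2', display_name='$2'
                 WHERE user_login='$1'"
    wp cache flush
}
```

Run `rotate_admin` first on a staging copy: the old account is deleted in the same step, so a typo in the new name is only recoverable through the reassigned posts and a database backup.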
Use a strong password
Changing the username is only half the battle; the password must be one that bots cannot guess. Birthdays, pet names and favourite athletes are all guessable. A brute-force attack is simply repeated, automated guessing of passwords by trial and error, and if the password is weak it will succeed. That is why strong passwords matter.
A strong password mixes upper- and lower-case letters, digits and one or two symbols such as "!" or "@", and above all it is long: length does more for strength than symbol variety. WordPress can generate a strong password for you, or you can use a standalone password generator. You can test a candidate with a tool such as How Secure Is My Password, and you should change the password periodically and at once if you suspect it has been exposed.
Hard to remember? Use a password manager such as LastPass, Dashlane, KeePass, 1Password or RoboForm. A password manager stores all your passwords in encrypted form and lets you use them from any device.
If you are still not convinced, SplashData's list of the worst passwords of 2015 may persuade you.
Restrict user access
If you are the only person with admin access, this does not apply to you. If several users can reach the backend, control their permissions strictly: give each user the lowest role that still lets them do their job, and nothing beyond it.
Those users should also be required to use strong passwords. You can enforce this with an enforce-strong-password plugin, which only lets users save a password that meets its strength rules. Alternatively, a login-security solution can check and enforce password strength without annoying legitimate users.
Limit login attempts
Bots get in by trying many username and password combinations, and they usually need a large number of attempts. Limiting how many attempts a single IP address may make greatly reduces their chance of success. It is not a complete defence on its own, because a botnet can spread its guesses across many addresses, so combine it with the other measures here.
Dedicated plugins handle this:
- Limit Login Attempts – limits the rate of login attempts per IP address. It is widely used, although it has not been updated for a long time.
- Brute Force Login Protection – uses .htaccess to protect your website from brute-force attacks.
- Jetpack Protect – protects your WordPress website from botnet attacks.
Some web hosts provide this feature built in. WP Engine, for example, added it to their platform in early 2015, alongside free SSL, two-factor authentication, automatic backups, multiple firewalls and malware scanning.
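What a limit-login plugin does underneath, as an added example that is not code from the article or from any of the plugins listed: a script that counts failed login POSTs per source IP in the web server's access log and turns the offenders into an Apache 2.4 deny rule. It assumes the "combined" log format and the WordPress behaviour that a failed login re-renders wp-login.php with status 200 while a successful one answers with a 302 redirect, so a 302 POST is a real login and not a failure. The log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the article or from any plugin listed above.
# Assumes the Apache/nginx "combined" log format. Failed WordPress logins
# return 200 (the form is shown again); successful ones redirect with 302.
# Constructed sample log, not real traffic:
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2016:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3950 "-" "python-requests/2.9"
203.0.113.7 - - [10/Mar/2016:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3950 "-" "python-requests/2.9"
203.0.113.7 - - [10/Mar/2016:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3950 "-" "python-requests/2.9"
203.0.113.7 - - [10/Mar/2016:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3950 "-" "python-requests/2.9"
203.0.113.7 - - [10/Mar/2016:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3950 "-" "python-requests/2.9"
203.0.113.7 - - [10/Mar/2016:14:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3950 "-" "python-requests/2.9"
198.51.100.4 - - [10/Mar/2016:14:05:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2870 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2016:14:05:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3950 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2016:14:05:52 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2016:14:06:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Read a log on stdin; print "IP count" of failed login POSTs, busiest first.
failed_logins_by_ip() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
         END { for (ip in n) printf "%s %d\n", ip, n[ip] }' | sort -k2,2nr
}

# Print the IPs whose failed attempts exceed $1. A plugin counts inside a
# sliding time window (e.g. 4 failures in 20 minutes); this whole-log count
# is the same logic without the window.
flag_bruteforce() {
    failed_logins_by_ip | awk -v limit="$1" '$2 > limit { print $1 }'
}

# Turn a list of IPs on stdin into an Apache 2.4 block that denies only them.
deny_rules() {
    printf '<RequireAll>\n    Require all granted\n'
    while read -r ip; do
        printf '    Require not ip %s\n' "$ip"
    done
    printf '</RequireAll>\n'
}

# Demo on the constructed log: more than 5 failed attempts gets an IP blocked.
printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 5 | deny_rules
```

On the sample, 203.0.113.7 has six failures and is blocked; 198.51.100.4 fails once and then logs in, and is left alone. Running the script from cron against the live log and writing the output into .htaccess is a crude but working equivalent of the plugins above, with the same weakness: an attacker that rotates through many addresses stays under any per-IP limit.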
Change your login URL
By default, the login URL of every WordPress site is the site's main URL followed by wp-login.php or wp-admin, e.g. mywebsite.com/wp-login.php. Attackers know this, so changing the URL makes automated attacks harder, although it is obscurity rather than a substitute for the measures above.
You can install the Protect WP-Admin plugin to change the URL of the admin panel and block the default one. Change it to anything you like, for example mywebsite.com/allow_admin_access. Requests for mywebsite.com/wp-login.php or mywebsite.com/wp-admin are then redirected to the home page, and only the custom URL reaches the admin panel.
A far more robust option is to block access to wp-admin and wp-login.php for everyone except your own IP address. Only use it if you connect from an address that does not change; otherwise you risk locking yourself out of your own site. If you can list every address you connect from, you can allow each of them and still use this option.
You can also put HTTP basic authentication in front of wp-login.php: an extra layer, handled by the web server, that users must pass before they even reach the login form. You create an .htpasswd file listing the authorised usernames and their hashed passwords. Brute-force attacks can target basic authentication too, but the attacker now has two independent credentials to crack, and failed basic-auth attempts are rejected by the web server before WordPress runs at all.
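The two server-side restrictions above, as an added example that is not code from the article or from any plugin: shell functions that emit the .htaccess fragments for an IP allow-list on wp-login.php and wp-admin, and for basic authentication in front of wp-login.php, plus one .htpasswd line. It assumes Apache 2.4 (`Require` syntax; Apache 2.2 used `Order`/`Allow`), that `AllowOverride` permits these directives, that `openssl` is installed, and example IPs and paths that you would replace with your own.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes Apache 2.4 "Require"
# syntax and that .htaccess overrides are enabled for the site.

# .htaccess fragment for the site root: wp-login.php only from the given
# IPs/CIDRs; everyone else receives 403 before PHP is even started.
# Usage: login_ip_allowlist 203.0.113.7 198.51.100.0/24   (example addresses)
login_ip_allowlist() {
    printf '<Files "wp-login.php">\n    Require ip'
    for ip in "$@"; do printf ' %s' "$ip"; done
    printf '\n</Files>\n'
}

# Fragment for wp-admin/.htaccess. admin-ajax.php stays reachable because
# themes and plugins call it from the public site; blocking it breaks them.
admin_ip_allowlist() {
    printf 'Require ip'
    for ip in "$@"; do printf ' %s' "$ip"; done
    printf '\n<Files "admin-ajax.php">\n    Require all granted\n</Files>\n'
}

# Basic auth in front of wp-login.php. $1 = absolute path of the .htpasswd
# file, which must live outside the web root so it can never be downloaded.
login_basic_auth() {
    printf '<Files "wp-login.php">\n'
    printf '    AuthType Basic\n    AuthName "Restricted"\n'
    printf '    AuthUserFile %s\n    Require valid-user\n' "$1"
    printf '</Files>\n'
}

# One .htpasswd line "user:hash" in Apache's apr1 (MD5-based) format. The
# password is read from stdin so it never appears in the process list.
# Where the htpasswd tool is available, "htpasswd -B" (bcrypt) is stronger.
# Usage: printf '%s\n' "$password" | htpasswd_line alice
htpasswd_line() {
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 -stdin)"
}
```

Put the first and third fragments in the site root's .htaccess and the second in wp-admin/.htaccess; a lockout from a changed IP is then fixed over SSH or the host's file manager by editing those two files, which is why the text above warns against the allow-list if your address changes.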
Add SSL to your website
SSL (today TLS) is a standard security technology. HTTP is the hypertext transfer protocol used to move data between the server and the browser; HTTPS is its secure version, the "S" standing for secure. With a certificate, HTTPS verifies the identity of the website to the user and protects the confidentiality and integrity of everything exchanged between the site and the browser.
Once SSL/HTTPS is set up, traffic between the server and the user's browser is encrypted so that only those two endpoints can read it; to any eavesdropper it is a meaningless string of bytes. As a bonus, Google uses HTTPS as a ranking signal.
Obtaining a certificate may no longer be optional, especially for Chrome users, because Google is moving to mark all non-HTTPS sites as "Not secure".
Today, non-HTTPS sites show a neutral indicator, but that changes in January 2017: any site that asks for passwords or collects credit-card details must be served over HTTPS or risk being labelled "Not secure" by Chrome.
Many companies such as Comodo, DigiCert and SSL.com sell certificates. You need not pay much: SSLMate is inexpensive and Let's Encrypt is free, and some hosting providers include free SSL in their plans. You can read more about installing SSL in our HTTPS and free SSL guide.
Two-factor authentication
Two-factor authentication is one of the most effective ways to protect your website. It works on top of your existing username and password: after entering them, you must also enter a code generated on a device you own (usually a smartphone). Without that code there is no access, so a guessed or stolen password alone is no longer enough.
Many free and premium plugins add it to your site. The technique has existed for a long time, but it is increasingly used for website logins. You can read more about two-factor authentication in our previous post.
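How the code on the phone is produced, and how the site can check it, as an added example that is not code from the article or from any 2FA plugin. It assumes the plugin uses the common TOTP scheme (RFC 6238: HMAC-SHA1 over a 30-second time counter, truncated to 6 digits) and that `openssl` is installed; the secret is given hex-encoded, whereas authenticator apps usually display it in base32. The test values are the published RFC 6238 vectors for the SHA-1 key "12345678901234567890".

```shell
#!/bin/sh
# Added example, not from the article or any plugin. TOTP per RFC 6238
# (HMAC-SHA1, 30 s step, 6 digits), implemented with openssl for the HMAC.

# Print the 8-byte big-endian time counter for Unix time $1 as printf
# octal escapes (e.g. \000\000\000\000\000\000\000\001 for counter 1).
totp_counter_bytes() {
    counter=$(( $1 / 30 ))
    i=7; out=""
    while [ "$i" -ge 0 ]; do
        out="$out$(printf '\\%03o' $(( (counter >> (8 * i)) & 255 )))"
        i=$(( i - 1 ))
    done
    printf '%s' "$out"
}

# 6-digit TOTP for hex-encoded secret $1 at Unix time $2.
totp() {
    mac=$(printf "$(totp_counter_bytes "$2")" |
          openssl dgst -sha1 -mac HMAC -macopt "hexkey:$1" | sed 's/.*= //')
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte
    # window; mask the sign bit and keep the last six decimal digits.
    offset=$(( 0x$(printf '%s' "$mac" | cut -c40) ))
    start=$(( 2 * offset + 1 ))
    chunk=$(printf '%s' "$mac" | cut -c"$start"-$(( start + 7 )))
    printf '%06d\n' $(( (0x$chunk & 0x7fffffff) % 1000000 ))
}

# Server-side check. Accepts the previous, current and next step so a phone
# whose clock is up to 30 s off still works; anything wider only helps attackers.
# $1 = hex secret, $2 = code the user typed, $3 = server's Unix time
totp_verify() {
    for skew in -30 0 30; do
        [ "$(totp "$1" $(( $3 + skew )))" = "$2" ] && return 0
    done
    return 1
}
```

Because the code is derived from a secret shared at enrolment and the current time, it is useless to an attacker who only has the password, and a code captured in transit expires within the step, which is the property the paragraph above relies on.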
Security plugins
Many websites install plugins that handle WordPress security comprehensively: firewall protection, malware scanning, IP blacklists and whitelists, user-activity monitoring, audit logs, and general hardening. Free and premium options are available.
Some plugins that include login protection:
- Wordfence – enforces strong passwords and blocks brute-force attacks.
- iThemes Security – fights automated attacks, limits login attempts and enforces stricter user credentials.
- All In One WP Security & Firewall – blocks brute-force attacks, allows IP-level blocking and locks out users after a set number of failed attempts. Other login-protection features include login lockdown and IP whitelists and blacklists.
- BulletProof Security – login and brute-force protection.
- McAfee Secure – multiple layers of protection, including a trust mark, malware scanning and identity protection for e-commerce stores (a big asset).
Most of the methods in this article are simple but very effective ways to reduce intrusions by bots, malware and pranksters. You can also add a CAPTCHA or similar challenge to check that a login attempt comes from a human rather than a bot. For more WordPress security tips, read Freddy's article.