Important information for your WordPress website security
Published: 1st May 2015 in News
WordPress is one of the most popular content management systems today and it has some great benefits. It is one of the CMSs we use for our web design clients and we know that a good number of our Green Hosting clients use it too. However, because it is so popular it attracts the unwanted attention of attackers who look for out-of-date installations and known vulnerabilities in order to gain access to your website's admin area.
This can cause serious problems, including:
- Attackers gaining access to your website, posting their own content or defacing your content.
- Heavy load on the website server as thousands of attempts to access your website log-in are made, resulting in your website being taken offline.
Five steps to protect your WordPress website
1. Update your WordPress installation and plugins.
This needs to be done first and foremost, before any of the items below. Always make sure you back up your website before starting the updates. Keep an eye out for new software releases and update your WordPress website each time one is published.
2. Change the 'admin' username
WordPress's default Administrator username on initial installation is 'admin'. If you haven't changed this, attackers can guess half of your log-in details straight away. Make sure none of your user profiles have the username 'admin'.
3. Limit login attempts
There is a very useful plugin that allows you to set the number of failed log-in attempts permitted before a user is blocked. If an attacker is trying to guess your username and password, their IP address will be blocked for the period you specify. The 'Limit Login Attempts' plugin can be installed and configured easily and was still working on WordPress 4.1.1 at the time of writing this article.
4. Rename the wp-login URL
A potential attacker would usually look for your log-in page at the default WordPress URL; moving it to a URL of your own choosing makes their job much harder.
The 'Rename wp-login.php' plugin allows you to change the standard log in URL from
www.yourwordpresswebsite/wp-login.php
to
www.yourwordpresswebsite/login-of-your-choice/
Again, this is easy to install and set up. Although the plugin is no longer maintained, it was still working on WordPress 4.1.1 at the time of writing this article.
5. Add a '403 Forbidden' to your .htaccess file
As an additional layer on top of the login rename above, you can add a small amount of code to your website's .htaccess file. If a hacker attempts to find your standard wp-login.php page they will run into a '403 Forbidden' rather than the '404 Page not found' on your website. Here's the code:
# Block direct requests to wp-login.php (requires Apache with .htaccess overrides enabled)
<FilesMatch "wp-login.php">
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
Deny from All
# Return a plain 403 message rather than the site's 404 page
ErrorDocument 403 "Forbidden"
</FilesMatch>
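To see what step 3 protects against on the server side, here is an added example (not part of the original post or of the 'Limit Login Attempts' plugin) that reads Apache access-log lines and flags IP addresses that hit the lockout rule of N failed log-ins within a time window. It assumes the constructed sample log below and the heuristic that a failed WordPress log-in re-renders the form with a 200 while a successful one redirects with a 302; the threshold of 4 failures in 20 minutes is a chosen value, not the plugin's own setting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [01/May/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [01/May/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [01/May/2015:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.2 - - [01/May/2015:10:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2870
198.51.100.2 - - [01/May/2015:10:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.9 - - [01/May/2015:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.9 - - [01/May/2015:10:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.9 - - [01/May/2015:11:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.9 - - [01/May/2015:11:50:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
"""


def failed_logins(log_text):
    """Yield (ip, timestamp) for each POST to wp-login.php that did not redirect.
    Heuristic (assumption): success answers 302 to wp-admin, failure re-renders with 200."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        if m["method"] == "POST" and m["path"].startswith("/wp-login.php") and m["status"] != "302":
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT)


def lockouts(log_text, max_failures=4, window=timedelta(minutes=20)):
    """Return {ip: time_of_lockout} for IPs reaching max_failures failures inside `window`.
    Failures older than the window are forgotten, so slow, spread-out attempts do not trigger."""
    recent = defaultdict(list)
    locked = {}
    for ip, ts in failed_logins(log_text):
        if ip in locked:
            continue  # already locked; further attempts would be rejected
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= max_failures:
            locked[ip] = ts
    return locked


if __name__ == "__main__":
    for ip, when in lockouts(SAMPLE_LOG).items():
        print(f"lockout {ip} at {when.isoformat()}")
```

Running it against the sample locks out only 203.0.113.7; the four failures from 198.51.100.9 are 35 minutes apart and never accumulate inside the window, which is why a short window alone does not stop slow guessing and why steps 2 and 4 still matter.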
Please note: You should always back up your website before making changes such as these described above. These changes are suggestions only and we cannot be responsible for any problems with third party WordPress software, plugins or themes now or in the future. These changes shouldn't be attempted unless you understand their implications and have a good knowledge of WordPress.