WP Security essential part 2


6. Hide Your WordPress Version

Another good idea is to remove the generator meta tag that WordPress adds to your pages. This tag reveals which version of WordPress your site is running, and if it is visible, attackers can look up the known security weaknesses of that release. If you absolutely cannot update your WordPress version (tip #1), this is a good failsafe that at least hides the fact that you’re not on the most current version.

To do this, place the following code in the functions.php file of your active theme:

```php
remove_action( 'wp_head', 'wp_generator' );
```

You can go one step further and additionally remove it from RSS feeds using this:

```php
// Return an empty generator string so the version is not written into feeds either.
function wpt_remove_version() {
    return '';
}
add_filter( 'the_generator', 'wpt_remove_version' );
```

7. Update all the things

Every new release of WordPress contains patches and fixes that address real or potential vulnerabilities. If you don’t keep your website updated with the latest version of WordPress, you could be leaving yourself open to attacks.

Many hackers will intentionally target older versions of WordPress with known security issues, so keep an eye on your Dashboard notification area and don’t ignore those ‘Please update now’ messages.

Don’t ignore this! The same applies to themes and plugins. Make sure you update to the latest versions as they are released. If you keep everything up-to-date your site is much less likely to get hacked.

8. Strengthen up those passwords

According to this infographic, around 8% of hacked WordPress websites are down to weak passwords.

If your WordPress administrator password is anything like ‘letmein’, ‘abc123’, ‘admin’ or ‘password’ (all way more common than you might think!), you need to change it to something secure as soon as possible.

For a password that’s easy to remember but very hard to crack, I recommend coming up with a good password recipe.

If you’re feeling lazy, you can also use a password manager like LastPass to remember all your passwords for you. If you use this method, make sure your master password is nice and strong.

9. Never use “admin” as your username

Earlier this year, there was a spate of brute-force attacks launched at WordPress websites across the web, consisting of repeated login attempts using the username ‘admin’, combined with a bunch of common passwords.

If you use “admin” as your username, and your password isn’t strong enough (see #3), then your site is very vulnerable to a malicious attack. It’s strongly recommended that you change your username to something less obvious.

Until version 3.0, installing WordPress automatically created a user with “admin” as the username. This was updated in version 3.0 so you can now choose your own username. Many people still use “admin” as it’s become the standard, and it’s easy to remember. Some web hosts also use auto-install scripts that still set up an ‘admin’ username by default.

Fixing this is simply a case of creating a new administrator account for yourself using a different username, logging in as that new user and deleting the original “admin” account. If you have posts published by the “admin” account, when you delete it, you can assign all the existing posts to your new user account.

11. Hide your username from the author archive URL

Another way an attacker can potentially gain access to your username is via the author archive pages on your site.

By default, WordPress displays your username in the URL of your author archive page. For example, if your username is joebloggs, your author archive page would be something like http://yoursite.com/author/joebloggs

This is less than ideal, for the same reasons explained above for the “admin” username, so it’s a good idea to hide this by changing the user_nicename entry in your database, as described here.

10. Limit login attempts

When a hacker or a bot attempts a brute-force attack to crack your password, it is useful to limit the number of failed login attempts allowed from a single IP address. Limit Login Attempts does just that, allowing you to specify how many retries will be allowed and how long an IP will be locked out after too many failed login attempts. There are ways around this, as some attackers will use a large number of different IP addresses, but it’s still worth doing as an additional precaution. Hackers use brute-force attacks to try to gain access to your WordPress admin area, continually trying new random usernames and passwords.

One of the best ways to protect your website against this kind of attack is to install Login LockDown or Login Security Solution. These plugins allow you to limit the number of login attempts from a given IP range. Once a user has failed a defined number of times, they will be locked out of your website for a defined period of time. The default lockout period can be increased to a more significant period of time if you wish.

You can manually unban any legitimate users that have been locked out, so you need not worry about frustrating your staff. The great thing about these plugins is that they record the IP address of anyone who fails a login attempt. You can use this information to block those people from your website indefinitely using the .htaccess technique I discussed earlier.
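As an added example (not code from the original post or from any of the plugins named above), here is a minimal per-IP lockout for failed logins built only on WordPress’s own hooks and transients, which also logs each lockout so the IP can be reviewed or added to .htaccess; the wpsec_ names and the thresholds are assumptions:

```php
<?php
// Added example: per-IP lockout after repeated failed logins, using WordPress transients.
// Drop into your active theme's functions.php or a small plugin. Thresholds are assumptions.
define( 'WPSEC_MAX_FAILS', 5 );         // failed attempts allowed before lockout
define( 'WPSEC_LOCKOUT_SECONDS', 900 ); // lockout window: 15 minutes

function wpsec_client_ip() {
    // Assumes no reverse proxy; behind one, read the proxy's trusted header instead.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function wpsec_transient_key() {
    return 'wpsec_fails_' . md5( wpsec_client_ip() );
}

// Count each failed login; the counter expires after the lockout window.
// Note: attempts made while locked out also refresh the window.
function wpsec_record_failed_login( $username ) {
    $key   = wpsec_transient_key();
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, WPSEC_LOCKOUT_SECONDS );
    if ( $fails >= WPSEC_MAX_FAILS ) {
        // Record the offending IP so it can be blocked permanently if you wish.
        error_log( sprintf( 'wpsec: lockout for %s after %d failed logins (last username tried: %s)',
            wpsec_client_ip(), $fails, $username ) );
    }
}
add_action( 'wp_login_failed', 'wpsec_record_failed_login' );

// Refuse authentication while the IP is locked out. Priority 30 runs after
// WordPress's own username/password check, so a WP_Error here overrides success.
function wpsec_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( wpsec_transient_key() ) >= WPSEC_MAX_FAILS ) {
        return new WP_Error( 'wpsec_locked_out',
            __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'wpsec_check_lockout', 30, 3 );

// Clear the counter on a successful login so legitimate users are not penalised.
function wpsec_clear_on_success( $user_login, $user ) {
    delete_transient( wpsec_transient_key() );
}
add_action( 'wp_login', 'wpsec_clear_on_success', 10, 2 );
```

To unban a locked-out user by hand, delete the transient for their IP (for example with `delete_transient( 'wpsec_fails_' . md5( $ip ) )`); the lockout also expires on its own after WPSEC_LOCKOUT_SECONDS.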