Simply Best Ways to Secure WordPress Website and Blog Security -Vulnerabilities

wp-admin

---

---

---

As a Web Blogger We knows that Most of Websites and Blogs are running on One CMS That is “WordPress”. In this post we will discuss how we can protect own and Our Customers WordPress Websites and Blogs from online threads. Website and Blog is must Implemented like other Techniques we use for our Websites and Blogs.

---

Let’s Discuss the Best ways to Secure Our WordPress Website and Blog

---

Keep WordPress Up to Date

The latest of WordPress is most likely more secure than the last one, and has less vulnerabilities. So keep it up to date—it’s a one-click operation. Make sure you back up your site first!

WordPress updates rarely cause problems, but if you like to be careful, update it on a test server first. Or, if you’d just like WordPress to auto-update itself, apply the following code to your wp-config.php file:

#Enable all core updates, including minor and major:

define ( ‘WP_AUTO_UPDATE_CORE’, true )

---

Limit Login Attempts

By default, WordPress allows you unlimited login attempts. This can be highly dangerous if the hacker attempts to guess your password or has a script for this purpose. To protect your site from these brute-force attacks, it is essential to limit login attempts from a user along with having a strong username and password.

The WordPress plugin Limit Login Attempt makes these brute-force attacks almost impossible by setting a limit to login attempts.

---

Change the Database Prefix

A lot of the basic setup stuff for WordPress is the same across lots of sites… especially if you use a one-step install wizard through your webhost. This is super convenient, but lots of common setup values like, your database prefix(es), are known to hackers as a result. If you don’t change the database prefix, the table names of your site’s database are easily known to the person who trying to hack your site.

Secure wp-config.php

Lock down wp-config.php—it’s one single location that contains a wealth of critical data regarding your database, username, and password. Only you should have access.

To deny access to this file, you should add the code below at the top of the .htaccess file:

Simply Adding this code to .htaccess file.
<files wp-config.php>
order allow,deny
deny from all
</files>

Adding this to wp-config.php disallow file editing-
define(‘DISALLOW_FILE_EDIT’, true);

---

Use Two-Factor Authentication

Two-factor authentication is one of the strongest ways to keep your login safe, as it makes brute force attacks much more difficult to pull off.

There are a number of plugins that provide this service; We recommend this free plugin:https://wordpress.org/plugins/two-factor-authentication/

---

Protect Your .htaccess File

We can protect our wp-config.php file as mentioned above, but what about protecting the .htaccess file itself? Don’t worry, we can use the same .htaccess file to protect itself from being preyed upon. You just need to place below code in your .htaccess file.

<Files .htaccess>
order allow,deny
deny from all
</Files>

---

Hide the WordPress Version Number

Some versions of WordPress have known vulnerabilities. Someone familiar with those vulnerabilities can discover which version you’re using because it’s shown in the HTML head of every page.

This meta shows the version of your WordPress site. If you have enabled the WordPress version, then hackers will know the security lacking of your website. If you absolutely can not update your WordPress version (tip #1), this is a good failsafe to at least hide the fact that you’re not on the most current version.

Remove that information by adding the following line to your theme’s functions.php file:

remove_action('wp_head', 'wp_generator');

---

Limit Login Attempts

Give hackers less opportunity to guess your password, and protect your site from brute-force attacks, by limiting the number of login attempts that are possible. This will automatically block the login screen after a configurable number of tries, and informs the administrator by email.

You can limit login attempts by using one of these plugins:

• WP Limit Login Attempts
• Login Lockdown

---

Install WordPress Security Scan Plugin

This is a good plugin which scans your WordPress installation and give the suggestion accordingly. This plugin will check for below things:

• Passwords
• File Permissions
• Database Security
• WordPress Admin protection

Download the plugin from here.

---

Use email as login

By default, you have to input your username to log in. Using an email ID instead of a username is a more secure approach. The reasons are quite obvious. Usernames are easy to predict, while email IDs are not. Also, any WordPress user account is always created with a unique email address, making it a valid identifier for logging in.

The WP Email Login plugin works out of the box for this purpose. It starts working right after the activation and it requires no configuration at all.

To test it, just log out of your website and then log back in, but this time use the email address that you created the account with.

---

Limit The Number of Failed Login Attempts

This nice plugin can limit the number failed login attempts; Useful in case of someone is trying to guess your password manually or using a robot.

You can download plugin from here.

---

Use SSL to encrypt data

Enable SSL to secure your WordPress site. A Secure Sockets Layer encrypts all information sent to and from your site, keeping it private and preventing man-in-the-middle attacks where a third party listens in or modifies the communication between the client and the server. As a bonus it can also boost your Google PageRank.

Implementing an SSL (Secure Socket Layer) certificate is one smart move to secure the admin panel. SSL ensures secure data transfer between user browsers and the server, making it difficult for hackers to breach the connection or spoof your info.

The address of an SSL-certified site will start with an HTTPS, while a site that’s not SSL certified will begin with HTTP. It’s best to activate HTTPS before installing WordPress, but it’s possible to update your WordPress settings if you add it later.

Getting an SSL certificate for your WordPress website is not an issue. You can purchase one from some dedicated companies or alternatively ask your hosting firm to hook you up with one (it’s often an option with their hosting packages).

Wordfence Security

• Details
• Reviews
• Installation
• Support
• Development

---

Securing /wp-content Directory

order deny,allow
deny from all
<files ~ “.(xml|css|jpe?g|png|gif|js)$”>
allow from all
</files>

Securing wp-includes

By block those scripts using mod_rewrite in the .htaccess file
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ – [F,L] RewriteRule !^wp-includes/ – [S=3] RewriteRule ^wp-includes/[^/]+\.php$ – [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L] RewriteRule ^wp-includes/theme-compat/ – [F,L] </IfModule>
# BEGIN WordPress

NOTE- Code should not been overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file, as wordpress can overwrite anything between these tags.

Remove Error Message on the Login Page

Add this in functions.php
function no_wordpress_errors()
{
return ‘Something is wrong!’;
}
add_filter( ‘login_errors’, ‘no_wordpress_errors’ );

Turn Off PHP Error Reporting

Add the following lines to wp-config.php
error_reporting(0);
@ini_set(‘display_errors’, 0);

Disable WordPress XML-RPC

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>

Hide Author Usernames

add_action(‘template_redirect’, ‘bwp_template_redirect’);
function bwp_template_redirect()
{
if (is_author())
{
wp_redirect( home_url() ); exit;
}
}

Hide wp-config.php and .htaccess

<Files wp-config.php>
order allow,deny
deny from all
</Files>

<Files .htaccess>
order allow,deny
deny from all
</Files>

Disable directory Listing and Browsing with .htaccess

Just add following in .htaccess
Options All -Indexes
Options -Indexes

Disable PHP Execution in WordPress Directories

<Files *.php>
deny from all
</Files>

Disable Image Hotlinking in WordPress Using .htaccess

#disable hotlinking of images with forbidden or custom image option
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yoursite.com [NC] RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC] RewriteCond %{HTTP_REFERER}!^http(s)?://(www\.)?feeds2.feedburner.com/yoursitename [NC] RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]

Protect .htaccess From Unauthorized Access

<files ~ “^.*\.([Hh][Tt][Aa])”>
order allow,deny
deny from all
satisfy all
</files>

Protect Your WordPress Admin Area

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “WordPress Admin Access Control”
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist Syed’s IP address
allow from xx.xx.xx.xxx
# whitelist David’s IP address
allow from xx.xx.xx.xxx
# whitelist Amanda’s IP address
allow from xx.xx.xx.xxx
# whitelist Muhammad’s IP address
allow from xx.xx.xx.xxx
# whitelist Work IP address
allow from xx.xx.xx.xxx
</LIMIT>

Ban Suspicious IP Addresses

Want to block an IP address from accessing your website.

<Limit GET POST>
order allow,deny
deny from xxx.xxx.xx.x
allow from all
</Limit>

---

Two-Factor Authentication: What Is It and Why You Should Use It

---