Because getting hacked can cost a lot of time and money, a Secure WordPress Site is crucial! Here at The White Trash Web Developer, we believe too many plugins is a bad thing, because all too often a malfunctioning plugin can crash a site.
After testing the security plugins WordPress had to offer, I concluded there were two good ones. When I say good, I mean up until they broke my WordPress install!
iThemes & Wordfence
So the two that I discovered with the most features were iThemes and Wordfence. They both had features that I liked, and it’s ironic because each one’s best feature the other didn’t have. I personally don’t use either of them anymore because I encountered several critical problems. If you do use either of these, don’t install both! If you insist on trying one out, that’s fine, but not simultaneously, because your site will be a ticking time bomb as to when it breaks.
Wordfence offers real-time tracking, which includes a risk level for inbound traffic based on its activity. So if someone connected and was obviously up to no good, there is a good chance Wordfence would catch it. However, at the time I was using it, it did not provide a feature to relocate the login URL.
When this plugin broke, no matter what I did I couldn’t log into my WordPress admin. The site was completely destroyed! As a result, I had to reinstall my entire site from the most recent backup!
So iThemes’ main selling point was the custom URL for the wp-admin login. However, it didn’t have the ability to observe visitors in real time like Wordfence.
Much like Wordfence, this plugin broke within the first month of using it! Unlike Wordfence, it didn’t break to the point that I was unable to recover my site. So I don’t know if that’s a selling point, but I’m certainly not trying to market either one lol!😂
Step One: Stop Directory Browsing!
Because of horrible experiences with too many plugins, I personally go with neither of the plugins listed above. However, just because we aren’t using them doesn’t mean we won’t plug up the holes that are left open! Although OWASP only considers directory browsing a medium risk, it is nonetheless potentially very dangerous!
The very first thing attackers do is conduct information gathering, so we’ll make sure that, as far as the admin username goes, they come up empty-handed. Directory browsing lets an attacker see the contents of directories, so files that were never intended to be visible can be seen.
Fixing this is ridiculously simple. All you have to do is access your website’s files, either through your web host’s cPanel or in an FTP session. The file you’re looking for is hidden, so make sure “show hidden files” is an option you have enabled or it will not be visible. The file is called .htaccess, and all you need to do is add this to the bottom:
Below is an example of how the htaccess file may look on a fresh install of WordPress. Once you have stopped directory browsing, we’re well on our way to having a Secure WordPress Site!
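As an added example (not taken from the original post), here is the rewrite block a fresh WordPress install writes to .htaccess, with the directive that disables directory listing placed after it. The directive goes outside the BEGIN/END markers because WordPress rewrites everything between them whenever permalinks are saved.

```apache
# BEGIN WordPress
# This block is generated by WordPress itself; anything between the
# BEGIN/END markers may be overwritten when permalink settings change.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# Added: stop Apache from generating "Index of /..." listings for any
# directory (for example wp-content/uploads) that has no index file.
Options -Indexes
```

If your host has not granted `AllowOverride Options` for your site, Apache answers every request with a 500 error after this line is added, so test a page immediately and remove the line if that happens. To confirm it worked, request a directory such as /wp-content/uploads/ in a browser: a 403 Forbidden means listings are off, a page titled “Index of” means they are still on.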
If you haven’t already utilized my Free SSL With Cloudflare Tutorial, it’s worth it. Not only does Cloudflare provide SSL, it’s a CDN/proxy as well. So not only will you get site-wide SSL encryption, your domain will load much faster too!
Even if you choose not to use Cloudflare, free SSL certificates can be obtained by other options. For example,
Let’s Encrypt provides you with a free one if you have access to your server’s Apache install folder.
So why exactly do we even need encryption? Because without it there are many vulnerabilities, such as XSS (Cross Site Scripting), where an attacker can intercept credentials! With SSL, we ensure our users’ credentials are not intercepted by a third party!
A Secure WordPress Site doesn’t Use Guessable Credentials!
No Admin Usernames Allowed Buddy!
Under no circumstances should you make your administrator username “admin,” because that’s one of the dumbest things you can do! Ideally you want there to be 3-4 layers of protection for your site. If an attacker is able to figure out your administrator’s username, they are one step closer to hacking your site.
Because we’re not going to allow that to happen, in addition to a random username, we want our password to be strong: 16 characters at least. By using a password generator, you substantially decrease the likelihood of using one that’s on an attacker’s wordlist.
Just be sure you have it stored somewhere secure, a document in your cloud storage for example, because it’s a guarantee you’ll forget a generated 16-character password lol!
Fill WordPress Vulnerability Hole
To ensure hackers don’t get your username, we have to create a secondary user to fix a loophole in post titles. (WordPress might get around to it someday lol!) As you can see in the image below, all an attacker needs to do is hover the mouse over the author name. We can fix this quite easily by creating an editor account.
In wp-admin, navigate to Users. Make a user with only editor permissions. Then go to all your posts and pages and use the Quick Edit option. Change the author of every page and post on your WordPress site so the administrator’s author page isn’t shown. Because we are now hiding our username, brute forcers will have to get through two layers of security, not just one!
Secure WordPress Site By Changing Admin Login URL.
I originally attempted to do this without a plugin, then concluded that I would need to make a plugin to stop the auto redirection!😂 So Move Login by Grégory Viguier will suit our needs rather nicely. This simple but effective plugin will change the admin login URL to one of our choosing. This creates our 3rd defensive layer, so our Secure WordPress Site will be ridiculously difficult to hack!
After completing this tutorial, your WordPress blog is now solid steel in comparison to most! If you have any feedback or questions, please leave a comment. I’d love to hear from you!