Tips to increase WordPress security

55211 - Emergenceingame
If you are running a WordPress-powered site, security should be a top concern. In most cases, WordPress blogs can be attacked by hackers because their core files and/or plugins are outdated. So how do you keep your blog safe from attackers?

For WordPress blog beginners, make sure that you are always up to date with the latest version. Besides that, refer to the tips below to enhance the security of your WordPress site.

1. Change the default “wp_” prefix

Your website can be threatened by some vulnerabilities (e.g. SQL injection) if you are using the predictable wp_ prefix for the database tables. You can change the default wp_ prefix for added security.

2. Hide login error message

Login error messages can tell hackers whether they have entered a correct or an incorrect username. It is wise to hide these messages from unauthorized login attempts.

To hide the login error message, simply put the following code in functions.php:

3. Protect the wp-admin folder

Keeping the “wp-admin” folder protected adds an extra layer of protection. Anyone who tries to access files or folders under “wp-admin” will be prompted to log in. Protecting your “wp-admin” folder with a login and password can be done in several ways:
– WordPress Plugins: Use WordPress HTTP Auth.
– cPanel: If your hosting supports cPanel admin login, you can easily set up protection on any folder through cPanel's Password Protect Directories graphical interface.
– .htaccess + htpasswd: Password-protect the folders you want by placing an .htaccess file in each of them that points to an .htpasswd credential file.
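
One way to set up the .htaccess + htpasswd option, as an added example that is not from the original article. It assumes Apache 2.4; the credential file path, user name and realm text are placeholders.

```apache
# File: wp-admin/.htaccess   (added example, Apache 2.4 syntax)
#
# Create the credential file outside the web root first, for example:
#   htpasswd -c /home/example/.htpasswd siteadmin
# (path and user name are placeholders; -c creates the file)
#
# Basic authentication sends the password with every request,
# so use it only on a site served over HTTPS.
AuthType Basic
AuthName "Restricted area"
AuthUserFile /home/example/.htpasswd
Require valid-user

# Some themes and plugins call admin-ajax.php on behalf of anonymous
# visitors. Exempt that single file so the public site keeps working
# while everything else under wp-admin asks for the extra password.
<Files "admin-ajax.php">
    Require all granted
</Files>
```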

4. Maintain backup

Keeping backups of your entire WordPress blog is just as important as keeping the site safe from hackers. If all security efforts fail, at least you still have backup files to restore. There are two types of backups: Full Backup and Incremental Backup.

A full backup includes everything in the site, such as files and databases. This method takes up more space than necessary and can cause spikes in CPU and disk usage while the backup runs. Therefore, you should not choose full backups if your website has limited resources.

On the other hand, an incremental backup saves everything only the first time, then adds just the items that change over time. There are several options for this type of backup in WordPress, such as VaultPress and WP Time Capsule, that require users to pay a sizable fee.

5. Prevent directory browsing

Another major WordPress security flaw is leaving folders and files exposed and publicly accessible. First, check whether your WordPress directories are well protected by entering the URL https://www.domain.com/wp-includes/ in the browser. If nothing is shown or you are redirected back to the homepage, your folder is safe. However, if you see a listing of the folder's contents instead, your site is not protected.

To prevent access to all folders, put this code in your .htaccess file:

If your site runs on nginx, you can add the following:

6. Keep WordPress Core files & plugins up to date

One of the most effective ways to keep your WordPress site secure is to make sure the files are always updated to the latest release. Now that WordPress has built-in automatic updates, you just need to make sure that you or your developer don’t disable it.

7. Choose a strong password

WordPress now shows a password strength indicator when you create a new account or update a password. It rates your password as strong or weak. You should choose a strong password, but the downside is that you may not remember its characters clearly. You can also use a password manager like 1Password or LastPass.

8. Remove admin

A typical installation of WordPress usually comes with a default user named “admin”. For security reasons, you should avoid using that admin account to access your WordPress blog.

A safer approach is to create a new administrator and remove the default “admin”. You can follow these steps:
– Log in to the WordPress dashboard.
– Go to Users -> Add New.
– Add a new user with the Administrator role and choose a strong password.
– Log out of WordPress, then log back in with your new admin account.
– Go to Users.
– Delete the “admin” account.

If you have ever used the “admin” account to post content, don’t forget to reassign all of those posts to the new user account.

9. Disable XMLRPC

XMLRPC in WordPress is a common attack point for hackers. You can disable it when the site does not require XMLRPC, or restrict the XMLRPC endpoint to certain IPs as needed, for example:

10. Add HTTP Security Header

Adding HTTP security headers is another way to add a layer of security to your website and helps mitigate cyber attacks. The headers instruct the browser to behave in the way they specify. For example, X-Frame-Options lets you control whether a web page can be embedded in an iframe. Other header types you can add include: X-XSS-Protection, Strict-Transport-Security, X-Content-Type-Options, Content-Security-Policy, and Referrer-Policy.
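
A root .htaccess covering tips 5, 9 and 10 together, added here as an example and not taken from the original article. It assumes Apache 2.4 with mod_headers enabled; the IP address is a placeholder and the header values are starting points to adjust.

```apache
# File: .htaccess in the WordPress root   (added example, Apache 2.4 syntax)

# Tip 5: never generate automatic directory listings.
# Needs "AllowOverride Options" (or All) in the server configuration.
Options -Indexes

# Tip 9: allow xmlrpc.php only from a trusted address.
# 203.0.113.10 is a documentation placeholder. If nothing on the site
# needs XML-RPC, replace the line with "Require all denied".
<Files "xmlrpc.php">
    Require ip 203.0.113.10
</Files>

# Tip 10: security response headers.
<IfModule mod_headers.c>
    # Only pages from this origin may embed the site in a frame.
    Header always set X-Frame-Options "SAMEORIGIN"
    # Stop browsers from guessing a content type other than the declared one.
    Header always set X-Content-Type-Options "nosniff"
    # Send only the origin, not the full URL, when linking to other sites.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Tell browsers to use HTTPS for a year. Enable only once every page
    # and subdomain works over HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # Conservative starting policy. Try stricter rules with the
    # Content-Security-Policy-Report-Only header before enforcing them.
    Header always set Content-Security-Policy "frame-ancestors 'self'; object-src 'none'; base-uri 'self'"
    # X-XSS-Protection is left out: current Chrome, Edge and Firefox do not
    # implement the filter it controls.
</IfModule>
```

After uploading the file, request /wp-includes/ and any page of the site and inspect the response status and headers to confirm the rules are active.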

In addition to the above methods, you can also use WPVulnDB to identify vulnerabilities in your website’s security. WPVulnDB checks WordPress core and plugins, showing the type of each vulnerability, which versions are affected, and whether it has been fixed.

https://thuthuat.taimienphi.vn/meo-tang-cuong-bao-mat-wordpress-55211n.aspx