9 proven tricks to protect your WordPress site from attacks (2016 update)
WordPress is one of the most popular CMS solutions available today. As such, it is being used by a very large number of websites on our network.
However, its popularity among users also means that it’s extremely popular amongst hackers as well.
Here are 9 proven tricks to protect your WordPress site from attacks:
1. Choose a strong password
This is valid not only for WordPress, but for any online service where you have to log in. Choose a long password that has both lowercase and uppercase letters, numbers and, if allowed, special symbols. WordPress has a built-in password strength meter when setting up a new password and here is a guide on how to create strong passwords.
2. Create custom login URLs
During every WordPress installation, the same default login URLs are created. This makes it easier for attackers to locate them and launch a brute-force attack to gain access. You can thwart them by using custom login URLs. You can build your own login page by following this guide or you can use the ready-made Custom Login URL.
3. Change the ‘admin’ username
During the installation, WordPress sets up an ‘admin’ username by default. If someone wants to access your WordPress site and your username is still the default one, the attacker’s job is already half done.
To fix that, once you have installed WordPress, create a new user with admin privileges. Then, log out of your current session and log in with the new username and password you have set up. Then, delete the default user. If you have created any posts, make the new user their owner.
4. Limit the login attempts
A brute-force attack involves a script attempting to log into your account by using numerous username/password combinations. A very simple way to stop such attacks is to limit the number of login attempts. You can use the WP Limit Login Attempts plugin.
If your site is hosted with us, you are already protected by the mod_security Apache module we have. It blocks users who make more than 10 login attempts within 1 minute and is enabled by default.
5. Limit the access to the admin area by IP address
If you are the only person who needs to log into your admin area and if you have a static IP address, you can deny access to everyone except yourself to the wp-admin folder using an .htaccess file.
Create a file called ‘.htaccess’ using a plain text editor or simply edit the existing one (if any) and add:
# Block access to wp-admin.
order deny,allow
allow from x.x.x.x
deny from all
Here, ‘x.x.x.x’ is your IP address. You can add multiple IP addresses by adding the line ‘allow from x.x.x.x’ in accordance with the number of IPs you wish to whitelist.
6. Limit the access to the admin area by IP address
You can also limit the access to the wp-login.php file via an .htaccess file.
Create a file called ‘.htaccess’ or simply edit the existing one (if any) in the /wp-admin folder and add:
<Files wp-login.php>
Order allow,deny
Allow from x.x.x.x
Deny from all
</Files>
Here, ‘x.x.x.x’ is your IP address. You can add multiple IP addresses by adding the line ‘allow from x.x.x.x’ in accordance with the number of IPs you wish to whitelist.
7. Hide the admin area from bots
Add the following lines in the robots.txt file or create a file named ‘robots.txt’ with the following content:
User-agent: *
Disallow: /wp-admin
Disallow: /wp-login.php
Disallow: /administrator
This will essentially block search engines from indexing these URLs, as brute-force attackers generate lists of such URLs (intitle: Log In and inurl: wp-login) namely with the help of the major search engines.
This is a long-term prevention method, as it will take a few months for the search engines to update this information, but it should make brute-force attempts disappear for good.
8. Protect yourself from spam comments
On a different note, if you are receiving a large number of spam comments on your WordPress site, you can disable the comment option by doing the following:
Go to yoursite.com/wp-admin/options-discussion.php and uncheck ‘Allow people to post comments on new articles’.
You WILL need to go to all the existing posts and to turn off the comments there as well.
If you still want people to be able to comment, you might consider making them register first. In that case, check the box ‘Users must be registered and logged in to comment instead’.
9. Keep WordPress and your plugins up to date
This may sound trivial, but there are a lot of users who simply forget to update. Each new update brings security improvements and is considerably more secure than the previous one. And WordPress is under very active development, so security patches are released frequently. You can use the WP Updates Notifier plugin to notify you when there are available updates for your themes, plugins and the WordPress core.
Originally published Thursday, October 13th, 2016 at 2:23 pm, updated July 8, 2024 and is filed under Web Hosting Platform, Online Security.Tags: online security, wordpress hosting