Recently I have faced multiple cyber attacks on my server. My own website runs on WordPress (PHP, MySQL). Simple reason, so simple setup, and nothing to do with money transactions. Then I found a lot of my files had been corrupted with malicious code, and my MySQL database had been hacked.
I started an analysis and found that the main attack happened through brute-force login attempts. I am sure my password is strong enough: it is a combination of numbers, capital and small letters, special characters, etc. It looks like that didn't matter to the hackers.
After a little research, I found there are multiple ways to increase WP security. I discuss some of them below:
- HTTPS: HTTP over TLS (the successor of SSL). Use HTTPS on any page that has anything to do with login, signup, identity, money transactions, etc. Without it, the password typed into the login form and the session cookie WordPress sets afterwards cross the network in clear text, where anyone on the path can read them. Contact your hosting or domain provider to discuss this. Depending on the host it may cost something, but it is not too expensive and will save you a lot of hassle. Once a certificate is in place, WordPress can be told to require HTTPS for the login page and the dashboard with the FORCE_SSL_ADMIN setting in wp-config.php.
- FTPS: In the same way, use FTPS (or SFTP) to transfer files instead of plain FTP, which sends your username and password unencrypted. Contact your host provider for details. FileZilla supports both.
- Two Factor Authentication: I personally like Google Authenticator. Basically, it is an extra layer of security based on a time-based one-time password (TOTP). You log in with your own password and then have to enter a second code, which changes every 30 seconds and is computed from a secret shared between your phone and the site, so a stolen or guessed password alone is not enough. To generate the second code, install the Google Authenticator app on your mobile phone, or use a physical security key.
WordPress.com already offers this for sites hosted there. What I do: I have enabled WordPress.com login on my personal site. You can easily do that by installing and configuring Jetpack. It can remember your login on one computer for up to 30 days. So I am automatically covered by their two-factor authentication login. Also, my site has its own Google Authenticator.
- Security Scan: I am using the free version of iThemes Security to check for threats. It can email you a copy of your database. It detects file changes and network downtime, enforces strong passwords for users, etc. I am also using the free version of Wordfence for my other WP sites; it does more or less the same thing. If you are ready to pay, both of these plugins will back up your data and do more than the standard security checks.
- Limit The Number Of Login Attempts: If it is your website, you should remember your password; well, that is expected! So it is better to limit the number of login attempts: a brute-force run that could otherwise try thousands of passwords gets only a handful before the source is locked out. I use WP Limit Login Attempts. The free version has a default of 5 attempts; to unlock that setting you need to buy it. For me, the free one is doing fine.
- Login Page URL: site.com/wp-login.php (and the /wp-admin/ directory behind it) is known to any user or web developer. Everyone knows that page has the login form, so it is better to hide it.
I know the WPS Hide Login plugin. It doesn't move or change any files; it simply intercepts page requests. The wp-admin directory and the wp-login.php page become inaccessible, and you have to go to a particular URL to reach the admin panel. Read the description first before using it. Keep in mind that this is obscurity, not a lock: WordPress also accepts a username and password through xmlrpc.php, so hiding the login page does not stop password guessing by itself and should go together with attempt limits and two-factor authentication.
- Username: Please do not keep your admin username as "admin". Isn't it obvious? Change it to something else, but not your site name. If your site is "Dory's Cake Shop", DO NOT use "dory" or "cakeshop" as the username. Note also that WordPress reveals usernames through author archive URLs and the REST API, so a renamed account is harder to guess but not secret; the real protection still comes from the password, the attempt limit and two-factor login. Avoid these kinds of silly mistakes and your site will live longer.
- Update: A lot of people avoid this. Please update. If there is any bug or security hole, the update fixes it and protects you from recent threats. These days you can enable automatic updates from the settings, so you don't even have to think about it.
- Data Backup: In the end, data backup is always crucial. WordPress's Jetpack gives you the option to do it without labor, through a value-added service called VaultPress. They offer a 5-day trial. It backs up all your WordPress content with both daily and realtime sync, runs security scans and lets you know about threats and vulnerabilities. Pricing starts at $5 a month. Whatever service you pick, keep at least one copy somewhere the web server cannot write to (an attacker who owns the server can delete backups stored next to the site) and try a restore once, before you need it.
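To see what the brute-force login attempts described at the top of this post look like on the server, and what a plugin like the attempt limiter above is effectively counting, here is an added example (my code, not from the post or from any plugin) that scans web server access log lines and flags source addresses that cross a number of failed guesses inside a time window. The log lines, addresses, timestamps and the 5-attempt threshold (taken from the plugin default mentioned above) are constructed for the demo and are assumptions, not data from the author's server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (documentation address ranges, invented timestamps).
# 203.0.113.7 hammers the login form, 198.51.100.5 is one real login (302),
# 192.0.2.9 tries the XML-RPC endpoint a couple of times.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4360 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4360 "-" "Mozilla/5.0"
198.51.100.5 - - [12/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4360 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:06 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4360 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2024:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.9 - - [12/Mar/2024:10:00:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4360 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4360 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """One combined-format line to a record; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop ?redirect_to=... and similar
        "status": int(m["status"]),
    }


def is_password_guess(rec: dict) -> bool:
    """A POST that carried credentials to WordPress and did not log in.

    wp-login.php answers a correct password with a 302 redirect into wp-admin and
    re-renders the form (200) on failure. xmlrpc.php returns 200 either way, so
    every POST to it is counted: WordPress accepts credentials there even when
    the login page has been renamed or hidden.
    """
    if rec["method"] != "POST":
        return False
    if rec["path"] == "/wp-login.php":
        return rec["status"] == 200
    return rec["path"] == "/xmlrpc.php"


def find_bruteforce(lines: Iterable[str], threshold: int = 5,
                    window: timedelta = timedelta(minutes=5)) -> Dict[str, datetime]:
    """Sliding-window count of failed guesses per source address.
    Returns {ip: timestamp of the guess that reached `threshold` within `window`}."""
    recent = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for rec in filter(None, map(parse_line, lines)):
        if not is_password_guess(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # forget guesses older than the window
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached the limit at {when.isoformat()}")
```

Run against a real log with `find_bruteforce(open("access.log"))`; the same logic is what a limiter plugin applies live, except that a plugin can only see requests that reach PHP, while the access log also shows attempts the web server answered itself.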
There are more services like this. You just need to dig around the market.
Every plugin I have discussed here has alternatives. You don't have to use the ones I have mentioned; there may be better or worse options.
image credit: freepik.com