10 ways to secure wordpress websites
DESCRIPTION
Unfortunately website are liable to suffer from security risks and so any networks to which web servers are connected. Setting aside risks created by hackers or misuse of network resources, your web server and the site it hosts present you’re most serious sources of security risk. Website security plays an important role for anyone who has website presence. We have many following methods to secure the WordPress sites.TRANSCRIPT
10 Ways to Secure WordPress Websites
Unfortunately website are liable to suffer from security risks and so any networks to which web servers are connected. Setting aside risks created by hackers or misuse of network resources, your web server and the site it hosts present you’re most serious sources of security risk. Website security plays an important role for anyone who has website presence. We have many following methods to secure the WordPress sites.
Modify login errors
When you type wrong username or password, it will give very detailed error message telling you exactly whether your username is wrong or password. This is a great hint for hackers but fortunately we can disable the login errors by following code:
1234
function your custom error(){return 'Anything you will write here will become new error messages';}add_filter( 'login_errors', 'your custom error' )
Never use admin as a username
First don’t use admin as a username, if you have then make it as subscriber? Subscriber has less privileges i.e. can’t delete or add post and pages.
Enable 2-factor authentication
This is highly recommended. If someone gets hold of your WordPress login details, they will still need your mobile phone to get into your WordPress dashboard.
Unlike Dropbox or Google, 2-step authentication isn’t part of WordPress but you can always use the Authy plugin to enable 2-factor authentication.
Stop WordPress from guessing URLs
WordPress has habit of guessing URLs. If a user request macwill.in/con URL but if that page doesn’t exist, WordPress may redirect that user to macwill.in/contact because the URLs have some common words.
By following code you can stop WordPress to stop guessing URLs.
1234567
add_filter('redirect_canonical', 'stop_wordpress_guess_url');function stop_wordpress_guess_url($url) {if (is_404()) {return false;} return $url; }
Disable file editing when you logged in
WordPress has the strange functionality, that user who logged in can edit files. This becomes easy for hacker that, he can write malicious code in it and destroy your whole website. By following code you can stop editor from back end.
1 define('DISALLOW_FILE_MODS',true);
Not allow users to install plugins, themes or doing updates
Not allow a user to edit plugin/theme files will only provide one level of security. However, this does not prevent the hacker from adding a new plugin or theme. Once the Admin Panel is compromised, the hacker can also install a rogue theme or a rogue plugin. If you do not install plugins on a regular basis, we suggest, that you disable this option altogether. This can be done by using the option:
1 define('AUTOMATIC_UPDATER_DISABLED', true);
Limit the login attempts
Sometimes user tries to login in your account by commonly username and password, or uses script to break your password. Then you must limit your login attempts. Limit login attempts is a plugin in that if user tries wrong login details for more than specific time, then login process must be locked out for specific time and you will get email with client IP, then you can BAN that IP address.
Disallow wp-config file
In WordPress wp-config is sensitive file. It is a best practice that disallow wp-config from back end.
1234
<files wp-config.php> order allow,deny deny from all </files>
Securing with htaccess file
Apache uses ht access to prevent unauthorized access to certain parts of the site. Since wp-config.php should never be accessed directly by anybody, and since it contains the critical database details, we should block it from ht access file too. This can be done by adding the following lines to your htaccess file:
123
order allow,denyDeny from 192.168.1.1(you can use multiple IP) ordeny from all (Block all IP)
Change database prefix ($table_prefix)
The WordPress database consists of many tables to store posts, links, comments, users etc. Now these tables by default have standard names like wp_users, wp_options, wp_posts etc. Now a hacker knows that your user details are stored in the table wp_users, and will try and exploit this. We can however prevent the hacker from guessing the name of the table. To do this, while installing WordPress, we need to change the setting for $table_prefix. In your wp-config file there will be a line:
$table_prefix = ‘wp_';
You need to change it to something random like
$table_prefix = ‘macwill_';
This will cause the tables in the database to become macwill_users, macwill_posts etc, in turn making it harder for the hacker to guess.
To know more about Top Website Designing & Development Company in India i.e. Macwill just call at +91 81466-52452 or visit http://www.macwill.in/
Reference: http://blog.macwill.in/2015/05/ways-to-secure-wordpress-websites/