In my previous post we shown a comparison of security plugins. I am trying to post everything for DIY user of wordpress. So that you can learn wordpress security and you don’t need to hire a wordpress security expert and save your money. With that phase today we will discuss about 10 WordPress Security Tips for DIY users. So lets get started.
Top 10 WordPress Security Tips for DIY users:
- Change the Default “admin” username
- Disable File Editing
- Disable PHP File Execution
- Limit Login Attempts
- Change WordPress Database Prefix
- Password Protect WP-Admin and Login
- Disable Directory Indexing and Browsing
- Disable XML-RPC in WordPress
- Automatically log out Idle Users
- Add Security Questions to WordPress Login
Change the Default “admin” username
Once upon a time every webmaster used “admin” username for their dashboard. So it is easy to guess the username for a malicious hacker and harm your website. So, you need to change your default “admin” username. There is 3 ways to change WordPress Admin Username
- Manually change the default admin username in WordPress
- Via Plugin
- Using PHPmyAdmin
Manually change the default admin username in WordPress
This a very easy and effective method to change username in wordpress. To complete this method follow these steps:
- Log into your Dashboard. On the left-hand menu, hover to Users and choose Add New.
- Fill in all required information. You should give it a harder-to-remember username (that’s our purpose). In the Role drop-down menu, choose Administrator so that this new user has the right as an admin. Then hit Add New User.
- Hover to the top right of the page to log out.
- Now log in again to your Dashboard but by new user account.
- Choose to view All Users in Users section. Hover to the default admin and click on Delete.
- To save all the contents you have previously created with the old admin account, tick on Attribute all content to. And from the drop-down menu choose the new admin username.Finally, Confirm Deletion.
Disable File Editing in WordPress
WordPress has a default theme and plugin editor within it’s dashboard. If it is in wrong hand it could be dangerous. So you need to disable this feature of wordpress. To do this:
- Open up your wp-config.php file in a text editor.
- Anywhere above the line in that add the line
define( 'DISALLOW_FILE_EDIT', true );
- Save the file.Check your WordPress dashboard, you should no longer see (even on an Administrator account), the links at “Appearance > Editor” and “Plugins > Editor”.
Limit Login Attempts on WordPress
If you do not enable this your website can be hacked by brute force method. So you need to Limit Login Attempts on WordPress. There is several plugins what does this. You can find Best WordPress Security Plugins in this article.
Change WordPress Database Prefix
As you already know wordpress is a very secured and flexible content management system. Though you need a hard security for your website. So that no hacker can bypass your security. WordPress default table prefix is: “WP_” what is common. So you need to change this. There is two method for changing this:
- CHANGING THE DEFAULT DATABASE TABLE PREFIX BEFORE INSTALLING WORDPRESS
- CHANGING THE DEFAULT DATABASE TABLE PREFIX AFTER INSTALLING WORDPRESS
CHANGING THE DEFAULT DATABASE TABLE PREFIX BEFORE INSTALLING WORDPRESS
- Open your wp-config.php.
- find $table_prefix = ‘wp_’;.
- And replace the “wp_” with your own prefix. Such as: “wp1234_”.
- Hit save and continue to install
CHANGING THE DEFAULT DATABASE TABLE PREFIX AFTER INSTALLING WORDPRESS
Before you begin Create a backup of your wordpress website. Now proceed:
- Open your wp-config.php.
- find $table_prefix = ‘wp_’;.
- And replace the “wp_” with your own prefix. Such as: “wp1234_”.
- Hit save
- Open phpMyAdmin and select your desired Database.
- Now one way to do that is to rename each table manually.
- To make things faster, here’s a list of SQL commands that you can run to rename all 12 of the default WordPress tables:
RENAME table `wp_commentmeta` TO `wp_ a1b2c3d4_commentmeta`; RENAME table `wp_comments` TO `wp_ a1b2c3d4_comments`; RENAME table `wp_links` TO `wp_ a1b2c3d4_links`; RENAME table `wp_options` TO `wp_ a1b2c3d4_options`; RENAME table `wp_postmeta` TO `wp_ a1b2c3d4_postmeta`; RENAME table `wp_posts` TO `wp_ a1b2c3d4_posts`; RENAME table `wp_terms` TO `wp_ a1b2c3d4_terms`; RENAME table `wp_termmeta` TO `wp_ a1b2c3d4_termmeta`; RENAME table `wp_term_relationships` TO `wp_ a1b2c3d4_term_relationships`; RENAME table `wp_term_taxonomy` TO `wp_ a1b2c3d4_term_taxonomy`; RENAME table `wp_usermeta` TO `wp_ a1b2c3d4_usermeta`; RENAME table `wp_users` TO `wp_ a1b2c3d4_users`;
- MODIFY THE OPTIONS TABLE
SELECT * FROM `wp_ a1b2c3d4_options` WHERE `option_name` LIKE '%wp_%'
- MODIFY THE USERMETA TABLE
SELECT * FROM `wp_ a1b2c3d4_usermeta` WHERE `meta_key` LIKE ‘%wp_%’
This will change prefix of your website.
Password Protect Your WordPress Admin (wp-admin) Directory
This can be done in two methods. Such as:
- Direct From Cpanel
- Manually with help of .htaccess
Create A Password Protected Directory Directly From cPanel
- Login to your cpanel
- Navigate to security section
- Click on Directory Password.
- Type your password and save.
Create A Password Protected Directory Manually
- Login to cpanel or ftp
- Create a file with dot (.) such as: “.wpadmin”.
This will create file under /home/<username>/public_html/wp-admin/.wpadmin location.
- Go to
- Enter Username and Password
- You will see username and password combination like this:
- Now open .wpadmin and paste the username and password combination.
- Now create a .htaccess file in wp-admin directory. And paste these lines in the .htaccess:
Disable Directory Indexing and Browsing
Some WordPress folders like wp-content or wp-includes contain sensitive data. As you know, the wp-content folder contains your themes, plugins and media uploads. Anyone can simply surf through those media files and hackers can find potential exploits. So that's why you need to disable directory indexing and Browsing. To do this:
- Open your .htaccess and Paste the line:
Options All -Indexes
Disable XML-RPC in WordPress
The XMLRPC allows remote connection to WordPress. So you need the xml-rpc for your wordpress website for so many advance works. But if you don’t need this you need to disable this. This can be done using a plugin or manually using .htaccess. I am showing you the .htaccess method. Cause it is manual and it is effective. You can find so many plugins but you won’t find .htaccess method. To do this add these lines into your .htaccess:
# Block WordPress xmlrpc.php requests <Files xmlrpc.php> order deny,allow deny from all allow from 126.96.36.199 </Files>
Automatically log out Idle Users In WordPress
You need to log out automatically idle users. Otherwise malicious users can use session hijacking and hack your website. To do this you need to add a plugin idle users logout plugin or you can use any of the best wordpress security plugins.
Add Security Questions to WordPress Login
- Install a plugin WP Security Question .
- Navigate to Settings » Security Questions
- Type your security questions and done.
- Check your wp-login.php page
This was a very long post. With this post you will understand and learn a lot of things about wordpress security. This will help if you are newbie to wordpress security or if you are a DIY(Do It Yourself) user. If you are not DIY user you can simply use our contact us and message us if you need any wordpress maintenance service or wordpress security service.
If you are using WordPress you surely need for Security. WordPress Security is a vast area. In my Previous WordPress Security Post I have shown how to scan a WordPress website. Today I will provide you a review about WordPress security plugins. Like no one else. I will show you review with pros and cons. With detailed explanation how the plugins work. And much more.
Table of Contents
- Top WordPress Security Plugins
- Pros and Cons of Security Plugins
Top WordPress Security Plugins
In this section we will see top wordpress security plugins what is ruling in the market. There is a lot of security plugins. Most of them are not suitable or good for your website. People often claim about security plugin. Here is some list of WordPress Security Plugins what is good and reviewed by us:
WordFence is a one of the most popular WordPress security plugins. It continues checking your site for malware. It scans all the files of your WordPress core, theme and plugins. If it finds a malware then it will notify you. It is a free plugin.
Hide My WP is well known for hiding wordpress url. It has features of: Hide WordPress wp-admin URL, Hide WordPress wp-login.php, Hide plugins name, Hide themes name, Hide style IDs and META IDs, Hide author by ID URL, Hide WordPress common paths like: wp-content, wp-includes, /plugins, /themes,upgrade.php also it Adds Firewall against SQL/Script injection.
All in One WP security provides features like stopping brute force, USER ACCOUNTS SECURITY, USER REGISTRATION SECURITY, DATABASE SECURITY, FILE SYSTEM SECURITY, HTACCESS AND WP-CONFIG, PHP FILE BACKUP AND RESTORE, BLACKLIST FUNCTIONALITY, FIREWALL FUNCTIONALITY and much more.
Security Ninja has features of brute-force attack on user accounts to test password strength, numerous installation parameters tests, File permissions, version hiding, 0-day exploits tests, debug and auto-update modes tests, database configuration tests, Apache and PHP related tests, WP options tests.
Sucuri security is a sister concerns plugin from Sucuri. It actually uses sucuri database and checks about malware and some features like Security Activity Auditing, File Integrity Monitoring, Remote Malware Scanning, Blacklist Monitoring, Effective Security Hardening, Post-Hack Security Actions and Security Notifications.
|WordFence||Hide My WP||All In One WP Security||Security Ninja||Sucuri Security|
|Brute Force Attack||Yes||Yes||Yes||Yes||Yes|
This is the best comparison so far within the security plugin. I hope this helps you a lot to understand which security plugin is best. If you need any WordPress Security Service feel free to contact us.
Most of the wordpress security plugins are fraud. Yes! fraud, cause they doesn’t update you about the vulnerability. WordPress plugins only does ip blocking, wp-admin url changing, log checking and nothing. Seriously dude this is your wordpress site you earn money from it or you showcase your portfolio. So it is better that you know the ugly truth of wordpress security scan.
About 90% blog around internet provides the wrong information about security checkup of your wordpress site.
Most of the blogs checklist for wordpress security I collected from internet are:
- Password Checking.
- You cannot keep admin username.
- WordPress Salt checking.
- Theme’s malware.
- Plugin Malware.
- and nothing.
Check this things using a plugin and you are done. Most of the bloggers says that. There is nothing about exploits, zero days or any other ways.
A wordpress website security scan means what are the gateways or vulnerabilities or possible ways wordpress site can be hacked. Then checking if any possible malwares.
What are the methods for wordpress hacking:
- Theme’s exploit checking.
- Plugin’s exploit checking.
- Using WpScan to scan entire wordpress website.
- Using reverse IP to check server then symlink or server root.
Theme’s Exploit Checking: If you are using any popular theme like avada, bridge, newspaper etc etc. Then you can search exploit for your website in Exploit-DB or WpVulnDB. Trust me 90% of the popular theme is vulnerable or they keep their Remote code.
WpScan: If you are not using a popular theme or you are using a custom plugin then use WPScan to scan your wordpress website for vulnerability. Here is user guide for WPScan
Using reverse IP to check server then symlink or server root: This is total black hat hacking. For security reasons I won’t show you the methods for exploit but I will tell you the procedure. So that you can search on google and learn for those stuff. At first you need to know you server’s IP address then go to bing and use bing dork for finding SQL injection / LFI / RFI / Image Upload / File upload vulnerabilities inside of the server, then shell upload >> Server root or Symlink and Bang!
These are the methods for wordpress website hacking. So you have to check first if your wordpress site is hackable or not.
Now move on to the Malware Part.
In this section I will speak about how to scan if there is any existing malware or not. So to do that we may need third-party websites or manual checking. Below I am describing more
Manually Malware Checking
It is a hard method but it is effective. It is time consuming but you can ensure that you removed by yourself. For manual malware checking use this checklist:
- Check your .htaccess file.
- Check every JS files and look for encrypted JS or regex codes and remove those lines of codes.
- Check every PHP files and look for encrypted PHP codes and remove those malicious codes
This is so time consuming that’s why a lot of people uses tools.
Malware Checking By Automated Tools
Use these tools for scanning malware
These are the methods for malware scanning. If you seen this work is complex or hard you can check our WordPress Security Services
In serious word no one speaks straight forward like me. I usually show every methods. Whereas most of the people wants that you go and buy their services, though I want that too but I don’t want that I keep knowledge inside of myself I want to spread the knowledge. Thank You!