Working with popular content management systems can be a great way to manage, modify, and maintain your website. But with great popularity comes great responsibility in securing your WordPress installation from hackers who aim to exploit popular systems like WordPress. Let’s see how we can secure our server and protect ourselves from attackers.
Why do I need to secure WordPress?
The popularity of WordPress makes it a target for hackers. With millions of users around the world, attackers get the best bang for their buck by exploiting these widely used tools. A single exploit could allow a hacker to compromise hundreds or thousands of websites, which could mean your website is one of many affected.
The main ways WordPress gets hacked or compromised are easy-to-guess passwords and vulnerable themes, plugins, and outdated WordPress installations. Keeping usernames and passwords strong, and themes, plugins, and the core installation up to date with the latest fixes, goes a long way toward protecting your server from attackers.
Let’s see how we can update these things and make sure our WordPress installation is up to date.
Creating a secure username and password
Although you cannot change the username chosen when installing WordPress, we can create another administrative user whose username is not easily guessed, unlike “user” or “admin”, which may not have been given much thought during installation. Then we can set a secure password on the original administrator account so that it cannot be guessed.
Easy-to-guess usernames let attackers try common username and password combinations against your WordPress installation. With an obscure and unique username, even if your password is something simple like “password”, attackers still have to guess your complicated username to gain access.
With a username like “mywebsite123987@#$@!”, hackers will have a hard time compromising your server this way.
To create a new user, open your dashboard and go to Users.
Select Add New in the top navigation to create a new user.
Make sure to provide a unique, hard-to-guess username and a password of more than 12 characters that includes letters, numbers, and symbols.
Assign this user the Administrator role, then select Add New User.
Now we can go back to the Users page and select our original administrator account named user.
Generate a new password for the original user that will be impossible to guess. Now that we have a second administrator account, the original account named user can have a very long and complicated password, so that attackers cannot brute-force it by targeting such a common username.
Modifying the WP-Admin login URL
Another great way to keep your login pages secure is to change the default wp-admin login URL to something unique. That way attackers cannot automatically try to log in to your website via the default example.com/wp-admin/ URL and will have to guess your (securely named) login page to attack your website.
While this is not a feature WordPress supports natively, there are two ways to achieve it: using a plugin, or manually editing files to make the changes ourselves.
For this article, we’ll manually edit our files and do our best to avoid unnecessary plugins.
It is important to note that these changes are not tracked by WordPress updates and could cause issues in the future. To ensure smooth updates, keep a backup of all changed files and restore them before updating. Afterwards you can simply make the same changes again to restore your secure WordPress login URL.
To get started, you will need a good text editor like Notepad++, which has a powerful find-and-replace feature. Once we have that, let’s find the wp-login.php file in our WordPress root directory.
First of all, take a backup of this file in case we need to revert to the original login URL at some point. Once done, open wp-login.php in Notepad++ so that we can use the find-and-replace feature to secure our login page.
To open the find-and-replace dialog, go to Search in the top menu and choose Replace.
Once the dialog is open, enter wp-login in the Find what: field and the desired login URL in the Replace with: field. In this case, I chose custom_login as our new login page.
Select Replace All to replace every occurrence of wp-login.
Save your file and return to the WordPress root directory. It’s time to rename our wp-login.php file to custom_login.php.
Now, to test that our change worked, go to the wp-admin directory on your website. In my case, it is located at http://localhost/wordpress/wp-admin/. When loading this URL, you should find that it gives an error or a “Page Not Found” warning. This means that our login URL has changed and cannot be found by hackers using the default login URL!
Now let’s open the correct login page, in my case located at http://localhost/wordpress/custom_login.php.
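The same backup, replace-all, and rename steps as a shell script, with a matching restore step for the pre-update caveat above. This is an added example, not code from the article; the function names and the slug validation are my own choices.

```shell
#!/bin/sh
# Added example (not from the article): script the manual wp-login.php rename
# described above, with a matching restore step to run before core updates.
set -eu

# rename_wp_login WP_ROOT NEW_SLUG: back up wp-login.php, rewrite every
# "wp-login" reference to NEW_SLUG and rename the file to NEW_SLUG.php.
# Prints the new path on success; returns 1 without touching files on error.
rename_wp_login() {
  root=$1; slug=$2
  src="$root/wp-login.php"; dst="$root/$slug.php"
  # Restrict the slug so it is safe inside the sed expression and as a file name.
  case $slug in
    ''|*[!A-Za-z0-9_-]*) echo "slug may only contain letters, digits, _ and -" >&2; return 1 ;;
  esac
  [ -f "$src" ] || { echo "no wp-login.php in $root" >&2; return 1; }
  [ ! -e "$dst" ] || { echo "$dst already exists" >&2; return 1; }
  cp -p "$src" "$src.bak"                  # keep the original for restore_wp_login
  sed "s/wp-login/$slug/g" "$src" > "$dst" # same edit as Replace All in the editor
  rm "$src"
  echo "$dst"
}

# restore_wp_login WP_ROOT NEW_SLUG: put the stock wp-login.php back (run this
# before a WordPress core update, then rename again afterwards).
restore_wp_login() {
  root=$1; slug=$2
  [ -f "$root/wp-login.php.bak" ] || { echo "no wp-login.php.bak in $root" >&2; return 1; }
  mv "$root/wp-login.php.bak" "$root/wp-login.php"
  rm -f "$root/$slug.php"
}
```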
Congratulations! You changed your default login URL to a more secure, unique URL that will be harder for hackers to guess. This will prevent your login page from being brute-forced by programs specifically searching for the wp-login.php URL. One more step towards safety!
Keep WordPress plugins, themes, and core up to date
The most effective way to protect your WordPress installation is to keep WordPress themes, plugins, and core installation up to date.
Plugins and themes are often targeted by hackers as they tend to be developed by third-party developers with somewhat limited resources, as opposed to the WordPress organization, whose priority is the security and bug testing of plugins and official themes.
Themes and plugins are written however the developer chose to write them, and they often aren’t thoroughly tested for exploitable bugs. This can cause problems for users once an attacker finds a bug in theme files that may not have been updated for all users, and it can happen years later.
Plugins work the same way but can be used more widely by WordPress users, making plugins an ideal target for hackers. There have been many instances where plugins installed by millions of users are exploited, and all websites with the affected plugin can be compromised if they are not updated.
To manage WordPress updates, go to the Dashboard and open Home.
This page helps you manage core updates, theme updates, and plugin updates all in one central place. You will be notified of any outdated components and can update them here. You will only need FTP access with write permissions to the theme, plugin, or WordPress installation.
While WordPress often shows warnings on the main dashboard page for outdated files, check this WordPress updates page often and make sure your files are up to date. Updating outdated files is one of the most effective ways to prevent simple takeovers by attackers.
Minimize the use of installed plugins and themes
It can certainly be a challenge to keep themes and plugins up to date with the latest fixes, especially if you are using dozens or more themes and plugins. One of the easiest ways to minimize this risk is to limit the number of plugins and themes you use.
Each plugin or theme that is not installed removes a whole set of potential exploits and attack vectors for hackers. Moreover, uninstalling disabled plugins and themes prevents even unused tools from being exploited through serious bugs in the future.
Once you’ve decided not to use a plugin, remove it from your website entirely. Even old, disabled plugins have turned out to have serious bugs that were exploited in large-scale attacks.
While there seems to be a plugin for everything, even for some of the things we’ve done today, minimizing your use of plugins and theme installations will definitely help protect your website from easily exploitable bugs that hackers can find even years later. If possible, install only the default theme and the one you are using, and the fewest plugins needed to make your site work.
Remember that the more users have a plugin or theme installed, the more attractive a target it is for hackers looking for an exploit.
Back up for sanity and peace of mind
A final step in protecting against irrecoverable compromises is to keep secure backups. If a bug is announced in a plugin or in WordPress itself, you may be able to revert to a more secure installation or simply remove the affected files from the live website.
If the exploit is serious enough, you might want to have a fresh install of WordPress and just import your posts into the new secure installation.
While there are countless ways to back up your data, we’ll show you the most basic form of WordPress backup using the built-in export tool.
This tool is located at Tools > Export in the WordPress dashboard.
From there, you can manually export posts, pages, media files, or all content.
This will not save your theme or plugins in any way, nor any modified files like our custom_login.php page. However, in the event of a disaster, you will have secure backups of all your posts and pages to be easily imported to a new installation.
Other methods of backing up your files include exporting the entire SQL database. But once compromised, it’s hard to say exactly which files and data are at risk of harboring a long-term backdoor. If your WordPress installation has been compromised, it’s best to start over on a fresh installation with as few files as possible.
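One way to take the guesswork out of “which files changed” is to store a hash manifest of the WordPress tree next to each backup and diff the live tree against it after a suspected compromise. This is an added example, not code from the article; the function names and manifest format are my own, and it expects sha256sum or shasum to be available.

```shell
#!/bin/sh
# Added example (not from the article): record a sha256 manifest of a WordPress
# tree alongside your backup, then diff the live tree against it to list exactly
# which files were modified, added or removed since the last known-good state.
set -eu

# hash_file FILE: sha256sum on Linux, shasum on macOS/BSD.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# wp_snapshot DIR MANIFEST: write "<hash>  <relative path>" for every file under DIR.
# Keep MANIFEST outside the web root, next to the backup archive.
wp_snapshot() {
  ( cd "$1" && find . -type f | sort | while read -r f; do
      printf '%s  %s\n' "$(hash_file "$f")" "${f#./}"
    done ) > "$2"
}

# in_manifest MANIFEST PATH: exact path match (the path starts at column 67, after
# the 64-hex hash and two spaces), so "a.php" never matches "a.php.bak".
in_manifest() { awk -v p="$2" 'substr($0, 67) == p { found = 1 } END { exit !found }' "$1"; }

# wp_diff_manifest DIR MANIFEST: print MODIFIED / NEW / MISSING lines; prints
# nothing when the tree is unchanged. Paths containing whitespace are not handled.
wp_diff_manifest() {
  dir=$1; manifest=$2; tmp=$(mktemp)
  wp_snapshot "$dir" "$tmp"
  while read -r h f; do
    if ! in_manifest "$manifest" "$f"; then echo "NEW $f"
    elif ! grep -qFx -- "$h  $f" "$manifest"; then echo "MODIFIED $f"; fi
  done < "$tmp"
  while read -r h f; do
    [ -f "$dir/$f" ] || echo "MISSING $f"
  done < "$manifest"
  rm -f "$tmp"
}
```

A NEW or MODIFIED .php file under wp-content/uploads or inside a plugin you did not update is exactly the kind of long-term backdoor the paragraph above warns about.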
Security: never-ending work
While this guide only scratches the surface of security, these are some of the most effective methods to avoid total WordPress compromise. These are the attack vectors most widely used by hackers, and securing these systems will protect your site against the most common and automated attacks against WordPress installations around the world.
A strong username and password that are not easy to guess, a custom login page, and up-to-date plugins, themes, and core installation will go a long way in securing your server. Combine that with solid backups and minimizing third-party tools, and hackers will have far fewer vectors to exploit against your WordPress installation.
Combining strong WordPress practices with strong server security practices such as encryption, firewalls, and malicious activity detection will keep your website secure and a safe place on the web!