Have you ever thought about the security of your WordPress installation? Or rather has your installation ever been attacked or hacked?
Well, security is one very important feature that every other developer is always worried about. In this article, I would like us to discuss ways of making your installation secure to avoid attacks from hackers who might want to hijack your work and gain unauthorised access.
There are several factors to check in making your installation secure, ranging from the strength of your passwords to setting permissions correctly. There are also plugins available for securing an installation, but most of them come with limitations: some are very difficult to use, and others cause a lot of traffic or conflicts with other plugins. I am going to talk about some of the things that you can do to make sure that your installation of WordPress is secure.
1. Strong Passwords and Default Values
One of the things that every WordPress developer knows is that all WordPress installations use wp-login as the login page and admin as the default username. These are some of the most common defaults that hackers can use to try to force their way into your WordPress installation. With those two, the only value they might not have is the password, but they can write scripts that attempt to guess it, and if they gain access, it could be terrible. Another default value that hackers know is the database table prefix, which is wp_ by default. These three defaults are known to everyone, and even though we might not have evidence of them being used, why not make it hard for the hackers? These values can be changed during installation of WordPress, or in the settings of an installation that already exists.
During installation of WordPress, the default values are always suggested. You can see this on the screens that follow once you click the ‘Let’s Go’ button.
In the screen above, the default prefix value for tables is set as wp_. This is common with all WordPress installations. You will be doing yourself some good by changing this to any other prefix, avoiding the default value.
After that screen, you are taken to the screen below.
Here, we can see that the username has a default value of admin. It is advisable to change this to a different username. Sometimes you might interact with your users and be worried that they will still get to see the name you chose; in such cases, you can set a nickname in settings, and that is the name they will see. Also try as much as possible to avoid a username that can be identified with you, such as your own name. You will be prompted to pick your password here as well; make sure that the password you pick is very strong. You can see the password strength as you enter it.
2. Existing WordPress Installation
If you did not change the default values during installation of WordPress, you can still change them. I would advise you to always change them during installation since it is quite easy and straightforward. The table prefix is the sensitive one to change here because it touches a lot of the database. If you do this and make undesirable changes to the database, your site will not be accessible, and you will have no way back if you had not backed up the database first.
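As an added example (Python, not from the original article), here is a small helper that generates the MySQL statements needed to move an existing installation from the wp_ prefix to a new one, including the rows that store the prefix inside the data, which is the part that locks everyone out when it is forgotten. The table list and prefixes are constructed for the example, and the `$table_prefix` line in wp-config.php still has to be changed by hand.

```python
import re

# Core WordPress table names without their prefix. This is a constructed
# subset for the example: a real site may have multisite and plugin tables,
# so take the list from SHOW TABLES on the live database instead.
CORE_TABLES = ["commentmeta", "comments", "links", "options", "postmeta", "posts",
               "term_relationships", "term_taxonomy", "termmeta", "terms",
               "usermeta", "users"]


def prefix_migration_sql(old, new, tables=CORE_TABLES):
    """Return MySQL statements that move a WordPress schema from prefix `old`
    to prefix `new`.

    Renaming the tables is not enough: WordPress also stores the prefix inside
    row data, in the option `{prefix}user_roles` and in the usermeta keys
    `{prefix}capabilities` and `{prefix}user_level`. Leaving those with the old
    prefix is what locks every user, administrators included, out of the site.
    """
    # Only allow identifier characters, so a bad prefix cannot smuggle SQL in.
    for p in (old, new):
        if not re.fullmatch(r"[A-Za-z0-9_]+", p):
            raise ValueError(f"refusing unsafe prefix {p!r}")
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    # '_' is a single-character wildcard in LIKE, so it has to be escaped.
    like = old.replace("_", r"\_") + "%"
    cut = len(old) + 1  # SUBSTRING is 1-based: drop the old prefix, keep the rest
    stmts.append(
        f"UPDATE `{new}options` SET option_name = "
        f"CONCAT('{new}', SUBSTRING(option_name, {cut})) "
        f"WHERE option_name LIKE '{like}';"
    )
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = "
        f"CONCAT('{new}', SUBSTRING(meta_key, {cut})) "
        f"WHERE meta_key LIKE '{like}';"
    )
    return stmts


if __name__ == "__main__":
    # Take a full database backup first, run the output, then set
    # $table_prefix = 'zk7_'; in wp-config.php (zk7_ is a made-up prefix).
    print("\n".join(prefix_migration_sql("wp_", "zk7_")))
```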
3. Username and Password
As I mentioned earlier, having admin as your username is not secure. If you have an installation with admin as the username, you do not have to worry, although there is no simple way of renaming it apart from creating another user. The fix is to delete the admin account, of course only after creating the new account!
The first step is to log in to your dashboard and click on Users. You can add a new user by clicking on the Add New menu option. Here, set the username to something else, avoiding your real name, which would be risky to use or easy to guess.
After this, fill in the other required fields, which include the password, email, first and last names and website. You can leave the website and last name blank if you do not want them. Remember to use a very strong password, and set the role to Administrator.
Now, you can log out of WordPress and log back in using the new username that you have just created. Going back to Users on the dashboard, you can now see that you have two users, the new one and the one that you had. We need to delete the user with username admin. When you hover the cursor over it, you can see extra options such as Edit and Delete. Click on Delete to remove it completely. See the image below.
To add a nickname to the new user, simply click on Profile in the sidebar. This brings up a form to fill in, where you add a nickname that will be visible to website users if you interact with them.
4. Brute Force Logins and Securing Admin Area
An attacker might try one password after another in order to gain access to your installation. This is a brute force attack. One of the best ways to avoid this is to make sure that you are not using common passwords.
There is a plugin called Bulletproof Security that limits the number of times a user is allowed to guess a password, or to attempt a login. This plugin suspends a visitor for an hour if they enter the wrong password three consecutive times. To use it, log in to your dashboard, then go to Plugins and Add New. Once installed, launch it from the sidebar, simply select the default options and save.
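Here is an added example (Python; not from the article and not the plugin's own code) that applies the same rule to a web server access log after the fact: three failed POSTs to wp-login.php from one address lock it out for an hour, and any further attempts during that hour are counted. The log lines are constructed, and the status convention (failed login answers 200 with the form, successful login answers 302) is assumed from WordPress's default login behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines (Apache "combined" format), not from a real server.
# A failed WordPress login re-renders the form with HTTP 200; a successful one
# answers 302 (redirect to wp-admin), so 200 on POST /wp-login.php = failure.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 2845 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 2845 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:55:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:49 +0000] "POST /wp-login.php HTTP/1.1" 200 2845 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2845 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:15:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2845 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
MAX_FAILURES = 3              # the plugin's policy: three wrong passwords...
LOCKOUT = timedelta(hours=1)  # ...suspend the visitor for an hour


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])


def analyse(log_text):
    """Replay the log; report IPs that earned a lockout and attempts made during it."""
    failures = defaultdict(int)   # consecutive failed logins per IP
    locked_until = {}             # IP -> time the suspension ends
    report = defaultdict(lambda: {"lockouts": [], "blocked": 0})
    for ip, ts, method, path, status in filter(None, map(parse_line, log_text.splitlines())):
        if method != "POST" or path != "/wp-login.php":
            continue
        if ip in locked_until and ts < locked_until[ip]:
            report[ip]["blocked"] += 1   # arrived while suspended
            continue
        if status == 302:                # success resets the counter
            failures[ip] = 0
        elif status == 200:              # form came back: wrong password
            failures[ip] += 1
            if failures[ip] >= MAX_FAILURES:
                locked_until[ip] = ts + LOCKOUT
                report[ip]["lockouts"].append(ts)
                failures[ip] = 0
    return dict(report)
```

Run as `analyse(SAMPLE_LOG)`: the third failure at 13:55:49 locks 203.0.113.7 out, the attempt at 13:56:10 is counted as blocked, and the one at 15:00:00 falls after the hour and starts a fresh count.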
The admin area location is another value targeted by hackers. To counter this, you can add a basic trap that redirects attackers in case they manage to get past the Bulletproof Security plugin. Stealth Login Page is a plugin that can be used for this purpose. After installing this plugin, launch it from the sidebar and enable it. Then add a PIN, and a URL that attackers are redirected to if they try to gain access to your login page. The image below shows what the plugin looks like when launched.
The PIN is important. It will be added to your login page, and you will need it to be able to log in to your dashboard.
The measures discussed above will no doubt help you secure your WordPress installation. There is no limit to the things you can do to make sure that your installation is safe. There are other things you can do, such as limiting the number of users with admin roles, using LastPass or Clef, and avoiding reusing the same password, among others.