Imagine you’re having a great day until you receive a call from a customer who is furious that your website is down. You rush to open your website and you’re locked out. You try everything to get the site back up, but you have no backups and all of your files are corrupted. You wish you had been more serious about your WordPress website security… Sadly, 30,000+ websites are hacked each day. WordPress websites are an easy target because of plugin vulnerabilities, weak passwords, and outdated software. Most small business owners don’t think their website is vulnerable, but in reality, all websites are. That’s why Small Business Deacon is big on website security. Here are our 7 tips on how to tighten your WordPress website security:
1. Shield the WP-Admin Directory
The wp-admin directory is the guts of your WordPress website. If a hacker broke into this part of your WordPress website, the whole site could be broken instantly. One solution is to password-protect the directory. In essence, your website will then have two different passwords.
One protects the admin section, and the other protects the login page to your website. We also recommend the AskApache Password Protect plugin for securing the admin area. This plugin automatically generates a .htpasswd file, encrypts the password, and sets the correct security-enhanced file permissions.
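Here is the kind of wp-admin/.htaccess that step produces, written out by hand as an added example (it is not the post's own text or the AskApache plugin's output). It assumes Apache 2.4, that AllowOverride AuthConfig is enabled for the site, and a placeholder .htpasswd path outside the web root.

```apache
# wp-admin/.htaccess (added example; Apache 2.4 syntax).
# Assumes AllowOverride AuthConfig is enabled for this site. The path
# /var/www/private/.htpasswd is a placeholder; keep the file OUTSIDE the
# web root so it can never be downloaded.
#
# Create the password file once on the server (mod_authn_file reads it):
#   htpasswd -c -B /var/www/private/.htpasswd adminuser
# -B stores a bcrypt hash; -c creates the file, so omit -c when adding users.

# Every request for anything under /wp-admin/ must present valid HTTP Basic
# credentials before the WordPress login form itself is reached. This is the
# "first password"; the WordPress account password is the second.
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /var/www/private/.htpasswd
Require valid-user

# admin-ajax.php is called from the public front end (themes, plugins, forms)
# by logged-out visitors too. Without this exception the browser's password
# prompt would break those features for ordinary visitors. In Apache 2.4 the
# Require inside <Files> replaces the directory-level one (AuthMerging Off).
<Files admin-ajax.php>
    Require all granted
</Files>
```

Check it by loading /wp-admin/ in a private browser window: the browser's own password prompt should appear before the WordPress login page does.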
2. Rename Your Login URL
Renaming the login URL is pretty straightforward. By default, the WordPress login page is accessed at /wp-login.php (or you can just type /wp-admin/ and it will redirect you there if you are not yet logged in), for example https://www.yourwordpresswebsite.com/wp-login.php. When hackers know the direct URL of your login page, they will do everything they can to brute-force their way inside your website. They attempt to log in using a guesswork database, a database filled with thousands of different username and password combinations. The quick and simple solution is to install, activate, and configure the iThemes Security plugin for WordPress.
3. Use 2-Factor Authentication
Two-factor authentication is one of the easiest ways to protect your WordPress website against a stolen password or a brute-force attack. In WordPress, this can be done through SMS verification (by installing the Two Factor Authentication plugin) or the Google Authenticator app (we recommend it as a backup). This does add an extra step to the login process, but it makes your account much more secure and is completely worth it.
SMS Verification Setup
To add SMS verification, you will first need to install the Two Factor and Two Factor SMS plugins. You will also need a Twilio account (there is a limited plan that will work for this). The first plugin, Two Factor, provides multiple ways to set up 2-step verification in WordPress. The second plugin, Two Factor SMS, is an add-on for the first plugin that adds support for 2-step SMS verification. For this to work, you need both plugins installed and activated. After activation, go to “Users”, which can be found on the left side of your WordPress admin, then select “Your Profile”. On this page, scroll down to the “Two Factor Options” section.
Check the box next to the “SMS (Twilio)” option and then click the radio button to make it your primary verification method. Once that is done, scroll to the Twilio section. This is where you will need to go into your Twilio account and get the required information: the Twilio Account SID, Auth Token, and sender phone number. Then enter the phone number your future codes should be sent to in the “Receiver Phone Number” box. Now you can log out and see it work in action.
Google Authentication Setup
To add Google Authenticator verification, you will first need to download the Google Authenticator app on your mobile device.
Note: We use this method as a backup in case SMS verification is not working. Example: you log in and an SMS code is sent to your phone. If you did not receive it, click “Use Backup Method” on the Verification Code page.
After you have the app, go to “Users”, which can be found on the left side of your WordPress admin, then select “Your Profile”. On this page, scroll down to the “Two Factor Options” section. Under “Enabled”, check the box next to “Time Based One-Time Password (Google Authenticator)” and then click the “View options” link to begin the Google Authenticator app setup. First, you’ll need to scan the QR code with the app.
Tap the “+” button in the bottom right corner of the app and scan the QR code shown on the plugin’s settings page with your phone’s camera. Your website will now be added to the app. The app will also show a six-digit code that you need to enter on the plugin’s settings page. Once you’ve done that, your Google Authenticator setup is complete!
4. Deny Directory Access with .htaccess
When you create a brand new directory on your website and don’t put an index.html file in it, you may be shocked to find that your website’s visitors can view the directory’s full contents. For instance, if you create a directory called “information”, anyone can see everything in that directory just by typing https://www.instance.com/information/ into a browser. No password is required.
That’s why you need to deny directory listing by creating a .htaccess file. Your .htaccess file is a server configuration file that tells your server how to handle certain things on your website (e.g. redirecting users, password-protecting the admin area, etc.). You may not have this file yet if you have not set up “pretty permalinks”. You can do this by going to “Settings”, then “Permalinks”. All you have to do there is click “Save Changes” on the Permalinks page and your WordPress website will create a .htaccess file.
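The directory-listing problem above is closed with a few lines at the top of the site’s root .htaccess. This is an added example, not text from the original post, and it assumes Apache 2.4 with AllowOverride Options and AllowOverride Limit permitted for the site.

```apache
# Root .htaccess (added example; Apache 2.4 syntax).
# Assumes AllowOverride Options (for Options) and AllowOverride Limit
# (for Require) are enabled for this directory.

# When a directory has no index file, mod_autoindex builds an HTML listing
# of everything inside it. Turning Indexes off makes Apache answer 403 for
# https://www.instance.com/information/ instead of listing its files.
Options -Indexes

# Apache's own control files must never be downloadable. The stock httpd.conf
# already denies them, but repeating it here protects a site whose host
# config forgot, e.g. a .htpasswd created by the step in tip 1 that was
# placed inside the web root by mistake.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Leave the "# BEGIN WordPress ... # END WordPress" rewrite block that
# Settings > Permalinks writes below this point untouched; WordPress
# regenerates that block and would overwrite anything placed inside it.
```

Verify by requesting an index-less directory such as /wp-content/uploads/2024/ (placeholder path): the response should be 403 Forbidden rather than a file list.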
5. Have a Website Backup Schedule
Regardless of how safe you think your website is, there is always a chance it can get hacked and broken. That is why backing up your website daily is important. Having a backup ensures you’re able to restore your website without having to start from scratch. Pick a day or two each week to do your backup, and mark your calendar to remind you. You don’t want to be sorry.
6. Monitor Your Files
For additional safety, be sure to monitor changes to your WordPress website’s files. You can do this with security plugins such as iThemes Security.
7. Hide Your WordPress Version
Your current WordPress version can be found very easily, and that’s a problem. If hackers know which version of WordPress your website runs on, it’s simpler for them to tailor the right brute-force attack. You can hide your version with most security plugins, like the WP Hide & Security Enhancer plugin.