10 Best Practices for WordPress Security Risks
10 Best Practices for WordPress Security Risks
WordPress is one of the most popular and considerably used platforms for creating websites and blogs. Still, it also comes with some security risks that need to be addressed. However, you may end up losing your data, compromising your point’s performance, If you don’t follow the security way. In this blog post, we will bat some of WordPress users’ common security risks and how to resolve them.
1. use strong username and password for admin accounts
Most of the users use the default “admin” as their username and Password when they create a new WordPress account but this can attract hacker attention quickly. So, better is to use a strong username and password that makes WordPress admin users log in securely and hackers can’t access that username and password easily.
2. Enable Two-factor Authentication
This is also an important security step that we have to make sure of as an Admin. We have to enable “Two Factor Authentication” on our site and whenever anyone login especially the Admin, they have to enter the verification code to log in to the dashboard. The benefit of this Step is that if a hacker gets your admin username and password, but without the 2FA verification code, the hacker can’t get access to the dashboard. Many plugins are available to enable 2FA on our site but the best ones are [ Wordfence Plugin, miniOrange’s Google Authenticator, WP 2FA ]. So this is a very important step from a security perspective.
3. Limit Login Attempts
We should limit the login attempts up to 5 times for our WordPress website to make it more secure from brute force attacks. After a specific time of failed attempts that particular user gets blocked temporarily for some time depending on how much time we want to block them. After that amount of time, that person can try logging in. The benefit of this step is to stop brute force attacks on our website which hackers love to do. By this step, we can secure our website from spammers. The best plugin for this is Wordfence plugin. We can do this manually also if we have an advanced knowledge of WordPress and its file structure. For this follow the below steps:
1) Login to your CPanel account and click on file manager.
2) Open the public_html folder. Navigate to wp-content > Themes.
3) Select your active theme folder. Inside, locate the functions.php file.
4) Right-click on it to Edit the file and paste this code.
function check_attempted_login( $user, $username, $password ) {
if ( get_transient( ‘attempted_login’ ) ) {
$datas = get_transient( ‘attempted_login’ );
if ( $datas[‘tried’] >= 3 ) {
$until = get_option( ‘_transient_timeout_’ . ‘attempted_login’ );
$time = time_to_go( $until );
return new WP_Error( ‘too_many_tried’, sprintf( __( ‘ERROR: You have reached authentication limit, you will be able to try again in %1$s.’ ) , $time ) );}}
return $user;
}
add_filter( ‘authenticate’, ‘check_attempted_login’, 30, 3 );
function login_failed( $username ) {
if ( get_transient( ‘attempted_login’ ) ) {
$datas = get_transient( ‘attempted_login’ );
$datas[‘tried’]++;
if ( $datas[‘tried’] <= 3 ) set_transient( ‘attempted_login’, $datas , 300 ); } else { $datas = array( ‘tried’ => 1
);
set_transient( ‘attempted_login’, $datas , 300 );}}
add_action( ‘wp_login_failed’, ‘login_failed’, 10, 1 );
function time_to_go($timestamp)
{
// converting the mysql timestamp to php time
$periods = array( “second”, “minute”, “hour”, “day”, “week”, “month”, “year” );
$lengths = array( “60”, “60”, “24”, “7”, “4.35”, “12” );
$current_timestamp = time();
$difference = abs($current_timestamp – $timestamp);
for ($i = 0; $difference >= $lengths[$i] && $i < count($lengths) – 1; $i ++) {
$difference /= $lengths[$i];
}
$difference = round($difference);
if (isset($difference)) {
if ($difference != 1)
$periods[$i] .= “s”;
$output = “$difference $periods[$i]”;
5) Save the file and exit.
4. Change wp-admin and wp-login URL
By applying this step we can protect our WordPress website login panel from anyone who tries to log in without our permission. The basic admin URL link is just write the “domain.com/wp-admin” or “domain.com/wp-login” We can access the login page for the WordPress dashboard where hackers can try the brute force method to enter our website dashboard, but by simply changing the Admin URL we can stop hacker or any 3rd person from accessing our website login page. So this small change in the WordPress default URL can make our website more secure against hackers. This can be done by WPS hide login plugin and manually.
1) Login to your Cpanel and download wp-login.php file for backup.
2) Find and Replace the Old Login URL. Find: wp-login, replace: the new one ex: wp-new-url.
3) Change the wp-login.php file name to the URL name kept under the file ex: wp-new.php Note: the new name changed in the file should match the file name so make sure both are same.
4) now test the new URL EX: domain.com/wp-new.
5) if anything goes wrong upload the file of step 1.
5. Change the Database Prefix
Besides securing the website from hackers it is also important to secure our WordPress database because our WordPress database is vulnerable to SQL injection so in order to protect that we can change the prefix of the database from WP to anything else. This will protect our database from hackers to get a hint that this is a WordPress DB. We can do it manually and also we can use plugins. I suggest that just making use of plugins as if one doesn’t have knowledge of DB can mess up the website.
Plugin : Brozzme DB Prefix & Tools Addons.
6. Integrate the Captcha under contact form
If we are using the contact forms under our WordPress website then we must integrate the captcha under all the forms to protect it from spammers. If we don’t use a captcha then it might happen that spammers spam out the dashboard with fake entries and to stop them this Captcha is necessary. To integrate follow the steps:
1) Open this link Google Recaptcha
2) Navigate to the Admin console.
3) Login/create your Google account.
4) Add label [ domain.com ]
5) select the reCaptcha type according to the need.
6) Add a domain under domains and submit your Request.
7) Now copy the secret key and site key and enter that in the WordPress website to activate the reCaptcha.
8) Then paste these keys under the WordPress dashboard under integration.
7. Disable XML-RPC file
This XML-RPC file is the core WordPress API that allows developers to interact with WordPress sites using XML and https protocol. In short, you need XML-RPC enabled to access and publish your blog remotely, such as when you want to use a mobile app to manage your site or make connections to automation services such as Uncanny Automator or Zapier. In order to disable this we can add the below code to our .htaccess file, but first take a backup of this file and then add this code :
# Block WordPress xmlrpc.php requests
order deny, allow
deny from all
allow from 123.123.123.123
Or we can make use of a plugin called WP-code under which we can navigate to Add snippets and under search bar search “disable xmlrpc” just add the disabled XML-RPC snippet to disable the XML-RPC file.
8. Take Frequent Backups
The Backup can be helpful at any point in time if our WordPress website faces any failure due to some changes or updates then at that time we can use that most previous backup to make our website work. For that, we can manually take a backup of the files under public_html and take a backup of the MYSQL database.
9. Hide WordPress Version
Hiding the WordPress version from your website is a security measure that some people recommend to prevent hackers from exploiting known vulnerabilities in older versions of WordPress, plugins, or themes. If You want to hide this then we have to use a plugin called WPcode. Under that plugin navigate to add a new snippet and add this code:
Add this code and right-hand side select PHP snippets and save the snippet.
function wpbeginner_remove_version() { return ‘ ‘; }
add_filter(‘the_generator’, ‘wpbeginner_remove_version’);
And then save that snippet, And also we can hide the version by just installing the sucuri plugin.
10. Update the WordPress version, theme, and plugins
We have frequently checked our WordPress website that there are any updates available under plugins and themes. If it’s there just update that and make your website up to date by updating and regularly tracking the Dashboard. This would help minimize the risk of getting hacked due to previous versions of the theme and plugin vulnerabilities. So, this was the point to keep in mind and secure your website.
Conclusion
WordPress is a powerful and popular CMS, but it also faces many security risks. To keep your site safe and secure, you need to follow some best practices and implement some security measures. By doing so, you can protect your site from hackers, malware, and other threats that can harm your business reputation, customer trust, and search engine ranking.