Irrespective of whether you own a personal blog or a business critical website with sensitive data, you must give due emphasis on securing it to the greatest possible extent. To prevent a visitor with malicious intent from gaining access to your website, it is vital to prepare a security check-list and perform periodic security audits.

Having said that, a cent percent secure system is practically impossible to configure as there’s always the probability of new ‘threats’ emerging out of the blue. While it may not be possible to fully eradicate the risk of security breaches, following a set of best practices can help you in minimizing the potential vulnerabilities.

When it comes to securing a WordPress website, you will be spoilt for choices as far as the availability of resource is concerned. There are loads of tips, tweaks and tutorials published on a host of websites and blogs. However, when you take a closer look, you might get disappointed by the lack of substance. WordPress security measures listed down on most of these websites are very basic in nature. Be it upgrading to the most recent version of WordPress, or scheduling periodic backups, or using an admin password with high complexity – you might already have implemented all these fundamental measures. Quite obviously the question that comes to your mind is “What’s next?”

This tutorial is intended to give a definite answer to your question. Discussed here are ten innovative security measures that can help you in keeping the control of a WordPress website in your safe custody. Let’s now get on with the details.

1. Use Two-Factor Authentication:

When you implement two factor authentication, a person trying to login to your WordPress dashboard will have to input a random generated OTP (One Time Password), besides the standard user name and password. Cryptographic functions are used to generate OTP in real time and it is sent over only to the intended recipient on a communication device via a secure gateway. Cell phone is the most widely used communication device for this purpose.

So even if a hacker manages to steal your username and password, still he won’t be able to access your WordPress admin panel without the One Time Password.

How to Implement Two-Factor Authentication?

You can use any OTP generating plugin to implement two-factor authentication on your WordPress website. Both commercial as well as free to use plugins are available in the market. Two recommended plugins that are freely available on the WordPress repository are:

1. Two Factor Auth
2. Duo Two-Factor Authentication

Both the plugins are very easy to configure even for a rookie webmaster. Detailed documentation on installation and set up can be found on the respective plugin pages.

2. Disable Template File Editing Through WP Dashboard

A WordPress user with administrative access can edit your website’s template files by navigating to Appearance > Editor. In case a visitor with malicious intent manages to hack your admin user credential, then he too can make the desired modifications to those files right from your WordPress dashboard. To prevent such an occurrence, you can disable file editing from WordPress dashboard.

How to Disable Template File Editing?

In order to disable file editing via dashboard editor, you need to add a line of code to your WordPress website’s configuration file. Go to the file manager program available on your hosting control panel and browse to the root directory. Open the wp-config.php file in a text editor and append the following line of code at the bottom of the file.

define( ‘DISALLOW_FILE_EDIT’, true );

3. Hide Login Error Feedback from Visitors

What purpose does it serve to display error logs to your visitors? Absolutely nothing. When something goes awry, only you, the admin user, should know about it. To make the matter worse, by making the error feedback public, you are actually giving just enough hint to a technically expert visitor to try and hack your website.

How to Stop Displaying Error Feedback?

There is a straightforward method to prevent WordPress login error feedback from getting displayed publicly. After logging in to your WordPress admin panel, navigate to Appearance > Editor. Open the active theme’s functions.php file and place the following code snippet anywhere inside the file.

add_filter('login_errors',create_function('$a', "return null;"));

4. Delete the ‘admin’ User

The default administrative user account which is created automatically at the time of WordPress installation is ‘admin’. It is also the most vulnerable area as far as WordPress security is concerned, which gets exploited by the hackers more often than not. So deleting this default ‘admin’ account and managing your website from another ‘pseudo’ admin account is a very good idea to keep the hackers at bay. At the very least, it will make the life a little more difficult for any potential hacker.

How to Delete Default ‘admin’ User?

This activity can be performed at two different stages as described below:

1. While Installing WordPress: If it’s a new hosting account on which you are looking to create your WordPress website, then you can get rid of the ‘admin’ user while installing WordPress. On the first installation screen you get user configurable options. User name is one such item that you are allowed to modify. Before clicking on the ‘Install’ button located at the bottom of your screen, just replace the default user name ‘admin’ with whatever you prefer to name it as. Then proceed with the installation process as you would normally do.
2. For an existing WordPress installation: When you already have an existing WordPress website, first you need to log in with your ‘admin’ account and create a new user account. Do ensure that you are providing the new user with full administrative privilege. Then log out of the ‘admin account and log in again using the newly created user account. Go to the ‘Users’ tab on your WordPress dashboard and delete the ‘admin’ user account. You can now manage your dashboard with the newly created administrative user.

5. Hide WordPress Version Number

Each version of WordPress has a few vulnerabilities that are usually fixed when the subsequent version gets released. If a hacker manages to identify which version of WordPress you are using, then he can readily associate it with a known weakness and exploit it to gain control of your website. To prevent such a scenario, you can instruct WordPress functions file not to disclose the version number.

How to Hide WP Version Number?

Usually WordPress version number gets inserted in to your theme’s header file via the ‘wp-head()’ function. However, removing the function is not a solution, because the same function might also be used by some of the plugins that you have installed. Instead, a better alternative is to add the below code snippet to your functions.php file.

remove_action('ks29so_head','ks29so_generator');

6. Block Access to Bots

Bots are computer programmed automated tools used by hackers to take control of your website. These automated programs can also utilize your web hosting resources to perform other activities on behalf of the hacker. By preventing bots from gaining access to your web pages and directories, you can tighten your grip on website administration.

How to Prevent Bots from Accessing Your Website?

Mod rewrite is an effective remedy for blocking bot access. Using any text editor program, open the ‘.htaccess‘ file present inside your WordPress root directory. Scroll down to the bottom of the file, insert the below mentioned code snippet and then save the file at the same location. Do ensure that you are not changing the file name.

SetEnvIfNoCase User-Agent ^$ keep_out
SetEnvIfNoCase User-Agent (pycurl|casper|cmsworldmap|diavol|dotbot) keep_out
SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
SetEnvIfNoCase User-Agent (purebot|comodo|feedfinder|planetwork) keep_out
Order Allow,Deny
Allow from all
Deny from env=keep_out

7. Use Proper File/Folder Permissions

File permissions are nothing but an access restriction method. Using proper file permission parameters, you can prevent the visitors from accessing important configuration files residing in your WordPress installation directory.

How to Implement Access Restriction?

Listed below are the recommended file and folder permission settings for your WordPress website:

CHMOD value for all data files should be set to 644.

CHMOD value for all folders and subfolders should be set to 755.

CHMOD value for WordPress configuration file (wp-config.php) should be set to 640.

8. Limit User Login Attempts:

In all probability, a hacker is expected to use different combinations of username and password to break in to your WordPress admin panel. Unless there’s a limit on the number of failed login attempts, a hacker can continue for as long as it takes to find the right username-password combination.

How to Limit Login Attempts?

The simplest way to limit user login attempts is to use an open-source plugin, Limit Login Attempts. It can be freely downloaded from WordPress Plugins repository. After installing and activating the plugin, you can specify the number of failed logins a user is allowed to attempt for a certain period of time.

9. Use SSL Mode for Login Sessions

Forcing your WordPress website to SSL mode for login ensures safe data transfer between the user’s web browser and your server. Web browser encrypts the user name and password before sending it over to your server system via a secure channel when SSL is used.

How to Use SSL Mode for All Logins?

First and foremost, you must have a valid SSL certificate installed on your web server. In order to force SSL mode for all user logins, you need to define SSL login preferences on your WordPress configuration file (wp-config.php). You can either force SSL mode only for the admin user or enable this feature for all logins. Go to your root directory and open the wp-config.php file. Then add either of the below given code snippets depending upon your requirement.

Only for admin login sessions:

define('FORCE_SSL_ADMIN', true);

For all user login sessions:

define('FORCE_SSL_LOGIN', true);

10. Disable Access to ‘wp-content’ Folder

All images and media files that you upload to your WordPress website are stored inside ‘wp-content’ folder. It also contains all the plugin files. Hackers can use it as an entry point to inject harmful elements on to your website. Another unethical activity that can be performed through the same channel is bandwidth theft. So it’s highly recommended that you block public access to this directory.

How to Disable Access to Media Files & Plugins?

You can add a rule to your .htaccess file to prevent access to all the file types available inside ‘wp-content’ folder. Do keep it in mind that CSS & JavaScript files, along with the images (jpg, png, gif), are at the highest risk of being exploited by the hackers.

Order Allow,Deny
Deny from all
<files ?.(jpg|gif|png|js|css)$? ~>
Allow from all

Conclusion:

With each passing days, the hackers are inventing newer techniques to take control of your website and business. There’s no point in sticking to what the ‘others’ have been doing for ages. To eliminate the possibility of getting your WordPress website hacked, you need to stay a step above and be smarter than your nemesis.