The best WordPress security tips and plugins that you don’t know about yet but need to.
There’s no need to repeat why WordPress is one of the most widely used CMSs in the world, so let’s get down to business. Here are four WordPress security tips that you should put in place today:
1 – Hiding the default WordPress administrative login URL.
Hackers, and the bots they write, can tell that your website runs WordPress simply by requesting /wp-admin (or /wp-login.php) on your domain. This is the default WordPress admin dashboard URL: www.yourwebsitehere.com/wp-admin
Once a bot or attacker confirms that this login page exists:
- It’s obvious that your website runs WordPress. The exact version may not be visible, but public exploits exist for many older versions, and if you haven’t kept up with updates you are exposed. Even a fully patched site can be hit by a 0-day exploit: one that WordPress hasn’t released a fix for yet.
- They know where the front door is. If an attacker gains unauthorized access to your WordPress administrative dashboard, they can redirect your website to a fraudulent site, potentially exposing your customers to credit card theft or worse. If you don’t do your part to secure your website, you may even face legal action from your own customers.
Bots and brute-forcing tools then try hundreds or thousands of username and password combinations against that login form, and sometimes they guess right. The simplest way to see this happening is to watch your access log for bursts of POST requests to wp-login.php (and xmlrpc.php, another common target) from a single IP address.
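As an added example (not code from the original article), here is a small POSIX shell/awk check that flags the brute-force pattern described above in an Apache or Nginx combined-format access log. The log lines it writes are constructed for the demo, and the request paths it matches, the default threshold of 10 requests, and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article. Counts POST requests to
# wp-login.php and xmlrpc.php per client IP in a combined-format access log
# and reports every IP at or above a threshold (assumed default: 10).

wp_login_bruteforce() {
    logfile="$1"
    threshold="${2:-10}"
    # Combined log format: $1 = client IP, $6 = "METHOD (with the leading
    # quote), $7 = request path. Only POSTs to the two login endpoints count.
    awk -v t="$threshold" '
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' "$logfile" | sort -k2,2nr
}

# Writes a constructed sample log (demo data, not real traffic) to the given
# path: 12 login POSTs from 203.0.113.5, 3 xmlrpc POSTs from 198.51.100.7,
# and a few ordinary GETs that must not be counted.
wp_sample_log() {
    out="$1"
    : > "$out"
    i=0
    while [ "$i" -lt 12 ]; do
        printf '%s\n' '203.0.113.5 - - [12/Sep/2021:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3841 "-" "python-requests/2.25"' >> "$out"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 3 ]; do
        printf '%s\n' '198.51.100.7 - - [12/Sep/2021:03:15:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"' >> "$out"
        i=$((i + 1))
    done
    printf '%s\n' '203.0.113.5 - - [12/Sep/2021:03:14:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3841 "-" "python-requests/2.25"' >> "$out"
    printf '%s\n' '192.0.2.10 - - [12/Sep/2021:03:16:22 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"' >> "$out"
}

# Stand-alone run on the constructed log; on a real host point it at your
# web server's access log instead, e.g. /var/log/apache2/access.log.
demo_log="${TMPDIR:-/tmp}/wp-access-demo.log"
wp_sample_log "$demo_log"
wp_login_bruteforce "$demo_log" 10
```

With the sample data only 203.0.113.5 is reported (12 hits); the three xmlrpc.php POSTs stay under the threshold, and GETs are ignored because a brute-force tool submits the form. On a busy site lower the threshold per time window rather than per whole log, and feed the offending IPs to fail2ban or your firewall.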
2 – Hiding the fact that your website was even created with WordPress.
Following on from #1, if your website is identifiable as WordPress, known exploits can be run against your installation. Even with an up-to-date WordPress core, plugins, themes, and custom code can still leave your website vulnerable.
To address #1 and #2 at the same time, I highly recommend a WordPress plugin called WP Hide & Security Enhancer. The free version gives you everything you need to change your login URL, admin dashboard location, and default WordPress folder names, along with a lot more. The only downside is that some users may find it too complex with all of the options present. Keep in mind that renaming paths is obscurity, not a patch: it cuts down automated noise, but a determined attacker can still fingerprint WordPress through other signals, so keep updating and use strong passwords regardless.
3 – Changing folder and file permissions.
By default, WordPress tries to set sensible file permissions on its own, but it is limited by the permissions it was given when uploaded (or installed through a control panel). File and folder permissions here are specific to Linux web hosting. They can be viewed and edited with an FTP client (such as FileZilla), sometimes in your web host’s file browser, or with chmod over SSH.
WordPress itself recommends tightening wp-config.php right away, since it holds your database credentials and security keys and the installer cannot lock it down by itself. Always aim for the least permissive option and only loosen it if you hit errors. For wp-config.php that means 400, or 440 if the web server runs as a separate user in the same group.
Some plugins require /wp-content/, /wp-content/cache/, and /wp-content/uploads/ to be writable and ask for 755 on those directories; otherwise leave them at 750.
All other files should be 640 or 644 (wp-config.php is the exception above).
No directory should ever be 777, not even upload directories: that lets any user on the server write to it, including a compromised neighbouring account on shared hosting.
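As an added example (not from the original article or the WordPress project), the shell script below applies the scheme above to a WordPress document root and then audits the tree for anything still world-writable. It assumes Linux hosting with GNU find and chmod, that it runs as the file owner (or root), and uses the 755/644 defaults from the article; set WP_GROUP_READ=1 (an assumed variable name) to get 440 on wp-config.php instead of 400, and change the two chmod modes to 750/640 if your web server runs as your own user.

```shell
#!/bin/sh
# Added example, not from the original article. Applies the permission scheme
# above to a WordPress document root and audits for world-writable paths.
# Assumes Linux hosting (GNU find/chmod) and that it runs as the file owner
# or root. WP_GROUP_READ=1 (assumed name) chooses 440 for wp-config.php.

wp_harden_perms() {
    root="$1"
    # Directories: 755 (owner rwx, everyone else r-x); files: 644 (owner rw, others r)
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # Lock down wp-config.php last so the file pass above does not undo it.
    if [ -f "$root/wp-config.php" ]; then
        if [ "${WP_GROUP_READ:-0}" = "1" ]; then
            chmod 440 "$root/wp-config.php"   # web server runs in the owner's group
        else
            chmod 400 "$root/wp-config.php"   # owner read-only
        fi
    fi
}

# Prints every path still writable by "other" (the 777/666 mistake).
# Empty output means the tree passes.
wp_audit_perms() {
    find "$1" -perm -002
}

# Demo on a scratch tree so nothing outside it is touched.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/uploads"
printf '<?php // demo config\n' > "$demo_root/wp-config.php"
printf 'x' > "$demo_root/wp-content/uploads/photo.jpg"
chmod 777 "$demo_root/wp-content/uploads"   # the mistake being fixed
chmod 666 "$demo_root/wp-config.php"
echo "World-writable before hardening:"
wp_audit_perms "$demo_root"
wp_harden_perms "$demo_root"
echo "World-writable after hardening (should be empty):"
wp_audit_perms "$demo_root"
```

Run the audit function alone against your real document root first (`wp_audit_perms /var/www/html`); anything it lists is already exposed to every other account on the host. Only then apply the hardening function, and if a plugin breaks afterwards, loosen the single directory it needs rather than reaching for 777.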
4 – Adding 2FA (Two Factor Authentication)
Adding extra protection to your admin account is highly recommended in every case. Unfortunately, WordPress core doesn’t ship with 2FA built in, so you will have to use a plugin. Two of the most popular and highly rated 2FA plugins are:
- “Two Factor Authentication” plugin by David Anderson
One of the most popular 2FA plugins in the WordPress plugin directory, Two Factor Authentication offers 2FA for individual users, enabled on a per-role basis (i.e. required for admins but not subscribers), and supports Google Authenticator, Authy and more.
As of writing this article, Two Factor Authentication has been tested up to WordPress v5.8 and requires PHP 5.6+.
- “WP 2FA” by WP White Security
Downloaded a bit less than the previous plugin, WP 2FA has a slightly higher rating among its users. It offers free two-factor authentication for all users, 2FA backup codes, and support for Google Authenticator, Authy, OTP and others.
As of writing this article, WP 2FA has been tested up to WordPress v5.7.2 and requires PHP 7.0+. Keep this in mind, as it excludes many older websites, WordPress installations, and perhaps older plugins and themes.
Also worth mentioning: Wordfence Login Security offers two-factor authentication as well as CAPTCHA integration, and is the most-downloaded 2FA plugin in the WordPress plugin directory.