Hey guys! So here we meet again on our weekly Understanding WordPress show, where I am more than happy to provide you with some basic as well as advanced knowledge of WordPress. Last time we talked about What Beginners Should and Should Not Do; I believe you have absorbed all that information and are slowly turning it into your own methods. Now it is high time we learned something a little more complex: protecting your precious WordPress Admin Area.
Why do we need to protect the WordPress Admin Area, and how do we do it? The answer to the first question is quite simple: the administration area is one of the favorite targets of hackers, so it needs strict protection. You should know that when WordPress creates a blog, its administrative user is given a completely safe password while all public access to the settings area is blocked. How to protect that area is what we will talk about in this article. Please remember that hackers nowadays are very smart and insidious, so it is going to take 100% of your effort to stop an attack before it can happen. How to do it will be presented below, but let me tell you in advance that these tricks, although amazing, can only help you strengthen the protection; they do not grant you complete security!
Enough talking! Time to discover what these 9 tricks are, shall we?
I know what you are thinking, but I will stop you right there before you say I have mentioned this step too often. Why? Because it is indeed very important! A strong password makes hackers' lives a little more difficult when they try brute-force attacks, and hence your WordPress website will be safer. If you do not know what a strong password is, take my advice: make it a combination of letters, numbers and special characters.
Moreover, remember not to use the same password for different areas; make them distinct from each other and all hard to guess. Another thing is to change them often to throw off any potential hackers.
Firstly, the WordPress configuration file wp-config.php stores the settings as well as the access data for the database. However, some security-related settings can also be placed there. Generally, the following definitions, which may or may not already be present in the wp-config.php file, need to be added or modified:
As the name indicates, restricting login attempts means locking a user out after they have entered the wrong password a specific number of times. This method prepares you for the event that a given hacker figures something out about your password, whether by guessing or by writing a script to do so, and attempts to try it. Don't tell me you don't need it because you have such a strong password that it cannot be guessed! Preparing for the worst is always better!
Use this plugin called Limit Login Attempts to do the job!
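As an added illustration of what such a limiter does under the hood (this is my own example, not the plugin's code), here is a minimal per-IP throttle built on WordPress's own wp_login_failed action and authenticate filter; the threshold, lockout window and transient key name are my assumptions.

```php
<?php
// Added example for a theme's functions.php or a small mu-plugin, not the plugin's code.
// Thresholds are assumptions; tune them to your own site.
const LOGIN_MAX_ATTEMPTS    = 5;
const LOGIN_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;

function login_throttle_key() {
    // Key the counter on the client address. Behind a reverse proxy, resolve the
    // real client IP first, or every visitor would share one counter.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'login_fail_' . md5( $ip );
}

// Count every failed login; the transient expires on its own after the lockout window.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = login_throttle_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, LOGIN_LOCKOUT_SECONDS );
} );

// Refuse authentication once the limit is reached. Priority 30 runs after the core
// username/password checks, so this error replaces whatever they returned. Note that a
// refused attempt also fires wp_login_failed, which extends the lockout window.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $attempts = (int) get_transient( login_throttle_key() );
    if ( $attempts >= LOGIN_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// Reset the counter after a successful login from that address.
add_action( 'wp_login', function () {
    delete_transient( login_throttle_key() );
} );
```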
As WordPress developers are very quick and efficient in making positive changes as well as fixing bugs and other security holes in WordPress, you had better keep a close watch on it and keep it updated at all times. Once the issues are fixed, WordPress makes an announcement and lays them all out under the sunshine, I mean on the Internet. Because of this, hackers can easily find ways to attack your website if you are still running an old version.
So, hit the update button every time WordPress releases a new version, or else you run the risk of inviting hackers to your website.
Once you understand WordPress thoroughly, you will see that having two passwords for your WordPress website is actually quite ideal. After all, it is not too hard a task to generate two passwords so that your WordPress Admin Area can be placed under stricter protection. All you need is a plugin called AskApache Password Protect, which encrypts your password, creates a .htpasswd file and sets the proper security-improved file permissions on both files.
Alternatively, if you are using a cPanel web host, you can use cPanel's Password Protect Directories feature to password-protect the wp-admin directory.
By default, an administrator account is created automatically when you first install WordPress, and yes, its username is admin. Because this is preset by WordPress and everyone knows it, it is a very easy target for hackers: to break into your website, all they have to do is crack that one password.
Thus, it is advisable that you follow these steps after installing WordPress:
Since WordPress allows users to move the wp-config.php file, you should take advantage of it immediately and move this file elsewhere. Why? Because this very file contains some of the most sensitive pieces of information, and because it is tricky to reach the parent directory through the web server, it is a good idea to move it somewhere outside the actual installation.
After that, anyone requesting the file at its usual path gets nothing in return, because WordPress will look for the configuration file in the directory above the installation.
You know how the login error message works, don't you? It tells users whether they entered a wrong password or an invalid username, which means that if hackers get one of the two right, the error message acts like a clue telling them so. Hence, it is recommended to remove the error message completely so that it leaves hackers with no hint. You can do so by adding the code below to the functions.php in your theme folder.
// Blank out the login error text so neither the username nor the password is confirmed.
add_filter( 'login_errors', function ( $error ) { return ''; } );
Why should we rename and upload the WordPress folder? Well, there are many advantages, but I will only mention some: firstly, the files will no longer be lost in the main directory, and they can be found much more quickly; secondly, the admin area can no longer be found easily by humans, because it would require a robot to do the job. What does this mean? Yes, improved security! But how do you do it? Well, while you can alter the path of the wp-content directory, it is impossible to do so with the wp-admin directory. However, there is still something you can do to work around this limitation!
Now, as you extract the zipped WordPress files, you will run into a folder named wordpress. It is advisable to rename this folder to something more complex and, at the same time, make some changes to the wp-config.php file. Finally, upload it to the root directory of the domain and you have finished the process.
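To tie the wp-config.php trick and the renamed-folder trick together, here is an added example of the security-related definitions in a wp-config.php fragment; it is my own illustration, not the article's file, and the domain, the folder name site-core-7f3a and the content directory name assets-4c1b are placeholders.

```php
<?php
// Added example fragment of wp-config.php; names and domain are placeholders.

// Unique keys and salts: paste fresh values from https://api.wordpress.org/secret-key/1.1/salt/
// so that stolen cookies from another site cannot be replayed against yours.
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

// Non-default table prefix: generic SQL written for the wp_users table misses.
$table_prefix = 'x9q_';

// Disable the in-dashboard theme/plugin editor, so a hijacked admin session
// cannot drop PHP into the site through the browser.
define( 'DISALLOW_FILE_EDIT', true );

// Serve the login and the whole admin area over HTTPS only.
define( 'FORCE_SSL_ADMIN', true );

// Never show PHP errors (file paths, queries) to visitors on a live site.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );

// WordPress lives in the renamed folder, while the site is served from the domain root.
// Assumes a copy of index.php in the root whose require points into that folder.
define( 'WP_SITEURL', 'https://example.com/site-core-7f3a' );
define( 'WP_HOME',    'https://example.com' );

// Relocated wp-content directory (the path the article says you can change).
// __DIR__ assumes wp-config.php still sits inside the WordPress folder; if you also
// move it one level up, point WP_CONTENT_DIR at the folder explicitly instead.
define( 'WP_CONTENT_DIR', __DIR__ . '/assets-4c1b' );
define( 'WP_CONTENT_URL', WP_SITEURL . '/assets-4c1b' );
```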
So that is the end of the fourth article in the "Understanding WordPress" series that I have been writing lately! I think you have realized by now how important it is to protect your WordPress website in general, and your WordPress Admin Area in particular. Understanding WordPress to this level will of course raise your awareness, and I sincerely hope you can learn something useful from this thread. Anyway, do not forget to come back for the next release, where I will offer much more interesting and helpful knowledge about WordPress!
Have any questions? Please discuss them with us in the comment section right down below!