Set up website lockdown and ban users
A lockdown feature for failed login attempts can solve a huge problem, i.e. no more continuous brute force attempts. Whenever there is a hacking attempt with repetitive wrong passwords, the site gets locked, and you get notified of this unauthorized activity.
Use 2-factor authentication
Introducing the 2-factor authentication (2FA) at the login page is another good security measure. In this case, the user provides login details for two different components. The website owner decides what those two are. It can be a regular password followed by a secret question, a secret code, a set of characters, etc.
Use email as login
By default, you have to input your username to log in. Using an email ID instead of a username is a more secure approach. The reasons are quite obvious. Usernames are easy to predict, while email IDs are not. Also, any WordPress user account is always created with a unique email address, making it a valid identifier for logging in.
Rename your login URL
To change the login URL is an easy thing to do. By default, the WordPress login page can be accessed easily via wp-login.php or wp-admin added to the site’s main URL.
When hackers know the direct URL of your login page, they can try to brute force their way in. They try to log in with their GWDb (Guess Work Database, i.e. a database of guessed usernames and passwords; e.g. username: admin and password: p@ssword … with millions of such combinations).
So, at this point – if you’ve been following along – we have already restricted the user login attempts and swapped usernames for email IDs. Now we can replace the login URL and get rid of 99% of direct brute force attacks.
Adjust your passwords
Play around with the website’s passwords and change them regularly. Improve their strength by adding uppercase and lowercase letters, numbers, and special characters. This password generator is a useful resource.
Change the WordPress database table prefix
If you have ever installed WordPress then you are familiar with the wp- table prefix that is used by the WordPress database. I recommend you change it to something unique.
Using the default prefix makes your site database prone to SQL injection attacks. Such attack can be prevented by changing wp- to some other term, e.g. you can make it mywp-, wpnew-, etc.
Back up your site regularly
No matter how secure your website is, there is always room for improvements. But at the end of the day, keeping an off-site backup somewhere is perhaps the best antidote no matter what happens.
Protect the wp-config.php file
The wp-config.php file holds crucial information about your WordPress installation, and it’s in fact the most important file in your site’s root directory. Protecting it means protecting the core of your WordPress blog.
It gets difficult for hackers to breach the security of your site if the wp-config.php file becomes inaccessible to them.
The good news is that making this happen is really easy. Just take your wp-config.php file and move it to a higher level than your root directory.
Now the question is, if you store it elsewhere, how does the server access it? In the current WordPress architecture, the configuration file settings are set the highest on the priority list. So, even if it is stored one fold above the root directory, WordPress can still see it
Disallow file editing
If a user has admin access to your WordPress dashboard then they can edit any files that are part of your WordPress installation. This includes all plugins and themes.
However, if you disallow file editing, even if a hacker obtains admin access to your WordPress dashboard, they still won’t be able to modify any file.
Add the following to the wp-config.php file (at the very end):
Connect the server correctly
When setting up your site, connect the server only through SFTP or SSH. SFTP is always preferred over the traditional FTP because of its security features that are, of course, not attributed with FTP.
Connecting the server this way ensures secure transfers of all files. Many hosting providers offer this service as part of their package. If not – you can do it manually (just google for tutorials; there’s a lot of stuff out there).
Set directory permissions carefully
Wrong directory permissions can be fatal, especially if you’re working in a shared hosting environment.
In such a case, changing files and directory permissions is a good move to secure the website at the hosting level. Setting the directory permissions to “755” and files to “644” protects the whole filesystem – directories, subdirectories, and individual files.
This can be done either manually via the File Manager inside your hosting control panel, or through the terminal (connected with SSH) – use the “chmod” command.
Disable directory listing with .htaccess
If you create a new directory as part of your website and do not put an index.html file in it, you may be surprised to find that your visitors can get a full directory listing of everything that’s in that directory.
For example, if you create a directory called “data”, you can see everything in that directory simply by typing http://www.example.com/data/ in your browser. No password or anything is needed.
You can prevent this by adding the following line of code in your .htaccess file:
Options All -Indexes