8 Secrets to Lock Down Your WordPress Security


It’s no secret WordPress remains the top, most popular CMS. WordPress secures 60% of the worldwide market share, followed by a myriad of smaller content management systems like Joomla in 2nd place at 7% and Drupal in 3rd at 5% (source: OpenSourceCMS). Unsurprisingly, WordPress’s popularity also makes it a big target for website hackers. Use these 8 secrets to lock down your WordPress security against website attacks like brute force, SQL injections, XSS, and more.


Quick Links:

Common WordPress Attacks Defined

Why Would Hackers Want to Attack a Small Website?

It’s No Secret: The 3 Basic WordPress Security Tips

  1. Change the Default admin Username and Hide the New One
  2. Add reCAPTCHA to the WordPress Login Form
  3. Lock-out Users with Multiple Failed Login Attempts
  4. Rename the WordPress Login Page
  5. Hide the WordPress Version
  6. Block Access to wp-config.php
  7. Enable the “Under Attack” Mode on Cloudflare
  8. Rename the Default wp_ WordPress Database Prefix

Common WordPress Attacks Defined

Brute Force

Brute force describes a hacker’s attempt to gain access to your website through a sheer multitude of login guesses until they find the one that gets them in. Rarely do brute-force attackers do this manually. Instead, they use computers to test many password combinations at a rapid pace to get in quickly.

SQL Injections

A SQL injection describes a hacker’s attempt to plant malicious SQL commands in the queries your website runs, typically through unsanitized form fields or URL parameters. It specifically targets the WordPress database, where you store your most sensitive information such as user data, login info, and more.

XSS (Cross-Site Scripting)

Cross-site scripting (XSS) describes a hacker’s attempt to plant malicious script into your website from the front-end, the pages users see and interact with in their web browser, so that the script runs in other visitors’ browsers. This also includes the information users enter to log in to your website. As a result, hackers can use XSS to gain unauthorized access to your website.

Here’s a WordPress attack you may not have heard of yet: dark SEO.

Dark SEO (Black Hat SEO)

Similar to the infamous Chinese brushing scams used to bolster user shopping reviews of businesses, dark SEO hackers use innocent websites to host spammy backlinks. At first glance, this kind of black hat SEO quickly boosts rankings and traffic, but it quickly turns for the worse. Google, Baidu, Bing, and other search engines then penalize the victim’s website for unsafe and/or spammy content. Ultimately, the website’s SEO, traffic, and rankings plummet.

Black hat SEO steals the money of businesses who unknowingly purchase black hat SEO services. Hackers can also use black hat SEO to ruin competitors’ websites and rankings.

Why Would Hackers Want to Attack a Small Website?

Many WordPress websites are small. Even websites without e-commerce are potential victims of WordPress attacks. As a result, many WordPress website owners wonder why an attacker would target their website.

There are several reasons a small website is still attractive to hackers, as small websites can still:

  • Store sensitive user information that can sell well on the black market
  • Host malicious code, such as viruses, that can be used to steal visitors’ private info
  • Host malicious files, such as spam and illegitimate advertising
  • Provide spammy backlinks

Furthermore, the webmasters of small websites are less likely to check in often enough to notice an attack, kick the hackers out, and stop it.

Even webmasters who do check in often have limited knowledge and tools to address an attack. (The first step, in case you don’t know, is to contact your web host immediately after a successful attack. Your web host can enact security measures to stop the attack and help you regain access to your website.)

It’s No Secret: The 3 Basic WordPress Security Tips

Update, Update, Update!

Developers constantly release updates not only to provide additional features or improve existing ones, but also to combat the latest hacking attempts on your website. Update WordPress core, the PHP version, and plugins regularly to close WordPress security loopholes.

Install an SSL Certificate

Secure your website’s communications between its servers and its visitors with an SSL certificate. Learn about what all those SSL features mean and follow the tutorial to install your SSL certificate at “How to Secure Your WordPress Website with SSL.”


Backup Regularly and Store the Backups Safely Offsite

Even if your website isn’t hacked, you need backups to restore your website to health in the event an update causes catastrophic problems. Backups are also useful for any future website migrations. Find and install a backup plugin like UpdraftPlus and configure it to both automatically run routinely and to store the backups off-site, such as on Updraft Vault, Dropbox, or Google Drive.

The Big 8 Tricks to Increase WordPress Security

Change the Default admin Username and Hide the New One

By default, WordPress calls the super admin/webmaster user “admin.” This is dangerous to leave as-is, because hackers then already know half of your website login credentials. Change it. Then go one step further and hide the new username from appearing anywhere, such as your Author page.

Protects against: Brute Force

  1. Log into your web host’s cPanel
  2. Open File Manager
  3. Find wp-config.php in the root directory
  4. Take note of the WordPress database name, somewhere around line 3 in the code
  5. Return to cPanel
  6. Open phpMyAdmin
  7. Expand the WordPress database for your website
  8. Open the wp_users table
  9. Find the admin username in the list
  10. Change the following fields’ values:
    • user_login (required: the actual, formal username used to log in)
    • user_nicename (how the name displays in the author archive URL; no spaces)
    • display_name (how the name displays on the front end; spaces OK)
  11. Save changes

Most of the time, the user_nicename and display_name are the same.

Additionally, security plugins like WordFence also close a loophole in the WordPress core API that exposes usernames when a user inputs certain URL queries (source: Kingscel).

Add reCAPTCHA to the WordPress Login Form

Google’s reCAPTCHA is great, because it’s a bot deterrent. Computers and bots have a difficult time completing the reCAPTCHA challenges. For example, a bot can’t click the “I am not a robot” checkbox. Adding reCAPTCHA to the WordPress login form (and any forms on your website like contact or comment forms) stops bots from interacting with your website.

Protects against: Brute Force

  1. Find and install a WordPress plugin with reCAPTCHA capabilities, such as WordFence or Advanced noCAPTCHA & reCAPTCHA (v2 & V3)
  2. In another browser tab, go to Google reCAPTCHA in the Admin Console
  3. Complete the form to obtain a Site Key and a Secret Key for your website
  4. Return to the reCAPTCHA plugin tab
  5. Copy-paste the Site Key and Secret Key into the plugin fields
  6. Save changes

Lock-out Users with Multiple Failed Login Attempts

Keep hackers from guessing your logins. Lock them out after repeated login failures. Better yet, configure immediate, automatic lock-outs if the user tries to input the default “admin” username that you changed earlier.

Also, don’t forget to whitelist yourself!

I recently witnessed Loginizer in action, staving off attackers and implementing some serious lock-outs… from the other side. Without whitelisting myself, I was locked out of my own website, alongside my attackers. Whitelist yourself to retain access even in a lockdown.

Protects against: Brute Force

  1. Find and install a WordPress login security plugin like Loginizer
  2. Set a number for the max retries before a lockout and the number of lockouts before an extended lockout
  3. Find and copy your current IP address, from the Loginizer dashboard, for instance
  4. Return to the settings and paste your IP address into a field like “Whitelist IP”
  5. Be sure to enter any other IP addresses, such as your home vs. office IP addresses
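Before turning a lockout plugin on, it helps to see what the three settings above (max retries in a window, an immediate lockout on the retired “admin” username, and a whitelist that exempts your own addresses) would do to real traffic. The script below is an added example, not code from the original post or from Loginizer; the log format and the IP addresses are constructed for the example, and the rule that a successful login clears an IP’s failure counter is my assumption. Run it without the whitelist and the site owner’s own address gets locked out exactly as described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not any real plugin's log format:
# <UTC timestamp> <client IP> <FAILED|SUCCESS> <username tried>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 FAILED editor
2024-05-01T10:00:04Z 203.0.113.7 FAILED editor
2024-05-01T10:00:09Z 203.0.113.7 FAILED editor
2024-05-01T10:00:15Z 198.51.100.23 FAILED admin
2024-05-01T10:01:00Z 192.0.2.10 FAILED myrealuser
2024-05-01T10:01:05Z 192.0.2.10 FAILED myrealuser
2024-05-01T10:01:11Z 192.0.2.10 FAILED myrealuser
2024-05-01T10:01:20Z 192.0.2.10 SUCCESS myrealuser
2024-05-01T11:30:00Z 203.0.113.7 FAILED editor
"""

# 192.0.2.10 plays the site owner's own address (constructed): the one to whitelist.
MY_IPS = frozenset({"192.0.2.10"})


def parse_line(line):
    ts, ip, result, user = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, result, user


def lockout_decisions(log_text, max_retries=3, window=timedelta(minutes=15),
                      trap_usernames=frozenset({"admin"}), whitelist=frozenset()):
    """Return {ip: reason} for every IP the policy would lock out.

    Rules, mirroring the plugin settings in the steps above:
      * max_retries failed logins inside `window`      -> lockout
      * any attempt with a username in trap_usernames -> immediate lockout
      * IPs in whitelist are never locked out
    A successful login clears that IP's failure counter (assumption, not from the post).
    """
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    locked = {}
    for line in log_text.strip().splitlines():
        ts, ip, result, user = parse_line(line)
        if ip in whitelist or ip in locked:
            continue
        if result == "SUCCESS":
            failures[ip].clear()
            continue
        if user in trap_usernames:
            locked[ip] = f"immediate lockout: tried username {user!r}"
            continue
        # keep only failures still inside the sliding window, then add this one
        recent = [t for t in failures[ip] if ts - t <= window] + [ts]
        failures[ip] = recent
        if len(recent) >= max_retries:
            locked[ip] = f"{len(recent)} failed logins within {window}"
    return locked


if __name__ == "__main__":
    print("with whitelist:   ", lockout_decisions(SAMPLE_LOG, whitelist=MY_IPS))
    print("without whitelist:", lockout_decisions(SAMPLE_LOG))
```

With the whitelist, only the two attacking addresses are locked; without it, 192.0.2.10 is locked after its third typo, and the later successful login never gets a chance to clear the counter.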

Rename the WordPress Login Page

Hackers look for the default WordPress login page at example.com/wp-admin/. Thwart their efforts, and block access to the login form, by redirecting visitors to a new login URL. This can be tricky to execute manually, so consider a plugin.

Protects against: Brute Force

  1. Find and install a WordPress login security plugin like WPS Hide Login or Rename wp-login.php
  2. Enter a new login URL
  3. Save changes in WPS Hide Login or whatever plugin
  4. Go to your page caching plugin
  5. Add the new login URL to the list of pages to exclude from page caching
  6. Save changes to the page caching plugin

For an even more difficult obstacle to hackers, try using .htaccess and .htpasswd to hide the WordPress login with Pagely’s tutorial.

Hide the WordPress Version

By knowing which version of WordPress your website is using, hackers can exploit known loopholes. Keep them guessing by hiding your WordPress version.

Protects against: SQL Injection, XSS

  1. Go to the WordPress Dashboard > Appearance > Theme Editor > functions.php (edit a child theme or a site-specific plugin, or the next theme update will overwrite the change)
  2. Add this code snippet and save:
    // Stop WordPress printing <meta name="generator" content="WordPress x.y.z"> in the page head
    remove_action('wp_head', 'wp_generator');
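The snippet above removes only the generator meta tag. WordPress also appends ?ver=&lt;WordPress version&gt; to scripts and styles that are enqueued without a version of their own, and prints the version in the RSS feed’s generator element, so it is worth checking what hiding actually achieved. The following script is an added example, not code from the original post: it scans a saved copy of a page’s HTML for both in-page leaks. The sample HTML is constructed to show the page head before and after the remove_action call.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample page head (not captured from a real site).
SAMPLE_HEAD = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css?ver=6.4.2" />
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="https://example.com/wp-content/themes/demo/app.js"></script>
</head><body></body></html>"""

# The same head after remove_action('wp_head', 'wp_generator'): the meta tag is
# gone, but the ?ver= value on the core stylesheet still reveals the version.
SAMPLE_HEAD_NO_META = SAMPLE_HEAD.replace(
    '<meta name="generator" content="WordPress 6.4.2" />\n', "")

WP_VERSION_RE = re.compile(r"WordPress\s+(\d+\.\d+(?:\.\d+)?)")


class VersionLeakScanner(HTMLParser):
    """Collects every place in an HTML document where a version string can leak."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, detail)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.findings.append(("generator-meta", a.get("content", "")))
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if url:
            parsed = urlparse(url)
            ver = parse_qs(parsed.query).get("ver")
            if ver:
                self.findings.append(("asset-ver", f"{parsed.path} ver={ver[0]}"))


def find_version_leaks(html):
    """Return [(kind, detail), ...] for generator tags and ?ver= asset URLs."""
    scanner = VersionLeakScanner()
    scanner.feed(html)
    return scanner.findings


def leaked_wp_version(html):
    """Return the WordPress version if a generator tag exposes it, else None."""
    for kind, detail in find_version_leaks(html):
        if kind == "generator-meta":
            m = WP_VERSION_RE.search(detail)
            if m:
                return m.group(1)
    return None


if __name__ == "__main__":
    for label, doc in (("before", SAMPLE_HEAD), ("after remove_action", SAMPLE_HEAD_NO_META)):
        print(f"--- {label}: generator tag says {leaked_wp_version(doc)}")
        for kind, detail in find_version_leaks(doc):
            print(f"  {kind}: {detail}")
```

Not every ?ver= is the WordPress version (jQuery carries its own), so read the asset list with that in mind; the ones under /wp-includes/ that match the generator value before you hid it are the tell.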

Block Access to wp-config.php

The wp-config.php file contains extremely sensitive WordPress information, such as the database name, username, and password, and even the actual secret keys and salts WordPress relies on. Despite the sensitive nature of wp-config.php, WordPress installs with it in the public web root, and anyone can type the URL and request your wp-config.php directly. Shut down access immediately with a quick addition to your .htaccess file. (These directives are for Apache; nginx ignores .htaccess and needs an equivalent location rule in its own configuration.)

Protects against: Brute Force, SQL Injection, XSS

  1. Log into your web host’s cPanel
  2. Go to File Manager
  3. Open .htaccess in the root directory
  4. Add the following code snippet at the bottom and save (the first block is the Apache 2.4 syntax, the second keeps older Apache 2.2 hosts covered):
    # protect wp-config.php
    <Files wp-config.php>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </Files>
  5. Save changes to .htaccess
  6. Open wp-config.php
  7. In a new tab, visit the WordPress secret key generator API (https://api.wordpress.org/secret-key/1.1/salt/) to automatically generate a new set of random keys (changing the keys signs every user out, including you)
  8. Copy-paste the new keys over the old keys into wp-config.php
  9. Save changes to wp-config.php

Enable the “Under Attack” Mode on Cloudflare

If you’ve taken advantage of setting up a free account with the popular CDN Cloudflare, consider switching on the “Under Attack” mode when you suspect a distributed denial of service (DDoS) attack.

“Under Attack” shows visitors a JavaScript challenge when entering the website: a brief delay up to 5 seconds testing for suspicious traffic. Then if suspicious activity is detected, Cloudflare displays a Captcha challenge that bots will fail.

However, as Cloudflare’s documentation says, this mode is best used only while a DDoS attack is actually under way. It’s not effective against other kinds of attacks, but it can nevertheless result in an SEO penalty because search engine crawlers get blocked and page load times grow.

Protects against: Distributed Denial of Service (DDoS)

  1. Login to Cloudflare.
  2. Select your site.
  3. Under Quick Actions, toggle on the “Under Attack Mode.”

Rename the Default wp_ WordPress Database Prefix

For advanced security, consider completely switching up the default “wp_” prefix WordPress assigns to its database tables. Cloudways has a great in-depth tutorial on this, which I’ve summed up here.

Protects against: SQL Injection, XSS, Directory Traversal

  1. Backup your website and databases with a plugin like UpdraftPlus
  2. Log into your web host’s cPanel
  3. Open File Manager
  4. Open wp-config.php in the root directory
  5. Find this line of code:
    $table_prefix = 'wp_';
    and replace wp_ with a new prefix of your choice, for example ex_
    (It must be web-friendly: only letters, numbers, and underscores are allowed; no spaces, hyphens, or special characters.)
  6. Save changes to wp-config.php
  7. Return to cPanel
  8. Open MySQL Manager
  9. Run the SQL Command and enter the following rename commands to update the WordPress database tables (table names are identifiers, so MySQL needs backticks around them, not single quotes):
    RENAME TABLE `wp_commentmeta` TO `ex_commentmeta`;
    RENAME TABLE `wp_comments` TO `ex_comments`;
    RENAME TABLE `wp_links` TO `ex_links`;
    RENAME TABLE `wp_options` TO `ex_options`;
    RENAME TABLE `wp_postmeta` TO `ex_postmeta`;
    RENAME TABLE `wp_posts` TO `ex_posts`;
    RENAME TABLE `wp_termmeta` TO `ex_termmeta`;
    RENAME TABLE `wp_terms` TO `ex_terms`;
    RENAME TABLE `wp_term_relationships` TO `ex_term_relationships`;
    RENAME TABLE `wp_term_taxonomy` TO `ex_term_taxonomy`;
    RENAME TABLE `wp_usermeta` TO `ex_usermeta`;
    RENAME TABLE `wp_users` TO `ex_users`;
  10. Double-check that every WordPress table gets a rename command (plugins add their own tables under the same prefix); add as necessary.
  11. Two tables also store values that embed the prefix (for example the option wp_user_roles and the user meta key wp_capabilities; an admin whose keys are left behind can no longer log in). Run these additional update/replace commands to fix them. In LIKE, an unescaped “_” is a single-character wildcard, so it is escaped here to match only a literal underscore:
    UPDATE `ex_options` SET `option_name` = REPLACE(`option_name`, 'wp_', 'ex_') WHERE `option_name` LIKE '%wp\_%';
    UPDATE `ex_usermeta` SET `meta_key` = REPLACE(`meta_key`, 'wp_', 'ex_') WHERE `meta_key` LIKE '%wp\_%';
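Generating these statements instead of typing them avoids a missed table and makes the two pitfalls explicit: MySQL identifiers take backticks, and “_” is a wildcard in LIKE unless escaped. The generator below is an added example, not code from the original post or from the Cloudways tutorial it summarizes. It validates the new prefix the way wp-config.php expects, emits the RENAME TABLE statements for the core tables listed above, and rewrites only option and meta keys that begin with the old prefix (the REPLACE form above replaces every occurrence anywhere in the key). It assumes a single-site install; multisite and plugin tables would have to be added to the table list.

```python
import re

# Core tables of a single-site WordPress install (the ones renamed in the steps above).
CORE_TABLES = (
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "termmeta", "terms", "term_relationships", "term_taxonomy", "usermeta", "users",
)

# wp-config.php accepts only letters, digits and underscores in $table_prefix.
PREFIX_RE = re.compile(r"[A-Za-z0-9_]+")


def validate_prefix(prefix):
    """Reject prefixes that wp-config.php (or a MySQL identifier) would not accept."""
    if not PREFIX_RE.fullmatch(prefix):
        raise ValueError(f"prefix {prefix!r} may contain only letters, digits and underscores")
    return prefix


def escape_like(literal):
    """Escape \\, % and _ so LIKE matches the value literally (MySQL's default escape char is \\)."""
    return literal.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def rename_statements(old, new, tables=CORE_TABLES):
    """One RENAME TABLE per core table, old prefix -> new prefix."""
    validate_prefix(old)
    validate_prefix(new)
    return [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]


def key_fixup_statements(old, new):
    """Rewrite option names and user meta keys that START with the old prefix.

    CONCAT/SUBSTRING swaps only the leading prefix, so a key such as
    wp_user_roles becomes ex_user_roles while any 'wp_' later in a key is untouched.
    """
    validate_prefix(old)
    validate_prefix(new)
    pattern = escape_like(old) + "%"   # literal prefix, then anything
    start = len(old) + 1               # SUBSTRING positions are 1-based
    stmts = []
    for table, column in (("options", "option_name"), ("usermeta", "meta_key")):
        stmts.append(
            f"UPDATE `{new}{table}` SET `{column}` = CONCAT('{new}', SUBSTRING(`{column}`, {start})) "
            f"WHERE `{column}` LIKE '{pattern}';"
        )
    return stmts


def migration_sql(old, new):
    """Full statement list: renames first, then the key fix-ups on the renamed tables."""
    return rename_statements(old, new) + key_fixup_statements(old, new)


if __name__ == "__main__":
    print("\n".join(migration_sql("wp_", "ex_")))
```

Run it with your real old and new prefixes, review the output, and paste it into the SQL console only after the backup from step 1 exists; the validation step is what stops a prefix like ex- from producing statements MySQL would reject halfway through.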