If you do everything we have said so far, you are in very good shape.
But as always, there is something else you can do to strengthen your WordPress security.
Some of these steps require editing configuration files or adding a few lines of code.
Of the top 10 million websites in the world, 35.1% run on WordPress. Roughly 43.2% of the web is built on a CMS (Content Management System), and WordPress holds a 60.1% share of that CMS market. So it is fair to say that WordPress powers about one third of the web.
In previous posts we compared security plugins. The aim of this series is to give the DIY WordPress user enough understanding of WordPress security to harden a site without hiring a WordPress security expert. Today we continue our 13 WordPress Security Strategies for DIY Users.
To do that I will explain what you need to understand about each risk and show you DIY ways to strengthen the security of your WordPress website from start to finish. Let's get started.
Table of Contents
- 1 How to change the default username
- 2 How to disable file editing
- 3 Protecting the Admin and Login pages with a password
- 4 Reduce the number of simultaneous logins
- 5 Automatically log out idle users with a WordPress plugin
- 6 Limit Login Attempts
- 7 Add Security Questions to WordPress Login Screen
How to change the default username
In the old days, the username of the default WordPress administrator was “admin”. Since the username is half of the credential pair, a known default hands an attacker half the work: all that is left to guess is the password.
Thankfully, WordPress has since changed this and now requires you to choose a custom username when installing WordPress.
However, some one-click WordPress installers still set the default administrator username to “admin”. If you find that yours does, it might be a good idea to change your web hosting.
Since WordPress does not let you change a username from the profile screen, there are three ways to change it.
- Create a new user with the new username and delete the old one, reassigning its content to the new user
- Use the Username Changer plugin
- Update the username from phpMyAdmin
We have covered all three in our detailed guide on how to properly change your WordPress username (step by step).
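As an added example that is not part of the original guide, here is the phpMyAdmin route done with WordPress' own API instead of a raw SQL update: a one-off PHP script run with WordPress loaded (for instance with WP-CLI's `wp eval-file`) that renames the account and also fixes the two public profile fields that would otherwise still reveal the old name. The file name, the new login and the display name are assumptions; use your own values.

```php
<?php
/**
 * rename-admin.php (hypothetical file name): rename the "admin" account once, then delete this file.
 * Run with WordPress loaded, e.g.  wp eval-file rename-admin.php
 */
$old_login    = 'admin';
$new_login    = 'k7-site-owner';   // assumed new login; avoid anything derived from the site name
$display_name = 'Site Editor';     // assumed; must NOT equal the login, because it is shown publicly

if ( ! validate_username( $new_login ) ) {
    exit( "Invalid username: {$new_login}\n" );
}
if ( username_exists( $new_login ) ) {
    exit( "Username already taken: {$new_login}\n" );
}
$user = get_user_by( 'login', $old_login );
if ( ! $user ) {
    exit( "No user with login '{$old_login}' found, nothing to do.\n" );
}

// user_nicename is the author slug (/author/<nicename>/, and the "slug" in the REST users endpoint)
// and display_name appears on every post. Both are readable without logging in, so neither may equal
// the login, old or new, or the rename gains nothing against username enumeration.
$result = wp_update_user( array(
    'ID'            => $user->ID,
    'user_nicename' => sanitize_title( $display_name ),   // "site-editor"
    'display_name'  => $display_name,
) );
if ( is_wp_error( $result ) ) {
    exit( 'Profile update failed: ' . $result->get_error_message() . "\n" );
}

// wp_update_user() silently ignores user_login, so that column is written directly.
global $wpdb;
$changed = $wpdb->update( $wpdb->users, array( 'user_login' => $new_login ), array( 'ID' => $user->ID ) );
if ( false === $changed ) {
    exit( "Database update failed: {$wpdb->last_error}\n" );
}
clean_user_cache( $user->ID );

// Every session the account currently has was opened under the old name; end them all.
WP_Session_Tokens::get_instance( $user->ID )->destroy_all();

echo "Renamed '{$old_login}' to '{$new_login}'. Log in again with the new username and the same password.\n";
```

The direct `$wpdb->update()` is unavoidable because `wp_update_user()` never writes `user_login`; everything else goes through the API so caches and the nicename uniqueness check are handled for you. Back up the database before running it, and delete the script afterwards.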
How to disable file editing
WordPress comes with a built-in code editor that lets you edit theme and plugin files from your WordPress admin area. In the wrong hands this feature is a security risk: anyone who gets into an administrator account can drop a PHP backdoor into a theme file without ever touching the server. That is why we recommend turning it off.
Disabling file editing takes one step. Open the wp-config.php file and add the following line above the “That's all, stop editing!” comment:
// Do not allow file editing
define('DISALLOW_FILE_EDIT', true);
With this constant set, the Theme File Editor and Plugin File Editor menu entries disappear and the underlying capabilities are refused. Alternatively, you can do this with a single click using the Hardening feature in the free Sucuri plugin mentioned above.
Protecting the Admin and Login pages with a password
Password-protecting the admin and login pages of your WordPress website at the web-server level adds a layer of protection in front of the site itself: an attacker must pass a second credential before ever reaching wp-login.php. There are plugins that offer similar functionality, or you can add a captcha to the login form, which only slows automated guessing. Either way you reduce the load that brute-force and request-flood attacks put on the login page.
Without such protection, attackers can request your wp-admin folder and login page as often as they like, which is exactly what brute-force and flood attacks rely on.
Password protection at the server level (for example HTTP basic authentication on the wp-admin directory) blocks those requests before WordPress even runs. One caveat: some themes and plugins call wp-admin/admin-ajax.php for logged-out visitors, so leave that file reachable or the front end may break.
Follow our step-by-step instructions on how to password protect your WordPress admin (wp-admin) directory.
Reduce the number of simultaneous logins
WordPress allows the same account to be logged in from several browsers and devices at the same time. That is another risk to consider: a stolen session cookie works alongside your own without you noticing. If you are the only person who uses an account, there is no reason to allow more than one active session, and WordPress gives you the means to enforce that.
There is a plugin called Block Double Logins that you can install on your WordPress website to accomplish this. After installing it, you can limit the number of concurrent sessions per account. If you are the only person who will use the WordPress website, there is no need to leave things as they are.
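As an added example (not the Block Double Logins plugin's own code), the same rule written as a small must-use plugin: whenever WordPress issues a new authentication cookie, every other session of that account is destroyed, so an account can never have more than one live session. It relies only on core's `WP_Session_Tokens` class and the `set_auth_cookie` action, whose sixth argument (the session token) exists since WordPress 4.9; the meta key used for the notice is an assumption.

```php
<?php
/*
Plugin Name: Single Session Per Account (example)
Description: Drop this file into wp-content/mu-plugins/ to allow one active session per user.
*/

// Fires inside wp_set_auth_cookie() after the new session has been created and stored.
add_action( 'set_auth_cookie', function ( $cookie, $expire, $expiration, int $user_id, string $scheme, string $token ) {
    $manager = WP_Session_Tokens::get_instance( $user_id );

    // get_all() already contains the session being issued, so everything else is "other".
    $others = count( $manager->get_all() ) - 1;

    // Keep only the session identified by $token; every other browser/device is logged out.
    $manager->destroy_others( $token );

    if ( $others > 0 ) {
        // Hypothetical meta key: remember how many sessions were kicked so the user can be told.
        update_user_meta( $user_id, '_example_kicked_sessions', $others );
    }
}, 10, 6 );

// Tell the user on their next admin page load that older sessions were closed.
add_action( 'admin_notices', function () {
    $user_id = get_current_user_id();
    $kicked  = (int) get_user_meta( $user_id, '_example_kicked_sessions', true );
    if ( $kicked > 0 ) {
        delete_user_meta( $user_id, '_example_kicked_sessions' );
        printf(
            '<div class="notice notice-warning"><p>%s</p></div>',
            esc_html( sprintf( '%d other session(s) of your account were signed out when you logged in.', $kicked ) )
        );
    }
} );
```

This variant lets the newest login win rather than refusing it. Refusing the new login while an old session exists sounds stricter, but a “Remember Me” session lives for 14 days, so losing the cookie on the old device would lock the legitimate owner out for that long; ending the old session instead also means a hijacked session is cut off the moment you log in yourself.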
Automatically log out idle users with a WordPress plugin
Idle users can pose a security risk. When an account stays logged in for a long time without any activity, the chances of session hijacking increase: an attacker who obtains the session cookie (from an unattended computer, a shared browser or a stolen laptop) controls the account without ever entering credentials. This is one of the reasons banks and other institutions automatically log out inactive users.
If you are the only user of your WordPress website, you may not think much about idle sessions. But your own account can be exploited that way too. Never assume that your website is too small to get the attention of hackers and bots.
In this tutorial, I will show you how to automatically log out idle users to improve your WordPress security. This is one of the many ways to keep your site safe.
Setting WordPress to Log Out Idle Users
Set the idle duration, add a logout message, and click the Save button to store your settings.
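As an added example, not the plugin's own code, here is what such a plugin does under the hood, written as a must-use plugin on top of core's session API: the time of the last request is stored inside the user's session record, and a request that arrives after the idle limit ends the session and sends the user back to the login page with a message. The 30-minute limit, the `idle` query parameter and the `last_activity` session key are assumptions of this example.

```php
<?php
/*
Plugin Name: Idle Session Logout (example)
Description: Drop into wp-content/mu-plugins/ to log out sessions idle for longer than IDLE_LIMIT.
*/

const IDLE_LIMIT          = 30 * MINUTE_IN_SECONDS; // assumed idle limit
const IDLE_TOUCH_INTERVAL = MINUTE_IN_SECONDS;      // write the timestamp at most once a minute

add_action( 'init', function () {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $token = wp_get_session_token();
    if ( '' === $token ) {
        return;
    }
    $manager = WP_Session_Tokens::get_instance( get_current_user_id() );
    $session = $manager->get( $token );
    if ( ! $session ) {
        return;
    }

    $now  = time();
    // Core records 'login' when the session is created; fall back to it before the first touch.
    $last = isset( $session['last_activity'] ) ? (int) $session['last_activity'] : (int) $session['login'];

    if ( $now - $last > IDLE_LIMIT ) {
        wp_logout();   // destroys this session server-side and clears the auth cookies
        wp_safe_redirect( add_query_arg( 'idle', '1', wp_login_url() ) );
        exit;
    }

    // The admin Heartbeat pings on its own every 15-60 seconds. Counting it as activity would
    // keep any open dashboard tab alive forever, so it is excluded.
    $is_heartbeat = wp_doing_ajax() && isset( $_POST['action'] ) && 'heartbeat' === $_POST['action'];

    if ( ! $is_heartbeat && $now - $last >= IDLE_TOUCH_INTERVAL ) {
        $session['last_activity'] = $now;
        $manager->update( $token, $session );   // persisted in the user's session_tokens meta
    }
} );

// Explain the forced logout on the login screen.
add_filter( 'login_message', function ( string $message ): string {
    if ( isset( $_GET['idle'] ) ) {
        $minutes  = IDLE_LIMIT / MINUTE_IN_SECONDS;
        $message .= '<p class="message">' . esc_html( "You were signed out after {$minutes} minutes of inactivity." ) . '</p>';
    }
    return $message;
} );
```

Storing the timestamp in the session record rather than in a cookie means the attacker cannot extend the idle window by editing client-side data, and each device's session is timed separately. The once-a-minute throttle keeps the meta write from hitting the database on every request.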
Limit Login Attempts
Attackers guess login credentials against WordPress sites around the clock. In fact, the WordPress login page is the most attacked page of a WordPress site.
Once an attacker gets in, they have full access to your administrator dashboard and control of your site. From there they can misuse it to advertise and sell illegal and fraudulent products, spam your visitors, steal your business information, and much more.
Fortunately, you can protect your login page by limiting the number of attempts a user gets to enter the correct credentials. In this guide, we will show you
How to set up Limit Login Attempts on a WordPress site
First, you need to install and activate the Login LockDown plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.
After activation, visit Settings » Login LockDown to configure the plugin.
For detailed instructions, see our guide on how to limit login attempts in WordPress and why.
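As an added example, not the Login LockDown plugin's own code, here is the mechanism such plugins implement, as a must-use plugin built on core hooks: failed logins are counted per client address and username in a transient, and once the count reaches the limit the `authenticate` filter refuses the login for the lockout period. The limits and the transient key prefix are assumptions.

```php
<?php
/*
Plugin Name: Login Attempt Throttle (example)
Description: Drop into wp-content/mu-plugins/ to lock out an IP/username pair after repeated failures.
*/

const LOGIN_MAX_FAILURES    = 5;                        // assumed
const LOGIN_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;   // assumed

function login_throttle_client_ip(): string {
    // Only REMOTE_ADDR is trusted. Behind a reverse proxy, have the proxy (or a line in
    // wp-config.php) set REMOTE_ADDR from its header; reading X-Forwarded-For here would
    // let the attacker choose which address gets locked out.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function login_throttle_key( string $username ): string {
    // Keyed on IP *and* username: one host cannot lock everyone out of a single account,
    // and one host cannot rotate through usernames with a fresh budget for each.
    return 'login_fail_' . md5( login_throttle_client_ip() . '|' . strtolower( trim( $username ) ) );
}

function login_throttle_failures( string $username ): int {
    return (int) get_transient( login_throttle_key( $username ) );
}

// Core fires this from wp_authenticate() whenever a non-empty username fails.
add_action( 'wp_login_failed', function ( string $username ) {
    $key   = login_throttle_key( $username );
    $count = (int) get_transient( $key ) + 1;
    // Each failure restarts the window, so attempts during a lockout extend it.
    set_transient( $key, $count, LOGIN_LOCKOUT_SECONDS );
} );

// Priority 30 runs after core's own username/password check at 20, so a locked pair is
// refused even when the password is right.
add_filter( 'authenticate', function ( $user, string $username ) {
    if ( '' === $username ) {
        return $user;
    }
    if ( login_throttle_failures( $username ) >= LOGIN_MAX_FAILURES ) {
        $minutes = LOGIN_LOCKOUT_SECONDS / MINUTE_IN_SECONDS;
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed login attempts. Please try again in %d minutes.', $minutes )
        );
    }
    return $user;
}, 30, 2 );

// A successful login clears the counter for that pair.
add_action( 'wp_login', function ( string $username ) {
    delete_transient( login_throttle_key( $username ) );
} );
```

Transients live in the options table (or the object cache when one is configured), so the counters survive across PHP processes. Because the `authenticate` filter also runs for XML-RPC logins, the lockout covers that route too; a distributed attack that spreads guesses over many addresses will still get LOGIN_MAX_FAILURES attempts per address, which is why this belongs alongside strong passwords rather than instead of them.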
Add Security Questions to WordPress Login Screen
By adding security questions to the WordPress registration page, users are asked to choose a security question and an answer when they sign up. Afterwards the user must answer that question at login, as set during registration. If the answer is wrong, the login is refused.
Like the password, the security answer is something the attacker must know, so it adds a second check to the login. If you run a multi-author site, you may want to add security questions to the WordPress login screen.
A username and password can leak or be guessed, and an extra answer that the attacker must also supply raises the bar. Keep in mind, though, that answers to common questions (mother's maiden name, first school) are often discoverable or guessable, so this is a weaker second factor than a one-time code, not an unbreakable one. Used well, it still keeps out most opportunistic hackers and spammers.
First, you need to install and activate WP Security Questions from the WordPress plugin directory. The plugin adds the security question option to the WordPress registration, login and forgot-password forms.
- You can add an unlimited number of security questions.
- You can show or hide the security question on the registration page, the login page and the forgot-password page.
- Users can set their security answer from their profile page.
Adding a security question to your WordPress login screen makes it harder for anyone to gain unauthorized access.
After activation, visit Settings » Security Questions to configure the plugin.
For detailed instructions, see our tutorial on how to add security questions to the WordPress login screen.
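As an added example, not the WP Security Questions plugin's own code, here is the core of such a feature as a must-use plugin with a single fixed question: the answer is stored as a salted hash in user meta (the same way WordPress stores passwords), asked for on the login form, and verified after the password check. The question text, the meta key and the form field name are assumptions.

```php
<?php
/*
Plugin Name: Login Security Answer (example)
Description: Drop into wp-content/mu-plugins/ to require a security answer at login once a user has set one.
*/

const SQ_META_KEY = '_example_security_answer_hash';      // assumed meta key
const SQ_PROMPT   = 'What was the name of your first school?'; // assumed fixed question

// Case, surrounding whitespace and doubled spaces should not make a correct answer fail.
function sq_normalize( string $answer ): string {
    return strtolower( trim( preg_replace( '/\s+/', ' ', $answer ) ) );
}

function sq_store_answer( int $user_id, string $answer ): void {
    // Never store the answer itself; an answer is a secret like a password.
    update_user_meta( $user_id, SQ_META_KEY, wp_hash_password( sq_normalize( $answer ) ) );
}

function sq_check_answer( int $user_id, string $answer ): bool {
    $hash = (string) get_user_meta( $user_id, SQ_META_KEY, true );
    return '' !== $hash && wp_check_password( sq_normalize( $answer ), $hash );
}

// Extra field on wp-login.php; the 'login_form' action fires inside the <form>.
add_action( 'login_form', function () {
    echo '<p><label for="security_answer">' . esc_html( SQ_PROMPT ) . '<br>'
       . '<input type="password" name="security_answer" id="security_answer" class="input" size="20" autocomplete="off"></label></p>';
} );

// Let users set or change their answer on their own profile page.
add_action( 'show_user_profile', function ( WP_User $user ) {
    echo '<h2>Security question</h2><table class="form-table"><tr>'
       . '<th><label for="security_answer">' . esc_html( SQ_PROMPT ) . '</label></th>'
       . '<td><input type="password" name="security_answer" id="security_answer" class="regular-text" autocomplete="off">'
       . '<p class="description">Leave empty to keep your current answer.</p></td></tr></table>';
} );
add_action( 'personal_options_update', function ( int $user_id ) {
    if ( ! empty( $_POST['security_answer'] ) ) {
        sq_store_answer( $user_id, wp_unslash( $_POST['security_answer'] ) );
    }
} );

// Priority 30 runs after core's password check at 20, so only a user whose password was
// already correct reaches this point.
add_filter( 'authenticate', function ( $user ) {
    if ( ! ( $user instanceof WP_User ) ) {
        return $user;
    }
    // Not enrolled yet: do not lock the user out before they have set an answer.
    if ( '' === (string) get_user_meta( $user->ID, SQ_META_KEY, true ) ) {
        return $user;
    }
    $answer = isset( $_POST['security_answer'] ) ? (string) wp_unslash( $_POST['security_answer'] ) : '';
    if ( ! sq_check_answer( $user->ID, $answer ) ) {
        // Deliberately generic: saying "wrong answer" would confirm to the attacker that the
        // password they just tried was correct.
        return new WP_Error( 'invalid_login', 'Invalid username, password or security answer.' );
    }
    return $user;
}, 30, 1 );
```

Because the check hangs off the `authenticate` filter, it applies to every login path that goes through it, including XML-RPC, which has no way to submit the extra field; for an enrolled user that path is therefore refused, which is usually what you want. Combine it with the login throttling above, since the answer is guessable in a way a random password is not.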