Hello there, this is my first tutorial. It will be about the security side of WordPress, and if you're interested, I will make more tutorials about other parts of WordPress.
Today our focus is security. As is well known, WordPress is open source and free to use, and it is the most used of the available CMSs (Content Management Systems), which makes it represent ~25% of the web.
Hosting platform side: The server where the website is hosted must be optimized and secured. Shared hosting plans are more often the less secure option; how secure they are depends on the provider's reputation in the market, which reflects its efforts in keeping its servers secure with a powerful infrastructure, by which I mean the software and hardware that strengthen security even for shared plans. Choose your shared hosting provider wisely, or go for a VPS.
Website application side: Talking about WordPress, its core is very secure. It may be a free application, but being open source and having that massive community helps it get better: the available updates, plugins, tips and solutions make it more secure in the end, while non-trusted and unsupported plugins and themes can harm your WordPress website by making it vulnerable.
Username: Having "admin" or "administrator" as the username for your WordPress website would be a serious problem, as it makes the site easier to target, while using a username that is hard to guess is your first step to harden your security. Apply this when installing WordPress, and in case it's already installed, no worries: log in to your dashboard, go to Users > All Users, create a new account with the role of Administrator and delete the old "admin/administrator" account. The username itself can be changed, but not from the WordPress dashboard; you'll need to do it manually by editing the first user's username in the database.
Note: Make sure to add a Nickname and select it under "Display name publicly as" instead of the Username.
Password: Having a guessable password for your WordPress dashboard is not a wise decision; make sure you use a strong password. Note: You can use a strong password generator, and you can also force strong passwords for all your WordPress users if you have activated the registration option.
A new version of WordPress doesn't only include additional features and bug fixes; it also addresses known security issues, so make sure not to skip updates, especially the minor ones (x.x.x).
According to the statistics, themes and plugins account for 51% of hacked WordPress websites, through security issues in themes and plugins (29% and 22% respectively). This means that every installed theme and plugin is a potential security risk if it is poorly coded or not kept up to date. For that reason, you should limit the number of active plugins on your WordPress site and get rid of the inactive plugins and everything you can do without; limiting the plugins you use will not only improve the security of your WordPress site but also make it load faster. As for the theme, don't keep more than two themes; if possible, keep one theme only, and preferably a premium one.
It's a good idea to scan new themes for malicious code if you're not 100 per cent sure that the code is clean. Luckily, there are a few great programs to help you out, and they're all free, no less. Theme Authenticity Checker (TAC)
Exploit Scanner searches the files on your site, as well as the posts and comments tables of your database, for anything suspicious. It also examines your list of active plugins for unusual filenames. This plugin is also easy to use – just install and activate it and go to Tools > Exploit Scanner to run a scan.
You might also want to look into the type of backup service your hosting provider has in place. Many offer daily backups, which can really save your skin (I’m speaking from experience).
A good way to avoid brute-force attacks is to limit the number of login attempts users are allowed before WordPress shuts them out. Plugins such as WP Limit Login Attempts track failed attempts by IP and block further ones if necessary.
To make these kinds of attacks even more difficult, you can add a two-step authentication process. That way users have to input additional credentials, for example a code that has been sent to their mobile phone. Here are two plugins for this: Duo Two-Factor Authentication and Clockwork SMS.
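As an added example, not from the original post or from either plugin: a small shell script that spots in a web server access log the brute-force pattern these plugins guard against. It assumes WordPress's default behaviour, where a failed login re-renders /wp-login.php with a 200 while a successful one redirects with a 302; the log lines are constructed.

```shell
#!/bin/sh
# Constructed sample in combined log format (not from a real server).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:30 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Print every IP whose failed wp-login.php POSTs (status 200: the login form came
# back with an error; a successful login answers 302) exceed the threshold in $1.
# Fields in combined format: $1 client IP, $6 "METHOD, $7 path, $9 status.
failed_login_ips() {
  awk -v t="$1" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { n[$1]++ }
    END { for (ip in n) if (n[ip] > t) print ip }
  ' | sort
}

# Stand-alone usage: list IPs with more than 3 failed attempts in the sample.
sample_log | failed_login_ips 3
```

The same function works on a real access log piped in place of sample_log; 198.51.100.4 is not reported because a couple of typos followed by a successful login is normal user behaviour.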
By default WordPress creates its database tables with the wp_ prefix, and like every well-known fact about WordPress, this could be helpful to attackers. You can change the prefix after the WordPress installation manually, by opening the wp-config.php file and scrolling down to: $table_prefix = 'wp_'; After changing the prefix in wp-config.php, the existing tables in the database must be renamed to match, using phpMyAdmin or a similar tool. A helpful plugin for this matter is iThemes Security.
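As an added example (not from the post and not iThemes Security's code): a shell function that writes the SQL for the rename step, given the old and new prefix and the table names from SHOW TABLES on stdin. It goes one step beyond the text: WordPress also stores the prefix inside row values (the wp_user_roles option and the wp_capabilities / wp_user_level user meta keys), and those must be updated too or every user loses their role. The table list at the end is constructed.

```shell
#!/bin/sh
# Emit the SQL to move a WordPress install from table prefix $1 to prefix $2.
# Table names come from stdin, one per line (paste the output of SHOW TABLES).
# Review the output before running it against the database, and back up first.
prefix_rename_sql() {
  old="$1"; new="$2"
  n=${#old}
  while IFS= read -r tbl; do
    case "$tbl" in
      "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$tbl" "$new" "${tbl#"$old"}" ;;
      *) ;;   # tables that do not carry the old prefix are left alone
    esac
  done
  # Rows whose *values* embed the prefix: the user_roles option and the
  # per-user meta keys (capabilities, user_level, dashboard settings, ...).
  # LEFT()/SUBSTRING() are used instead of LIKE so that '_' is not a wildcard.
  printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE LEFT(option_name, %d) = '%s';\n" \
    "$new" "$new" "$((n + 1))" "$n" "$old"
  printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE LEFT(meta_key, %d) = '%s';\n" \
    "$new" "$new" "$((n + 1))" "$n" "$old"
}

# Stand-alone usage with a constructed table list (not a real dump).
printf 'wp_options\nwp_users\nwp_usermeta\nbackup_copy\n' | prefix_rename_sql wp_ k7q2_
```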
By choosing correct file permissions on your server, you can avoid non-permitted uploads or changes to files. Permissions can be changed via an FTP client such as FileZilla. As for what they should be changed to:
755 or 750 for directories
644 or 640 for files
wp-config.php should be set to 440 or 400
More information can be found here: WordPress Codex - Changing File Permissions.
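As an added example, not from the post: a shell function that applies the scheme above (755 for directories, 644 for files, 440 for wp-config.php) to a WordPress root from the server's own shell, plus a check for anything still world-writable. It assumes GNU find and stat, as found on most Linux hosts.

```shell
#!/bin/sh
# Apply the permission scheme from the text to a WordPress install rooted at $1:
# 755 for directories, 644 for files, 440 for wp-config.php. Use the stricter
# 750/640/400 variants when the web server runs as the file owner or its group.
harden_wp_perms() {
  root="$1"
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  # wp-config.php holds the DB credentials and salts: no world access at all.
  if [ -f "$root/wp-config.php" ]; then
    chmod 440 "$root/wp-config.php"
  fi
}

# Octal mode of a path (GNU stat, assumed available on the host).
mode_of() { stat -c '%a' "$1"; }

# List anything under $1 still writable by "other": the condition the scheme
# exists to prevent, since such a file can be modified by any local account.
world_writable() { find "$1" -perm -o+w -print; }
```

Run harden_wp_perms on the site root, then world_writable on the same path; an empty result means every entry now matches the scheme.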
This is the end of this tutorial. I hope it provided you with helpful tips. If you have any questions, or anything you want me to cover next time about WordPress, please let me know in a comment. Thank you so much for your attention.