Secure the login page and prevent brute-force attacks
i. Set up website login lockdown and ban suspected users
The login lockdown records the IP address and timestamp of every login attempt made on the website. Whenever there is a hacking attempt with repeated wrong passwords, the login function is automatically disabled for all requests from that IP range. This information is immediately passed on to the website admin by email for further action.
ii. Use complex passwords
It’s true that remembering a complex password is a trouble for most users, but make it a practice to use a complex password for your website backend and change it regularly to boost your security. A password of at least 16 characters containing at least one number, one upper-case letter, one lower-case letter and special characters is ideal to fortify your WordPress site.
iii. Rename your login URL
You can use ‘Rename wp-login.php’, a very light plugin that lets you easily and safely change wp-login.php to anything you want. Leaving the backend URL at its default makes it easy for attackers to find the location of your login page. The easiest way to hide your login page is to rename the URL.
iv. Enable honeypot login method
A honeypot involves adding an extra field to the form that is hidden from human visitors but readable by bots. A bot fills out the invisible field and submits the form, allowing you to easily reject its spammy submission or blacklist its IP. This system can easily determine whether a request is a normal login or an attack on your website.
v. Change the admin username
The default WordPress admin username, such as ‘admin’, makes your WordPress site vulnerable to hackers. What most website owners fail to realize is that protecting the username is as important as, or more important than, protecting the password of your website.
vi. Enable CAPTCHA option in the login page
Login CAPTCHA is one feature that security plugins use as a “brute force” prevention technique. It helps protect you from spam and automated password guessing by asking you to complete a simple test that proves you are human and not a program trying to break into a password-protected account.
Disable the XML-RPC feature
XML-RPC is an XML-based protocol used to perform actions on a remote server. The XML-RPC protocol has been enabled by default in WordPress since version 3.5, and WordPress no longer offers an option to turn it off from within the user interface. An attacker can abuse procedure calls such as “system.multicall”, which packs many login guesses into a single request and so sidesteps per-request lockouts, as a step towards defacing or breaching the website. So it is better not to leave this feature enabled unless you communicate with a mobile or web application that needs it.
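The login lockdown described in item i and the XML-RPC concern above can both be watched for from web-server access logs. The following is an added example (not code from the original article or from any of the plugins it names): it records the IP and timestamp of each login POST, treats an HTTP 200 reply from wp-login.php as a failed attempt (WordPress redirects with 302 on success) and any POST to xmlrpc.php as suspect, and reports the IPs that cross a threshold inside a sliding window. The thresholds, file paths and log lines are constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT), method, path.split("?")[0], int(status)

def is_suspicious(method, path, status):
    """Failed form login re-renders wp-login.php with 200 (success redirects with 302);
    any POST to xmlrpc.php counts too, since system.multicall packs many guesses into one request."""
    if method != "POST":
        return False
    return (path.endswith("/wp-login.php") and status == 200) or path.endswith("/xmlrpc.php")

def lockdown_candidates(lines, threshold=5, window_seconds=300):
    """Record IP + timestamp of each suspicious request; return {ip: time the threshold
    was crossed} for IPs with >= threshold suspicious requests inside a sliding window."""
    recent, locked = defaultdict(deque), {}
    records = sorted((r for r in map(parse, lines) if r), key=lambda r: r[1])
    for ip, ts, method, path, status in records:
        if not is_suspicious(method, path, status):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= threshold and ip not in locked:
            locked[ip] = ts  # the moment to disable login for this IP and e-mail the admin
    return locked

# Constructed sample log: 203.0.113.7 hammers the login form (six failures in a minute,
# then an XML-RPC post); 198.51.100.9 is a real user who fails once and then succeeds.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2024:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "curl/8.4"'
    for s in range(0, 60, 10)
] + [
    '198.51.100.9 - - [10/Mar/2024:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:10:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 890 "-" "curl/8.4"',
]
if __name__ == "__main__":
    for ip, when in lockdown_candidates(SAMPLE_LOG).items():
        print(f"lock out {ip} from {when.isoformat()}")
```

The legitimate user's single failure never reaches the threshold, while the scripted client is flagged at its fifth failure; a plugin such as the ones listed at the end of the article applies the same logic inside WordPress instead of from the logs.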
Remove the readme.html file
Every time WordPress is installed or updated, a file called readme.html is included. This file can disclose very useful initial information to an attacker during exploitation: from this HTML file an attacker can learn the WordPress version and therefore whether the core files contain known vulnerabilities. Remove this file and be more secure by hiding the CMS version.
Secure the Database
During WordPress installation use a strong password and username, together with a non-default alphanumeric table prefix. This helps secure the database from external attacks.
Update WordPress and third-party plugins regularly
WordPress is the most popular blogging platform in the world. Millions of websites, including many popular blogs, use WordPress as a content publishing platform, so hackers also pay more attention to hacking WordPress-based websites. If we promptly apply the updates released for WordPress core and third-party plugins, we can avoid attacks to a large extent. Here are some plugins that can be used for hardening your WordPress website security: All In One WP Security & Firewall, Sucuri, Wordfence Security, iThemes Security.