Simple steps in WordPress Security

May 25, 2015 | Tips and Tricks

If you are running on WordPress then you can follow those simple steps in assuring a better WordPress security of your website. There are many articles about this matter, many told you to use free or paid plugins, but I think you could take the matter in your own hands, and make little adjustments so your website will become more secure.

1. Redirect with .htaccess

The original .htaccess file looks like this:


# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

so, after


RewriteBase /

add a new rule


RewriteBase /
RewriteRule ^login$ wp-login.php

Now you can access the login page using these 2 urls (/login and /wp-login.php). So we need to hide the wp-login.php links in your blog.

2. Change the links from wp-logins.php to /login

In your functions.php (or someone plugin) add this filter


add_filter('site_url',  'wplogin_filter', 10, 3);
function wplogin_filter( $url, $path, $orig_scheme ) {
 $old  = array( "/(wp-login\.php)/");
 $new  = array( "login");
 return preg_replace( $old, $new, $url, 1);
}

Now, every time wordpress call site_url(“wp-login.php?action=xxx”); this function will redirect to /login.

3. Don’t use admin as your username

This should be the easy one to set up. Visit your profile page and choose something different then the admin to be your username.

4. Use strong password for the Administrator Role

Assuming that you have only one user with the Administrator role, try to use a strong password, in which to include, lower and uppercase letters, symbols like: !, @, #, $, %, ^, &, ), (, -, = and numeric characters.

5. Install a plugin that will prevent Force Brute Logins

There are many choosing options when it comes in choosing a Force Brute Plugin, and I think it’s only a matter of personal choice since basically all of them do the same thing. Prevent access to login page, if a non-valid login details have been entered more then X time, and it’s up to you which one you will choose to use.

468

2 Comments

  1. Terry Chadban
    Terry Chadban on February 27, 2016 at 3:27 am

    Hi,
    Would it be possible to change the login page name to something other than ‘login’ using this method? eg some security plugins like iThemes Security (which we use on all the sites we build) have an option to set the login page to a random set of letters like ‘fykx’, or something easy to remember but not easy to guess, like ‘login’ is.
    Terry

    Reply
    • Eduard
      Eduard on February 29, 2016 at 11:27 pm

      Yes of course you can change it to something else, depending on what option you choose (via .htacccess file) or adding the custom function in your theme’s functions, you can simply change “login” to whatever you want.

      Hope it helps,
      Kind Regards

      Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Share This