View Full Version : How can I secure my Wordpress

AP admin
07-30-2010, 08:35 PM
Here are some of the security measures for your WordPress Admin Area. It is not necessary to follow all of these tips, but you should still have a few of these implemented on your site in order to be sure. The more steps you take, the harder it will become for the hackers.

1. Create Custom Login Links
It is very obvious that in order to access the WordPress admin panel, all one has to do is type in the URL of the site with /wp-login.php. Now if you used the same password in more than one location, and it was exposed publicly, then it is easy for the hacker to hack your site. A plugin called Stealth Login allows you to create custom URLs for logging in, logging out, administration and registering for your WordPress blog. You can also enable “Stealth Mode” which will prevent users from being able to access ‘wp-login.php’ directly. You can then set your login URL to something more cryptic and harder to guess. This won’t secure your website perfectly, but if someone does manage to crack your password, it can make it difficult for them to find where to actually log in. This also prevents any bots that are used for malicious intents from accessing your wp-login.php file and attempting to break in.
2. Pick a Strong Password
Do not use the same password in other places. Try to make each password different and hard to guess. Use the WordPress Password Strength Detector to your advantage and make your password strong. Another thing you need to do is to change your password periodically, so even if someone has guessed your password, it is useless for them once you have changed it.
3. Limit Login Attempts
Sometimes the hacker might think they know your password, or they might develop a script to guess your password. In such a case what you need to do is limit the login attempts by using a plugin called Login Lockdown, which will lock a user out if they enter the wrong password more than the specified number of times. They will be locked out for a specified time. You can control the settings via your wp-admin panel.
4. Use Secure SSL Login Pages
You can log in to the WordPress Admin Panel through an encrypted channel with SSL, i.e. your session URLs will start with https://. You must confirm with your web host that you have Shared SSL, or that you own an SSL certificate. Once you have confirmed, paste the following code in your wp-config.php file:
define('FORCE_SSL_ADMIN', true);
There is also a plugin called Admin SSL that will force SSL on all pages. It is easier if you run this plugin, but it is only compatible with version 2.7 and above.
5. Limit Access via IP Address
You can also allow only certain IP addresses to access it. All you need to do is create a .htaccess file in the /wp-admin/ folder and paste the following code:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic

# Apache 2.2 syntax; Apache 2.4 without mod_access_compat uses "Require ip xx.xx.xx.xxx" instead
order deny,allow
deny from all
# whitelist Work IP address
allow from xx.xx.xx.xxx

Replace xx.xx.xx.xxx with the IP address you want to allow to access it. Change the IP address and it will work.
6. Never use “admin” Username
This is the first user that is created when WordPress is installed. You should never use or keep this user. You should create another user using your WordPress admin panel, and assign the administrator role to it. Try to make this username something that is not obvious, so it is harder for the hacker to guess. Then delete the admin user altogether to stay on the safe side.

7. Remove Error Message on the Login Page
When you enter a wrong password or an invalid username, you get an error message on the login page. So if a hacker gets one thing right, the error message will help them identify that. Therefore it is recommended that you remove that error message entirely. For this you just need to open your functions.php located in your theme folder and paste the following code:
add_filter('login_errors', function ($message) { return null; }); // a closure instead of create_function(), which PHP 8 removed
8. WordPress AntiVirus Protection
AntiVirus for WordPress is a smart and effective solution to protect your blog against exploits and spam injections. Special features of this plugin are manual testing with an immediate result listing the infected files, and a daily automatic check with email notification.
9. Stay Updated with the Latest WordPress Version
Last but not least is to keep your WordPress version updated with the latest one, because after each version is released, WordPress also releases the bugs and exploits of the previous version, which puts your Admin Area at risk if you don’t upgrade.
10. One Time Password
One Time Password plugin enables you to login to your WordPress weblog using passwords which are valid for one session only. One-time passwords prevent stealing of your main WordPress password in less trustworthy environments, like internet cafés, for example by keyloggers.

11. WordPress Firewall Plugin
The WordPress Firewall Plugin detects and logs suspicious-looking parameters, and prevents them from compromising WordPress. It also protects most WordPress plugins from the same attacks. You can optionally configure it as the first plugin to load for maximum security. It gives you an option to send an email to you with a useful dump of information upon blocking a potential attack, and much more.
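As an added example that is not from the original post or from any of the plugins named in it, here is a must-use plugin that implements tips 3 (limit login attempts) and 7 (hide the login error) using only WordPress core hooks. The hook names and core helpers are real; the function names, thresholds and transient keys are my own assumptions.

```php
<?php
/*
 * Plugin Name: Admin Login Hardening (example)
 * Drop this file into wp-content/mu-plugins/ so it loads before regular plugins.
 * Assumption: the thresholds, transient key and helper names below are my own choices.
 */

// Tip 7: hide which half of the credentials was wrong. __return_null() is a
// WordPress core helper, so no create_function() (removed in PHP 8) is needed.
add_filter( 'login_errors', '__return_null' );

const HARDEN_MAX_ATTEMPTS = 5;       // failures allowed per client IP ...
const HARDEN_LOCKOUT_SECS = 15 * 60; // ... before a 15 minute lockout

// Key the counter on the client IP. Do not trust X-Forwarded-For unless a
// trusted reverse proxy sets it, or a client could spoof its way past the limit.
function harden_attempt_key() {
    return 'harden_fail_' . md5( $_SERVER['REMOTE_ADDR'] );
}

// Tip 3: count failed logins per IP in a transient that expires on its own.
function harden_record_failure( $username ) {
    $key   = harden_attempt_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, HARDEN_LOCKOUT_SECS );
    if ( $count >= HARDEN_MAX_ATTEMPTS ) {
        error_log( sprintf( 'Login lockout for %s after %d failures (last username tried: %s)',
            $_SERVER['REMOTE_ADDR'], $count, $username ) );
    }
}
add_action( 'wp_login_failed', 'harden_record_failure' );

// Refuse authentication while locked out. Priority 30 runs after WordPress's own
// username/password check (priority 20), so even a correct password is refused.
function harden_block_if_locked( $user, $username, $password ) {
    if ( (int) get_transient( harden_attempt_key() ) >= HARDEN_MAX_ATTEMPTS ) {
        return new WP_Error( 'locked_out', 'Too many failed logins. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'harden_block_if_locked', 30, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function () {
    delete_transient( harden_attempt_key() );
} );
```

Because a refused login while locked out also fires wp_login_failed, every attempt during the lockout renews the 15 minute window.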


07-31-2010, 09:10 AM
Nice tips and sharing. Thanks.

10-21-2010, 09:08 AM
The WordPress software has been one of the few things that has made blogging explode in the past couple of years. The software is really easy to set up and simple to use. They have what they like to call the “5 minute installation” setting, which allows people to have their blogs ready for publishing almost instantly. Also, another thing that amazes people about WordPress is the number of configurations that you can change with it.

07-27-2011, 12:51 PM
Greetings. We are pleased to announce the release of wSecure. wSecure hides your WordPress admin URL with a special key so that only you can access it. The problem with WordPress is that anyone can tell if your site is WordPress by simply typing in the default URL to the administration area (i.e. www.yoursite.com/wp-admin). wSecure helps you hide the fact that your website is built with WordPress from prying eyes.

Check out wSecure in action here: http://wp.joomlaserviceprovider.com