Аgile methodology to protect your WordPress site

These solutions don't guarantee 100% protection, but it might significantly improve the security assurances of your blog.

Wordpress security

Administrative area of ​​any app software development has long been a favorite target for hackers, and it is extremely concerned about the safety of developers. This also applies to WordPress - launching a new blog, the system creates an administrator account with a unique randomly generated password in real time, what is blocking general access to system settings, controlling it using the login page.This article focuses on the issues of security hardening of WordPress - you must be aware that only one simple request separates "evil hackers" and the admin panel of all your blog or website! And the latter is protected as hard as powerful you chose a password.

1. Rename the WordPress folder.

Starting with version 2.6, it became possible to change the path to the wp-content folder. Unfortunately it is still not applicable to the wp-admin folder. Thinking about the security assurances, bloggers ate a dog on it and began to hope that this will be possible in future versions. Until that happens, we propose to use the following alternative solution. After unpacking the archive with WordPress files, you will see the «WordPress» folder - Rename folder (ideally to something strange like "wordpress_live_OX42gg") and then adjust accordingly wp-config.php file located in the root directory.

2. Remove the Administrator account.

During the installation process, WordPress creates an administrator account with the «admin» default nickname. On the one hand it is quite logical, on the other - a user with a well-known nickname, ie, ID - 1, has administrative rights, is a predictable target for hackers with their password guessing programs. Hence our advice:

  • Create another user with administrative privileges and your nickname.
  • Complete the work session.
  • Please login below your new account.
  • Remove the "admin" account.

3. Choose a strong password.

Probability and frequency of potential attacks is directly dependent on the popularity of the blog. And up to this point, it is better to make sure that your site does not remain the weak links in the security chain. Most often it is the passwords are the weakest link in the chain. Why? The methods of choosing password in the majority of users are often careless and spoiled. Many studies have shown that the most passwords - existing monosyllabic words typed in lowercase letters, which are not difficult to find. The password guessing programs, there are even lists of the most commonly used passwords. There is implemented intuitive resistance dialed password indicator in WordPress that shows the color of its level of complexity:We recommend using at least seven characters that combine uppercase and use special characters such as !"? $% ^ & ().

Custom development

4. Limit the number of failed login attempts.

WordPress does not keep statistics of authorizations, both successful and not. It is very inconvenient for the administrator, because he does not have the opportunity to see whether there were unauthorized access attempts to take any action if they become more frequent. We offer two solutions: plugins Login LockDown and Limit Login Attempts. After installation, they are not only log authorizations, but also limit the number of failed login attempts by blocking a certain time trying to IP.

5. Maintain the current version.

Finally, WordPress web developers tend to react very quickly, if they find a vulnerability in the engine. So stay tuned and updated as possible. Fortunately, WordPress notifies the release of the new version. This also applies to plug-ins - keep their current version. Remember: less is better when it comes to any add-ins and add-ons. As an administrator, you must make sure that you have installed and active, only those plug-ins that you really need. Each plug-in is a potential security risk and threat, as they are developed by foreign developers.

Can you share your small business advice?

How do you protect your blog from hacking? What do you use for this?

Best regards,
Your Ardas Team