9 Easy Ways to Secure your WordPress Blog or Site
WordPress security, or hardening the website, is an important activity for keeping hackers out. In practice we cannot stop hackers completely, but there are a few configurations that make their job much harder. Let's start digging into them.
1. Double Layered Authentication for WP-LOGIN.php
Using the htpasswd utility of the Apache web server, we can restrict /wp-login.php with a custom username and password, followed by the normal WordPress authentication. This adds a second layer of authentication in front of the login form. Use the configuration below either in the httpd.conf file of the Apache web server or in the .htaccess file located at /var/www/<domainRoot>/htdocs/.htaccess
#Protect wp-login
<Files ~ "wp-login\.php">
    AuthUserFile /etc/httpd/conf/.htpasswd
    AuthName "Private access"
    AuthType Basic
    Require valid-user
</Files>
In the above, .htpasswd is the file holding the credentials, which can be created using the htpasswd utility. Note that the Require valid-user line is what actually enforces the login; without it Apache loads the AuthType settings but lets every request through. For details about how to use htpasswd, please follow this article – How to Protect URLs, Files & Directories with Apache htpasswd Utility
2. Restrict xmlrpc.php
Spammers and hackers abuse xmlrpc.php to bring your website down. Unless a plugin or mobile app of yours depends on it, it is safe to block it completely in .htaccess or in the httpd.conf file
# BEGIN protect xmlrpc.php
<Files xmlrpc.php>
    Order allow,deny
    Deny from all
</Files>
# END protect xmlrpc.php
# service httpd reload
After adding the configuration above, reload the Apache httpd server with the command above so it takes effect.
3. Hide .htaccess file
If we do not prevent access to the .htaccess file, we leak our rules and configuration to the outside world. Again in the httpd.conf file, use the lines below to deny access permanently,
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
4. File Permission for wp-config.php
Change the file permission of wp-config.php in the Linux terminal with the command below. With this permission only the file owner can read and write it, and no other user on the system can open it (so the owner must be the account PHP runs as, or WordPress can no longer read its own configuration).
# chmod 600 wp-config.php
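To check that tips 1 to 4 are really in place, here is an added audit script (example code, not from this article or from WordPress): it parses the <Files> blocks of an httpd.conf or .htaccess text, verifies the wp-login.php block carries the Require directive, that xmlrpc.php and .ht* are denied, and that wp-config.php has mode 600. The SAMPLE_CONF text is a constructed copy of the rules above, and the function names are this example's own.

```python
import re
import stat

# Constructed sample of the rules this article describes, not a real server's httpd.conf.
SAMPLE_CONF = r'''
<Files ~ "wp-login\.php">
    AuthUserFile /etc/httpd/conf/.htpasswd
    AuthName "Private access"
    AuthType Basic
    Require valid-user
</Files>
<Files xmlrpc.php>
    Order allow,deny
    Deny from all
</Files>
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
'''

# <Files name> or <Files ~ "regex"> ... </Files>; a misspelled <File ...> block is not matched.
FILES_BLOCK = re.compile(r'<Files\s+(?:~\s+)?"?([^">]+?)"?\s*>(.*?)</Files>', re.S | re.I)

def files_blocks(conf):
    """Map each <Files> pattern to its directives, lower-cased and one per entry."""
    return {pat: [l.strip().lower() for l in body.splitlines() if l.strip()]
            for pat, body in FILES_BLOCK.findall(conf)}

def audit(conf):
    """Return findings; an empty list means every rule from the article is in place."""
    blocks = files_blocks(conf)
    block = lambda name: next((d for p, d in blocks.items() if name in p), [])
    has = lambda ds, prefix: any(d.startswith(prefix) for d in ds)
    findings = []
    # Tip 1: Basic auth on wp-login.php; without Require valid-user Apache enforces nothing.
    for needed in ("authtype basic", "authuserfile", "require valid-user"):
        if not has(block("wp-login"), needed):
            findings.append(f"wp-login.php: missing '{needed}'")
    # Tips 2 and 3: xmlrpc.php and .ht* denied to everyone (Apache 2.2 or 2.4 syntax).
    for name in ("xmlrpc", ".ht"):
        if not (has(block(name), "deny from all") or has(block(name), "require all denied")):
            findings.append(f"{name}: not denied for everyone")
    return findings

def wp_config_mode_ok(st_mode):
    """Tip 4: True when only the owner can read and write wp-config.php (chmod 600)."""
    return stat.S_IMODE(st_mode) == 0o600
```

Run `audit(open("/etc/httpd/conf/httpd.conf").read())` and `wp_config_mode_ok(os.stat("wp-config.php").st_mode)` on the server to get the findings for a real deployment.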
5. Avoid using common user names
Hackers specifically go after weak or common usernames and passwords. Avoid usernames such as admin and passwords in the same vein. This applies to your htpasswd credentials as well.