Additional Security Tips to Harden Your Website
So you have already implemented each element from the basic security checklist, such as hiding your login screen, not using Admin for your user name, limit login attempts, and so forth. You can find countless articles on basic WordPress security on the internet. The following additional steps may not be as well known but can secure your website to the next level if activated on your WordPress site.
“Security is always excessive until it’s not enough.” [Robbie Sinclair]
5 Security Tips You May Not About
1) Use Email for Username
About 2 years ago, I was rushing to create a fresh new WP install. During installation, I was asked a question which I am very familar with, what is the Login User Name? Being distracted with something, I mistakely inserted the admin email address for the new website.
I caught this error and was about to change the User Name when the thought occurred to me, why not just keep it? Who would think that a User Name was an actual email address? Besides, this email address was 15 characters long, which in partnership with a strong password, would create a difficult combination to crack, and it would only be a slight inconvenience for the client to type a few more characters.
Later I discovered that some Professional Wordpress builders actually recommended using an email address as the User Name.
2) Limit Login By IP Address
If you are the only one who requires access to the WordPress login screen, such as a personal blog or a sole proprietor business, then this tip will totally eliminate anyone from attempting to gain entry to your login screen. Only your IP address will be allowed to login, all other IP’s will be blocked by the .htaccess file.
Edit the .htaccess File
You require the following tools:
- FTP (Filezilla or Cyberduck) to download and upload the file on your server.
- Or File Manager within your CPanel to download and upload the file on your server.
- A text editor (Notepad, TextEdit, Notepad++, Coda, Atom, VS Code, etc.) to edit the .htaccess file.
Follow the following steps:
1) Download the .htaccess file.
2) Open this file in your text editor. Save a backup copy of the .htaccess file just in case something goes wrong.
3) Embed the following code at the bottom where there is room.
# Block access to wp-admin. order deny,allow allow from x.x.x.x deny from all
Replacing x.x.x.x with your IP address.
4) Save your edited .htaccess file.
5) Upload back to your server.
6) Refresh your browser and access your login page.
Caution: if you take your laptop to Starbucks, you will be blocked.
3) Modify Login Error Warning
Normally, when someone uses the incorrect user name or password, WordPress will display what was amiss.
You are already giving the hacker hints of what was wrong and you certainly don’t want to give any unauthorized person tips to help them hack your WordPress dashboard. To modify the error message to read something other then Password or Username incorrect, you need to modify the functions.php file.
Where is the functions.php file?
Using either your FTP or File Manager (CPanel)
Follow the images left to right below:
wp-content > themes > the theme you are using > functions.php
Edit the functions.php File
You require the following tools:
- FTP (Filezilla or Cyberduck) to download and upload the file on your server.
- Or File Manager within your CPanel to download and upload the file on your server.
- A text editor (Notepad, TextEdit, Notepad++, Coda, Atom, VS Code, etc.) to edit the functions.php file.
Follow the following steps:
1) Download the functions.php file.
2) Open this file in your text editor. Save a backup copy of the functions.php file just in case something goes wrong.
3) Embed the following code at the bottom where there is room.
function custom_wordpress_error_message(){
return 'Incorrect Login Credentials...';
}
add_filter( 'login_errors', 'custom_wordpress_error_message' );
4) Save your edited functions.php file.
5) Upload back to your server.
6) Refresh your browser and access your login page.
This is the new error message displayed
4) Review All Users
If your website has multiple users, an audit of all your users should be performed.
This is something that is often overlooked, but very crucial as someone could be sneaking in from within your own organization.
Or worst yet a former user leaves your business or organization and takes their login information with them.
- Does each user still have a need to access your site.
- If so, do they have the correct user role? (Administrator, Editor, etc.)
- Are there any users who have left?
- Are any current users not active with editing anymore?
These are just some of the key questions that you need to survey.
If you are not sure what the current user role capabilities are, the WordPress Codex breaks it down for you. WordPress Roles and Capabilities.
If you really want to customize your user roles, there is a free plugin in the WordPress Repository:
Capability Manager Enhanced
Features:
- Create Roles
- Manage Role Capabilities
- Change the capabilities of any role
- Add new roles
- Copy existing roles into new ones
- Add new capabilities to existing roles
Making sure only those who have a need are listed as a user and have the correct role assigned, can close this backdoor.
5) Log Out Inactive Users
We have all experienced logging into a bank or online payment website, then if we are idle for 10 minutes or so, you will find that the site automatically logged you out, followed by a Timeout message, prompting you to log back into your account.
The purpose of automatic logouts is purely for security reasons. It is to prevent any unauthorized individual from examining your private account information, whether intentional or unintentionally.
This same security measure should also apply to your WordPress security requirements. I am sure every one of us has been guilty of walking away from our computer without logging out to get a snack, visit the restroom, or even just talk story with a co-worker at the water cooler. A person (i.e. janitor, visitor, etc.) just needs a minute or less to gather sensitive information, add themselves as a user, or even worst shut down the website.
How about those who work from home?
I suggest you still implement the automatic log out feature, even though it is only you or your family in the vicinity of your computer. Why?
- Do you have guests over?
- Do your kid’s friends hang out?
- Do have a repairman over, things break.
Bottomline: You just went to be secured!
Automatic Logout Plugin:
Inactive Logout
“Make your WP account secure from snoopers, friends to protect your data by assuring auto log out system within a certain defined time. This will help you keep safe from any users using same machine to access your account in case you are away and forgot to logout and kept your site logged open.”
Note: there are other plugins with this same capability, but I did not list them because they have not been updated for 2 years or more.
Manually code
For those who rather not use a plugin:
Here is a quick way to add an automatic logout feature to your WordPress powered website.
WordPress Auto Logout after Inactivity
- Add code to your child themes functions.php file
- Create a auto-logout.js file
- Enqueue the script and localize it for the ajax to work
These security tips are to supplement your primary security measures already in place.
Hopefully, they can harden your WordPress security to the next level.
What do you think?
Gerald Watanabe
Islandwebtek
